excessive notify traffic

Nick Simicich njs at scifi.squawk.com
Tue Feb 27 05:24:23 UTC 2001


I recently upgraded my bind to 8.2.3, as suggested in the widely
distributed security notification.

I run bind on two systems, scifi.squawk.com and glock.squawk.com.  I
provide nameservice to about ten domains including hints and reverse
translation and so forth.

Since the upgrade, several of the domains have notify traffic that won't
quit.  One of my secondaries has complained that I am the only domain that
they provide DNS for that has this problem.

Some of the domains settle down.  Some do not.

One domain that will not settle down is squawk.com.  I wrote the following
simple shell script to check for inconsistencies in serials.

#! /bin/bash

#count=0

while [ $# -gt 0 ] ; do
    b="$1"
    shift
#    count=$((count+1))
    # echo $# $@
    echo "Checking $b"
    if [ "$b" != "." ] ; then
        nlast=''
        serverlast=''
        otherhost=`host -t soa squawk.com|awk '/start of/ {print $5;exit}'`
        othersw=0
        for a in `host $b -t ns| cut -f4 -d' '`;
          do #echo $a;
            last=`host -t soa $b $a | awk '/\;serial \(version\)/{print $1;exit}'`
            if [ "$nlast" != "$last" -a "$nlast" != '' ] ; then
              echo "error - $nlast ne $last for $b, server $a != $serverlast"
            fi
            #echo $last
            nlast="$last"
            serverlast="$a"
            if [ "$a" = "$otherhost" ] ; then
                othersw=1
            fi
          done
          if [ $othersw -eq 0 ] ; then
            last=`host -t soa $b $otherhost | awk '/\;serial \(version\)/{print  $1;exit}'`
            if [ "$nlast" != "$last" -a "$nlast" != '' ] ; then
              echo "error - $nlast ne $last for $b, server $otherhost != $serverlast"
            fi
          fi
       fi
done

 ~njs/bin/check_dns_soa `grep '^zone' /etc/named.conf | cut -f2 -d'"'` 2>&1 | less
Checking 151.74.199.in-addr.arpa
Checking 152.74.199.in-addr.arpa
Checking .
Checking 0.0.127.in-addr.arpa
Checking squawk.com
Checking sfsfs.org
Checking cleanaquifer.com
Checking equineheartmonitors.com
Checking evergladesriflepistolclub.org
Checking labed.com
error - 2001022101 ne 2001022605 for labed.com, server glock.squawk.com != ns1.concentric.net

Even though the only zone with serial inconsistencies is labed.com (and I
hope that will resolve eventually) I'm getting notifies for labed.com,
sfsfs.org, and squawk.com.

If someone is looking to help me debug this, feel free to zone transfer -
glock and scifi allow it, I'm not sure about the rest.

And they go on, and on and on.  I can give exact messages if desired, but
they are messages that look normal - sent notify for "domain IN SOA serial"
(domain) 1 NS, 1 A, and the rcvd NOTIFY message and the Received NOTIFY
answer messages.

I can let anyone who is interested have a log extract.

Now, I've read through the archives searching the last few months for
people who had "notify" in their subjects.  A couple of people have
reported this. They were told how to turn notify completely off on their
servers, or how to turn notify logging completely off or how to turn it off
for a zone.

This is a related answer, and might be palliative, but I don't think it is
responsive - at least, I'm concerned it won't work in my situation where I
have lots of nameservers for my domain, under several different
administrative domains, and there is no clear reason why the notifies don't
stop, and thus there is nothing I can clearly ask someone to fix, or fix
myself.  

I really believe this is a bug.  The notify traffic seems to be kicking up,
over and over again.  I just don't know if it is my bug in definitions or a
bug in the notify processing.  I read through the RFC, and it looked like
the traffic was supposed to quench and snuff itself out in short order,
whether it worked or not.  A brief look at the code does not reveal to me
where the notify responses are being processed nor where the notify element
for any particular target is finally removed.  Then again, I've been slow
with C code lately.

The only other symptom is that if I have configured two name servers, and
both are running 8.2.3 and both are under my control, the notify traffic
quenches.

If I specify more, or some are not under my control, the traffic does not
quench.

If someone can suggest trace data that they would like to have, I'll give
them that as well.  Or if someone can tell me where I might start looking,
I'll dig further into the code.

It may be trivial for me.  It may be trivial for any individual user or
system.  If this is happening around the whole net, the excess notifies end
up being a non-trivial amount of traffic, and the problem needs to be fixed.
--
We will fight for bovine freedom, And hold our large heads high.
We will run free, with the buffalo or die! Cows with Guns.
 - Dana Lyons, Cows With Guns
Nick Simicich mailto:njs at scifi.squawk.com
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!
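
The following is an added example, not part of the original post: one way to confirm from the named log that NOTIFY rounds repeat while a zone's SOA serial stays unchanged. The function names, the threshold of 2, the squawk.com serial and the sample log lines are assumptions constructed here, modeled on the message shape quoted in the post.

```shell
#!/bin/sh
# Added example: flag zones whose NOTIFY rounds keep repeating for an
# unchanged SOA serial. A NOTIFY is expected when the serial changes, so
# many rounds for one zone/serial pair match the symptom in the post.

# notify_repeats THRESHOLD
# Reads syslog text on stdin and prints "zone serial count" for every
# zone/serial pair announced more than THRESHOLD times (hypothetical helper).
notify_repeats() {
    awk -v max="$1" '
        # Message shape quoted in the post:
        #   sent notify for "domain IN SOA serial" (domain) 1 NS, 1 A
        tolower($0) ~ /sent notify for "/ {
            # Take the text between the first pair of double quotes.
            n = split($0, q, "\"")
            if (n < 3) next
            # q[2] should be: zone IN SOA serial
            m = split(q[2], f, " ")
            if (m != 4 || f[2] != "IN" || f[3] != "SOA") next
            if (f[4] !~ /^[0-9]+$/) next
            count[tolower(f[1]) " " f[4]]++
        }
        END {
            for (k in count)
                if (count[k] > max) print k, count[k]
        }' | sort
}

# Constructed sample log (not taken from the poster's servers).
sample_log() {
cat <<'EOF'
Feb 26 23:00:01 scifi named[411]: Sent NOTIFY for "squawk.com IN SOA 2001022601" (squawk.com); 1 NS, 1 A
Feb 26 23:00:02 scifi named[411]: Received NOTIFY answer from 192.0.2.53 for "squawk.com IN SOA"
Feb 26 23:00:05 scifi named[411]: Sent NOTIFY for "labed.com IN SOA 2001022101" (labed.com); 1 NS, 1 A
Feb 26 23:05:01 scifi named[411]: Sent NOTIFY for "squawk.com IN SOA 2001022601" (squawk.com); 1 NS, 1 A
Feb 26 23:10:01 scifi named[411]: Sent NOTIFY for "squawk.com IN SOA 2001022601" (squawk.com); 1 NS, 1 A
Feb 26 23:15:01 scifi named[411]: Sent NOTIFY for "squawk.com IN SOA 2001022601" (squawk.com); 1 NS, 1 A
Feb 26 23:20:05 scifi named[411]: Sent NOTIFY for "labed.com IN SOA 2001022605" (labed.com); 1 NS, 1 A
EOF
}

# labed.com changed serial between its two notifies, so only squawk.com
# (four rounds, one serial) is reported.
sample_log | notify_repeats 2
```

A named restart also re-announces the current serial, so pick the threshold with the number of restarts in the log window in mind.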

