refresh failure despite ability to do AXFR and IXFR via command line (was Re: refresh times out from Win DNS)

Sten Carlsen ccc2716 at vip.cybercity.dk
Tue Jul 20 07:27:23 UTC 2004


Mark Jeftovic wrote:

>This didn't seem to help in one other case we've found.
>
>On Sun, 18 Jul 2004, Vinny Abello wrote:
>
>>In named.conf:
>>
>>server 1.2.3.4 {
>>         edns no;
>>};
>
>This other case I have access to the master, it is running 8.4.1-REL via
>some "hsphere" system I'm unfamiliar with.
>
>But the symptoms are the same, I can do an AXFR from the command line
>using host or dig and I can see it arrive in the logs on the master:
>
>Jul 19 18:16:34 cp named[2695]: approved AXFR from [192.168.40.250].47650 for "example.com"
>Jul 19 18:16:34 cp named[2695]: zone transfer (AXFR) of "example.com" (IN) to [192.168.40.250].47650 serial 2004071202

Note that this happens with an internal IP, i.e. from the inside of the
firewall.

>But when I do it via the slave with "rndc reload example.com", I just
>get this error in the logs immediately on the slave side (bind9.2.3):
>
>Jul 19 19:23:57 ds2 named[1879]: zone example.com/IN: refresh: failure trying master 24.227.181.110#53: timed out

Note that the master referred to here has a different IP than above. I
assume that it is the same host? If so, is it seen from the outside of
the firewall?

I suggest that you start by ensuring that the request gets through the
firewall and hits the correct server. Until then I will see this as a
firewall issue.

>happens a bunch of times and then
>
>Jul 19 19:27:43 ds2 named[1879]: zone example.com/IN: refresh: retry limit for master 24.227.181.110#53 exceeded
>
>So on the face of it it seems as if the nameserver gets stuck on
>*something* and the request doesn't even make it to the master.
>
>(Like I said previously, this slave has about 80K zones on it, so it is
>not a system wide problem, and as I try this there are 0 xfers running and
>9 soa queries in progress)
>
>Everything else works, i.e. AXFR and IXFR can both be obtained using host
>or dig.
>
>We're seeing this more often these days, we thought it was only Windows
>DNS masters but as I said, this one is bind8.
>
>-mark

-- 
Best regards

Sten Carlsen

Let HIM who has an empty INBOX send the first mail.
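
Added example, not part of the original message and not BIND's own code: a Python probe that sends the kind of request a slave's refresh starts with, an SOA query over UDP to the master, once with an EDNS OPT record and once without (the difference the quoted "edns no;" setting controls), so the path through the firewall can be checked from the slave host itself. The names build_soa_query and probe, the query ID and the 4096-byte payload size are assumptions of this example.

```python
import socket
import struct
import sys


def build_soa_query(zone, edns, qid=0x1234):
    """Wire form of a non-recursive SOA query, with or without an EDNS OPT record."""
    # Header: ID, flags (all clear, RD=0), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT
    msg = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns else 0)
    for label in (part for part in zone.split(".") if part):
        raw = label.encode("ascii")
        msg += bytes([len(raw)]) + raw
    msg += b"\x00" + struct.pack("!HH", 6, 1)  # root label, QTYPE=SOA, QCLASS=IN
    if edns:
        # OPT pseudo-RR: root name, TYPE=41, CLASS carries the UDP payload size
        # (4096 is a value chosen for this example), TTL=0, RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return msg


def probe(master, zone, edns, source="", port=53, timeout=5.0):
    """Send one UDP SOA query from `source`; report the reply or the timeout."""
    query = build_soa_query(zone, edns)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((source, 0))  # "" lets the OS pick the source address
        sock.sendto(query, (master, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timed out"
    if len(reply) < 12 or reply[:2] != query[:2]:
        return "unexpected reply"
    flags, _qd, ancount = struct.unpack("!HHH", reply[2:8])
    return "rcode=%d answers=%d" % (flags & 0x000F, ancount)


if __name__ == "__main__":
    # usage: python3 soa_probe.py MASTER_IP ZONE [SOURCE_IP]
    if len(sys.argv) < 3:
        sys.exit("usage: soa_probe.py MASTER_IP ZONE [SOURCE_IP]")
    source = sys.argv[3] if len(sys.argv) > 3 else ""
    for edns in (True, False):
        result = probe(sys.argv[1], sys.argv[2], edns, source)
        print("edns=%-5s -> %s" % (edns, result))
```

Run it on the slave against the master address from the "timed out" log line, passing as SOURCE_IP the address named itself sends from. "timed out" for both forms points at the path or the firewall; an answer only for the non-EDNS form points at EDNS handling along the way.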




