zone transfers timeout in bind but work via dig
Barry Margolin
barmar at alum.mit.edu
Sun Oct 3 11:53:40 UTC 2004
In article <cjo1g0$s1r$1 at sf1.isc.org>,
Christian Smith <none at i.am.invalid> wrote:
> In article <cjf8ni$cfc$1 at sf1.isc.org>,
> Mark Jeftovic <markjr at c3po.easydns.com> wrote:
>
> > What is the difference between doing an AXFR or IXFR from the command
> > line using dig, and then having bind9 timeout on the refresh when it
> > tries to do it in production?
>
> My understanding is thus:
>
> The difference is that when the slave BIND server issues the AXFR or
> IXFR, it then closes the connection instead of leaving the connection
> open and waiting for a response (which is what happens with dig).
This makes no sense. How would it get the data it's trying to transfer
if it closed the connection?
> Because of this, there needs to be an explicit hole punched in the
> firewall at the master server to allow outgoing connections in the
> 1024-65535 range. And, at the slave end there needs to be a matching
> hole to allow incoming connections to those ports (sourced from port
> 53).
This is totally wrong. The DNS protocol contains no mechanism like this.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
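As an added illustration of the point above (written for this page, not code from the thread or from BIND), here is the AXFR exchange as the slave actually drives it: the slave opens one TCP connection to the master's port 53, sends its query on it, and then reads the master's length-prefixed responses on that same connection until the closing SOA arrives. The zone name, addresses and serial are constructed, and name compression is not handled.

```python
import struct
SOA, NS, A, AXFR, IN = 6, 2, 1, 252, 1          # RR types / class used below

def encode_name(name):
    """Dotted name -> DNS labels (no compression; enough for this constructed stream)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Uncompressed labels -> (dotted name, offset just past the terminating zero)."""
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1

def axfr_query(zone, txid=0x1234):
    """What the slave sends once its TCP connection to the master's port 53 is up."""
    body = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", AXFR, IN)
    return struct.pack("!H", len(body)) + body       # 2-byte length prefix, as on every TCP DNS message

def answer_message(txid, zone, rrs):
    """One framed master response carrying a slice of the zone (a master may send several)."""
    body = struct.pack("!HHHHHH", txid, 0x8400, 1, len(rrs), 0, 0) + encode_name(zone) + struct.pack("!HH", AXFR, IN)
    for name, rtype, rdata in rrs:
        body += encode_name(name) + struct.pack("!HHIH", rtype, IN, 3600, len(rdata)) + rdata
    return struct.pack("!H", len(body)) + body

def read_axfr(stream):
    """Slave side: read framed messages on the SAME connection until the zone's SOA is seen a second time.
    Returns (records, complete); complete is False if the peer closed before the closing SOA."""
    records, soa_seen, off = [], 0, 0
    while soa_seen < 2 and off + 2 <= len(stream):
        (mlen,) = struct.unpack("!H", stream[off:off + 2])
        msg, off = stream[off + 2:off + 2 + mlen], off + 2 + mlen
        p = decode_name(msg, 12)[1] + 4            # skip the single echoed question
        for _ in range(struct.unpack("!H", msg[6:8])[0]):
            name, p = decode_name(msg, p)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[p:p + 10])
            records.append((name, rtype, msg[p + 10:p + 10 + rdlen]))
            p, soa_seen = p + 10 + rdlen, soa_seen + (rtype == SOA)
    return records, soa_seen == 2

def demo(truncate=False):
    """Constructed two-message transfer of example.test.; truncate=True drops the second message, as a closed connection would."""
    zone, ns = "example.test.", "ns1.example.test."
    soa = encode_name(ns) + encode_name("hostmaster.example.test.") + struct.pack("!IIIII", 2004100301, 3600, 900, 604800, 86400)
    first = answer_message(0x1234, zone, [(zone, SOA, soa), (zone, NS, encode_name(ns))])
    last = answer_message(0x1234, zone, [(ns, A, bytes([192, 0, 2, 1])), (zone, SOA, soa)])
    return read_axfr(first if truncate else first + last)
```

With the connection cut after the first message, `demo(truncate=True)` reports an incomplete transfer: a slave that closed the connection early would never see the closing SOA, which is exactly why that explanation cannot be right.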