zone transfers timeout in bind but work via dig
Danny Mayer
mayer at gis.net
Tue Oct 5 00:55:01 UTC 2004
At 09:36 PM 10/1/2004, Christian Smith wrote:
>In article <cjf8ni$cfc$1 at sf1.isc.org>,
> Mark Jeftovic <markjr at c3po.easydns.com> wrote:
>
> > What is the difference between doing an AXFR or IXFR from the command
> > line using dig, and then having bind9 timeout on the refresh when it
> > tries to do it in production?
>
>My understanding is thus:
>
>The difference is that when the slave BIND server issues the AXFR or
>IXFR, it then closes the connection instead of leaving the connection
>open and waiting for a response (which is what happens with dig).
This is total nonsense. This doesn't make any logical sense never mind
what really happens. How is the slave expected to receive the zone transfer
if the socket is closed?
The only difference between the way that BIND works and dig is that
BIND will issue a SOA request first to see if the zone has changed.
dig always just issues the AXFR request.
>Because of this, there needs to be an explicit hole punched in the
>firewall at the master server to allow outgoing connections in the
>1024-65535 range. And, at the slave end there needs to be a matching
>hole to allow in coming connections to those ports (sourced from port
>53).
>
>If you don't do this you will tend to see the transfers time out, just
>as you are seeing.
firewall problems are normally seen when they are not set up right.
AXFR requests require that the firewall be open to TCP requests for
the address on the master site on port 53 and any TCP port on the
slave side. The SOA request is a UDP request to port 53 on the master.
Danny
Danny
More information about the bind-users
mailing list