AXFR from Windows 2008R2 failing after upgrading to 9.18

Mark Andrews marka at isc.org
Tue May 24 04:55:21 UTC 2022


Firstly, upgrade the primary.  Microsoft issued a fix for this in March 2019.

Unknown EDNS options are supposed to be ignored and not produce FORMERR.
Named has stopped working around broken servers that return FORMERR to unknown
EDNS options and include the OPT record.  It has also stopped working around
servers that just echo back the request (including the OPT record) when sending
FORMERR when the server doesn’t understand EDNS.  These servers should be
constructing a DNS HEADER from the request with RCODE set to FORMERR and if
the request was a QUERY and they could parse the QUESTION adding that as well
as per RFC 1034.  The DNS header alone is enough to send FORMERR.  Nowhere in
any RFC does it say to echo back the request when sending FORMERR.

FORMERR + OPT indicates the server understands EDNS.

You can work around this by adding "server 1.1.2.2 { request-expire no; };" to
named.conf.

Mark

> On 24 May 2022, at 11:12, Lefteris Tsintjelis via bind-users <bind-users at lists.isc.org> wrote:
> 
> I turned on all log channels and this is the error I get:
> 
> zone domain.com/IN: refresh: unexpected rcode (FORMERR) from primary1.1.2.2#53 (source 0.0.0.0#0
> 
> tcpdump seems to also agree with the FORMERR
> 
> 1.1.2.2.domain > secondary.58648: 113 FormErr- 0/0/1 (45)
> 
> Regards,
> 
> Lefteris
> 
> On 24/5/2022 3:00, Grant Taylor via bind-users wrote:
>> On 5/23/22 5:55 PM, Lefteris Tsintjelis via bind-users wrote:
>>> Nothing actually. Windows logs are clean. Unix logs also.
>> #trustTheBitsOnTheWire
>> #useTheSniffer
>> I'd start by capturing w/ tcpdump using the `-s 0` and `-w /path/to/capture.pcapng` options.  Then use Wireshark to analyze the packet capture.
>> You may see the problem with tcpdump, especially if you turn verbosity up.  But Wireshark has some much nicer decoding and display than tcpdump does.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
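
Added example (not part of the original message and not ISC code): a check, meant for response bytes pulled from a packet capture, for the condition the reply describes, a FORMERR response that carries an OPT record. The two sample messages are constructed, and the function names are hypothetical.

```python
import struct

FORMERR, OPT = 1, 41   # RCODE 1 (RFC 1035), RR type 41 (RFC 6891)
def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Return (rcode, has_opt, edns_option_codes) for a raw DNS message."""
    try:
        _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        off, has_opt, codes = 12, False, []
        for _ in range(qd):
            off = skip_name(msg, off) + 4    # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            if rtype == OPT:
                has_opt, p = True, off
                while p + 4 <= off + rdlen:  # option-code / option-length pairs
                    code, olen = struct.unpack_from("!HH", msg, p)
                    codes.append(code)
                    p += 4 + olen
            off += rdlen
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated or malformed DNS message") from exc
    return flags & 0x000F, has_opt, codes

def verdict(msg):
    rcode, has_opt, codes = parse_response(msg)
    if rcode != FORMERR:
        return "not FORMERR"
    if has_opt:
        return f"FORMERR with OPT (options {codes}): response signals EDNS support"
    return "FORMERR without OPT"

# Constructed samples, not captured traffic: an SOA query for example.com with an
# EDNS EXPIRE option (code 9, RFC 7314) echoed back as FORMERR, and a header-only FORMERR.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 6, 1)
OPT_RR = b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, 4) + struct.pack("!HH", 9, 0)
ECHOED = struct.pack("!6H", 0x1234, 0x8001, 1, 0, 0, 1) + QUESTION + OPT_RR
HEADER_ONLY = struct.pack("!6H", 0x1234, 0x8001, 0, 0, 0, 0)

if __name__ == "__main__":
    print(verdict(ECHOED), verdict(HEADER_ONLY), sep="\n")
```

The echoed sample has the same 0/0/1 section counts that the tcpdump line in the quoted message shows.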


