Secondary zone is only using the first listed primary

Nick Tait nick at tait.net.nz
Wed Oct 19 08:10:17 UTC 2022


Hi list.

I have a BIND server that is acting as a secondary to replicate a zone 
from SpamHaus/Deteque, which is then used internally as a Response 
Policy Zone. This had been working fine for several years, but recently 
I noticed that BIND was reporting that the zone had expired. When I 
looked closer I realised that I'd only specified the 2 x IPv6 addresses 
for the SpamHaus servers, and for some reason neither of those were 
responding to DNS queries, so I added in the IPv4 addresses. My 
configuration basically looked like this:

    primaries deteque-primary {
             2600:1f18:215e:b701:8624:5523:94aa:f163;
             2a05:d014:1bf:db01:c11:ab37:1f20:3358;
             34.194.195.25;
             35.156.219.71;
    };
    ...
    view "xxx" {
             zone "drop.ip.dtq" {
                     type secondary;
                     file "db.drop.ip.dtq";
                     primaries { deteque-primary; };
                     notify explicit;
                     also-notify { nick-secondary-deteque; };
                     allow-transfer { nick-nameservers-private; };
                     allow-query { nick-nameservers-private; loopback-networks; };
             };
    };

My expectation was that BIND would try the first IPv6 address 
(2600:1f18:215e:b701:8624:5523:94aa:f163), then when that timed out due 
to no response, it would try the second one 
(2a05:d014:1bf:db01:c11:ab37:1f20:3358), then after that timed out it 
would try the first IPv4 address (34.194.195.25) which should succeed.

However after restarting BIND I was finding that the zone still wasn't 
being transferred. And Wireshark revealed that SOA query packets were 
being sent every 15 seconds to the first address only 
(2600:1f18:215e:b701:8624:5523:94aa:f163), which wasn't replying (as 
expected), and no packets were being sent to any of the other IP 
addresses listed in the 'primaries' statement. (I left the packet 
capture running for >15 minutes without seeing any packets being sent to 
the other 3 addresses.)

So my question is: For a secondary zone, are there any circumstances 
where BIND would try the servers listed after the first entry in the 
primaries stanza? And if so, should the lack of response from the first 
primary be one of those circumstances?

In other words, is the behaviour I'm seeing a bug, or does BIND always 
only use the first entry in a primaries stanza of a secondary zone?

FYI BIND version is: 9.18.1

Thanks,

Nick.
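A quick way to establish which of the listed primaries actually answer, independently of whatever BIND does with the list, is to send each one a SOA query for the zone and record the serial (or the absence of a reply). The script below is an added example written for this thread, not code from the poster or from ISC: it parses a `primaries` block in the shape shown above (the configuration text, the zone name `drop.ip.dtq` and the four addresses are taken from the post), builds an RFC 1035 SOA query by hand, sends it over UDP port 53 with a timeout, and extracts the serial from the reply. `build_sample_soa_response()` produces a constructed reply used only for offline checking of the parser; it is not captured traffic. A primary that returns no serial here is one BIND will also never get a transfer from, and differing serials across primaries are worth noticing before relying on failover between them.

```python
import random
import re
import socket
import struct

# Constructed excerpt in the shape of the poster's named.conf (not the real file).
SAMPLE_CONF = """
primaries deteque-primary {
         2600:1f18:215e:b701:8624:5523:94aa:f163;
         2a05:d014:1bf:db01:c11:ab37:1f20:3358;
         34.194.195.25;
         35.156.219.71;
};
"""


def parse_primaries(conf, name):
    """Return the addresses of the named 'primaries' block, in configuration order."""
    m = re.search(r'primaries\s+' + re.escape(name) + r'\s*\{(.*?)\};', conf, re.S)
    if not m:
        raise ValueError(f"no primaries block named {name}")
    return [a.strip() for a in m.group(1).split(';') if a.strip()]


def build_soa_query(zone, qid):
    """Minimal DNS query in RFC 1035 wire format: one question, QTYPE=SOA, QCLASS=IN."""
    header = struct.pack('!HHHHHH', qid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = zone.rstrip('.').split('.')
    qname = b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'
    return header + qname + struct.pack('!HH', 6, 1)


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at offset off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def soa_serial(resp, qid):
    """Return the serial from the first answer RR if it is an SOA, else None."""
    if len(resp) < 12:
        return None
    rid, _flags, qd, an, _ns, _ar = struct.unpack('!HHHHHH', resp[:12])
    if rid != qid or an == 0:
        return None
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        off = _skip_name(resp, off) + 4
    off = _skip_name(resp, off)         # answer owner name
    rtype, _rclass, _ttl, _rdlen = struct.unpack('!HHIH', resp[off:off + 10])
    off += 10
    if rtype != 6:
        return None
    rd = _skip_name(resp, off)          # MNAME
    rd = _skip_name(resp, rd)           # RNAME
    return struct.unpack('!I', resp[rd:rd + 4])[0]


def build_sample_soa_response(zone, qid, serial):
    """Constructed SOA reply for offline checks of soa_serial(); not real traffic."""
    header = struct.pack('!HHHHHH', qid, 0x8180, 1, 1, 0, 0)
    question = build_soa_query(zone, qid)[12:]
    rdata = b'\xc0\x0c\xc0\x0c' + struct.pack('!IIIII', serial, 3600, 900, 604800, 300)
    answer = b'\xc0\x0c' + struct.pack('!HHIH', 6, 1, 300, len(rdata))
    return header + question + answer + rdata


def probe_primary(addr, zone, timeout=3.0):
    """Send one UDP SOA query to addr:53; return the serial, or None on timeout/bad reply."""
    fam = socket.AF_INET6 if ':' in addr else socket.AF_INET
    qid = random.randint(0, 0xFFFF)
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_soa_query(zone, qid), (addr, 53))
            data, _ = s.recvfrom(4096)
        except OSError:                 # includes socket.timeout
            return None
    return soa_serial(data, qid)


def probe_all(addrs, zone):
    """Map each primary address to its reported serial (None = no usable answer)."""
    return {a: probe_primary(a, zone) for a in addrs}


if __name__ == '__main__':
    results = probe_all(parse_primaries(SAMPLE_CONF, 'deteque-primary'), 'drop.ip.dtq')
    for addr, serial in results.items():
        print(f"{addr:45} {'no response' if serial is None else 'serial ' + str(serial)}")
```

Run it from the secondary itself so the probes leave over the same source addresses and routes BIND uses; a primary that answers from elsewhere but not from the secondary's IPv6 address points at routing or ACLs rather than at BIND's handling of the list.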
