"not exact" error message
Havard Eidnes
he at uninett.no
Sat Jan 21 17:30:42 UTC 2023
Hi,
I tried using BIND 9.18.10 as a downstream name server of an
OpenDNSSEC 2.1.8 installation, but after sorting out the ACL
issues on the OpenDNSSEC side, zone transfers failed with
messages such as these:
Jan 21 17:15:34 new-ns named[22056]: transfer of '4.38.158.in-addr.arpa/IN' from 158.38.x.yy#53: failed while receiving responses: not exact
Jan 21 17:16:42 new-ns named[22056]: transfer of 'ufisa.no/IN' from 158.38.x.yy#53: failed while receiving responses: not exact
Downgrading BIND to 9.16.36 made this work, so this appears to be
a new consistency check introduced with the newer version which
isn't being done by 9.16.36.
Any idea what this new check consists of, and what I should hint
to the OpenDNSSEC developers to fix?
I did a "dig axfr -y <whatever>" of one of the zones from the
OpenDNSSEC host, and I found the TSIG record used to support the
zone transfer embedded in the result (twice!), and when I fed the
resulting file to named-checkzone, it didn't want to validate the
zone before I removed the two TSIG records. This, however, may
be unrelated; I do not know.
Best regards,
- Håvard
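
The manual step described in the message above (removing the TSIG records from saved "dig axfr" output before handing the file to named-checkzone) can be scripted as follows. This is an added example, not part of the original post; the sample transfer, zone name, key name and MAC values are constructed, and the function names are hypothetical.

```python
# Zone classes that may appear between the owner name and the RR type.
CLASSES = {"IN", "CH", "HS", "ANY", "NONE"}

# Constructed sample resembling saved "dig axfr -y ..." output.
# Zone, key name and MAC values are made up for illustration.
SAMPLE = """\
; <<>> DiG <<>> axfr example.test @192.0.2.1 (constructed)
example.test.\t3600\tIN\tSOA\tns1.example.test. host.example.test. 5 3600 600 86400 300
example.test.\t3600\tIN\tNS\tns1.example.test.
ns1.example.test.\t3600\tIN\tA\t192.0.2.1
xfer-key.\t0\tANY\tTSIG\thmac-sha256. 1674322242 300 32 AAAA 1 NOERROR 0
example.test.\t3600\tIN\tSOA\tns1.example.test. host.example.test. 5 3600 600 86400 300
xfer-key.\t0\tANY\tTSIG\thmac-sha256. 1674322242 300 32 BBBB 1 NOERROR 0
;; XFR size: 4 records (constructed)
"""


def rr_type(line):
    """Return the RR type of one presentation-format line, or None
    for blank lines and ';' comments."""
    fields = line.split()
    if len(fields) < 2 or fields[0].startswith(";"):
        return None
    for tok in fields[1:]:
        if tok.isdigit() or tok.upper() in CLASSES:
            continue  # skip the TTL and class columns, in either order
        return tok.upper()
    return None


def split_tsig(dig_output):
    """Separate TSIG pseudo-records from the zone records in dig output."""
    zone, tsig = [], []
    for line in dig_output.splitlines():
        rtype = rr_type(line)
        if rtype is None:
            continue
        (tsig if rtype == "TSIG" else zone).append(line)
    return zone, tsig


if __name__ == "__main__":
    zone, tsig = split_tsig(SAMPLE)
    print(f"; {len(tsig)} TSIG record(s) removed, {len(zone)} zone record(s) kept")
    print("\n".join(zone))
```

Redirect the output to a file and pass that file to named-checkzone; the first line reports how many TSIG records the transfer contained.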