Hi there,

Here's the context:

Ubuntu 19.10 / Debian bullseye 11
bind9 9.15.4

zone "sdxlive.com" {
    type master;
    file "/etc/bind/db.sdxlive.com";
    // Publishing and activating dnssec keys
    auto-dnssec maintain;
    // Using inline signing
    inline-signing yes;
    allow-transfer { w.x.y.z; };
    ...
}

I'm experiencing a peculiar situation in both aforementioned distributions:

- I have modified a zone file and incremented its serial number on the master to 2019101515
- the debug log shows that the zone transfer has successfully taken place on the primary towards the secondary server:

15-Oct-2019 16:54:59.075 xfer-out: info: client @0xaaaaaaaaaaaa w.x.y.z#54219 (sdxlive.com): transfer of 'sdxlive.com/IN': IXFR started (serial 2019092407 -> 2019101515)
15-Oct-2019 16:54:59.075 xfer-out: info: client @0xaaaaaaaaaaaa w.x.y.z#54219 (sdxlive.com): transfer of 'sdxlive.com/IN': IXFR ended: 1 messages, 14 records, 1412 bytes, 0.001 secs (1412000 bytes/sec)
15-Oct-2019 16:55:14.078 xfer-out: info: client @0xbbbbbbbbbbbb w.x.y.z#58529 (sdxlive.com): transfer of 'sdxlive.com/IN': AXFR started (serial 2019101515)
15-Oct-2019 16:55:14.078 xfer-out: info: client @0xbbbbbbbbbbbb w.x.y.z#58529 (sdxlive.com): transfer of 'sdxlive.com/IN': AXFR ended: 1 messages, 36 records, 2906 bytes, 0.001 secs (2906000 bytes/sec)

- actually, the zone transfer could not have succeeded because port 53 was closed on the secondary server for the master
- indeed, the secondary server has no knowledge of the new data:

# named-checkzone -D -f raw -o - sdxlive.com db.sdxlive.com.signed
zone sdxlive.com/IN: loaded serial 2019092407 (DNSSEC signed)

- whatever I try, it seems impossible to retransfer the zone data now that port 53 is open:

on the primary:

rndc freeze sdxlive.com
serial number --> 2019101614
rndc thaw sdxlive.com
A zone reload and thaw was started.
Check the logs to see the result.
# grep -P "16-Oct-2019 .* xfer-out: .* -> 2019101614" /var/log/named/debug.log
#

on the secondary server:

# named-checkzone -D -f raw -o - sdxlive.com db.sdxlive.com.signed
zone sdxlive.com/IN: loaded serial 2019092407 (DNSSEC signed)

As a summary:

+ there should be some kind of zone transfer control to check whether the transfer has really taken place or not
+ there should be a way to manually force an immediate zone transfer from the master to the secondary server(s) even though only the serial number has changed

So, are these
+ bugs
+ some missing features
+ or am I missing something?

-- 
Jean-Christophe
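The two things asked for in the summary above (a check that a transfer really landed, and a way to force one) can both be done with the tools BIND already ships. The script below is an added example, not part of the original post and not ISC's code: instead of trusting the primary's xfer-out log, it asks the primary and each secondary for the SOA serial they actually serve, and runs rndc retransfer against any secondary that is behind. Host names, the zone and the assumption that rndc's control channel on each secondary is reachable via -s (key and port configured in rndc.conf) are placeholders for this example.

```shell
#!/bin/sh
# Added example, not from the original post or from ISC: verify that a zone
# transfer really took place by asking each server for the SOA serial it
# actually serves (rather than trusting the primary's xfer-out log), and force
# a retransfer on any secondary that is behind.
#
# Assumptions (hypothetical): dig and rndc are installed; rndc's control
# channel on each secondary is reachable with -s (key/port configured in
# rndc.conf); zone and host names below are placeholders.

# Extract the serial (third field) from one line of `dig +short SOA` output:
#   ns1.example.com. hostmaster.example.com. 2019101515 3600 900 604800 300
soa_serial_from_dig() {
    printf '%s\n' "$1" | awk 'NF >= 7 { print $3 }'
}

# Compare the secondary's serial ($2) against the primary's ($1). Plain
# integer comparison is enough for YYYYMMDDnn serials; RFC 1982 wraparound
# is not handled here.
compare_serial() {
    if [ "$2" -lt "$1" ]; then
        echo behind
    elif [ "$2" -eq "$1" ]; then
        echo equal
    else
        echo ahead
    fi
}

# Live query: serial of zone $2 as served by server $1 (empty if no answer).
query_serial() {
    soa_serial_from_dig "$(dig +short +norecurse "@$1" "$2" SOA 2>/dev/null)"
}

# check_zone ZONE PRIMARY SECONDARY...
# Exit status 0 when every secondary matches the primary, 1 otherwise,
# 2 if the primary itself does not answer.
check_zone() {
    zone=$1; primary=$2; shift 2
    p=$(query_serial "$primary" "$zone")
    if [ -z "$p" ]; then
        echo "$primary: no SOA answer for $zone" >&2
        return 2
    fi
    rc=0
    for s in "$@"; do
        q=$(query_serial "$s" "$zone")
        case $(compare_serial "$p" "${q:-0}") in
            equal)
                echo "$s: serial $q matches primary" ;;
            behind)
                echo "$s: serial ${q:-none} behind primary $p, forcing retransfer"
                # rndc retransfer is issued to the secondary's control channel;
                # it pulls the zone now, regardless of the SOA refresh timer.
                rndc -s "$s" retransfer "$zone" || rc=1 ;;
            ahead)
                echo "$s: serial $q is ahead of primary $p; check which copy was edited" >&2
                rc=1 ;;
        esac
    done
    return $rc
}

# Usage (commented out so the functions can be sourced without side effects):
# check_zone sdxlive.com ns1.example.com ns2.example.com
```

If only the primary is reachable, `rndc notify sdxlive.com` on the primary resends NOTIFY so the secondaries refresh on their own; the SOA comparison above is still the way to confirm they did, since a "transfer ended" line on the primary only records what the primary sent, not what the secondary committed.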
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users