On 24/5/2022 7:55, Mark Andrews wrote:
Firstly upgrade the primary.  Microsoft issued a fix for this March 2019.

Would have been the best to do that if possible for sure but unfortunately only the workaround can be applied in this case.

Unknown EDNS options are supposed to be ignored and not produce FORMERR.
Named has stopped working around broken servers that return FORMERR to unknown
EDNS options and include the OPT record.  It has also stopped working around
servers that just echo back the request (including the OPT record) when sending
FORMERR when the server doesn’t understand EDNS.  These servers should be
constructing a DNS HEADER from the request with RCODE set to FORMERR and if
the request was a QUERY and they could parse the QUESTION adding that as well
as per RFC 1034.  The DNS header alone is enough to send FORMERR.  Nowhere in
any RFC does it say to echo back the request when sending FORMERR.

FORMERR + OPT indicates the server understands EDNS.

You can work around this by adding “server 1.1.2.2 { request-expire no; };” to
named.conf.

This worked really well! Thank you very much

On 24 May 2022, at 11:12, Lefteris Tsintjelis via bind-users <bind-users@lists.isc.org> wrote:

I turned on all log channels and this is the error I get:

zone domain.com/IN: refresh: unexpected rcode (FORMERR) from primary1.1.2.2#53 (source 0.0.0.0#0

tcpdump seems to also agree with the FORMERR

1.1.2.2.domain > secondary.58648: 113 FormErr- 0/0/1 (45)

On 24/5/2022 3:00, Grant Taylor via bind-users wrote:
On 5/23/22 5:55 PM, Lefteris Tsintjelis via bind-users wrote:
Nothing actually. Windows logs are clean. Unix logs also.
#trustTheBitsOnTheWire
#useTheSniffer
I'd start by capturing w/ tcpdump using the `-s 0` and `-w /path/to/capture.pcapng` options.  Then use Wireshark to analyze the packet capture.
You may see the problem with tcpdump, especially if you turn verbosity up.  But 
Wireshark has some much nicer decoding and display than tcpdump does.

Regards,

Lefteris
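
An added example, not part of the thread or of BIND: a Python parser that checks a captured DNS reply for the case discussed above (FORMERR with an OPT record present) and lists the EDNS option codes it carries. The sample messages are constructed and the function names are hypothetical; option code 9 is EDNS EXPIRE (RFC 7314), the option that `request-expire no;` stops named from sending.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
OPT, EXPIRE = 41, 9  # RR type OPT (RFC 6891), EDNS EXPIRE option code (RFC 7314)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # a compression pointer ends the name
            return off + 2
        off += 1 + n

def classify(msg):
    """Parse a DNS reply: RCODE, whether OPT is present, and its EDNS option codes."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    has_opt, options = False, []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == OPT:
            has_opt = True
            p, end = off, off + rdlen
            while p + 4 <= end:        # walk the (code, length, data) option list
                code, olen = struct.unpack_from("!HH", msg, p)
                options.append(code)
                p += 4 + olen
        off += rdlen
    rcode = RCODES.get(flags & 0xF, str(flags & 0xF))
    return {"rcode": rcode, "opt": has_opt, "options": options,
            "formerr_with_opt": rcode == "FORMERR" and has_opt}

def build(rcode, with_opt):
    """Constructed sample reply to an SOA query for domain.com (not a real capture)."""
    q = b"\x06domain\x03com\x00" + struct.pack("!HH", 6, 1)
    hdr = struct.pack("!6H", 0x1234, 0x8000 | rcode, 1, 0, 0, 1 if with_opt else 0)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, 4) + struct.pack("!HH", EXPIRE, 0)
    return hdr + q + (opt if with_opt else b"")

ECHOED = build(1, True)        # FORMERR with the request's OPT and EXPIRE option echoed
HEADER_ONLY = build(1, False)  # FORMERR with no OPT record

if __name__ == "__main__":
    for label, m in (("echoed", ECHOED), ("header-only", HEADER_ONLY)):
        print(label, classify(m))
```

To run it on real traffic, pass `classify` the raw DNS payload bytes of the reply extracted from the capture file.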