Re: refresh: retry limit for master 10.133.253.128#53 exceeded (source 0.0.0.0#0)

2015-11-14 Thread Reindl Harald



On 14.11.2015 at 22:45, Chris Buxton wrote:

> I've seen this where a firewall blocks UDP packets between slave and master, 
> typically because it doesn't understand EDNS. The refresh query fails, so at 
> expiry time, it just initiates a zone transfer anyway, and that succeeds (over 
> TCP).
> 
> Checkpoint firewalls are the most common offenders in my experience.


Cisco routers: the DNS ALG breaks transfers completely or changes the data in 
unexpected ways, like setting the TTL for all CNAME records to 0


no ip nat service alg udp dns
no ip nat service alg tcp dns

http://blog.webernetz.net/2014/05/09/cisco-router-disable-dns-rewrite-alg-for-static-nats/



> On Nov 13, 2015, at 10:12 PM, Lawrence K. Chen, P.Eng.  wrote:
> 
> > So, the last couple of days I've been banging my head on this problem.
> > 
> > Where I'm seeing this strangeness.
> > 
> > 13-Nov-2015 18:00:27.896 general: info: zone salina.k-state.edu/IN/internal: 
> > refresh: retry limit for master 10.133.253.128#53 exceeded (source 0.0.0.0#0)
> > 13-Nov-2015 18:00:27.896 general: info: zone salina.k-state.edu/IN/internal: 
> > Transfer started.
> > 13-Nov-2015 18:00:27.900 xfer-in: info: transfer of 
> > 'salina.k-state.edu/IN/internal' from 10.133.253.128#53: connected using 
> > 129.130.254.21#65439
> > 
> > Among the things I tried was setting 'transfer-source'.
> > 
> > 13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal: 
> > refresh: retry limit for master 10.133.253.128#53 exceeded (source 
> > 129.130.254.21#0)
> > 13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal: 
> > Transfer started.
> > 13-Nov-2015 23:03:42.393 xfer-in: info: transfer of 
> > 'salina.k-state.edu/IN/internal' from 10.133.253.128#53: connected using 
> > 129.130.254.21#34391

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
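A check that exercises the two paths the posters describe (the UDP SOA refresh query, with and without EDNS0, versus the TCP path a transfer uses), written as an added example and not code from either poster or from BIND: it builds the SOA query by hand, parses the serial out of the reply, and returns None where a path is filtered. The zone and master address from the logs are only sample arguments; everything is Python standard library.

```python
import socket, struct

def encode_name(name):  # labels as length-prefixed bytes, ending in the root label (0)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_soa_query(zone, qid=0x1234, edns=True):
    """SOA/IN query like BIND's refresh check; the EDNS0 OPT RR advertises 4096 bytes."""
    hdr = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns else 0)   # ARCOUNT=1 for OPT
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns else b""
    return hdr + encode_name(zone) + struct.pack("!HH", 6, 1) + opt   # QTYPE SOA, QCLASS IN

def skip_name(msg, off):
    # Walk labels until the root label (0) or a compression pointer (top bits 11).
    while msg[off] and msg[off] < 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)      # pointer is 2 bytes, root label is 1

def parse_soa_serial(msg):
    """Serial of the first SOA RR in the answer section, or None on error/no answer."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF: return None              # non-zero RCODE (SERVFAIL, REFUSED, ...)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 6:                       # SOA RDATA: MNAME, RNAME, then SERIAL
            p = skip_name(msg, skip_name(msg, off + 10))
            return struct.unpack("!I", msg[p:p + 4])[0]
        off += 10 + rdlen
    return None

def query_serial(master, zone, transport="udp", edns=True, timeout=3.0):
    """Send the query over UDP or TCP (2-byte length framing); None on timeout/error."""
    pkt = build_soa_query(zone, edns=edns)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(pkt, (master, 53))
                data = s.recv(4096)
        else:
            with socket.create_connection((master, 53), timeout) as s:
                s.sendall(struct.pack("!H", len(pkt)) + pkt)
                f = s.makefile("rb")
                data = f.read(struct.unpack("!H", f.read(2))[0])
        return parse_soa_serial(data)
    except OSError:                          # timeout, refused, unreachable
        return None
```

Run `query_serial("10.133.253.128", "salina.k-state.edu", "udp")`, then the same with `edns=False`, then with `"tcp"`: a serial that comes back only over TCP, or only without the OPT record, points at a middlebox on the path (the firewall or DNS ALG the posters mention) rather than at the zone configuration.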

Re: refresh: retry limit for master 10.133.253.128#53 exceeded (source 0.0.0.0#0)

2015-11-14 Thread Chris Buxton
Lawrence,

I've seen this where a firewall blocks UDP packets between slave and master, 
typically because it doesn't understand EDNS. The refresh query fails, so at 
expiry time, it just initiates a zone transfer anyway, and that succeeds (over 
TCP).

Checkpoint firewalls are the most common offenders in my experience.

Regards,
Chris Buxton

Sent from my iPhone

> On Nov 13, 2015, at 10:12 PM, Lawrence K. Chen, P.Eng.  wrote:
> 
> So, the last couple of days I've been banging my head on this problem.
> 
> Where I'm seeing this strangeness.
> 
> 13-Nov-2015 18:00:27.896 general: info: zone salina.k-state.edu/IN/internal: 
> refresh: retry limit for master 10.133.253.128#53 exceeded (source 0.0.0.0#0)
> 13-Nov-2015 18:00:27.896 general: info: zone salina.k-state.edu/IN/internal: 
> Transfer started.
> 13-Nov-2015 18:00:27.900 xfer-in: info: transfer of 
> 'salina.k-state.edu/IN/internal' from 10.133.253.128#53: connected using 
> 129.130.254.21#65439
> 
> Among the things I tried was setting 'transfer-source'.
> 
> 13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal: 
> refresh: retry limit for master 10.133.253.128#53 exceeded (source 
> 129.130.254.21#0)
> 13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal: 
> Transfer started.
> 13-Nov-2015 23:03:42.393 xfer-in: info: transfer of 
> 'salina.k-state.edu/IN/internal' from 10.133.253.128#53: connected using 
> 129.130.254.21#34391
> 
> No help.
> 
> Also disabled the host's firewall, though it was wide open for tcp/udp 
> involving port 53.
> 
> The fuller log context is:
> 
> 13-Nov-2015 23:03:03.298 notify: info: client 10.133.253.128#17589: view 
> internal: received notify for zone 'salina.k-state.edu'
> 13-Nov-2015 23:03:03.298 notify: info: client 10.133.253.128#17589: view 
> internal: received notify for zone '178.130.129.in-addr.arpa'
> 13-Nov-2015 23:03:03.298 general: info: zone salina.k-state.edu/IN/internal: 
> notify from 10.133.253.128#17589: refresh in progress, refresh check queued
> 13-Nov-2015 23:03:03.298 general: info: zone 
> 178.130.129.in-addr.arpa/IN/internal: notify from 10.133.253.128#17589: 
> refresh in progress, refresh check queued
> 13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal: 
> refresh: retry limit for master 10.133.253.128#53 exceeded (source 
> 129.130.254.21#0)
> 13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal: 
> Transfer started.
> 13-Nov-2015 23:03:42.393 xfer-in: info: transfer of 
> 'salina.k-state.edu/IN/internal' from 10.133.253.128#53: connected using 
> 129.130.254.21#34391
> 13-Nov-2015 23:03:42.443 general: info: zone salina.k-state.edu/IN/internal: 
> transferred serial 2015113475
> 13-Nov-2015 23:03:42.443 xfer-in: info: transfer of 
> 'salina.k-state.edu/IN/internal' from 10.133.253.128#53: Transfer completed: 
> 9 messages, 654 records, 17889 bytes, 0.049 secs (365081 bytes/sec)
> 13-Nov-2015 23:03:42.443 notify: info: zone salina.k-state.edu/IN/internal: 
> sending notifies (serial 2015113475)
> 13-Nov-2015 23:03:43.395 general: info: zone 
> 178.130.129.in-addr.arpa/IN/internal: refresh: retry limit for master 
> 10.133.253.128#53 exceeded (source 129.130.254.21#0)
> 13-Nov-2015 23:03:43.396 general: info: zone 
> 178.130.129.in-addr.arpa/IN/internal: Transfer started.
> 13-Nov-2015 23:03:43.400 xfer-in: info: transfer of 
> '178.130.129.in-addr.arpa/IN/internal' from 10.133.253.128#53: connected 
> using 129.130.254.21#34392
> 13-Nov-2015 23:03:43.438 general: info: zone 
> 178.130.129.in-addr.arpa/IN/internal: transferred serial 2015113421
> 13-Nov-2015 23:03:43.439 xfer-in: info: transfer of 
> '178.130.129.in-addr.arpa/IN/internal' from 10.133.253.128#53: Transfer 
> completed: 5 messages, 223 records, 6184 bytes, 0.038 secs (162736 bytes/sec)
> 13-Nov-2015 23:03:43.439 notify: info: zone 
> 178.130.129.in-addr.arpa/IN/internal: sending notifies (serial 2015113421)
> 
> zone "salina.k-state.edu" {
>     type slave;
>     file "sec/internal/zone.salina.k-state.edu";
>     masters {
>         10.133.253.128;
>         10.133.253.129;
>         129.130.254.20 key "int-tsig";
>     };
>     also-notify { 129.130.254.20 key "int-tsig"; };
>     transfer-source 129.130.254.21;
> };
> 
> I have 4 nameservers...one stealth master and 3 exposed secondaries...this 
> is the zone on 'ns-1.ksu.edu', and where I've just given away the IP of our 
> stealth master...
> 
> The intent (temporary at the time) was so delegated zones sending to 
> 'ns-1.ksu.edu' would work...by having that server send it to the stealth master, 
> which will then distribute it everywhere as if it had gotten it directly.
> 
> Of all the delegated subdomains...only the ones involving 10.133.253.128 are 
> experiencing this.  So, wondering if there's something about this that's 
> causing problems, or something special that needs to be set, etc.  Been 
> staring