AW: Unable to completely transfer root zone
Hi Warren,

> This sounds very much like a path MTU issue -- it starts the transfer,
> gets part of the way and then a big packet doesn't make it through...
> Are you doing the test dig from the same machine? And if so, from the same IP?

Yes, I test from the same system using the same source address.

> Also, can you try:
> dig +tcp . axfr @192.0.32.132
> dig +tcp . axfr @192.0.47.132
> dig +tcp . axfr @b.root-servers.net

This works, I get the whole root zone that way, no problems whatsoever.

Also, the nameserver today stopped responding to any queries because of this, I had to install a master copy of the root zone manually to get it working again.

@alcol: the zone file is writable for the bind user, the setup hasn't changed for a couple of years more or less. The zone transfer worked until 2020/02/04 as expected.

Tom
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Unable to completely transfer root zone
Hi

Usually it is a common problem. If you're successful via your root access, it means it is not a network or BIND related but FULL PATH and file permission issue. Daemons do not run with root privilege for privilege escalation and especially bind and others are jailed.

Check if all paths are not relative (all places) and FILEs permission (not forgetting directory permission (R X W)). As last, some security program could intercept it as a malicious action and lock it.

Some checks on the way but it is the common scenario when it is successful via your root access and not via daemon.

Alberto

From: bind-users on behalf of von Dein, Thomas
Sent: Monday, February 10, 2020 6:53 PM
To: bind-users@lists.isc.org
Subject: Unable to completely transfer root zone

Hi everyone,

we are unable to complete root zone transfer from our nameservers. This is the error we're getting:

Feb 10 18:33:32 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: connected using 192.168.1.1#11281
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: resetting
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: connected using 192.168.1.1#46875
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: failed while receiving responses: connection reset
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: Transfer status: connection reset
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: Transfer completed: 11 messages, 3058 records, 179403 bytes, 0.410 secs (437568 bytes/sec)

I can, however do it manually using "dig +tcp . axfr @lax.xfr.dns.icann.org".

The relevant part of the config is:

    zone "." {
        type slave;
        file "zone/slave/root.slave";
        masters {
            192.0.32.132; // lax.xfr.dns.icann.org.
            192.0.47.132; // iad.xfr.dns.icann.org.
        };
        notify no;
    };

Does anyone have an idea, what's wrong here and how I could possibly fix this?

Thanks in advance,
Tom
Re: Unable to completely transfer root zone
On Mon, Feb 10, 2020 at 12:53 PM von Dein, Thomas wrote:
>
> Hi everyone,
>
> we are unable to complete root zone transfer from our nameservers. This is
> the error we're getting:
>
> Feb 10 18:33:32 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: connected using 192.168.1.1#11281
> Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: resetting
> Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: connected using 192.168.1.1#46875
> Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: failed while receiving responses: connection reset
> Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: Transfer status: connection reset
> Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: Transfer completed: 11 messages, 3058 records, 179403 bytes, 0.410 secs (437568 bytes/sec)
>
> I can, however do it manually using "dig +tcp . axfr @lax.xfr.dns.icann.org".
>
> The relevant part of the config is:
>
> zone "." {
>     type slave;
>     file "zone/slave/root.slave";
>     masters {
>         192.0.32.132; // lax.xfr.dns.icann.org.
>         192.0.47.132; // iad.xfr.dns.icann.org.
>     };
>     notify no;
> };
>
> Does anyone have an idea, what's wrong here and how I could possibly fix this?

This sounds very much like a path MTU issue -- it starts the transfer, gets part of the way and then a big packet doesn't make it through...

Are you doing the test dig from the same machine? And if so, from the same IP?

Also, can you try:
dig +tcp . axfr @192.0.32.132
dig +tcp . axfr @192.0.47.132
dig +tcp . axfr @b.root-servers.net

(no, I'm not really sure why trying with the first 2 IPs instead of hostname, but, hey, 'tis easy to test :-))

W

>
>
> Thanks in advance,
> Tom

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf
Unable to completely transfer root zone
Hi everyone,

we are unable to complete root zone transfer from our nameservers. This is the error we're getting:

Feb 10 18:33:32 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: connected using 192.168.1.1#11281
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: resetting
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: connected using 192.168.1.1#46875
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: failed while receiving responses: connection reset
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: Transfer status: connection reset
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: Transfer completed: 11 messages, 3058 records, 179403 bytes, 0.410 secs (437568 bytes/sec)

I can, however do it manually using "dig +tcp . axfr @lax.xfr.dns.icann.org".

The relevant part of the config is:

    zone "." {
        type slave;
        file "zone/slave/root.slave";
        masters {
            192.0.32.132; // lax.xfr.dns.icann.org.
            192.0.47.132; // iad.xfr.dns.icann.org.
        };
        notify no;
    };

Does anyone have an idea, what's wrong here and how I could possibly fix this?

Thanks in advance,
Tom
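A log check for the failure shown in this thread, as an added example that is not part of the original posts or of BIND: it groups named's transfer records per zone and master and flags attempts whose status record is not a success. The function names and the `success` status string are assumptions of this example; the sample records are the ones posted above.

```python
import re

# Log records as posted in the thread, one syslog record per line.
SAMPLE_LOG = """\
Feb 10 18:33:32 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: connected using 192.168.1.1#11281
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: resetting
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: connected using 192.168.1.1#46875
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: failed while receiving responses: connection reset
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: Transfer status: connection reset
Feb 10 18:33:33 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: Transfer completed: 11 messages, 3058 records, 179403 bytes, 0.410 secs (437568 bytes/sec)
"""

XFER = re.compile(r"named\[\d+\]: transfer of '(?P<zone>[^']+)' "
                  r"from (?P<master>\S+?)#\d+: (?P<msg>.+)$")
STATS = re.compile(r"Transfer completed: (\d+) messages, (\d+) records, (\d+) bytes")
OK_STATUS = "success"  # assumption: status text named logs for a good transfer


def summarize_transfers(log_text):
    """Return one dict per finished transfer attempt, in log order."""
    pending, finished = {}, []   # pending: (zone, master) -> attempt
    for line in log_text.splitlines():
        m = XFER.search(line)
        if not m:
            continue
        key = (m["zone"], m["master"])
        a = pending.setdefault(key, {"zone": key[0], "master": key[1],
                                     "local": [], "resets": 0, "status": None})
        msg = m["msg"]
        if msg.startswith("connected using "):
            a["local"].append(msg.split()[-1])       # local address#port
        elif msg == "resetting":
            a["resets"] += 1
        elif msg.startswith("Transfer status: "):
            a["status"] = msg[len("Transfer status: "):]
        elif (s := STATS.match(msg)):
            # In the posted log this statistics record closes the attempt and
            # is written even though the transfer failed, so "Transfer
            # completed" alone is not treated as success.
            a["records"], a["bytes"] = int(s[2]), int(s[3])
            a["failed"] = a["status"] != OK_STATUS
            finished.append(pending.pop(key))
    return finished


def failed_transfers(log_text):
    """Attempts whose status record was anything other than OK_STATUS."""
    return [a for a in summarize_transfers(log_text) if a["failed"]]
```

The `local` list keeps the source address and port of each connection, which is the detail to compare against a manual `dig` run when checking whether both use the same source address.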