Re: Unable to completely transfer root zone
Matus UHLAR - fantomas wrote:
> If you use cisco routers, ask network admins to disable any DNS "fixup"
> functionality, because that usually causes problems.

On 14.02.20 12:47, Tony Finch wrote:
> In my experience all Cisco PIX/ASA fuxup options are horribly broken and
> should be turned off.

I agree but FW admins won't like generalisation like that.
Currently we can say that DNS fixup caused the DNS to fail and should be
turned off.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows. -- Matthew D. Fuller
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Unable to completely transfer root zone
On 11/02/2020 15:28, Warren Kumari wrote:
> On Tue, Feb 11, 2020 at 3:12 AM Stephane Bortzmeyer wrote:
>>
>> On Mon, Feb 10, 2020 at 02:32:55PM -0500,
>>  Warren Kumari wrote
>>  a message of 70 lines which said:
>>
>>> Also, can you try:
>>> dig +tcp . axfr @192.0.32.132
>>> dig +tcp . axfr @192.0.47.132
>>> dig +tcp . axfr @b.root-servers.net
>>>
>>> (no, I'm not really sure why trying with the first 2 IPs instead of
>>> hostname
>>
>> Because you know that IPv6 and IPv4 may exhibit different issues.
>
> Hey, yeah, that's it! Thank you for explaining my thought processes to
> me -- for an encore, can you explain why I keep losing my keys? :-)
>

I hope you guys are friends otherwise...

-1
Re: Unable to completely transfer root zone
On 14.02.20 09:32, von Dein, Thomas wrote:
> As reported we were unable to transfer the root zone for 1 week, then
> the expire time was over and we had an outage.

unfortunately this happens when you decide to mirror root zone and it fails.

you should use more primary servers when possible and change root zone
type from secondary to hint if it fails.

Note that rarely someone needs to have local copy of the root zone.

> Now we've seen in the logs many many log entries as the following on
> slave nameservers during that week when our local copy were still valid
> but the transfer was failing:
>
> 09-Jan-2020 16:24:23.361 edns-disabled: success resolving 'some-random-hostname.some-domain.de/A' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
>
> Besides the EDNS problem: it says (in '.'?). What does this mean?

don't you have any problem with "intelligent" firewall on your side?

If you use cisco routers, ask network admins to disable any DNS "fixup"
functionality, because that usually causes problems.

> The setup is like this:
>
> Proxy dmz with local forwarding bind => internet bind => internet

why not client => bind => internet? one bind is superfluous there, isn't it?

> The error above occurred on the forwarding bind in the proxy dmz.

so the problem firewall is between "forwarding bind" and "internet bind"

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
BSE = Mad Cow Disease ... BSA = Mad Software Producers Disease
Re: Unable to completely transfer root zone
Matus UHLAR - fantomas wrote:
>
> unfortunately this happens when you decide to mirror root zone and it fails.
>
> you should use more primary servers when possible and change root zone
> type from secondary to hint if it fails.

In this particular case, adding more primaries would not have helped
because the firewall that caused the breakage would have broken every
primary.

I have a little monitoring cron job to avoid this kind of problem.
(You'll need to adjust the paths for your setup.)

#!/usr/bin/perl
use warnings;
use strict;

# Walk the canonical configuration as printed by named-checkconf -px and
# remember the "type" of the zone block we are currently inside.
my $type = '';
for (qx(named-checkconf -px)) {
    $type = $1 if m{^\s*type\s+(\w+);$};
    # Only secondary (slave) zones with a file under ../zone/ are of interest.
    next unless $type eq "slave" and m{^\s*file\s+"\.\./zone/(.*)";$};
    my $zone = $1;
    my $file = "/home/named/zone/$1";
    # -M is the file age in days; a copy refreshed within the last day is fine.
    next if -f $file and 1 > -M $file;
    print "stale zone $zone\n";
}

> Note that rarely someone needs to have local copy of the root zone.

Yes.

> If you use cisco routers, ask network admins to disable any DNS "fixup"
> functionality, because that usually causes problems.

In my experience all Cisco PIX/ASA fuxup options are horribly broken and
should be turned off.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Shannon: South or southwest 6 to gale 8, increasing severe gale 9 or storm
10 for a time. Very rough at first in east, otherwise high or very high.
Rain or showers. Good, occasionally poor.
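The same stale-secondary check, written out as an added Python example rather than Tony's own cron job, and generalised a little: it resolves each zone's `file` against the `directory` option instead of assuming a fixed `../zone/` prefix, accepts both the `slave` and the newer `secondary` keyword, tracks brace depth so nested `masters`/`primaries` blocks do not confuse it, and treats a missing zone file as stale. The embedded `SAMPLE_CONF` is a constructed imitation of `named-checkconf -px` output with placeholder paths and addresses; `main()` runs the real `named-checkconf` and is the only part that touches the system.

```python
import os
import re
import subprocess
import time

# Constructed sample of the canonical configuration that `named-checkconf -px`
# prints; the paths and addresses are placeholders, not a real deployment.
SAMPLE_CONF = """\
options {
    directory "/home/named/etc";
};
zone "." {
    type slave;
    file "../zone/root";
    masters {
        192.0.32.132;
        192.0.47.132;
    };
};
zone "example.net" {
    type secondary;
    file "../zone/example.net";
    primaries {
        192.0.2.10;
    };
};
zone "localhost" {
    type master;
    file "../zone/localhost";
};
"""

DIR_RE = re.compile(r'^\s*directory\s+"([^"]+)";')
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"')
TYPE_RE = re.compile(r'^\s*type\s+(\w+);')
FILE_RE = re.compile(r'^\s*file\s+"([^"]+)";')


def secondary_zones(conf_text):
    """Return (zone name, absolute zone file path) for every slave/secondary
    zone, resolving `file` relative to the options `directory`."""
    directory = "."
    zones = []
    name = ztype = zfile = None
    depth = 0
    for line in conf_text.splitlines():
        m = DIR_RE.match(line)
        if m:
            directory = m.group(1)
        if depth == 0:
            m = ZONE_RE.match(line)
            if m:
                name, ztype, zfile = m.group(1), None, None
        elif name is not None and depth == 1:
            # Only the zone's own statements count, not nested blocks such
            # as masters/primaries.
            m = TYPE_RE.match(line)
            if m:
                ztype = m.group(1)
            m = FILE_RE.match(line)
            if m:
                zfile = m.group(1)
        depth += line.count("{") - line.count("}")
        if depth == 0 and name is not None:
            if ztype in ("slave", "secondary") and zfile:
                path = os.path.normpath(os.path.join(directory, zfile))
                zones.append((name, path))
            name = None
    return zones


def stale_zones(conf_text, age_days, max_age_days=1.0):
    """age_days(path) returns a file's age in days, or None if it is missing.
    A secondary zone whose copy is missing or older than max_age_days is stale."""
    stale = []
    for name, path in secondary_zones(conf_text):
        age = age_days(path)
        if age is None or age > max_age_days:
            stale.append((name, path, age))
    return stale


def file_age_days(path):
    """Age of a file in days from its mtime; None if it does not exist."""
    try:
        return (time.time() - os.stat(path).st_mtime) / 86400.0
    except FileNotFoundError:
        return None


def main():
    # Ask named itself for the canonical configuration, as the Perl script does.
    conf = subprocess.run(["named-checkconf", "-px"], check=True,
                          capture_output=True, text=True).stdout
    for name, path, age in stale_zones(conf, file_age_days):
        shown = "missing" if age is None else f"{age:.1f} days old"
        print(f"stale zone {name}: {path} ({shown})")


if __name__ == "__main__":
    main()
```

Run it from cron and alert on any output. Pick `max_age_days` well below the zone's SOA expire interval (for the root zone, the one week after which the thread's outage began), so a failing transfer is noticed while the local copy is still being served.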
AW: Unable to completely transfer root zone
I've got one follow-up question:

As reported we were unable to transfer the root zone for 1 week, then
the expire time was over and we had an outage.

Now we've seen in the logs many many log entries as the following on
slave nameservers during that week when our local copy were still valid
but the transfer was failing:

09-Jan-2020 16:24:23.361 edns-disabled: success resolving 'some-random-hostname.some-domain.de/A' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets

Besides the EDNS problem: it says (in '.'?). What does this mean?

The setup is like this:

Proxy dmz with local forwarding bind => internet bind => internet

The error above occurred on the forwarding bind in the proxy dmz.

best regards,
Tom

-----Original Message-----
From: von Dein, Thomas
Sent: Tuesday, 11 February 2020 14:45
To: 'Tony Finch' ; Warren Kumari
Cc: bind-users@lists.isc.org
Subject: AW: Unable to completely transfer root zone

Hi,

> So maybe try setting `request-ixfr no;` and see if that improves matters.

Nope, didn't change anything. Also, I was wrong when I stated that dig
works, it does not. It transfers only a part of the zone as well.

However, in the meantime we found that some component drops packets. I
implemented my own "root nameserver" and lots of packets sent out from it
are not arriving here. So, not bind9's fault.

Thanks a lot for your help anyway people!

best,
Tom
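The `edns-disabled` line Tom quotes (and Matus quotes back) is useful as a signal in its own right: BIND logs it when a query only succeeded after it fell back to a smaller EDNS buffer or to no EDNS, and the name in parentheses is the zone cut BIND believes the queried server serves, the question mark marking it as a guess. A handful of these per day is normal; a sustained burst, spread across many zones or attributed to '.', points at something on the path (a firewall "fixup", a packet-dropping middlebox) rather than at one broken remote server, and in this thread it preceded the failed root zone transfer by days. The following detector is an added example, not code from the thread: it parses the default BIND log format, counts fallbacks per hour and per guessed zone, and returns the hours worth alerting on. Only the first sample line is the one quoted in the thread; the rest of `SAMPLE_LOG` is constructed with placeholder names.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in BIND's default log line format. The first line is the
# one quoted in the thread; the others are made up for this example, including
# the unrelated xfer-in line that the parser has to ignore.
SAMPLE_LOG = """\
09-Jan-2020 16:24:23.361 edns-disabled: success resolving 'some-random-hostname.some-domain.de/A' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
09-Jan-2020 16:24:24.102 edns-disabled: success resolving 'www.example.net/AAAA' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
09-Jan-2020 16:31:07.540 edns-disabled: success resolving 'mail.example.org/MX' (in 'example.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
09-Jan-2020 16:40:01.009 xfer-in: transfer of './IN' from 192.0.32.132#53: failed while receiving responses: connection reset
09-Jan-2020 17:02:11.777 edns-disabled: success resolving 'ns1.example.com/A' (in 'com'?) after reducing the advertised EDNS UDP packet size to 512 octets
"""

EDNS_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"edns-disabled: success resolving '(?P<qname>[^']+)' "
    r"\(in '(?P<zone>[^']+)'\?\) after (?P<reason>.+)$"
)


def parse_edns_events(log_text):
    """Extract edns-disabled fallback events; other log categories are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EDNS_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
            "qname": m.group("qname"),
            "zone": m.group("zone"),      # BIND's guess at the queried server's zone
            "reason": m.group("reason"),  # which fallback made the query succeed
        })
    return events


def events_per_hour(events):
    """Count fallbacks per clock hour."""
    return Counter(e["ts"].strftime("%Y-%m-%d %H") for e in events)


def zone_breakdown(events):
    """Count fallbacks by the zone cut BIND guessed. Many different zones, or
    '.' itself, point at a path problem on your side rather than at one
    misbehaving remote authoritative server."""
    return Counter(e["zone"] for e in events)


def noisy_hours(events, threshold):
    """Hours in which fallbacks exceeded the threshold; this is what to alert on."""
    per_hour = events_per_hour(events)
    return sorted(h for h, n in per_hour.items() if n > threshold)


if __name__ == "__main__":
    evs = parse_edns_events(SAMPLE_LOG)
    print(f"{len(evs)} edns-disabled events")
    for zone, n in zone_breakdown(evs).most_common():
        print(f"  zone {zone!r}: {n}")
    for hour in noisy_hours(evs, threshold=2):
        print(f"ALERT: {events_per_hour(evs)[hour]} EDNS fallbacks in hour {hour}")
```

Feed it the `resolver` or default log channel of the forwarding BIND (the one Tom says logged the errors) and tune `threshold` against a quiet week's baseline; the `zone_breakdown` output also tells a firewall admin which upstream paths to test with `dig +tcp . axfr` and a large-EDNS query so the conversation is about a measured failure rather than a generalisation about DNS fixup.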