Hi list.

I have a BIND server that is acting as a secondary to replicate a zone from SpamHaus/Deteque, which is then used internally as a Response Policy Zone. This had been working fine for several years, but recently I noticed that BIND was reporting that the zone had expired. When I looked closer I realised that I'd only specified the 2 x IPv6 addresses for the SpamHaus servers, and for some reason neither of those were responding to DNS queries, so I added in the IPv4 addresses. My configuration basically looked like this:

   primaries deteque-primary {
            2600:1f18:215e:b701:8624:5523:94aa:f163;
            2a05:d014:1bf:db01:c11:ab37:1f20:3358;
            34.194.195.25;
            35.156.219.71;
   };
   ...
   view "xxx" {
            zone "drop.ip.dtq" {
                    type secondary;
                    file "db.drop.ip.dtq";
                    primaries { deteque-primary; };
                    notify explicit;
                    also-notify { nick-secondary-deteque; };
                    allow-transfer { nick-nameservers-private; };
                    allow-query { nick-nameservers-private; loopback-networks; };
            };
   };

My expectation was that BIND would try the first IPv6 address (2600:1f18:215e:b701:8624:5523:94aa:f163), then when that timed out due to no response, it would try the second one (2a05:d014:1bf:db01:c11:ab37:1f20:3358), then after that timed out it would try the first IPv4 address (34.194.195.25) which should succeed.

However, after restarting BIND I was finding that the zone still wasn't being transferred. And Wireshark revealed that SOA query packets were being sent every 15 seconds to the first address only (2600:1f18:215e:b701:8624:5523:94aa:f163), which wasn't replying (as expected), and no packets were being sent to any of the other IP addresses listed in the 'primaries' statement. (I left the packet capture running for >15 minutes without seeing any packets being sent to the other 3 addresses.)

So my question is: For a secondary zone, are there any circumstances where BIND would try the servers listed after the first entry in the primaries stanza? And if so, should the lack of response from the first primary be one of those circumstances?

In other words, is the behaviour I'm seeing a bug, or does BIND always only use the first entry in a primaries stanza of a secondary zone?

FYI BIND version is: 9.18.1

Thanks,

Nick.
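One way to see for yourself which entries in a primaries stanza actually answer, independently of what named chooses to do with them, is to probe every listed address with an SOA query. The script below is an added example written for this thread, not code from the post or from ISC; the stanza and zone name are taken from the post above, and the raw UDP query (no dnspython) is an assumption about how you would rather check without a library. The main block runs live network probes; the parsing and packet-building functions work offline.

```python
import re
import socket
import struct
import random

# Constructed sample: the primaries stanza exactly as given in the post.
NAMED_CONF = """
primaries deteque-primary {
        2600:1f18:215e:b701:8624:5523:94aa:f163;
        2a05:d014:1bf:db01:c11:ab37:1f20:3358;
        34.194.195.25;
        35.156.219.71;
};
"""

def parse_primaries(conf, name):
    """Return the addresses listed in the named 'primaries' block, in file order."""
    m = re.search(r'primaries\s+%s\s*\{(.*?)\};' % re.escape(name), conf, re.S)
    if not m:
        raise ValueError("no primaries block named %r" % name)
    return [a.strip() for a in m.group(1).split(';') if a.strip()]

def build_soa_query(zone):
    """Build a minimal DNS query (class IN, type SOA) for zone; returns (txid, packet)."""
    txid = random.randrange(0, 0x10000)
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b''.join(bytes([len(l)]) + l.encode() for l in zone.strip('.').split('.')) + b'\x00'
    return txid, header + qname + struct.pack('!HH', 6, 1)  # QTYPE SOA=6, QCLASS IN=1

def probe_soa(addr, zone, timeout=3.0):
    """Send one SOA query over UDP; return the RCODE (0 = NOERROR), or None on no/invalid reply."""
    txid, pkt = build_soa_query(zone)
    fam = socket.AF_INET6 if ':' in addr else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(pkt, (addr, 53))
            data, _ = s.recvfrom(4096)
        except OSError:          # timeout, ICMP unreachable, no route, ...
            return None
    if len(data) < 12:
        return None
    rid, flags = struct.unpack('!HH', data[:4])
    if rid != txid or not flags & 0x8000:   # must match our ID and be a response
        return None
    return flags & 0x000F

if __name__ == '__main__':
    for addr in parse_primaries(NAMED_CONF, 'deteque-primary'):
        rc = probe_soa(addr, 'drop.ip.dtq')
        print(addr, 'no reply' if rc is None else 'rcode=%d' % rc)
```

Any address that reports "no reply" here is one that a secondary cannot transfer from, whichever position it holds in the stanza.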

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to