[nsd-users] test setup problem: secondary expires zones

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Feb 16 10:15:41 UTC 2012


Hi,

It turns out that axfrdns/djbdns does not implement RFC1995, IXFR. It
will respond to an IXFR query with NODATA. NSD marks this packet as
bad (too short) and it will retry again later.

To make NSD deal better with this, I have committed a change to the
NSD3 branch. NSD will fall back to an AXFR query if an IXFR request
results in a NODATA response. This behavior will not interfere with
the 'allow-axfr-fallback' option: if that is set to no, there will
still be no fallback to AXFR.

Best regards,
  Matthijs

On 02/13/2012 01:59 PM, Toni Mueller wrote:
> 
> Hi Matthijs,
> 
> On Mon, Feb 13, 2012 at 12:01:53PM +0100, Matthijs Mekking wrote:
>>> axfrdns: fatal: unable to locate information in data.cdb
>> So dig is able to transfer the zone, without axfrdns logging
>> this message? What is the difference in query packet?
> 
> I'm not clueful enough to understand the query packets, but I could
> see nsd querying for the TLD, but not always querying for the full
> domain, provided that the queried domain name is supposed to be
> contained in the query packet in clear text (like querying for
> "net", not always "oeko.net").
> 
>> If I don't update the zone at the master, no logs are being
>> produced, but I see SOA queries going over the wire. If I update
>> the zone, you should see something like:
>> 
>> [1329129836] nsd[6042]: info: Zone example.com serial 23 is
>> updated to 24.
> 
> I artificially updated zones with no other change than an
> increased serial on the master, then restarted nsd, but to no
> effect.
> 
>> This shows that the socket is nonblocking and connecting cannot
>> be completed immediately. The read would block. Seems ok to me if
>> the response is not received (immediately).
> 
>>> Both software packages run on the same machine, but currently,
>>> nsd usually does not receive any queries from the Internet
>>> (unless you query the ip directly).
>> 
>> With both software packages, you mean? Both addresses seem to be
>> non responsive to me, by the way.
> 
> I am uncertain about what you mean. Is my network (46.29.40/21)
> not being routed to you?
> 
> I have no trouble querying the servers from here, but I configured
> the servers to not allow axfr from anywhere, only from select
> sources (the secondaries). If you have an IP number for me, I can
> put you onto the whitelist, too.
> 
> 
> As for regular queries:
> 
> 
> $ dig +tcp @46.29.40.35 oeko.net any   <--- this is axfrdns
> 
> ; <<>> DiG 9.7.3 <<>> @46.29.40.35 oeko.net any
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25192
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 2
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;oeko.net.                      IN      ANY
> 
> ;; ANSWER SECTION:
> oeko.net.               2560    IN      SOA     a.ns.oeko.net. hostmaster.oeko.net. 1021018224 16384 2048 1048576 2560
> oeko.net.               259200  IN      NS      a.ns.oeko.net.
> oeko.net.               259200  IN      NS      a.ns.bsws.de.
> oeko.net.               259200  IN      NS      c.ns.bsws.de.
> oeko.net.               86400   IN      MX      12848 d.mx.oeko.net.
> oeko.net.               86400   IN      A       46.29.42.25
> 
> ;; ADDITIONAL SECTION:
> a.ns.oeko.net.          86400   IN      A       46.29.40.35
> d.mx.oeko.net.          3600    IN      A       46.29.42.41
> 
> ;; Query time: 44 msec
> ;; SERVER: 46.29.40.35#53(46.29.40.35)
> ;; WHEN: Mon Feb 13 13:49:06 2012
> ;; MSG SIZE  rcvd: 203
> 
> $ dig +tcp @46.29.40.34 oeko.net any   <--- This is nsd
> 
> ; <<>> DiG 9.7.3 <<>> @46.29.40.34 oeko.net any
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47903
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;oeko.net.                      IN      ANY
> 
> ;; Query time: 44 msec
> ;; SERVER: 46.29.40.34#53(46.29.40.34)
> ;; WHEN: Mon Feb 13 13:49:09 2012
> ;; MSG SIZE  rcvd: 26
> 
> 
> Anything that you'd like me to test, specifically?
> 
> 
> 
> Kind regards,
> --Toni++
> 


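The fallback decision described in the message above, as an added C example that is not part of the original post and is not NSD source code. The function name, the enum and the sample packet are hypothetical and constructed for illustration; treating every non-NOERROR rcode as "retry later" is an assumption, since the post only covers the NODATA case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for illustration; this is not NSD source code. */
enum xfr_action { XFR_PROCESS, XFR_FALLBACK_AXFR, XFR_RETRY_LATER };

#define DNS_HDR_LEN 12

/* Decide what a secondary does with the reply to its IXFR query.
 * allow_axfr_fallback mirrors the 'allow-axfr-fallback' option. */
enum xfr_action classify_ixfr_reply(const uint8_t *pkt, size_t len,
                                    uint16_t query_id, int allow_axfr_fallback)
{
    if (len < DNS_HDR_LEN)
        return XFR_RETRY_LATER;               /* no complete DNS header */

    uint16_t id      = (uint16_t)(pkt[0] << 8 | pkt[1]);
    int      qr      = pkt[2] >> 7;           /* 1 = response */
    int      rcode   = pkt[3] & 0x0f;         /* 0 = NOERROR */
    uint16_t ancount = (uint16_t)(pkt[6] << 8 | pkt[7]);

    if (!qr || id != query_id)
        return XFR_RETRY_LATER;               /* not an answer to our query */
    if (rcode != 0)
        return XFR_RETRY_LATER;               /* assumption: other rcodes just retry */
    if (ancount == 0)                         /* NODATA: master does not do IXFR */
        return allow_axfr_fallback ? XFR_FALLBACK_AXFR : XFR_RETRY_LATER;
    return XFR_PROCESS;                       /* hand the records to the IXFR parser */
}

/* Constructed sample: NOERROR reply, zero answers, question "example.com IXFR IN". */
static const uint8_t nodata_reply[] = {
    0x12, 0x34, 0x84, 0x00, 0, 1, 0, 0, 0, 0, 0, 0,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0, 251, 0, 1
};

int main(void)
{
    static const char *names[] = { "process", "fallback to AXFR", "retry later" };
    for (int allow = 1; allow >= 0; allow--)
        printf("allow-axfr-fallback=%s -> %s\n", allow ? "yes" : "no",
               names[classify_ixfr_reply(nodata_reply, sizeof nodata_reply,
                                         0x1234, allow)]);
    return 0;
}
```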

