Discussion:
My IXFR/AXFR stopped suddenly
Blason R
2018-07-06 13:46:00 UTC
Hi Team,

Any clue how I can troubleshoot why master-to-slave IXFR/AXFR stopped? It
was working before; even my logs show notifies. I can connect to my slave
on the customised port that NOTIFY messages are sent to, but then the PULL
from slave to master is not working.

Master
zone "block.now" {
        type master;
        file "/var/lib/bind/zones/block.now.db";
        notify explicit;
        also-notify {
                2.2.2.2 port 15455;
        };
        allow-transfer {
                2.2.2.2;
        };
};

ON SLAVE
zone "block.now" {
        type slave;
        file "/var/lib/bind/zones/block.now.db";
        masters { x.x.x.x; };
        allow-transfer { none; };
        allow-query { localhost; };
        allow-notify { x.x.x.x; };
};

06-Jul-2018 14:10:28.341 client x.x.x.x#10090: received notify for zone
'block.now'
06-Jul-2018 14:14:54.988 client x.x.x.x#10093: received notify for zone
'block.now'
Sten Carlsen
2018-07-06 17:28:53 UTC
Hi
Post by Blason R
Hi Team,
Any clue how do I troubleshoot why master to Slave IXFR/AXFR stopped?
It was working before even my logs shows notifies..I can connect to my
slave on customised port that NOTIFY messages are sent but then PULL
from slave to master is not working.
Master
zone "block.now" {
        type master;
        file "/var/lib/bind/zones/block.now.db";
        notify explicit;
        also-notify {
               2.2.2.2 port 15455;
        };
        allow-transfer {
                2.2.2.2;
        };
                       
ON SLAVE
zone "block.now" {
        type slave;
        file "/var/lib/bind/zones/block.now.db";
        masters { x.x.x.x; };
        allow-transfer { none; };
        allow-query { localhost;};
        allow-notify { x.x.x.x; };
        };
Maybe I am missing something but how will the slave know that it must
use port 15455?
Post by Blason R
06-Jul-2018 14:10:28.341 client x.x.x.x#10090: received notify for
zone 'block.now'
06-Jul-2018 14:14:54.988 client x.x.x.x#10093: received notify for
zone 'block.now'
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users
Matus UHLAR - fantomas
2018-07-06 17:36:54 UTC
Post by Sten Carlsen
Post by Blason R
Any clue how do I troubleshoot why master to Slave IXFR/AXFR stopped?
It was working before even my logs shows notifies..I can connect to my
slave on customised port that NOTIFY messages are sent but then PULL
from slave to master is not working.
customised port, that's why transfers stopped working.
Post by Sten Carlsen
Post by Blason R
Master
zone "block.now" {
        type master;
        file "/var/lib/bind/zones/block.now.db";
        notify explicit;
        also-notify {
               2.2.2.2 port 15455;
        };
        allow-transfer {
                2.2.2.2;
        };
                       
ON SLAVE
zone "block.now" {
        type slave;
        file "/var/lib/bind/zones/block.now.db";
        masters { x.x.x.x; };
        allow-transfer { none; };
        allow-query { localhost;};
        allow-notify { x.x.x.x; };
        };
Maybe I am missing something but how will the slave know that it must
use port 15455?
on the slave, you must configure the master with port 15455.
see "server" directive.
of course, it will use port 15455 for all queries then.
Post by Sten Carlsen
Post by Blason R
06-Jul-2018 14:10:28.341 client x.x.x.x#10090: received notify for
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".
Anand Buddhdev
2018-07-06 21:49:04 UTC
Post by Matus UHLAR - fantomas
customised port, that's why transfers stopped working.
No Matus, you're wrong.
Post by Matus UHLAR - fantomas
on the slave, you must configure the master with port 15455.
see "server" directive.
of course, it will use port 15455 for all queries then.
No, you're off the track here.

Blason's config means this:

The slave is configured to listen on port 15455. The master has been
told to send a NOTIFY to the slave. The master will originate this
NOTIFY message from a random source port, and send it to the slave on
destination port 15455.

The slave is obviously receiving the NOTIFY message, as evidenced by the
log message on the slave:

06-Jul-2018 14:10:28.341 client x.x.x.x#10090: received notify for zone
'block.now'

At this point, the slave should refresh the zone from the master. Blason
says it's not refreshing.

Blason, try debugging by using "dig" on the slave to manually transfer
the zone from the master. Maybe that will give you a clue to the problem.

Anand
Sten Carlsen
2018-07-06 21:52:42 UTC
Post by Anand Buddhdev
Post by Matus UHLAR - fantomas
customised port, that's why transfers stopped working.
No Matus, you're wrong.
Post by Matus UHLAR - fantomas
on the slave, you must configure the master with port 15455.
see "server" directive.
of course, it will use port 15455 for all queries then.
No, you're off the track here.
The slave is configured to listen on port 15455.
Where in the slave's configuration is that specified? Rather the master
sends notifys on two ports: 53 and 15455.
Post by Anand Buddhdev
The master has been
told to send a NOTIFY to the slave. The master will originate this
NOTIFY message from a random source port, and send it to the slave on
destination port 15455.
The slave is obviously receiving the NOTIFY message, as evidence by the
06-Jul-2018 14:10:28.341 client x.x.x.x#10090: received notify for zone
'block.now'
At this point, the slave should refresh the zone from the master. Blason
says it's not refreshing.
Blason, try debugging by using "dig" on the slave to manually transfer
the zone from the master. Maybe that will give you a clue to the problem.
Anand
--
Best regards

Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!"

Anand Buddhdev
2018-07-06 21:58:08 UTC
On 06/07/2018 23:52, Sten Carlsen wrote:

Hello Sten,
Post by Sten Carlsen
Post by Anand Buddhdev
The slave is configured to listen on port 15455.
Where in the slave's configuration is that specified? Rather the master
sends notifys on two ports: 53 and 15455.
Blason has not shown his full config, but it must be listening on port
15455 to be receiving the NOTIFY message, as shown by the log entry.

The master has:

notify explicit;
also-notify {
2.2.2.2 port 15455;
};

This tells the master to notify 2.2.2.2 on port 15455. There is no
notify on port 53. What made you think that port 53 is being used?

Anand
Blason R
2018-07-07 03:37:21 UTC
Yes, Anand is right; I didn't disclose the full config of the slave, but it's
been configured to listen on port 15455, that UDP port is listening, and I can
connect to that port using nc.

It was in fact working absolutely fine but suddenly it stopped.

@Anand - can you confirm what command I should run on the slave to debug?
That is what I wanted and am not aware of.
Blason R
2018-07-07 04:25:59 UTC
Well, I just tried transferring zone using dig and it was successful from
slave

On slave
dig AXFR block.now @xx.xx.xx.xx

On master xfer-out.log

07-Jul-2018 09:53:11.520 client xx.xx.xx.xx#16129 (immediate.block):
transfer of 'block.now/IN': AXFR started (serial 2018061016)
07-Jul-2018 09:53:11.521 client xx.xx.xx.xx#16129 (immediate.block):
transfer of 'block.now/IN': AXFR ended
Blason R
2018-07-07 06:01:41 UTC
Well, after numerous tries I could not succeed, hence I had to delete the
block.now.db file and restart the service;
it then did the AXFR, and later IXFR started as well.
Matus UHLAR - fantomas
2018-07-07 15:59:50 UTC
Post by Blason R
Well after numerous try I could not succeed hence then I had to delete the
block.now.db file and had to restart the service
it then done the AXFR and later IXFR started as well.
have you incremented the serial number on master?

if the serial on the slave is bigger or the same as the one on the master
(or the one in the NOTIFY), slave does not try to xfer the zone.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #99999: Out of error messages.
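
The serial check described in the message above, as an added example that is not part of the original thread: it compares SOA serials with RFC 1982 serial arithmetic to tell whether a slave would refresh. The host names in the sample SOA lines and the slave serial are constructed; `query_soa` assumes `dig` is installed.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a slave would refresh,
# by comparing SOA serials with RFC 1982 serial number arithmetic.

# serial_newer A B: exit 0 only if 32-bit serial A is newer than B.
serial_newer() {
    a=$1; b=$2
    diff=$(( (a - b) & 4294967295 ))      # (A - B) mod 2^32
    # Newer means a forward distance of 1 .. 2^31-1; 0 is equal, and
    # exactly 2^31 is undefined in RFC 1982, so both count as "not newer".
    [ "$diff" -ne 0 ] && [ "$diff" -lt 2147483648 ]
}

# soa_serial LINE: third field of a `dig +short SOA` answer line.
soa_serial() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# query_soa SERVER PORT ZONE: live lookup (assumes dig is installed).
query_soa() {
    dig +short +norec -p "$2" @"$1" "$3" SOA
}

# refresh_verdict MASTER_SOA_LINE SLAVE_SOA_LINE
refresh_verdict() {
    m=$(soa_serial "$1"); s=$(soa_serial "$2")
    if serial_newer "$m" "$s"; then
        echo "transfer: master serial $m is newer than slave serial $s"
    elif [ "$m" -eq "$s" ]; then
        echo "no-transfer: both serials are $m"
    else
        echo "no-transfer: slave serial $s is ahead of master serial $m"
    fi
}

# Constructed sample answers; only serial 2018061016 appears in the thread.
MASTER_SOA='ns1.block.now. hostmaster.block.now. 2018061016 3600 600 86400 300'
SLAVE_SOA='ns1.block.now. hostmaster.block.now. 2018070701 3600 600 86400 300'

refresh_verdict "$MASTER_SOA" "$SLAVE_SOA"
# Live use, with the ports from the thread (master on 53, slave on 15455):
#   refresh_verdict "$(query_soa 3.3.3.3 53 block.now)" \
#                   "$(query_soa 2.2.2.2 15455 block.now)"
```

A "slave is ahead" verdict is the case where NOTIFY messages keep arriving but no transfer follows until the slave's copy of the zone is discarded.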
Blason R
2018-07-08 06:17:46 UTC
OK - It seems there is a lot of confusion about the setup as I didn't give the
entire config.

Here is my entire config

*Master config*
zone "block.now" {
        type master;
        file "/var/lib/bind/zones/block.now.db";
        notify explicit;
        also-notify {
                2.2.2.2 port 15455;
        };
        allow-transfer {
                2.2.2.2;
        };
};

*Slave Config*
zone "block.now" {
        type slave;
        file "/var/lib/bind/zones/block.now.db";
        masters { 3.3.3.3; };
        allow-transfer { none; };
        allow-query { localhost; };
        allow-notify { 3.3.3.3; };
};

*/etc/bind/named.conf.options*
options {
        version "custombind";
        allow-query { localhost; subnets; };
        directory "/var/cache/bind";
        recursion yes;
        querylog yes;
        forwarders {
                1.1.1.1; 9.9.9.9; 208.67.222.222; 8.8.8.8;
        };
        // dnssec-validation auto;
        request-ixfr yes;
        auth-nxdomain no; # conform to RFC1035
        // listen-on-v6 { any; };
        listen-on port 53 { any; };
        listen-on port 15455 { any; };
        response-policy {
                zone "whitelist.allow" policy passthru;
                zone "block.now";
        };
};

@ Matus UHLAR - fantomas - Yes, that is the basic stuff.
One clue I see here is that whenever I do rndc reload there are no logs
generated in xfer-out.log; however, on the slave notify logs are seen.
Even after the zone refresh time it always shows 1 record transferred, when in
fact sometimes I even added or deleted more than 1 record. Hence finally I
deleted the file from the slave
and restarted the daemon, and it did the trick.
Alan Clegg
2018-07-07 11:31:14 UTC
Post by Blason R
Well, I just tried transferring zone using dig and it was successful
from slave
On slave
On master xfer-out.log
transfer of 'block.now/IN': AXFR started (serial 2018061016)
transfer of 'block.now/IN': AXFR ended
This isn't using port 15455.

AlanC
--
Why don't we wander and follow la vie dansante.
Anand Buddhdev
2018-07-07 12:48:27 UTC
Post by Alan Clegg
Post by Blason R
Well, I just tried transferring zone using dig and it was successful
from slave
On slave
On master xfer-out.log
transfer of 'block.now/IN': AXFR started (serial 2018061016)
transfer of 'block.now/IN': AXFR ended
This isn't using port 15455.
That's right Alan, but how does that matter? Everyone here seems
obsessed by port 15455. It seems everyone here needs a lesson in how
BIND works:

master:
-------
- Listens on port 53
- Serves zone block.now
- Sends UDP NOTIFY to slave at 2.2.2.2, from a RANDOM source port, and
destination port 15455.

slave:
------
- Listens on port 15455
- Loads zone block.now from the master at xx.xx.xx.xx
- AXFRs zone block.now from master xx.xx.xx.xx by initiating a TCP query
with a RANDOM source port, and destination port 53 (the default).
- Gets NOTIFY from master, from a RANDOM source port, and to destination
port 15455, when the zone block.now is updated

This is a perfectly legal setup. Blason says it wasn't working, but I
can't explain why. There may be something else wrong.

Of course, Blason is also being awkward with all of us, by showing us
only parts of his configuration, instead of showing all of it. Normally
I would try to help folk, but I have very little patience for folk who
deliberately hide their configs from us, and expect us to guess what the
problem may be.

Are you paying attention Blason? Help yourself by sharing your FULL
configs, and avoid all this second-guessing from people.

Regards,
Anand