[Opendnssec-user] Re: Bind AXFR problem

Matthijs Mekking matthijs at nlnetlabs.nl
Fri May 18 08:16:54 UTC 2012


When I try a simple drill, it seems to be working for me...

drill -p 5398 -y <tsigstuff> @<opendnssec> example.com soa

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 21616
;; flags: qr aa rd ; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;; example.com.	IN	SOA

;; ANSWER SECTION:
example.com.	3600	IN	SOA	ns1.example.com. hostmaster.example.com. 2539 28800 7200 604800 3600
example.com.	3600	IN	RRSIG	SOA 8 2 3600 20120518081431 20120518080829 42244 example.com. 2czTwGPxjYue6kSIxU/G9IueI6Kw6u4tOjJxfvGYKmUUQyxtlHgNpIbcYjDdDDqdrnx/II6iVvtvBTb/DeBMWjcWkTizDgDudUZRM+Mr5rXitq9neaw+XFO0zo3JoW3Le7ibzd4tezKduMXAoSt+3oAB+kdqG1BUr1GL+krox/M=

;; AUTHORITY SECTION:
example.com.	3600	IN	NS	ns2.example.com.
example.com.	3600	IN	NS	ns1.example.com.
example.com.	3600	IN	RRSIG	NS 8 2 3600 20120518081432 20120518080829 42244 example.com. 4isFLIZ0HbOCa0h9hiQwQKW3YjG/XTFwhKCLMnnLscembkVsRo/o26muRM/QEaUvp2mc7ocCtJDNIQi2sQUxE9NZ5F11bJoJDac7DYQx8pWg/2ZTFkA9sI0vGIgJodrx+5/wzneEyajJ+nB+AJkivDMuEOWw0WpvoiWyf/p7/LA=

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; TSIG:
;; tsig.	0	ANY	TSIG	hmac-sha256. 1337327616  300 32 tyY1srt5+FYUNV1PHuIztv21axyItvbwgzCbqS72oYE= 21616 0 0

;; SERVER: 213.154.224.18
;; WHEN: Fri May 18 10:09:35 2012
;; MSG SIZE  rcvd: 650


Logs:

May 18 10:13:07 zoidberg ods-signerd: [socket] incoming udp message
May 18 10:13:07 zoidberg ods-signerd: [query] zone pletterpet.nl. not found
May 18 10:13:07 zoidberg ods-signerd: [query] tsig ok
May 18 10:13:07 zoidberg ods-signerd: [query] incoming query qtype=SOA for zone pletterpet.nl
May 18 10:13:07 zoidberg ods-signerd: [acl] match 213.154.224.30
May 18 10:13:07 zoidberg ods-signerd: [socket] query processed qstate=0
May 18 10:13:07 zoidberg ods-signerd: [socket] sending 650 bytes over udp
May 18 10:13:07 zoidberg ods-signerd: [dnshandler] netio dispatch


On 05/17/2012 05:03 PM, Daniel Salzman wrote:
> It seems that Bind doesn't send AXFR at first but sends standard
> query SOA with TSIG. OpenDNSSEC responds without TSIG on standard
> query...
> 
> Dan
> 
> 
> On 05/16/2012 05:06 PM, Daniel Salzman wrote:
>> Hi,
>> 
>> I'm not sure where the problem is, but Bind (9.7.3, 9.8.1-P1)
>> rarely downloads the zone from OpenDNSSEC (1.4.0-trunk r6339). Dig
>> utility or KnotDNS downloads the zone each time.
>> 
>> Logs for unsuccessful case:
>> 
>> == 172.20.20.215 ==
>> May 16 16:56:11 nic ods-signerd: [socket] incoming udp message
>> May 16 16:56:11 nic ods-signerd: [query] tsig ok
>> May 16 16:56:11 nic ods-signerd: [query] incoming query qtype=SOA for zone ccc.cz
>> May 16 16:56:11 nic ods-signerd: [acl] match 172.20.20.201
>> May 16 16:56:11 nic ods-signerd: [socket] query processed qstate=0
>> May 16 16:56:11 nic ods-signerd: [socket] sending 594 bytes over udp
>> May 16 16:56:11 nic ods-signerd: [dnshandler] netio dispatch
>> 
>> == 172.20.20.201 ==
>> May 16 16:55:41 dan named[26167]: zone ccc.cz/IN: refresh: failure trying master 172.20.20.215#1053 (source 0.0.0.0#0): expected a TSIG or SIG(0)
>> 
>> 
>> (sorry for spamming) Dan

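The condition discussed in this thread (a TSIG-signed SOA query whose reply is rejected with "expected a TSIG or SIG(0)") can be checked on captured wire data by looking for a TSIG record at the end of the reply's additional section. The Python below is an added example, not code from OpenDNSSEC, BIND or the thread's participants; it tests TSIG presence only (no HMAC verification), and the key name `constructed-key`, the zero-filled MAC and the sample messages are constructed.

```python
import struct

TSIG = 250  # RR type code of a TSIG record

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def last_additional_type(msg):
    """Type of the final additional-section RR, or None when ARCOUNT is 0."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off, rtype = 12, None
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
    return rtype if ar else None

def is_signed(msg):
    """TSIG, when present, is the last record of the additional section."""
    return last_additional_type(msg) == TSIG

def reply_acceptable(query, reply):
    """A reply to a TSIG-signed query is only acceptable if it is signed too."""
    return is_signed(reply) or not is_signed(query)

def _name(s):
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\0"

def build_soa_msg(zone, msg_id, flags, key=None):
    """Constructed SOA query/reply; the MAC is zero filler, not a real HMAC."""
    extra = b""
    if key:
        rdata = (_name("hmac-sha256") + struct.pack("!HIHH", 0, 1337327616, 300, 32)
                 + bytes(32) + struct.pack("!HHH", msg_id, 0, 0))
        extra = _name(key) + struct.pack("!HHIH", TSIG, 255, 0, len(rdata)) + rdata
    head = struct.pack("!6H", msg_id, flags, 1, 0, 0, 1 if key else 0)
    return head + _name(zone) + struct.pack("!HH", 6, 1) + extra   # SOA, IN

# Constructed sample messages; "constructed-key" is a placeholder key name.
SIGNED_QUERY = build_soa_msg("ccc.cz", 21616, 0x0000, "constructed-key")
SIGNED_REPLY = build_soa_msg("ccc.cz", 21616, 0x8400, "constructed-key")
UNSIGNED_REPLY = build_soa_msg("ccc.cz", 21616, 0x8400)
```

Feeding the UDP payloads of a real query/reply pair from a packet capture to `reply_acceptable` shows whether the signer answered a signed SOA query without a TSIG record.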
