[BALUG-Admin] "all better now": Re: ns0.balug.org refusing AXFR request from ns1.linuxmafia.com, zone balug.org

Rick Moen rick@linuxmafia.com
Fri Jan 17 20:55:37 UTC 2020


Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):

> Thanks for catching that.
> Should be "all better now".

A slave nameserver admin running a well-tuned instance of logcheck is
the next best thing to automated service monitoring -- and less likely
to wake you up with SMS alerts.  ;->

> And, with whatever happened in this particular case, reload wasn't
> sufficient to get bind also listening on TCP on the primary Internet
> facing IPv4 IP address ...

Wow, that's subtle -- and pernicious, in that almost all DNS queries
will then work (because UDP), and the only things that won't are DNS
queries with answers longer than 512 bytes (requiring TCP transport)
and AXFR/IXFR zone transfers (requiring TCP transport).

(I'm explaining for the benefit of readers who may not be old hands at
this.)

That's the kind of non-obvious breakage one normally sees only with
attempting to pass DNS through firewall rules but forgetting that UDP
isn't always sufficient.

-- 
Cheers,                              Lost my car phone.
Rick Moen                                -- Matt Watson (@biorhythmist)  
rick@linuxmafia.com                 
McQ! (4x80)                        

