SUMMARY: DNS zone transfer problems

From: Andrew M Townsend (ATOWNSEND@DOLETA.GOV)
Date: Tue Jul 21 1998 - 13:04:38 CDT


Warmest appreciation to:

Tim Carlson <tim@santafe.edu>
"Francisco Javier Arias Correa (NIC)" <farias@nic.mx>

Tim hit it right on. I finally got in touch with their admins, and we simply aren't a secondary in their domain anymore. Of course, the word never filtered down to those of us on the front lines. I gutted the zone information from named.boot and removed the zone db files, then restarted the server. Voila! Mail is flowing and all involved parties are happy.

Francisco suggested to also look at using the gatekeeper machine to perform the transfers, which he tested successfully. He also suggested checking for blocked traffic to the keymaster machine. As an afterthought to my posting, I did a snoop and was able to indeed communicate with keymaster, it just wouldn't provide the information for which my server was asking.

Thanks everyone! Sometimes this mailing list is the only thing between myself and insanity.

Andy Townsend

+--

Here is original posting:

+--

Hi everyone,

This is unfortunately a critical problem. The problem lies within DNS (details to follow). I hope someone can provide some insight - I did see a bit of info on this when I searched the sun manager archives, but nothing that told me how to fix the underlying problem.

Vital Stats: Solaris 2.4, Version = named 4.9.3-P1

I have a machine that is supposed to be a secondary server for the zone dol.gov. I am primary for my domain, which is doleta.gov.

Users started calling the other day to rightfully submit that mail was not getting from doleta.gov to dol.gov. They could not access the dol.gov web servers either. I check, and sure enough:

Default Server: hel.doleta.gov
Address: 199.183.144.5

> dol.gov
Server: hel.doleta.gov
Address: 199.183.144.5

*** hel.doleta.gov can't find dol.gov: Non-existent host/domain
> dol.gov.
Server: hel.doleta.gov
Address: 199.183.144.5

*** hel.doleta.gov can't find dol.gov.: Server failed
>

(The machine hel is designated as primary for our domain. Just for yucks I tried the nslookup with the trailer dot on dol.gov. the second time, and got a different error message)

I looked in my messages file and there are all sorts of entries similar to the following. They repeat over and over and over again.

Jul 20 16:44:10 hel named[4520]: secondary zone "dol.gov" expired
Jul 20 16:54:18 hel named[4520]: secondary zone "dol.gov" expired
Jul 20 16:55:55 hel named-xfer[4650]: [166.96.240.2] not authoritative for dol.gov, SOA query got rcode 0, aa 0, ancount 1, aucount 1
Jul 20 16:55:55 hel named[4649]: zoneref: Masters for secondary zone "dol.gov" unreachable
Jul 20 16:55:59 hel named[4649]: secondary zone "dol.gov" expired
Jul 20 17:01:35 hel named-xfer[4679]: [166.96.240.2] not authoritative for dol.gov, SOA query got rcode 0, aa 0, ancount 1, aucount 1
Jul 20 17:01:35 hel named[4678]: zoneref: Masters for secondary zone "dol.gov" unreachable
Jul 20 17:01:41 hel named[4678]: secondary zone "dol.gov" expired
Jul 20 17:06:26 hel named-xfer[4694]: [166.96.240.2] not authoritative for dol.gov, SOA query got rcode 0, aa 0, ancount 1, aucount 1
Jul 20 17:11:56 hel named[4678]: secondary zone "dol.gov" expired
Jul 20 17:22:03 hel named[4678]: secondary zone "dol.gov" expired
Jul 20 17:25:08 hel named-xfer[4748]: [166.96.240.2] not authoritative for dol.gov, SOA query got rcode 0, aa 0, ancount 1, aucount 1
Jul 20 17:31:00 hel named[4786]: secondary zone "dol.gov" expired
Jul 20 18:30:50 hel named-xfer[4829]: [166.96.240.2] not authoritative for dol.gov, SOA query got rcode 0, aa 0, ancount 1, aucount 1
Jul 20 18:32:34 hel named[4786]: secondary zone "dol.gov" expired

I get the following when I do a manual zone transfer:

Jul 21 11:10:26 hel named-xfer[5304]: [166.96.240.2] not authoritative for dol.gov, SOA query got rcode 0, aa 0, ancount 1, aucount 1

OK! Here's where it gets even more interesting. I hop over to my ISP to test from there. I set the server to the IP of the server I am failing the zone transfers on:

> server 166.96.240.2
Default Server: [166.96.240.2]
Address: 166.96.240.2

> dol.gov
Server: [166.96.240.2]
Address: 166.96.240.2

Non-authoritative answer:
Name: dol.gov
Address: 166.96.240.1

> set type=soa
> dol.gov
Server: [166.96.240.2]
Address: 166.96.240.2

Non-authoritative answer:
dol.gov
 origin = keymaster.dol.gov
 mail addr = root.keymaster.dol.gov
 serial = 1998071801
 refresh = 10800 (3 hours)
 retry = 3600 (1 hour)
 expire = 432000 (5 days)
 minimum ttl = 86400 (1 day)
Authoritative answers can be found from:
(blank)

Aha! The server I am trying to transfer with apparently doesn't know who is authoritative for its domain.

So, out of suspicion, from my ISP, I set the server to *another* DNS server within the domain I am trying to zone transfer with/to. From the following, it appears that the *other* server has been made authoritative for that domain.

> server gatekeeper.dol.gov
Default Server: gatekeeper.dol.gov
Address: 166.96.240.1

> set type=soa
> dol.gov
Server: gatekeeper.dol.gov
Address: 166.96.240.1

dol.gov
 origin = gatekeeper.dol.gov
 mail addr = root.gatekeeper.dol.gov
 serial = 98051101
 refresh = 10800 (3 hours)
 retry = 3600 (1 hour)
 expire = 432000 (5 days)
 minimum ttl = 86400 (1 day)
>

Note the absence of the *non-authoritative* flag.

So, I see two possible scenarios. The first possibility is I've fallen prey to one of the bind 4.9.3-p1 problems I read about in the sun manager archives, in which case, I don't know where to turn other than this mailing list and I really hope someone can help.

The second possible scenario is that a) they changed their DNS structure and did not advise us they did so, and/or b) they are blocking the zone transfer traffic at a router level (they have recently shored up their security).

If anyone has any ideas at all and would be willing to work with me on this, I will be greatly in your debt. I will happily provide all zone files and my named.boot file if that will assist in getting this resolved.

Please help! Any tidbit is appreciated! I will, of course, summarize anything thrown my way. Thank you all for your time.

Andy Townsend
Unix and Internet Admin
US Dept of Labor
atownsend@doleta.gov
(202) 219-5146 x131
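The named/named-xfer log lines quoted above already carry the diagnosis: the configured master answered the SOA query with `rcode 0` but `aa 0`, so it was caching or forwarding for the zone rather than serving it, and the secondary kept expiring the zone. The following is an added example, not code from the post or from BIND, that triages such syslog entries offline and explains each rejected master from the `rcode`/`aa`/`ancount` fields. The log text is constructed to match the quoted message formats (the `192.0.2.10` / `example.test` entry is invented to show the NXDOMAIN case); the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the named 4.9.x syslog lines quoted in the post.
# The last line is invented to exercise the non-zero rcode path.
SAMPLE_LOG = """\
Jul 20 16:44:10 hel named[4520]: secondary zone "dol.gov" expired
Jul 20 16:55:55 hel named-xfer[4650]: [166.96.240.2] not authoritative for dol.gov, SOA query got rcode 0, aa 0, ancount 1, aucount 1
Jul 20 16:55:55 hel named[4649]: zoneref: Masters for secondary zone "dol.gov" unreachable
Jul 20 16:55:59 hel named[4649]: secondary zone "dol.gov" expired
Jul 20 17:00:00 hel named-xfer[4700]: [192.0.2.10] not authoritative for example.test, SOA query got rcode 3, aa 0, ancount 0, aucount 1
"""

EXPIRED_RE = re.compile(r'named\[\d+\]: secondary zone "([^"]+)" expired')
UNREACHABLE_RE = re.compile(r'zoneref: Masters for secondary zone "([^"]+)" unreachable')
XFER_RE = re.compile(
    r'named-xfer\[\d+\]: \[([0-9.]+)\] not authoritative for ([^,]+), '
    r'SOA query got rcode (\d+), aa (\d+), ancount (\d+), aucount (\d+)'
)

# Standard DNS response codes (RFC 1035 / RFC 2136 numbering).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def diagnose_xfer(rcode, aa, ancount, aucount):
    """Explain why named-xfer rejected the master's SOA reply.

    named-xfer only accepts an SOA answer that carries the AA (authoritative
    answer) flag; anything else means the host is not a master for the zone.
    """
    if rcode != 0:
        return f"master returned {RCODES.get(rcode, rcode)}: it may not serve the zone at all"
    if aa == 0 and ancount > 0:
        return "master answered non-authoritatively (aa=0): it is caching or forwarding, not a master for the zone"
    if ancount == 0:
        return "master returned NOERROR but no SOA record in the answer section"
    return "unexpected: reply looks authoritative; check the named-xfer exit status instead"


def triage(log_text):
    """Aggregate per-zone expiry/unreachable counts and a diagnosis per failing master."""
    report = defaultdict(lambda: {"expired": 0, "unreachable": 0, "masters": {}})
    for line in log_text.splitlines():
        m = EXPIRED_RE.search(line)
        if m:
            report[m.group(1)]["expired"] += 1
            continue
        m = UNREACHABLE_RE.search(line)
        if m:
            report[m.group(1)]["unreachable"] += 1
            continue
        m = XFER_RE.search(line)
        if m:
            master, zone = m.group(1), m.group(2)
            rcode, aa, ancount, aucount = (int(x) for x in m.groups()[2:])
            report[zone]["masters"][master] = diagnose_xfer(rcode, aa, ancount, aucount)
    return dict(report)


if __name__ == "__main__":
    for zone, info in triage(SAMPLE_LOG).items():
        print(f'zone "{zone}": expired {info["expired"]}x, masters unreachable {info["unreachable"]}x')
        for master, why in info["masters"].items():
            print(f"  {master}: {why}")
```

Run against a real syslog file (`triage(open("/var/adm/messages").read())`) it turns the repeating noise into one line per zone and one verdict per master, which is exactly the question the post had to answer by hand with nslookup from an outside vantage point: the master's reply lacks the AA flag, so either the zone delegation moved (as it had here) or the secondary should be pointed at a host that is actually authoritative.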




This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:44 CDT