AXFR rejected

AXFR rejected

Erich Eckner
Hi,

I upgraded from bind 9.16.11 to 9.16.12 (on arch linux) and suddenly, AXFR
transfers were denied:

19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: TCP request
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: using view '_default'
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: request is not signed
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: recursion available
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): AXFR request
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): zone transfer setup failed
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): reset client
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: freeing client

Relevant part of the config (I can post more/full config, if desired):

/etc/named.conf:

options {
   ...
   allow-recursion { any; };
   allow-transfer { none; };
   ...
}

...

zone "ddns.eckner.net" IN {
   type master;
   allow-transfer { 127.0.0.1; ...; };
}


I cannot find any relevant change in the changelog at
https://ftp.isc.org/isc/bind9/cur/9.16/CHANGES - did I miss something or
is this a bug?

(Adding 127.0.0.1 to allow-transfer in options clause did not help.)

regards,
Erich

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
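
An added example, not part of the original post and not ISC's code: a small Python script that groups the named debug log lines quoted above by client and reports each AXFR request that ended in "zone transfer setup failed", together with the view and whether the request was signed. It assumes the log line layout shown in the post; the function name failed_transfers and the record fields are hypothetical.

```python
import re

# Line layout assumed from the log excerpt in the post.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<handle>@0x[0-9a-f]+) "
    r"(?P<addr>[^#\s]+)#(?P<port>\d+)(?: \((?P<zone>[^)]+)\))?: (?P<msg>.*)$"
)

# Sample input: the eight log lines from the post.
SAMPLE = """\
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: TCP request
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: using view '_default'
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: request is not signed
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: recursion available
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): AXFR request
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): zone transfer setup failed
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): reset client
19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: freeing client
"""

def failed_transfers(log_text):
    """Return one record per AXFR request whose transfer setup failed."""
    pending = {}   # (handle, addr, port) -> state of the request in progress
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key = (m["handle"], m["addr"], m["port"])
        req = pending.setdefault(key, {
            "time": m["ts"], "client": m["addr"], "zone": None,
            "view": None, "signed": None, "failed": False,
        })
        msg = m["msg"]
        view = re.fullmatch(r"using view '(.*)'", msg)
        if view:
            req["view"] = view.group(1)
        elif msg == "request is not signed":
            req["signed"] = False   # any other signature message stays None (unknown)
        elif msg == "AXFR request":
            req["zone"] = m["zone"]
        elif msg == "zone transfer setup failed":
            req["failed"] = True
        elif msg == "freeing client":
            del pending[key]        # client object released: the request is over
            if req["zone"] and req["failed"]:
                findings.append(req)
    return findings
```

Calling failed_transfers(SAMPLE) returns a single record for ddns.eckner.net from 127.0.0.1 in view _default with signed set to False.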
Re: AXFR rejected

Ondřej Surý
Hi Erich,

Please file a proper issue at our GitLab instance - https://gitlab.isc.org/isc-projects/bind9/issues and we’ll take it from here. We will need more information, and the mailing list is a very clumsy way of tracking that.

Thanks,
Ondrej
--
Ondřej Surý (He/Him)
[hidden email]

> On 19. 2. 2021, at 14:07, Erich Eckner <[hidden email]> wrote:
>
> Signed PGP part
> Hi,
>
> I upgraded from bind 9.16.11 to 9.16.12 (on arch linux) and suddenly, AXFR
> transfers were denied:
>
> 19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: TCP request
> 19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: using view '_default'
> 19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: request is not signed
> 19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: recursion available
> 19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): AXFR request
> 19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): zone transfer setup failed
> 19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139 (ddns.eckner.net): reset client
> 19-Feb-2021 13:56:01.276 client @0x7f37c8015028 127.0.0.1#57139: freeing client
>
> Relevant part of the config (I can post more/full config, if desired):
>
> /etc/named.conf:
>
> options {
>    ...
>    allow-recursion { any; };
>    allow-transfer { none; };
>    ...
> }
>
> ...
>
> zone "ddns.eckner.net" IN {
>    type master;
>    allow-transfer { 127.0.0.1; ...; };
> }
>
>
> I cannot find any relevant change in the changelog at
> https://ftp.isc.org/isc/bind9/cur/9.16/CHANGES - did I miss something or
> is this a bug?
>
> (Adding 127.0.0.1 to allow-transfer in options clause did not help.)
>
> regards,
> Erich
>
>
