[dns-operations] Ignored SOA serial SOA query refused
Eugene Tsuno - NOAA Affiliate
eugene.tsuno at noaa.gov
Fri May 27 16:34:34 UTC 2022
There are 3 stealths, one good, one old (allowing queries) and one old (not
So I think only one stealth server had the latest greatest SOA serial,
2020104062. Call this goodstealth.
There are 2 that have lesser ones, 2020104059 and 10010102. The first one
allows SOA queries, the second is refusing them. Call this badstealth1
25-May-2022 12:00:04.322 zone XXX.noaa.gov/IN/unsigned: notify from
goodsteatth#46101: serial 2020104062
25-May-2022 12:00:07.495 zone XXX.noaa.gov/IN/unsigned: serial number
(2020103853) received from master badstealh1#53 < ours (2020104059)
25-May-2022 12:00:10.103 zone XXX.noaa.gov/IN/unsigned: transferred serial
10010102: TSIG 'XXX'
So what it seems is that it gets a notify for the zone from the stealth. It
queries badstealth1 (the one it can query) and knows it has a lesser
serial, so it ignores it.
Yet it continues on and transfers the zone from badstealth2 even with a
lower SOA serial (serial 10010102).
I can see in the xfer-in log:
25-May-2022 12:00:10.103 transfer of 'XXX.noaa.gov/IN/unsigned' from #53:
Transfer status: success
25-May-2022 12:00:10.103 transfer of 'XXX.noaa.gov/IN/unsigned' from
badstealth2#53: Transfer completed: 21 messages, 8474 records, 286239
bytes, 0.096 secs (2981656 bytes/sec)
The failure to query for SOA should invalidate badstealth2 for zone
transfer. Yet it seems to use it.
Thanks in advance. I instructed the DNS admin of the stealth zone to allow
queries, which probably fixes the issue. This just blew my assumption
about SOA serials, albeit a bit esoteric.
On Fri, May 27, 2022 at 3:25 AM Mark Andrews <marka at isc.org> wrote:
> Also was the zone in expired state.
> Mark Andrews
> > On 27 May 2022, at 03:48, Wes Hardaker <wjhns1 at hardakers.net> wrote:
> > Eugene Tsuno - NOAA Affiliate via dns-operations
> > <dns-operations at dns-oarc.net> writes:
> >> So a test stealth server was set up with an existing zone. It had a
> >> lower SOA serial than the running one, yet the master accepted a zone
> >> transfer and started using the outdated zone.
> > How *much* lower?
> > See RFC1982 for example.
> > --
> > Wes Hardaker
> > USC/ISI
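To make Wes's "how much lower?" question concrete, here is an added example (not from anyone in this thread) that implements the RFC 1982 serial comparison and applies it to the serials quoted above; the `is_newer` decision rule is my own rendering of the "transfer only when the offered serial is greater" check a secondary performs, not BIND's code.

```python
# RFC 1982 serial number arithmetic for 32-bit SOA serials.
# Added example (not from the thread): decides whether an offered serial
# counts as "newer" than the one a secondary already holds.
SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS          # 2^32
HALF = 1 << (SERIAL_BITS - 1)       # 2^31, the largest meaningful distance

def serial_compare(s1: int, s2: int):
    """Compare two serials per RFC 1982 section 3.2.
    Returns -1 if s1 < s2, 1 if s1 > s2, 0 if equal, and None when the
    distance is exactly 2^31 (RFC 1982 leaves that comparison undefined)."""
    for s in (s1, s2):
        if not 0 <= s < MODULUS:
            raise ValueError(f"serial {s} is not a 32-bit unsigned value")
    if s1 == s2:
        return 0
    distance = (s2 - s1) % MODULUS   # how far s2 is "ahead" of s1, mod 2^32
    if distance == HALF:
        return None
    return -1 if distance < HALF else 1

def is_newer(ours: int, offered: int) -> bool:
    """True when a secondary holding `ours` should treat `offered` as newer.
    An undefined comparison is treated as not newer (the safe choice)."""
    return serial_compare(ours, offered) == -1

# Serials from the thread: the secondary holds 2020104059.
OURS = 2020104059
THREAD_CASES = {
    "goodstealth": 2020104062,   # 3 ahead -> newer
    "badstealth1": 2020103853,   # 206 behind -> not newer
    "badstealth2": 10010102,     # ~2.01e9 behind, still under 2^31 -> not newer
}

def thread_decisions():
    """Map each stealth name to whether its serial should have won."""
    return {name: is_newer(OURS, serial) for name, serial in THREAD_CASES.items()}

if __name__ == "__main__":
    for name, newer in thread_decisions().items():
        print(f"{name}: offered {THREAD_CASES[name]} newer than {OURS}? {newer}")
    # Wraparound: a tiny serial IS newer when the holder sits just below 2^32.
    print("wrap:", is_newer(MODULUS - 1, 5))
```

The point of running it on the thread's own numbers: 10010102 is about 2.01e9 behind 2020104059, which is still inside the 2^31 window, so RFC 1982 arithmetic agrees it is older, and serial wraparound alone does not explain the transfer.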