[dns-operations] Ignored SOA serial, SOA query refused

Eugene Tsuno - NOAA Affiliate eugene.tsuno at noaa.gov
Fri May 27 16:34:34 UTC 2022


There are 3 stealths: one good, one old (allowing queries) and one old (not
allowing queries).

So I think only one stealth server had the latest, greatest SOA serial,
2020104062. Call this goodstealth.
There are 2 that have lesser ones, 2020104059 and 10010102. The first one
allows SOA queries, the second is refusing them. Call these badstealth1
and badstealth2.

25-May-2022 12:00:04.322 zone XXX.noaa.gov/IN/unsigned: notify from
goodstealth#46101: serial 2020104062
25-May-2022 12:00:07.495 zone XXX.noaa.gov/IN/unsigned: serial number
(2020103853) received from master badstealth1#53 < ours (2020104059)
25-May-2022 12:00:10.103 zone XXX.noaa.gov/IN/unsigned: transferred serial
10010102: TSIG 'XXX'

So what it seems is that it gets a notify for the zone from the stealth. It
queries badstealth1 (the one it can query) and knows it has a lesser
serial, so it ignores it.

Yet it continues on and transfers the zone from badstealth2 even with a
lower SOA serial (serial 10010102).

I can see in the xfer in log:
25-May-2022 12:00:10.103 transfer of 'XXX.noaa.gov/IN/unsigned' from #53:
Transfer status: success
25-May-2022 12:00:10.103 transfer of 'XXX.noaa.gov/IN/unsigned' from
badstealth2#53: Transfer completed: 21 messages, 8474 records, 286239
bytes, 0.096 secs (2981656 bytes/sec)

The failure to query for SOA should invalidate badstealth2 for zone
transfer. Yet it seems to use it.

Thanks in advance. I instructed the DNS admin of the stealth zone to allow
queries, which probably fixes the issue. This just blew my assumption
about SOA serials, albeit a bit esoteric.

On Fri, May 27, 2022 at 3:25 AM Mark Andrews <marka at isc.org> wrote:

> Also, was the zone in expired state?
>
> --
> Mark Andrews
>
> > On 27 May 2022, at 03:48, Wes Hardaker <wjhns1 at hardakers.net> wrote:
> >
> > Eugene Tsuno - NOAA Affiliate via dns-operations
> > <dns-operations at dns-oarc.net> writes:
> >
> >> So a test stealth server was setup with an existing zone.  It had a
> lower SOA
> >> serial than the running one, yet the master accepted a zone transfer
> and started
> >> using the outdated zone.
> >
> > How *much* lower?
> >
> > See RFC1982 for example.
> > --
> > Wes Hardaker
> > USC/ISI
> >
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
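Wes's question ("how much lower?") is about RFC 1982 serial arithmetic: a secondary compares serials modulo 2^32, so a numerically smaller serial can still be "newer" if the two are more than 2^31 apart. The following is an added example, not code from the poster or from BIND. It implements the RFC 1982 comparison, runs it over the serials in the log above, and then models the refresh decision the poster expected (skip masters that refuse the SOA query, skip masters with a lower or equal serial, transfer without a serial check only when the zone is expired, which is Mark's question). The refresh model, the master ordering and the function names are assumptions for illustration, not BIND's actual refresh code.

```python
"""RFC 1982 serial arithmetic, applied to the serials from the thread.

Added example; the refresh model below is a simplified illustration of the
check the poster expected, not BIND's implementation.
"""

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS          # serials live in [0, 2**32)
HALF = 1 << (SERIAL_BITS - 1)   # 2**31: the RFC 1982 comparison boundary


def serial_compare(i1: int, i2: int):
    """RFC 1982 section 3.2.

    Returns -1 if i1 < i2, 1 if i1 > i2, 0 if equal, and None when the
    comparison is undefined (the serials differ by exactly 2**31).
    """
    i1 %= MOD
    i2 %= MOD
    if i1 == i2:
        return 0
    if (i1 < i2 and i2 - i1 < HALF) or (i1 > i2 and i1 - i2 > HALF):
        return -1
    if (i1 < i2 and i2 - i1 > HALF) or (i1 > i2 and i1 - i2 < HALF):
        return 1
    return None


def serial_gt(new: int, old: int) -> bool:
    """True only when 'new' is strictly newer than 'old' under RFC 1982."""
    return serial_compare(new, old) == 1


def serial_add(serial: int, n: int) -> int:
    """RFC 1982 section 3.1: add n (0 <= n < 2**31) to a serial, mod 2**32."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be in [0, 2**31)")
    return (serial + n) % MOD


REFUSED = "REFUSED"  # constructed marker: the master refused our SOA query


def choose_transfer_source(our_serial, masters, expired=False):
    """Model of a secondary's refresh after a NOTIFY (illustration only).

    masters: ordered list of (name, soa_result) where soa_result is the
    serial the master returned to our SOA query, or REFUSED.
    Returns (master_name, reason) or (None, reason).
    """
    for name, soa in masters:
        if expired:
            # An expired zone has no valid data; any master that will
            # transfer is better than nothing, so no serial check applies.
            return name, "zone expired, transferring without serial check"
        if soa == REFUSED:
            # No serial to compare: this master cannot justify a transfer.
            continue
        cmp = serial_compare(soa, our_serial)
        if cmp == 1:
            return name, f"serial {soa} > ours {our_serial}"
        # cmp is -1, 0 or None (undefined): do not transfer from this master
    return None, "no master offered a newer serial"


def accept_transferred_zone(our_serial, transferred_serial, expired=False):
    """Post-AXFR sanity check: keep the new copy only if its serial is newer
    under RFC 1982, or if we had nothing valid to begin with."""
    return expired or serial_gt(transferred_serial, our_serial)


# Serials quoted in the thread (constructed ordering of the masters list).
OURS = 2020104059
MASTERS = [
    ("badstealth1", 2020103853),
    ("badstealth2", REFUSED),
    ("goodstealth", 2020104062),
]

if __name__ == "__main__":
    print("10010102 vs ours:", serial_compare(10010102, OURS))      # -1
    print("2020103853 vs ours:", serial_compare(2020103853, OURS))  # -1
    print("chosen:", choose_transfer_source(OURS, MASTERS))
    print("accept 10010102?", accept_transferred_zone(OURS, 10010102))
```

The difference between 2020104059 and 10010102 is 2010093957, which is under 2^31, so 10010102 is genuinely older under RFC 1982 and the transferred copy was a regression rather than a wrapped serial. Only the expired-zone case in the model accepts a copy without a usable serial comparison, which is why Mark's question matters for diagnosing what happened.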

