<div dir="ltr"><div>There are 3 stealths, one good, one old (allowing queries) and one old (not allowing queries).</div><div><br></div>So I think only one stealth server had the latest greatest SOA serial, 2020104062, Call this goodstealth.<div>There are 2 that have lesser ones, 2020104059 and 10010102. The first one allows SOA queries, the second is refusing them. Callt this badstealth1 and badstealth2.</div><div><br><div>25-May-2022 12:00:04.322 zone <a href="http://XXX.noaa.gov/IN/unsigned">XXX.noaa.gov/IN/unsigned</a>: notify from goodsteatth#46101: serial 2020104062<br>25-May-2022 12:00:07.495 zone <a href="http://XXX.noaa.gov/IN/unsigned">XXX.noaa.gov/IN/unsigned</a>: serial number (2020103853) received from master badstealh1#53 < ours (2020104059)<br>25-May-2022 12:00:10.103 zone <a href="http://XXX.noaa.gov/IN/unsigned">XXX.noaa.gov/IN/unsigned</a>: transferred serial 10010102: TSIG 'XXX'<br></div><div><br></div><div>So what it seems it gets a notify for the zone from the stealth.. It queries the badstealth1 (the one it can query) and knows it has a lesser serial so it ignores.</div><div><br></div><div>Yet it continues on and transfers the zone from badstealth2 even with a lower soa serial (serial 10010102).</div><div><br></div><div>I can see in the xfer in log:</div><div>25-May-2022 12:00:10.103 transfer of '<a href="http://XXX.noaa.gov/IN/unsigned">XXX.noaa.gov/IN/unsigned</a>' from #53: Transfer status: success<br>25-May-2022 12:00:10.103 transfer of '<a href="http://XXX.noaa.gov/IN/unsigned">XXX.noaa.gov/IN/unsigned</a>' from badstealth2#53: Transfer completed: 21 messages, 8474 records, 286239 bytes, 0.096 secs (2981656 bytes/sec)<br></div><div><br></div><div>The failure to query for SOA should invalidate badstealth2 for zone transfer. Yet it seems to use it.</div></div><div><br></div><div>Thanks in advance. I instructed the DNS admin of the stealth zone to allow queries, which probably fixes the issue. This just blew my assumption about soa serial, albeit a bit esoteric.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, May 27, 2022 at 3:25 AM Mark Andrews <<a href="mailto:marka@isc.org">marka@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Also was the zone in expired state. <br>
<br>
-- <br>
Mark Andrews<br>
<br>
> On 27 May 2022, at 03:48, Wes Hardaker <<a href="mailto:wjhns1@hardakers.net" target="_blank">wjhns1@hardakers.net</a>> wrote:<br>
> <br>
> Eugene Tsuno - NOAA Affiliate via dns-operations<br>
> <<a href="mailto:dns-operations@dns-oarc.net" target="_blank">dns-operations@dns-oarc.net</a>> writes:<br>
> <br>
>> So a test stealth server was setup with an existing zone. It had a lower SOA<br>
>> serial than the running one, yet the master accepted a zone transfer and started<br>
>> using the outdated zone.<br>
> <br>
> How *much* lower?<br>
> <br>
> See RFC1982 for example.<br>
> -- <br>
> Wes Hardaker<br>
> USC/ISI<br>
> <br>
> _______________________________________________<br>
> dns-operations mailing list<br>
> <a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
> <a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div>