Hi list.

I have a BIND server that is acting as a secondary to replicate a zone
from SpamHaus/Deteque, which is then used internally as a Response
Policy Zone. This had been working fine for several years, but recently
I noticed that BIND was reporting that the zone had expired. When I
looked closer I realised that I'd only specified the 2 x IPv6 addresses
for the SpamHaus servers, and for some reason neither of those were
responding to DNS queries, so I added in the IPv4 addresses. My
configuration basically looked like this:

    primaries deteque-primary {
        2600:1f18:215e:b701:8624:5523:94aa:f163;
        2a05:d014:1bf:db01:c11:ab37:1f20:3358;
        34.194.195.25;
        35.156.219.71;
    };
    ...
    view "xxx" {
        zone "drop.ip.dtq" {
            type secondary;
            file "db.drop.ip.dtq";
            primaries { deteque-primary; };
            notify explicit;
            also-notify { nick-secondary-deteque; };
            allow-transfer { nick-nameservers-private; };
            allow-query { nick-nameservers-private; loopback-networks; };
        };
    };

My expectation was that BIND would try the first IPv6 address
(2600:1f18:215e:b701:8624:5523:94aa:f163), then when that timed out due
to no response, it would try the second one
(2a05:d014:1bf:db01:c11:ab37:1f20:3358), then after that timed out it
would try the first IPv4 address (34.194.195.25) which should succeed.

However after restarting BIND I was finding that the zone still wasn't
being transferred. And Wireshark revealed that SOA query packets were
being sent every 15 seconds to the first address only
(2600:1f18:215e:b701:8624:5523:94aa:f163), which wasn't replying (as
expected), and no packets were being sent to any of the other IP
addresses listed in the 'primaries' statement. (I left the packet
capture running for >15 minutes without seeing any packets being sent to
the other 3 addresses.)

So my question is: For a secondary zone, are there any circumstances
where BIND would try the servers listed after the first entry in the
primaries stanza? And if so, should the lack of response from the first
primary be one of those circumstances?

In other words, is the behaviour I'm seeing a bug, or does BIND always
only use the first entry in a primaries stanza of a secondary zone?

FYI BIND version is: 9.18.1

Thanks,
Nick.
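
One way to confirm from a capture export which listed primaries received SOA refresh queries, as an added example that is not part of the original post. The five-column row format and the sample rows are constructed assumptions; the primaries and zone name are taken from the configuration in the post.

```python
import ipaddress
from collections import Counter

# Primaries and zone as listed in the post's configuration.
PRIMARIES = [
    "2600:1f18:215e:b701:8624:5523:94aa:f163",
    "2a05:d014:1bf:db01:c11:ab37:1f20:3358",
    "34.194.195.25",
    "35.156.219.71",
]
ZONE = "drop.ip.dtq"

# Constructed sample rows (assumed format: seconds direction peer qtype qname).
# "out" = query sent by the secondary, "in" = reply received from the peer.
SAMPLE = """\
0 out 2600:1f18:215e:b701:8624:5523:94aa:f163 SOA drop.ip.dtq
15 out 2600:1f18:215e:b701:8624:5523:94aa:f163 SOA drop.ip.dtq
20 out 192.0.2.53 A host.example
30 out 2600:1f18:215e:b701:8624:5523:94aa:f163 SOA drop.ip.dtq
45 out 2600:1f18:215e:b701:8624:5523:94aa:f163 SOA drop.ip.dtq.
"""

def summarize(capture, primaries=PRIMARIES, zone=ZONE):
    """Return {primary: (soa_queries_sent, soa_replies_seen, status)}."""
    sent, replied = Counter(), Counter()
    for line in capture.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed rows
        _ts, direction, peer, qtype, qname = fields
        if qtype.upper() != "SOA" or qname.rstrip(".").lower() != zone:
            continue  # only SOA refresh traffic for this zone
        try:
            addr = ipaddress.ip_address(peer)  # normalises IPv6 spelling
        except ValueError:
            continue  # peer column is not an IP address
        if direction == "out":
            sent[addr] += 1
        elif direction == "in":
            replied[addr] += 1
    report = {}
    for p in primaries:
        a = ipaddress.ip_address(p)
        status = ("never tried" if not sent[a]
                  else "no reply" if not replied[a] else "answering")
        report[p] = (sent[a], replied[a], status)
    return report
```

For the constructed sample, summarize(SAMPLE) marks the first primary "no reply" and the other three "never tried", the same pattern the post describes seeing in Wireshark.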