Your message dated Sun, 22 Oct 2017 13:19:11 +0200
with message-id 
<1508671151.815349.1146906880.773a8...@webmail.messagingengine.com>
and subject line Closing bugs in old-old-stable bind9 versions
has caused the Debian Bug report #285763,
regarding bind9 can't send transfer requests from port 53
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
285763: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285763
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bind9
Version: 1:9.2.1-2.woody.2
Severity: normal

A problem which is apparently also present in bind 9.3.0:

/etc/bind/named.conf config file:
   options {
           directory "/var/cache/bind";
           query-source address * port 53;
           notify-source * port 53;
           transfer-source * port 53;
           auth-nxdomain no;    # conform to RFC1035
   };
   
   zone "." {
           type hint;
           file "/etc/bind/db.root";
   };
   
   zone "whatever.ch" {
           type slave;
           file "/var/cache/bind/whatever.ch.cache";
           masters {1.2.3.4;};
   };

It doesn't seem possible to force BIND to issue requests
from port 53 to get the zone data although it is requested!

Some broken firewall configurations (Cisco, see
DNS_ZONE_XFER_REQUEST_HIGH) will reject some kind of DNS requests (e.g.
zone AXFR) when the port is not 53.

The zone then cannot be transferred and the error message is:

   failed while receiving responses: connection reset 

The symptom on the wire is that the slave nameserver does a UDP SOA
request, then opens a TCP connection (3 phases as usual). Then it sends
some data and gets an ACK from the other side. Then the local-side tcpdump
shows some data sent, followed by a RST/ACK; the other side sees the
RST/ACK in place of the data. There is a Cisco firewall in between. Its
configuration will be fixed; however, the fact that you don't seem to be
able to set source ports is puzzling.

I could manage to get the zone transferred with the following hack:

   1. modify bind source code:

schaefer@defian:/scratch/bind9/bind-9.3.0% diff ./lib/dns/xfrin.c.ORIG
./lib/dns/xfrin.c
789c789
<       isc_sockaddr_setport(&xfr->sourceaddr, 0);
---
>       isc_sockaddr_setport(&xfr->sourceaddr, 53); /* no htons() */
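Review bot: hard-coding 53 in `isc_sockaddr_setport(&xfr->sourceaddr, 53);` discards whatever port `transfer-source` was configured with and forces it for every inbound transfer; the change that would address the reported behaviour is to keep the configured port rather than replace it, i.e. skip the `isc_sockaddr_setport(&xfr->sourceaddr, 0);` reset when `xfr->sourceaddr` already carries a non-zero port. Two caveats worth recording next to this hack: a fixed TCP source port means two simultaneous transfers to the same master share the same 4-tuple and the second bind/connect will fail, and a fixed UDP source port for the SOA query removes the source-port randomization that makes forged answers harder, so this belongs in a diagnostic build only.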

   2. start named manually:

./bin/named/named -c /etc/bind/named.conf -p 5353

PS: I could not reproduce the problem with host -t axfr, which is
    strange.

PS/2: if I don't get any comment I will see with upstream, since
query-source and transfer-source should work.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux defian 2.4.21 #1 Tue Apr 20 15:30:51 MEST 2004 i686
Locale: LANG=C, LC_CTYPE=fr_CH

Versions of packages bind9 depends on:
ii  libc6                  2.2.5-11.5        GNU C Library: Shared libraries an
ii  libdns5                1:9.2.1-2.woody.2 DNS Shared Library used by BIND
ii  libisc4                1:9.2.1-2.woody.2 ISC Shared Library used by BIND
ii  libisccc0              1:9.2.1-2.woody.2 Command Channel Library used by BI
ii  libisccfg0             1:9.2.1-2.woody.2 Config File Handling Library used 
ii  liblwres1              1:9.2.1-2.woody.2 Lightweight Resolver Library used 
ii  libssl0.9.6            0.9.6c-2.woody.7  SSL shared libraries
ii  netbase                4.07              Basic TCP/IP networking system



--- End Message ---
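The report turns on three `options` statements (`query-source`, `notify-source`, `transfer-source`) and on whether their `port` clause is honoured. The following added example (not from the bug report, not BIND's own parser, and assuming only the statement forms that appear in the report plus the `port *` and address-only variants) reads those statements out of a `named.conf` `options` block and lists which ones pin the source port to a single value. A pinned port is what this report wants for firewall reasons, but it also removes the source-port randomization that defends against forged answers, so an administrator auditing a configuration wants it flagged either way.

```python
"""Read the *-source statements from a BIND named.conf options block.

Added example: a regex-based reader for the `query-source`,
`notify-source` and `transfer-source` statements, not BIND's own parser.
It understands the forms `name [address] <addr> [port <port>];` only.
"""
import re
from typing import Dict, Optional

# Constructed sample mirroring the options block from the bug report.
SAMPLE_CONF = """
options {
        directory "/var/cache/bind";
        query-source address * port 53;
        notify-source * port 53;
        transfer-source * port 53;
        auth-nxdomain no;    # conform to RFC1035
};
"""

# query-source accepts an optional "address" keyword before the address;
# notify-source and transfer-source take the address directly.
_STMT_RE = re.compile(
    r"\b(?P<name>query-source|notify-source|transfer-source)\s+"
    r"(?:address\s+)?(?P<addr>\*|[0-9A-Fa-f.:]+)"
    r"(?:\s+port\s+(?P<port>\*|\d+))?\s*;"
)


def strip_comments(text: str) -> str:
    """Drop /* */ block comments and '#' / '//' line comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(#|//).*", "", text)


def parse_source_statements(conf: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each *-source statement name to its address and port.

    port is None when the statement has no port clause; '*' when the
    administrator explicitly left port selection to the OS.
    """
    result: Dict[str, Dict[str, Optional[str]]] = {}
    for m in _STMT_RE.finditer(strip_comments(conf)):
        result[m.group("name")] = {"address": m.group("addr"),
                                   "port": m.group("port")}
    return result


def fixed_source_ports(conf: str) -> Dict[str, int]:
    """Return the statements that pin the source port to one value.

    A missing port clause or 'port *' means an ephemeral, randomized port,
    which is the safer default; a fixed port is worth flagging in review.
    """
    fixed: Dict[str, int] = {}
    for name, spec in parse_source_statements(conf).items():
        port = spec["port"]
        if port is not None and port != "*":
            fixed[name] = int(port)
    return fixed


if __name__ == "__main__":
    for name, port in fixed_source_ports(SAMPLE_CONF).items():
        print(f"{name}: fixed source port {port}")
```

Running the module against the constructed sample lists all three statements as fixed to port 53, which is exactly the configuration the report says BIND did not honour for the transfer itself.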
--- Begin Message ---
Version: 1:9.10.3.dfsg.P4-12.3

Hi,

the bind9 bug list grew too much and the Debian BIND team cannot
simply test all the reported bugs against versions not in stable, so
this is a mass bug close, as either the version is no longer relevant
(because of old-old-stable 9.8.x or old-stable 9.9.5 or even older
versions of bind9) or the bug was already fixed.

However, if you can reproduce the bug with a current version in stable,
please use the Debian BTS 'found <bug> <version_you_reproduced_the_issue>'
command to retag the bug and reopen it.

Cheers,
Ondrej

Attachment: signature.asc
Description: PGP signature


--- End Message ---