Lawrence,
I've seen this where a firewall blocks UDP packets between slave and master,
typically because it doesn't understand EDNS. The refresh query fails, so at
expiry time, it just initiates a zone transfer anyway, and that succeeds (over
TCP).
Checkpoint firewalls are the most common offenders in my experience.
Regards,
Chris Buxton
> On Nov 13, 2015, at 10:12 PM, Lawrence K. Chen, P.Eng. wrote:
>
> So, the last couple of days I've been banging my head on this problem
>
> Where I'm seeing this strangeness.
>
> 13-Nov-2015 18:00:27.896 general: info: zone salina.k-state.edu/IN/internal:
> refresh: retry limit for master 10.133.253.128#53 exceeded (source 0.0.0.0#0)
> 13-Nov-2015 18:00:27.896 general: info: zone salina.k-state.edu/IN/internal:
> Transfer started.
> 13-Nov-2015 18:00:27.900 xfer-in: info: transfer of
> 'salina.k-state.edu/IN/internal' from 10.133.253.128#53: connected using
> 129.130.254.21#65439
>
> Among the things I tried, included setting 'transfer-source'.
>
> 13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal:
> refresh: retry limit for master 10.133.253.128#53 exceeded (source
> 129.130.254.21#0)
> 13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal:
> Transfer started.
> 13-Nov-2015 23:03:42.393 xfer-in: info: transfer of
> 'salina.k-state.edu/IN/internal' from 10.133.253.128#53: connected using
> 129.130.254.21#34391
>
> No help.
>
> Also disabled the host's firewall though it was wide open for tcp/udp
> involving port 53
>
> The fuller logs context is:
>
> 13-Nov-2015 23:03:03.298 notify: info: client 10.133.253.128#17589: view
> internal: received notify for zone 'salina.k-state.edu'
> 13-Nov-2015 23:03:03.298 notify: info: client 10.133.253.128#17589: view
> internal: received notify for zone '178.130.129.in-addr.arpa'
> 13-Nov-2015 23:03:03.298 general: info: zone salina.k-state.edu/IN/internal:
> notify from 10.133.253.128#17589: refresh in progress, refresh check queued
> 13-Nov-2015 23:03:03.298 general: info: zone
> 178.130.129.in-addr.arpa/IN/internal: notify from 10.133.253.128#17589:
> refresh in progress, refresh check queued
> 13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal:
> refresh: retry limit for master 10.133.253.128#53 exceeded (source
> 129.130.254.21#0)
> 13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal:
> Transfer started.
> 13-Nov-2015 23:03:42.393 xfer-in: info: transfer of
> 'salina.k-state.edu/IN/internal' from 10.133.253.128#53: connected using
> 129.130.254.21#34391
> 13-Nov-2015 23:03:42.443 general: info: zone salina.k-state.edu/IN/internal:
> transferred serial 2015113475
> 13-Nov-2015 23:03:42.443 xfer-in: info: transfer of
> 'salina.k-state.edu/IN/internal' from 10.133.253.128#53: Transfer completed:
> 9 messages, 654 records, 17889 bytes, 0.049 secs (365081 bytes/sec)
> 13-Nov-2015 23:03:42.443 notify: info: zone salina.k-state.edu/IN/internal:
> sending notifies (serial 2015113475)
> 13-Nov-2015 23:03:43.395 general: info: zone
> 178.130.129.in-addr.arpa/IN/internal: refresh: retry limit for master
> 10.133.253.128#53 exceeded (source 129.130.254.21#0)
> 13-Nov-2015 23:03:43.396 general: info: zone
> 178.130.129.in-addr.arpa/IN/internal: Transfer started.
> 13-Nov-2015 23:03:43.400 xfer-in: info: transfer of
> '178.130.129.in-addr.arpa/IN/internal' from 10.133.253.128#53: connected
> using 129.130.254.21#34392
> 13-Nov-2015 23:03:43.438 general: info: zone
> 178.130.129.in-addr.arpa/IN/internal: transferred serial 2015113421
> 13-Nov-2015 23:03:43.439 xfer-in: info: transfer of
> '178.130.129.in-addr.arpa/IN/internal' from 10.133.253.128#53: Transfer
> completed: 5 messages, 223 records, 6184 bytes, 0.038 secs (162736 bytes/sec)
> 13-Nov-2015 23:03:43.439 notify: info: zone
> 178.130.129.in-addr.arpa/IN/internal: sending notifies (serial 2015113421)
>
> zone "salina.k-state.edu" {
>     type slave;
>     file "sec/internal/zone.salina.k-state.edu";
>     masters {
>         10.133.253.128;
>         10.133.253.129;
>         129.130.254.20 key "int-tsig";
>     };
>     also-notify { 129.130.254.20 key "int-tsig"; };
>     transfer-source 129.130.254.21;
> };
>
> I have 4 nameservers...one stealth master and 3 exposed secondaries...this
> is the zone on 'ns-1.ksu.edu', and where I've just given away the IP of our
> stealth master...
>
> The intent (temporary at the time) was so delegated zones sending to
> 'ns-1.ksu.edu' would work...by having that server send it to stealth master,
> which will then distribute it everywhere as if it had gotten it directly
>
> Of all the delegated subdomains...only the ones involving 10.133.253.128 are
> experiencing this. So, wondering if there's something about this that's
> causing problems, or something special that needs to be set, etc. Been
> staring at the ARM, but ev
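
An added example, not part of the original thread: a small Python check that scans named logs for the pattern discussed above, where the refresh query to a master hits its retry limit and a transfer from that same master then completes for the same zone. The sample lines are the thread's log entries re-joined onto single lines, plus one constructed control entry; the function name `udp_blocked_masters` is an assumption made for this example.

```python
import re
from collections import defaultdict

# Sample input: log lines from the thread, re-joined onto single lines.
# The last line is a constructed control (healthy transfer, no refresh failure).
SAMPLE_LOG = """\
13-Nov-2015 23:03:03.298 general: info: zone salina.k-state.edu/IN/internal: notify from 10.133.253.128#17589: refresh in progress, refresh check queued
13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal: refresh: retry limit for master 10.133.253.128#53 exceeded (source 129.130.254.21#0)
13-Nov-2015 23:03:42.388 general: info: zone salina.k-state.edu/IN/internal: Transfer started.
13-Nov-2015 23:03:42.443 xfer-in: info: transfer of 'salina.k-state.edu/IN/internal' from 10.133.253.128#53: Transfer completed: 9 messages, 654 records, 17889 bytes, 0.049 secs (365081 bytes/sec)
13-Nov-2015 23:03:43.395 general: info: zone 178.130.129.in-addr.arpa/IN/internal: refresh: retry limit for master 10.133.253.128#53 exceeded (source 129.130.254.21#0)
13-Nov-2015 23:03:43.439 xfer-in: info: transfer of '178.130.129.in-addr.arpa/IN/internal' from 10.133.253.128#53: Transfer completed: 5 messages, 223 records, 6184 bytes, 0.038 secs (162736 bytes/sec)
13-Nov-2015 23:04:00.000 xfer-in: info: transfer of 'example.test/IN/internal' from 192.0.2.53#53: Transfer completed: 1 messages, 6 records, 200 bytes, 0.001 secs (200000 bytes/sec)
"""

# Refresh query gave up after its retries (no usable reply came back).
RETRY = re.compile(r"zone (\S+): refresh: retry limit for master (\S+)#\d+ exceeded")
# Zone transfer from a master finished successfully.
DONE = re.compile(r"transfer of '([^']+)' from (\S+)#\d+: Transfer completed")


def udp_blocked_masters(log_text):
    """Return {master: [zones]} where a refresh hit its retry limit and a
    transfer of the same zone from the same master later completed."""
    pending = set()              # (zone, master) pairs with a failed refresh
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = RETRY.search(line)
        if m:
            pending.add((m.group(1), m.group(2)))
            continue
        m = DONE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            pending.discard((m.group(1), m.group(2)))
            hits[m.group(2)].add(m.group(1))
    return {master: sorted(zones) for master, zones in hits.items()}


if __name__ == "__main__":
    for master, zones in udp_blocked_masters(SAMPLE_LOG).items():
        print(f"{master}: refresh fails but transfer succeeds for {', '.join(zones)}")
```

A master that shows up here for every zone it serves, while other masters never do, points at something on the path to that one address rather than at the zone configuration.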