Discussion:
zone transfer
Peter Pentchev
2003-07-22 09:59:01 UTC
Hi,
I am unable to get this zone transfer thing right.
On my server I have tinydns as,
[snip correct-looking tinydns configuration]
I tried
$ tcpclient 202.71.140.212 53 axfr-get tyskyshop.com tyskyshop-data tyskyshop-tmp
tcpclient: unable to connect to 202.71.140.212 port 53: connection refused
Well, tinydns by itself will not perform zone transfers; nor will it
listen on TCP port 53, as you seem to have already noticed :)
You need axfrdns for that. Configure a new axfrdns service using
axfrdns-conf and specifying tinydns's root directory, start it up,
and the zone transfers should work.

G'luck,
Peter
--
Peter Pentchev ***@ringlet.net ***@sbnd.net ***@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence would be seven words long if it were six words shorter.
Peter Pentchev
2003-07-22 11:02:18 UTC
Thanks, it is working OK now. Still, I have one problem, given below.
Post by Peter Pentchev
Well, tinydns by itself will not perform zone transfers; nor will it
listen on TCP port 53, as you seem to have already noticed :)
I need to get rid of this BIND mentality :)
I have configured axfrdns with Gtinydns and Gdnslog account.
Post by Peter Pentchev
You need axfrdns for that. Configure a new axfrdns service using
axfrdns-conf and specifying tinydns's root directory, start it up,
and the zone transfers should work.
I can do it very well for the domain tyskyshop.com which is a real
domain.
Now I have made a fake domain shantanu_fake1.com and tested on it, but it does
not work and I get an error,
$ tcpclient 202.71.140.212 53 axfr-get shantanu_fake1.com shantanu_fake1-data shantanu-tmp
axfr-get: fatal: unable to parse AXFR results: protocol error
Now my data file for this particular domain reads,
# cat data | grep shantanu
.shantanu_fake1.com:202.71.140.212:a:259200
@shantanu_fake1.com:202.71.140.212:a::86400
But this time it does not work?
Sorry, but I left my oracle hat at home this morning; you just might
have to give me some more information to help :)

First, did you actually run 'make' in the tinydns's root/ directory
after modifying the data file, so that the data.cdb is rebuilt with
the new domain?

Second (to test the first), did you test that tinydns answers queries
about your new domain at all? Use dnsq, point it to your tinydns
address, and ask it a question about the new domain; if it does not
reply at all, or replies with NXDOMAIN, then you probably did not run
make at all, and tinydns (and axfrdns, too) is still using the old
data.cdb file.

Third, what is there in the 'tcp' file in the axfrdns service's
directory - did you explicitly set an AXFR variable to e.g. only
the tyskyshop domain? If so, axfrdns will refuse any transfers for
domains other than those listed in the AXFR variable.

G'luck,
Peter
--
Peter Pentchev ***@ringlet.net ***@sbnd.net ***@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence contradicts itself - or rather - well, no, actually it doesn't!
bda
2003-07-22 12:00:29 UTC
$ dnsq ns shantanu_fake1.com 202.71.140.212
71 bytes, 1+1+0+1 records, response, authoritative, noerror
query: 2 shantanu_fake1.com
answer: shantanu_fake1.com 259200 NS a.ns.shantanu_fake1.com
additional: a.ns.shantanu_fake1.com 259200 A 202.71.140.212
axfr-get: fatal: unable to parse AXFR results: protocol error
While I have no idea if this would break axfr, "_" is not a valid
character in DNS.

I've never used axfr, this was just an FYI.
--
bda
Cyberpunk is dead. Long live cyberpunk.
http://mirrorshades.org
Peter Pentchev
2003-07-22 12:21:55 UTC
[snip]
Post by Peter Pentchev
Third, what is there in the 'tcp' file in the axfrdns service's
directory - did you explicitly set an AXFR variable to e.g. only
the tyskyshop domain? If so, axfrdns will refuse any transfers for
domains other than those listed in the AXFR variable.
Ok, that is a mistake I made, but I corrected it and still it does not
work.
# pwd
/service/axfrdns
#cat tcp
# sample line: 1.2.3.4:allow,AXFR="heaven.af.mil/3.2.1.in-addr.arpa"
:allow,AXFR="tyskyshop.com"
:allow,AXFR="shantanu_fake1.com"
:deny
# make
make: `tcp.cdb' is up to date.
I haven't understood the sample line exactly, so I have allowed everyone to do
zone transfers.
[Do I have to put an allow line for all domains, no wildcards here?]
You have to put a *single* allow line for each IP address range;
since you want to allow everyone to perform zone transfers, you have
to list both the tyskyshop.com and shantanu_fake1.com domains in
a single line, something like:

:allow,AXFR="tyskyshop.com/shantanu_fake1.com"

Or, a bit simpler, a line that would allow zone transfers for all
domains in the tinydns database:

:allow

Do *not* confuse the above with the following line, which will *deny*
transfers for any domains:

:allow,AXFR=""

The AXFR="" line, which disallows any transfers, is used by servers
which do not really need to provide zone transfer functionality, but
just use axfrdns's ability to answer DNS requests arriving over TCP
(when the response is bigger than the DNS UDP response size limit,
which I believe is 512 bytes). It is a very rare situation which
would *require* serving DNS over TCP (yet I do it for my servers,
just in case), and it is even more rare to provide TCP DNS service
without zone transfers, so you'd probably never really need to use
the AXFR="" line. Either list all the domains in a single 'allow'
line, separated by slashes, or simply do not put an AXFR=... part
and let axfrdns service all zone transfer requests.

Hope that helped :)

G'luck,
Peter
--
Peter Pentchev ***@ringlet.net ***@sbnd.net ***@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am not the subject of this sentence.
shantanu
2003-07-22 14:25:47 UTC
Tuesday, July 22, 2003, 5:51:55 PM, you wrote:


PP> You have to put a *single* allow line for each IP address range;
PP> since you want to allow everyone to perform zone transfers, you have
PP> to list both the tyskyshop.com and shantanu_fake1.com domains in
PP> a single line, something like:

PP> :allow,AXFR="tyskyshop.com/shantanu_fake1.com"

PP> Or, a bit simpler, a line that would allow zone transfers for all
PP> domains in the tinydns database:

PP> :allow


Great. That is what I wanted.
Still some problems.

data file contains,
.shantanu1234.com:202.71.140.212:a:259200
+www.shantanu1234.com:202.71.140.212:86400
@shantanu1234.com:202.71.140.212:a::86400

I have recompiled the database using make again.

# svc -t /service/tinydns/
# svc -t /service/axfrdns/
# svstat /service/tinydns/ /service/axfrdns/
/service/tinydns/: up (pid 21242) 9 seconds
/service/axfrdns/: up (pid 21244) 7 seconds

# cat tcp
# sample line: 1.2.3.4:allow,AXFR="heaven.af.mil/3.2.1.in-addr.arpa"
:allow,AXFR="tyskyshop.com"
:allow
:deny

# make
make: `tcp.cdb' is up to date.

# tcpclient 202.71.140.212 53 axfr-get shantanu1234.com sha-data shan-tmp
axfr-get: fatal: unable to parse AXFR results: protocol error

Can someone try this from their machine and let me know where the
exact problem lies?

With respects,
Shantanu
--
Best regards,
shantanu mailto:shantanu-***@dcpl.co.in
Peter Pentchev
2003-07-22 14:43:39 UTC
Post by shantanu
PP> You have to put a *single* allow line for each IP address range;
PP> since you want to allow everyone to perform zone transfers, you have
PP> to list both the tyskyshop.com and shantanu_fake1.com domains in
PP> :allow,AXFR="tyskyshop.com/shantanu_fake1.com"
PP> Or, a bit simpler, a line that would allow zone transfers for all
PP> :allow
[snip]
Post by shantanu
# cat tcp
# sample line: 1.2.3.4:allow,AXFR="heaven.af.mil/3.2.1.in-addr.arpa"
:allow,AXFR="tyskyshop.com"
Go back to reading Prof. Bernstein's page describing the UCSPI-TCP rule
file format at http://cr.yp.to/ucspi-tcp/tcprules.html
After you've read that page, come back to your file and check if you
understand why you should remove this line and leave only the next one.
Post by shantanu
:allow
:deny
Also, after reading the tcprules.html page, check if you understand
why this last line is unnecessary.

G'luck,
Peter
--
Peter Pentchev ***@ringlet.net ***@sbnd.net ***@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
You have, of course, just begun reading the sentence that you have just finished reading.
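The two points Peter makes about the tcp rules file (the AXFR variable semantics in his 12:21 reply, and the "remove the first line, the :deny is unnecessary" hint in his 14:43 reply) both come down to how tcpserver picks one rule per connection and how axfrdns then reads $AXFR. The following is an added example, not code from the thread or from djbdns; it models those rules in Python, following http://cr.yp.to/ucspi-tcp/tcprules.html (first line per address wins because cdb returns the first record for a repeated key; lookup order is exact IP, then IP prefixes ending in a dot, then the empty default address; no match means allow) and axfrdns's handling of AXFR (unset: every zone; set: only the slash-separated zones listed; empty string: none). The rule files and client addresses are constructed for illustration; host-name (`=host`) rules are not modelled.

```python
"""Model of tcpserver's tcprules lookup and axfrdns's $AXFR check.

Added example (not part of the thread or of djbdns). Assumptions, taken
from tcprules.html and the axfrdns documentation:
  * a repeated address keeps only its FIRST line (cdb first-record semantics);
  * lookup order: exact IP, then prefixes "a.b.c.", "a.b.", "a.", then "";
  * with no matching rule tcpserver allows the connection;
  * AXFR unset -> all zones; AXFR="x/y" -> only x and y; AXFR="" -> none.
"""

import re

_INSTR_RE = re.compile(r'^(allow|deny)((?:,[A-Za-z_][A-Za-z0-9_]*="[^"]*")*)$')
_VAR_RE = re.compile(r',([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


def parse_tcprules(text):
    """Return {address: (verdict, env)}, keeping the first rule per address.

    Blank lines and lines starting with '#' are ignored, as tcprules does.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        address, _, instruction = line.partition(':')
        m = _INSTR_RE.match(instruction)
        if not m:
            raise ValueError('bad tcprules line: %r' % line)
        if address not in rules:  # a later line with the same address never matches
            rules[address] = (m.group(1), dict(_VAR_RE.findall(m.group(2))))
    return rules


def lookup(rules, client_ip):
    """Return the (verdict, env) tcpserver would apply to client_ip."""
    octets = client_ip.split('.')
    candidates = [client_ip]
    for n in range(len(octets) - 1, 0, -1):   # longest prefix first
        candidates.append('.'.join(octets[:n]) + '.')
    candidates.append('')                      # the default rule
    for key in candidates:
        if key in rules:
            return rules[key]
    return ('allow', {})                       # no rule at all: allowed, no env


def transfer_allowed(rules_text, client_ip, zone):
    """True if a client at client_ip would be served an AXFR of zone."""
    verdict, env = lookup(parse_tcprules(rules_text), client_ip)
    if verdict != 'allow':
        return False
    if 'AXFR' not in env:        # no AXFR variable: every zone may be transferred
        return True
    allowed = [z for z in env['AXFR'].split('/') if z]   # AXFR="" -> empty list
    return zone in allowed


# Constructed rule files mirroring the ones discussed in the thread.
BROKEN = '''# sample line: 1.2.3.4:allow,AXFR="heaven.af.mil/3.2.1.in-addr.arpa"
:allow,AXFR="tyskyshop.com"
:allow
:deny
'''
FIXED = ':allow\n'
LISTED = ':allow,AXFR="tyskyshop.com/shantanu1234.com"\n'
TCP_ONLY = ':allow,AXFR=""\n'
# Constructed: only one secondary may pull zones, everyone else gets TCP answers only.
SECONDARY_ONLY = '''203.0.113.5:allow
:allow,AXFR=""
'''

if __name__ == '__main__':
    for name, text in [('BROKEN', BROKEN), ('FIXED', FIXED),
                       ('LISTED', LISTED), ('TCP_ONLY', TCP_ONLY)]:
        print(name, transfer_allowed(text, '198.51.100.7', 'shantanu1234.com'))
```

Running it shows why the thread's file failed: in BROKEN the first `:` line sets AXFR="tyskyshop.com", so the later `:allow` and `:deny` lines for the same empty address are dead, and shantanu1234.com is refused even though the data.cdb contains it; FIXED and LISTED both serve it. SECONDARY_ONLY is the shape a practitioner usually wants: a named secondary may transfer, everyone else only gets ordinary DNS over TCP.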