Bug 600 - IXFR does not seem to work
IXFR does not seem to work
Status: RESOLVED FIXED
Product: NSD
Classification: Unclassified
Component: NSD Code
4.0.x
i386 FreeBSD
: P5 normal
Assigned To: NSD team
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-08-05 10:26 CEST by jeroen
Modified: 2014-08-05 11:35 CEST (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description jeroen 2014-08-05 10:26:39 CEST
It seems that ixfr requests are broken in NSD 4.0.3. I am able to do AXFR requests from my client, and have done so twice below. I resigned the zone in between, so it also has a newer serial. Both AXFR requests work fine. The IXFR request however fails after giving a strange SOA record.

% dig -t axfr 1sand0s.nl @ns1.dckd.nl

; <<>> DiG 9.8.3-P1 <<>> -t axfr 1sand0s.nl @ns1.dckd.nl
;; global options: +cmd
1sand0s.nl.		86400	IN	SOA	ns1.dckd.nl. hostmaster.dckd.nl. 2014080201 28800 14400 864000 86400
1sand0s.nl.		86400	IN	RRSIG	SOA 8 2 86400 20140904000000 20140802174749 30870 1sand0s.nl. r1iVV2QX19wSMmdsni+Wlrzmdxn9xhtTPVcvPQm2RPlytimdJWm12Mh+ Y89ACMGwpk/OvtgLwlEceu4pwSQV4gVIxkqSAkYLBAIYfBzRBIP1NVbA 8GJuglE8sMH+zwj0CRmq7ddAP6cRnx6BEl2fBgeU4PH5udUWmiFCywzV Tyw=

[...]

1sand0s.nl.		86400	IN	SOA	ns1.dckd.nl. hostmaster.dckd.nl. 2014080201 28800 14400 864000 86400
;; Query time: 40 msec
;; SERVER: 94.142.246.99#53(94.142.246.99)
;; WHEN: Tue Aug  5 10:06:31 2014
;; XFR size: 40 records (messages 1, bytes 3878)

I resigned the zone here:

% dig -t axfr 1sand0s.nl @ns1.dckd.nl

; <<>> DiG 9.8.3-P1 <<>> -t axfr 1sand0s.nl @ns1.dckd.nl
;; global options: +cmd
1sand0s.nl.		86400	IN	SOA	ns1.dckd.nl. hostmaster.dckd.nl. 2014080500 28800 14400 864000 86400
1sand0s.nl.		86400	IN	RRSIG	SOA 8 2 86400 20140907000000 20140805080723 30870 1sand0s.nl. wtkLZ8sxlmyYnuUDC5xoLQRBkfDXwcsOb14XCysfZe6JtKlgoXBIYZ2U fvwPk/RjJy6prIws5c7GQwUUYtNAzpGp6N0wIc0vgZNq5bDZD57dundt /+hmPVXYmKyVYhxt/q7A4OpIknc/tmYVTBD9cyWZ8z0n5K7cspCNjjzm SD8=

[...]

1sand0s.nl.		86400	IN	SOA	ns1.dckd.nl. hostmaster.dckd.nl. 2014080500 28800 14400 864000 86400
;; Query time: 16 msec
;; SERVER: 94.142.246.99#53(94.142.246.99)
;; WHEN: Tue Aug  5 10:07:28 2014
;; XFR size: 40 records (messages 1, bytes 3878)

 % dig -t ixfr=2014080201 1sand0s.nl @ns1.dckd.nl

; <<>> DiG 9.8.3-P1 <<>> -t ixfr=2014080201 1sand0s.nl @ns1.dckd.nl
;; global options: +cmd
1sand0s.nl.		0	IN	SOA	. . 2014080201 0 0 0 0
; Transfer failed.

% dig  ixfr=2014080201 1sand0s.nl @ns1.dckd.nl

; <<>> DiG 9.8.3-P1 <<>> ixfr=2014080201 1sand0s.nl @ns1.dckd.nl
;; global options: +cmd
1sand0s.nl.		0	IN	SOA	. . 2014080201 0 0 0 0
; Transfer failed.
Comment 1 Wouter Wijngaards 2014-08-05 10:43:27 CEST
Hi Jeroen,

Are you making IXFR requests to NSD?  NSD does not implement the server for IXFR.  It implements IXFR as a client, downloading IXFR changes from another server.

Best regards,
   Wouter
Comment 2 Wouter Wijngaards 2014-08-05 10:44:16 CEST
Hi Jeroen,

Also, what you are seeing may be the IXFR response with a single SOA record when performed over UDP, or when there are no changes.

Best regards,
   Wouter
Comment 3 jeroen 2014-08-05 10:48:59 CEST
I resigned the zone, so all signatures should be different (and there's a "Failed." at the end also).

And yes, this is querying a NSD server with an IXFR request. It is not documented anywhere that NSD does not support IXFR. Could that be documented?

Also, is there a more graceful way of signalling this to a client?

Regards,
Jeroen.
Comment 4 Wouter Wijngaards 2014-08-05 11:06:16 CEST
Hi Jeroen,

The doc/REQUIREMENTS notes that:

   RFC 1995 (IXFR) support only for making requests to other servers.
                - IXFR is not served.

But I guess we should also note it somewhere else, what part of the documentation was is that you looked at, and would be a good place?

The NOTIMPL rcode is the RFC method to signal the non-implementation.

Best regards,
   Wouter
Comment 5 jeroen 2014-08-05 11:28:45 CEST
The first place I would look was at "man nsd.conf" in the "provide-xfr" description. It mentions AXFR, but does not say anywhere that IXFR is not supported.

In my view this is also an important difference with BIND, so it should be listed there.
Comment 6 Wouter Wijngaards 2014-08-05 11:35:36 CEST
Hi Jeroen,

Fixed the documentation, thanks for the report!

Best regards, Wouter