
Re: OT: dns zone transfer (was: public key is not available)



> > > His nameserver doesn't need to be broken, yours might very well be.
> > > His nameserver refuses to answer a zone transfer request (9 NOAUTH)
> > > because it's not authoritative on that zone (that's absolutely correct
> > > behaviour).
> >
> > OK I'll take your word for that my DNS is broken, his is not. As I
> > said, I am no DNS guru.
> >
> > I have bind running locally, could that explain it?
> >
> > > Yours does answer that request. The funny thing is that among the
> > > authoritative nameservers of the pgp.net zone, some answer the zone
> > > transfer request and some do not (5 REFUSED).
>
> I tried
>
> $ host -v -l pgp.net
>
> and it seems my dns is not queried to do zone transfers
>
> $ host -v -l pgp.net
> Query about pgp.net for record types A NS PTR
> Finding nameservers for pgp.net ...
> Query done, 6 answers, status: no error
> Found 1 address for ns1.pipex.net
> Found 1 address for procert.cert.dfn.de
> Found 1 address for auth01.ns.uu.net
> Found 1 address for dns0.cl.cam.ac.uk
> Found 1 address for nac.no
> Found 1 address for ns0.pipex.net
> Trying server 158.43.192.7 (ns1.pipex.net) ...
> Asking zone transfer for pgp.net ...
> Query failed, 0 answers, status: query refused
> pgp.net AXFR record query refused by ns1.pipex.net
> Asking SOA record for pgp.net ...
> Query done, 1 answer, authoritative status: no error
>
> [ my comment: host asked ns1.pipex.net for a zone transfer, got none]
> [ ... other servers in the list above tried, got no answers]
>
> If I understand things correctly, host does not ask my dns for a zone
> transfer for pgp.net. So my DNS is not broken.

Right - your DNS server cannot know about zone data for pgp.net (only
cached parts of it). For zone transfers, it's always one of the
authoritative name servers that's asked.

Correct default behavior for authoritative name servers is to refuse zone
transfers from anyone not local (or even anyone not running a secondary).
In this case, where zone transfers are used to publish information about
which key servers to contact (according to the documentation even!), the
correct behavior would instead be to accept zone queries from anyone.
Seems the pgp.net servers are misconfigured.

> So my DNS is not broken, but why did
>
> $ host -l pgp.net | grep www
>
> not work for Paul J. Lucas?
>
> Because he used host from the "bind9-host" package while I used host
> from the "host" package.

Maybe both have different limits on how many servers to try, or even
different methods to query for zone data. Either way, the documented way
of figuring out key servers does not work reliably, and the documentation
should be fixed to suggest a more reliable method (or the pgp.net DNS
needs fixing if that's possible; they may have switched off zone queries
for a reason).

	Michael
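A BIND named.conf fragment illustrating the two behaviours discussed in this thread, added here as an example and not taken from the thread or from any pgp.net configuration; the zone names, file names and secondary addresses are placeholders:

```conf
// Placeholder addresses for this server's own secondaries (assumed values).
acl secondaries { 192.0.2.10; 192.0.2.11; };

options {
    // Default for every zone: refuse AXFR from anyone who is not a secondary.
    // Zones that do not override this answer "query refused", as
    // ns1.pipex.net did in the host output quoted above.
    allow-transfer { secondaries; };
};

zone "example.net" {
    type master;
    file "db.example.net";
    // No allow-transfer here, so the restrictive default from options applies.
};

// A zone whose records are deliberately published via zone transfer,
// as the pgp.net documentation describes: opt in per zone, not globally.
zone "example.org" {
    type master;
    file "db.example.org";
    allow-transfer { any; };
};
```

With this layout a forgotten allow-transfer on a zone never exposes it; only zones that explicitly opt in answer AXFR from arbitrary clients, and everything in such a zone should be treated as public.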
