Secondary DNS - AXFR Failing

N

nthobe

New Member
Hi, I have a few domains that are setup in Secondary mode. Today I noticed that DNS is failing to resolve for both of them. ZoneEdit is showing empty zones because the AXFR transfers are failing. I can see in my logs that the transfers were failing intermittently back on March 8th. But they now look to be failing every time. Before this happened I hadn't made any DNS changes in months, so I wonder if there has been a change in your transfer client?

This is what I'm seeing in my logs:
Rich (BB code): 
@4000000067cf715409d2658c tcpserver: pid 11751 from 64.68.198.91
@4000000067cf715409da25ec tcpserver: ok 11751 0:72.26.96.116:53 :64.68.198.91::37065
@4000000067cf715409f2a75c 4044c65b:90c9:c310 00fc organizedanarchy.net
@4000000067cf71540daab204 axfrdns: fatal: unable to read from network: connection reset
@4000000067cf71540db4f304 tcpserver: end 11751 status 28416
@4000000067cf71540db4fad4 tcpserver: status: 0/40
@4000000067cf7154100259bc tcpserver: status: 1/40
@4000000067cf7154100710c4 tcpserver: pid 55630 from 64.68.198.91
@4000000067cf715410097ddc tcpserver: ok 55630 0:72.26.96.116:53 :64.68.198.91::43151
@4000000067cf7154102147b4 4044c65b:a88f:c5bc 00fc th0.be
@4000000067cf715413afd15c axfrdns: fatal: unable to read from network: connection reset
@4000000067cf715413b8938c tcpserver: end 55630 status 28416

The AXFR request is coming in from ZoneEdit (64.68.198.91), but your client seems to be dropping the TCP connection. Are you able to see anything in your logs about why the transfers are failing?

I'm able to use "dig" to test that the response if coming through for me correctly:

Rich (BB code): 
$ dig @72.26.96.116 th0.be AXFR

; <<>> DiG 9.18.30 <<>> @72.26.96.116 th0.be AXFR
; (1 server found)
;; global options: +cmd
th0.be.                 2560    IN      SOA     dns1.zoneedit.com. hostmaster.th0.be. 1741644291 16384 2048 1048576 2560
th0.be.                 259200  IN      NS      dns1.zoneedit.com.
th0.be.                 259200  IN      NS      dns2.zoneedit.com.
th0.be.                 86400   IN      MX      0 mail.th0.be.
th0.be.                 86400   IN      MX      300 mail.organizedanarchy.net.
drop.th0.be.            86400   IN      A       72.26.96.116
th0.be.                 86400   IN      A       72.26.96.116
mail.th0.be.            86400   IN      A       72.26.96.116
testdev.th0.be.         300     IN      A       72.26.96.116
th0.be.                 2560    IN      SOA     dns1.zoneedit.com. hostmaster.th0.be. 1741644291 16384 2048 1048576 2560
;; Query time: 18 msec
;; SERVER: 72.26.96.116#53(72.26.96.116) (TCP)
;; WHEN: Mon Mar 10 16:49:47 PDT 2025
;; XFR size: 12 records (messages 12, bytes 614)
 
Brad C. said:
Hello, could you please try using a TTL of 86400 or lower for the NS records?
Click to expand...
Thanks for the reply. I tried lowering all of the TTLs for the NS records to 86400 and was still seeing the same failures. I then tried lowering them to 43200 and I'm still seeing the same "connection reset" on my "axfrdns" server.
 
I wanted to update you that I was able to get transfers working again by changing the DNS server I'm using on my primary. Previously, I was using "axfrdns" from the "djbdns" suite of programs. I've been running that for more than two decades. And, I don't think it's been updated in that time either. My best guess is your transfer client was updated with a change that no longer accepts something in the reply from axfrdns.

I was able to setup an instance of PowerDNS, transfer in my existing zones from djbdns (using AXFR). AXFR transfers are now working from ZE to PowerDNS without any changes to the zone data.

Hopefully this helps anyone else who's having issues recently.
 
You must log in or register to reply here.
Back
Top