AXFR from ns1.linode.com denied with "NotImp"
I'm trying to set up linode as a DNS master for a domain, with slaves at another site. DNS for my domain (xxxxxx.com below) is being served correctly from ns1.linode.com, I can request addresses from that server and get the appropriate response, but I'm having a hard time setting up domain transfers out from ns1.linode.com (the master), to inform the slaves. I have tried setting the "Domain Transfers" area with the appropriate IP addresses, also, "any" (seen in a blog post), also just leaving it blank, but domain transfers out from linode still fail: "NotImp" is the response from ns1.linode.com. Is anyone successfully setting up third party secondaries for their linode.com DNS master domains? Any hints? See below for a tcpdump trace of the request…
Thanks.
- Scott
07:50:53.118385 IP ring.yyyyy.net.55361 > ns1.linode.com.domain: Flags [S], seq 3304760418, win 32768, options [mss 1460,nop,wscale 3,sackOK,nop,nop,nop,nop,TS val 1 ecr 0], length 0
07:50:53.159277 IP ns1.linode.com.domain > ring.yyyyy.net.55361: Flags [S.], seq 3933255877, ack 3304760419, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
07:50:53.159356 IP ring.yyyyy.net.55361 > ns1.linode.com.domain: Flags [.], ack 1, win 4197, length 0
07:50:53.159508 IP ring.yyyyy.net.55361 > ns1.linode.com.domain: Flags [P.], seq 1:44, ack 1, win 4197, length 4341861 [1au] AXFR? xxxxxx.com. (41)
07:50:53.200746 IP ns1.linode.com.domain > ring.yyyyy.net.55361: Flags [.], ack 44, win 29, length 0
07:50:53.201130 IP ns1.linode.com.domain > ring.yyyyy.net.55361: Flags [P.], seq 1:44, ack 44, win 29, length 4341861 NotImp- 0/0/1 (41)
07:50:53.201135 IP ns1.linode.com.domain > ring.yyyyy.net.55361: Flags [F.], seq 44, ack 44, win 29, length 0
07:50:53.201183 IP ring.yyyyy.net.55361 > ns1.linode.com.domain: Flags [.], ack 45, win 4192, length 0
07:50:53.201765 IP ring.yyyyy.net.55361 > ns1.linode.com.domain: Flags [F.], seq 44, ack 45, win 4197, length 0
07:50:53.247207 IP ns1.linode.com.domain > ring.yyyyy.net.55361: Flags [.], ack 45, win 29, length 0
3 Replies
@dwfreed:
The servers that provide ns1-ns5 are run by Cloudflare, and are effectively proxies. In order to do AXFRs against a master zone, you need to use axfr1.linode.com - axfr5.linode.com (you can pick any one, or use them all in a round robin fashion).
Thanks!
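An added example, not part of the original thread: a small Python probe that sends the same TCP-framed AXFR query seen in the trace and separates a NotImp reply (the endpoint does not serve transfers at all) from a Refused reply (the usual result of a transfer ACL denial). Function names and the `example.com` zone are assumptions made for illustration, and the NotImp reply is constructed to match the trace's `NotImp- 0/0/1` line.

```python
import socket
import struct

RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}

def build_axfr_query(zone, qid=0x1234):
    """TCP-framed AXFR query with an EDNS OPT record (tcpdump shows it as [1au])."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in zone.rstrip(".").split(".")) + b"\x00"
    msg = struct.pack("!6H", qid, 0, 1, 0, 0, 1) + qname + struct.pack("!HH", 252, 1)  # QTYPE AXFR, class IN
    msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)  # OPT: root name, type 41, 4096-byte payload
    return struct.pack("!H", len(msg)) + msg  # DNS over TCP: 2-byte length prefix

def parse_reply_header(framed):
    """Decode the header of the first length-prefixed message in a TCP reply."""
    if len(framed) < 14:
        raise ValueError("reply too short for a length prefix plus DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", framed[2:14])
    rcode = flags & 0x000F
    return {"id": qid, "rcode": RCODES.get(rcode, str(rcode)), "counts": (an, ns, ar)}

def classify(reply):
    """Map the reply to the operational cause a zone admin cares about."""
    if reply["rcode"] == "NoError" and reply["counts"][0] > 0:
        return "transfer served"
    if reply["rcode"] == "NotImp":
        return "endpoint does not implement AXFR: wrong server, not an ACL problem"
    if reply["rcode"] == "Refused":
        return "AXFR refused: check the transfer ACL for this source address"
    return "unexpected rcode " + reply["rcode"]

def constructed_notimp_reply(zone, qid=0x1234):
    """Constructed sample shaped like the trace's 'NotImp- 0/0/1' reply."""
    body = build_axfr_query(zone, qid)[2:]
    body = body[:2] + struct.pack("!H", 0x8004) + body[4:]  # QR=1, RCODE=4
    return struct.pack("!H", len(body)) + body

def probe(server, zone, timeout=5.0):
    """Send one AXFR query to server:53 over TCP and classify the first reply."""
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(build_axfr_query(zone))
        data = b""
        while len(data) < 14:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify(parse_reply_header(data))

if __name__ == "__main__":
    print(classify(parse_reply_header(constructed_notimp_reply("example.com"))))
```

To compare endpoints, call `probe()` from the secondary's own address with your zone, once against `ns1.linode.com` and once against `axfr1.linode.com`.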