DNSSEC Incremental Zone Transfer not transferring all changed records

  • Question

    Hi,

    My server: Windows Server 2012 R2 DNS Server with a DNSSEC signed zone - fully updated as of 2015-06-13.

    I've been doing some experiments recently to figure out why my DNS slaves were having a bad RRSIG record for the SOA record. I checked everything, the SOA serial, the transfers, I changed data to trigger transfers and so on - but nothing helped. Then I finally did queries on the RRSIG for the SOA, to see what it actually was everywhere. I found out the details in the following screenshots:

    [s1] SOA Serials - https://imgur.com/MDfVsMH
    [s2] SOA Signatures - https://imgur.com/ppXsaFj

    In these screenshots, we can see that the SOA Serial on my master server (cz.mbwarez.dk) is the same as on two of the many slaves (cloudns.net - very helpful people :)). But when doing a query for the RRSIG values, I find that the signatures for the SOA record are different across them all (basically - they're all stuck at some value).

    I started investigating, as I could now see that even if I changed the SOA Serial, and they all replicated successfully, the SOA Signature was static. I did a packet capture at my server (cz.mbwarez.dk) to see one of these transfers, and I noticed that the target server was doing an IXFR (Incremental Transfer) - but was NOT receiving the RRSIG for the SOA record.

    [s3] Wireshark Capture of IXFR: http://imgur.com/EYH2Qxj

    In the above Wireshark screenshot, we can see the IXFR performed when I added the TXT record "test-record.lordmike.dk.". All kinds of records are transferred, but not an RRSIG for the apex domain (lordmike.dk.), even though it has (obviously) changed since the serial number has changed.

    Another bug here on Technet which I stumbled across ([1]) said that when the DNS server automatically rolled keys, or otherwise signed the records again to refresh the RRSIGs, it would not update the SOA serial and thus the secondary servers never got the new data. I think this is the same kind of issue - when a record (the SOA) is signed again, it is not marked as updated, and will not be updated in an IXFR. 

    I verified with CloudNS.net that if they do an AXFR - all is fine. So the issue is only with IXFRs.

    Notes.
    [1] DNSSEC in Windows Server 2012 signature refresh on secondary - https://social.technet.microsoft.com/Forums/windowsserver/en-US/7f92cb07-7a23-4d24-a5d2-0d8eac3100ad/dnssec-in-windows-server-2012-signature-refresh-on-secondary

    Regards,
    Mike

    • Edited by Michael G. Bisbjerg Saturday, June 13, 2015 10:20 AM Added screenshot of Wireshark IXFR capture
    Saturday, June 13, 2015 10:12 AM
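The comparison Mike did by hand (SOA serial vs. RRSIG over the SOA on each server) can be scripted. The following is an added example, not code from the post or from Microsoft; it parses the answer section of `dig +dnssec SOA <zone> @<server>` output, one record per line, and flags a slave whose serial matches the master while its RRSIG(SOA) still carries an old signature, which is the symptom of an IXFR that omitted the refreshed RRSIG. It also flags signatures that have already expired at a given time, since that is when validating resolvers start returning SERVFAIL for the zone. The server names are taken from the post; the serials, key tag, timestamps and signature strings are constructed placeholders.

```python
"""Compare the apex SOA serial and its RRSIG across authoritative servers.

Added example (not from the original post). Input is the answer section of
`dig +dnssec SOA lordmike.dk. @<server>` with one record per line.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ApexState:
    """What one server currently serves for the zone apex."""
    serial: Optional[int] = None
    rrsig_expiration: Optional[str] = None   # YYYYMMDDHHMMSS, as printed by dig
    rrsig_inception: Optional[str] = None
    rrsig_keytag: Optional[int] = None
    rrsig_signature: Optional[str] = None


def parse_dig_answer(text: str) -> ApexState:
    """Extract the SOA serial and the RRSIG(SOA) fields from dig-style answer lines."""
    state = ApexState()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # skip comments and dig's header lines
        f = line.split()                  # owner ttl class type rdata...
        if len(f) < 5 or f[2] != "IN":
            continue
        if f[3] == "SOA":
            # SOA rdata: mname rname serial refresh retry expire minimum
            state.serial = int(f[6])
        elif f[3] == "RRSIG" and f[4] == "SOA":
            # RRSIG rdata: covered alg labels origttl expiration inception keytag signer sig...
            state.rrsig_expiration = f[8]
            state.rrsig_inception = f[9]
            state.rrsig_keytag = int(f[10])
            state.rrsig_signature = "".join(f[12:])   # base64 may be split by spaces
    return state


def compare_servers(master: str, states: Dict[str, ApexState], now: str) -> List[str]:
    """Return one finding per slave that is out of step with the master.

    `now` is a YYYYMMDDHHMMSS string; fixed-width timestamps compare lexically.
    """
    findings: List[str] = []
    ref = states[master]
    for name, st in states.items():
        if name == master:
            continue
        if st.serial != ref.serial:
            findings.append(f"{name}: serial {st.serial} differs from master "
                            f"{ref.serial} (transfer pending or failed)")
        elif st.rrsig_signature != ref.rrsig_signature:
            findings.append(f"{name}: serial {st.serial} matches master but RRSIG(SOA) "
                            f"differs (inception {st.rrsig_inception} vs "
                            f"{ref.rrsig_inception}); check whether IXFR omitted the RRSIG")
        if st.rrsig_expiration is not None and st.rrsig_expiration < now:
            findings.append(f"{name}: RRSIG(SOA) expired at {st.rrsig_expiration}; "
                            f"validating resolvers will fail this zone")
    return findings


# Constructed sample output; only the hostnames come from the post.
MASTER = "cz.mbwarez.dk"
SAMPLES = {
    MASTER: (
        "lordmike.dk. 3600 IN SOA cz.mbwarez.dk. hostmaster.lordmike.dk. 2015061305 3600 600 1209600 3600\n"
        "lordmike.dk. 3600 IN RRSIG SOA 8 2 3600 20150627101200 20150613101200 12345 lordmike.dk. NEWSIGexample==\n"
    ),
    "pns1.cloudns.net": (
        "lordmike.dk. 3600 IN SOA cz.mbwarez.dk. hostmaster.lordmike.dk. 2015061305 3600 600 1209600 3600\n"
        "lordmike.dk. 3600 IN RRSIG SOA 8 2 3600 20150615000000 20150601000000 12345 lordmike.dk. OLDSIGexample==\n"
    ),
    "pns2.cloudns.net": (
        "lordmike.dk. 3600 IN SOA cz.mbwarez.dk. hostmaster.lordmike.dk. 2015061304 3600 600 1209600 3600\n"
        "lordmike.dk. 3600 IN RRSIG SOA 8 2 3600 20150627101200 20150613101200 12345 lordmike.dk. NEWSIGexample==\n"
    ),
}


def run_check(now: str = "20150613101200") -> List[str]:
    """Parse every sample and return the findings list."""
    states = {host: parse_dig_answer(text) for host, text in SAMPLES.items()}
    return compare_servers(MASTER, states, now)


if __name__ == "__main__":
    for line in run_check():
        print(line)
```

Running it against live servers means replacing the constructed strings in `SAMPLES` with the captured output of `dig +dnssec +noall +answer SOA lordmike.dk. @<server>` for each server; a slave that shows up with a matching serial but a different signature is the one to re-check with a forced AXFR, as the post found.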

Answers