Hi, I tried using BIND 9.18.10 as a downstream name server of an OpenDNSSEC 2.1.8 installation, but after sorting out the ACL issues on the OpenDNSSEC side, zone transfers failed with messages such as these:

Jan 21 17:15:34 new-ns named[22056]: transfer of '4.38.158.in-addr.arpa/IN' from 158.38.x.yy#53: failed while receiving responses: not exact
Jan 21 17:16:42 new-ns named[22056]: transfer of 'ufisa.no/IN' from 158.38.x.yy#53: failed while receiving responses: not exact

Downgrading BIND to 9.16.36 made this work, so this appears to be a new consistency check introduced with the newer version which isn't being done by 9.16.36.

Any idea what this new check consists of, and what I should hint to the OpenDNSSEC developers to fix?

I did a "dig axfr -y <whatever>" of one of the zones from the OpenDNSSEC host, and I found the TSIG record used to support the zone transfer embedded in the result (twice!), and when I fed the resulting file to named-checkzone, it didn't want to validate the zone before I removed the two TSIG records. This, however, may be unrelated; I do not know.

Best regards,

- Håvard

--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users