Poison in AXFR transport from Windows Server DNS

Hi,

more primary DNS servers. There's no problem using it with a BIND primary
server. However, AXFR transfers from primary Windows Server 200(3|8) DNS
servers include poison A entries like:

; NSD version 2.3.7
; zone 'domain.tld.' first transfer
; from 1.2.3.4 using AXFR at Fri Nov 12 17:18:53 2010
; NOT TSIG verified
$ORIGIN tld.
domain 3600 IN SOA ns.windows.tld.
hostmaster.domain.tld. ( 73 900 600 86400 3600 )
        3600 IN NS ns.windows.tld.
        3600 IN NS ns2.nsd.tld.

...

$ORIGIN windows.tld.
ns 3600 IN A 1.2.3.4
$ORIGIN nsd.tld.
ns2 3600 IN A 10.20.30.40
$ORIGIN domain.tld.

Those A entries in the transferred data cause a compile error in zonec.
Both (zonec and nsd-xfer) are called by nsdc.

Is there any solution to discard this poison entry on transfer?

Hi Richard,

I would guess that there would be an option on Microsoft DNS to not
inject those lines into the zone transfer, but if there is not, then
you can try to run it from cron using a script like this:

#!/bin/bash
set -e
ZONE="zone"                      # zone to transfer from the Windows primary
ZONEFILE="/path/to/zonefile"     # where the cleaned zone is written
TMPFILE1=$(mktemp zone.XXXXXX)
dig IN AXFR @windows_primary "$ZONE" > "$TMPFILE1"
TMPFILE2=$(mktemp zone.XXXXXX)
# drop the offending lines (adapt the pattern to the poison records)
< "$TMPFILE1" grep -v "remove_the_poison" > "$TMPFILE2"
cp "$TMPFILE2" "$ZONEFILE"
rndc reload    # rndc is BIND's control tool; on NSD the equivalent is nsdc reload
# temp files are retained if something goes wrong (set -e aborts before rm)
rm -f "$TMPFILE1" "$TMPFILE2"

Ondrej

Hi Ondrej,

I tried to find this option without success. So I created a small script
called nsd-xfer-eve (located behind nsd-xfer):

<script>
#!/bin/bash

## Run nsd-xfer in the standard way, passing all arguments through untouched
/usr/sbin/nsd-xfer "$@"
# Remember the exit status
EXIT_STATUS=$?

## Now extract the zone name (-z) and the transfer file (-f) from the arguments
ZONE=$(echo "$@" | sed 's/.*-z[ ]*// ; s/[ ].*//')
AXFR_FILE=$(echo "$@" | sed 's/.*-f[ ]*// ; s/[ ].*//')

# nsd-xfer returned 3: nothing to check, pass the status on
if [[ "$EXIT_STATUS" == "3" ]]
then
  echo "$ZONE"
  exit $EXIT_STATUS
fi

# No transfer file written: nothing to clean
if [ ! -f "$AXFR_FILE" ]
then
  exit $EXIT_STATUS
fi

# Keep the raw transfer under a .2ck name and rebuild the file without
# the records that live outside the zone
mv "$AXFR_FILE" "$AXFR_FILE.2ck"
: > "$AXFR_FILE"
POISON=0

# Walk the transferred file line by line: a $ORIGIN that is not part of
# the zone name switches POISON on until the next in-zone $ORIGIN
while IFS= read -r LINE
do
  if [[ "$LINE" == *\$ORIGIN* ]]
  then
    ORIGIN=${LINE#\$ORIGIN }
    if [[ "$ZONE." == *"$ORIGIN"* ]]
    then
      echo "$LINE" >> "$AXFR_FILE"
      POISON=0
    else
      POISON=1
    fi
  else
    if (( POISON == 0 ))
    then
      echo "$LINE" >> "$AXFR_FILE"
    fi
  fi
done < "$AXFR_FILE.2ck"

# CleanUp
rm "$AXFR_FILE.2ck"

exit $EXIT_STATUS
</script>

On Debian, nsdc uses the config file /etc/default/nsd. So I changed the
"nsdxfer" option to this script. Now nsdc calls the nsd-xfer-eve script
as its xfer, which does the POISON zone check and removal after the AXFR transfer.
It's not the best solution and the script is not written in the best way. But
for now it's fast and works.
Maybe it inspires you to do this inside nsdc.
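As an added example (not code from this thread, from NSD, BIND or Microsoft DNS), the filter below takes the idea in both replies one step further. Ondrej's grep needs a hand-written pattern, and the nsd-xfer-eve loop decides per $ORIGIN by substring match, so a legitimate `$ORIGIN sub.domain.tld.` would be thrown away and an out-of-zone record written relative to a parent origin (`$ORIGIN tld.` followed by `other 3600 IN A ...`) would be kept. Instead, this script rebuilds each record's fully qualified owner name from the current $ORIGIN, blank-owner continuation lines and parenthesised multi-line RDATA, and keeps a record only when that owner is the zone apex or a name below it. The sample dump, the zone name and all addresses are constructed for the demonstration; the file and zone arguments of the `main` block are assumptions about how you would call it from a wrapper like nsd-xfer-eve.

```python
"""Drop out-of-zone records from an nsd-xfer style AXFR dump before zonec sees it.

Added example for this thread, not code from NSD or the reporters' scripts.
"""
import sys

# Constructed example zone; nothing here refers to a real network.
ZONE = "domain.tld."

# Constructed AXFR dump in the layout nsd-xfer writes: the apex is written
# relative to the parent origin, the glue for the Windows primary arrives
# under foreign origins, and a real sub-zone origin is included to show it
# must survive the filter.
SAMPLE_AXFR = """\
; NSD version 2.3.7
; zone 'domain.tld.' first transfer
$ORIGIN tld.
domain 3600 IN SOA ns.windows.tld. hostmaster.domain.tld. (
        73 900 600 86400 3600 )
        3600 IN NS ns.windows.tld.
        3600 IN NS ns2.nsd.tld.
$ORIGIN windows.tld.
ns 3600 IN A 1.2.3.4
$ORIGIN nsd.tld.
ns2 3600 IN A 10.20.30.40
$ORIGIN domain.tld.
www 3600 IN A 192.0.2.10
$ORIGIN sub.domain.tld.
host 3600 IN A 192.0.2.11
"""


def in_zone(owner, zone):
    """True when OWNER equals ZONE or is a name below it (case-insensitive)."""
    o = owner.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return o == z or o.endswith("." + z)


def qualify(owner, origin):
    """Turn a relative owner name into a fully qualified one using ORIGIN."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return owner + "." + origin


def strip_out_of_zone(text, zone=ZONE):
    """Return (filtered_text, dropped_lines) for a master-file formatted dump."""
    kept, dropped = [], []
    origin = zone if zone.endswith(".") else zone + "."
    pending_origin = None   # $ORIGIN line not yet written to the output
    last_owner = origin     # owner inherited by lines that start with whitespace
    keep_current = True
    depth = 0               # open-parenthesis depth of the current record

    for line in text.splitlines():
        if depth > 0:
            # Continuation of a parenthesised record: same verdict as its first line.
            (kept if keep_current else dropped).append(line)
            depth += line.count("(") - line.count(")")
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            kept.append(line)
            continue
        if stripped.startswith("$ORIGIN"):
            origin = stripped.split()[1]
            pending_origin = line   # emitted only if a record under it survives
            continue
        if stripped.startswith("$"):    # $TTL, $INCLUDE and friends
            kept.append(line)
            continue
        if line[0] in " \t":
            owner = last_owner          # blank owner field: previous record's owner
        else:
            owner = qualify(stripped.split()[0], origin)
            last_owner = owner
        keep_current = in_zone(owner, zone)
        if keep_current:
            if pending_origin is not None:
                kept.append(pending_origin)
                pending_origin = None
            kept.append(line)
        else:
            dropped.append(line)
        # Parentheses inside TXT strings or comments would confuse this count;
        # nsd-xfer output as shown in the thread contains none.
        depth += line.count("(") - line.count(")")
    return "\n".join(kept) + "\n", dropped


if __name__ == "__main__":
    # Assumed usage: strip_out_of_zone.py [transfer_file] [zone]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    zone = sys.argv[2] if len(sys.argv) > 2 else ZONE
    text = open(path).read() if path else SAMPLE_AXFR
    filtered, dropped = strip_out_of_zone(text, zone)
    for entry in dropped:
        print("dropped out-of-zone record: " + entry, file=sys.stderr)
    sys.stdout.write(filtered)
```

Run without arguments it filters the constructed sample and reports the two glue records on stderr; with a file and zone name it does the same for a real transfer file, so it can replace the loop in nsd-xfer-eve between the `mv` and the `rm`. Dropping a `$ORIGIN` directive until a surviving record needs it keeps the output free of origins that only introduced foreign records.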