In article ,
Christian Smith wrote:

> In article ,
> Mark Jeftovic wrote:
> > What is the difference between doing an AXFR or IXFR from the command
> > line using dig, and then having bind9 timeout on the refresh when it
> > tries to do it in production?

> My understanding is thus:
> The difference is that when the slave BIND server issues the AXFR or
> IXFR, it then closes the connection instead of leaving the connection
> open and waiting for a response (which is what happens with dig).

This makes no sense. How would it get the data it's trying to transfer
if it closed the connection?

> Because of this, there needs to be an explicit hole punched in the
> firewall at the master server to allow outgoing connections in the
> 1024-65535 range. And, at the slave end there needs to be a matching
> hole to allow incoming connections to those ports (sourced from port
> 53).

This is totally wrong. The DNS protocol contains no mechanism like this.

Barry Margolin,
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
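As an added example that is not part of this thread (my own code, not BIND's; the master address and zone name are placeholders to substitute), here is a minimal AXFR/IXFR client in Python that does what `dig @master zone AXFR` does, so the slave-side check can be scripted. It shows that a zone transfer is an ordinary DNS query carried on a single TCP connection that the slave opens from an ephemeral local port to port 53 on the master; the master never opens a connection back, so the only firewall rule a transfer needs is slave -> master:53/tcp.

```python
import socket
import struct

QTYPE_IXFR = 251
QTYPE_AXFR = 252
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Encode a domain name in DNS wire format (length-prefixed labels, zero terminator)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_xfr_query(zone, qtype=QTYPE_AXFR, txid=0x1234):
    """AXFR/IXFR is a normal DNS query; over TCP it carries a 2-byte length prefix (RFC 1035 4.2.2)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags clear, QDCOUNT=1
    question = encode_name(zone) + struct.pack("!HH", qtype, QCLASS_IN)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg

def split_tcp_frames(data):
    """Split a TCP byte stream into complete DNS messages; an incomplete tail is dropped."""
    frames = []
    while len(data) >= 2:
        (n,) = struct.unpack("!H", data[:2])
        if len(data) < 2 + n:
            break
        frames.append(data[2:2 + n])
        data = data[2 + n:]
    return frames

def parse_header(msg):
    """Return the fields a transfer check cares about: transaction ID, RCODE, record counts."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": txid, "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "qdcount": qd, "ancount": an}

def check_transfer(master, zone, qtype=QTYPE_AXFR, timeout=10):
    """One slave-initiated TCP connection to master:53 carries the whole transfer."""
    buf = b""
    with socket.create_connection((master, 53), timeout=timeout) as s:
        s.sendall(build_xfr_query(zone, qtype))
        try:
            while chunk := s.recv(65535):  # read until the master closes the connection
                buf += chunk
        except socket.timeout:
            pass  # master kept the connection open after the transfer; treat stream as complete
    return [parse_header(m) for m in split_tcp_frames(buf)]
```

Run `check_transfer("192.0.2.1", "example.com")` from the slave host with your own master and zone: a connection timeout means the path to TCP 53 is blocked, whereas a reply whose first header has rcode REFUSED means the master answered but its transfer ACL does not include the slave.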