In article ,
Christian Smith wrote:

> In article ,
> Barry Margolin wrote:
>
> > > Because of this, there needs to be an explicit hole punched in the
> > > firewall at the master server to allow outgoing connections in the
> > > 1024-65535 range. And, at the slave end there needs to be a matching
> > > hole to allow incoming connections to those ports (sourced from port
> > > 53).

> >
> > This is totally wrong. The DNS protocol contains no mechanism like this.

>
> Then explain the difference. DIG works and can transfer the zone using
> AXFR, but actual transfers initiated by a BIND slave fail. I've seen
> this time and again and the problem is always with the firewall rules.
>
> What is different between the way DIG handles the transfer and how BIND
> handles it?


I don't know, but I know it's not what you said. To diagnose the
problem, I'd run a sniffer to see what the slave was sending.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***