[Pdns-users] Block AXFR on PipeBackend only
Marcin Deranek
marcin.deranek at booking.com
Mon Oct 14 06:53:55 UTC 2013
Hi Aki,
On Fri, 11 Oct 2013 21:01:02 +0300
Aki Tuomi <cmouse at youzen.ext.b2.fi> wrote:
> Are you actually using AXFR to something on pipebackend? If not, why
> not just send FAIL when you get one? I can't imagine this being
> performance issue as it's clearly identifiable. It's hardly worth the
> trouble you are going thru now.
No - I'm trying to actually disable AXFR on PipeBackend as it's not
needed/used.
The reason why initially I did not go with FAIL was because I thought
backend got cycled after failed zone transfer when FAIL was used:
pdns[6965]: TCP Connection Thread unable to answer a question because
of a backend error, cycling
(In fact all backend processes are intact after such failed transfer, so
I'm a bit confused here)
This seems to be only happening when something was already sent back to
the client (SOA which precedes AXFR). When END is used instead I did
not get that message, so that why I went with END instead.
Just noticed when I filter out SOA when remote_ip == '0.0.0.0' both END
and FAIL give identical results: transfer failure (nothing gets send
back to the client) and no cycle message, so most likely I with FAIL
instead.
Thanx,
Marcin
More information about the Pdns-users
mailing list