Bind9 rpz transfer not work

Configured a BIND9 slave zone of the IPFire RPZ, but the zone does not download (no cache file is saved).

Other slave zone transfers are OK, so there should be no problem with permissions.

//example

zone "ads.rpz.ipfire.org" in { file "ads.rpz.ipfire.org.cache"; type slave; masters { 81.3.27.55; }; ixfr-from-differences yes; };

// log (zone name stripped to ads.xxx because new users are not allowed to post 2 links)

2026-04-13T00:55:53.351239+07:00 runes named[2183944]: zone ads.xxx/IN: Transfer started.
2026-04-13T00:55:53.544006+07:00 runes named[2183944]: transfer of 'ads.xxx/IN' from 81.3.27.55#53: connected using 81.3.27.55#53
2026-04-13T00:55:54.526570+07:00 runes named[2183944]: transfer of 'ads.xxx/IN' from 81.3.27.55#53: failed while receiving responses: end of file
2026-04-13T00:55:54.526795+07:00 runes named[2183944]: transfer of 'ads.xxx/IN' from 81.3.27.55#53: Transfer status: end of file
2026-04-13T00:55:54.526926+07:00 runes named[2183944]: transfer of 'ads.xxx IN' from 81.3.27.55#53: Transfer completed: 8 messages, 3747 records, 131262 bytes, 0.982 secs (133668 bytes/sec) (serial 1775984405)

Hello Densin,

this looks like the connection is just being interrupted, or that BIND has downloaded some data that it cannot understand. I have not personally tested BIND myself, but I don’t see any reason why IPFire DBL should not work in it.

What you can do as a test from the same machine is to run a manual zone transfer like so:

dig @xfr.dbl.ipfire.org ads.rpz.ipfire.org AXFR

That should show you the entire zone and at least confirm that there is not a connectivity problem.

... long output ...

fine.bursthealth.com.au.ads.rpz.ipfire.org. 60 IN CNAME .
*.fine.bursthealth.com.au.ads.rpz.ipfire.org. 60 IN CNAME .
;; communications error to 81.3.27.55#53: end of file
;; no servers could be reached

Tested from two servers in different datacenters, same output.

This seems to be running just fine for me:

...
*.adservice.google.co.zw.ads.rpz.ipfire.org. 60 IN CNAME .
stbg.stanbicbank.co.zw.ads.rpz.ipfire.org. 60 IN CNAME .
*.stbg.stanbicbank.co.zw.ads.rpz.ipfire.org. 60 IN CNAME .
ads.rpz.ipfire.org.     60      IN      SOA     primary.dbl.ipfire.org. hostmaster.ipfire.org. 1776081003 3600 600 3600000 60
;; Query time: 2296 msec
;; SERVER: 81.3.27.55#53(81.3.27.55)
;; WHEN: Mon Apr 13 16:52:16 BST 2026
;; XFR size: 281840 records (messages 645, bytes 10581144)

You might have a middleware on your network that thinks a DNS TCP connection is only allowed to send a couple of bytes before it gets cut off?

Alternatively you can fetch the zone using TLS over port 853 on the same server, but Unbound does not support this, yet.
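As an added example, not code from this thread or from the IPFire or BIND projects: a small Python checker that flags transfers whose "Transfer status" in the named log is not success (note that BIND still logs "Transfer completed" with a serial after an "end of file" failure, as the log above shows), and that decides whether a saved `dig ... AXFR` capture ended the way the complete run above did (closing SOA plus ";; XFR size" summary) rather than with a communications error. The sample log and dig lines are constructed to match the shapes quoted in this thread; the example.test zone and 192.0.2.1 master are made up.

```python
import re

# Constructed sample lines (not real captures) in the shape of the named log and dig output in this thread.
NAMED_LOG = """\
2026-04-13T00:55:53 runes named[2183944]: zone ads.rpz.ipfire.org/IN: Transfer started.
2026-04-13T00:55:54 runes named[2183944]: transfer of 'ads.rpz.ipfire.org/IN' from 81.3.27.55#53: failed while receiving responses: end of file
2026-04-13T00:55:54 runes named[2183944]: transfer of 'ads.rpz.ipfire.org/IN' from 81.3.27.55#53: Transfer status: end of file
2026-04-13T00:55:54 runes named[2183944]: transfer of 'ads.rpz.ipfire.org/IN' from 81.3.27.55#53: Transfer completed: 8 messages, 3747 records, 131262 bytes, 0.982 secs (133668 bytes/sec) (serial 1775984405)
2026-04-13T00:56:00 runes named[2183944]: transfer of 'example.test/IN' from 192.0.2.1#53: Transfer status: success
"""
TRUNCATED_AXFR = """\
fine.bursthealth.com.au.ads.rpz.ipfire.org. 60 IN CNAME .
*.fine.bursthealth.com.au.ads.rpz.ipfire.org. 60 IN CNAME .
;; communications error to 81.3.27.55#53: end of file
;; no servers could be reached
"""
COMPLETE_AXFR = """\
*.stbg.stanbicbank.co.zw.ads.rpz.ipfire.org. 60 IN CNAME .
ads.rpz.ipfire.org.     60      IN      SOA     primary.dbl.ipfire.org. hostmaster.ipfire.org. 1776081003 3600 600 3600000 60
;; Query time: 2296 msec
;; SERVER: 81.3.27.55#53(81.3.27.55)
;; XFR size: 281840 records (messages 645, bytes 10581144)
"""

STATUS_RE = re.compile(r"transfer of '(?P<zone>[^']+)' from (?P<master>\S+): Transfer status: (?P<status>.+)$")


def transfer_failures(log_text):
    """Map zone -> final status for every transfer whose 'Transfer status' is not 'success'.
    A 'Transfer completed' line can follow a failed status, so key on the status line, not on 'completed'."""
    failures = {}
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if m and m.group("status").strip() != "success":
            failures[m.group("zone")] = m.group("status").strip()
    return failures


def axfr_complete(dig_output, zone):
    """True only if the dig AXFR capture ends as a full transfer does: no communications error,
    the zone's closing SOA as the last record, and an ';; XFR size' summary line."""
    lines = [l.strip() for l in dig_output.splitlines() if l.strip()]
    if any(l.startswith((";; communications error", ";; no servers")) for l in lines):
        return False
    records = [l for l in lines if not l.startswith(";")]
    if not records:
        return False
    last = records[-1].split()
    closing_soa = len(last) >= 4 and last[0] == zone + "." and last[3] == "SOA"
    return closing_soa and any(l.startswith(";; XFR size:") for l in lines)
```

A transfer that is cut off mid-stream by a middlebox shows up as a non-success status here even though the serial was logged, which is the case to alert on for an RPZ feed.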