Symptoms

If DNS Express sends an IXFR query to a DNS server, and that server responds with an IXFR update that is larger than one DNS message, DNS Express processes only the first message. DNS Express then updates the SOA serial number to match that of the IXFR, marks the IXFR as successful and the Zone as 'Green'. There is no indication that the IXFR was incomplete. DNS Express might then have, and might serve, incorrect data for that Zone.

Impact

This might result in incomplete or otherwise inaccurate Zone data, which DNS Express will serve.

Conditions

An IXFR response from a DNS server spans multiple DNS messages. Note: This is not a common condition, but it is possible.

Workaround

Note: Although this does have a workaround, there is no way for you to determine that the Zone is complete other than to query the entire zone and compare it to the zone from the master DNS server. To workaround this issue: 1. Stop zxfrd. 2. Remove the database /var/db/zxfrd.bin. 3. Restart zxfrd. This triggers a full transfer (AXFR) of the zone, as well as all the other zones.

Fix Information

The system now continues the processing of DNS messages until the closing SOA RR is encountered.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips