Security Incidents mailing list archives

Re: massive unapproved AXFR's and odd rcvd NOTIFY's


From: paul () XTDNET NL (Paul Wouters)
Date: Thu, 10 Feb 2000 00:04:46 +0100


I wrote that I saw a lot of:

Feb  9 08:35:59 duplo named[543]: unapproved AXFR from [216.0.52.138].1041 for "domainname.com" (acl)

Feb  9 08:36:00 duplo named[543]: rcvd NOTIFY(domainname.com, IN, SOA) from [216.0.52.138].1024

What was it again, never attribute to malice what can be adequately explained
by stupidity.
The ISP that runs our secondaries upgraded to a new machine, gave away the old
machine, without killing the hard drive contents, and now someone has
reconnected the server half a world away, and enabled the nameserver. I've
notified the SOA address and the postmaster of the client that took the machine
with him.

Feb  9 08:36:00 duplo named[543]: NOTIFY(SOA) from non-master server (zone domainname.com), from [216.0.52.138].1024

Note that 216.0.52.138 is not a master for ANY of the slave zones I run,
yet for some it seems to fake bind into thinking it is a master zone.

That was because for some of the zones I am still a slave, but some of the
zones, I'm no longer a slave, as the client who left and took the machine
took some, not all, domains with him.

Running named 8.2.2-P3

Though I did upgrade to P5 just in case :)

I was properly punished for not realising this before posting with roughly 8
or so Out of Office replies by our fellow members (and I guess I will get
another 8 for this posting as well). Thank you :)

Paul

PS. Anyone know how to recognise an Out of Office reply to an email to a list? I
noticed all of them removed special headers (e.g. Bulk:) and most butchered the
subject line. Grrrr :)
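
Added example, not part of the message above or of the original thread: a triage script for the three named log formats quoted in the message, flagging any host that is both refused AXFR and sends NOTIFY for zones it is not a configured master of, which is the signature of a stale nameserver like the one described. The `masters` mapping, the 192.0.2.53 and 198.51.100.1 addresses and example.org are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: first three lines follow the formats quoted in the message;
# the fourth (a legitimate master for example.org) is invented for contrast.
SAMPLE_LOG = """\
Feb  9 08:35:59 duplo named[543]: unapproved AXFR from [216.0.52.138].1041 for "domainname.com" (acl)
Feb  9 08:36:00 duplo named[543]: rcvd NOTIFY(domainname.com, IN, SOA) from [216.0.52.138].1024
Feb  9 08:36:00 duplo named[543]: NOTIFY(SOA) from non-master server (zone domainname.com), from [216.0.52.138].1024
Feb  9 08:40:12 duplo named[543]: rcvd NOTIFY(example.org, IN, SOA) from [192.0.2.53].1024
"""

IP = r"\[(?P<ip>[\d.]+)\]\.\d+"
PATTERNS = {
    # \s* tolerates the space lost when the log line was wrapped in mail
    "axfr_denied": re.compile(r'unapproved AXFR from ' + IP + r'\s*for\s*"(?P<zone>[^"]+)"'),
    "notify_rcvd": re.compile(r"rcvd NOTIFY\((?P<zone>[^,]+), IN, SOA\) from " + IP),
    "notify_nonmaster": re.compile(
        r"NOTIFY\(SOA\) from non-master server \(zone (?P<zone>[^)]+)\), from " + IP),
}

def triage(log_text, masters):
    """masters: zone -> set of master IPs this server slaves from (operator-supplied)."""
    report = defaultdict(lambda: {"axfr_denied": set(), "notify_unexpected": set()})
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            ip, zone = m["ip"], m["zone"].lower()
            if kind == "axfr_denied":
                report[ip]["axfr_denied"].add(zone)
            elif kind == "notify_nonmaster" or ip not in masters.get(zone, set()):
                # NOTIFY from a host that is not a listed master for that zone
                report[ip]["notify_unexpected"].add(zone)
    return dict(report)

def stale_peers(report):
    """Hosts that act as both would-be slave (AXFR) and would-be master (NOTIFY)."""
    return sorted(ip for ip, r in report.items()
                  if r["axfr_denied"] and r["notify_unexpected"])

if __name__ == "__main__":
    masters = {"domainname.com": {"198.51.100.1"}, "example.org": {"192.0.2.53"}}
    print(stale_peers(triage(SAMPLE_LOG, masters)))
```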

