Problems with DNS IXFR/AXFR

asked 2021-03-10 15:44:59 +0000

m.lanzuisi

updated 2021-03-10 15:47:05 +0000

I have a problem with a DNS IXFR/AXFR that receives an answer in multiple packets. The situation is:

1- RFC1995 determines that IXFR can have an AXFR as a response;

2- RFC5936 says that AXFR can be sent over multiple responses.

So we have:

IXFR request -> Transaction ID 0x0001

First response -> Transaction ID 0x0001 (beginning with a SOA Type)

Following responses -> Transaction ID 0x0001 (until the end, ending with a SOA Type).

On the responses from the 2nd to the last one, when clicking on the Transaction ID, Wireshark says:

Expert Info (Warning/Protocol): DNS response retransmission. Original response in frame 340

Is this normal? Is there anything wrong with the packets? Or is Wireshark not ready for multiple-response AXFR?



Can you share a capture with the packets at issue? Use a public share such as Google Drive, Dropbox etc. and post a link to it back here.

grahamb ( 2021-03-11 14:02:29 +0000 )

Unfortunately I cannot share a pcap, but I can share some Dropbox links to packet images.

You can see the query, the first response packet and the second packet.

Let me know if you need more.

I can add to these PNGs that the first and last responses are SOA type.

m.lanzuisi ( 2021-03-11 16:15:36 +0000 )

As far as I can see WS has no support to handle multiple response records for one transaction ID so far. Can you open an issue at and attach a sample capture (not screenshots)?

Uli ( 2021-03-14 20:22:15 +0000 )

Issue 17293 opened.

grahamb ( 2021-03-15 15:47:31 +0000 )

Is the issue marked as confidential? I'm not able to see it...

Uli ( 2021-03-15 20:58:57 +0000 )
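The multi-message exchange described in the question, as an added example that is not part of the thread and is not Wireshark's dissector code: it labels each response to one query, treating same-ID messages as continuations of a zone transfer until the closing SOA and as retransmissions only after that. It assumes an AXFR-style response (SOA first and last, as in the question) seen in order on one TCP connection; `parse`, `classify`, `message` and the `example.com` sample data are constructed for illustration.

```python
import struct
SOA, A, IXFR, AXFR = 6, 1, 251, 252        # RR / query type codes
NAME = b"\x07example\x03com\x00"           # constructed owner name: example.com

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:               # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:                         # root label ends the name
            return off

def parse(msg):
    """Return (transaction ID, question type or None, answer RR types)."""
    txid, _flags, qd, an = struct.unpack_from("!HHHH", msg, 0)
    off, qtype, types = 12, None, []
    for _ in range(qd):                    # later transfer messages may omit the question
        off = skip_name(msg, off)
        qtype = struct.unpack_from("!H", msg, off)[0]
        off += 4                           # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        types.append(rtype)
        off += 10 + rdlen
    return txid, qtype, types

def classify(query, responses):
    """Label each response to `query`, in capture order."""
    qid, qtype, _ = parse(query)
    is_xfr, msgs, rrs, done, labels = qtype in (IXFR, AXFR), 0, 0, False, []
    for msg in responses:
        txid, _q, types = parse(msg)
        if txid != qid:
            labels.append("other-transaction")
        elif done:                         # same ID after the answer was already complete
            labels.append("retransmission")
        else:
            msgs, rrs = msgs + 1, rrs + len(types)
            done = not is_xfr or (rrs > 1 and types[-1:] == [SOA])  # closing SOA ends it
            labels.append("first-response" if msgs == 1 else "xfr-end" if done else "xfr-continue")
    return labels

def message(txid, rtypes, qtype=None, flags=0x8400):   # constructed, placeholder RDATA
    q = NAME + struct.pack("!HH", qtype, 1) if qtype else b""
    rrs = b"".join(NAME + struct.pack("!HHIH", t, 1, 300, 4) + bytes(4) for t in rtypes)
    return struct.pack("!HHHHHH", txid, flags, 1 if q else 0, len(rtypes), 0, 0) + q + rrs
```

A single-SOA first message is treated here as the start of a transfer; telling it apart from an "up to date" IXFR reply needs the query's serial, which this example does not parse.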