I have a problem with DNS IXFR/AXFR, that receives an answer in multiple packets. The situation is:

1- RFC1995 determines that IXFR can have an AXFR as a response;

2- RFC5936 says that AXFR can be sent over multiple responses.

So we have:

IXFR request -> Transaction ID 0x0001

First response -> Transaction ID 0x0001 (beginning with a SOA Type)

Following responses -> Transaction ID 0x0001 (until the end, ending with a SOA Type).

On responses from the 2nd to the last one, when clicking on the Transaction ID, Wireshark says:

Expert Info (Warning/Protocol): DNS response retransmission. Original response in frame 340

Is it normal? Is there anything wrong with the packets? Or is Wireshark not ready for multiple-response AXFR?

Can you share a capture with the packets at issue? Use a public share such as Google Drive, DropBox etc. and post a link to it back here.

grahamb ( 2021-03-11 14:02:29 +0000 )

Unfortunately I cannot share a pcap, but can share some dropbox link to pkt images.

You can see query, first response pkt and second pkt.

Let me know if you need more

I can add to these pngs that first and last response are SOA type.

m.lanzuisi ( 2021-03-11 16:15:36 +0000 )

As far as I can see WS has no support to handle multiple response records for one transaction ID so far. Can you open an issue at and attach a sample capture (not screenshots)?

Uli ( 2021-03-14 20:22:15 +0000 )

Issue 17293 opened.

grahamb ( 2021-03-15 15:47:31 +0000 )

Is the issue marked as confidential? I'm not able to see it...

Uli ( 2021-03-15 20:58:57 +0000 )
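The multi-message exchange described in the question, as an added example that is not part of any post in this thread and is not Wireshark's code: it labels each message of a DNS-over-TCP stream by counting SOA records per transaction ID, so that messages sharing an ID are treated as parts of one transfer until the closing SOA has been seen. It assumes an AXFR-style answer (first message opens with SOA, last one closes with SOA); the function names, the zone `example.test` and the sample stream are constructed for illustration.

```python
import struct

SOA, A, IXFR = 6, 1, 251
OWNER = b"\x07example\x04test\x00"      # constructed zone name, wire format

def skip_name(buf, off):
    """Offset just past a domain name; a compression pointer ends it."""
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] else 1)

def parse(msg):
    """Return (transaction ID, is_response, answer RR types) of one message."""
    txid, flags, qd, an = struct.unpack_from("!HHHH", msg)
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        types, off = types + [rtype], off + 10 + rdlen
    return txid, bool(flags & 0x8000), types

def classify(stream):
    """Label each message of a DNS-over-TCP stream (2-byte length prefixes)."""
    labels, soas, off = [], {}, 0
    while off < len(stream):
        (n,) = struct.unpack_from("!H", stream, off)
        txid, is_resp, types = parse(stream[off + 2:off + 2 + n])
        off, seen = off + 2 + n, soas.get(txid, 0)
        if not is_resp:
            soas[txid], label = 0, "query"       # new transaction, no SOA yet
        elif seen >= 2:                          # closing SOA already seen
            label = "retransmission"
        else:
            soas[txid] = seen + types.count(SOA)
            label = ("transfer-end" if soas[txid] >= 2 else
                     "transfer-start" if seen == 0 else "transfer-continuation")
        labels.append(label)
    return labels

def build(txid, resp, rtypes, qtype=0):
    """Constructed sample message (empty RDATA) with its TCP length prefix."""
    q = OWNER + struct.pack("!HH", qtype, 1) if qtype else b""
    rrs = b"".join(OWNER + struct.pack("!HHIH", t, 1, 300, 0) for t in rtypes)
    hdr = struct.pack("!6H", txid, 0x8400 if resp else 0, 1 if q else 0, len(rtypes), 0, 0)
    return struct.pack("!H", len(hdr + q + rrs)) + hdr + q + rrs

SAMPLE = (build(1, False, [], IXFR) + build(1, True, [SOA, A, A], IXFR)
          + build(1, True, [A, A]) + build(1, True, [A, SOA]) + build(1, True, [A, SOA]))
```

`classify(SAMPLE)` labels the three messages of the transfer as start, continuation and end, and only the fifth message, which arrives after the closing SOA, as a retransmission.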