I'm trying to set up NSD as the main DNS server for my domain and my virtual
users' domains. The master (192.168.2.205) is a BIND server on a local
network protected from the 'Net -- the NSD zones are all slaves. The server
I'm working on is at 192.168.2.202.
I'm seeing what seem to be contradictions in the books I have, on the
'Net, and the man page. I'm told by most of them that
"allow-notify" and "request-xfer" should be the same IP:
that of the master. But when that's what I set, 'nsdc update' throws
an error saying "allow-notify" isn't set to 127.0.0.1, and several
'Net sites agree. When I set that, nobody complains, but as best I can tell,
no zones are transferred. Since the majority (including Evi Nemeth and the man
page) votes for the IP of the master, I suspect I'm misunderstanding
something.
Here's my config (just making changes to the sample so far):
> root@server:/etc/nsd3# cat nsd.conf
> # 2013-07-05
> #
> # nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
> #
> # Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
> #
> # See LICENSE for the license.
> #
>
> # options for the nsd server
> server:
> # uncomment to specify specific interfaces to bind (default wildcard interface).
> # ip-address: 1.2.3.4
> # ip-address: 1.2.3.4@5678
> # ip-address: 12fe::8ef0
>
> # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
> # hide-version: no
> hide-version: yes
>
> # enable debug mode, does not fork daemon process into the background.
> # debug-mode: no
>
> # listen only on IPv4 connections
> # ip4-only: no
> ip4-only: yes
>
> # listen only on IPv6 connections
> # ip6-only: no
>
> # the database to use
> # database: "/var/lib/nsd3/nsd.db"
> database: "/var/cache/dns/nsd.db"
>
> # identify the server (CH TXT ID.SERVER entry).
> # identity: "unidentified server"
> identity: ""
>
> # NSID identity (hex string). default disabled.
> # nsid: "aabbccdd"
>
> # log messages to file. Default to stderr and syslog (with facility LOG_DAEMON).
> # logfile: "/var/log/nsd.log"
>
> # Number of NSD servers to fork.
> # server-count: 1
> server-count: 4
>
> # Maximum number of concurrent TCP connections per server.
> # This option should have a value below 1000.
> # tcp-count: 10
>
> # Maximum number of queries served on a single TCP connection.
> # By default 0, which means no maximum.
> # tcp-query-count: 0
> tcp-query-count: 5
>
> # Override the default (120 seconds) TCP timeout.
> # tcp-timeout: 120
>
> # Preferred EDNS buffer size for IPv4.
> # ipv4-edns-size: 4096
> ipv4-edns-size: 256
>
> # Preferred EDNS buffer size for IPv6.
> # ipv6-edns-size: 4096
>
> # File to store pid for nsd in.
> # pidfile: "/var/run/nsd3/nsd.pid"
> pidfile: "/var/run/nsd3/nsd.pid"
>
> # port to answer queries on. default is 53.
> # port: 53
>
> # statistics are produced every number of seconds.
> # statistics: 3600
>
> # if per zone statistics is enabled, file to store statistics.
> # zone-stats-file: "/var/log/nsd.stats"
>
> # Run NSD in a chroot-jail.
> # make sure to have pidfile and database reachable from there.
> # by default, no chroot-jail is used.
> # chroot: "/etc/nsd3"
>
> # After binding socket, drop user privileges.
> # can be a username, id or id.gid.
> # username: nsd
> username: nsd
>
> # The directory for zonefile: files.
> # zonesdir: "/etc/nsd3"
> zonesdir: "/var/cache/dns/slaves"
>
> # The file where incoming zone transfers are stored.
> # run nsd-patch to update zone files, then you can safely delete it.
> # difffile: "/var/lib/nsd3/ixfr.db"
> difffile: "/var/cache/dns/ixfr.db"
>
> # The file where secondary zone refresh and expire timeouts are kept.
> # If you delete this file, all secondary zones are forced to be
> # 'refreshing' (as if nsd got a notify).
> # xfrdfile: "/var/lib/nsd3/xfrd.state"
> xfrdfile: "/var/cache/dns/xfrd.state"
>
> # Number of seconds between reloads triggered by xfrd.
> # xfrd-reload-timeout: 10
>
> # Verbosity level.
> # verbosity: 0
>
> # RRLconfig
> # Response Rate Limiting, size of the hashtable. Default 1000000.
> # rrl-size: 1000000
>
> # Response Rate Limiting, maximum QPS allowed (from one query source).
> # Default 200. If set to 0, ratelimiting is disabled. Also set
> # rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
> # rrl-ratelimit: 200
>
> # Response Rate Limiting, maximum QPS allowed (from one query source)
> # for whitelisted types. Default 2000.
> # rrl-whitelist-ratelimit: 2000
> # RRLend
>
> # key for local zones
> key:
> name: mskey
> algorithm: hmac-md5
> secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
>
> # Slave zones
>
> zone:
> name: "aerco.net"
> zonefile: "db.aerco.net"
> include: "/etc/nsd3/zoneInclude.txt"
and the include file of everything that's the same in all the zones:
> root@server:/etc/nsd3# cat zoneInclude.txt
>
> # By default, a slave will request a zone transfer with IXFR/TCP.
> # If you want to make use of IXFR/UDP use
> allow-notify: 127.0.0.1 NOKEY
> request-xfr: 192.168.2.205 NOKEY
>
> # Allow AXFR fallback if the master does not support IXFR. Default
> # is yes.
> allow-axfr-fallback: "yes"
>
> # set local interface for sending zone transfer requests.
> outgoing-interface: 192.168.2.202
Just one of the zones is here -- all the others are identical except for the
names. The zone files are BIND syntax, and the server is serving DNS quite
nicely when I transfer by hand (or rsync), rebuild the database, and reload.
Can someone tell me what I'm doing wrong, and why it's wrong? Is there a
book yet explaining how NSD works and what the various config options mean?
BTW, 'nsdc restart' just stops NSD. So does Debian's /etc/init.d/nsd
startup file. I've looked at the code, and they aren't the same. A
'nsdc stop' followed by 'nsdc start' does the job.
And there is no log file.
--
Glenn English
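As an added check (not part of the post, and not NSD's own tooling): a small Python lint that parses zone: stanzas laid out the way the post's config is, and reports zones whose allow-notify does not list the request-xfr master (the arrangement the man page and Nemeth recommend), plus any peer configured with NOKEY, i.e. notifies and transfers accepted or requested without a TSIG key. The sample config below is constructed; the second zone and its IPs are hypothetical, and include: lines are assumed to have been pasted inline.

```python
# Constructed sample in nsd.conf syntax, modelled on the stanzas in the post
# (the include file is assumed pasted inline; include: lines are not followed).
SAMPLE_CONF = """\
zone:
    name: "aerco.net"
    allow-notify: 127.0.0.1 NOKEY
    request-xfr: 192.168.2.205 NOKEY

zone:
    name: "example.test"
    allow-notify: 192.168.2.205 mskey
    request-xfr: 192.168.2.205 mskey
"""

def parse_zones(text):
    """Collect zone: stanzas as dicts; repeated attributes become lists."""
    zones, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.endswith(":") and " " not in line:   # stanza header
            current = {} if line == "zone:" else None
            if current is not None:
                zones.append(current)
            continue
        if current is None:                          # inside server:/key:
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip().strip('"'))
    return zones

def lint_zone(zone):
    """Findings for one slave zone: notify source vs master, and unkeyed xfr."""
    findings = []
    masters = [v.split()[0] for v in zone.get("request-xfr", [])]
    notifiers = [v.split()[0] for v in zone.get("allow-notify", [])]
    findings += [f"allow-notify does not include master {m}"
                 for m in masters if m not in notifiers]
    for opt in ("allow-notify", "request-xfr"):
        for v in zone.get(opt, []):
            host, *key = v.split()
            if not key or key[0] == "NOKEY":         # no TSIG key on this peer
                findings.append(f"{opt} {host} is unauthenticated (NOKEY)")
    return findings

def lint(text):
    return {z["name"][0]: lint_zone(z) for z in parse_zones(text)}
```

Run `lint(open("/etc/nsd3/nsd.conf").read())` against a config with the include contents pasted in; a zone with no findings has its master in allow-notify and a TSIG key on both directions.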