John Griessen
2017-May-14 04:18 UTC
[nsd-users] using 4.1.14 on debian, I can't get AXFR to work to a secondary
I get error log messages like


[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone casageorge.com: max notify send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone cottagematic.com: max notify send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone labhw.com: max notify send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone cibolo.com: max notify send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone kitmatic.com: max notify send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone tankmatic.com: max notify send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:42:25.380] nsd[13764]: info: new control connection from 127.0.0.1
[2017-05-13 23:42:25.436] nsd[13764]: info: control cmd: reload
[2017-05-14 00:22:43.913] nsd[13789]: info: axfr for kitmatic.com. from 216.218.133.2 refused, no acl matches
[2017-05-14 00:35:55.638] nsd[13764]: info: new control connection from 127.0.0.1
[2017-05-14 00:35:55.692] nsd[13764]: info: control cmd: reload



on the master,
and on the slave:

[2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone griessen.com received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone ecosensory.com received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone cottagematic.com received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for cibolo.com. from 104.245.34.178 refused, no acl matches
[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for casitageorge.com. from 104.245.34.178 refused, no acl matches
[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for casageorge.com. from 104.245.34.178 refused, no acl matches
[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for 34.245.104.in-addr.arpa. from 104.245.34.178 refused, no acl matches
[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for 54.219.104.in-addr.arpa. from 104.245.34.178 refused, no acl matches
[2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone cibolo.com received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone casitageorge.com received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone casageorge.com received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone 34.245.104.in-addr.arpa received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone 54.219.104.in-addr.arpa received error code REFUSED from 104.245.34.178 at 53


Does this look familiar to anyone? have I got a mistake in nsd.conf?

The master works OK, looks good at https://intodns.com/ecosensory.com


==master nsd.conf=======================

# ns1.cibolo.us
# See the nsd.conf(5) man page.

server:
    port: 53
    server-count: 1
    ip-address: 104.219.54.106
    do-ip4: yes
    do-ip6: no
    verbosity: 2

    database: "/var/lib/nsd/nsd.db" # the database to use
    hide-version: yes # don't answer VERSION.BIND queries
    logfile: "/var/log/nsd.log"
    pidfile: "/run/nsd/nsd.pid"
    zonesdir: "/etc/nsd"
    tcp-query-count: 180 # queries served on a single TCP conn
    xfrdfile: "/var/lib/nsd/xfrd.state"
    nsid: "ascii_ns1.cibolo.us" # NSID identity (hex string, or "ascii_somestring").

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file: "/etc/nsd/nsd_server.key"
    server-cert-file: "/etc/nsd/nsd_server.pem"
    control-key-file: "/etc/nsd/nsd_control.key"
    control-cert-file: "/etc/nsd/nsd_control.pem"

key:
    name: "ns1-cibolo-us-key"
    algorithm: hmac-md5
    secret: "xxxxxXXXXXxxxxxXXXX"

pattern:
    name: "toslave"
    notify: 104.245.34.178 NOKEY
    provide-xfr: 104.245.34.178 NOKEY
    notify: 216.218.131.2 NOKEY
    provide-xfr: 216.218.131.2 NOKEY

zone:
    name: 54.219.104.in-addr.arpa
    zonefile: 54.219.104.in-addr.arpa
    include-pattern: "toslave"

==master nsd.conf=======================

==slave nsd.conf=======================
server:
    server-count: 1
    port: 53
    ip-address: 104.245.34.178
    do-ip4: yes
    do-ip6: no
    verbosity: 2

    database: "/var/lib/nsd/nsd.db" # the database to use
    hide-version: yes # don't answer VERSION.BIND queries
    logfile: "/var/log/nsd.log"
    pidfile: "/run/nsd/nsd.pid"
    zonesdir: "/etc/nsd"
    tcp-query-count: 180 # queries served on a single TCP connection.
    xfrdfile: "/var/lib/nsd/xfrd.state"
    nsid: "ascii_ns2.cibolo.us" # NSID identity (hex string, or "ascii_somestring").

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-cert-file: "/etc/nsd/nsd_server.pem"
    control-key-file: "/etc/nsd/nsd_control.key"
    control-cert-file: "/etc/nsd/nsd_control.pem"

key:
    name: "ns1-cibolo-us-key"
    algorithm: hmac-md5
    secret: "xxxXXXxxxXXX"


pattern:
    name: "frommaster"
    allow-notify: 104.245.34.178 NOKEY
    request-xfr: 104.245.34.178 NOKEY

zone:
    name: 54.219.104.in-addr.arpa
    zonefile: 54.219.104.in-addr.arpa
    include-pattern: "frommaster"

==slave nsd.conf=======================
--
John Griessen
Anand Buddhdev
2017-May-14 06:46 UTC
[nsd-users] using 4.1.14 on debian, I can't get AXFR to work to a secondary
Hi John,

In your slave's config, you have:

request-xfr: 104.245.34.178 NOKEY

You've configured the slave's own IP address there, instead of the
master's IP address (104.219.54.106).

Regards,
Anand Buddhdev

On 14/05/2017 06:18, John Griessen wrote:
> I get error log messages like
>
>
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone casageorge.com:
> max notify send count reached, 104.245.34.178 at 53 unreachable
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone
> cottagematic.com: max notify send count reached, 104.245.34.178 at 53
> unreachable
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone labhw.com: max
> notify send count reached, 104.245.34.178 at 53 unreachable
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone cibolo.com: max
> notify send count reached, 104.245.34.178 at 53 unreachable
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone kitmatic.com:
> max notify send count reached, 104.245.34.178 at 53 unreachable
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone tankmatic.com:
> max notify send count reached, 104.245.34.178 at 53 unreachable
> [2017-05-13 23:42:25.380] nsd[13764]: info: new control connection from
> 127.0.0.1
> [2017-05-13 23:42:25.436] nsd[13764]: info: control cmd: reload
> [2017-05-14 00:22:43.913] nsd[13789]: info: axfr for kitmatic.com. from
> 216.218.133.2 refused, no acl matches
> [2017-05-14 00:35:55.638] nsd[13764]: info: new control connection from
> 127.0.0.1
> [2017-05-14 00:35:55.692] nsd[13764]: info: control cmd: reload
>
>
>
> on the master,
> and on the slave:
>
> [2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone griessen.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone ecosensory.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone cottagematic.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for cibolo.com. from
> 104.245.34.178 refused, no acl matches
> [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for casitageorge.com.
> from 104.245.34.178 refused, no acl matches
> [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for casageorge.com.
> from 104.245.34.178 refused, no acl matches
> [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for
> 34.245.104.in-addr.arpa. from 104.245.34.178 refused, no acl matches
> [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for
> 54.219.104.in-addr.arpa. from 104.245.34.178 refused, no acl matches
> [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone cibolo.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone casitageorge.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone casageorge.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone
> 34.245.104.in-addr.arpa received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone
> 54.219.104.in-addr.arpa received error code REFUSED from 104.245.34.178 at 53
>
>
> Does this look familiar to anyone? have I got a mistake in nsd.conf?
>
> The master works OK, looks good at https://intodns.com/ecosensory.com
>
>
> ==master nsd.conf=======================
>
> # ns1.cibolo.us
> # See the nsd.conf(5) man page.
>
> server:
>     port: 53
>     server-count: 1
>     ip-address: 104.219.54.106
>     do-ip4: yes
>     do-ip6: no
>     verbosity: 2
>
>     database: "/var/lib/nsd/nsd.db" # the database to use
>     hide-version: yes # don't answer VERSION.BIND queries
>     logfile: "/var/log/nsd.log"
>     pidfile: "/run/nsd/nsd.pid"
>     zonesdir: "/etc/nsd"
>     tcp-query-count: 180 # queries served on a single TCP conn
>     xfrdfile: "/var/lib/nsd/xfrd.state"
>     nsid: "ascii_ns1.cibolo.us" # NSID identity (hex string, or
> "ascii_somestring").
>
> remote-control:
>     control-enable: yes
>     control-interface: 127.0.0.1
>     control-port: 8952
>     server-key-file: "/etc/nsd/nsd_server.key"
>     server-cert-file: "/etc/nsd/nsd_server.pem"
>     control-key-file: "/etc/nsd/nsd_control.key"
>     control-cert-file: "/etc/nsd/nsd_control.pem"
>
> key:
>     name: "ns1-cibolo-us-key"
>     algorithm: hmac-md5
>     secret: "xxxxxXXXXXxxxxxXXXX"
>
> pattern:
>     name: "toslave"
>     notify: 104.245.34.178 NOKEY
>     provide-xfr: 104.245.34.178 NOKEY
>     notify: 216.218.131.2 NOKEY
>     provide-xfr: 216.218.131.2 NOKEY
>
> zone:
>     name: 54.219.104.in-addr.arpa
>     zonefile: 54.219.104.in-addr.arpa
>     include-pattern: "toslave"
>
> ==master nsd.conf=======================
>
> ==slave nsd.conf=======================
> server:
>     server-count: 1
>     port: 53
>     ip-address: 104.245.34.178
>     do-ip4: yes
>     do-ip6: no
>     verbosity: 2
>
>     database: "/var/lib/nsd/nsd.db" # the database to use
>     hide-version: yes # don't answer VERSION.BIND queries
>     logfile: "/var/log/nsd.log"
>     pidfile: "/run/nsd/nsd.pid"
>     zonesdir: "/etc/nsd"
>     tcp-query-count: 180 # queries served on a single TCP connection.
>     xfrdfile: "/var/lib/nsd/xfrd.state"
>     nsid: "ascii_ns2.cibolo.us" # NSID identity (hex string, or
> "ascii_somestring").
>
> remote-control:
>     control-enable: yes
>     control-interface: 127.0.0.1
>     control-port: 8952
>     server-cert-file: "/etc/nsd/nsd_server.pem"
>     control-key-file: "/etc/nsd/nsd_control.key"
>     control-cert-file: "/etc/nsd/nsd_control.pem"
>
> key:
>     name: "ns1-cibolo-us-key"
>     algorithm: hmac-md5
>     secret: "xxxXXXxxxXXX"
>
>
> pattern:
>     name: "frommaster"
>     allow-notify: 104.245.34.178 NOKEY
>     request-xfr: 104.245.34.178 NOKEY
>
> zone:
>     name: 54.219.104.in-addr.arpa
>     zonefile: 54.219.104.in-addr.arpa
>     include-pattern: "frommaster"
>
> ==slave nsd.conf========================
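
Added example, not part of the original thread and not NSD code: a small Python lint for the mistake identified in the reply above, a transfer ACL that names the server's own ip-address. The function name lint_nsd_conf, the finding labels, and the allow-notify change in SLAVE_FIXED are assumptions of this example (the reply itself only names request-xfr); the sample configuration is reduced from the posted slave nsd.conf.

```python
# Added example: lint an nsd.conf for transfer ACLs that name the server itself.
PEER_OPTS = ("notify", "provide-xfr", "allow-notify", "request-xfr")

def lint_nsd_conf(text):
    """Return (line_no, option, issue) findings for an nsd.conf given as a string."""
    own_ips, peers = set(), []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments (simplified parsing)
        opt, sep, value = line.partition(":")    # first ':' ends the option name
        args = value.split()
        if not sep or not args:
            continue                             # section header or blank line
        opt = opt.strip()
        if opt == "ip-address":
            own_ips.add(args[0].split("@")[0])   # strip optional @port
        elif opt in PEER_OPTS:
            if args[0] in ("AXFR", "UDP"):       # request-xfr transport keyword
                args = args[1:]
            if len(args) >= 2:
                peers.append((line_no, opt, args[0].split("@")[0], args[1]))
    findings = []
    for line_no, opt, addr, key in peers:        # checked after the full pass, so
        if addr in own_ips:                      # section order does not matter
            findings.append((line_no, opt, "self-reference"))
        if key == "NOKEY":                       # ACL matches on source IP only
            findings.append((line_no, opt, "no-tsig"))
    return findings

# Secondary's settings as posted in the thread, reduced to the relevant lines.
SLAVE_AS_POSTED = """\
server:
    ip-address: 104.245.34.178
pattern:
    name: "frommaster"
    allow-notify: 104.245.34.178 NOKEY
    request-xfr: 104.245.34.178 NOKEY
"""
# Same pattern pointing at the master's address given in the reply
# (changing allow-notify as well is this example's assumption).
SLAVE_FIXED = SLAVE_AS_POSTED.replace(
    "allow-notify: 104.245.34.178", "allow-notify: 104.219.54.106").replace(
    "request-xfr: 104.245.34.178", "request-xfr: 104.219.54.106")

if __name__ == "__main__":
    for name, conf in (("as posted", SLAVE_AS_POSTED), ("fixed", SLAVE_FIXED)):
        print(name, lint_nsd_conf(conf))
```

The no-tsig findings remain after the address fix because both configurations use NOKEY, so the defined key is never applied to notify or transfer ACLs.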