John Griessen
2017-May-14 04:18 UTC
[nsd-users] using 4.1.14 on debian, I can't get AXFR to work to a secondary
I get error log messages like
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone casageorge.com: max
notify send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone cottagematic.com: max
notify send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone labhw.com: max notify
send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone cibolo.com: max notify
send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone kitmatic.com: max notify
send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone tankmatic.com: max
notify send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:42:25.380] nsd[13764]: info: new control connection from
127.0.0.1
[2017-05-13 23:42:25.436] nsd[13764]: info: control cmd: reload
[2017-05-14 00:22:43.913] nsd[13789]: info: axfr for kitmatic.com. from
216.218.133.2 refused, no acl matches
[2017-05-14 00:35:55.638] nsd[13764]: info: new control connection from
127.0.0.1
[2017-05-14 00:35:55.692] nsd[13764]: info: control cmd: reload
on the master,
and on the slave:
[2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone griessen.com received
error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone ecosensory.com received
error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone cottagematic.com
received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for cibolo.com. from
104.245.34.178 refused, no acl matches
[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for casitageorge.com. from
104.245.34.178 refused, no acl matches
[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for casageorge.com. from
104.245.34.178 refused, no acl matches
[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for 34.245.104.in-addr.arpa.
from 104.245.34.178 refused, no acl matches
[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for 54.219.104.in-addr.arpa.
from 104.245.34.178 refused, no acl matches
[2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone cibolo.com received
error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone casitageorge.com
received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone casageorge.com received
error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone 34.245.104.in-addr.arpa
received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone 54.219.104.in-addr.arpa
received error code REFUSED from 104.245.34.178 at 53
Does this look familiar to anyone? have I got a mistake in nsd.conf?
The master works OK, looks good at https://intodns.com/ecosensory.com
==master nsd.conf=======================
# ns1.cibolo.us
# See the nsd.conf(5) man page.
server:
port: 53
server-count: 1
ip-address: 104.219.54.106
do-ip4: yes
do-ip6: no
verbosity: 2
database: "/var/lib/nsd/nsd.db" # the database to use
hide-version: yes # don't answer VERSION.BIND queries
logfile: "/var/log/nsd.log"
pidfile: "/run/nsd/nsd.pid"
zonesdir: "/etc/nsd"
tcp-query-count: 180 # queries served on a single TCP conn
xfrdfile: "/var/lib/nsd/xfrd.state"
nsid: "ascii_ns1.cibolo.us" # NSID identity (hex string, or
"ascii_somestring").
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 8952
server-key-file: "/etc/nsd/nsd_server.key"
server-cert-file: "/etc/nsd/nsd_server.pem"
control-key-file: "/etc/nsd/nsd_control.key"
control-cert-file: "/etc/nsd/nsd_control.pem"
key:
name: "ns1-cibolo-us-key"
algorithm: hmac-md5
secret: "xxxxxXXXXXxxxxxXXXX"
pattern:
name: "toslave"
notify: 104.245.34.178 NOKEY
provide-xfr: 104.245.34.178 NOKEY
notify: 216.218.131.2 NOKEY
provide-xfr: 216.218.131.2 NOKEY
zone:
name: 54.219.104.in-addr.arpa
zonefile: 54.219.104.in-addr.arpa
include-pattern: "toslave"
==master nsd.conf=======================
==slave nsd.conf=======================server:
server-count: 1
port: 53
ip-address: 104.245.34.178
do-ip4: yes
do-ip6: no
verbosity: 2
database: "/var/lib/nsd/nsd.db" # the database to use
hide-version: yes # don't answer VERSION.BIND queries
logfile: "/var/log/nsd.log"
pidfile: "/run/nsd/nsd.pid"
zonesdir: "/etc/nsd"
tcp-query-count: 180 # queries served on a single TCP connection.
xfrdfile: "/var/lib/nsd/xfrd.state"
nsid: "ascii_ns2.cibolo.us" # NSID identity (hex string, or
"ascii_somestring").
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 8952
server-cert-file: "/etc/nsd/nsd_server.pem"
control-key-file: "/etc/nsd/nsd_control.key"
control-cert-file: "/etc/nsd/nsd_control.pem"
key:
name: "ns1-cibolo-us-key"
algorithm: hmac-md5
secret: "xxxXXXxxxXXX"
pattern:
name: "frommaster"
allow-notify: 104.245.34.178 NOKEY
request-xfr: 104.245.34.178 NOKEY
zone:
name: 54.219.104.in-addr.arpa
zonefile: 54.219.104.in-addr.arpa
include-pattern: "frommaster"
==slave nsd.conf=======================--
John Griessen
Anand Buddhdev
2017-May-14 06:46 UTC
[nsd-users] using 4.1.14 on debian, I can't get AXFR to work to a secondary
Hi John, In your slave's config, you have: request-xfr: 104.245.34.178 NOKEY You've configured the slave's own IP address there, instead of the master's IP address (104.219.54.106). Regards, Anand Buddhdev On 14/05/2017 06:18, John Griessen wrote:> I get error log messages like > > > [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone casageorge.com: > max notify send count reached, 104.245.34.178 at 53 unreachable > [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone > cottagematic.com: max notify send count reached, 104.245.34.178 at 53 > unreachable > [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone labhw.com: max > notify send count reached, 104.245.34.178 at 53 unreachable > [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone cibolo.com: max > notify send count reached, 104.245.34.178 at 53 unreachable > [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone kitmatic.com: > max notify send count reached, 104.245.34.178 at 53 unreachable > [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone tankmatic.com: > max notify send count reached, 104.245.34.178 at 53 unreachable > [2017-05-13 23:42:25.380] nsd[13764]: info: new control connection from > 127.0.0.1 > [2017-05-13 23:42:25.436] nsd[13764]: info: control cmd: reload > [2017-05-14 00:22:43.913] nsd[13789]: info: axfr for kitmatic.com. from > 216.218.133.2 refused, no acl matches > [2017-05-14 00:35:55.638] nsd[13764]: info: new control connection from > 127.0.0.1 > [2017-05-14 00:35:55.692] nsd[13764]: info: control cmd: reload > > > > on the master, > and on the slave: > > [2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone griessen.com > received error code REFUSED from 104.245.34.178 at 53 > [2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone ecosensory.com > received error code REFUSED from 104.245.34.178 at 53 > [2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone cottagematic.com > received error code REFUSED from 104.245.34.178 at 53 > [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for cibolo.com. from > 104.245.34.178 refused, no acl matches > [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for casitageorge.com. > from 104.245.34.178 refused, no acl matches > [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for casageorge.com. > from 104.245.34.178 refused, no acl matches > [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for > 34.245.104.in-addr.arpa. from 104.245.34.178 refused, no acl matches > [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for > 54.219.104.in-addr.arpa. from 104.245.34.178 refused, no acl matches > [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone cibolo.com > received error code REFUSED from 104.245.34.178 at 53 > [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone casitageorge.com > received error code REFUSED from 104.245.34.178 at 53 > [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone casageorge.com > received error code REFUSED from 104.245.34.178 at 53 > [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone > 34.245.104.in-addr.arpa received error code REFUSED from 104.245.34.178 at 53 > [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone > 54.219.104.in-addr.arpa received error code REFUSED from 104.245.34.178 at 53 > > > Does this look familiar to anyone? have I got a mistake in nsd.conf? > > The master works OK, looks good at https://intodns.com/ecosensory.com > > > ==master nsd.conf=======================> > # ns1.cibolo.us > # See the nsd.conf(5) man page. > > server: > port: 53 > server-count: 1 > ip-address: 104.219.54.106 > do-ip4: yes > do-ip6: no > verbosity: 2 > > database: "/var/lib/nsd/nsd.db" # the database to use > hide-version: yes # don't answer VERSION.BIND queries > logfile: "/var/log/nsd.log" > pidfile: "/run/nsd/nsd.pid" > zonesdir: "/etc/nsd" > tcp-query-count: 180 # queries served on a single TCP conn > xfrdfile: "/var/lib/nsd/xfrd.state" > nsid: "ascii_ns1.cibolo.us" # NSID identity (hex string, or > "ascii_somestring"). > > remote-control: > control-enable: yes > control-interface: 127.0.0.1 > control-port: 8952 > server-key-file: "/etc/nsd/nsd_server.key" > server-cert-file: "/etc/nsd/nsd_server.pem" > control-key-file: "/etc/nsd/nsd_control.key" > control-cert-file: "/etc/nsd/nsd_control.pem" > > key: > name: "ns1-cibolo-us-key" > algorithm: hmac-md5 > secret: "xxxxxXXXXXxxxxxXXXX" > > pattern: > name: "toslave" > notify: 104.245.34.178 NOKEY > provide-xfr: 104.245.34.178 NOKEY > notify: 216.218.131.2 NOKEY > provide-xfr: 216.218.131.2 NOKEY > > zone: > name: 54.219.104.in-addr.arpa > zonefile: 54.219.104.in-addr.arpa > include-pattern: "toslave" > > ==master nsd.conf=======================> > ==slave nsd.conf=======================> server: > server-count: 1 > port: 53 > ip-address: 104.245.34.178 > do-ip4: yes > do-ip6: no > verbosity: 2 > > database: "/var/lib/nsd/nsd.db" # the database to use > hide-version: yes # don't answer VERSION.BIND queries > logfile: "/var/log/nsd.log" > pidfile: "/run/nsd/nsd.pid" > zonesdir: "/etc/nsd" > tcp-query-count: 180 # queries served on a single TCP connection. > xfrdfile: "/var/lib/nsd/xfrd.state" > nsid: "ascii_ns2.cibolo.us" # NSID identity (hex string, or > "ascii_somestring"). > > remote-control: > control-enable: yes > control-interface: 127.0.0.1 > control-port: 8952 > server-cert-file: "/etc/nsd/nsd_server.pem" > control-key-file: "/etc/nsd/nsd_control.key" > control-cert-file: "/etc/nsd/nsd_control.pem" > > key: > name: "ns1-cibolo-us-key" > algorithm: hmac-md5 > secret: "xxxXXXxxxXXX" > > > pattern: > name: "frommaster" > allow-notify: 104.245.34.178 NOKEY > request-xfr: 104.245.34.178 NOKEY > > zone: > name: 54.219.104.in-addr.arpa > zonefile: 54.219.104.in-addr.arpa > include-pattern: "frommaster" > > ==slave nsd.conf========================