Vladimir Lomov
2018-Oct-18 13:15 UTC
[nsd-users] How to "debug" REFUSED for notify request
Hello,

I have two hosts running NSD: the primary and the secondary. The first is configured to send updates of zone to the secondary and the second is configured to get updates from the first host.

Until I added additional IPv6 addresses (one additional for each host) this setup worked well. After I added second IPv6 address I see errors on primary host:
-------------------- 8< -------------------- 8< ------------------------
"xfrd: zone ZONE: received notify response error REFUSED from [IPV6]"
-------------------- 8< -------------------- 8< ------------------------

How could I "debug" this "REFUSED" error?

This is configuration for primary host:
-------------------- 8< -------------------- 8< ------------------------
server:
    server-count: 1
    ip-address: 185.185.68.15
    ip-address: 2a0a:2b40::4:140
    ip-transparent: yes
    identity: "VL-LOMOV domain master DNS"
    zonesdir: "/etc/nsd"

zone:
    name: "vl-lomov.ru"
    zonefile: "vl-lomov.ru.forward"
    notify: 88.99.227.228 NOKEY
    provide-xfr: 88.99.227.228 NOKEY
    notify: 2a01:4f8:c0c:14c9::2 NOKEY
    provide-xfr: 2a01:4f8:c0c:14c9::2 NOKEY

remote-control:
    control-enable: yes
-------------------- 8< -------------------- 8< ------------------------

This is configuration for secondary host.
-------------------- 8< -------------------- 8< ------------------------
server:
    server-count: 1
    ip-address: 172.31.1.100
    # ip-address: 88.99.227.228
    ip-address: 2a01:4f8:c0c:14c9::2
    ip-transparent: yes
    identity: "VL-LOMOV domain reserve DNS"
    zonesdir: "/etc/nsd"

zone:
    name: "vl-lomov.ru"
    zonefile: "vl-lomov.ru.forward"
    allow-notify: 185.185.68.15 NOKEY
    request-xfr: AXFR 185.185.68.15 NOKEY
    allow-notify: 2a0a:2b40::4:140 NOKEY
    request-xfr: AXFR 2a0a:2b40::4:140 NOKEY

remote-control:
    control-enable: yes
-------------------- 8< -------------------- 8< ------------------------

P.S. I don't see reason to hide the IPs of the hosts so I have shown the configuration as is.
---
WBR, Vladimir Lomov

--
Persistence in one opinion has never been considered a merit in political leaders.
    -- Marcus Tullius Cicero, "Ad familiares", 1st century BC
Anand Buddhdev
2018-Oct-18 14:15 UTC
[nsd-users] How to "debug" REFUSED for notify request
On 18/10/2018 15:15, Vladimir Lomov wrote:

Hi Vladimir,

> Until I added additional IPv6 addresses (one additional for each host)
> this setup worked well. After I added second IPv6 address I see errors
> on primary host:
> -------------------- 8< -------------------- 8< ------------------------
> "xfrd: zone ZONE: received notify response error REFUSED from [IPV6]"
> -------------------- 8< -------------------- 8< ------------------------

If you have 2 IPv6 addresses on the same interface on the primary, then the NOTIFY message over IPv6 may be originating from the wrong IPv6 address. See below.

> How could I "debug" this "REFUSED" error?
>
> This is configuration for primary host:
> -------------------- 8< -------------------- 8< ------------------------
> server:
>     server-count: 1
>     ip-address: 185.185.68.15
>     ip-address: 2a0a:2b40::4:140

NSD binds to this address for answering queries, but when it *originates* a NOTIFY message, it does not use this address. It may be using the other address. See below for how to solve it.

>     ip-transparent: yes
>     identity: "VL-LOMOV domain master DNS"
>     zonesdir: "/etc/nsd"
>
> zone:
>     name: "vl-lomov.ru"
>     zonefile: "vl-lomov.ru.forward"
>     notify: 88.99.227.228 NOKEY
>     provide-xfr: 88.99.227.228 NOKEY
>     notify: 2a01:4f8:c0c:14c9::2 NOKEY

Add "outgoing-interface: 2a0a:2b40::4:140" here. This allows NSD to send NOTIFY messages from the address that the secondary is expecting.

Regards,
Anand
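
A way to check the diagnosis in this thread offline, as an added example that is not part of either post and is not NSD code: it evaluates candidate NOTIFY source addresses against the secondary's `allow-notify` lines and asks the OS which source address an unbound UDP socket would use. It assumes NSD leaves source selection to the kernel when no `outgoing-interface` is set, handles only plain-address and `/prefix` ip-specs, and uses `2001:db8::2` as a constructed stand-in for the primary's second IPv6 address, which the thread does not give; the function names are hypothetical.

```python
import ipaddress
import socket

# allow-notify lines copied from the secondary's zone stanza posted in the thread.
SECONDARY_ZONE = """\
zone:
    name: "vl-lomov.ru"
    allow-notify: 185.185.68.15 NOKEY
    allow-notify: 2a0a:2b40::4:140 NOKEY
"""

def allow_notify_acl(conf_text):
    """Return [(network, key)] per allow-notify line (plain IP or IP/prefix only)."""
    acl = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line.startswith("allow-notify:"):
            spec, key = line.split(":", 1)[1].split()
            acl.append((ipaddress.ip_network(spec, strict=False), key))
    return acl

def notify_verdict(acl, source):
    """ACL decision for an unsigned NOTIFY arriving from `source`."""
    addr = ipaddress.ip_address(source)
    keys = [k for net, k in acl if net.version == addr.version and addr in net]
    if "BLOCKED" in keys or "NOKEY" not in keys:
        return "REFUSED"
    return "ACCEPTED"

def kernel_source_for(dest, port=53):
    """Source address the OS would pick for UDP to `dest`; connect() on a
    datagram socket sends no packet. Returns None if there is no route."""
    family = socket.AF_INET6 if ":" in dest else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.connect((dest, port))
            return s.getsockname()[0]
    except OSError:
        return None

if __name__ == "__main__":
    acl = allow_notify_acl(SECONDARY_ZONE)
    # 2001:db8::2 is a constructed stand-in for the primary's second IPv6 address.
    for src in ("185.185.68.15", "2a0a:2b40::4:140", "2001:db8::2"):
        print(f"NOTIFY from {src}: {notify_verdict(acl, src)}")
    # Run on the primary: which address would an unbound socket use?
    print("kernel picks:", kernel_source_for("2a01:4f8:c0c:14c9::2"))
```

Run on the primary, a `kernel picks:` value that is not listed in the secondary's `allow-notify` lines matches the REFUSED seen in the log, and pinning the source with `outgoing-interface` removes the mismatch.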