nsd users - Jan 2011 - nsdc update failed

Hello again,

here is my second problem for today.
nsdc update at a slave server failed with this:

Sending notify to localhost to update secondary zones...
Jan 03 13:41:25 nsd-notify[7399]: warning: no local address family matches
remote address family, skipping server '127.0.0.1'
Jan 03 13:41:25 nsd-notify[7400]: warning: bad reply from ::1 for zone
example.com., error response REFUSED (5).

If I remove the difffile, xfrdfile and database,
rebuild the database and start nsd, then the slave fetches the zones from the
master.
All zonetransfer and notify is configured to use IPv6 and TSIG.
Both server do not listen to 127.0.0.1 or ::1 

nsd-master.conf
zone:
	name: "example.com"
	zonefile: "/etc/nsd/zones/example.com"
	notify: <slaves ipv6 address> notify-key
	provide-xfr: <slaves ipv6 address> xfer-key
	outgoing-interface: master ipv6 address> NOKEY
	allow-axfr-fallback: yes

nsd-slave.conf
zone:
	name "example.com"
	zonefile: "/etc/nsd/zones.slave/example.com"
	allow-notify: 127.0.0.1 NOKEY
	allow-notify: ::1 NOKEY
	allow-notify: <master ipv6 address> notify-key
	request-xfr: AXFR <master ipv6 address> xfer-key
	outgoing-interface: <slave ipv6 address> NOKEY
	allow-axfr-fallback: yes

both config-files:
key:
        name: "notify-key"
        algorithm: "hmac-md5"
        secret: "<base64-data>"

key:
        name: "xfer-key"
        algorithm: "hmac-sha256"
        secret: "<base64-data>"

Funny to note, that the notify-key cannot be a hmac-sha256 ...

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG
90329 N?rnberg | Telefon +49 911 319-0 | Telefax +49 911 319-3196
E-Mail info @datev.de | Internet www.datev.de
Sitz: 90429 N?rnberg, Paumgartnerstr. 6-14 | Registergericht N?rnberg, GenReg
Nr.70
Vorstand
Prof. Dieter Kempf (Vorsitzender)
Dipl.-Kfm. Wolfgang Stegmann (stellvertretender Vorsitzender)
Dipl.-Kfm. Michael Leistenschneider
J?rg Rabe v. Pappenheim
Dipl.-Vw. Eckhard Schwarzer
Vorsitzender des Aufsichtsrates: Reinhard Verholen

Am 03.01.2011 14:00 schrieb Andreas Schulze:

with "sh -x nsdc update" I found that nsdc-notify is called like this:

/usr/sbin/nsd-notify -a <outgoing-interface> -p 53 -z example.com
127.0.0.1
and
/usr/sbin/nsd-notify -a <outgoing-interface> -p 53 -z example.com ::1

I now managed an update by
1)
	make nsd listen to 127.0.0.1 ( which is not always possible )

2)
	remove "allow-notify: ::1 NOKEY"

3)
	patching nsdc to not use -a <outgoing-interface> when calling nsd-notify
# diff /usr/sbin/nsdc.orig /usr/sbin/nsdc
261a262
>                       ifc_spec=""
#

But this does not look like a clean solution ...

Andreas
> Hello again,
> 
> here is my second problem for today.
> nsdc update at a slave server failed with this:
> 
> Sending notify to localhost to update secondary zones...
> Jan 03 13:41:25 nsd-notify[7399]: warning: no local address family matches
remote address family, skipping server '127.0.0.1'
> Jan 03 13:41:25 nsd-notify[7400]: warning: bad reply from ::1 for zone
example.com., error response REFUSED (5).
> 
> If I remove the difffile, xfrdfile and database,
> rebuild the database and start nsd, then the slave fetches the zones from
the master.
> All zonetransfer and notify is configured to use IPv6 and TSIG.
> Both server do not listen to 127.0.0.1 or ::1 
> 
> nsd-master.conf
> zone:
> 	name: "example.com"
> 	zonefile: "/etc/nsd/zones/example.com"
> 	notify: <slaves ipv6 address> notify-key
> 	provide-xfr: <slaves ipv6 address> xfer-key
> 	outgoing-interface: master ipv6 address> NOKEY
> 	allow-axfr-fallback: yes
> 
> nsd-slave.conf
> zone:
> 	name "example.com"
> 	zonefile: "/etc/nsd/zones.slave/example.com"
> 	allow-notify: 127.0.0.1 NOKEY
> 	allow-notify: ::1 NOKEY
> 	allow-notify: <master ipv6 address> notify-key
> 	request-xfr: AXFR <master ipv6 address> xfer-key
> 	outgoing-interface: <slave ipv6 address> NOKEY
> 	allow-axfr-fallback: yes
> 
> both config-files:
> key:
>         name: "notify-key"
>         algorithm: "hmac-md5"
>         secret: "<base64-data>"
> 
> key:
>         name: "xfer-key"
>         algorithm: "hmac-sha256"
>         secret: "<base64-data>"
> 
> Funny to note, that the notify-key cannot be a hmac-sha256 ...
> 
> -- 
> Andreas Schulze
> Internetdienste | P252
> 
> DATEV eG
> 90329 N?rnberg | Telefon +49 911 319-0 | Telefax +49 911 319-3196
> E-Mail info @datev.de | Internet www.datev.de
> Sitz: 90429 N?rnberg, Paumgartnerstr. 6-14 | Registergericht N?rnberg,
GenReg Nr.70
> Vorstand
> Prof. Dieter Kempf (Vorsitzender)
> Dipl.-Kfm. Wolfgang Stegmann (stellvertretender Vorsitzender)
> Dipl.-Kfm. Michael Leistenschneider
> J?rg Rabe v. Pappenheim
> Dipl.-Vw. Eckhard Schwarzer
> Vorsitzender des Aufsichtsrates: Reinhard Verholen
> 
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
-- 
Andreas Schulze
Internetdienste | P252

DATEV eG
90329 N?rnberg | Telefon +49 911 319-0 | Telefax +49 911 319-3196
E-Mail info @datev.de | Internet www.datev.de
Sitz: 90429 N?rnberg, Paumgartnerstr. 6-14 | Registergericht N?rnberg, GenReg
Nr.70
Vorstand
Prof. Dieter Kempf (Vorsitzender)
Dipl.-Kfm. Wolfgang Stegmann (stellvertretender Vorsitzender)
Dipl.-Kfm. Michael Leistenschneider
J?rg Rabe v. Pappenheim
Dipl.-Vw. Eckhard Schwarzer
Vorsitzender des Aufsichtsrates: Reinhard Verholen

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi again:),

The nsdc update bug should now have been fixed in trunk.
Also, nsdc can now handle tsig algorithms other than hmac-md5.

Thanks for your reports.

Best regards,

Matthijs

On 01/03/2011 02:00 PM, Andreas Schulze wrote:
> Hello again,
> 
> here is my second problem for today.
> nsdc update at a slave server failed with this:
> 
> Sending notify to localhost to update secondary zones...
> Jan 03 13:41:25 nsd-notify[7399]: warning: no local address family matches
remote address family, skipping server '127.0.0.1'
> Jan 03 13:41:25 nsd-notify[7400]: warning: bad reply from ::1 for zone
example.com., error response REFUSED (5).
> 
> If I remove the difffile, xfrdfile and database,
> rebuild the database and start nsd, then the slave fetches the zones from
the master.
> All zonetransfer and notify is configured to use IPv6 and TSIG.
> Both server do not listen to 127.0.0.1 or ::1 
> 
> nsd-master.conf
> zone:
> 	name: "example.com"
> 	zonefile: "/etc/nsd/zones/example.com"
> 	notify: <slaves ipv6 address> notify-key
> 	provide-xfr: <slaves ipv6 address> xfer-key
> 	outgoing-interface: master ipv6 address> NOKEY
> 	allow-axfr-fallback: yes
> 
> nsd-slave.conf
> zone:
> 	name "example.com"
> 	zonefile: "/etc/nsd/zones.slave/example.com"
> 	allow-notify: 127.0.0.1 NOKEY
> 	allow-notify: ::1 NOKEY
> 	allow-notify: <master ipv6 address> notify-key
> 	request-xfr: AXFR <master ipv6 address> xfer-key
> 	outgoing-interface: <slave ipv6 address> NOKEY
> 	allow-axfr-fallback: yes
> 
> both config-files:
> key:
>         name: "notify-key"
>         algorithm: "hmac-md5"
>         secret: "<base64-data>"
> 
> key:
>         name: "xfer-key"
>         algorithm: "hmac-sha256"
>         secret: "<base64-data>"
> 
> Funny to note, that the notify-key cannot be a hmac-sha256 ...
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJNJEocAAoJEA8yVCPsQCW5KckH/ihkynZOjou9eeFgRjOOXvgI
KWq/Ik8Lqplzn7xYJrFcRwHZGIOiiYap60KdXYcr64fZO0WfAhlrU6qCaw5bENbg
ExZV2aHysRAWp3khJP7JemAXSfBJPl51DteMHTLWwG3tmIjGG0aAjkwaMAwEUX2V
Gwb98V+Ak4L6QUJFLJ4hku05CzhjcHrrpQNoAYywt92ldT3wAlGJ+hNenXY02GeL
aaoiX14wt3eyIkjkJ/ytPOkTxJENtiJjLHt4mOGUiiJi52UqKcEyCLcyog+3W67V
O/seq/8HWyk4eVO69zy3K2RlUOB0SdZT046ACZKmwTMGs9iQcKfCJCaAYx+R7zo=AQCz
-----END PGP SIGNATURE-----