Hello again,

here is my second problem for today.
nsdc update at a slave server failed with this:

Sending notify to localhost to update secondary zones...
Jan 03 13:41:25 nsd-notify[7399]: warning: no local address family matches remote address family, skipping server '127.0.0.1'
Jan 03 13:41:25 nsd-notify[7400]: warning: bad reply from ::1 for zone example.com., error response REFUSED (5).

If I remove the difffile, xfrdfile and database,
rebuild the database and start nsd, then the slave fetches the zones from the master.
All zone transfer and notify is configured to use IPv6 and TSIG.
Both servers do not listen to 127.0.0.1 or ::1

nsd-master.conf
zone:
  name: "example.com"
  zonefile: "/etc/nsd/zones/example.com"
  notify: <slaves ipv6 address> notify-key
  provide-xfr: <slaves ipv6 address> xfer-key
  outgoing-interface: <master ipv6 address> NOKEY
  allow-axfr-fallback: yes

nsd-slave.conf
zone:
  name: "example.com"
  zonefile: "/etc/nsd/zones.slave/example.com"
  allow-notify: 127.0.0.1 NOKEY
  allow-notify: ::1 NOKEY
  allow-notify: <master ipv6 address> notify-key
  request-xfr: AXFR <master ipv6 address> xfer-key
  outgoing-interface: <slave ipv6 address> NOKEY
  allow-axfr-fallback: yes

both config-files:
key:
  name: "notify-key"
  algorithm: "hmac-md5"
  secret: "<base64-data>"

key:
  name: "xfer-key"
  algorithm: "hmac-sha256"
  secret: "<base64-data>"

Funny to note that the notify-key cannot be an hmac-sha256 ...

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG
90329 Nürnberg | Phone +49 911 319-0 | Fax +49 911 319-3196
E-Mail info @datev.de | Internet www.datev.de
Registered office: 90429 Nürnberg, Paumgartnerstr. 6-14 | Register court Nürnberg, GenReg Nr.70
Management Board
Prof. Dieter Kempf (Chairman)
Dipl.-Kfm. Wolfgang Stegmann (Deputy Chairman)
Dipl.-Kfm. Michael Leistenschneider
Jörg Rabe v. Pappenheim
Dipl.-Vw. Eckhard Schwarzer
Chairman of the Supervisory Board: Reinhard Verholen
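To make the two warnings in the post reproducible, here is a small model (added to this thread; it is not NSD's code and not the poster's) of what the slave's allow-notify list does with the notifies that nsdc update sends to 127.0.0.1 and ::1. It assumes that nsd-notify skips a target whose address family differs from the -a address (the first warning), that NSD walks allow-notify entries in order and the first entry whose address and key both match decides (a simplification), and it uses constructed placeholder addresses for the <master ipv6 address> and <slave ipv6 address> the posted configs elide. Whether nsd actually listens on the loopback addresses is not modelled.

```python
import ipaddress

# Constructed placeholders for the addresses the posted configs elide.
MASTER_V6 = "2001:db8::1"   # <master ipv6 address>
SLAVE_V6 = "2001:db8::2"    # <slave ipv6 address>, the slave's outgoing-interface

# The slave's allow-notify list as posted: (address, TSIG key name or "NOKEY").
SLAVE_ALLOW_NOTIFY = [
    ("127.0.0.1", "NOKEY"),
    ("::1", "NOKEY"),
    (MASTER_V6, "notify-key"),
]


def notify_source(target, outgoing_interface=None):
    """Return the source address a NOTIFY to `target` leaves with, or None if skipped.

    Models the check behind nsd-notify's first warning: with -a, a local address
    of the other address family cannot be used, so the target is skipped.
    Without -a the kernel picks the source; for a loopback target that is the
    loopback address itself (assumption; other targets are not modelled).
    """
    remote = ipaddress.ip_address(target)
    if outgoing_interface is None:
        if not remote.is_loopback:
            raise ValueError("source selection without -a is only modelled for loopback targets")
        return str(remote)
    local = ipaddress.ip_address(outgoing_interface)
    if local.version != remote.version:
        return None  # "no local address family matches remote address family, skipping"
    return str(local)


def allow_notify(source, key_name, acl=SLAVE_ALLOW_NOTIFY):
    """Simplified allow-notify walk (assumption: first matching entry decides).

    An entry matches when its address equals the NOTIFY's source address and it
    is either NOKEY or names the TSIG key the NOTIFY was signed with. With no
    matching entry the answer is REFUSED, which is what the slave returned for
    the notify that reached ::1 in the thread.
    """
    src = ipaddress.ip_address(source)
    for addr, key in acl:
        if ipaddress.ip_address(addr) != src:
            continue
        if key == "NOKEY" or key == key_name:
            return "NOERROR"
    return "REFUSED"


def nsdc_update(outgoing_interface, key_name=None, acl=SLAVE_ALLOW_NOTIFY):
    """Replay the two local nsd-notify calls nsdc update makes, per the thread."""
    outcome = {}
    for target in ("127.0.0.1", "::1"):
        src = notify_source(target, outgoing_interface)
        if src is None:
            outcome[target] = "SKIPPED"          # address-family mismatch warning
        else:
            outcome[target] = allow_notify(src, key_name, acl)
    return outcome


if __name__ == "__main__":
    print("as shipped (-a <slave ipv6>):", nsdc_update(SLAVE_V6))
    print("without -a:                  ", nsdc_update(None))
    print("master -> slave, notify-key: ", allow_notify(MASTER_V6, "notify-key"))
```

Run as shipped, the 127.0.0.1 notify is skipped (IPv6 -a address, IPv4 target) and the ::1 notify is sourced from the slave's own global IPv6 address, which no allow-notify entry covers, so it is REFUSED even though an "::1 NOKEY" entry exists: the ACL keys on the source address of the packet, not on the address it was sent to. Without -a both loopback notifies match their NOKEY entries. The same walk shows why the master's notify is only accepted when it carries notify-key, and not xfer-key or no key at all.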
On 03.01.2011 14:00, Andreas Schulze wrote:

with "sh -x nsdc update" I found that nsd-notify is called like this:

/usr/sbin/nsd-notify -a <outgoing-interface> -p 53 -z example.com 127.0.0.1
and
/usr/sbin/nsd-notify -a <outgoing-interface> -p 53 -z example.com ::1

I now managed an update by
1) make nsd listen to 127.0.0.1 ( which is not always possible )
2) remove "allow-notify: ::1 NOKEY"
3) patching nsdc to not use -a <outgoing-interface> when calling nsd-notify

# diff /usr/sbin/nsdc.orig /usr/sbin/nsdc
261a262
> ifc_spec=""

But this does not look like a clean solution ...

Andreas
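Review bot: setting ifc_spec="" at line 262 discards the configured outgoing-interface for the nsd-notify calls that follow, which is a workaround rather than a fix, as the poster notes. The log lines in the thread point at two distinct problems: the IPv6 -a address is paired with the IPv4 target 127.0.0.1 (hence the address-family warning), and the notify to ::1 is sourced from the non-loopback -a address, which none of the allow-notify entries cover (hence REFUSED). A narrower change would omit -a only for the loopback notifies; the later reply reports that nsdc itself was corrected in trunk.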
_______________________________________________
nsd-users mailing list
nsd-users at NLnetLabs.nl
http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
Hi again :),

The nsdc update bug should now have been fixed in trunk.
Also, nsdc can now handle tsig algorithms other than hmac-md5.

Thanks for your reports.

Best regards,
Matthijs