zongo saiba
2013-Jul-10 09:45 UTC
[nsd-users] nsd can't bind udp socket: Address already in use
Greetings,

Unbound 1.4.20
OS X 10.8.4 - Server
NSD 3.2.15

I have installed 'unbound' and it works nicely on my client (test purpose) - Client is MacBook Air.
I have installed NSD (will be in replacement of BIND) on said client.
All is good but when I try to start NSD

Error --> nsd can't bind udp socket: address already in use.
Everything is configured to bind to 127.0.0.1.

# netstat -anp tcp | grep 127.0.0.1
tcp4 0 0 127.0.0.1.8953 *.* LISTEN
tcp4 0 0 127.0.0.1.53 *.* LISTEN
tcp4 0 0 127.0.0.1.311 *.* LISTEN
tcp4 0 0 127.0.0.1.631 *.* LISTEN

So I understand that 127.0.0.1 is just booked by other processes and in particular unbound.

What troubles me is how to solve that issue?

Kind Regards,
zongo saiba
Anand Buddhdev
2013-Jul-10 10:04 UTC
[nsd-users] nsd can't bind udp socket: Address already in use
On 10/07/2013 11:45, zongo saiba wrote:

Hi Zongo,

> So I understand that 127.0.0.1 is just booked by other processes and in
> particular unbound.
>
> What troubles me is how to solve that issue?

You can't have two different processes bound to the same address+port combination. You need to configure Unbound and NSD to listen on different ports, depending on what you are trying to achieve with your setup.

Regards,
Anand
Rick van Rein (OpenFortress)
2013-Jul-10 13:03 UTC
[nsd-users] nsd can't bind udp socket: Address already in use
Hi,

> Also I am getting this error
> 10/07/2013 14:03:12.523 unbound[705]: [705:0] error: could not open autotrust file for writing, /usr/local/etc/unbound/root.key.705-0: Permission denied
> Is it safe to disregard? Was reading that it appears to not affect unbound process. I can tell that unbound is still working properly :)

This looks like it is downloading the root key for DNS and attempting to pin it by storing it into the filesystem. You do want that, or you will be vulnerable to arbitrary DNSKEYs being claimed for . (the DNS root), which is probably not in line with the ideas you had when you rolled out DNSSEC.

You should probably find some evidence to the root key stored here as well. A few hints: your OS might provide it by now, or you could look for signatures by people you rely on.

-Rick
Paul Wouters
2013-Jul-10 15:04 UTC
[nsd-users] nsd can't bind udp socket: Address already in use
On Wed, 10 Jul 2013, zongo saiba wrote:

> I have installed 'unbound' and it works nicely on my client (test purpose) -
> Client is MacBook Air.
> I have installed NSD (will be in replacement of BIND) on said client.
> All is good but when I try to start NSD
>
> Error --> nsd can't bind udp socket: address already in use.
> Everything is configured to bind to 127.0.0.1.

> So I understand that 127.0.0.1 is just booked by other processes and in
> particular unbound.
>
> What troubles me is how to solve that issue?

That depends on what you want to do. You can make unbound or nsd listen on another IP address or port. But clearly if you use unbound for resolving, you cannot replace it with nsd, as your resolving would break.

If you want to use nsd to host some domains, and use unbound for resolving the normal way with a special forward to those nsd domains, you should run nsd on another port like 5353 and configure unbound forward zones to point to 127.0.0.1 at 5353 for those zones.

Paul
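The split that Anand and Paul describe (NSD authoritative on 127.0.0.1:5353, Unbound resolving on 127.0.0.1:53 and forwarding the NSD-hosted zone to it), written out as an added example that is not from this thread, from NSD or from Unbound. The option names are real nsd.conf (NSD 3) and unbound.conf keys; the temp directory, the zone name example.org and the zone file name are constructed. The pre-flight check at the end parses both configurations and refuses the pair if they would bind the same address:port, which is exactly the "Address already in use" condition the thread starts with.

```shell
#!/bin/sh
# Added example, not the thread's or the projects' own code.
# Writes a constructed nsd.conf / unbound.conf pair into a temp directory,
# then checks that the two daemons will not claim the same address:port.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/nsd.conf" <<'EOF'
# NSD 3: authoritative for the locally hosted zone, moved off port 53
server:
    ip-address: 127.0.0.1
    port: 5353
zone:
    name: "example.org"
    zonefile: "example.org.zone"
EOF

cat > "$WORK/unbound.conf" <<'EOF'
server:
    interface: 127.0.0.1
    port: 53
    # Unbound refuses to send queries to 127.0.0.1 unless this is set
    do-not-query-localhost: no
    # the anchor file from the thread; its directory must be writable by the
    # unbound user, or the "could not open autotrust file" error appears
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    # if the NSD-hosted zone is unsigned while its parent is signed,
    # validation of it fails unless it is declared insecure (assumption)
    domain-insecure: "example.org"
forward-zone:
    name: "example.org"
    forward-addr: 127.0.0.1@5353
EOF

# Print every address:port NSD 3 will bind: "port:" (default 53) applies to
# all "ip-address:" entries in the server section.
nsd_endpoints() {
    awk '
        /^[ \t]*port:/       { port = $2 }
        /^[ \t]*ip-address:/ { addrs[n++] = $2 }
        END { if (port == "") port = 53
              for (i = 0; i < n; i++) print addrs[i] ":" port }
    ' "$1"
}

# Print every address:port Unbound will bind: an "interface:" may carry its
# own "@port", otherwise the global "port:" (default 53) applies.
unbound_endpoints() {
    awk '
        /^[ \t]*port:/      { port = $2 }
        /^[ \t]*interface:/ { ifs[n++] = $2 }
        END { if (port == "") port = 53
              for (i = 0; i < n; i++) {
                  if (index(ifs[i], "@")) { split(ifs[i], p, "@"); print p[1] ":" p[2] }
                  else print ifs[i] ":" port } }
    ' "$1"
}

# Return 0 when no endpoint appears in both lists, 1 (with a message) otherwise.
check_no_conflict() {
    dup=$( { nsd_endpoints "$1"; unbound_endpoints "$2"; } | sort | uniq -d )
    if [ -n "$dup" ]; then
        echo "conflict: both daemons would bind $dup" >&2
        return 1
    fi
    return 0
}

nsd_endpoints "$WORK/nsd.conf"          # 127.0.0.1:5353
unbound_endpoints "$WORK/unbound.conf"  # 127.0.0.1:53
check_no_conflict "$WORK/nsd.conf" "$WORK/unbound.conf" && echo "no address:port clash"
# On the live host, see which process already holds the port before starting NSD:
#   lsof -nP -i :53
```

The check is deliberately on the configuration files rather than on a running socket: it catches the clash before NSD is started, and it also flags the case where NSD is left at its default port while Unbound already owns 127.0.0.1:53.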
Rick van Rein (OpenFortress)
2013-Jul-10 17:32 UTC
[nsd-users] nsd can't bind udp socket: Address already in use
Hi,

> I know Rick answered me once already on this: But the fact that I validate DNSSEC with known good RRSIG would that mean it's safe to ignore? I think I did not quite get the meaning of the answer from Rick. My apologies for that :)

The unbound daemon is trying to download the trust anchor for the entire Internet. You are not permitting it to save that. I suppose it will continue to work with a memory-stored version, but it'll be risky every time you restart Unbound, because at that time it probably accepts whatever is offered at that time.

Normally, it would find the root key among its configuration files and have a solid anchor point. You should download it manually, verify it, and install it in /usr/local/etc/unbound/root.key.

I'm including my file below, but of course you should seriously wonder if I can be trusted... a few other links are here, but I also have write access there so it hardly adds trust.

https://dnssec.surfnet.nl/?p=371

Oh, and if your Mac tells you the attachment is a keynote document, it's not ;-) it's ASCII.

-Rick

-------------- next part --------------
A non-text attachment was scrubbed...
Name: root.key
Type: application/octet-stream
Size: 759 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20130710/e4004209/attachment.obj>
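Rick's two posts boil down to: get the root trust anchor onto disk where Unbound can both read it and rewrite it (the "root.key.705-0" file in the error is the temporary file Unbound creates next to the anchor when it saves an RFC 5011 update), and check what you installed before trusting it. The following is an added example, not from the thread or from NLnet Labs. The anchor path is the one from the thread; the "unbound" user name is an assumption that has to match the username: option in unbound.conf; the sample anchor file is constructed and its key material is a placeholder, not the real root key (19036 was the root KSK key tag in 2013).

```shell
#!/bin/sh
# Added example, not the thread's or Unbound's own code.

ANCHOR_DIR=/usr/local/etc/unbound
ANCHOR=$ANCHOR_DIR/root.key
UNBOUND_USER=unbound   # assumption: must equal "username:" in unbound.conf

# Step 1, run as root on the real host (not executed by this script):
# unbound-anchor fetches the IANA root anchor over HTTPS, checks it against
# its built-in certificate and writes it to $ANCHOR. The chown lets the
# daemon create "root.key.<pid>-<thread>" next to it when it rolls the key,
# which is what the "Permission denied" message in the thread was about.
install_anchor() {
    mkdir -p "$ANCHOR_DIR"
    unbound-anchor -a "$ANCHOR"
    chown "$UNBOUND_USER" "$ANCHOR_DIR" "$ANCHOR"
    chmod 0755 "$ANCHOR_DIR"
}

# Step 2: sanity-check an anchor file. unbound-anchor writes a ". IN DS ..."
# line; once Unbound has probed the root it rewrites the file in autotrust
# layout with ". <ttl> IN DNSKEY 257 ..." lines. Accept only records owned by
# the root, of type DS or DNSKEY with flags 257 (a KSK); anything else, or an
# empty file, is rejected. Returns 0 when the file passes.
check_root_anchor() {
    awk '
        /^[ \t]*;/ || NF == 0 { next }           # comments and blank lines
        {
            for (i = 1; i <= NF; i++) if ($i == "IN") break
            if ($1 != "." || i >= NF) { other++; next }
            type = $(i + 1)
            if (type == "DS") ds++
            else if (type == "DNSKEY" && $(i + 2) == "257") ksk++
            else other++
        }
        END { exit !((ds + ksk) >= 1 && other == 0) }
    ' "$1"
}

# Constructed sample in autotrust layout; PLACEHOLDER is not real key data.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
; autotrust trust anchor file
. 172800 IN DNSKEY 257 3 8 PLACEHOLDER-NOT-THE-REAL-ROOT-KEY ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1373443200
EOF

if check_root_anchor "$SAMPLE"; then
    echo "sample anchor has the shape of a root trust anchor"
else
    echo "sample anchor rejected" >&2
fi
```

The shape check is not a substitute for Rick's "verify it": it only proves the file claims to anchor the root, so the key tag and digest still have to be compared against a source you trust independently of the machine that downloaded them.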