Hello,

Please can I have some help regarding this.

I've set up NSD as primary with NOKEY. My domain registrar's secondary DS cannot handle TSIG. My zone file is signed with NSEC3SHA1.

Each time the designated secondary NS requests AXFR, my NSD server sends REFUSED, which I can see from tcpdumps.

I've set up debug logging and it reports:

info: axfr for zone example.com. from client 1.2.3.4 refused, no acl matches

I've simply set it up as follows in nsd.conf, and nsd-checkconf reports no problems:
zone:
    name: example.com.
    zonefile: example.com.signed
    notify: 1.2.3.4@53 NOKEY
    provide-xfr: 1.2.3.4@53 NOKEY

server:
    ip-address: 4.3.2.1
    port: 53
    server-count: 1
    username: nsd
    do-ip4: yes
    do-ip6: no
    hide-version: yes
    identity: ""
    ipv4-edns-size: 4096
    zonesdir: "/etc/nsd"
    zonefiles-check: yes
    verbosity: 2
    debug-mode: yes
    logfile: "/etc/nsd/nsd.log"
It's running on Debian Jessie amd64.

What could it be?
On 10/09/2014 14:20, shmick at riseup.net wrote:

Dear shmick,

> each time the designated secondary NS requests AXFR, my nsd server sends
> REFUSED which i can see from tcpdumps
>
> ive setup debug logging and it reports:
>
> info: axfr for zone example.com. from client 1.2.3.4 refused, no acl matches
>
> ive simply setup it as followed in nsd.conf & no problems with nsd-checkconf
>
> zone:
>     name: example.com.
>     zonefile: example.com.signed
>     notify: 1.2.3.4@53 NOKEY
>     provide-xfr: 1.2.3.4@53 NOKEY

This is your problem. You're telling the NSD master that the slave must connect from address 1.2.3.4 *and* source port 53. However, the slave will most likely use an ephemeral port number, so the ACL will not match. Change that to:

    provide-xfr: 1.2.3.4 NOKEY

Regards,
Anand Buddhdev
RIPE NCC
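As an added illustration of the point Anand makes (this is not part of the thread and not NSD's own ACL code), the Python below models how a provide-xfr entry is matched against an incoming AXFR client. The address forms follow nsd.conf(5): a bare address, `address@port` (which the list archive renders as `1.2.3.4 at 53`), a `/prefix`, or an `lo-hi` range, each followed by NOKEY, BLOCKED or a TSIG key name. The port in an `@port` entry is a constraint on the client's *source* port, so the original entry only matches a transfer request that happens to originate from port 53; a secondary that opens its AXFR connection from an ephemeral port falls through every entry and gets the "refused, no acl matches" result seen in the log. The verdict strings are my own wording, chosen to mirror that log line; nsd-checkconf accepts both configurations because both are syntactically valid.

```python
import ipaddress

# Constructed model of NSD provide-xfr ACL matching (assumption: follows the
# address/key forms documented in nsd.conf(5); this is not NSD's own code).
#   "1.2.3.4 NOKEY"          address only, any source port
#   "1.2.3.4@53 NOKEY"       address AND client source port must be 53
#   "10.0.0.0/8 NOKEY"       prefix match
#   "1.2.3.4-1.2.3.10 key1"  inclusive range, TSIG key "key1" required
#   "... BLOCKED"            explicitly refuse matching clients


def parse_acl(spec):
    """Parse '<address-spec> <key>' into a dict with rule, port and key."""
    fields = spec.split()
    if len(fields) != 2:
        raise ValueError("expected '<address-spec> <key>', got %r" % spec)
    addr_spec, key = fields
    port = None
    if "@" in addr_spec:
        addr_spec, port_text = addr_spec.split("@", 1)
        port = int(port_text)
    if "-" in addr_spec:
        lo, hi = addr_spec.split("-", 1)
        rule = ("range", ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    else:
        # strict=False lets a plain host address become a /32 (or /128) network.
        rule = ("net", ipaddress.ip_network(addr_spec, strict=False))
    return {"rule": rule, "port": port, "key": key}


def acl_addr_matches(acl, client_ip, client_port):
    """True if the client's address and, when required, its source port match."""
    ip = ipaddress.ip_address(client_ip)
    kind = acl["rule"][0]
    if kind == "net":
        if ip not in acl["rule"][1]:
            return False
    else:
        _, lo, hi = acl["rule"]
        if not (lo <= ip <= hi):
            return False
    # The '@port' qualifier is a source-port requirement on the client.
    if acl["port"] is not None and client_port != acl["port"]:
        return False
    return True


def acl_key_matches(acl, client_key):
    """NOKEY needs no TSIG; a key name needs the client to present that key."""
    if acl["key"] in ("NOKEY", "BLOCKED"):
        return True
    return client_key == acl["key"]


def axfr_decision(acl_specs, client_ip, client_port, client_key=None):
    """Walk the ACL list in order and return the verdict for this client."""
    for spec in acl_specs:
        acl = parse_acl(spec)
        if not acl_addr_matches(acl, client_ip, client_port):
            continue
        if not acl_key_matches(acl, client_key):
            continue
        if acl["key"] == "BLOCKED":
            return "refused, blocked by acl"
        return "allowed"
    return "refused, no acl matches"


if __name__ == "__main__":
    original = ["1.2.3.4@53 NOKEY"]   # the entry from the question
    corrected = ["1.2.3.4 NOKEY"]     # the entry from the answer
    # Constructed client: the secondary at 1.2.3.4 using an ephemeral port.
    for label, acls in (("original", original), ("corrected", corrected)):
        for port in (53, 49152):
            verdict = axfr_decision(acls, "1.2.3.4", port)
            print("%-9s client 1.2.3.4:%-5d -> %s" % (label, port, verdict))
```

Run it and the original entry allows the transfer only for a client sourcing from port 53, while the corrected entry allows it from any port; a secondary at a different address is refused by both, which is the behaviour you want from the ACL.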