nsd users - Aug 2020 - Confused error with code REFUSED

Hello,

I faced with strange behaviour of two my DNS servers served by NSD.

Recently I switched these two hosts to IPv6 only but I saw the same errors
earlier but the hosts had IPv4 addresses and DNS servers (seems) worked fine.

Host A is a master DNS server and served two domains.
Host B is a reserved (secondary) DNS server and gets updates from Host A.

Host A configuration:
--------------------------------- 8< ------------------------------------
server:
  server-count:       1
  ip-address:         2a0a:2b40::4:14f
  ip-address:         2a0a:2b40::4:3a2f
  ip-transparent:     yes
  identity:           "BKOTY domain master DNS"
  zonesdir:           "/etc/nsd"

pattern:
  name:               "secondary"
  notify:             2a01:4f8:c2c:c813::14f   NOKEY
  provide-xfr:        2a01:4f8:c2c:c813::14f   NOKEY
  notify:             2a01:4f8:c2c:c813::3a2f  NOKEY
  provide-xfr:        2a01:4f8:c2c:c813::3a2f  NOKEY
  outgoing-interface: 2a0a:2b40::4:14f
  outgoing-interface: 2a0a:2b40::4:3a2f

zone:
  name:             "bkoty.ru"
  zonefile:         "bkoty.ru.forward.signed"
  include-pattern:  "secondary"

zone:
  name:             "bkoty.work"
  zonefile:         "bkoty.work.forward.signed"
  include-pattern:  "secondary"

remote-control:
  control-enable: yes
--------------------------------- 8< ------------------------------------

Host B configuration:
--------------------------------- 8< ------------------------------------
server:
  server-count:   1
  ip-address:     2a01:4f8:c2c:c813::14f
  ip-address:     2a01:4f8:c2c:c813::3a2f
  ip-transparent: yes
  identity:       "BKOTY domain secondary/reserve DNS"
  zonesdir:       "/etc/nsd"

pattern:
  name:               "primary"
  allow-notify:       2a0a:2b40::4:14f   NOKEY
  request-xfr:  AXFR  2a0a:2b40::4:14f   NOKEY
  allow-notify:       2a0a:2b40::4:3a2f  NOKEY
  request-xfr:  AXFR  2a0a:2b40::4:3a2f  NOKEY

zone:
  name:             "bkoty.ru"
  zonefile:         "bkoty.ru.forward.signed"
  include-pattern:  "primary"

zone:
  name:             "bkoty.work"
  zonefile:         "bkoty.work.forward.signed"
  include-pattern:  "primary"

remote-control:
  control-enable: yes
--------------------------------- 8< ------------------------------------

Both servers managed by systemd.

Host A output (systemctl status ...):
--------------------------------- 8< ------------------------------------
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: listen on ip-address 2a0a:2b40::4:14f
at 53 (udp) with server(s): *
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: [2020-08-30 06:42:19.886] nsd[23969]:
notice: listen on ip-address 2a0a:2b40::4:14f at 53 (udp) with server(s): *
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: listen on ip-address 2a0a:2b40::4:14f
at 53 (tcp) with server(s): *
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: [2020-08-30 06:42:19.887] nsd[23969]:
notice: listen on ip-address 2a0a:2b40::4:14f at 53 (tcp) with server(s): *
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: listen on ip-address
2a0a:2b40::4:3a2f at 53 (udp) with server(s): *
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: [2020-08-30 06:42:19.888] nsd[23969]:
notice: listen on ip-address 2a0a:2b40::4:3a2f at 53 (udp) with server(s): *
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: listen on ip-address
2a0a:2b40::4:3a2f at 53 (tcp) with server(s): *
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: [2020-08-30 06:42:19.889] nsd[23969]:
notice: listen on ip-address 2a0a:2b40::4:3a2f at 53 (tcp) with server(s): *
Aug 30 06:42:20 node1.bkoty.ru nsd[23970]: nsd started (NSD 4.3.0), pid 23969
Aug 30 06:42:20 node1.bkoty.ru nsd[23970]: [2020-08-30 06:42:20.214] nsd[23970]:
notice: nsd started (NSD 4.3.0), pid 23969
--------------------------------- 8< ------------------------------------

Host B output:
--------------------------------- 8< ------------------------------------
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.ru received error
code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.303] nsd[17455]:
error: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.work received error
code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.362] nsd[17455]:
error: xfrd: zone bkoty.work received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.ru received error
code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.364] nsd[17455]:
error: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.work received error
code REFUSED from 2a0a:2b40::4:3a2f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.423] nsd[17455]:
error: xfrd: zone bkoty.work received error code REFUSED from 2a0a:2b40::4:3a2f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.ru received error
code REFUSED from 2a0a:2b40::4:3a2f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.425] nsd[17455]:
error: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:3a2f
--------------------------------- 8< ------------------------------------

According to journald on Host B I see that TCP is reset by peer but I don't
understand the reason:
--------------------------------- 8< ------------------------------------
Aug 30 05:35:22 node2.bkoty.ru nsd[17456]: [2020-08-30 05:35:22.489] nsd[17456]:
notice: nsd started (NSD 4.3.0), pid 17455
Aug 30 05:40:24 node2.bkoty.ru nsd[17457]: failed reading from 2a0a:2b40::4:3a2f
tcp: Connection reset by peer
Aug 30 05:40:24 node2.bkoty.ru nsd[17457]: [2020-08-30 05:40:24.626] nsd[17457]:
error: failed reading from 2a0a:2b40::4:3a2f tcp: Connection reset by peer
Aug 30 05:40:35 node2.bkoty.ru nsd[17457]: failed reading from 2a0a:2b40::4:3a2f
tcp: Connection reset by peer
Aug 30 05:40:35 node2.bkoty.ru nsd[17457]: [2020-08-30 05:40:35.555] nsd[17457]:
error: failed reading from 2a0a:2b40::4:3a2f tcp: Connection reset by peer
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: notify for bkoty.work. from
2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: [2020-08-30 05:42:20.238] nsd[17457]:
info: notify for bkoty.work. from 2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: [2020-08-30 05:42:20.238] nsd[17457]:
info: notify for bkoty.ru. from 2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: [2020-08-30 05:42:20.238] nsd[17457]:
info: notify for bkoty.ru. from 2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: [2020-08-30 05:42:20.239] nsd[17457]:
info: notify for bkoty.work. from 2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: notify for bkoty.ru. from
2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: notify for bkoty.ru. from
2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: notify for bkoty.work. from
2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.work received error
code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.300] nsd[17455]:
error: xfrd: zone bkoty.work received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.ru received error
code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.303] nsd[17455]:
error: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.work received error
code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.362] nsd[17455]:
error: xfrd: zone bkoty.work received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.ru received error
code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.364] nsd[17455]:
error: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.work received error
code REFUSED from 2a0a:2b40::4:3a2f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.423] nsd[17455]:
error: xfrd: zone bkoty.work received error code REFUSED from 2a0a:2b40::4:3a2f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.ru received error
code REFUSED from 2a0a:2b40::4:3a2f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.425] nsd[17455]:
error: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:3a2f
--------------------------------- 8< ------------------------------------

---
WBR, Vladimir Lomov

-- 
But you'll notice Perl has a goto.
		-- Larry Wall in <199710211624.JAA17833 at wall.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL:
<http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20200830/19771064/attachment.bin>

Am 30.08.20 um 06:12 schrieb Vladimir Lomov via
nsd-users:
> Both servers managed by systemd.
Hi,

I've no clear idea about the implications of "managed by systemd"
But I know,
systemd could listen for inbound connection on a specified IP+Port. Inbound
traffic is the n magically relayed to an application.
I guess systemd must be configured for this task somehow. Maybe incoming notify
connections are affected.

I reviewed your configuration and for me it looks not obviously wrong.

two points:
 - As you configured multiple IPv6 addresses and also enabled
"ip-transparent"
   the ip addresses on each host would worth a look.
 - I never used two "outgoing-interface" statements. You may try to
reconfig using only one "outgoing-interface"
   and see if this solved your issue.

Andreas