Hello there,

Apologies for my last message. I'm having some errors with my config: my
ns1 and ns2 are not transferring between each other. I'm receiving
"received notify response error REFUSED" when I attempt zone transfers
(using nsd-control notify and nsd-control force_update, respectively).

My setup: I'm using OpenBSD 6.7. Unbound is resolving on port 53; if an
authoritative request is received, Unbound passes it to nsd on localhost
over port 5335. This setup works well, except for the problem with ns1 and
ns2.

I saw another thread that recommended using the outgoing-interface:
attribute. I tried using it without success, specifying specific ports
and using defaults, on IPv4 and IPv6. I have also tried with my key and
NOKEY; the same errors are logged. I can provide my unbound.conf and forward &
reverse zone files if needed.

#ns1 nsd.conf
server:
    port: 5335
    ip-address: 10.x.y.211
    ip-address: fd00:abc::d3
    ip-address: 127.0.0.1
    ip-address: ::1
    server-count: 1
    do-ip4: yes
    do-ip6: yes
    hide-version: yes
    identity: "ns1.whatever.xyz"
    zonesdir: "/var/nsd/etc"
    logfile: nsd.log
    verbosity: 2
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file: nsd_server.key
    server-cert-file: nsd_server.pem
    control-key-file: nsd_control.key
    control-cert-file: nsd_control.pem
key:
    name: "sec_key"
    algorithm: hmac-md5
    secret: "redacted"
zone:
    name: "whatever.xyz"
    zonefile: whatever.xyz.forward"
    notify: 10.x.y.212 sec_key
    provide-xfr: 10.x.y.212 sec_key
    notify: fd00:abc::d4 sec_key
    provide-xfr: fd00:abc::d4 sec_key
zone:
    name: "x.10.in-addr.arpa"
    zonefile: "whatever.xyz.reverse"
    notify: 10.x.y.212 sec_key
    provide-xfr: 10.x.y.212 sec_key
    notify: fd00:abc::d4 sec_key
    provide-xfr: fd00:abc::d4 sec_key

#ns2 nsd.conf
server:
    port: 5335
    ip-address: 10.x.y.212
    ip-address: fd00:abc::d4
    ip-address: 127.0.0.1
    ip-address: ::1
    server-count: 1
    do-ip4: yes
    do-ip6: yes
    hide-version: yes
    identity: "ns2.whatever.xyz"
    zonesdir: "/var/nsd/etc"
    logfile: nsd.log
    verbosity: 2
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file: nsd_server.key
    server-cert-file: nsd_server.pem
    control-key-file: nsd_control.key
    control-cert-file: nsd_control.pem
key:
    name: "sec_key"
    algorithm: hmac-md5
    secret: "redacted"
zone:
    name: "whatever.xyz"
    zonefile: whatever.xyz.forward"
    allow-notify: 10.x.y.211 sec_key
    provide--xfr: 10.x.y.211 sec_key
    allow-notify: fd00:abc::d3 sec_key
    provide-xfr: fd00:abc::d3 sec_key
zone:
    name: "x.10.in-addr.arpa"
    zonefile: "whatever.xyz.reverse"
    allow-notify: 10.x.y.211 sec_key
    request-xfr: 10.x.y.211 sec_key
    allow-notify: fd00:abc::d3 sec_key
    request-xfr: fd00:abc::d3 sec_key
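
A lint pass over the transfer-related lines of a config like the one posted above, as an added example (not the poster's or the NSD project's code). It relies on nsd.conf(5) behaviour: an address in notify: or request-xfr: is contacted on port 53 unless it carries an @port suffix, and on this setup port 53 is Unbound. Assumptions: both servers run NSD on the same port, `ZONE_OPTS` is a partial option list, and `lint` and `SAMPLE` are names made up for this example.

```python
import re

# Constructed sample: ns2's server port and zone clauses, trimmed from the post.
SAMPLE = """\
server:
    port: 5335
zone:
    name: "whatever.xyz"
    zonefile: whatever.xyz.forward"
    allow-notify: 10.x.y.211 sec_key
    provide--xfr: 10.x.y.211 sec_key
zone:
    name: "x.10.in-addr.arpa"
    allow-notify: 10.x.y.211 sec_key
    request-xfr: 10.x.y.211 sec_key
"""
# Partial list of nsd.conf(5) zone options; extend it for a fuller config.
ZONE_OPTS = {"name", "zonefile", "notify", "provide-xfr", "allow-notify",
             "request-xfr", "outgoing-interface"}
OUTBOUND = {"notify", "request-xfr"}  # options where this server connects out

def lint(conf):
    """Return sorted (line_no, message) findings for zone-transfer settings."""
    findings, section, port, zones = [], None, 53, []
    for no, raw in enumerate(conf.splitlines(), 1):
        m = re.match(r"\s*([\w-]+):\s*(.*?)\s*$", raw.split("#", 1)[0])
        if not m:
            continue
        key, val = m.groups()
        if not val:  # clause header such as server:, key: or zone:
            section = key
            if key == "zone":
                zones.append({"line": no, "opts": set()})
            continue
        if val.count('"') % 2:
            findings.append((no, f"unbalanced quote in {key}"))
        if section == "server" and key == "port":
            port = int(val)  # assumption: the peer listens on the same port
        if section != "zone":
            continue
        zones[-1]["opts"].add(key)
        if key not in ZONE_OPTS:
            findings.append((no, f"unknown zone option {key!r}"))
        elif key in OUTBOUND and port != 53 and "@" not in val:
            findings.append((no, f"{key} has no @port, so it targets 53, not {port}"))
    for z in zones:  # a zone that accepts NOTIFY must be able to pull the zone
        if "allow-notify" in z["opts"] and "request-xfr" not in z["opts"]:
            findings.append((z["line"], "allow-notify without request-xfr"))
    return sorted(findings)
```

The @port check is applied only to notify: and request-xfr:, because on allow-notify: and provide-xfr: the suffix matches the peer's source port instead.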