Hello, I'm new to nsd and I tried to set up two name servers, dns1 and dns2, with unbound as a resolver on each one. unbound is listening on port 53, therefore I used port 5353 for nsd. dns1 should do a zone transfer to dns2. To keep things simple I use no encryption (NOKEY).

nsd-checkconf gives no errors.
nsd-checkzone gives no errors in the forward or reverse zone.

The zone transfer between the two fails with the following error(s):

dns1:

    Aug 31 08:32:34 dns1 nsd[37829]: xfrd: zone example.com: max notify send count reached, 45.xx.yy.195@5353 unreachable
    Aug 31 08:40:23 dns1 nsd[37833]: axfr for example.com. from 45.xx.yy.195 refused, no acl matches

dns2:

    Aug 31 08:32:34 dns2 nsd[5149]: notify for example.com. from 45.xx.yy.194 refused, no acl matches.

I tried to leave out the "@5353" but then there is no communication at all.

tcpdump:

    09:07:26.130431 IP 45.xx.yy.194.47272 > 45.xx.yy.195.5353: 60694 notify [b2&3=0x2400] [1a] SOA (QM)? 2.0.192.in-addr.arpa. (126)
    09:07:26.130546 IP 45.xx.yy.194.36486 > 45.xx.yy.195.5353: 42430 notify [b2&3=0x2400] [1a] SOA (QM)? example.com. (108)
    09:07:26.131360 IP 45.xx.yy.195.5353 > 45.xx.yy.194.47272: 60694 notify Refused*- [0q] 0/0/0 (12)
    09:07:26.131377 IP 45.xx.yy.195.5353 > 45.xx.yy.194.36486: 42430 notify Refused*- [0q] 0/0/0 (12)

dns1-config:

    # See /usr/share/doc/nsd/examples/nsd.conf for a commented
    # reference config file.
    include: "/etc/nsd/nsd.conf.d/*.conf"
    #include: "/etc/nsd/zones/zones.conf"

    server:
        # log only to syslog.
        log-only-syslog: yes
        debug-mode: yes
        verbosity: 5
        username: nsd
        pidfile: "/run/nsd/nsd.pid"
        # uncomment to specify specific interfaces to bind (default all).
        #ip-address: 45.xx.yy.194
        # port to answer queries on. default is 53.
        port: 5353
        # Number of NSD servers to fork.
        server-count: 1
        # listen only on IPv4 connections
        ip4-only: yes
        # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
        hide-version: yes
        # identify the server (CH TXT ID.SERVER entry).
        identity: "serverteam"
        # The directory for zonefile: files.
        zonesdir: "/etc/nsd"

    key:
        name: "sec_key"
        algorithm: hmac-md5
        secret: "TAXxQRTb0ZL9eWqImm3nWFRBc3yhfrBVLCGxzE/8jYg="

    remote-control:
        # this allows the use of 'nsd-control' to control NSD. The default is "no"
        control-enable: yes
        # the interface NSD listens to for nsd-control. The default is 127.0.0.1
        control-interface: 127.0.0.1
        # the key files that allow the use of 'nsd-control'. The default path is "/etc/nsd/".
        # Create these using the 'nsd-control-setup' utility
        server-key-file: /etc/nsd/nsd_server.key
        server-cert-file: /etc/nsd/nsd_server.pem
        control-key-file: /etc/nsd/nsd_control.key
        control-cert-file: /etc/nsd/nsd_control.pem

    zone:
        name: "example.com"
        zonefile: "db.example"
        notify: 45.xx.yy.195@5353 NOKEY
        provide-xfr: 45.xx.yy.195@5353 NOKEY
        outgoing-interface: 45.xx.yy.194

    zone:
        name: "2.0.192.in-addr.arpa"
        zonefile: "db.192"
        notify: 45.xx.yy.195@5353 NOKEY
        provide-xfr: 45.xx.yy.195@5353 NOKEY
        outgoing-interface: 45.xx.yy.194

dns2-config is the same except the listening address and the zone part:

    zone:
        name: "example.com"
        zonefile: "db.example"
        allow-notify: 45.xx.yy.194@5353 NOKEY
        request-xfr: 45.xx.yy.194@5353 NOKEY
        outgoing-interface: 45.xx.yy.195

    zone:
        name: "2.0.192.in-addr.arpa"
        zonefile: "db.192"
        allow-notify: 45.xx.yy.194@5353 NOKEY
        request-xfr: 45.xx.yy.194@5353 NOKEY
        outgoing-interface: 45.xx.yy.195

I don't know what I'm missing; any advice would be helpful. Thank you in advance.

Oliver
On 31/08/2022 10:01, Oliver Niesner via nsd-users wrote:

Hi Oliver,

[snip]

> dns2-config is the same except the listening address and the zone part
>
> zone:
>     name: "example.com"
>     zonefile: "db.example"
>     allow-notify: 45.xx.yy.194@5353 NOKEY
                                ^^^^^

This is your problem with notifies. You're telling the dns2 server to accept notifies only from the .194 address, and from a SOURCE port of 5353.

However, the dns1 server, even though it is LISTENING for INCOMING queries on port 5353, will send notify to the dns2 server from a RANDOM source port.

You need to remove the @5353, so that a notify from ANY source port on dns1 is accepted by NSD on dns2.

You can see the random source ports in the tcpdump, where dns1 has sent notifies first from port 47272 and then from 36486.

It is a common misunderstanding that if a DNS server is LISTENING on port X, it will make OUTGOING connections (such as zone transfers and notifies) using source port X. That isn't true. Outgoing DNS messages have nothing to do with the listening address, and will use random source ports, like any other outgoing connections from that server.

Regards,

Anand
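The following is an added example, not code from the thread or from NSD itself: a simplified model of the incoming ACL rule Anand describes (address must match, and an `@port` suffix is compared against the packet's SOURCE port), evaluated against the tcpdump lines from the post. It goes slightly beyond the reply in that the same source-port rule is applied by NSD to `provide-xfr`, which is why dns1 also logs "no acl matches" for the AXFR request from dns2; the `Acl` type, the helper names and the regex are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Acl:
    ip: str
    port: Optional[int]   # None means "any remote source port"
    key: str = "NOKEY"

def parse_acl(spec: str) -> Acl:
    """Parse an nsd.conf ACL value such as '45.xx.yy.194@5353 NOKEY'."""
    addr, _, key = spec.strip().partition(" ")
    ip, _, port = addr.partition("@")
    return Acl(ip, int(port) if port else None, key.strip() or "NOKEY")

def acl_matches(acl: Acl, src_ip: str, src_port: int) -> bool:
    """Simplified model of NSD's check for incoming ACLs (allow-notify and
    provide-xfr): the remote address must match, and when the ACL carries
    @port the packet's SOURCE port must equal it. BLOCKED never matches."""
    if acl.key == "BLOCKED" or acl.ip != src_ip:
        return False
    return acl.port is None or acl.port == src_port

# Matches tcpdump NOTIFY requests only (the replies read "notify Refused").
NOTIFY_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): \d+ notify \[")

def check_notifies(acl_spec: str, tcpdump_lines) -> List[Tuple[str, int, bool]]:
    """Return (src_ip, src_port, accepted) for every NOTIFY request seen."""
    acl = parse_acl(acl_spec)
    results = []
    for line in tcpdump_lines:
        m = NOTIFY_RE.search(line)
        if m:
            src_ip, src_port = m.group(1), int(m.group(2))
            results.append((src_ip, src_port, acl_matches(acl, src_ip, src_port)))
    return results

# Constructed sample: the four tcpdump lines from the post, IPs masked as xx.yy.
CAPTURE = """\
09:07:26.130431 IP 45.xx.yy.194.47272 > 45.xx.yy.195.5353: 60694 notify [b2&3=0x2400] [1a] SOA (QM)? 2.0.192.in-addr.arpa. (126)
09:07:26.130546 IP 45.xx.yy.194.36486 > 45.xx.yy.195.5353: 42430 notify [b2&3=0x2400] [1a] SOA (QM)? example.com. (108)
09:07:26.131360 IP 45.xx.yy.195.5353 > 45.xx.yy.194.47272: 60694 notify Refused*- [0q] 0/0/0 (12)
09:07:26.131377 IP 45.xx.yy.195.5353 > 45.xx.yy.194.36486: 42430 notify Refused*- [0q] 0/0/0 (12)
"""

if __name__ == "__main__":
    # With @5353 both notifies are refused; without it both are accepted.
    for spec in ("45.xx.yy.194@5353 NOKEY", "45.xx.yy.194 NOKEY"):
        print(spec, "->", check_notifies(spec, CAPTURE.splitlines()))
```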