info at mail.jeaholding.com
2022-Dec-11 03:21 UTC
[nsd-users] Getting Refused from stub-zone authoritative query record_Follow_up
I would like to follow up on my previous message on the mailing list by saying that I have finally focused my issue to the tsig/key ... The authoritative nsd1 (master) & nsd2 (slave) after NOKEY change works without an issue and I'm able to get zone records; having said that, I would like to have the keys set up / DNSSEC.

When setting up keys, setting up allow-query, and setting up patterns on each zone the previous unbound log still occurs (refuse) BUT now I can see new logs in the NSD not previously available (SLAVE ns2 works with keys and without keys meaning it gets serial from each of the zones in master / no error in nsd log)...

The new log entries after TSIG changes in nsd.log (Master):

[2022-12-10 19:17:57.370] nsd[6338]: info: query example.com. from DNS1 (unbound1_Global) refused, no acl matches .
[2022-12-10 19:17:57.778] nsd[6338]: info: query example.com. from DNS1 (unbound1_Local_Alias) refused, no acl matches .
[2022-12-10 19:17:57.370] nsd[6338]: info: query example.com. from DNS2 (unbound1_Global) refused, no acl matches .
[2022-12-10 19:17:57.778] nsd[6338]: info: query example.com. from DNS2 (unbound1_Local_Alias) refused, no acl matches .

This occurs every time I use drill/dig to get information on the NSD zones I set up with the key.

I have looked into the issues but I have not been able to find exactly what the log means by "no acl matches" or how to remedy it, because I was under the impression that with the allow-query option in the pattern section and adding it to the zones it would serve as an access control list for NSD (maybe there is something else I must add as an acl). Any assistance on properly configuring this final step would be appreciated, I am kind of stuck at the moment.

- Josh
Jeroen Koekkoek
2022-Dec-14 11:04 UTC
[nsd-users] Getting Refused from stub-zone authoritative query record_Follow_up
Hi Josh,

Setting up an acl does not relate to DNSSEC. It's really just specifying which machines are allowed to query, xfr, etc. Normally, you'd want to limit which machines are allowed to IXFR/AXFR the zone, I'm not sure that applies in this situation though as it seems you just want Unbound to redirect queries for internal domains to your authoritative servers? In that case, I think you only want to specify provide-xfr, etc and leave allow-query alone(?)

If you really want to limit the machines that are allowed to query as well, you probably want to check which source address is used for the query. Perhaps just list all IPs assigned to your Unbound machines in the NSD configuration(?) I'd try limiting to IP first, and include TSIG after you're sure that works (assuming you're still in a lab environment).

Hope that helps. Of course, feel free to follow up if you need additional help.

- Jeroen

On Sat, 2022-12-10 at 22:21 -0500, info--- via nsd-users wrote:
> I would like to follow up on my previous message on the mailing list by saying that I have finally focused my issue to the tsig/key ... The authoritative nsd1 (master) & nsd2 (slave) after NOKEY change works without an issue and I'm able to get zone records; having said that, I would like to have the keys set up / DNSSEC.
>
> When setting up keys, setting up allow-query, and setting up patterns on each zone the previous unbound log still occurs (refuse) BUT now I can see new logs in the NSD not previously available (SLAVE ns2 works with keys and without keys meaning it gets serial from each of the zones in master / no error in nsd log)...
>
> The new log entries after TSIG changes in nsd.log (Master):
>
> [2022-12-10 19:17:57.370] nsd[6338]: info: query example.com. from DNS1 (unbound1_Global) refused, no acl matches .
> [2022-12-10 19:17:57.778] nsd[6338]: info: query example.com. from DNS1 (unbound1_Local_Alias) refused, no acl matches .
> [2022-12-10 19:17:57.370] nsd[6338]: info: query example.com. from DNS2 (unbound1_Global) refused, no acl matches .
> [2022-12-10 19:17:57.778] nsd[6338]: info: query example.com. from DNS2 (unbound1_Local_Alias) refused, no acl matches .
>
> This occurs every time I use drill/dig to get information on the NSD zones I set up with the key.
>
> I have looked into the issues but I have not been able to find exactly what the log means by "no acl matches" or how to remedy it, because I was under the impression that with the allow-query option in the pattern section and adding it to the zones it would serve as an access control list for NSD (maybe there is something else I must add as an acl). Any assistance on properly configuring this final step would be appreciated, I am kind of stuck at the moment.
>
> - Josh
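As an added illustration of the "limit to IP first, TSIG later" suggestion above (this is not configuration from the thread; the 192.0.2.x addresses, key name, zone file path and secret are placeholders), an nsd.conf pattern that admits the Unbound resolvers by source address alone while keeping the zone-transfer ACL bound to a TSIG key. Unbound's stub-zone and forward-zone queries carry no TSIG signature, so an allow-query entry that names a key can never match them; that is one way to end up with "refused, no acl matches" in nsd.log.

```conf
# nsd.conf fragment (added example, placeholder values)
server:
    ip-address: 192.0.2.1          # this NSD master

key:
    name: "ns2-xfr-key"            # placeholder key name
    algorithm: hmac-sha256
    secret: "REPLACE_WITH_BASE64_SECRET"   # placeholder, generate your own

pattern:
    name: "internal-zone"
    zonefile: "%s.zone"            # %s expands to the zone name

    # Plain queries from the Unbound resolvers: match on source address only.
    # NOKEY means "no TSIG expected"; an entry with a key name here would
    # never match Unbound's unsigned queries. List every address each
    # resolver can send from (compare the source shown in the nsd.log line).
    allow-query: 192.0.2.10 NOKEY
    allow-query: 192.0.2.11 NOKEY

    # Transfers to the secondary (ns2) stay restricted to its address AND
    # a valid TSIG signature; this is the ACL worth keying, per the reply.
    provide-xfr: 192.0.2.2 ns2-xfr-key
    notify:      192.0.2.2 ns2-xfr-key

zone:
    name: "example.com"
    include-pattern: "internal-zone"
```

After editing, run `nsd-checkconf /etc/nsd/nsd.conf`, reload, and query from one of the listed resolver hosts (e.g. `drill @192.0.2.1 example.com SOA`); if the query still logs "refused, no acl matches", the source address NSD printed in that log line is not one of the allow-query entries. Once IP-only queries work, TSIG can be added back on the allow-query entries for clients that actually sign their queries.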