<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div>Hello there,</div><div></div><div><br></div><div>Apologies for my last message.  I'm having some errors with my config: my ns1 and ns2 are not transferring between each other.  I'm receiving "received notify response error REFUSED" when I attempt zone transfers (using nsd-control notify and nsd-control force_update, respectively).</div><div><br></div><div></div><div>My setup:  I'm using OpenBSD 6.7.  Unbound is resolving on port 53; if an authoritative request is received, Unbound passes it to nsd on localhost over port 5335.  This setup works well, except for the problem with ns1 and ns2.<br></div><div><br></div><div>I saw another thread that recommended using the outgoing-interface: attribute; I tried using it without success, specifying specific ports and using defaults, on ipv4 and ipv6. I have also tried with my key and NOKEY; the same errors are logged. I can provide my unbound.conf, forward & reverse zone files if needed. 
<br></div><div></div><div></div><div><br></div><div>#ns1 nsd.conf</div><div><br></div><div>server: <br></div><div style="margin-left:40px">port: 5335</div><div style="margin-left:40px">ip-address: 10.x.y.211</div><div style="margin-left:40px">ip-address: fd00:abc::d3</div><div style="margin-left:40px">ip-address: 127.0.0.1</div><div style="margin-left:40px">ip-address: ::1<br></div><div style="margin-left:40px"><br></div><div style="margin-left:40px">server-count: 1</div><div style="margin-left:40px">do-ip4: yes</div><div style="margin-left:40px">do-ip6: yes</div><div style="margin-left:40px"><br></div><div style="margin-left:40px">hide-version: yes</div><div style="margin-left:40px">identity: "<a href="http://ns1.whatever.xyz" target="_blank">ns1.whatever.xyz</a>"</div><div style="margin-left:40px">zonesdir: "/var/nsd/etc"</div><div style="margin-left:40px"><br></div><div style="margin-left:40px">logfile: nsd.log</div><div style="margin-left:40px">verbosity: 2</div><div><br></div><div>remote-control:</div><div style="margin-left:40px">control-enable: yes</div><div style="margin-left:40px">control-interface: 127.0.0.1</div><div style="margin-left:40px">control-port: 8952</div><div style="margin-left:40px">server-key-file: nsd_server.key</div><div style="margin-left:40px">server-cert-file: nsd_server.pem</div><div style="margin-left:40px">control-key-file: nsd_control.key</div><div style="margin-left:40px">control-cert-file: nsd_control.pem</div>key:</div><div style="margin-left:40px">name: "sec_key"</div><div style="margin-left:40px">algorithm: hmac-md5</div><div style="margin-left:40px">secret: "redacted"</div>zone:</div><div class="gmail_quote" style="margin-left:40px">name: "<a href="http://whatever.xyz">whatever.xyz</a>"</div><div class="gmail_quote" style="margin-left:40px">zonefile: whatever.xyz.forward"</div><div class="gmail_quote" style="margin-left:40px">notify: 10.x.y.212 sec_key</div><div class="gmail_quote" style="margin-left:40px">provide-xfr: 
10.x.y.212 sec_key</div><div class="gmail_quote" style="margin-left:40px"><br></div><div class="gmail_quote" style="margin-left:40px">notify: 
fd00:abc::d4 sec_key</div><div class="gmail_quote" style="margin-left:40px">provide-xfr: 
fd00:abc::d4 sec_key</div><div class="gmail_quote">zone:</div><div class="gmail_quote" style="margin-left:40px">name: "x.10.in-addr.arpa"</div><div class="gmail_quote" style="margin-left:40px">zonefile: "whatever.xyz.reverse"</div><div class="gmail_quote" style="margin-left:40px"></div><div class="gmail_quote" style="margin-left:40px"><br></div><div class="gmail_quote">
<div class="gmail_quote" style="margin-left:40px">notify: 10.x.y.212 sec_key</div><div class="gmail_quote" style="margin-left:40px">provide-xfr: 10.x.y.212 sec_key</div><div class="gmail_quote" style="margin-left:40px"><br></div><div class="gmail_quote" style="margin-left:40px">notify: 
fd00:abc::d4 sec_key</div><div class="gmail_quote" style="margin-left:40px">provide-xfr: 
fd00:abc::d4 sec_key</div>

<div style="margin-left:40px"><br></div><div style="margin-left:40px"><br></div>
<div class="gmail_quote"><div dir="ltr"><div>#ns2 nsd.conf</div><div><br></div><div>server: <br></div><div style="margin-left:40px">port: 5335</div><div style="margin-left:40px">ip-address: 10.x.y.212</div><div style="margin-left:40px">ip-address: fd00:abc::d4</div><div style="margin-left:40px">ip-address: 127.0.0.1</div><div style="margin-left:40px">ip-address: ::1<br></div><div style="margin-left:40px"><br></div><div style="margin-left:40px">server-count: 1</div><div style="margin-left:40px">do-ip4: yes</div><div style="margin-left:40px">do-ip6: yes</div><div style="margin-left:40px"><br></div><div style="margin-left:40px">hide-version: yes</div><div style="margin-left:40px">identity: "<a href="http://ns1.whatever.xyz" target="_blank">ns2.whatever.xyz</a>"</div><div style="margin-left:40px">zonesdir: "/var/nsd/etc"</div><div style="margin-left:40px"><br></div><div style="margin-left:40px">logfile: nsd.log</div><div style="margin-left:40px">verbosity: 2</div><div><br></div><div>remote-control:</div><div style="margin-left:40px">control-enable: yes</div><div style="margin-left:40px">control-interface: 127.0.0.1</div><div style="margin-left:40px">control-port: 8952</div><div style="margin-left:40px">server-key-file: nsd_server.key</div><div style="margin-left:40px">server-cert-file: nsd_server.pem</div><div style="margin-left:40px">control-key-file: nsd_control.key</div><div style="margin-left:40px">control-cert-file: nsd_control.pem</div>key:</div><div style="margin-left:40px">name: "sec_key"</div><div style="margin-left:40px">algorithm: hmac-md5</div><div style="margin-left:40px">secret: "redacted"</div>zone:</div><div class="gmail_quote" style="margin-left:40px">name: "<a href="http://whatever.xyz">whatever.xyz</a>"</div><div class="gmail_quote" style="margin-left:40px">zonefile: whatever.xyz.forward"</div><div class="gmail_quote" style="margin-left:40px">allow-notify: 10.x.y.211 sec_key</div><div class="gmail_quote" style="margin-left:40px">provide--xfr: 
10.x.y.211 sec_key</div><div class="gmail_quote" style="margin-left:40px"><br></div><div class="gmail_quote" style="margin-left:40px">allow-notify: 
fd00:abc::d3 sec_key</div><div class="gmail_quote" style="margin-left:40px">provide-xfr: 
fd00:abc::d3 sec_key</div><div class="gmail_quote">zone:</div><div class="gmail_quote" style="margin-left:40px">name: "x.10.in-addr.arpa"</div><div class="gmail_quote" style="margin-left:40px">zonefile: "whatever.xyz.reverse"</div><div class="gmail_quote" style="margin-left:40px"><br></div><div class="gmail_quote">
<div class="gmail_quote" style="margin-left:40px">allow-notify: 10.x.y.211 sec_key</div><div class="gmail_quote" style="margin-left:40px">request-xfr: 10.x.y.211 sec_key</div><div class="gmail_quote" style="margin-left:40px"><br></div><div class="gmail_quote" style="margin-left:40px">allow-notify: 
fd00:abc::d3 sec_key</div><div class="gmail_quote" style="margin-left:40px">request-xfr: 
fd00:abc::d3 sec_key</div></div>

</div></div>