<!DOCTYPE html><html><body>
<p>Hello,</p>

<p>I'm new to nsd and I tried to set up two NS, dns1 and dns2, with unbound as a resolver on each NS.</p>

<p>unbound is listening on port 53, therefore I used port 5353 for nsd.</p>

<p>dns1 should do a zone transfer to dns2.</p>

<p>To keep things simple I use no encryption (NOKEY).</p>

<p>nsd-checkconf gives no errors.</p>

<p>nsd-checkzone gives no errors in the forward or reverse zone.</p>

<p>The zone transfer between the two fails with the following error(s):</p>

<p>dns1:</p>
<pre>Aug 31 08:32:34 dns1 nsd[37829]: xfrd: zone example.com: max notify send count reached, 45.xx.yy.195@5353 unreachable
Aug 31 08:40:23 dns1 nsd[37833]: axfr for example.com. from 45.xx.yy.195 refused, no acl matches</pre>

<p>dns2:</p>
<pre>Aug 31 08:32:34 dns2 nsd[5149]: notify for example.com. from 45.xx.yy.194 refused, no acl matches.</pre>

<p>I tried to leave out the "@5353" but then there is no communication at all.</p>

<p>tcpdump:</p>
<pre>09:07:26.130431 IP 45.xx.yy.194.47272 &gt; 45.xx.yy.195.5353: 60694 notify [b2&amp;3=0x2400] [1a] SOA (QM)? 2.0.192.in-addr.arpa. (126)
09:07:26.130546 IP 45.xx.yy.194.36486 &gt; 45.xx.yy.195.5353: 42430 notify [b2&amp;3=0x2400] [1a] SOA (QM)? example.com. (108)
09:07:26.131360 IP 45.xx.yy.195.5353 &gt; 45.xx.yy.194.47272: 60694 notify Refused*- [0q] 0/0/0 (12)
09:07:26.131377 IP 45.xx.yy.195.5353 &gt; 45.xx.yy.194.36486: 42430 notify Refused*- [0q] 0/0/0 (12)</pre>

<p>dns1-config:</p>
<pre># See /usr/share/doc/nsd/examples/nsd.conf for a commented
# reference config file.

include: "/etc/nsd/nsd.conf.d/*.conf"
# include: "/etc/nsd/zones/zones.conf"

server:
    # log only to syslog.
    log-only-syslog: yes
    debug-mode: yes
    verbosity: 5

    username: nsd

    pidfile: "/run/nsd/nsd.pid"

    # uncomment to specify specific interfaces to bind (default all).
    #ip-address: 45.xx.yy.194

    # port to answer queries on. default is 53.
    port: 5353

    # Number of NSD servers to fork.
    server-count: 1

    # listen only on IPv4 connections
    ip4-only: yes

    # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
    hide-version: yes

    # identify the server (CH TXT ID.SERVER entry).
    identity: "serverteam"

    # The directory for zonefile: files.
    zonesdir: "/etc/nsd"

key:
    name: "sec_key"
    algorithm: hmac-md5
    secret: "TAXxQRTb0ZL9eWqImm3nWFRBc3yhfrBVLCGxzE/8jYg="

remote-control:
    # this allows the use of 'nsd-control' to control NSD. The default is "no"
    control-enable: yes
    # the interface NSD listens to for nsd-control. The default is 127.0.0.1
    control-interface: 127.0.0.1
    # the key files that allow the use of 'nsd-control'. The default path is "/etc/nsd/". Create these using the 'nsd-control-setup' utility
    server-key-file: /etc/nsd/nsd_server.key
    server-cert-file: /etc/nsd/nsd_server.pem
    control-key-file: /etc/nsd/nsd_control.key
    control-cert-file: /etc/nsd/nsd_control.pem

zone:
    name: "example.com"
    zonefile: "db.example"
    notify: 45.xx.yy.195@5353 NOKEY
    provide-xfr: 45.xx.yy.195@5353 NOKEY
    outgoing-interface: 45.xx.yy.194

zone:
    name: "2.0.192.in-addr.arpa"
    zonefile: "db.192"
    notify: 45.xx.yy.195@5353 NOKEY
    provide-xfr: 45.xx.yy.195@5353 NOKEY
    outgoing-interface: 45.xx.yy.194</pre>

<p>dns2-config is the same except the listening address and the zone part:</p>
<pre>zone:
    name: "example.com"
    zonefile: "db.example"
    allow-notify: 45.xx.yy.194@5353 NOKEY
    request-xfr: 45.xx.yy.194@5353 NOKEY
    outgoing-interface: 45.xx.yy.195

zone:
    name: "2.0.192.in-addr.arpa"
    zonefile: "db.192"
    allow-notify: 45.xx.yy.194@5353 NOKEY
    request-xfr: 45.xx.yy.194@5353 NOKEY
    outgoing-interface: 45.xx.yy.195</pre>

<p>I don't know what I'm missing; any advice would be helpful. Thank you in advance.</p>

<p>Oliver</p>
</body></html>
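<p>The "refused, no acl matches" lines in the post line up with how NSD evaluates an allow-notify: or provide-xfr: entry: the entry is compared against the source address of the incoming packet, and an @port suffix on such an entry is compared against the source port, whereas on notify: and request-xfr: the @port is the destination port. The following is an added example, not part of the original post and not NSD's own code: a small Python model of that ACL check, run over the poster's tcpdump lines. It assumes the documentation addresses 192.0.2.194 and 192.0.2.195 in place of the redacted 45.xx.yy.194 and 45.xx.yy.195, uses a constructed AXFR packet line for the dns2-to-dns1 direction, and does not verify TSIG keys.</p>

```python
"""Model of the ACL check NSD applies to an incoming NOTIFY or AXFR request.

Assumed semantics (the model, not NSD's code): an allow-notify: or
provide-xfr: entry matches on the SOURCE address of the packet, and an
@port suffix on that entry must equal the SOURCE port. Peers send NOTIFY
and AXFR from an ephemeral port, so "1.2.3.4@5353" only matches if the
peer happens to send from port 5353. notify: and request-xfr: are the
outbound side, where @port is the destination port; not modelled here.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Acl:
    """One allow-notify:/provide-xfr: entry: ip-spec[@port] plus key name."""
    network: ipaddress.IPv4Network
    port: Optional[int]  # None = any source port accepted
    key: str             # "NOKEY" or a TSIG key name; TSIG is not verified here


ACL_RE = re.compile(r"^\s*(allow-notify|provide-xfr):\s*(\S+)\s+(\S+)\s*$")
# tcpdump prints IPv4 endpoints as "src.port > dst.port:"
TCPDUMP_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")


def parse_acl(line: str) -> Tuple[str, Acl]:
    """Parse one ACL directive; plain addresses and addr/prefix specs only."""
    m = ACL_RE.match(line)
    if not m:
        raise ValueError(f"not an allow-notify/provide-xfr line: {line!r}")
    directive, spec, key = m.groups()
    addr, _, port = spec.partition("@")
    network = ipaddress.ip_network(addr, strict=False)
    return directive, Acl(network, int(port) if port else None, key)


def parse_tcpdump(line: str):
    """Return (src_ip, src_port, dst_ip, dst_port) from a tcpdump IPv4 line."""
    m = TCPDUMP_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    src_ip, src_port, dst_ip, dst_port = m.groups()
    return (ipaddress.ip_address(src_ip), int(src_port),
            ipaddress.ip_address(dst_ip), int(dst_port))


def acl_matches(acl: Acl, src_ip, src_port: int) -> bool:
    """True if the packet's source address and source port satisfy this entry."""
    if src_ip not in acl.network:
        return False
    if acl.port is not None and acl.port != src_port:
        return False
    return True


def decide(config_lines: List[str], directive: str, tcpdump_line: str) -> str:
    """Emulate the log outcome for one packet against a zone's ACL entries."""
    src_ip, src_port, _, _ = parse_tcpdump(tcpdump_line)
    entries = [acl for d, acl in map(parse_acl, config_lines) if d == directive]
    if any(acl_matches(acl, src_ip, src_port) for acl in entries):
        return "accepted"
    return "refused, no acl matches"


# Constructed sample: 192.0.2.194/.195 (documentation range) stand in for the
# redacted 45.xx.yy.194/.195; the ports are the ones in the poster's tcpdump.
NOTIFY_LINES = [
    "09:07:26.130431 IP 192.0.2.194.47272 > 192.0.2.195.5353: 60694 notify SOA? 2.0.192.in-addr.arpa.",
    "09:07:26.130546 IP 192.0.2.194.36486 > 192.0.2.195.5353: 42430 notify SOA? example.com.",
]
# Constructed: dns2 opening the AXFR connection to dns1, also from an ephemeral port.
AXFR_LINE = "09:07:27.000000 IP 192.0.2.195.51820 > 192.0.2.194.5353: Flags [S], seq 1"

DNS2_AS_POSTED = ["allow-notify: 192.0.2.194@5353 NOKEY"]  # @5353 = required source port
DNS2_NO_PORT = ["allow-notify: 192.0.2.194 NOKEY"]         # any source port from dns1
DNS1_AS_POSTED = ["provide-xfr: 192.0.2.195@5353 NOKEY"]
DNS1_NO_PORT = ["provide-xfr: 192.0.2.195 NOKEY"]

if __name__ == "__main__":
    for line in NOTIFY_LINES:
        print("notify, as posted:", decide(DNS2_AS_POSTED, "allow-notify", line))
        print("notify, no @port :", decide(DNS2_NO_PORT, "allow-notify", line))
    print("axfr, as posted  :", decide(DNS1_AS_POSTED, "provide-xfr", AXFR_LINE))
    print("axfr, no @port   :", decide(DNS1_NO_PORT, "provide-xfr", AXFR_LINE))
```

<p>With the entries as posted the model refuses both notifies, matching the dns2 log line, because 47272 and 36486 are ephemeral source ports rather than 5353; the same applies to dns1's provide-xfr: entry and the AXFR request. Without the @port suffix on the ACL entries the same packets are accepted. The notify: and request-xfr: directives, where @5353 names the destination port dns listens on, are a separate matter and are not what this check evaluates.</p>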