3.0.1 secondary issues.
Måns Nilsson
mansaxel at sunet.se
Tue Sep 19 07:43:09 UTC 2006
Hi,
I'm having a number of problems with my NSD 3. I am trying to serve SE, as
an AXFR client, with the following config file: (some obfuscation
performed.)
server:
# uncomment to specify specific interfaces to bind (default all).
ip-address: 192.36.125.102
ip-address: 127.0.0.1
ip-address: ::1
# enable debug mode for nsd, does not fork daemon process.
# (debug mode disables slave zone functionalities)
# debug-mode: no
# ip4-only: no
# ip6-only: no
# the database to use
database: "/var/nsd/nsd.db"
# identify the server (CH TXT ID.SERVER entry).
identity: "F.NS.SE"
# log messages to file. Default to stderr and syslog.
logfile: "/var/nsd/nsd.log"
# Number of NSD servers to fork.
# server-count: 1
# Maximum number of concurrent TCP connections per server.
# tcp-count: 10
# File to store pid for nsd in.
pidfile: "/var/run/nsd.pid"
# port to answer queries on. default is 53.
port: 53
# statistics are produced every number of seconds.
statistics: 300
# After binding socket, drop user privileges.
# can be a username, id or id.gid.
username: nsd
# The directory for zonefile: files.
zonesdir: /var/nsd
# The file where incoming zone transfers are stored.
# run nsd-patch to update zone files, then you can safely delete it.
difffile: "/var/nsd/ixfr.db"
# The file where secondary zone refresh and expire timeouts are kept.
# If you delete this file, all secondary zones are forced to be
# 'refreshing' (as if nsd got a notify).
xfrdfile: "/var/nsd/xfrd.state"
# Number of seconds between reloads triggered by xfrd.
# xfrd-reload-timeout: 10
# Sample zone 1
zone:
name: "se"
zonefile: "/var/nsd/se.zone"
# This is a slave zone. Masters are listed below.
allow-notify: 192.0.2.47 secret-key
request-xfr: 192.0.2.47 secret-key
allow-notify: 192.0.2.11 secret-key
request-xfr: 192.0.2.11 secret-key
# uncomment to provide AXFR to all the world
provide-xfr: 192.36.125.0/24 secret-key
# for nsdc
allow-notify: ::1 NOKEY
allow-notify: 127.0.0.1 NOKEY
key:
name: secret-key
algorithm: hmac-md5
secret: "DEADBEEFDEADBEEF"
The symptoms are that even when I'm manually triggering updates (nsdc
update) there is no zone update performed. The masters are said to be
sending notifies.
The only way I can get new zones in is by stopping NSD, and removing old
data files.
Very little is logged, no notifies, nothing. A 'bash -x nsdc update' yields:
ash-3.00# bash -x nsdc update
+ ulimit -m unlimited
+ ulimit -d unlimited
+ configfile=/etc/nsd/nsd.conf
+ sbindir=/usr/local/sbin
+ ZONEC_VERBOSE=-v
+ test xupdate = x-c
+ nsd_checkconf=
+ '[' -e /usr/local/sbin/nsd-checkconf ']'
+ nsd_checkconf=/usr/local/sbin/nsd-checkconf
+ /usr/local/sbin/nsd-checkconf /etc/nsd/nsd.conf
+ test 0 -ne 0
++ /usr/local/sbin/nsd-checkconf -o database /etc/nsd/nsd.conf
+ dbfile=/var/nsd/nsd.db
++ /usr/local/sbin/nsd-checkconf -o pidfile /etc/nsd/nsd.conf
+ pidfile=/var/run/nsd.pid
+ lockfile=/var/nsd/nsd.db.lock
++ dirname /usr/local/sbin/nsd-checkconf
+ sbindir=/usr/local/sbin
+ noclobber_set='set -C'
+ echo /usr/pkg/bin/bash
+ grep tcsh
+ case "$1" in
+ echo 'Sending notify to localhost to update secondary zones...'
Sending notify to localhost to update secondary zones...
+ '[' -s /var/run/nsd.pid ']'
++ /usr/local/sbin/nsd-checkconf -o zones /etc/nsd/nsd.conf
+ zoneslist=se
+ for zonename in '${zoneslist}'
++ /usr/local/sbin/nsd-checkconf -z se -o allow-notify /etc/nsd/nsd.conf
+ notify_allow='192.0.2.47 secret-key
192.0.2.11 secret-key
::1 NOKEY
127.0.0.1 NOKEY'
+ send_updates se 192.0.2.47 secret-key 192.0.2.11 secret-key
+ local zonename=se
+ shift
++ /usr/local/sbin/nsd-checkconf -o port /etc/nsd/nsd.conf
+ port=53
+ test -n 53
+ port='-p 53'
+ update_sent=no
+ (( 8 > 0 ))
+ ip_spec=192.0.2.47
+ key_spec=secret-key
+ shift 2
+ test Z192.0.2.47 = Z127.0.0.1 -o Z192.0.2.47 = Z::1
+ (( 6 > 0 ))
+ ip_spec=192.0.2.11
+ key_spec=secret-key
+ shift 2
+ test Z1192.0.2.11 = Z127.0.0.1 -o Z192.0.2.11 = Z::1
+ (( 4 > 0 ))
+ ip_spec=::1
+ key_spec=NOKEY
+ shift 2
+ test Z::1 = Z127.0.0.1 -o Z::1 = Z::1
+ secret=
+ test KNOKEY '!=' KNOKEY -a KNOKEY '!=' KBLOCKED
+ test KNOKEY '!=' KBLOCKED
+ /usr/local/sbin/nsd-notify -p 53 -z se ::1
+ update_sent=yes
+ (( 2 > 0 ))
+ ip_spec=127.0.0.1
+ key_spec=NOKEY
+ shift 2
+ test Z127.0.0.1 = Z127.0.0.1 -o Z127.0.0.1 = Z::1
+ secret=
+ test KNOKEY '!=' KNOKEY -a KNOKEY '!=' KBLOCKED
+ test KNOKEY '!=' KBLOCKED
+ /usr/local/sbin/nsd-notify -p 53 -z se 127.0.0.1
+ update_sent=yes
+ (( 0 > 0 ))
+ test yes = no
+ exit 0
Looks like it is doing the right thing. Is it correct that nsd should not
log anything about that?
Am I doing anything blatantly wrong?
--
Måns Nilsson Systems Specialist
+46 70 681 7204 cell KTHNOC
+46 8 790 6518 office MN1334-RIPE
We just joined the civil hair patrol!
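Added example, not part of the original post and not NSD code: a small Python check of the ACL relationships the configuration and trace above rely on (each request-xfr master also listed in allow-notify, a loopback allow-notify entry for 'nsdc update', no NOKEY entry on a non-loopback address). The function names are illustrative, the sample is constructed from the posted config, and addresses are matched by exact string, so masks, ranges and @port forms are not handled.

```python
import ipaddress, re
# Constructed sample: the zone and key sections of the nsd.conf in the post.
SAMPLE = """zone:
name: "se"
allow-notify: 192.0.2.47 secret-key
request-xfr: 192.0.2.47 secret-key
allow-notify: 192.0.2.11 secret-key
request-xfr: 192.0.2.11 secret-key
provide-xfr: 192.36.125.0/24 secret-key
allow-notify: ::1 NOKEY
allow-notify: 127.0.0.1 NOKEY
key:
name: secret-key
"""

def parse(text):  # -> {zone: [(option, ip_spec, key)]}
    zones, section, zone = {}, None, None
    for raw in text.splitlines():
        m = re.match(r"([\w-]+):\s*(.*)", raw.split("#", 1)[0].strip())
        if not m:
            continue
        opt, val = m.group(1), m.group(2).strip().strip('"')
        if opt in ("server", "zone", "key"):
            section = opt  # 'name:' means different things per section
        elif opt == "name" and section == "zone":
            zone = val
        elif opt in ("allow-notify", "request-xfr", "provide-xfr") and section == "zone":
            ip, key = val.split()[-2:]  # also skips an optional AXFR/UDP prefix
            zones.setdefault(zone, []).append((opt, ip, key))
    return zones

def is_loopback(spec):
    try:  # plain addresses and /n subnets only; other forms count as non-loopback
        return ipaddress.ip_network(spec, strict=False).is_loopback
    except ValueError:
        return False

def audit(text):
    out = []
    for zone, acl in parse(text).items():
        notify = [(ip, key) for opt, ip, key in acl if opt == "allow-notify"]
        for opt, ip, key in acl:
            if key == "NOKEY" and not is_loopback(ip):
                out.append(f"{zone}: {opt} {ip} accepts unsigned requests (NOKEY)")
            if opt == "request-xfr" and ip not in [n for n, _ in notify]:
                out.append(f"{zone}: master {ip} has no allow-notify entry")
        if not any(is_loopback(ip) and key != "BLOCKED" for ip, key in notify):
            out.append(f"{zone}: no loopback allow-notify entry for 'nsdc update'")
    return out
```

audit(SAMPLE) returns an empty list for the configuration as posted, which rules out these particular ACL mismatches.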