[nsd-users] allow-notify SUBNET and request-xfr inconsistency

Ilya Bakulin Ilya_Bakulin at genua.de
Tue Jul 24 11:52:39 UTC 2012

Hi Yuri,

On Monday 23 July 2012 21:49:21 Yuri Schaeffer wrote:
> Hi Ilya,
> >>>> RFC-1996, Section 3.11
> >> says:
> >>>>> Because a deep server dependency graph may have multiple paths
> >>>>>       from the primary master to any given slave, it is possible that
> >>>>>       a slave will receive a NOTIFY from one of its known masters
> >>>>> even though the rest of its known masters have not yet updated their
> >>>>> copies of the zone.  Therefore, when issuing a QUERY for the zone's
> >>>>> SOA, the query should be directed at the known master who was the
> >>>>> source of the NOTIFY event, and not at any of the other known masters
> This is in fact what NSD does. I took a look at it today and it seems
> that there is a bug when allow-notify specifies a subnet. The notifier
> is than not properly matched with the request-xfr entries.
> Tomorrow I will spend some time fixing it. Untested, but as a work
> around specify all hosts separately in allow-notify exactly like in
> request-xfr.
> Regards,
> Yuri Schaeffer

I have tested suggested workaround and it works as expected.
We will now wait for your fix.
Thank you for looking into this!

Ilya Bakulin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20120724/9fffd007/attachment.bin>

More information about the nsd-users mailing list