[nsd-users] n00b troubles with slaves

Glenn English ghe at slsware.com
Mon Jul 8 19:40:43 UTC 2013


I'm trying to set up NSD as the main DNS server for my domain and my virtual users' domains. The master (192.168.2.205) is a BIND server on a local network protected from the 'Net -- the NSD zones are all slaves. The server I'm working on is at 192.168.2.202.

I'm seeing what seem to be contradictions in the books I have, on the 'Net, and the man page. I'm told by most of them that "allow-notify" and "request-xfer" should be the same IP: that of the master. But when that's what I set, 'nsdc update' throws an error saying "allow-notify" isn't set to 127.0.0.1, and several 'Net sites agree. When I set that, nobody complains, but as best I can tell, no zones are transferred. Since the majority (including Evi Nemeth and the man page) votes for the IP of the master, I suspect I'm misunderstanding something.

Here's my config (just making changes to the sample so far):

> root at server:/etc/nsd3# cat nsd.conf
> # 2013-07-05
> #
> # nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
> #
> # Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
> #
> # See LICENSE for the license.
> #
> 
> # options for the nsd server
> server:
> 	# uncomment to specify specific interfaces to bind (default wildcard interface).
> 	# ip-address: 1.2.3.4
> 	# ip-address: 1.2.3.4 at 5678
> 	# ip-address: 12fe::8ef0
> 
> 	# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
> 	# hide-version: no
> 	hide-version: yes
> 
> 	# enable debug mode, does not fork daemon process into the background.
> 	# debug-mode: no
> 
> 	# listen only on IPv4 connections
> 	# ip4-only: no
> 	ip4-only: yes
> 
> 	# listen only on IPv6 connections
> 	# ip6-only: no
> 	
> 	# the database to use
> 	# database: "/var/lib/nsd3/nsd.db"
> 	database: "/var/cache/dns/nsd.db"
> 
> 	# identify the server (CH TXT ID.SERVER entry).
> 	# identity: "unidentified server"
> 	identity: ""
> 
> 	# NSID identity (hex string). default disabled.
> 	# nsid: "aabbccdd"
> 
> 	# log messages to file. Default to stderr and syslog (with facility LOG_DAEMON).
> 	# logfile: "/var/log/nsd.log"
> 
> 	# Number of NSD servers to fork.
> 	# server-count: 1
> 	server-count: 4
> 
> 	# Maximum number of concurrent TCP connections per server.
> 	# This option should have a value below 1000.
> 	# tcp-count: 10
> 
> 	# Maximum number of queries served on a single TCP connection.
> 	# By default 0, which means no maximum.
> 	# tcp-query-count: 0
> 	tcp-query-count: 5
> 
> 	# Override the default (120 seconds) TCP timeout.
> 	# tcp-timeout: 120
> 
> 	# Preferred EDNS buffer size for IPv4.
> 	# ipv4-edns-size: 4096
> 	ipv4-edns-size: 256 
> 
> 	# Preferred EDNS buffer size for IPv6.
> 	# ipv6-edns-size: 4096
> 
> 	# File to store pid for nsd in.
> 	# pidfile: "/var/run/nsd3/nsd.pid"
> 	pidfile: "/var/run/nsd3/nsd.pid"
> 
> 	# port to answer queries on. default is 53.
> 	# port: 53
> 
> 	# statistics are produced every number of seconds.
> 	# statistics: 3600
> 
> 	# if per zone statistics is enabled, file to store statistics.
> 	# zone-stats-file: "/var/log/nsd.stats"
> 
> 	# Run NSD in a chroot-jail.
> 	# make sure to have pidfile and database reachable from there.
> 	# by default, no chroot-jail is used.
> 	# chroot: "/etc/nsd3"
> 
> 	# After binding socket, drop user privileges.
> 	# can be a username, id or id.gid.
> 	# username: nsd
> 	username: nsd
> 
> 	# The directory for zonefile: files.
> 	# zonesdir: "/etc/nsd3"
> 	zonesdir: "/var/cache/dns/slaves"
> 
> 	# The file where incoming zone transfers are stored.
> 	# run nsd-patch to update zone files, then you can safely delete it.
> 	# difffile: "/var/lib/nsd3/ixfr.db"
> 	difffile: "/var/cache/dns/ixfr.db"
> 
> 	# The file where secondary zone refresh and expire timeouts are kept.
> 	# If you delete this file, all secondary zones are forced to be 
> 	# 'refreshing' (as if nsd got a notify).
> 	# xfrdfile: "/var/lib/nsd3/xfrd.state"
> 	xfrdfile: "/var/cache/dns/xfrd.state"
> 
> 	# Number of seconds between reloads triggered by xfrd.
> 	# xfrd-reload-timeout: 10
> 
> 	# Verbosity level.
> 	# verbosity: 0
> 
> 	# RRLconfig
> 	# Response Rate Limiting, size of the hashtable. Default 1000000.
> 	# rrl-size: 1000000
> 
> 	# Response Rate Limiting, maximum QPS allowed (from one query source).
> 	# Default 200. If set to 0, ratelimiting is disabled. Also set
> 	# rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
> 	# rrl-ratelimit: 200
> 
> 	# Response Rate Limiting, maximum QPS allowed (from one query source)
> 	# for whitelisted types. Default 2000.
> 	# rrl-whitelist-ratelimit: 2000
> 	# RRLend
> 
> # key for local zones
> key:
> 	name: mskey
> 	algorithm: hmac-md5
> 	secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
> 
> # Slave zones
> 
> zone:
> 	name: "aerco.net"
> 	zonefile: "db.aerco.net"
> 	include: "/etc/nsd3/zoneInclude.txt"

and the include file of everything that's the same in all the zones:

> root at server:/etc/nsd3# cat zoneInclude.txt 
> 
>         # By default, a slave will request a zone transfer with IXFR/TCP.
>         # If you want to make use of IXFR/UDP use
>         allow-notify: 127.0.0.1 NOKEY
>         request-xfr: 192.168.2.205 NOKEY
> 
>         # Allow AXFR fallback if the master does not support IXFR. Default
>         # is yes.
>         allow-axfr-fallback: "yes"
> 
>         # set local interface for sending zone transfer requests.
>         outgoing-interface: 192.168.2.202


Just one of the zones is here -- all the others are identical except for the names. The zone files are BIND syntax, and the server is serving DNS quite nicely when I transfer by hand (or rsync), rebuild the database, and reload.

Can someone tell me what I'm doing wrong, and why it's wrong? Is there a book yet explaining how NSD works and what the various config options mean? 

BTW, 'nsdc restart' just stops NSD. So does Debian's /etc/init.d/nsd startup file. I've looked at the code, and they aren't the same. A 'nsdc stop' followed by 'nsdc start' does the job.

And there is no log file.

-- 
Glenn English
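The allow-notify question in the post comes down to NSD accepting more than one allow-notify line per zone, so the two answers in the books are not actually in conflict. Below is an added example of the shared zone include, written for this page; it is not the poster's zoneInclude.txt and not from the NSD project. It assumes the master stays at 192.168.2.205 and the slave at 192.168.2.202, that the BIND master is given the same TSIG key, and that the key name, secret, zone name and file name are placeholders. The master's address is the one that lets a real NOTIFY trigger a refresh; 127.0.0.1 is the one 'nsdc update' needs, because it sends a NOTIFY from the local host for each slave zone and checks the config for that entry. With 127.0.0.1 alone, NOTIFYs from the master are refused and a change on the master is only picked up when the SOA refresh timer fires. If the initial transfer never happens either, check that the master's allow-transfer includes 192.168.2.202 and raise NSD's verbosity; with logfile commented out, as in the posted config, NSD logs to syslog (facility daemon) rather than to a file. The hmac-md5 secret quoted in the post is now public and should be replaced on both ends.

```conf
# Added example (not the poster's file): one slave zone that accepts
# NOTIFY from the master and from localhost, and authenticates the
# transfer with a TSIG key instead of NOKEY.

key:
	name: "bind-nsd-xfer"            # placeholder; must match the key name in named.conf
	algorithm: hmac-sha256           # assumes an NSD 3.2 build with OpenSSL; use hmac-md5 otherwise
	secret: "REPLACE-WITH-BASE64-SECRET"   # placeholder, generate a fresh secret and share it with the master

zone:
	name: "example.net"              # placeholder zone name
	zonefile: "db.example.net"       # relative to zonesdir

	# The master's NOTIFY is what triggers a refresh when the zone changes.
	allow-notify: 192.168.2.205 bind-nsd-xfer

	# 'nsdc update' sends a NOTIFY from the local host; without this line
	# it is refused and nsdc complains that allow-notify 127.0.0.1 is missing.
	allow-notify: 127.0.0.1 NOKEY

	# Where to pull the zone from, signed with the same key.
	request-xfr: 192.168.2.205 bind-nsd-xfer

	# Fall back to AXFR when the master has no IXFR for this zone.
	allow-axfr-fallback: "yes"

	# Source address for outgoing transfer requests, so the master sees
	# 192.168.2.202 and its allow-transfer ACL matches.
	outgoing-interface: 192.168.2.202
```

On the BIND side the same key goes in a key statement, and the zone's allow-transfer and also-notify lists should name 192.168.2.202 with that key, so that transfers are rejected from anyone who does not hold it.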



