[nsd-users] NSD no receiving Notifies
wouter at nlnetlabs.nl
Mon Feb 3 14:35:18 UTC 2014
On 02/03/2014 03:03 PM, Sofía Silva Berenguer wrote:
> Dear nsd-users members,
> I've installed Unbound and NSD on a CentOS 6.5 server.
> NSD is the secondary (slave) name server for some zones. The
> primary (master) for those zones is a BIND server.
> Unbound is listening on the port 53 and NSD is listening on the
> port 53530.
> The master is set up to send notifies to the port 53530 of the
> slave server. (also-notify <slave IP address> port 53530)
> I'm having some issues when a zone is updated on the master. The
> master sends the notifies to the right port (53530). I can see the
> notifies with a tcpdump but NSD doesn't transfer the zone. I don't
> even see any message in the NSD log saying it received the
> notifies. (the "verbosity" parameter is set to 2).
> If NSD requests the transfer (nsd-control transfer <zone>) the
> transfer works. It just doesn't work when the transfer is supposed
> to be initiated by a notify sent by the master.
> I've already checked iptables and it is accepting connections to
> the port 53530.
> I've even tried stopping Unbound and setting up NSD to listen on
> the port 53 just in case this issue has anything to do with the
> non-standard port being used, but it didn't work either.
> Is there anything else I could check?
Have you checked that your NSD configuration allows the notify, with
the allow-notify: <master-ipaddress> NOKEY statement? With
verbosity 2 it should print allowed or refused for almost all notifies.
If NSD does not host the zone, then it prints nothing at verbosity 2;
instead it returns 'nxdomain' rcode to the master. Do you have the
zone name spelled correctly in the NSD configuration?
The zone should also have a request-xfr: <master ipaddress> NOKEY in
the nsd.conf file, so that it knows where to transfer the zone from.
If you are using TSIG, try to disable it; if the TSIG fails (i.e. you
have the wrong TSIG key) then NSD will also not print a log entry.
> Are you aware of any incompatibility between a BIND master and a
> NSD slave?
No, this should work.
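The checks suggested in the reply above (zone name spelling, allow-notify, request-xfr, TSIG versus NOKEY) can be run mechanically against an nsd.conf. The following is an added example, not part of the original thread or of NSD: the function names, finding codes and sample configuration are constructed for illustration, and it only understands single addresses and CIDR subnets inside plain `zone:` clauses (no patterns, includes, address ranges or masks).

```python
import ipaddress

# Constructed nsd.conf excerpt; zone names and addresses are placeholders.
SAMPLE_CONF = """
server:
    port: 53530
zone:
    name: "example.org"
    allow-notify: 192.0.2.10 NOKEY
    request-xfr: 192.0.2.10 NOKEY
zone:
    name: "example.net"
    request-xfr: AXFR 192.0.2.10@53 transfer-key
"""

def parse_zones(conf_text):
    """Map each zone name (lower case, no trailing dot) to its option lines."""
    zones, current = {}, None
    for raw in conf_text.splitlines():
        key, sep, value = raw.split("#", 1)[0].strip().partition(":")
        value = value.strip()
        if sep and not value:            # clause header such as server: or zone:
            current = [] if key == "zone" else None
        elif sep and current is not None:
            if key == "name":
                zones[value.strip('"').rstrip(".").lower()] = current
            else:
                current.append((key, value.split()))
    return zones

def acl_matches(spec, ip):
    """True if ip is inside spec (single address or CIDR); other forms never match."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False

def check_notify_path(conf_text, zone, master_ip):
    """Return finding codes for the checks in the reply above; [] means all pass."""
    opts = parse_zones(conf_text).get(zone.rstrip(".").lower())
    if opts is None:
        return ["zone-missing"]          # absent or misspelled zone name
    def entries(option):
        # The last token is the key (or NOKEY/BLOCKED), the one before it the address.
        return [v for k, v in opts if k == option and len(v) >= 2
                and v[-1] != "BLOCKED" and acl_matches(v[-2].split("@")[0], master_ip)]
    notify, xfr = entries("allow-notify"), entries("request-xfr")
    findings = [code for code, hit in (("no-allow-notify", notify),
                                       ("no-request-xfr", xfr)) if not hit]
    # A key name instead of NOKEY means TSIG is in use and a wrong key must be ruled out.
    return findings + sorted({"tsig:" + v[-1] for v in notify + xfr if v[-1] != "NOKEY"})
```

Call `check_notify_path(open("/path/to/nsd.conf").read(), "<zone>", "<master IP address>")` with the same master address that appears as the source of the notifies in the tcpdump capture.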