[nsd-users] NSD no receiving Notifies

W.C.A. Wijngaards wouter at nlnetlabs.nl
Mon Feb 3 14:35:18 UTC 2014


Hi Sofía,

On 02/03/2014 03:03 PM, Sofía Silva Berenguer wrote:
> Dear nsd-users members,
> 
> I've installed Unbound and Nsd on a Centos 6.5 server.
> 
> NSD is the secondary (slave) name server for some zones. The
> primary (master) for those zones is a BIND server.
> 
> Unbound is listening on the port 53 and NSD is listening on the
> port 53530.
> 
> The master is set up to send notifies to the port 53530 of the
> slave server. (also-notify <slave IP address> port 53530)
> 
> I'm having some issues when a zone is updated on the master. The
> master sends the notifies to the right port (53530). I can see the
> notifies with a tcpdump but NSD doesn't transfer the zone. I don't
> even see any message in the NSD log saying it received the
> notifies. (the "verbosity" parameter is set to 2).
> 
> If NSD requests the transfer (nsd-control transfer <zone>) the
> transfer works. It just doesn't work when the transfer is supposed
> to be initiated by a notify sent by the master.
> 
> I've already checked iptables and it is accepting connections to
> the port 53530.
> 
> I've even tried stopping Unbound and setting up NSD to listen on
> the port 53 just in case this issue has anything to do with the
> non-standard port being used, but it didn't work either.
> 
> Is there anything else I could check?

Have you checked that your NSD configuration allows the notify, with
the allow-notify: <master-ipaddress> NOKEY statement?  With
verbosity 2 it should print allowed or refused for almost all notifies.

If NSD does not host the zone, then it prints nothing at verbosity 2;
instead it returns an 'nxdomain' rcode to the master.  Do you have the
zone name spelled correctly in the NSD configuration?

The zone should also have a request-xfr: <master ipaddress> NOKEY in
the nsd.conf file, so that it knows where to transfer the zone from.

If you are using TSIG, try to disable it: if the TSIG fails (i.e. you
have the wrong TSIG key) then NSD will also not print a log entry.

> Are you aware of any incompatibility between a BIND master and a
> NSD slave?

No, this should work.

Best regards,
   Wouter

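The checks listed in the reply above (zone name present, allow-notify for the master, request-xfr for the master, TSIG key versus NOKEY) can be run against an nsd.conf offline. This is an added example, not part of the original message or of NSD itself; `SAMPLE_CONF`, `parse_zones`, `covers` and `check_zone` are hypothetical names, the zone names and addresses are constructed, and only single addresses and CIDR ip-specs are handled.

```python
import ipaddress
# Constructed nsd.conf for illustration (documentation names and addresses).
SAMPLE_CONF = """
server:
    port: 53530
zone:
    name: "example.org"
    request-xfr: 192.0.2.1 NOKEY   # manual transfer works, notify does not
zone:
    name: "example.net."
    allow-notify: 192.0.2.0/24 NOKEY
    request-xfr: AXFR 192.0.2.1 xfr-key
"""

def parse_zones(conf_text):
    """Map each zone name to {option: [values]} from the zone: clauses."""
    zones, current = {}, None
    for raw in conf_text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key and not value:               # clause header: "server:", "zone:"
            current = {} if key == "zone" else None
        elif value and current is not None:
            if key == "name":
                zones[value.lower().rstrip(".")] = current
            current.setdefault(key, []).append(value)
    return zones

def covers(spec, master):  # spec is a single address or a CIDR block
    try:
        return ipaddress.ip_address(master) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False                        # ranges and masks are not modelled

def check_zone(conf_text, zone, master):
    """List reasons a NOTIFY for zone from master would not start a transfer."""
    opts = parse_zones(conf_text).get(zone.lower().rstrip("."))
    if opts is None:
        return [f"zone {zone}: not configured, check the spelling of name:"]
    findings = []
    for option in ("allow-notify", "request-xfr"):
        # last two tokens are <ip-spec> <key>; request-xfr may lead with AXFR or UDP
        entries = [v.split()[-2:] for v in opts.get(option, [])]
        keys = [e[1] for e in entries if len(e) == 2 and e[1] != "BLOCKED" and covers(e[0], master)]
        if not keys:
            findings.append(f"{option}: no entry for {master}")
        elif "NOKEY" not in keys:
            findings.append(f"{option}: TSIG key {keys[0]} must match the master")
    return findings
```

Calling `check_zone(SAMPLE_CONF, "example.org", "192.0.2.1")` reports the missing allow-notify, which matches the symptom in the thread: a manual transfer succeeds while notifies are not acted on.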


