[nsd-users] NSD no receiving Notifies

Sofía Silva Berenguer sofia at lacnic.net
Mon Feb 3 14:55:51 UTC 2014

Hash: SHA256

Thank you for replying Wouter!

The zone is listed in the zone.list file and it's spelled correctly. I
added it using a pattern which includes both the allow-notify and the
request-xfr lines:

allow-notify: <master> NOKEY
request-xfr: <master> NOKEY

How can I check that the zone was correctly added?

I'm sorry for asking so basic questions but I'm a newby with NSD.

Thank you a lot for your help!



El 03/02/14 12:35, W.C.A. Wijngaards escribió:
> Hi Sofía,
> On 02/03/2014 03:03 PM, Sofía Silva Berenguer wrote:
>> Dear nsd-users members,
>> I've installed Unbound and Nsd on a Centos 6.5 server.
>> NSD is the secondary (slave) name server for some zones. The 
>> primary (master) for those zones is a BIND server.
>> Unbound is listening on the port 53 and NSD is listening on the 
>> port 53530.
>> The master is set up to send notifies to the port 53530 of the 
>> slave server. (also-notify <slave IP address> port 53530)
>> I'm having some issues when a zone is updated on the master. The 
>> master sends the notifies to the right port (53530). I can see
>> the notifies with a tcpdump but NSD doesn't transfer the zone. I
>> don't even see any message in the NSD log saying it received the 
>> notifies. (the "verbosity" parameter is set to 2).
>> If NSD requests the transfer (nsd-control transfer <zone>) the 
>> transfer works. It just doesn't work when the transfer is
>> support to be initiated by a notify sent by the master.
>> I've already checked iptables and it is accepting connections to 
>> the port 53530.
>> I've even trying stopping Unbound and setting up NSD to listen
>> on the port 53 just in case this issue has anything to do with
>> the non-standard port being used, but it didn't work either.
>> Is there anything else I could check?
> Have you checked that your NSD configuration allows the notify,
> with the allow-notify: <master-ipaddress> NOKEY   statement.  With 
> verbosity 2 it should print allowed or refused for almost all
> notifies.
> If NSD does not host the zone, then it prints nothing at verbosity
> 2, instead it returns 'nxdomain' rcode to the master.  Do you have
> the zone name spelled correctly in the NSD configuration?
> The zone should also have a request-xfr: <master ipadress> NOKEY
> in the nsd.conf file, so that it knows where to transfer the zone
> from.
> If you are using TSIG, try to disable it, if the TSIG fails (i.e.
> you have the wrong TSIG key) then NSD will also not print a log
> entry.
>> Are you aware of any incompatibility between a BIND master and a 
>> NSD slave?
> No, this should work.
> Best regards, Wouter
> _______________________________________________ nsd-users mailing
> list nsd-users at NLnetLabs.nl 
> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


More information about the nsd-users mailing list