[nsd-users] NSD not receiving Notifies
Sofía Silva Berenguer
sofia at lacnic.net
Tue Feb 4 14:28:17 UTC 2014
Hi Wouter,
I couldn't set up Nsd to use syslog, however it is logging to a file.
I actually see a lot of lines but nothing about receiving notifies
from the master.
I increased verbosity from 2 to 5 and ran tail -f on the logfile
while, on the master, I incremented the serial of a zone and reloaded
it. The master sent notifies and another slave got the zone transferred
but NOT this slave (the NSD). The NSD didn't get any notify.
What am I doing wrong? :)
Regards,
Sofía
On 04/02/14 11:22, W.C.A. Wijngaards wrote:
> Hi Sofia,
>
> Are you getting logs from NSD at all? Or does it have similar
> trouble like unbound (it has very similar log code) had for you
> (the logfile was not inside the chroot)? Then you can see what it
> says about the Notify or about the zone transfers (increase
> verbosity from 2 to 5 to see more and more).
>
> Best regards, Wouter
>
> On 02/03/2014 05:01 PM, Sofía Silva Berenguer wrote:
>> Wouter,
>
>> Iptables is accepting connections in the port 53530. I telneted
>> it from the master and it worked.
>
>> I also verified with "lsof -ni:53530" that NSD is actually
>> listening on that port, both in TCP and UDP.
>
>> Regards,
>
>> Sofía
>
>> On 03/02/14 13:49, W.C.A. Wijngaards wrote:
>>> Hi Sofia,
>
>>> Is your computer configured with a firewall that blocks
>>> traffic to port 53530? Otherwise, I am also getting out of
>>> ideas, with the zone and allow-notify configured, NSD prints
>>> what happens with verbosity >=2. Nothing is printed, so I
>>> assume NSD does not actually get the packet.
>
>>> Best regards, Wouter
>
>>> On 02/03/2014 04:38 PM, Sofía Silva Berenguer wrote:
>>>> Wouter,
>
>>>> I defined the pattern in nsd.conf and then added the zone
>>>> with nsd-control addzone <zone> <pattern>. I didn't edit the
>>>> file manually.
>
>>>> I do see the zone with nsd-control zonestatus <zone>.
>
>>>> Regards,
>
>>>> Sofia
>
>>>> On 03/02/14 13:13, W.C.A. Wijngaards wrote:
>>>>> Hi,
>
>>>>> How did you add it to the zone.list file? If you edit the
>>>>> file manually, NSD does not pick up the changes while it is
>>>>> running; and in fact (may) overwrite your edits when it
>>>>> closes. Do you see the zone with nsd-control zonestatus ?
>
>>>>> Best regards, Wouter
>
>>>>> On 02/03/2014 03:55 PM, Sofía Silva Berenguer wrote:
>>>>>> Thank you for replying Wouter!
>
>>>>>> The zone is listed in the zone.list file and it's spelled
>>>>>> correctly. I added it using a pattern which includes
>>>>>> both the allow-notify and the request-xfr lines:
>
>>>>>> allow-notify: <master> NOKEY request-xfr: <master> NOKEY
>
>>>>>> How can I check that the zone was correctly added?
>
>>>>>> I'm sorry for asking such basic questions but I'm a newbie
>>>>>> with NSD.
>
>>>>>> Thank you a lot for your help!
>
>>>>>> Regards,
>
>>>>>> Sofía
>
>>>>>> On 03/02/14 12:35, W.C.A. Wijngaards wrote:
>>>>>>> Hi Sofía,
>
>>>>>>> On 02/03/2014 03:03 PM, Sofía Silva Berenguer wrote:
>>>>>>>> Dear nsd-users members,
>
>>>>>>>> I've installed Unbound and Nsd on a Centos 6.5
>>>>>>>> server.
>
>>>>>>>> NSD is the secondary (slave) name server for some
>>>>>>>> zones. The primary (master) for those zones is a
>>>>>>>> BIND server.
>
>>>>>>>> Unbound is listening on the port 53 and NSD is
>>>>>>>> listening on the port 53530.
>
>>>>>>>> The master is set up to send notifies to the port
>>>>>>>> 53530 of the slave server. (also-notify <slave IP
>>>>>>>> address> port 53530)
>
>>>>>>>> I'm having some issues when a zone is updated on the
>>>>>>>> master. The master sends the notifies to the right
>>>>>>>> port (53530). I can see the notifies with a tcpdump
>>>>>>>> but NSD doesn't transfer the zone. I don't even see
>>>>>>>> any message in the NSD log saying it received the
>>>>>>>> notifies. (the "verbosity" parameter is set to 2).
>
>>>>>>>> If NSD requests the transfer (nsd-control transfer
>>>>>>>> <zone>) the transfer works. It just doesn't work
>>>>>>>> when the transfer is supposed to be initiated by a
>>>>>>>> notify sent by the master.
>
>>>>>>>> I've already checked iptables and it is accepting
>>>>>>>> connections to the port 53530.
>
>>>>>>>> I've even tried stopping Unbound and setting up NSD
>>>>>>>> to listen on the port 53 just in case this issue has
>>>>>>>> anything to do with the non-standard port being
>>>>>>>> used, but it didn't work either.
>
>>>>>>>> Is there anything else I could check?
>
>>>>>>> Have you checked that your NSD configuration allows the
>>>>>>> notify, with the allow-notify: <master-ipaddress>
>>>>>>> NOKEY statement. With verbosity 2 it should print
>>>>>>> allowed or refused for almost all notifies.
>
>>>>>>> If NSD does not host the zone, then it prints nothing
>>>>>>> at verbosity 2, instead it returns 'nxdomain' rcode to
>>>>>>> the master. Do you have the zone name spelled correctly
>>>>>>> in the NSD configuration?
>
>>>>>>> The zone should also have a request-xfr: <master
>>>>>>> ipaddress> NOKEY in the nsd.conf file, so that it knows
>>>>>>> where to transfer the zone from.
>
>>>>>>> If you are using TSIG, try to disable it, if the TSIG
>>>>>>> fails (i.e. you have the wrong TSIG key) then NSD will
>>>>>>> also not print a log entry.
>
>>>>>>>> Are you aware of any incompatibility between a BIND
>>>>>>>> master and an NSD slave?
>
>>>>>>> No, this should work.
>
>>>>>>> Best regards, Wouter
>
>>>>>>> _______________________________________________
>>>>>>> nsd-users mailing list nsd-users at NLnetLabs.nl
>>>>>>> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
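A small diagnostic, added here as an editor's example (not code from the thread, from NSD or from NLnet Labs), that does from the master's side what Wouter describes: send a NOTIFY for the zone to the slave's notify port (53530 in this thread) and report the rcode the slave answers with. The zone name and slave address are placeholders; the mapping of rcodes to causes in the comments follows Wouter's explanation and is otherwise an assumption.

```python
import socket
import struct

# DNS opcode 4 = NOTIFY (RFC 1996); QTYPE 6 = SOA, QCLASS 1 = IN.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(zone):
    """Encode a zone name in DNS wire format (length-prefixed labels + root)."""
    out = b""
    for label in zone.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"

def build_notify(zone, qid):
    """Build a NOTIFY message: opcode 4, AA set, one SOA question for the zone."""
    flags = (4 << 11) | (1 << 10)          # opcode NOTIFY, AA bit (RFC 1996 sec. 3.2)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)

def parse_response(data, qid):
    """Return the rcode name of a NOTIFY response after checking id and QR bit."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our notify")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode)

def send_notify(zone, host, port=53530, qid=0x1234, timeout=3.0):
    """Send one NOTIFY over UDP; return the rcode name, or None if nothing came back.
    Per the thread: NXDOMAIN means the slave does not host the zone (check spelling /
    zone.list), REFUSED suggests allow-notify does not match the sender (assumption),
    NOERROR means the notify was accepted, and no reply at all points at the packet
    never reaching NSD (firewall, wrong port, or a chroot hiding the log)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_notify(zone, qid), (host, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data, qid)

if __name__ == "__main__":
    # Placeholder zone and slave address (TEST-NET-1); the thread's port is kept.
    print(send_notify("example.net", "192.0.2.1", port=53530))
```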