[nsd-users] NSD not receiving Notifies

Sofía Silva Berenguer sofia at lacnic.net
Tue Feb 4 14:59:44 UTC 2014


Wouter,

Yes, if I run nsd-control transfer <zone>, the zone gets transferred.

I will compile NSD again with the options you told me and I'll let you
know what happens.

Regards,

Sofía


On 04/02/14 12:53, W.C.A. Wijngaards wrote:
> Hi Sofia,
> 
> So, NSD has the zone configured correctly, it has allow-notify and 
> request-xfr set and the name.  The notify packet arrives on
> tcpdump. lsof says NSD listens on that port, but NSD4 prints
> nothing.  With verbosity it should print something, but it does
> not.
> 
> If you compile NSD with --enable-checking and start nsd with -F 20
> -L 2 options it will print even more than it prints now (it should
> simply print that a notify has been received, for every notify
> packet).
> 
> Can you transfer the zone if you specify nsd-control transfer 
> <zonename>  ?  This pretends a notify has been received internally 
> (but without the actual packet), and does the same zone transfer
> code.
> 
> Best regards, Wouter
> 
> On 02/04/2014 03:28 PM, Sofía Silva Berenguer wrote:
>> Hi Wouter,
> 
>> I couldn't set up Nsd to use syslog, however it is logging to a 
>> file. I actually see a lot of lines but nothing about receiving 
>> notifies from the master.
> 
>> I increased verbosity from 2 to 5 and ran tail -f on the logfile
>> while, on the master, I incremented the serial of a zone and 
>> reloaded it. The master sent notifies and another slave got the 
>> zone transferred but NOT this slave (the NSD). The NSD didn't get 
>> any notify.
> 
>> What am I doing wrong? :)
> 
>> Regards,
> 
>> Sofía
> 
>> On 04/02/14 11:22, W.C.A. Wijngaards wrote:
>>> Hi Sofia,
> 
>>> Are you getting logs from NSD at all?  Or does it have similar
>>> trouble like unbound (it has very similar log code) had for
>>> you (the logfile was not inside the chroot)?  Then you can see
>>> what it says about the Notify or about the zone transfers
>>> (increase verbosity from 2 to 5 to see more and more).
> 
>>> Best regards, Wouter
> 
>>> On 02/03/2014 05:01 PM, Sofía Silva Berenguer wrote:
>>>> Wouter,
> 
>>>> Iptables is accepting connections on port 53530. I 
>>>> telnetted to it from the master and it worked.
> 
>>>> I also verified with "lsof -ni:53530" that NSD is actually 
>>>> listening on that port, both in TCP and UDP.
> 
>>>> Regards,
> 
>>>> Sofía
> 
>>>> On 03/02/14 13:49, W.C.A. Wijngaards wrote:
>>>>> Hi Sofia,
> 
>>>>> Is your computer configured with a firewall that blocks 
>>>>> traffic to port 53530?  Otherwise, I am also getting out of
>>>>> ideas, with the zone and allow-notify configured, NSD
>>>>> prints what happens with verbosity >=2.  Nothing is printed,
>>>>> so I assume NSD does not actually get the packet.
> 
>>>>> Best regards, Wouter
> 
>>>>> On 02/03/2014 04:38 PM, Sofía Silva Berenguer wrote:
>>>>>> Wouter,
> 
>>>>>> I defined the pattern in nsd.conf and then added the zone
>>>>>>  with nsd-control addzone <zone> <pattern>. I didn't
>>>>>> edit the file manually.
> 
>>>>>> I do see the zone with nsd-control zonestatus <zone>.
> 
>>>>>> Regards,
> 
>>>>>> Sofia
> 
>>>>>> On 03/02/14 13:13, W.C.A. Wijngaards wrote:
>>>>>>> Hi,
> 
>>>>>>> How did you add it to the zone.list file?  If you edit 
>>>>>>> the file manually, NSD does not pick up the changes
>>>>>>> while it is running; and in fact (may) overwrite your
>>>>>>> edits when it closes. Do you see the zone with
>>>>>>> nsd-control zonestatus ?
> 
>>>>>>> Best regards, Wouter
> 
>>>>>>> On 02/03/2014 03:55 PM, Sofía Silva Berenguer wrote:
>>>>>>>> Thank you for replying Wouter!
> 
>>>>>>>> The zone is listed in the zone.list file and it's 
>>>>>>>> spelled correctly. I added it using a pattern which 
>>>>>>>> includes both the allow-notify and the request-xfr 
>>>>>>>> lines:
> 
>>>>>>>> allow-notify: <master> NOKEY
>>>>>>>> request-xfr: <master> NOKEY
> 
>>>>>>>> How can I check that the zone was correctly added?
> 
>>>>>>>> I'm sorry for asking such basic questions but I'm a
>>>>>>>> newbie with NSD.
> 
>>>>>>>> Thank you a lot for your help!
> 
>>>>>>>> Regards,
> 
>>>>>>>> Sofía
> 
>>>>>>>> On 03/02/14 12:35, W.C.A. Wijngaards wrote:
>>>>>>>>> Hi Sofía,
> 
>>>>>>>>> On 02/03/2014 03:03 PM, Sofía Silva Berenguer
>>>>>>>>> wrote:
>>>>>>>>>> Dear nsd-users members,
> 
>>>>>>>>>> I've installed Unbound and Nsd on a Centos 6.5 
>>>>>>>>>> server.
> 
>>>>>>>>>> NSD is the secondary (slave) name server for some
>>>>>>>>>>  zones. The primary (master) for those zones is a
>>>>>>>>>>  BIND server.
> 
>>>>>>>>>> Unbound is listening on the port 53 and NSD is 
>>>>>>>>>> listening on the port 53530.
> 
>>>>>>>>>> The master is set up to send notifies to the port
>>>>>>>>>>  53530 of the slave server. (also-notify <slave
>>>>>>>>>> IP address> port 53530)
> 
>>>>>>>>>> I'm having some issues when a zone is updated on 
>>>>>>>>>> the master. The master sends the notifies to the 
>>>>>>>>>> right port (53530). I can see the notifies with
>>>>>>>>>> a tcpdump but NSD doesn't transfer the zone. I
>>>>>>>>>> don't even see any message in the NSD log saying
>>>>>>>>>> it received the notifies. (the "verbosity"
>>>>>>>>>> parameter is set to 2).
> 
>>>>>>>>>> If NSD requests the transfer (nsd-control
>>>>>>>>>> transfer <zone>) the transfer works. It just
>>>>>>>>>> doesn't work when the transfer is supposed to be
>>>>>>>>>> initiated by a notify sent by the master.
> 
>>>>>>>>>> I've already checked iptables and it is accepting
>>>>>>>>>>  connections to the port 53530.
> 
>>>>>>>>>> I've even tried stopping Unbound and setting up 
>>>>>>>>>> NSD to listen on the port 53 just in case this 
>>>>>>>>>> issue has anything to do with the non-standard
>>>>>>>>>> port being used, but it didn't work either.
> 
>>>>>>>>>> Is there anything else I could check?
> 
>>>>>>>>> Have you checked that your NSD configuration
>>>>>>>>> allows the notify, with the allow-notify: 
>>>>>>>>> <master-ipaddress> NOKEY statement. With verbosity
>>>>>>>>> 2 it should print allowed or refused for almost
>>>>>>>>> all notifies.
> 
>>>>>>>>> If NSD does not host the zone, then it prints 
>>>>>>>>> nothing at verbosity 2, instead it returns
>>>>>>>>> 'nxdomain' rcode to the master. Do you have the
>>>>>>>>> zone name spelled correctly in the NSD
>>>>>>>>> configuration?
> 
>>>>>>>>> The zone should also have a request-xfr: <master 
>>>>>>>>> ipaddress> NOKEY in the nsd.conf file, so that it 
>>>>>>>>> knows where to transfer the zone from.
> 
>>>>>>>>> If you are using TSIG, try to disable it, if the
>>>>>>>>> TSIG fails (i.e. you have the wrong TSIG key) then
>>>>>>>>> NSD will also not print a log entry.
> 
>>>>>>>>>> Are you aware of any incompatibility between a
>>>>>>>>>> BIND master and a NSD slave?
> 
>>>>>>>>> No, this should work.
> 
>>>>>>>>> Best regards, Wouter
> 
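Added example, not part of the original thread and not NLnet Labs code: a minimal probe that builds a DNS NOTIFY (opcode 4, SOA question), sends it over UDP and decodes the reply rcode, so the cases discussed above (no answer at all versus the 'nxdomain' rcode for a zone the server does not host) can be told apart without relying on the slave's log. The function names, the message ID and the sample reply bytes are assumptions constructed for illustration.

```python
import socket
import struct

OPCODE_NOTIFY, QTYPE_SOA, QCLASS_IN = 4, 6, 1
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(zone):
    labels = [l for l in zone.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_notify(zone, msg_id):
    """NOTIFY request: opcode 4, AA bit set, one question <zone> IN SOA."""
    flags = (OPCODE_NOTIFY << 11) | 0x0400
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)

def parse_reply(data, msg_id):
    """Decode the header fields of a reply that matter for this diagnosis."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", data[:4])
    rcode = flags & 0xF
    return {"id_ok": rid == msg_id, "is_response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "rcode": RCODES.get(rcode, str(rcode))}

def interpret(reply):
    """Map a parsed reply (None on timeout) to the cases named in the thread."""
    if reply is None:
        return "no reply within the timeout: suspect the packet never reaches the daemon"
    if reply["rcode"] == "NXDOMAIN":
        return "NXDOMAIN: the server does not host this zone"
    if reply["rcode"] == "NOERROR":
        return "NOERROR: the notify was acknowledged"
    return reply["rcode"] + ": notify not accepted, check the server log"

def send_notify(server, port, zone, msg_id=0x1234, timeout=3.0):
    """Send one NOTIFY over UDP; return the parsed reply or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_notify(zone, msg_id), (server, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_reply(data, msg_id)

# Constructed sample reply (not captured traffic): NOTIFY response, rcode 3.
SAMPLE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8000 | 0x2400 | 3, 1, 0, 0, 0)
```

Run `interpret(send_notify("<slave IP address>", 53530, "<zone>"))` from the master itself, since allow-notify matches on the sender's address.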


