[nsd-users] NSD not receiving Notifies
Sofía Silva Berenguer
sofia at lacnic.net
Tue Feb 4 16:27:07 UTC 2014
This issue has been solved.
I had iptables' rules (iptables and ip6tables) accepting TCP traffic
on the port 53530 but the rules accepting UDP traffic were missing.
Once I added those missing rules, Nsd started receiving notifies from
the master :)
Thank you Wouter for your help!
Regards,
Sofía
On 04/02/14 12:59, Sofía Silva Berenguer wrote:
> Wouter,
>
> Yes, if I run nsd-control transfer <zone>, the zone gets
> transferred.
>
> I will compile NSD again with the options you told me and I'll let
> you know what happens.
>
> Regards,
>
> Sofía
>
>
> On 04/02/14 12:53, W.C.A. Wijngaards wrote:
>> Hi Sofia,
>
>> So, nsd has the zone configured correctly, it has allow-notify and
>> request-xfr set and the name. The notify packet arrives on
>> tcpdump. lsof says NSD listens on that port, but NSD4 prints
>> nothing. With verbosity it should print something, but it
>> does not.
>
>> If you compile NSD with --enable-checking and start nsd with -F
>> 20 -L 2 options it will print even more than it prints now (it
>> should simply print that a notify has been received, for every
>> notify packet).
>
>> Can you transfer the zone if you specify nsd-control transfer
>> <zonename> ? This pretends a notify has been received
>> internally (but without the actual packet), and does the same
>> zone transfer code.
>
>> Best regards, Wouter
>
>> On 02/04/2014 03:28 PM, Sofía Silva Berenguer wrote:
>>> Hi Wouter,
>
>>> I couldn't set up Nsd to use syslog, however it is logging to a
>>> file. I actually see a lot of lines but nothing about
>>> receiving notifies from the master.
>
>>> I increased verbosity from 2 to 5 and ran tail -f on the
>>> logfile while, on the master, I incremented the serial of a zone
>>> and reloaded it. The master sent notifies and another slave got
>>> the zone transferred but NOT this slave (the nsd). The Nsd
>>> didn't get any notify.
>
>>> What am I doing wrong? :)
>
>>> Regards,
>
>>> Sofía
>
>>> On 04/02/14 11:22, W.C.A. Wijngaards wrote:
>>>> Hi Sofia,
>
>>>> Are you getting logs from NSD at all? Or does it have
>>>> similar trouble like unbound (it has very similar log code)
>>>> had for you (the logfile was not inside the chroot)? Then
>>>> you can see what it says about the Notify or about the zone
>>>> transfers (increase verbosity from 2 to 5 to see more and
>>>> more).
>
>>>> Best regards, Wouter
>
>>>> On 02/03/2014 05:01 PM, Sofía Silva Berenguer wrote:
>>>>> Wouter,
>
>>>>> Iptables is accepting connections in the port 53530. I
>>>>> telneted it from the master and it worked.
>
>>>>> I also verified with "lsof -ni:53530" that NSD is actually
>>>>> listening on that port, both in TCP and UDP.
>
>>>>> Regards,
>
>>>>> Sofía
>
>>>>> On 03/02/14 13:49, W.C.A. Wijngaards wrote:
>>>>>> Hi Sofia,
>
>>>>>> Is your computer configured with a firewall that blocks
>>>>>> traffic to port 53530? Otherwise, I am also getting out
>>>>>> of ideas, with the zone and allow-notify configured, NSD
>>>>>> prints what happens with verbosity >=2. Nothing is
>>>>>> printed, so I assume NSD does not actually get the
>>>>>> packet.
>
>>>>>> Best regards, Wouter
>
>>>>>> On 02/03/2014 04:38 PM, Sofía Silva Berenguer wrote:
>>>>>>> Wouter,
>
>>>>>>> I defined the pattern in nsd.conf and then added the
>>>>>>> zone with nsd-control addzone <zone> <pattern>. I
>>>>>>> didn't edit the file manually.
>
>>>>>>> I do see the zone with nsd-control zonestatus <zone>.
>
>>>>>>> Regards,
>
>>>>>>> Sofia
>
>>>>>>> On 03/02/14 13:13, W.C.A. Wijngaards wrote:
>>>>>>>> Hi,
>
>>>>>>>> How did you add it to the zone.list file? If you
>>>>>>>> edit the file manually, NSD does not pickup the
>>>>>>>> changes while it is running; and in fact (may)
>>>>>>>> overwrite your edits when it closes. Do you see the
>>>>>>>> zone with nsd-control zonestatus ?
>
>>>>>>>> Best regards, Wouter
>
>>>>>>>> On 02/03/2014 03:55 PM, Sofía Silva Berenguer wrote:
>>>>>>>>> Thank you for replying Wouter!
>
>>>>>>>>> The zone is listed in the zone.list file and it's
>>>>>>>>> spelled correctly. I added it using a pattern which
>>>>>>>>> includes both the allow-notify and the request-xfr
>>>>>>>>> lines:
>
>>>>>>>>> allow-notify: <master> NOKEY
>>>>>>>>> request-xfr: <master> NOKEY
>
>>>>>>>>> How can I check that the zone was correctly added?
>
>>>>>>>>> I'm sorry for asking such basic questions but I'm a
>>>>>>>>> newbie with NSD.
>
>>>>>>>>> Thank you a lot for your help!
>
>>>>>>>>> Regards,
>
>>>>>>>>> Sofía
>
>>>>>>>>> On 03/02/14 12:35, W.C.A. Wijngaards wrote:
>>>>>>>>>> Hi Sofía,
>
>>>>>>>>>> On 02/03/2014 03:03 PM, Sofía Silva Berenguer
>>>>>>>>>> wrote:
>>>>>>>>>>> Dear nsd-users members,
>
>>>>>>>>>>> I've installed Unbound and Nsd on a Centos 6.5
>>>>>>>>>>> server.
>
>>>>>>>>>>> NSD is the secondary (slave) name server for
>>>>>>>>>>> some zones. The primary (master) for those
>>>>>>>>>>> zones is a BIND server.
>
>>>>>>>>>>> Unbound is listening on the port 53 and NSD is
>>>>>>>>>>> listening on the port 53530.
>
>>>>>>>>>>> The master is set up to send notifies to the
>>>>>>>>>>> port 53530 of the slave server. (also-notify
>>>>>>>>>>> <slave IP address> port 53530)
>
>>>>>>>>>>> I'm having some issues when a zone is updated
>>>>>>>>>>> on the master. The master sends the notifies to
>>>>>>>>>>> the right port (53530). I can see the notifies
>>>>>>>>>>> with a tcpdump but NSD doesn't transfer the
>>>>>>>>>>> zone. I don't even see any message in the NSD
>>>>>>>>>>> log saying it received the notifies. (the
>>>>>>>>>>> "verbosity" parameter is set to 2).
>
>>>>>>>>>>> If NSD requests the transfer (nsd-control
>>>>>>>>>>> transfer <zone>) the transfer works. It just
>>>>>>>>>>> doesn't work when the transfer is supposed to
>>>>>>>>>>> be initiated by a notify sent by the master.
>
>>>>>>>>>>> I've already checked iptables and it is
>>>>>>>>>>> accepting connections to the port 53530.
>
>>>>>>>>>>> I've even tried stopping Unbound and setting
>>>>>>>>>>> up NSD to listen on the port 53 just in case
>>>>>>>>>>> this issue has anything to do with the
>>>>>>>>>>> non-standard port being used, but it didn't
>>>>>>>>>>> work either.
>
>>>>>>>>>>> Is there anything else I could check?
>
>>>>>>>>>> Have you checked that your NSD configuration
>>>>>>>>>> allows the notify, with the allow-notify:
>>>>>>>>>> <master-ipaddress> NOKEY statement. With
>>>>>>>>>> verbosity 2 it should print allowed or refused
>>>>>>>>>> for almost all notifies.
>
>>>>>>>>>> If NSD does not host the zone, then it prints
>>>>>>>>>> nothing at verbosity 2, instead it returns
>>>>>>>>>> 'nxdomain' rcode to the master. Do you have the
>>>>>>>>>> zone name spelled correctly in the NSD
>>>>>>>>>> configuration?
>
>>>>>>>>>> The zone should also have a request-xfr: <master
>>>>>>>>>> ip address> NOKEY in the nsd.conf file, so that it
>>>>>>>>>> knows where to transfer the zone from.
>
>>>>>>>>>> If you are using TSIG, try to disable it, if the
>>>>>>>>>> TSIG fails (i.e. you have the wrong TSIG key)
>>>>>>>>>> then NSD will also not print a log entry.
>
>>>>>>>>>>> Are you aware of any incompatibility between a
>>>>>>>>>>> BIND master and a NSD slave?
>
>>>>>>>>>> No, this should work.
>
>>>>>>>>>> Best regards, Wouter
>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> nsd-users mailing list nsd-users at NLnetLabs.nl
>>>>>>>>>> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
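The resolution at the top of the thread is worth turning into a check: the firewall accepted TCP on the NSD port but not UDP, so the telnet test from the master succeeded while every notify the BIND master sent over UDP was silently dropped, and NSD logged nothing because it never saw the packet. The script below is an added example, not code from the thread or from NLnet Labs. It checks an iptables-save ruleset for ACCEPT rules on both protocols for the NSD port and prints the rules that are missing, restricted to the master's address. The master address 192.0.2.10 and the two rulesets are constructed for the example; only the port 53530 comes from the thread.

```shell
#!/bin/sh
# Added example for this thread (not code from NLnet Labs or the posters).
# The slave accepted TCP on the NSD port but not UDP, so a telnet test
# succeeded while every NOTIFY from the BIND master was dropped.  This
# script checks an iptables-save ruleset for ACCEPT rules on BOTH protocols
# and prints the rules that are missing, restricted to the master's address.
#
# Assumptions (illustrative, not from the thread): master 192.0.2.10,
# NSD on port 53530 (the port is from the thread), iptables unless the
# master address contains ':' (then ip6tables).

MASTER=192.0.2.10
NSD_PORT=53530

# notify_rules_ok PORT   (ruleset in iptables-save format on stdin)
# Returns 0 only if an ACCEPT rule exists for both tcp and udp on PORT.
notify_rules_ok() {
    port=$1
    rules=$(cat)
    status=0
    for proto in tcp udp; do
        if ! printf '%s\n' "$rules" |
             grep -Eq -- "-p $proto .*--dport $port .*-j ACCEPT"; then
            echo "missing ACCEPT for $proto/$port (NOTIFY arrives over udp)" >&2
            status=1
        fi
    done
    return $status
}

# gen_rules MASTER PORT
# Prints (does not apply) one ACCEPT rule per protocol, limited to the
# master, using ip6tables when MASTER looks like an IPv6 address.
gen_rules() {
    master=$1
    port=$2
    case $master in
        *:*) tool=ip6tables ;;
        *)   tool=iptables ;;
    esac
    for proto in tcp udp; do
        echo "$tool -A INPUT -s $master -p $proto --dport $port -j ACCEPT"
    done
}

# Constructed ruleset reproducing the thread's misconfiguration:
# TCP accepted on 53530, no UDP rule, default INPUT policy DROP.
RULES_BROKEN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 53530 -j ACCEPT
COMMIT'

# Same ruleset with the UDP rule added (what fixed the problem).
RULES_FIXED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 53530 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 53530 -j ACCEPT
COMMIT'

if printf '%s\n' "$RULES_BROKEN" | notify_rules_ok "$NSD_PORT"; then
    echo "broken ruleset passed unexpectedly"
else
    echo "broken ruleset: add these rules:"
    gen_rules "$MASTER" "$NSD_PORT"
fi

if printf '%s\n' "$RULES_FIXED" | notify_rules_ok "$NSD_PORT"; then
    echo "fixed ruleset: tcp and udp both accepted on $NSD_PORT"
fi
```

On the live slave, run `iptables-save | notify_rules_ok 53530` as root (and the same with `ip6tables-save` for an IPv6 master) before trusting a telnet test; telnet only exercises TCP. The generated rules are source-restricted to the master on purpose: the port needs to accept notifies and AXFR/IXFR from the master, not from the whole Internet.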