[nsd-users] nsd refusing secondary AXFR

Anand Buddhdev anandb at ripe.net
Wed Sep 10 13:19:05 UTC 2014

On 10/09/2014 14:20, shmick at riseup.net wrote:

Dear shmick,

> Each time the designated secondary NS requests AXFR, my nsd server sends
> REFUSED, which I can see from tcpdumps.
> I've set up debug logging and it reports:
> info: axfr for zone example.com. from client refused, no acl matches
> I've simply set it up as follows in nsd.conf & no problems with nsd-checkconf
> zone:
>     name: example.com.
>     zonefile: example.com.signed
>     notify: at 53 NOKEY
>     provide-xfr: at 53 NOKEY

This is your problem. You're telling the NSD master that the slave must
connect from address *and* source port 53. However, the slave
will most likely use an ephemeral port number, so the ACL will not
match. Change that to:

provide-xfr: NOKEY


Anand Buddhdev
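
A quick check for the misconfiguration discussed in this thread, as an added example that is not part of the original messages: it lists every provide-xfr entry in an nsd.conf whose ip-spec carries an @port suffix and would therefore only match transfers from that source port. The function names and the 192.0.2.10 address in the sample config are constructed for illustration.

```shell
# Print "<section> <name> <ip-spec>" for each provide-xfr ACL pinned to a port.
# $1 = path to an nsd.conf file.
find_port_pinned_xfr() {
    awk '
        { sub(/#.*/, "") }                      # drop comments, fields are re-split
        NF == 1 && $1 ~ /:$/ {                  # section header such as "zone:" or "pattern:"
            section = substr($1, 1, length($1) - 1)
            name = "(unnamed)"
            next
        }
        $1 == "name:" { name = $2 }
        # An ip-spec ending in @<number> restricts the ACL to that source port.
        $1 == "provide-xfr:" && $2 ~ /@[0-9]+$/ { print section, name, $2 }
    ' "$1"
}

# Write a constructed sample config (documentation addresses) to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
zone:
    name: example.com.
    zonefile: example.com.signed
    notify: 192.0.2.10@53 NOKEY
    provide-xfr: 192.0.2.10@53 NOKEY   # matches only source port 53
zone:
    name: example.net.
    zonefile: example.net.signed
    notify: 192.0.2.10@53 NOKEY
    provide-xfr: 192.0.2.10 NOKEY      # matches any source port
EOF
}

# Demo run against the sample config.
conf=$(mktemp)
write_sample_conf "$conf"
find_port_pinned_xfr "$conf"
rm -f "$conf"
```

Only provide-xfr lines are reported; the @53 on notify lines is left alone because there it names the port the NOTIFY is sent to.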
