[nsd-users] using 4.1.14 on debian, I can't get AXFR to work to a secondary
Anand Buddhdev
anandb at ripe.net
Sun May 14 06:46:46 UTC 2017
Hi John,
In your slave's config, you have:
request-xfr: 104.245.34.178 NOKEY
You've configured the slave's own IP address there, instead of the
master's IP address (104.219.54.106).
Regards,
Anand Buddhdev
On 14/05/2017 06:18, John Griessen wrote:
> I get error log messages like
>
>
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone casageorge.com:
> max notify send count reached, 104.245.34.178 at 53 unreachable
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone
> cottagematic.com: max notify send count reached, 104.245.34.178 at 53
> unreachable
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone labhw.com: max
> notify send count reached, 104.245.34.178 at 53 unreachable
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone cibolo.com: max
> notify send count reached, 104.245.34.178 at 53 unreachable
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone kitmatic.com:
> max notify send count reached, 104.245.34.178 at 53 unreachable
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone tankmatic.com:
> max notify send count reached, 104.245.34.178 at 53 unreachable
> [2017-05-13 23:42:25.380] nsd[13764]: info: new control connection from
> 127.0.0.1
> [2017-05-13 23:42:25.436] nsd[13764]: info: control cmd: reload
> [2017-05-14 00:22:43.913] nsd[13789]: info: axfr for kitmatic.com. from
> 216.218.133.2 refused, no acl matches
> [2017-05-14 00:35:55.638] nsd[13764]: info: new control connection from
> 127.0.0.1
> [2017-05-14 00:35:55.692] nsd[13764]: info: control cmd: reload
>
>
>
> on the master,
> and on the slave:
>
> [2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone griessen.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone ecosensory.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone cottagematic.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for cibolo.com. from
> 104.245.34.178 refused, no acl matches
> [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for casitageorge.com.
> from 104.245.34.178 refused, no acl matches
> [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for casageorge.com.
> from 104.245.34.178 refused, no acl matches
> [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for
> 34.245.104.in-addr.arpa. from 104.245.34.178 refused, no acl matches
> [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for
> 54.219.104.in-addr.arpa. from 104.245.34.178 refused, no acl matches
> [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone cibolo.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone casitageorge.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone casageorge.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone
> 34.245.104.in-addr.arpa received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone
> 54.219.104.in-addr.arpa received error code REFUSED from 104.245.34.178 at 53
>
>
> Does this look familiar to anyone? Have I got a mistake in nsd.conf?
>
> The master works OK, looks good at https://intodns.com/ecosensory.com
>
>
> ==master nsd.conf========================
>
> # ns1.cibolo.us
> # See the nsd.conf(5) man page.
>
> server:
> port: 53
> server-count: 1
> ip-address: 104.219.54.106
> do-ip4: yes
> do-ip6: no
> verbosity: 2
>
> database: "/var/lib/nsd/nsd.db" # the database to use
> hide-version: yes # don't answer VERSION.BIND queries
> logfile: "/var/log/nsd.log"
> pidfile: "/run/nsd/nsd.pid"
> zonesdir: "/etc/nsd"
> tcp-query-count: 180 # queries served on a single TCP conn
> xfrdfile: "/var/lib/nsd/xfrd.state"
> nsid: "ascii_ns1.cibolo.us" # NSID identity (hex string, or "ascii_somestring").
>
> remote-control:
> control-enable: yes
> control-interface: 127.0.0.1
> control-port: 8952
> server-key-file: "/etc/nsd/nsd_server.key"
> server-cert-file: "/etc/nsd/nsd_server.pem"
> control-key-file: "/etc/nsd/nsd_control.key"
> control-cert-file: "/etc/nsd/nsd_control.pem"
>
> key:
> name: "ns1-cibolo-us-key"
> algorithm: hmac-md5
> secret: "xxxxxXXXXXxxxxxXXXX"
>
> pattern:
> name: "toslave"
> notify: 104.245.34.178 NOKEY
> provide-xfr: 104.245.34.178 NOKEY
> notify: 216.218.131.2 NOKEY
> provide-xfr: 216.218.131.2 NOKEY
>
> zone:
> name: 54.219.104.in-addr.arpa
> zonefile: 54.219.104.in-addr.arpa
> include-pattern: "toslave"
>
> ==master nsd.conf========================
>
> ==slave nsd.conf========================
> server:
> server-count: 1
> port: 53
> ip-address: 104.245.34.178
> do-ip4: yes
> do-ip6: no
> verbosity: 2
>
> database: "/var/lib/nsd/nsd.db" # the database to use
> hide-version: yes # don't answer VERSION.BIND queries
> logfile: "/var/log/nsd.log"
> pidfile: "/run/nsd/nsd.pid"
> zonesdir: "/etc/nsd"
> tcp-query-count: 180 # queries served on a single TCP connection.
> xfrdfile: "/var/lib/nsd/xfrd.state"
> nsid: "ascii_ns2.cibolo.us" # NSID identity (hex string, or "ascii_somestring").
>
> remote-control:
> control-enable: yes
> control-interface: 127.0.0.1
> control-port: 8952
> server-cert-file: "/etc/nsd/nsd_server.pem"
> control-key-file: "/etc/nsd/nsd_control.key"
> control-cert-file: "/etc/nsd/nsd_control.pem"
>
> key:
> name: "ns1-cibolo-us-key"
> algorithm: hmac-md5
> secret: "xxxXXXxxxXXX"
>
>
> pattern:
> name: "frommaster"
> allow-notify: 104.245.34.178 NOKEY
> request-xfr: 104.245.34.178 NOKEY
>
> zone:
> name: 54.219.104.in-addr.arpa
> zonefile: 54.219.104.in-addr.arpa
> include-pattern: "frommaster"
>
> ==slave nsd.conf========================
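
An added example (not from either poster or from the NSD project) that automates the check described in the reply above: it flags `request-xfr`/`allow-notify` entries that name the server's own `ip-address`, and lists AXFR sources from "refused, no acl matches" log lines that no `provide-xfr` entry covers. The helper names are hypothetical, the sample input is condensed from the configs and master log quoted in this thread, and only single addresses and CIDR subnets are handled as ACL entries.

```python
import ipaddress
import re

# Sample input condensed from the configs and master log quoted in this thread.
SLAVE_CONF = """
server:
    ip-address: 104.245.34.178
pattern:
    name: "frommaster"
    allow-notify: 104.245.34.178 NOKEY
    request-xfr: 104.245.34.178 NOKEY
"""
MASTER_CONF = """
server:
    ip-address: 104.219.54.106
pattern:
    name: "toslave"
    provide-xfr: 104.245.34.178 NOKEY
    provide-xfr: 216.218.131.2 NOKEY
"""
MASTER_LOG = ("[2017-05-14 00:22:43.913] nsd[13789]: info: axfr for kitmatic.com. "
              "from 216.218.133.2 refused, no acl matches\n")

REFUSED = re.compile(r"axfr for (\S+) from (\S+) refused, no acl matches")

def options(conf):
    """Map each option name to the first address/value token of every occurrence."""
    out = {}
    for line in conf.splitlines():
        key, sep, val = line.split("#", 1)[0].strip().partition(":")
        # request-xfr may start with AXFR or UDP before the address
        tokens = [t.strip('"') for t in val.split() if t not in ("AXFR", "UDP")]
        if sep and tokens:
            out.setdefault(key, []).append(tokens[0].split("@")[0])  # drop @port
    return out

def self_referencing(conf):
    """Transfer options that name one of this server's own ip-address values."""
    opts = options(conf)
    own = set(opts.get("ip-address", []))
    return [(k, v) for k in ("request-xfr", "allow-notify")
            for v in opts.get(k, []) if v in own]

def unmatched_axfr(conf, log):
    """(zone, source) pairs refused because no provide-xfr entry covers the source."""
    nets = [ipaddress.ip_network(v, strict=False)
            for v in options(conf).get("provide-xfr", [])]
    return [(zone, src) for zone, src in REFUSED.findall(log)
            if not any(ipaddress.ip_address(src) in n for n in nets)]

if __name__ == "__main__":
    print(self_referencing(SLAVE_CONF))
    print(unmatched_axfr(MASTER_CONF, MASTER_LOG))
```

On the thread's data the first check reports both slave entries pointing at 104.245.34.178, and the second reports the refused transfer from 216.218.133.2, which differs from the 216.218.131.2 listed under `provide-xfr`.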