[nsd-users] Fwd: Notify | transfer refused

Jordan Sullivan jdsully at gmail.com
Sat Mar 27 19:19:20 UTC 2021


Hello there,

Apologies for my last message.  I'm having some errors with my config: my
ns1 and ns2 are not transferring between each other.  I'm receiving
"received notify response error REFUSED" when I attempt zone transfers
(using nsd-control notify and nsd-control force_update, respectively).

My setup:  I'm using OpenBSD 6.7.  Unbound is resolving on port 53; if an
authoritative request is received, Unbound passes it to nsd on localhost
over port 5335.  This setup works well, except for the problem with ns1 and
ns2.

I saw another thread that recommended using the outgoing-interface:
attribute. I tried using it without success, specifying specific ports
and using defaults, on ipv4 and ipv6. I have also tried with my key and
NOKEY; the same errors are logged. I can provide my unbound.conf, forward &
reverse zone files if needed.

#ns1 nsd.conf

server:
port: 5335
ip-address: 10.x.y.211
ip-address: fd00:abc::d3
ip-address: 127.0.0.1
ip-address: ::1

server-count: 1
do-ip4: yes
do-ip6: yes

hide-version: yes
identity: "ns1.whatever.xyz"
zonesdir: "/var/nsd/etc"

logfile: nsd.log
verbosity: 2

remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 8952
server-key-file: nsd_server.key
server-cert-file: nsd_server.pem
control-key-file: nsd_control.key
control-cert-file: nsd_control.pem
key:
name: "sec_key"
algorithm: hmac-md5
secret: "redacted"
zone:
name: "whatever.xyz"
zonefile: whatever.xyz.forward"
notify: 10.x.y.212 sec_key
provide-xfr: 10.x.y.212 sec_key

notify: fd00:abc::d4 sec_key
provide-xfr: fd00:abc::d4 sec_key
zone:
name: "x.10.in-addr.arpa"
zonefile: "whatever.xyz.reverse"

notify: 10.x.y.212 sec_key
provide-xfr: 10.x.y.212 sec_key

notify: fd00:abc::d4 sec_key
provide-xfr: fd00:abc::d4 sec_key


#ns2 nsd.conf

server:
port: 5335
ip-address: 10.x.y.212
ip-address: fd00:abc::d4
ip-address: 127.0.0.1
ip-address: ::1

server-count: 1
do-ip4: yes
do-ip6: yes

hide-version: yes
identity: "ns2.whatever.xyz"
zonesdir: "/var/nsd/etc"

logfile: nsd.log
verbosity: 2

remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 8952
server-key-file: nsd_server.key
server-cert-file: nsd_server.pem
control-key-file: nsd_control.key
control-cert-file: nsd_control.pem
key:
name: "sec_key"
algorithm: hmac-md5
secret: "redacted"
zone:
name: "whatever.xyz"
zonefile: whatever.xyz.forward"
allow-notify: 10.x.y.211 sec_key
provide--xfr: 10.x.y.211 sec_key

allow-notify: fd00:abc::d3 sec_key
provide-xfr: fd00:abc::d3 sec_key
zone:
name: "x.10.in-addr.arpa"
zonefile: "whatever.xyz.reverse"

allow-notify: 10.x.y.211 sec_key
request-xfr: 10.x.y.211 sec_key

allow-notify: fd00:abc::d3 sec_key
request-xfr: fd00:abc::d3 sec_key
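An added example, not part of the original post and not NSD code: a small lint for the zone clauses of an nsd.conf like the two above. It flags near-miss spellings of the transfer attributes, a zone that has allow-notify but no request-xfr, and notify/request-xfr targets written without @port when the peer listens on a non-default port (5335 in this setup). The sample config, its addresses and zone names are constructed; the checks assume nsd.conf(5) semantics, where an address without an @port suffix is contacted on port 53.

```python
import difflib
import re

XFER_KEYS = ["notify", "provide-xfr", "allow-notify", "request-xfr"]
SECTIONS = {"server", "remote-control", "key", "zone", "pattern"}

def parse_zones(text):
    """Return one [(attribute, args), ...] list per zone: clause."""
    zones, section = [], None
    for raw in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9-]+):\s*(.*)$", raw.split("#", 1)[0])
        key, val = (m.group(1), m.group(2).strip()) if m else ("", "")
        if key in SECTIONS and not val:
            section = key
            if key == "zone":
                zones.append([])
        elif section == "zone" and key:
            zones[-1].append((key, val.split()))
    return zones

def lint(text, peer_port=53):
    """Return (zone, finding) tuples; peer_port is where the other server listens."""
    findings = []
    for opts in parse_zones(text):
        zone = next((a[0].strip('"') for k, a in opts if k == "name" and a), "?")
        for key, args in opts:
            near = difflib.get_close_matches(key, XFER_KEYS, n=1, cutoff=0.85)
            if key not in XFER_KEYS and near:
                findings.append((zone, f"unknown attribute {key} (meant {near[0]}?)"))
            if key in ("notify", "request-xfr") and peer_port != 53:
                addr = next((a for a in args if a not in ("AXFR", "UDP")), "")
                if "@" not in addr:
                    findings.append((zone, f"{key} {addr} goes to port 53, peer is on {peer_port}"))
        keys = [k for k, _ in opts]
        if "allow-notify" in keys and "request-xfr" not in keys:
            findings.append((zone, "allow-notify without request-xfr"))
    return findings

# Constructed secondary-side sample (documentation addresses, hypothetical zone names).
SAMPLE = """
zone:
    name: "example.test"
    allow-notify: 192.0.2.11 sec_key
    provide--xfr: 192.0.2.11 sec_key
zone:
    name: "2.0.192.in-addr.arpa"
    allow-notify: 192.0.2.11 sec_key
    request-xfr: 192.0.2.11 sec_key
    request-xfr: AXFR 192.0.2.11@5335 sec_key
"""
```

Calling `lint(SAMPLE, peer_port=5335)` returns three findings: the misspelled attribute and the missing request-xfr on the first zone, and the port-less request-xfr target on the second.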