[nsd-users] Trouble moving nsd to containers

[Jan de Haan]

Hi All,

after creating a classical setup (master, 2xauthoritatives,
2xrecursors) working proof-of-concept out of nsd and unbound on vm's,
which went smoothly and flawlessly, I wanted to move the working
configs to Docker containers.

All went well, except for that the authoritative nsd instances are not
accepting notifications and/or the master is not accepting requests
for zonetransfer:

master:

nsd[9]: error: xfrd: zone 102.168.192.in-addr.arpa: received notify
response error REFUSED from 192.168.102.251
nsd[9]: error: xfrd: zone acme.lab:                 received notify
response error REFUSED from 192.168.102.251

authoritative 1:

nsd[9]: error: xfrd: zone acme.lab                  received error
code REFUSED from 192.168.102.250 at 53
nsd[9]: error: xfrd: zone 102.168.192.in-addr.arpa  received error
code REFUSED from 192.168.102.250 at 53

250 is the master, 251 the authoritative.

Note that the differences between the working poc and non-working
container configs are extremely limited, especially the key:, pattern:
and zone: sections are identical.

My conclusions until now:
- it's not a connectivity issue, traffic arrives both ways.
- could be the NAT-ing between the containers, but tcpdump shows the
source ip addresses of arriving traffic to be the required outside ip
addresses of the containers as used in the nsd.conf's, so not the
cause either.
- I'm suspicious about having to remove the external ip address on
which the nsd processes are listening (the 'server: ip-address: '
statements) from the nsd.conf's.

Can someone show me the errors of my ways?

I don't know this lists' mores, so I refrain from dumping complete
configs and pcaps unless asked for.

Thanks in advance.

Jan.