[nsd-users] Trouble moving nsd to containers

E Frank Ball frankb at frankb.us
Sat Nov 6 17:58:28 UTC 2021 

Jan

If the system time is off on the containers encrypted transfers won't work.
It doesn't have to be perfect, but within a minute or two.

Frank

On Fri, Nov 05, 2021 at 05:28:06PM +0100, Jan de Haan via nsd-users wrote:
 > Hi All,
 > 
 > after creating a classical setup (master, 2xauthoritatives,
 > 2xrecursors) working proof-of-concept out of nsd and unbound on vm's,
 > which went smoothly and flawlessly, I wanted to move the working
 > configs to Docker containers.
 > 
 > All went well, except for that the authoritative nsd instances are not
 > accepting notifications and/or the master is not accepting requests
 > for zonetransfer:
 > 
 > master:
 > 
 > nsd[9]: error: xfrd: zone 102.168.192.in-addr.arpa: received notify
 > response error REFUSED from 192.168.102.251
 > nsd[9]: error: xfrd: zone acme.lab:                 received notify
 > response error REFUSED from 192.168.102.251
 > 
 > authoritative 1:
 > 
 > nsd[9]: error: xfrd: zone acme.lab                  received error
 > code REFUSED from 192.168.102.250 at 53
 > nsd[9]: error: xfrd: zone 102.168.192.in-addr.arpa  received error
 > code REFUSED from 192.168.102.250 at 53
 > 
 > 250 is the master, 251 the authoritative.
 > 
 > Note that the differences between the working poc and non-working
 > container configs are extremely limited, especially the key:, pattern:
 > and zone: sections are identical.
 > 
 > My conclusions until now:
 > - it's not a connectivity issue, traffic arrives both ways.
 > - could be the NAT-ing between the containers, but tcpdump shows the
 > source ip addresses of arriving traffic to be the required outside ip
 > addresses of the containers as used in the nsd.conf's, so not the
 > cause either.
 > - I'm suspicious about having to remove the external ip address on
 > which the nsd processes are listening (the 'server: ip-address: '
 > statements) from the nsd.conf's.
 > 
 > Can someone show me the errors of my ways?
 > 
 > I don't know this lists' mores, so I refrain from dumping complete
 > configs and pcaps unless asked for.
 > 
 > Thanks in advance.
 > 
 > Jan.
 > _______________________________________________
 > nsd-users mailing list
 > nsd-users at lists.nlnetlabs.nl
 > https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users

More information about the nsd-users mailing list