[nsd-users] Zonetranfer_refused
Oliver Niesner
oliver.niesner at gmail.com
Wed Aug 31 08:01:58 UTC 2022
Hello,
I'm new to nsd and I tried to set up two NS, dns1 and dns2, with unbound as a resolver on each NS.
unbound is listening on port 53, therefore I used port 5353 for nsd.
dns1 should do a zone transfer to dns2.
To keep things simple I use no encryption (NOKEY).
nsd-checkconf gives no errors
nsd-checkzone gives no errors in forward or reverse zone
The zone transfer between the two fails with the following error(s):
dns1:
Aug 31 08:32:34 dns1 nsd[37829]: xfrd: zone example.com: max notify send count reached, 45.xx.yy.195@5353 unreachable
Aug 31 08:40:23 dns1 nsd[37833]: axfr for example.com. from 45.xx.yy.195 refused, no acl matches
dns2:
Aug 31 08:32:34 dns2 nsd[5149]: notify for example.com. from 45.xx.yy.194 refused, no acl matches.
I tried to leave out the "@5353", but then there is no communication at all.
tcpdump:
09:07:26.130431 IP 45.xx.yy.194.47272 > 45.xx.yy.195.5353: 60694 notify [b2&3=0x2400] [1a] SOA (QM)? 2.0.192.in-addr.arpa. (126)
09:07:26.130546 IP 45.xx.yy.194.36486 > 45.xx.yy.195.5353: 42430 notify [b2&3=0x2400] [1a] SOA (QM)? example.com. (108)
09:07:26.131360 IP 45.xx.yy.195.5353 > 45.xx.yy.194.47272: 60694 notify Refused*- [0q] 0/0/0 (12)
09:07:26.131377 IP 45.xx.yy.195.5353 > 45.xx.yy.194.36486: 42430 notify Refused*- [0q] 0/0/0 (12)
dns1-config:

# See /usr/share/doc/nsd/examples/nsd.conf for a commented
# reference config file.
include: "/etc/nsd/nsd.conf.d/*.conf"
# include: "/etc/nsd/zones/zones.conf"

server:
    # log only to syslog.
    log-only-syslog: yes
    debug-mode: yes
    verbosity: 5
    username: nsd
    pidfile: "/run/nsd/nsd.pid"
    # uncomment to specify specific interfaces to bind (default all).
    #ip-address: 45.xx.yy.194
    # port to answer queries on. default is 53.
    port: 5353
    # Number of NSD servers to fork.
    server-count: 1
    # listen only on IPv4 connections
    ip4-only: yes
    # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
    hide-version: yes
    # identify the server (CH TXT ID.SERVER entry).
    identity: "serverteam"
    # The directory for zonefile: files.
    zonesdir: "/etc/nsd"

key:
    name: "sec_key"
    algorithm: hmac-md5
    secret: "TAXxQRTb0ZL9eWqImm3nWFRBc3yhfrBVLCGxzE/8jYg="

remote-control:
    # this allows the use of 'nsd-control' to control NSD. The default is "no"
    control-enable: yes
    # the interface NSD listens to for nsd-control. The default is 127.0.0.1
    control-interface: 127.0.0.1
    # the key files that allow the use of 'nsd-control'. The default path is "/etc/nsd/". Create these using the 'nsd-control-setup' utility
    server-key-file: /etc/nsd/nsd_server.key
    server-cert-file: /etc/nsd/nsd_server.pem
    control-key-file: /etc/nsd/nsd_control.key
    control-cert-file: /etc/nsd/nsd_control.pem

zone:
    name: "example.com"
    zonefile: "db.example"
    notify: 45.xx.yy.195@5353 NOKEY
    provide-xfr: 45.xx.yy.195@5353 NOKEY
    outgoing-interface: 45.xx.yy.194

zone:
    name: "2.0.192.in-addr.arpa"
    zonefile: "db.192"
    notify: 45.xx.yy.195@5353 NOKEY
    provide-xfr: 45.xx.yy.195@5353 NOKEY
    outgoing-interface: 45.xx.yy.194
dns2-config is the same except for the listening address and the zone part:

zone:
    name: "example.com"
    zonefile: "db.example"
    allow-notify: 45.xx.yy.194@5353 NOKEY
    request-xfr: 45.xx.yy.194@5353 NOKEY
    outgoing-interface: 45.xx.yy.195

zone:
    name: "2.0.192.in-addr.arpa"
    zonefile: "db.192"
    allow-notify: 45.xx.yy.194@5353 NOKEY
    request-xfr: 45.xx.yy.194@5353 NOKEY
    outgoing-interface: 45.xx.yy.195
I don't know what I'm missing; any advice would be helpful. Thank you in advance.
Oliver
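Added illustration, not part of the post above or of NSD's own code: a small Python model of NSD's ACL check for incoming NOTIFY and AXFR packets, run over the two NOTIFY lines from the tcpdump in the post. It assumes the rule from nsd.conf(5) that a @port suffix on an allow-notify or provide-xfr entry is compared against the source port of the incoming packet (only on notify and request-xfr is it the destination port), and substitutes constructed 192.0.2.x addresses for the masked 45.xx.yy.* ones.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Address part of a tcpdump line: "IP src.sport > dst.dport:"
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_ip_spec(ip_spec: str) -> Tuple[ipaddress.IPv4Network, Optional[int]]:
    """Split an nsd ip-spec such as '192.0.2.194@5353' or '192.0.2.0/24' into
    (network, port); port is None when there is no @port suffix."""
    addr, _, port = ip_spec.partition("@")
    return ipaddress.ip_network(addr, strict=False), (int(port) if port else None)


def acl_matches(ip_spec: str, src_ip: str, src_port: int) -> bool:
    """Model (assumed, per nsd.conf(5)) of how nsd matches an incoming packet
    against an allow-notify / provide-xfr entry: the source address must lie
    inside the prefix and, if the entry carries @port, that port must equal the
    packet's SOURCE port, not the port nsd itself listens on."""
    network, port = parse_ip_spec(ip_spec)
    if ipaddress.ip_address(src_ip) not in network:
        return False
    return port is None or port == src_port


def evaluate(tcpdump_lines: List[str], ip_spec: str) -> List[Tuple[int, bool]]:
    """For each packet line return (source port, would the ACL entry match)."""
    results = []
    for line in tcpdump_lines:
        m = PKT_RE.search(line)
        if m is None:
            continue  # not a packet line
        src_ip, src_port = m.group(1), int(m.group(2))
        results.append((src_port, acl_matches(ip_spec, src_ip, src_port)))
    return results


# Constructed sample: the two NOTIFYs from the post, with the masked addresses
# replaced by 192.0.2.194 (dns1) and 192.0.2.195 (dns2).
NOTIFY_LINES = [
    "09:07:26.130431 IP 192.0.2.194.47272 > 192.0.2.195.5353: 60694 notify [b2&3=0x2400] [1a] SOA (QM)? 2.0.192.in-addr.arpa. (126)",
    "09:07:26.130546 IP 192.0.2.194.36486 > 192.0.2.195.5353: 42430 notify [b2&3=0x2400] [1a] SOA (QM)? example.com. (108)",
]

if __name__ == "__main__":
    # Port pinned on the receiving entry: ephemeral source ports never match ("refused, no acl matches").
    print(evaluate(NOTIFY_LINES, "192.0.2.194@5353"))  # [(47272, False), (36486, False)]
    # The same entry without @port matches both packets.
    print(evaluate(NOTIFY_LINES, "192.0.2.194"))       # [(47272, True), (36486, True)]
```

The model only covers the address and port part of the match; key (TSIG) checking, BLOCKED entries and range forms of ip-spec are left out.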