[nsd-users] Getting Refused from stub-zone authoritative query record_Follow_up

Jeroen Koekkoek jeroen at nlnetlabs.nl
Wed Dec 14 11:04:37 UTC 2022


Hi Josh,

Setting up an acl does not relate to DNSSEC. It's really just
specifying which machines are allowed to query, xfr, etc. Normally,
you'd want to limit which machines are allowed to IXFR/AXFR the zone,
I'm not sure that applies in this situation though as it seems you just
want Unbound to redirect queries for internal domains to your
authoritative servers?

In that case, I think you only want to specify provide-xfr, etc and
leave allow-query alone(?)

If you really want to limit the machines that are allowed to query as
well, you probably want to check which source address is used for the
query. Perhaps just list all IPs assigned to your Unbound machines in
the NSD configuration(?)

I'd try limiting to IP first, and include TSIG after you're sure that
works (assuming you're still in a lab environment).

Hope that helps. Of course, feel free to follow up if you need
additional help.

- Jeroen


On Sat, 2022-12-10 at 22:21 -0500, info--- via nsd-users wrote:
> I would like to follow up on my previous message on the mailing list
> by saying that I have finally focused my issue to the tsig/ key ... The
> authoritative nsd1 (master) & nsd2 (slave) after NOKEY change works
> without an issue and I'm able to get zone records; having said that, I
> would like to have the keys set up / DNSSEC.
> 
> When setting up keys, setting up allow-query, and setting up patterns
> on each zone the previous unbound log still occurs (refuse) BUT now I
> can see new logs in the NSD not previously available (SLAVE ns2 works
> with keys and without keys meaning it gets serial from each of the zones
> in master / no error in nsd log)...
> 
>   The new logs entries after TSIG changes in nsd.log (Master):
> 
> [2022-12-10 19:17:57.370] nsd[6338]: info: query example.com. from DNS1 (unbound1_Global) refused, no acl matches .
> [2022-12-10 19:17:57.778] nsd[6338]: info: query example.com. from DNS1 (unbound1_Local_Alias) refused, no acl matches .
> [2022-12-10 19:17:57.370] nsd[6338]: info: query example.com. from DNS2 (unbound1_Global) refused, no acl matches .
> [2022-12-10 19:17:57.778] nsd[6338]: info: query example.com. from DNS2 (unbound1_Local_Alias) refused, no acl matches .
> 
> This occurs every time I use drill/dig to get information on the NSD
> zones I set up with the key.
> 
> I have looked into the issues but I have not been able to find
> exactly what the log means by "no acl matches" or how to remedy it,
> because I was under the impression that with the allow-query option in
> the pattern section and adding it to the zones it would serve as an
> access control list for NSD (maybe there is something else I must add
> as an acl). Any assistance on properly configuring this final step
> would be appreciated, I am kind of stuck at the moment.
> 
> -
> Josh
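As an added example (not part of the thread or of NSD's own documentation), this nsd.conf fragment applies the order Jeroen suggests: first restrict queries by source address only, then keep TSIG for zone transfers. The addresses, key name, secret and file paths are constructed placeholders; the option names (key, pattern, allow-query, provide-xfr, notify, include-pattern) are standard NSD configuration.

```conf
# Added example: NSD access control for internal zones that Unbound
# reaches through stub-zones. All addresses, the key name, the secret
# and the paths below are placeholders; substitute your own.

key:
    name: "xfr-key"
    algorithm: hmac-sha256
    # Placeholder only; use a freshly generated base64 secret.
    secret: "BASE64-SECRET-PLACEHOLDER"

pattern:
    name: "internal"
    zonefile: "/etc/nsd/zones/%s.zone"

    # Step 1: limit ordinary queries by source address. Once any
    # allow-query line exists for a zone, a query that matches none of
    # them is logged as "refused, no acl matches". Unbound does not
    # TSIG-sign its stub-zone queries, so NOKEY is what lets them in;
    # list every source address an Unbound host may use, including any
    # local alias address.
    allow-query: 192.0.2.10 NOKEY
    allow-query: 192.0.2.11 NOKEY

    # Naming a TSIG key instead of NOKEY requires the query itself to be
    # signed with that key, which an unsigned query from Unbound can
    # never satisfy; this is the shape that produces the refusals above.
    # allow-query: 192.0.2.10 xfr-key

    # Step 2: zone transfers to the secondary stay TSIG-protected.
    provide-xfr: 192.0.2.53 xfr-key
    notify: 192.0.2.53 xfr-key

zone:
    name: "example.com"
    include-pattern: "internal"
```

nsd-checkconf /etc/nsd/nsd.conf validates the syntax before a reload, and a query from a listed address should then stop appearing with "no acl matches" in nsd.log.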