[nsd-users] Notify refused, no acl matches
Alexander Varejão
frater.alexander at gmail.com
Wed Jun 29 17:04:24 UTC 2022
Hi Dears,
I'm new to NSD and I'm trying to test it.
I have seen other topics about it, but I think this is not the same issue.
I have two machines:
- One authoritative server using bind9
- One secondary server using NSD
I'm confused about NSD config, could someone help me about it?
My authoritative server has the following configuration:
-----------------------------------------------------------------------------
options {
    directory "xxx";
    pid-file "xxx/named.pid";
    listen-on { 127.0.0.1; X.X.X.X; };
    listen-on-v6 { Y.Y.Y.Y; };
    recursion no;
    notify explicit;
    notify-source X.X.X.X;
    notify-source-v6 Y.Y.Y.Y;
    transfers-out 200;
    allow-transfer { 127.0.0.1; Z.Z.Z.Z; };
    also-notify { Z.Z.Z.Z; };
    version "surely you must be joking";
    // DNSSEC
    sig-validity-interval 1080 1;
    dnssec-dnskey-kskonly yes;
    update-check-ksk yes;
};
key "rndc_key" {algorithm hmac-md5;
secret "KEY_A_HERE";};
controls {inet 127.0.0.1 allow {localhost;} keys {rndc_key;};};
key "upd_key" {algorithm hmac-md5;
secret "KEY_B_HERE";};
zone "." IN {type hint; file "etc/bind/db.root";};
// Zones
include "xxx/xxx/named.conf.local";
-----------------------------------------------------------------------------
The zones here are configured and work fine.
My secondary server (with NSD) has the following configuration:
-----------------------------------------------------------------------------
include: "/etc/nsd/nsd.conf.d/*.conf"
server:
    server-count: ...
    ip-address: Z.Z.Z.Z
    ip-address: 127.0.0.1
    do-ip4: yes
    do-ip6: yes
    port: 53
    username: nsd
    zonesdir: "/var/lib/nsd/db/"
    database: "/var/lib/nsd/nsd.db"
    logfile: "/var/log/nsd/nsd.log"
    pidfile: "/var/run/nsd/nsd.pid"
    xfrdfile: "/var/lib/nsd/xfrd.state"
    xfrdir: "/tmp"
    hide-version: no
    version: "NSD"
    zonefiles-write: 3600
    rrl-ratelimit: 200
    verbosity: 3
    debug-mode: yes
remote-control:
    control-enable: yes
key:
    name: "upd_key"
    algorithm: hmac-md5
    secret: "KEY_B_HERE"
-----------------------------------------------------------------------------
My zones in /etc/nsd/nsd.conf.d/*.conf have the following content:
-----------------------------------------------------------------------------
zone:
# this server is secondary, X.X.X.X is primary.
name: foo.bar
zonefile: "00/foo.bar/foo.bar"
allow-notify: X.X.X.X upd_key
request-xfr: X.X.X.X upd_key
-----------------------------------------------------------------------------
Well, I created this fake zone and it works fine.
If I run the dig command on my secondary I get the following result
(A.A.A.A is a fake address)
-----------------------------------------------------------------------------
dig @localhost www.foo.bar +short
A.A.A.A
-----------------------------------------------------------------------------
Now, I have my problem:
When I try to update my zone on the master, my secondary logs an error:
----------------------------------------------------------------------------
nsd[203933]: info: notify for foo.bar. from X.X.X.X refused, no acl matches.
----------------------------------------------------------------------------
And my dig query has no answer
-----------------------------------------------------------------------------
dig @localhost www.foo.bar +short
-----------------------------------------------------------------------------
But if I run "nsd-control force_transfer foo.bar" or if I restart NSD, my
update works:
------------------------------------------------------------------------------
nsd[202429]: info: control cmd: force_transfer foo.bar
nsd[202429]: info: xfrd: zone foo.bar written received XFR packet from
X.X.X.X with serial [NUMBER HERE] to disk
nsd[203931]: info: xfrd: zone foo.bar committed "received update to serial
[NUMBER HERE] at [DATE] from X.X.X.X TSIG verified with key upd_key"
nsd[202429]: info: zone foo.bar serial [NUMBER HERE] is updated to [NUMBER
HERE]
------------------------------------------------------------------------------
And my dig query works ok
-----------------------------------------------------------------------------
dig @localhost www.foo.bar +short
A.A.A.A
-----------------------------------------------------------------------------
My question is: why does the notify fail while an NSD restart or a
"force_transfer" works fine?
Could someone help me?
Regards
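Editor's note on the log line quoted above: "refused, no acl matches" is NSD reporting that the incoming NOTIFY matched no entry of the zone's allow-notify list. The only entry in the posted zone fragment is "X.X.X.X upd_key", which NSD matches only when the NOTIFY is TSIG-signed with upd_key. BIND signs NOTIFY messages only when the also-notify entry (or a server statement for that address) names a key, so the unsigned NOTIFY from X.X.X.X is refused, while force_transfer and a restart work because the request-xfr entry makes NSD send its own SOA query and AXFR/IXFR signed with upd_key. The fragment below is an added example of the primary-side fix; it is not configuration from the original post, and it reuses the post's placeholders (X.X.X.X, Z.Z.Z.Z, upd_key, KEY_B_HERE) as assumptions.

```conf
// named.conf fragment (added example, not from the post): make BIND
// TSIG-sign the NOTIFYs it sends to the NSD secondary at Z.Z.Z.Z.

key "upd_key" {
    // Algorithm and secret must be byte-for-byte identical to the
    // NSD 'key:' block. hmac-md5 is weak; hmac-sha256 is the better
    // choice, but it must then be changed on both sides at once.
    algorithm hmac-md5;
    secret "KEY_B_HERE";
};

options {
    // Only the also-notify targets receive NOTIFY.
    notify explicit;
    // The NOTIFY must leave from the address NSD's ACL names.
    notify-source X.X.X.X;
    // The 'key' clause is what makes BIND sign the NOTIFY; without it
    // NSD's 'allow-notify: X.X.X.X upd_key' refuses the message.
    also-notify { Z.Z.Z.Z key upd_key; };
    // Since NSD already signs its request-xfr with upd_key, AXFR/IXFR
    // can be restricted to the key instead of to addresses alone.
    allow-transfer { key upd_key; };
};
```

After `rndc reconfig` on the primary and a zone change plus `rndc reload`, the NSD log should show the notify being accepted for foo.bar. and the transfer following with "TSIG verified with key upd_key", as in the force_transfer output above. The alternative is to relax the NSD side with `allow-notify: X.X.X.X NOKEY`, which accepts unsigned NOTIFYs from that address; a forged NOTIFY then only triggers an extra SOA check and a signed transfer, but keeping the NOTIFY signed is the stronger configuration. `nsd-checkconf /etc/nsd/nsd.conf` and `named-checkconf` verify each side parses before reloading.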