[nsd-users] Notify refused, no acl matches

Alexander Varejão frater.alexander at gmail.com
Wed Jun 29 17:04:24 UTC 2022


Hi Dears,

I'm new to NSD and I'm trying to test it.

I've seen other topics about it, but I think this isn't the same issue.

I have two machines:

- One authoritative server using bind9
- One secondary server using NSD

I'm confused about the NSD config, could someone help me with it?

My authoritative server has the following configuration:

-----------------------------------------------------------------------------
options {
  directory        "xxx";
  pid-file         "xxx/named.pid";
  listen-on        {127.0.0.1; X.X.X.X;};
  listen-on-v6     {Y.Y.Y.Y;};
  recursion        no;
  notify           explicit;
  notify-source    X.X.X.X;
  notify-source-v6 Y.Y.Y.Y;
  transfers-out    200;
  allow-transfer   {127.0.0.1; Z.Z.Z.Z;};
  also-notify      {Z.Z.Z.Z;};
  version          "surely you must be joking";

  // DNSSec
  sig-validity-interval 1080 1;
  dnssec-dnskey-kskonly yes;
  update-check-ksk yes;
};

key "rndc_key" {algorithm hmac-md5;
secret "KEY_A_HERE";};
controls {inet 127.0.0.1 allow {localhost;} keys {rndc_key;};};

key "upd_key" {algorithm hmac-md5;
secret "KEY_B_HERE";};

zone "." IN {type hint; file "etc/bind/db.root";};

// Zones
include "xxx/xxx/named.conf.local";

-----------------------------------------------------------------------------

The zones here are configured and work fine.

My secondary server (with NSD) has the following configuration:

-----------------------------------------------------------------------------
include: "/etc/nsd/nsd.conf.d/*.conf"
server:
   server-count: ...
   ip-address: Z.Z.Z.Z
   ip-address: 127.0.0.1
   do-ip4: yes
   do-ip6: yes
   port: 53
   username: nsd
   zonesdir: "/var/lib/nsd/db/"
   database: "/var/lib/nsd/nsd.db"
   logfile: "/var/log/nsd/nsd.log"
   pidfile: "/var/run/nsd/nsd.pid"
   xfrdfile: "/var/lib/nsd/xfrd.state"
   xfrdir: "/tmp"
   hide-version: no
   version: "NSD"
   zonefiles-write: 3600
   rrl-ratelimit: 200
   verbosity: 3
   debug-mode: yes

remote-control:
    control-enable: yes

key:
   name: "upd_key"
   algorithm: hmac-md5
   secret: "KEY_B_HERE"
-----------------------------------------------------------------------------


My zones in /etc/nsd/nsd.conf.d/*.conf have the following content:

-----------------------------------------------------------------------------
zone:
    # this server is secondary, X.X.X.X is primary.
    name: foo.bar
    zonefile: "00/foo.bar/foo.bar"
    allow-notify: X.X.X.X upd_key
    request-xfr: X.X.X.X  upd_key
-----------------------------------------------------------------------------

Well, I created this fake zone and it works fine.

If I run the dig command on my secondary I get the following result
(A.A.A.A is a fake address):

-----------------------------------------------------------------------------
dig @localhost www.foo.bar +short
A.A.A.A
-----------------------------------------------------------------------------

Now, I have my problem:

When I try to update my zone on the master, my secondary logs an error:

----------------------------------------------------------------------------
nsd[203933]: info: notify for foo.bar. from X.X.X.X refused, no acl matches.
----------------------------------------------------------------------------

And my dig query has no answer:

-----------------------------------------------------------------------------
dig @localhost www.foo.bar +short

-----------------------------------------------------------------------------

But if I run "nsd-control force_transfer foo.bar" or if I restart NSD, my
update works:

------------------------------------------------------------------------------
nsd[202429]: info: control cmd:  force_transfer foo.bar
nsd[202429]: info: xfrd: zone foo.bar written received XFR packet from
X.X.X.X with serial [NUMBER HERE] to disk
nsd[203931]: info: xfrd: zone foo.bar committed "received update to serial
[NUMBER HERE] at [DATE] from X.X.X.X TSIG verified with key upd_key"
nsd[202429]: info: zone foo.bar serial [NUMBER HERE] is updated to [NUMBER
HERE]
------------------------------------------------------------------------------

And my dig query works OK:

-----------------------------------------------------------------------------
dig @localhost www.foo.bar +short
A.A.A.A
-----------------------------------------------------------------------------

My question is: why does the notify fail, while an NSD restart or a
"force_transfer" works fine?

Could someone help me?

Regards
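The log line "notify for foo.bar. from X.X.X.X refused, no acl matches." is NSD's way of saying that none of the zone's `allow-notify:` entries matched the NOTIFY as it was received. In NSD an entry of the form `ip-spec key-name` only matches a NOTIFY that arrives signed with that TSIG key, and `ip-spec NOKEY` only matches an unsigned one; the `request-xfr:` ACL is evaluated separately, which is why `force_transfer` (which never involves a NOTIFY) and a restart still pull the zone. The following is an added illustration of that matching rule, not NSD's own code; the addresses, zone name and the wording of the "accepted" line are constructed:

```python
# Added model of how NSD evaluates an allow-notify ACL for an inbound NOTIFY.
# Illustration only (not NSD source); sample addresses and key names are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One allow-notify entry: an ip-spec followed by a TSIG key name or NOKEY."""
    ip: str
    key: Optional[str]       # None stands for NOKEY (matches only unsigned NOTIFYs)


@dataclass(frozen=True)
class Notify:
    """An inbound NOTIFY as the daemon sees it after parsing the packet."""
    zone: str
    source_ip: str
    tsig_key: Optional[str]  # name of the key whose TSIG verified, None if unsigned


def parse_allow_notify(spec: str) -> AclEntry:
    """Parse the value of an nsd.conf 'allow-notify:' line, e.g. 'X.X.X.X upd_key'."""
    parts = spec.split()
    if len(parts) != 2:
        raise ValueError(f"expected 'ip-spec key-name|NOKEY', got {spec!r}")
    ip, key = parts
    return AclEntry(ip=ip, key=None if key.upper() == "NOKEY" else key)


def entry_matches(entry: AclEntry, notify: Notify) -> bool:
    """Source address must match AND the TSIG state must agree with the key clause."""
    if entry.ip != notify.source_ip:
        return False
    if entry.key is None:                 # NOKEY entry: only an unsigned NOTIFY matches
        return notify.tsig_key is None
    return notify.tsig_key == entry.key   # keyed entry: must be signed with that key


def check_notify(acl: List[AclEntry], notify: Notify) -> Tuple[bool, str]:
    """Walk the ACL in order; return (accepted, log line). The refusal text mirrors
    the page's log message, the acceptance text is constructed wording."""
    for entry in acl:
        if entry_matches(entry, notify):
            return True, f"notify for {notify.zone}. from {notify.source_ip} accepted"
    return False, f"notify for {notify.zone}. from {notify.source_ip} refused, no acl matches."


def demo() -> dict:
    """Evaluate the page's ACL ('X.X.X.X upd_key') against four constructed NOTIFYs."""
    primary = "192.0.2.10"                # constructed stand-in for the page's X.X.X.X
    acl = [parse_allow_notify(f"{primary} upd_key")]
    cases = {
        "unsigned":          Notify("foo.bar", primary, None),        # what the page observes
        "signed_upd_key":    Notify("foo.bar", primary, "upd_key"),   # what the ACL expects
        "signed_other_key":  Notify("foo.bar", primary, "rndc_key"),
        "wrong_source":      Notify("foo.bar", "198.51.100.7", "upd_key"),
    }
    return {name: check_notify(acl, n) for name, n in cases.items()}


if __name__ == "__main__":
    for name, (ok, msg) in demo().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REFUSE'}  {msg}")
```

Only the NOTIFY signed with `upd_key` from the configured address is accepted; an unsigned NOTIFY from the very same address is refused with exactly the message in the post. On the sending side, BIND only signs a NOTIFY when the `also-notify` entry names a key (`also-notify { Z.Z.Z.Z key upd_key; };`); with a bare address the NOTIFY goes out unsigned, while the zone transfer that follows a `force_transfer` is requested by NSD under the separate `request-xfr:` ACL and is signed because that line names the key. Tightening `verbosity` does not change the outcome; checking whether the received NOTIFY carries a TSIG RR (for example in a packet capture on the secondary) is the quickest way to confirm which of the two cases above applies.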