[nsd-users] NSD incorrectly logging DNAME as refused?

Jamie Landeg-Jones jamie at catflap.org
Wed Jul 3 02:12:01 UTC 2024


I just noticed this with NSD 4.10.0 (and earlier versions - it's not a
new regression)

I have nsd set to log refused requests to syslog.

After adding a DNAME type into my dns for one sub-zone that is being moved,
I noticed that legitimate requests for hosts under that subdomain are working
as expected, however they are being logged as refused.

As a quick replicable test, I just did this to demonstrate the issue.

Firstly, I added this to my dyslexicfish.net domain:

nsdtest IN DNAME hello.example.com.

Then, update serial, reload, watch it propagate to secondaries etc., then
from a machine with no specific acls (i.e. not from one of the primaries
or secondaries):

 | # dig sjsjqju2qu.nsdtest.dyslexicfish.net.
 | 
 | ; <<>> DiG 9.18.27 <<>> sjsjqju2qu.nsdtest.dyslexicfish.net.
 | ;; global options: +cmd
 | ;; Got answer:
 | ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53148
 | ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
 | 
 | ;; OPT PSEUDOSECTION:
 | ; EDNS: version: 0, flags:; udp: 1232
 | ; COOKIE: eef66b9e45770f3e010000006684ada8ca27d2ccb2d7c25f (good)
 | ;; QUESTION SECTION:
 | ;sjsjqju2qu.nsdtest.dyslexicfish.net. IN        A
 | 
 | ;; ANSWER SECTION:
 | nsdtest.dyslexicfish.net. 86363 IN      DNAME   hello.example.com.
 | sjsjqju2qu.nsdtest.dyslexicfish.net. 86363 IN CNAME sjsjqju2qu.hello.example.com.
 | 
 | ;; AUTHORITY SECTION:
 | example.com.            3600    IN      SOA     ns.icann.org. noc.dns.icann.org. 2024041842 7200 3600 1209600 3600
 | 
 | ;; Query time: 30 msec
 | ;; SERVER: 205.166.94.24#53(205.166.94.24) (UDP)
 | ;; WHEN: Wed Jul 03 01:47:17 UTC 2024
 | ;; MSG SIZE  rcvd: 213

This produces this via syslog on the nsd servers:

 | Jul  3 02:46:43 <daemon.info> catnip nsd[3620]: query sjsjqju2qu.nsdtest.dyslexicfish.net. from 205.166.94.24 refused, no acl matches .

As can be seen from "dig", the result is valid, and everything works as
suspected, I'm just getting rather a lot of those "refused" messages, as
the domain gets a lot of traffic!

I know I can disable the logging of such messages, but I do want to log
them when they are legitimate!

(Obviously I first noticed this on a valid DNAME target zone of mine;
I just used 'hello.example.com' in the above demonstration to show that
it's nothing weird going on with my setup - delegating to any domain that
the nsd server itself doesn't serve causes the issue)

Any ideas? And apologies for any late-night incoherencies in this message!

Cheers, Jamie

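An added example, not part of Jamie's post or of NSD itself: a small log filter that reads NSD "refused, no acl matches" lines (the line format is the one quoted above) and flags those whose query name sits under a DNAME owner in a zone the server serves, so they can be separated from genuinely refused queries when reviewing the log. It also shows the DNAME substitution that produced the synthesised CNAME in the dig output. The second and third log lines, the `ZONE_DNAMES` table and the function names are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log. The first line is the format from the post; the
# other two are made up (RFC 5737/zone names) to exercise both outcomes.
SAMPLE_LOG = """\
Jul  3 02:46:43 <daemon.info> catnip nsd[3620]: query sjsjqju2qu.nsdtest.dyslexicfish.net. from 205.166.94.24 refused, no acl matches .
Jul  3 02:47:01 <daemon.info> catnip nsd[3620]: query www.otherzone.example. from 192.0.2.10 refused, no acl matches .
Jul  3 02:47:05 <daemon.info> catnip nsd[3620]: query a.b.nsdtest.dyslexicfish.net. from 198.51.100.7 refused, no acl matches .
"""

# Hypothetical table of DNAME records per served zone: owner -> target.
# Only the record from the post is listed; a real deployment would load
# this from the zone files.
ZONE_DNAMES: Dict[str, str] = {
    "nsdtest.dyslexicfish.net.": "hello.example.com.",
}

# Matches the "refused, no acl matches" line NSD writes to syslog.
LOG_RE = re.compile(
    r"nsd\[\d+\]: query (?P<qname>\S+) from (?P<src>\S+) refused, no acl matches"
)


def normalize(name: str) -> str:
    """Lower-case and ensure a single trailing dot (absolute name)."""
    return name.lower().rstrip(".") + "."


def is_strictly_under(qname: str, owner: str) -> bool:
    """True if qname is below owner. The DNAME owner itself is not rewritten
    (RFC 6672), so equality does not count."""
    q, o = normalize(qname), normalize(owner)
    return q != o and q.endswith("." + o)


def dname_substitute(qname: str, owner: str, target: str) -> str:
    """Return the CNAME target NSD synthesises for qname under a DNAME:
    strip the owner suffix and append the DNAME target."""
    q, o, t = normalize(qname), normalize(owner), normalize(target)
    if not is_strictly_under(q, o):
        raise ValueError(f"{q} is not below DNAME owner {o}")
    prefix = q[: -len(o)]  # keeps the trailing dot of the prefix label(s)
    return prefix + t


def classify_refusals(log_text: str,
                      dnames: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Parse refused-query lines and label each as either
    'dname-synthesised' (answered via a DNAME we serve, so the 'refused'
    log line is misleading) or 'refused' (no DNAME covers it)."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        qname, src = m.group("qname"), m.group("src")
        label = "refused"
        for owner in dnames:
            if is_strictly_under(qname, owner):
                label = "dname-synthesised"
                break
        results.append((normalize(qname), src, label))
    return results


if __name__ == "__main__":
    for qname, src, label in classify_refusals(SAMPLE_LOG, ZONE_DNAMES):
        print(f"{label:18} {qname} from {src}")
```

Run against a real log, only the lines labelled `refused` would need attention; the `dname-synthesised` ones correspond to queries that, as the dig output shows, were answered with a synthesised CNAME.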
