[nsd-users] NSD 4.12.0rc1 pre-release
Yorgos Thessalonikefs
yorgos at nlnetlabs.nl
Thu Apr 24 10:01:18 UTC 2025
Hi Andreas,
On 23/04/2025 22:19, A. Schulze via nsd-users wrote:
> Hello Yorgos,
>
> Am 22.04.25 um 15:20 schrieb Yorgos Thessalonikefs via nsd-users:
>> Unbound is an example: when configured with auth zones, it will send
>> the SOA probe over UDP before starting a zone transfer.
>
> correct, I verified that with such an unbound.conf
>
> (10.0.0.2 is an NSD serving the zone 'example.' over 53/UDP, 53/TCP and
> 853/TLS = TCP)
>
> auth-zone:
>     name: "example."
>     for-downstream: no
>     for-upstream: yes
>     fallback-enabled: yes
>     primary: 10.0.0.2@853#nsd
>     zonefile: "/spool/auth-zones/example"
>
> with tcpdump I saw unbound
> - asking 10.0.0.2@53 via UDP for a SOA record
> then
> - transferring the zone over a TLS connection to 10.0.0.2@853 / TCP
>
> I did not see any traffic to 10.0.0.2@853 / UDP
Hmm, I wasn't expecting that. This looks like a feature in this case?
I would expect Unbound to not know about port 53 with this
configuration, but since the probe will go over UDP it "correctly" uses
port 53?
But that doesn't sound right if your config is like:
    primary: 10.0.0.2@54
I'll look into that and probably treat it as a bug.
>
>> ... you expect to see only TCP open on 853 but you also see UDP open
>> on 853?
> yes
>
> NSD even writes it to my log:
>
> nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: nsd starting (NSD 4.12.0)
> nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@53 (udp) with server(s): *
> nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@53 (tcp) with server(s): *
> nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@853 (udp) with server(s): -
> nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@853 (tcp) with server(s): *
> nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: info: creating unix socket /run/nsd-control.socket
> nsd_1 | [2025-04-23 21:54:21.871] nsd[20]: info: zone . read with success
> nsd_1 | [2025-04-23 21:54:21.871] nsd[20]: info: zone example. read with success
> nsd_1 | [2025-04-23 21:54:21.871] nsd[20]: notice: nsd started (NSD 4.12.0), pid 1
>
> Notice the '-' at the end of the 853-UDP line, while the other lines end
> with '*'.
> No idea what that means...
'*' means all the server processes are listening there
'-' means none of the server processes are listening there
Thanks for looking into this btw!
Best regards,
-- Yorgos
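The following is an added example, not code from this thread or from NSD itself. It turns the '*' / '-' explanation above into a small audit: it parses NSD's "listen on ip-address ... with server(s): ..." startup notices (the format is assumed from the log quoted in the message, including the docker-compose "nsd_1 |" prefix) and reports any socket that NSD binds but no server process answers on, which is exactly what the 853/UDP line shows.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Matches NSD's startup notice (format taken from the log quoted above):
#   listen on ip-address <ip>@<port> (<udp|tcp>) with server(s): <set>
# where <set> is '*' (all server processes listen), '-' (no server process
# listens) or an explicit list of server numbers. search() is used so the
# "nsd_1 | " docker-compose prefix and the timestamp are skipped.
LISTEN_RE = re.compile(
    r"listen on ip-address (?P<ip>\S+?)@(?P<port>\d+) "
    r"\((?P<proto>udp|tcp)\) with server\(s\): (?P<servers>.+?)\s*$"
)


@dataclass(frozen=True)
class Listener:
    ip: str
    port: int
    proto: str
    servers: str  # '*', '-' or e.g. '1 2'


def parse_listeners(log_text: str) -> list[Listener]:
    """Extract every 'listen on ip-address' notice from NSD log output."""
    found = []
    for line in log_text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            found.append(Listener(m["ip"], int(m["port"]), m["proto"], m["servers"]))
    return found


def unserved_listeners(listeners: list[Listener]) -> list[Listener]:
    """Sockets NSD binds but that no server process will answer on ('-')."""
    return [l for l in listeners if l.servers == "-"]


def protocols_per_port(listeners: list[Listener]) -> dict[tuple[str, int], dict[str, str]]:
    """Group listeners as (ip, port) -> {proto: servers}, so a port meant to be
    TCP-only (a tls-port) stands out when UDP shows up beside it."""
    table: dict[tuple[str, int], dict[str, str]] = defaultdict(dict)
    for l in listeners:
        table[(l.ip, l.port)][l.proto] = l.servers
    return dict(table)


def report(log_text: str) -> list[str]:
    """One audit line per (ip, port); flags sockets that are bound but unserved."""
    listeners = parse_listeners(log_text)
    lines = []
    for (ip, port), protos in sorted(protocols_per_port(listeners).items()):
        desc = ", ".join(f"{p}={s}" for p, s in sorted(protos.items()))
        flag = " <- bound but unserved" if "-" in protos.values() else ""
        lines.append(f"{ip}@{port}: {desc}{flag}")
    return lines


# Sample input: constructed from the startup log quoted in the message above,
# with the wrapped lines rejoined; no other lines were added.
SAMPLE_LOG = """\
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: nsd starting (NSD 4.12.0)
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@53 (udp) with server(s): *
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@53 (tcp) with server(s): *
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@853 (udp) with server(s): -
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@853 (tcp) with server(s): *
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: info: creating unix socket /run/nsd-control.socket
nsd_1 | [2025-04-23 21:54:21.871] nsd[20]: notice: nsd started (NSD 4.12.0), pid 1
"""


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the quoted log it prints two lines, the second being `10.0.0.2@853: tcp=*, udp=- <- bound but unserved`. The socket is still bound, so a port scan will show 853/UDP as open even though, per the explanation above, no server process services it; the check is useful for spotting that gap between what is listening and what is actually served.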