[nsd-users] info: axfr for domain not-verified

Roman Serbski mefystofel at gmail.com
Mon Jan 12 15:01:24 UTC 2026


Hello,

Hidden DNS master (NSD 4.3.9) ---> signer (OpenDNSSEC 2.1.14) --->
public DNS (NSD 4.13.0) setup (all on FreeBSD 14).

I recently moved the role of hidden DNS master to a new server running
the latest NSD 4.14.0 and started receiving not-verified errors(?) in
the logs:

[2026-01-12 15:12:10.050] nsd[1697]: info: axfr for domain.org. from 192.168.12.147  not-verified

Where 192.168.12.147 is my signer.

Looking at the logs of the old hidden master, I see similar entries
(without not-verified though):

[2026-01-12 02:43:25.081] nsd[64267]: info: axfr for domain.org. from 192.168.12.147

There were no changes to the OpenDNSSEC configuration:

                <TSIG>
                        <Name>tsig.sha256.signed</Name>
                        <Algorithm>hmac-sha256</Algorithm>
                        <Secret>XXXXXXXXXXX</Secret>
                </TSIG>

                <Inbound>
                        <RequestTransfer>
                                <Remote>
                                        <Address>192.168.12.46</Address>
                                        <Key>tsig.sha256.signed</Key>
                                </Remote>
                        </RequestTransfer>

                        <AllowNotify>
                                <Peer>
                                        <Prefix>192.168.12.46</Prefix>
                                        <Key>tsig.sha256.signed</Key>
                                </Peer>
                        </AllowNotify>
                </Inbound>

The config of the hidden master also remains unchanged:

server:
        ip-address: 192.168.12.46
        do-ip4: yes
        do-ip6: no
        verbosity: 2
        chroot: "/usr/local/etc/nsd"
        zonesdir: "/usr/local/etc/nsd"
        zonelistfile: "zone.list"
        database: "var/db/nsd/nsd.db"
        logfile: "/var/log/nsd.log"
        pidfile: "var/run/nsd.pid"
        xfrdfile: "var/db/nsd/xfrd.state"
        xfrdir: "var/db/nsd/"
        hide-version: yes

remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        control-port: 8952
        server-key-file: "/usr/local/etc/nsd/nsd_server.key"
        server-cert-file: "/usr/local/etc/nsd/nsd_server.pem"
        control-key-file: "/usr/local/etc/nsd/nsd_control.key"
        control-cert-file: "/usr/local/etc/nsd/nsd_control.pem"

key:
        name: "tsig.sha256.signed"
        algorithm: hmac-sha256
        secret: "XXXXXX"

pattern:
        name: "plain-to-signer"
        zonefile: "zones/%s"
        notify: 192.168.12.147 tsig.sha256.signed
        provide-xfr: 192.168.12.147 tsig.sha256.signed

zone:
        name: "domain.org"
        include-pattern: "plain-to-signer"


Did I miss something during the migration to the new server? Any hints
would be appreciated.

Thank you.

