notify rejected in unbound 1.16.3

Peter Hessler phessler at theapt.org
Tue Nov 8 09:26:54 UTC 2022


Hi All,

I'm running unbound 1.16.3 as included in OpenBSD 7.2, and wanted to cache
a public zone on it.  It is a caching resolver for a busy[1] website and
since I use lots of dns entries in my configuration I want to have a
local copy of the zone already in the cache.

I added this stanza to my working configuration:

auth-zone:
    name: "example.com"
    primary: "ns.example.org"
#    allow-notify: "ns.example.org"
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes

and configured my primary auth server to allow AXFR and send NOTIFYs to
this system.  When I start unbound, it does an AXFR properly so it has
the data.  However, when i send a NOTIFY I immediately get back a
rejected message.  I've verified that the IP addresses are correct, and
even though it should automatically allow the primary to send notifies
I've tried with manually added allow-notify entries for both the
dual-stack hostname and for the raw IP address of the sending server.

Am I holding it wrong?

-peter

[1] Busy is subjective, but the logs scroll by faster than I can read
them.

-- 
God made machine language; all the rest is the work of man.


More information about the Unbound-users mailing list