notify rejected in unbound 1.16.3
George (Yorgos) Thessalonikefs
george at nlnetlabs.nl
Tue Nov 8 12:04:34 UTC 2022
Hi Peter,
ACL (also) comes before NOTIFY processing.
Make sure that the nameserver addresses are not denied (the default) by
Unbound.
Something like:
server:
access-control: <IP address> allow
or
server:
access-control: <IP address> refuse_non_local
should work.
The latter will make sure to not allow recursion for the <IP address>.
Best regards,
-- Yorgos
On 08/11/2022 10:26, Peter Hessler via Unbound-users wrote:
> Hi All,
>
> I'm running unbound 1.16.3 as included in OpenBSD 7.2, and wanted to cache
> a public zone on it. It is a caching resolver for a busy[1] website and
> since I use lots of dns entries in my configuration I want to have a
> local copy of the zone already in the cache.
>
> I added this stanza to my working configuration:
>
> auth-zone:
> name: "example.com"
> primary: "ns.example.org"
> # allow-notify: "ns.example.org"
> fallback-enabled: yes
> for-downstream: no
> for-upstream: yes
>
> and configured my primary auth server to allow AXFR and send NOTIFYs to
> this system. When I start unbound, it does an AXFR properly so it has
> the data. However, when i send a NOTIFY I immediately get back a
> rejected message. I've verified that the IP addresses are correct, and
> even though it should automatically allow the primary to send notifies
> I've tried with manually added allow-notify entries for both the
> dual-stack hostname and for the raw IP address of the sending server.
>
> Am I holding it wrong?
>
> -peter
>
> [1] Busy is subjective, but the logs scroll by faster than I can read
> them.
>
More information about the Unbound-users
mailing list