notify rejected in unbound 1.16.3
phessler at theapt.org
Tue Nov 8 13:19:15 UTC 2022
Yup, that did it, thanks!
Since there is already some magic around primary: (for allow-notify:),
would it make sense for unbound to also do some magic in access-control:,
but possibly only if there is not an explicit ACL for those address(es)?
On 2022 Nov 08 (Tue) at 13:04:34 +0100 (+0100), George (Yorgos) Thessalonikefs via Unbound-users wrote:
:ACL (also) comes before NOTIFY processing.
:Make sure that the nameserver addresses are not denied (the default) by
: access-control: <IP address> allow
: access-control: <IP address> refuse_non_local
:The latter will make sure to not allow recursion for the <IP address>.
:On 08/11/2022 10:26, Peter Hessler via Unbound-users wrote:
:> Hi All,
:> I'm running unbound 1.16.3 as included in OpenBSD 7.2, and wanted to cache
:> a public zone on it. It is a caching resolver for a busy website and
:> since I use lots of dns entries in my configuration I want to have a
:> local copy of the zone already in the cache.
:> I added this stanza to my working configuration:
:> auth-zone:
:>     name: "example.com"
:>     primary: "ns.example.org"
:>     # allow-notify: "ns.example.org"
:>     fallback-enabled: yes
:>     for-downstream: no
:>     for-upstream: yes
:> and configured my primary auth server to allow AXFR and send NOTIFYs to
:> this system. When I start unbound, it does an AXFR properly so it has
:> the data. However, when I send a NOTIFY I immediately get back a
:> rejected message. I've verified that the IP addresses are correct, and
:> even though it should automatically allow the primary to send notifies
:> I've tried with manually added allow-notify entries for both the
:> dual-stack hostname and for the raw IP address of the sending server.
:> Am I holding it wrong?
:>  Busy is subjective, but the logs scroll by faster than I can read
Beware of bugs in the above code; I have only proved it correct, not
-- Donald Knuth
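Putting the fix from the reply together with the stanza from the original post, here is a complete unbound.conf fragment. This is an added example, not configuration from the thread or from the Unbound project; the addresses 192.0.2.53 and 2001:db8::53 are assumed placeholders for the IPv4 and IPv6 addresses of the primary, and the zone and server names are the ones used in the post.

```conf
server:
    # Added example (not from the thread). The ACL is evaluated before the
    # NOTIFY is processed, so the primary's addresses must not fall into
    # the default "refuse" entries; otherwise the NOTIFY is rejected before
    # primary: / allow-notify: are ever consulted.
    #
    # Weak (the implied default when nothing is configured): everything
    # except localhost is refused, including NOTIFYs from the primary.
    #access-control: 0.0.0.0/0 refuse
    #access-control: ::0/0 refuse
    #
    # Fix: list every address the primary sends from. A dual-stack host
    # needs both families, and access-control takes netblocks, not
    # hostnames. refuse_non_local lets the NOTIFY through while still
    # refusing recursion for these addresses; use "allow" only if the
    # primary should also be able to resolve through this cache.
    # Assumed IPv4 address of ns.example.org:
    access-control: 192.0.2.53/32 refuse_non_local
    # Assumed IPv6 address of ns.example.org:
    access-control: 2001:db8::53/128 refuse_non_local

auth-zone:
    name: "example.com"
    # AXFR/IXFR source; the primary is implicitly allowed to send NOTIFY,
    # so allow-notify: is not needed for it.
    primary: "ns.example.org"
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
```

Run unbound-checkconf after editing, restart or reload unbound, then have the primary send a NOTIFY; the rejection from the original post should no longer appear. If the zone needs to be pulled immediately, unbound-control auth_zone_transfer example.com requests a transfer from the configured primary without waiting for a NOTIFY.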