[nsd-users] nsdc update failed (semi-solved)
Andreas Schulze
andreas.schulze at datev.de
Mon Jan 3 14:01:07 UTC 2011
On 03.01.2011 14:00, Andreas Schulze wrote:
with "sh -x nsdc update" I found that nsdc-notify is called like this:
/usr/sbin/nsd-notify -a <outgoing-interface> -p 53 -z example.com 127.0.0.1
and
/usr/sbin/nsd-notify -a <outgoing-interface> -p 53 -z example.com ::1
I now managed an update by
1) make nsd listen to 127.0.0.1 (which is not always possible)
2) remove "allow-notify: ::1 NOKEY"
3) patching nsdc to not use -a <outgoing-interface> when calling nsd-notify
# diff /usr/sbin/nsdc.orig /usr/sbin/nsdc
261a262
> ifc_spec=""
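Review bot: the assignment added at line 262 (ifc_spec="") is unconditional as shown, so any nsd-notify call that builds its -a option from ifc_spec after this point loses the source address, not only the two calls to 127.0.0.1 and ::1. Consider clearing ifc_spec only where the notify target is a loopback address, and add a comment explaining why, since the edit is made directly in /usr/sbin/nsdc and nothing marks it as a local change.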
#
But this does not look like a clean solution ...
Andreas
> Hello again,
>
> here is my second problem for today.
> nsdc update at a slave server failed with this:
>
> Sending notify to localhost to update secondary zones...
> Jan 03 13:41:25 nsd-notify[7399]: warning: no local address family matches remote address family, skipping server '127.0.0.1'
> Jan 03 13:41:25 nsd-notify[7400]: warning: bad reply from ::1 for zone example.com., error response REFUSED (5).
>
> If I remove the difffile, xfrdfile and database,
> rebuild the database and start nsd, then the slave fetches the zones from the master.
> All zonetransfer and notify is configured to use IPv6 and TSIG.
> Both servers do not listen to 127.0.0.1 or ::1
>
> nsd-master.conf
> zone:
> name: "example.com"
> zonefile: "/etc/nsd/zones/example.com"
> notify: <slaves ipv6 address> notify-key
> provide-xfr: <slaves ipv6 address> xfer-key
> outgoing-interface: <master ipv6 address> NOKEY
> allow-axfr-fallback: yes
>
> nsd-slave.conf
> zone:
> name: "example.com"
> zonefile: "/etc/nsd/zones.slave/example.com"
> allow-notify: 127.0.0.1 NOKEY
> allow-notify: ::1 NOKEY
> allow-notify: <master ipv6 address> notify-key
> request-xfr: AXFR <master ipv6 address> xfer-key
> outgoing-interface: <slave ipv6 address> NOKEY
> allow-axfr-fallback: yes
>
> both config-files:
> key:
> name: "notify-key"
> algorithm: "hmac-md5"
> secret: "<base64-data>"
>
> key:
> name: "xfer-key"
> algorithm: "hmac-sha256"
> secret: "<base64-data>"
>
> Funny to note, that the notify-key cannot be a hmac-sha256 ...
>
> --
> Andreas Schulze
> Internet Services | P252
>
> DATEV eG
> 90329 Nürnberg | Phone +49 911 319-0 | Fax +49 911 319-3196
> Email info @datev.de | Internet www.datev.de
> Registered office: 90429 Nürnberg, Paumgartnerstr. 6-14 | Register court Nürnberg, GenReg No. 70
> Executive Board
> Prof. Dieter Kempf (Chairman)
> Dipl.-Kfm. Wolfgang Stegmann (Deputy Chairman)
> Dipl.-Kfm. Michael Leistenschneider
> Jörg Rabe v. Pappenheim
> Dipl.-Vw. Eckhard Schwarzer
> Chairman of the Supervisory Board: Reinhard Verholen
--
Andreas Schulze
Internet Services | P252
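A check one could run before "nsdc update", as an added example that is not part of the original post or of NSD: it reads a slave zone stanza, shows which of the two loopback notify targets a sender bound to the zone's outgoing-interface can reach, and lists the allow-notify sources that need no TSIG key. The 2001:db8:: addresses and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample modelled on the slave stanza quoted in the post; the
# 2001:db8:: addresses are documentation placeholders, not values from the page.
SLAVE_CONF = """\
zone:
    name: "example.com"
    allow-notify: 127.0.0.1 NOKEY
    allow-notify: ::1 NOKEY
    allow-notify: 2001:db8::1 notify-key
    request-xfr: AXFR 2001:db8::1 xfer-key
    outgoing-interface: 2001:db8::2 NOKEY
"""

def parse_zone(text):
    """Collect the (repeatable) 'option: value ...' lines of one zone stanza."""
    opts = {}
    for line in text.splitlines():
        key, sep, val = line.strip().partition(":")
        if sep and val.strip():
            opts.setdefault(key, []).append(val.split())
    return opts

def loopback_notify_plan(opts):
    """Can a notify bound to outgoing-interface be sent to each loopback target?
    Source and target must share an address family, as the warning in the post says."""
    src = ipaddress.ip_address(opts["outgoing-interface"][0][0])
    plan = {}
    for target in ("127.0.0.1", "::1"):
        same = ipaddress.ip_address(target).version == src.version
        # "sent" only means it leaves the host; the receiver's ACL still decides.
        plan[target] = "sent" if same else "skipped: address family mismatch"
    return plan

def unauthenticated_notify_sources(opts):
    """allow-notify entries that accept a NOTIFY without any TSIG key."""
    return [e[0] for e in opts.get("allow-notify", []) if e[-1] == "NOKEY"]

if __name__ == "__main__":
    zone = parse_zone(SLAVE_CONF)
    for target, result in loopback_notify_plan(zone).items():
        print(f"{target}: {result}")
    print("NOKEY notify sources:", unauthenticated_notify_sources(zone))
```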