[nsd-users] NSD not receiving Notifies

Sofía Silva Berenguer sofia at lacnic.net
Mon Feb 3 16:01:09 UTC 2014


Wouter,

Iptables is accepting connections on port 53530. I telnetted to it
from the master and it worked.

I also verified with "lsof -ni:53530" that NSD is actually listening
on that port, both in TCP and UDP.

Regards,

Sofía

On 03/02/14 13:49, W.C.A. Wijngaards wrote:
> Hi Sofia,
> 
> Is your computer configured with a firewall that blocks traffic to
> port 53530?  Otherwise, I am also getting out of ideas, with the
> zone and allow-notify configured, NSD prints what happens with
> verbosity >=2.  Nothing is printed, so I assume NSD does not actually
> get the packet.
> 
> Best regards, Wouter
> 
> On 02/03/2014 04:38 PM, Sofía Silva Berenguer wrote:
>> Wouter,
> 
>> I defined the pattern in nsd.conf and then added the zone with 
>> nsd-control addzone <zone> <pattern>. I didn't edit the file 
>> manually.
> 
>> I do see the zone with nsd-control zonestatus <zone>.
> 
>> Regards,
> 
>> Sofia
> 
>> On 03/02/14 13:13, W.C.A. Wijngaards wrote:
>>> Hi,
> 
>>> How did you add it to the zone.list file?  If you edit the file
>>> manually, NSD does not pick up the changes while it is
>>> running; and in fact (may) overwrite your edits when it closes.
>>> Do you see the zone with nsd-control zonestatus ?
> 
>>> Best regards, Wouter
> 
>>> On 02/03/2014 03:55 PM, Sofía Silva Berenguer wrote:
>>>> Thank you for replying Wouter!
> 
>>>> The zone is listed in the zone.list file and it's spelled 
>>>> correctly. I added it using a pattern which includes both the
>>>>  allow-notify and the request-xfr lines:
> 
>>>> allow-notify: <master> NOKEY
>>>> request-xfr: <master> NOKEY
> 
>>>> How can I check that the zone was correctly added?
> 
>>>> I'm sorry for asking such basic questions but I'm a newbie with
>>>> NSD.
> 
>>>> Thank you a lot for your help!
> 
>>>> Regards,
> 
>>>> Sofía
> 
>>>> On 03/02/14 12:35, W.C.A. Wijngaards wrote:
>>>>> Hi Sofía,
> 
>>>>> On 02/03/2014 03:03 PM, Sofía Silva Berenguer wrote:
>>>>>> Dear nsd-users members,
> 
>>>>>> I've installed Unbound and Nsd on a Centos 6.5 server.
> 
>>>>>> NSD is the secondary (slave) name server for some zones. 
>>>>>> The primary (master) for those zones is a BIND server.
> 
>>>>>> Unbound is listening on the port 53 and NSD is listening 
>>>>>> on the port 53530.
> 
>>>>>> The master is set up to send notifies to the port 53530
>>>>>> of the slave server. (also-notify <slave IP address> port
>>>>>>  53530)
> 
>>>>>> I'm having some issues when a zone is updated on the 
>>>>>> master. The master sends the notifies to the right port 
>>>>>> (53530). I can see the notifies with a tcpdump but NSD 
>>>>>> doesn't transfer the zone. I don't even see any message
>>>>>> in the NSD log saying it received the notifies. (the 
>>>>>> "verbosity" parameter is set to 2).
> 
>>>>>> If NSD requests the transfer (nsd-control transfer
>>>>>> <zone>) the transfer works. It just doesn't work when the
>>>>>> transfer is supposed to be initiated by a notify sent by
>>>>>> the master.
> 
>>>>>> I've already checked iptables and it is accepting 
>>>>>> connections to the port 53530.
> 
>>>>>> I've even tried stopping Unbound and setting up NSD to 
>>>>>> listen on the port 53 just in case this issue has
>>>>>> anything to do with the non-standard port being used, but
>>>>>> it didn't work either.
> 
>>>>>> Is there anything else I could check?
> 
>>>>> Have you checked that your NSD configuration allows the 
>>>>> notify, with the allow-notify: <master-ipaddress> NOKEY 
>>>>> statement? With verbosity 2 it should print allowed or 
>>>>> refused for almost all notifies.
> 
>>>>> If NSD does not host the zone, then it prints nothing at 
>>>>> verbosity 2, instead it returns 'nxdomain' rcode to the 
>>>>> master. Do you have the zone name spelled correctly in the 
>>>>> NSD configuration?
> 
>>>>> The zone should also have a request-xfr: <master ipaddress>
>>>>> NOKEY in the nsd.conf file, so that it knows where to 
>>>>> transfer the zone from.
> 
>>>>> If you are using TSIG, try to disable it, if the TSIG fails
>>>>>  (i.e. you have the wrong TSIG key) then NSD will also not 
>>>>> print a log entry.
> 
>>>>>> Are you aware of any incompatibility between a BIND
>>>>>> master and a NSD slave?
> 
>>>>> No, this should work.
> 
>>>>> Best regards, Wouter
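A diagnostic sketch for the checks discussed in this thread, added here and not part of any poster's message or of NSD itself: it sends one NOTIFY for a zone to the secondary's port and reports the reply rcode, which the thread says is NXDOMAIN when NSD does not host the zone. Run it from the master's address, since allow-notify is matched against the sender. The function names, the message ID and the command-line form are assumptions.

```python
import socket
import struct
import sys

OPCODE_NOTIFY, QTYPE_SOA, QCLASS_IN = 4, 6, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(zone):
    """Encode a zone name as length-prefixed DNS labels."""
    out = b""
    for label in zone.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {zone!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_notify(zone, msg_id):
    """Build a NOTIFY request: opcode 4, AA set, question <zone> IN SOA."""
    flags = (OPCODE_NOTIFY << 11) | 0x0400
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)

def parse_reply(data, msg_id):
    """Return the rcode name of a NOTIFY response, rejecting unrelated packets."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != msg_id or not flags & 0x8000 or (flags >> 11) & 0xF != OPCODE_NOTIFY:
        raise ValueError("not a response to our NOTIFY")
    return RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}")

def send_notify(server, port, zone, msg_id=0x4E53, timeout=3.0):
    """Send one NOTIFY over UDP; 'NO REPLY' means nothing answered in time."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_notify(zone, msg_id), (server, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "NO REPLY"
    return parse_reply(data, msg_id)

if __name__ == "__main__":
    # Assumed usage: python3 notify_check.py <slave-ip> 53530 <zone>
    host, port, zone = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(f"{zone} @ {host}:{port} -> {send_notify(host, port, zone)}")
```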