[nsd-users] NSD no receiving Notifies

W.C.A. Wijngaards wouter at nlnetlabs.nl
Tue Feb 4 13:22:25 UTC 2014


Hi Sofia,

Are you getting logs from NSD at all?  Or does it have similar trouble
like unbound (it has very similar log code) had for you (the logfile
was not inside the chroot)?  Then you can see what it says about the
Notify or about the zone transfers (increase verbosity from 2 to 5 to
see more and more).

Best regards,
   Wouter

On 02/03/2014 05:01 PM, Sofía Silva Berenguer wrote:
> Wouter,
> 
> Iptables is accepting connections in the port 53530. I telneted it 
> from the master and it worked.
> 
> I also verified with "lsof -ni:53530" that NSD is actually
> listening on that port, both in TCP and UDP.
> 
> Regards,
> 
> Sofía
> 
> On 03/02/14 13:49, W.C.A. Wijngaards wrote:
>> Hi Sofia,
> 
>> Is your computer configured with a firewall that blocks traffic
>> to port 53530?  Otherwise, I am also getting out of ideas, with
>> the zone and allow-notify configured, NSD prints what happens
>> with verbosity >=2.  Nothing is printed, so I assume NSD does not
>> actually get the packet.
> 
>> Best regards, Wouter
> 
>> On 02/03/2014 04:38 PM, Sofía Silva Berenguer wrote:
>>> Wouter,
> 
>>> I defined the pattern in nsd.conf and then added the zone with
>>>  nsd-control addzone <zone> <pattern>. I didn't edit the file 
>>> manually.
> 
>>> I do see the zone with nsd-control zonestatus <zone>.
> 
>>> Regards,
> 
>>> Sofia
> 
>>> On 03/02/14 13:13, W.C.A. Wijngaards wrote:
>>>> Hi,
> 
>>>> How did you add it to the zone.list file?  If you edit the
>>>> file manually, NSD does not pick up the changes while it is 
>>>> running; and in fact (may) overwrite your edits when it
>>>> closes. Do you see the zone with nsd-control zonestatus ?
> 
>>>> Best regards, Wouter
> 
>>>> On 02/03/2014 03:55 PM, Sofía Silva Berenguer wrote:
>>>>> Thank you for replying Wouter!
> 
>>>>> The zone is listed in the zone.list file and it's spelled 
>>>>> correctly. I added it using a pattern which includes both
>>>>> the allow-notify and the request-xfr lines:
> 
>>>>> allow-notify: <master> NOKEY
>>>>> request-xfr: <master> NOKEY
> 
>>>>> How can I check that the zone was correctly added?
> 
>>>>> I'm sorry for asking such basic questions but I'm a newbie
>>>>> with NSD.
> 
>>>>> Thank you a lot for your help!
> 
>>>>> Regards,
> 
>>>>> Sofía
> 
>>>>> On 03/02/14 12:35, W.C.A. Wijngaards wrote:
>>>>>> Hi Sofía,
> 
>>>>>> On 02/03/2014 03:03 PM, Sofía Silva Berenguer wrote:
>>>>>>> Dear nsd-users members,
> 
>>>>>>> I've installed Unbound and Nsd on a Centos 6.5 server.
> 
>>>>>>> NSD is the secondary (slave) name server for some
>>>>>>> zones. The primary (master) for those zones is a BIND
>>>>>>> server.
> 
>>>>>>> Unbound is listening on the port 53 and NSD is
>>>>>>> listening on the port 53530.
> 
>>>>>>> The master is set up to send notifies to the port
>>>>>>> 53530 of the slave server. (also-notify <slave IP
>>>>>>> address> port 53530)
> 
>>>>>>> I'm having some issues when a zone is updated on the 
>>>>>>> master. The master sends the notifies to the right port
>>>>>>>  (53530). I can see the notifies with a tcpdump but NSD
>>>>>>>  doesn't transfer the zone. I don't even see any
>>>>>>> message in the NSD log saying it received the notifies.
>>>>>>> (the "verbosity" parameter is set to 2).
> 
>>>>>>> If NSD requests the transfer (nsd-control transfer 
>>>>>>> <zone>) the transfer works. It just doesn't work when
>>>>>>> the transfer is supposed to be initiated by a notify
>>>>>>> sent by the master.
> 
>>>>>>> I've already checked iptables and it is accepting 
>>>>>>> connections to the port 53530.
> 
>>>>>>> I've even tried stopping Unbound and setting up NSD to
>>>>>>>  listen on the port 53 just in case this issue has 
>>>>>>> anything to do with the non-standard port being used,
>>>>>>> but it didn't work either.
> 
>>>>>>> Is there anything else I could check?
> 
>>>>>> Have you checked that your NSD configuration allows the 
>>>>>> notify, with the allow-notify: <master-ipaddress> NOKEY 
>>>>>> statement? With verbosity 2 it should print allowed or 
>>>>>> refused for almost all notifies.
> 
>>>>>> If NSD does not host the zone, then it prints nothing at
>>>>>>  verbosity 2, instead it returns 'nxdomain' rcode to the
>>>>>>  master. Do you have the zone name spelled correctly in
>>>>>> the NSD configuration?
> 
>>>>>> The zone should also have a request-xfr: <master
>>>>>> ipaddress> NOKEY in the nsd.conf file, so that it knows
>>>>>> where to transfer the zone from.
> 
>>>>>> If you are using TSIG, try to disable it, if the TSIG
>>>>>> fails (i.e. you have the wrong TSIG key) then NSD will
>>>>>> also not print a log entry.
> 
>>>>>>> Are you aware of any incompatibility between a BIND 
>>>>>>> master and a NSD slave?
> 
>>>>>> No, this should work.
> 
>>>>>> Best regards, Wouter
> 



More information about the nsd-users mailing list
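
A small checker for the points raised in this thread (logfile inside the chroot, verbosity of at least 2, an allow-notify entry for every request-xfr master), added here as an example and not taken from the thread or from NSD. The sample nsd.conf, the 192.0.2.1 master address and the function names are constructed; addresses are matched exactly, and subnets and include: files are not handled.

```python
import os.path

# Constructed sample config; 192.0.2.1 stands in for the BIND master.
SAMPLE_CONF = """\
server:
    port: 53530
    verbosity: 1
    chroot: "/etc/nsd"
    logfile: "/var/log/nsd.log"
pattern:
    name: "from-master"
    allow-notify: 192.0.2.1 NOKEY
    request-xfr: AXFR 192.0.2.1 NOKEY
pattern:
    name: "xfr-only"
    request-xfr: 192.0.2.1 NOKEY
"""

def parse_sections(text):
    """Split nsd.conf text into [(section, {option: [values]})]."""
    sections = []
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(":")
        value = value.strip().strip('"')
        if key and not value:              # section header such as "server:"
            sections.append((key, {}))
        elif key and sections:
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def outside_chroot(chroot, path):
    """True when an absolute path does not lie under the chroot directory."""
    root = os.path.normpath(chroot)
    return os.path.isabs(path) and os.path.commonpath([root, path]) != root

def peers(values):
    """Peer addresses from allow-notify / request-xfr values (exact match only)."""
    return {[t for t in v.split() if t not in ("AXFR", "UDP")][0] for v in values}

def check(text):
    findings = []
    for section, opts in parse_sections(text):
        if section == "server":
            chroot, logfile = opts.get("chroot", [""])[0], opts.get("logfile", [""])[0]
            if chroot and logfile and outside_chroot(chroot, logfile):
                findings.append("logfile is outside the chroot")
            if int(opts.get("verbosity", ["0"])[0]) < 2:
                findings.append("verbosity below 2: notify decisions are not logged")
        elif section in ("pattern", "zone"):
            name = opts.get("name", ["?"])[0]
            for ip in sorted(peers(opts.get("request-xfr", [])) - peers(opts.get("allow-notify", []))):
                findings.append(f"{name}: no allow-notify for master {ip}")
    return findings
```

Calling `check()` on the text of a real nsd.conf returns a list of findings; an empty list means none of the three conditions was detected.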