[nsd-users] nsd refusing secondary AXFR
Anand Buddhdev
anandb at ripe.net
Wed Sep 10 13:19:05 UTC 2014
On 10/09/2014 14:20, shmick at riseup.net wrote:
Dear shmick,
> each time the designated secondary NS requests AXFR, my nsd server sends
> REFUSED which I can see from tcpdumps
>
> I've set up debug logging and it reports:
>
> info: axfr for zone example.com. from client 1.2.3.4 refused, no acl matches
>
> I've simply set it up as follows in nsd.conf & no problems with nsd-checkconf
>
> zone:
>     name: example.com.
>     zonefile: example.com.signed
>     notify: 1.2.3.4@53 NOKEY
>     provide-xfr: 1.2.3.4@53 NOKEY

This is your problem. You're telling the NSD master that the slave must
connect from address 1.2.3.4 *and* source port 53. However, the slave
will most likely use an ephemeral port number, so the ACL will not
match. Change that to:

    provide-xfr: 1.2.3.4 NOKEY

Regards,
Anand Buddhdev
RIPE NCC
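
A simplified model of the ACL check described in this reply, added here as an example (it is not NSD's code and not part of the original message). It handles only plain addresses and `/prefix` subnets with an optional `@port`; the function names, the source port 49152 and the address 192.0.2.7 are constructed for illustration.

```python
import ipaddress

def parse_acl(entry):
    """Split '<ip-spec>[@port] <key>' into (network, port or None, key)."""
    spec, key = entry.split()
    addr, _, port = spec.partition("@")
    net = ipaddress.ip_network(addr, strict=False)
    return net, (int(port) if port else None), key

def acl_matches(entry, src_ip, src_port):
    """An entry with @port matches only if the source port also matches."""
    net, port, _key = parse_acl(entry)
    if ipaddress.ip_address(src_ip) not in net:
        return False
    return port is None or port == src_port

def check_axfr(zone, provide_xfr, src_ip, src_port):
    """Return the matching entry, or the refusal message quoted in the thread."""
    for entry in provide_xfr:
        if acl_matches(entry, src_ip, src_port):
            return "allowed by: " + entry
    return f"axfr for zone {zone} from client {src_ip} refused, no acl matches"

def port_pinned_entries(provide_xfr):
    """Lint helper: list entries that pin a source port, which a secondary
    connecting from an ephemeral port will not satisfy."""
    return [e for e in provide_xfr if parse_acl(e)[1] is not None]

if __name__ == "__main__":
    # Constructed request: the secondary connects from an ephemeral port.
    client, sport = "1.2.3.4", 49152
    broken = ["1.2.3.4@53 NOKEY"]   # ACL from the original question
    fixed = ["1.2.3.4 NOKEY"]       # ACL suggested in the reply
    print(check_axfr("example.com.", broken, client, sport))
    print(check_axfr("example.com.", fixed, client, sport))
    print(check_axfr("example.com.", fixed, "192.0.2.7", sport))
    print("port-pinned:", port_pinned_entries(broken + fixed))
```
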