[nsd-users] using 4.1.14 on debian, I can't get AXFR to work to a secondary

John Griessen john at industromatic.com
Sun May 14 04:18:05 UTC 2017


I get error log messages like


[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone casageorge.com: max notify send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone cottagematic.com: max notify send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone labhw.com: max notify send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone cibolo.com: max notify send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone kitmatic.com: max notify send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone tankmatic.com: max notify send count reached, 104.245.34.178 at 53 unreachable
[2017-05-13 23:42:25.380] nsd[13764]: info: new control connection from 127.0.0.1
[2017-05-13 23:42:25.436] nsd[13764]: info: control cmd:  reload
[2017-05-14 00:22:43.913] nsd[13789]: info: axfr for kitmatic.com. from 216.218.133.2 refused, no acl matches
[2017-05-14 00:35:55.638] nsd[13764]: info: new control connection from 127.0.0.1
[2017-05-14 00:35:55.692] nsd[13764]: info: control cmd:  reload



on the master,
and on the slave:

[2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone griessen.com received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone ecosensory.com received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone cottagematic.com received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for cibolo.com. from 104.245.34.178 refused, no acl matches
[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for casitageorge.com. from 104.245.34.178 refused, no acl matches
[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for casageorge.com. from 104.245.34.178 refused, no acl matches
[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for 34.245.104.in-addr.arpa. from 104.245.34.178 refused, no acl matches
[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for 54.219.104.in-addr.arpa. from 104.245.34.178 refused, no acl matches
[2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone cibolo.com received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone casitageorge.com received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone casageorge.com received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone 34.245.104.in-addr.arpa received error code REFUSED from 104.245.34.178 at 53
[2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone 54.219.104.in-addr.arpa received error code REFUSED from 104.245.34.178 at 53


Does this look familiar to anyone?  Have I got a mistake in nsd.conf?

The master works OK, looks good at https://intodns.com/ecosensory.com


==master nsd.conf========================

# ns1.cibolo.us
# See the nsd.conf(5) man page.

server:
     port: 53
     server-count: 1
     ip-address: 104.219.54.106
     do-ip4: yes
     do-ip6: no
     verbosity: 2

     database: "/var/lib/nsd/nsd.db"  # the database to use
     hide-version: yes  # don't answer VERSION.BIND queries
     logfile: "/var/log/nsd.log"
     pidfile: "/run/nsd/nsd.pid"
     zonesdir: "/etc/nsd"
     tcp-query-count: 180  # queries served on a single TCP conn
     xfrdfile: "/var/lib/nsd/xfrd.state"
     nsid: "ascii_ns1.cibolo.us"  # NSID identity (hex string, or "ascii_somestring").

remote-control:
     control-enable: yes
     control-interface: 127.0.0.1
     control-port: 8952
     server-key-file: "/etc/nsd/nsd_server.key"
     server-cert-file: "/etc/nsd/nsd_server.pem"
     control-key-file: "/etc/nsd/nsd_control.key"
     control-cert-file: "/etc/nsd/nsd_control.pem"

key:
     name: "ns1-cibolo-us-key"
     algorithm: hmac-md5
     secret: "xxxxxXXXXXxxxxxXXXX"

pattern:
     name: "toslave"
     notify: 104.245.34.178 NOKEY
     provide-xfr: 104.245.34.178 NOKEY
     notify: 216.218.131.2 NOKEY
     provide-xfr: 216.218.131.2 NOKEY

zone:
     name: 54.219.104.in-addr.arpa
     zonefile: 54.219.104.in-addr.arpa
     include-pattern: "toslave"

==master nsd.conf========================

==slave nsd.conf========================
server:
     server-count: 1
     port: 53
     ip-address: 104.245.34.178
     do-ip4: yes
     do-ip6: no
     verbosity: 2

     database: "/var/lib/nsd/nsd.db" # the database to use
     hide-version: yes  # don't answer VERSION.BIND queries
     logfile: "/var/log/nsd.log"
     pidfile: "/run/nsd/nsd.pid"
     zonesdir: "/etc/nsd"
     tcp-query-count: 180  # queries served on a single TCP connection.
     xfrdfile: "/var/lib/nsd/xfrd.state"
     nsid: "ascii_ns2.cibolo.us" # NSID identity (hex string, or "ascii_somestring").

remote-control:
     control-enable: yes
     control-interface: 127.0.0.1
     control-port: 8952
     server-cert-file: "/etc/nsd/nsd_server.pem"
     control-key-file: "/etc/nsd/nsd_control.key"
     control-cert-file: "/etc/nsd/nsd_control.pem"

key:
     name: "ns1-cibolo-us-key"
     algorithm: hmac-md5
     secret: "xxxXXXxxxXXX"


pattern:
     name: "frommaster"
     allow-notify: 104.245.34.178 NOKEY
     request-xfr: 104.245.34.178 NOKEY

zone:
     name: 54.219.104.in-addr.arpa
     zonefile: 54.219.104.in-addr.arpa
     include-pattern: "frommaster"

==slave nsd.conf========================
-- 
John Griessen
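
Added example, not part of the original post and not NSD project code: a small Python check over trimmed excerpts of the two nsd.conf files and the log lines quoted above. It reports request-xfr/allow-notify entries that equal the server's own ip-address, and lists each source address the log shows as refused next to the configured provide-xfr entries. The function names and the simplified option parsing (first token only, no subnets or ranges) are assumptions.

```python
import re

# Excerpts of the two nsd.conf files and log lines quoted in the post (trimmed).
MASTER_CONF = """server:
     ip-address: 104.219.54.106
pattern:
     name: "toslave"
     provide-xfr: 104.245.34.178 NOKEY
     provide-xfr: 216.218.131.2 NOKEY
"""
SLAVE_CONF = """server:
     ip-address: 104.245.34.178
pattern:
     name: "frommaster"
     allow-notify: 104.245.34.178 NOKEY
     request-xfr: 104.245.34.178 NOKEY
"""
MASTER_LOG = ("[2017-05-14 00:22:43.913] nsd[13789]: info: axfr for "
              "kitmatic.com. from 216.218.133.2 refused, no acl matches\n")
SLAVE_LOG = ("[2017-05-14 04:08:25.947] nsd[32153]: info: axfr for "
             "cibolo.com. from 104.245.34.178 refused, no acl matches\n")

REFUSED = re.compile(r"axfr for \S+ from (\S+) refused, no acl matches")

def parse_conf(text):
    """Map each option name to the first token of every value it is given."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z0-9-]+):\s*(\S+)", line.split("#", 1)[0])
        if m:
            opts.setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return opts

def audit(conf_text, log_text):
    """Return findings for one server from its nsd.conf and its log."""
    opts = parse_conf(conf_text)
    own = set(opts.get("ip-address", []))
    findings = []
    # request-xfr / allow-notify should name the primary, not this server itself.
    for opt in ("request-xfr", "allow-notify"):
        for ip in opts.get(opt, []):
            if ip in own:
                findings.append(f"{opt} {ip} is this server's own ip-address")
    # Show each refused transfer client next to the configured provide-xfr list.
    listed = sorted(opts.get("provide-xfr", []))
    for src in sorted(set(REFUSED.findall(log_text))):
        findings.append(f"axfr from {src} refused; provide-xfr lists {listed}")
    return findings

if __name__ == "__main__":
    for name, conf, log in (("master", MASTER_CONF, MASTER_LOG),
                            ("slave", SLAVE_CONF, SLAVE_LOG)):
        print(name, *audit(conf, log), sep="\n  ")
```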


