[nsd-users] using 4.1.14 on debian, I can't get AXFR to work to a secondary

Anand Buddhdev anandb at ripe.net
Sun May 14 06:46:46 UTC 2017


Hi John,

In your slave's config, you have:

request-xfr: 104.245.34.178 NOKEY

You've configured the slave's own IP address there, instead of the
master's IP address (104.219.54.106).

Regards,
Anand Buddhdev

On 14/05/2017 06:18, John Griessen wrote:

> I get error log messages like
> 
> 
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone casageorge.com:
> max notify send count reached, 104.245.34.178 at 53 unreachable
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone
> cottagematic.com: max notify send count reached, 104.245.34.178 at 53
> unreachable
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone labhw.com: max
> notify send count reached, 104.245.34.178 at 53 unreachable
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone cibolo.com: max
> notify send count reached, 104.245.34.178 at 53 unreachable
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone kitmatic.com:
> max notify send count reached, 104.245.34.178 at 53 unreachable
> [2017-05-13 23:41:41.692] nsd[13764]: error: xfrd: zone tankmatic.com:
> max notify send count reached, 104.245.34.178 at 53 unreachable
> [2017-05-13 23:42:25.380] nsd[13764]: info: new control connection from
> 127.0.0.1
> [2017-05-13 23:42:25.436] nsd[13764]: info: control cmd:  reload
> [2017-05-14 00:22:43.913] nsd[13789]: info: axfr for kitmatic.com. from
> 216.218.133.2 refused, no acl matches
> [2017-05-14 00:35:55.638] nsd[13764]: info: new control connection from
> 127.0.0.1
> [2017-05-14 00:35:55.692] nsd[13764]: info: control cmd:  reload
> 
> 
> 
> on the master,
> and on the slave:
> 
> [2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone griessen.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone ecosensory.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.946] nsd[31878]: error: xfrd: zone cottagematic.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for cibolo.com. from
> 104.245.34.178 refused, no acl matches
> [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for casitageorge.com.
> from 104.245.34.178 refused, no acl matches
> [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for casageorge.com.
> from 104.245.34.178 refused, no acl matches
> [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for
> 34.245.104.in-addr.arpa. from 104.245.34.178 refused, no acl matches
> [2017-05-14 04:08:25.947] nsd[32153]: info: axfr for
> 54.219.104.in-addr.arpa. from 104.245.34.178 refused, no acl matches
> [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone cibolo.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone casitageorge.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone casageorge.com
> received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone
> 34.245.104.in-addr.arpa received error code REFUSED from 104.245.34.178 at 53
> [2017-05-14 04:08:25.947] nsd[31878]: error: xfrd: zone
> 54.219.104.in-addr.arpa received error code REFUSED from 104.245.34.178 at 53
> 
> 
> Does this look familiar to anyone?  Have I got a mistake in nsd.conf?
> 
> The master works OK, looks good at https://intodns.com/ecosensory.com
> 
> 
> ==master nsd.conf========================
> 
> # ns1.cibolo.us
> # See the nsd.conf(5) man page.
> 
> server:
>     port: 53
>     server-count: 1
>     ip-address: 104.219.54.106
>     do-ip4: yes
>     do-ip6: no
>     verbosity: 2
> 
>     database: "/var/lib/nsd/nsd.db"  # the database to use
>     hide-version: yes  # don't answer VERSION.BIND queries
>     logfile: "/var/log/nsd.log"
>     pidfile: "/run/nsd/nsd.pid"
>     zonesdir: "/etc/nsd"
>     tcp-query-count: 180  # queries served on a single TCP conn
>     xfrdfile: "/var/lib/nsd/xfrd.state"
>     nsid: "ascii_ns1.cibolo.us"  # NSID identity (hex string, or "ascii_somestring").
> 
> remote-control:
>     control-enable: yes
>     control-interface: 127.0.0.1
>     control-port: 8952
>     server-key-file: "/etc/nsd/nsd_server.key"
>     server-cert-file: "/etc/nsd/nsd_server.pem"
>     control-key-file: "/etc/nsd/nsd_control.key"
>     control-cert-file: "/etc/nsd/nsd_control.pem"
> 
> key:
>     name: "ns1-cibolo-us-key"
>     algorithm: hmac-md5
>     secret: "xxxxxXXXXXxxxxxXXXX"
> 
> pattern:
>     name: "toslave"
>     notify: 104.245.34.178 NOKEY
>     provide-xfr: 104.245.34.178 NOKEY
>     notify: 216.218.131.2 NOKEY
>     provide-xfr: 216.218.131.2 NOKEY
> 
> zone:
>     name: 54.219.104.in-addr.arpa
>     zonefile: 54.219.104.in-addr.arpa
>     include-pattern: "toslave"
> 
> ==master nsd.conf========================
> 
> ==slave nsd.conf========================
> server:
>     server-count: 1
>     port: 53
>     ip-address: 104.245.34.178
>     do-ip4: yes
>     do-ip6: no
>     verbosity: 2
> 
>     database: "/var/lib/nsd/nsd.db" # the database to use
>     hide-version: yes  # don't answer VERSION.BIND queries
>     logfile: "/var/log/nsd.log"
>     pidfile: "/run/nsd/nsd.pid"
>     zonesdir: "/etc/nsd"
>     tcp-query-count: 180  # queries served on a single TCP connection.
>     xfrdfile: "/var/lib/nsd/xfrd.state"
>     nsid: "ascii_ns2.cibolo.us" # NSID identity (hex string, or "ascii_somestring").
> 
> remote-control:
>     control-enable: yes
>     control-interface: 127.0.0.1
>     control-port: 8952
>     server-cert-file: "/etc/nsd/nsd_server.pem"
>     control-key-file: "/etc/nsd/nsd_control.key"
>     control-cert-file: "/etc/nsd/nsd_control.pem"
> 
> key:
>     name: "ns1-cibolo-us-key"
>     algorithm: hmac-md5
>     secret: "xxxXXXxxxXXX"
> 
> 
> pattern:
>     name: "frommaster"
>     allow-notify: 104.245.34.178 NOKEY
>     request-xfr: 104.245.34.178 NOKEY
> 
> zone:
>     name: 54.219.104.in-addr.arpa
>     zonefile: 54.219.104.in-addr.arpa
>     include-pattern: "frommaster"
> 
> ==slave nsd.conf========================
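
Added example, not part of the original thread or of NSD: a small checker for the misconfiguration identified in the reply, generalized to flag any request-xfr, allow-notify, notify or provide-xfr entry whose address is the server's own ip-address. The function names and the trimmed sample config are constructed for illustration, and comment handling is simplified (everything after a # is dropped).

```python
import re

# Directives whose address argument must name a *remote* server.
REMOTE_ACL = {"request-xfr", "allow-notify", "notify", "provide-xfr"}
LINE = re.compile(r"^\s*([a-z0-9-]+):\s*(.*)$")

def parse(text):
    """Yield (lineno, section, key, value) for each attribute line."""
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.split("#", 1)[0].rstrip())  # drop comments
        if not m:
            continue
        key, value = m.groups()
        if value == "":
            section = key          # "server:", "pattern:", "zone:" ...
        else:
            yield lineno, section, key, value

def self_references(text):
    """Return (lineno, directive, address) where an ACL names this server."""
    entries = list(parse(text))
    own = {v.split()[0].split("@")[0]
           for _, sec, k, v in entries if sec == "server" and k == "ip-address"}
    findings = []
    for lineno, _, key, value in entries:
        if key not in REMOTE_ACL:
            continue
        tokens = value.split()
        if tokens[0].upper() in ("AXFR", "UDP") and len(tokens) > 1:
            tokens = tokens[1:]    # request-xfr may carry a transport keyword
        addr = tokens[0].split("@")[0]
        if addr in own:
            findings.append((lineno, key, addr))
    return findings

# Constructed sample: the secondary's config from the thread, trimmed.
SECONDARY = """\
server:
    ip-address: 104.245.34.178
pattern:
    name: "frommaster"
    allow-notify: 104.245.34.178 NOKEY
    request-xfr: 104.245.34.178 NOKEY
"""
# Same config with both ACL entries pointed at the primary (104.219.54.106).
FIXED = re.sub(r"(allow-notify|request-xfr): \S+", r"\1: 104.219.54.106", SECONDARY)

if __name__ == "__main__":
    print(self_references(SECONDARY), self_references(FIXED))
```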
