[nsd-users] nsd & ip-addresses

Michael Tokarev mjt at tls.msk.ru
Mon Nov 9 22:38:49 UTC 2009 

Hello.

I'm trying to set up nsd here, after using it for more than a
year on several machines.  And I come across several.. issues.

nsdc assumes that nsd is listening on 127.0.0.1, or else the
program does not work.  But usually, 127.0.0.1 is used by
_recursive_ resolver (it's the default entry if no 'nameserver'
line is specified in /etc/resolv.conf).  It is more: it's a
good idea to bind nsd to an external IP address only, and
don't listen on 127.0.0.1 at all.  Obviously nsdc will fail
with this setup.

So in order to work around this, I bind nsd to 2 addresses --
the proper 'external' IP and 127.0.0.1 for nsdc to work.
At the same time, i'm forced to bind unbound (which is used
for cache) to 127.0.0.2, and specify 127.0.0.2 in resolv.conf.
It works, it's just slightly ugly.

So far so good.

Now, I'm on a multihomed host.  The two IP addresses are here
because I'm forced to use two due to two different nameservers.
One main IP address is used for everything, and another,
additional IP is for nsd.  Because I need to provide both
recursive and authoritative zones.

Nsd is bound to "second" IP.  Now, when it tries to send
AXFR requests, it receives REFUSED replies, since it comes
from the primary IP address, even if "ip-address" config
item is specified (it'd be logical to use that instead of
0.0.0.0).  So I specify outgoing-interface (why the first
is -address and second is -interface?).  This way, AXFR
between the two machines works, but at the same time it
completely breaks nscd.

Because now, nscd uses the same outgoing-interface when
sending notifies to localhost!  And sure there's no
acl entry for that.  After changing 127.0.0.1 to the
same value as outgoing-interface, nsdc refuses to work
saying that there's no zones for which 127.0.0.1 is
allowed to sent notifies.  Wow.

So I revert outgoing-interface back to the default, and
allow different IP address on the primary.  Which becomes
"notify: a" and "provide-xfr: b" with different a and b
for the same host.

Either I don't understand something important here,
or... dunno.

To sum it up:

o why nsdc requires nsd to listen on 127.0.0.1?

o why ip-address but outgoing-interface?

o why not use ip-address by default for outgoing?

o why nsdc uses outgoing-interface when contacting
   local nsd?

o why nsdc only checks zones that has acl for 127.0.0.1
   (even if it actually uses outgoing-interface)?

And an additional question:

o why it's not possible to provide some defaults in
   a global section, like outgoing-interface and
   provide-xfr and allow-* things, in order to not
   repeat the same thing for every zone?  When trying
   to list any of that in the "server" zection nsd
   complains about syntax error...

That's all about version 3.2.3.

Comments?

Thanks!

/mjt

More information about the nsd-users mailing list