[nsd-users] NSD no receiving Notifies

W.C.A. Wijngaards wouter at nlnetlabs.nl
Tue Feb 4 14:53:30 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Sofia,

So, nsd the zone configured correctly, it has allow-notify and
request-xfr set and the name.  The notify packet arrives on tcpdump.
lsof says NSD listens on that port, but NSD4 prints nothing.    With
verbosity it should print something, but it does not.

If you compile NSD with --enable-checking and start nsd with -F 20 -L
2 options it will print even more than it prints now (it should simply
print that a notify has been received, for every notify packet).

Can you transfer the zone if you specify nsd-control transfer
<zonename>  ?  This pretends a notify has been received internally
(but without the actual packet), and does the same zone transfer code.

Best regards,
   Wouter

On 02/04/2014 03:28 PM, Sofía Silva Berenguer wrote:
> Hi Wouter,
> 
> I couldn't set up Nsd to use syslog, however it is logging to a
> file. I actually see a lot of lines but nothing about receiving
> notifies from the master.
> 
> I increased verbosity from 2 to 5 and run tail -f on the logfile 
> while, on the master I incremented the serial of a zone and
> reloaded it. The master sent notifies and another slave got the
> zone transfered but NOT this slave (the nsd). The Nsd didn't get
> any notify.
> 
> What am I doing wrong? :)
> 
> Regards,
> 
> Sofía
> 
> El 04/02/14 11:22, W.C.A. Wijngaards escribió:
>> Hi Sofia,
> 
>> You you getting logs from NSD at all?  Or does it have similar 
>> trouble like unbound (it has very similar log code) had for you 
>> (the logfile was not inside the chroot)?  Then you can see what
>> it says about the Notify or about the zone transfers (increase 
>> verbosity from 2 to 5 to see more and more).
> 
>> Best regards, Wouter
> 
>> On 02/03/2014 05:01 PM, Sofía Silva Berenguer wrote:
>>> Wouter,
> 
>>> Iptables is accepting connections in the port 53530. I
>>> telneted it from the master and it worked.
> 
>>> I also verified with "lsof -ni:53530" that NSD is actually 
>>> listening on that port, both in TCP and UDP.
> 
>>> Regards,
> 
>>> Sofía
> 
>>> El 03/02/14 13:49, W.C.A. Wijngaards escribió:
>>>> Hi Sofia,
> 
>>>> Is your computer configured with a firewall that blocks 
>>>> traffic to port 53530?  Otherwise, I am also getting out of 
>>>> ideas, with the zone and allow-notify configured, NSD prints 
>>>> what happens with verbosity
>>>>> =2.  Nothing is printed, so I assume NSD does not actually 
>>>>> get the
>>>> packet.
> 
>>>> Best regards, Wouter
> 
>>>> On 02/03/2014 04:38 PM, Sofía Silva Berenguer wrote:
>>>>> Wouter,
> 
>>>>> I defined the pattern in nsd.conf and then added the zone 
>>>>> with nsd-control addzone <zone> <pattern>. I didn't edit
>>>>> the file manually.
> 
>>>>> I do see the zone with nsd-control zonestatus <zone>.
> 
>>>>> Regards,
> 
>>>>> Sofia
> 
>>>>> El 03/02/14 13:13, W.C.A. Wijngaards escribió:
>>>>>> Hi,
> 
>>>>>> How did you add it to the zone.list file?  If you edit
>>>>>> the file manually, NSD does not pickup the changes while
>>>>>> it is running; and in fact (may) overwrite your edits
>>>>>> when it closes. Do you see the zone with nsd-control
>>>>>> zonestatus ?
> 
>>>>>> Best regards, Wouter
> 
>>>>>> On 02/03/2014 03:55 PM, Sofía Silva Berenguer wrote:
>>>>>>> Thank you for replying Wouter!
> 
>>>>>>> The zone is listed in the zone.list file and it's
>>>>>>> spelled correctly. I added it using a pattern which
>>>>>>> includes both the allow-notify and the request-xfr
>>>>>>> lines:
> 
>>>>>>> allow-notify: <master> NOKEY request-xfr: <master>
>>>>>>> NOKEY
> 
>>>>>>> How can I check that the zone was correctly added?
> 
>>>>>>> I'm sorry for asking so basic questions but I'm a newby
>>>>>>>  with NSD.
> 
>>>>>>> Thank you a lot for your help!
> 
>>>>>>> Regards,
> 
>>>>>>> Sofía
> 
>>>>>>> El 03/02/14 12:35, W.C.A. Wijngaards escribió:
>>>>>>>> Hi Sofía,
> 
>>>>>>>> On 02/03/2014 03:03 PM, Sofía Silva Berenguer wrote:
>>>>>>>>> Dear nsd-users members,
> 
>>>>>>>>> I've installed Unbound and Nsd on a Centos 6.5 
>>>>>>>>> server.
> 
>>>>>>>>> NSD is the secondary (slave) name server for some 
>>>>>>>>> zones. The primary (master) for those zones is a 
>>>>>>>>> BIND server.
> 
>>>>>>>>> Unbound is listening on the port 53 and NSD is 
>>>>>>>>> listening on the port 53530.
> 
>>>>>>>>> The master is set up to send notifies to the port 
>>>>>>>>> 53530 of the slave server. (also-notify <slave IP 
>>>>>>>>> address> port 53530)
> 
>>>>>>>>> I'm having some issues when a zone is updated on
>>>>>>>>> the master. The master sends the notifies to the
>>>>>>>>> right port (53530). I can see the notifies with a
>>>>>>>>> tcpdump but NSD doesn't transfer the zone. I don't
>>>>>>>>> even see any message in the NSD log saying it
>>>>>>>>> received the notifies. (the "verbosity" parameter
>>>>>>>>> is set to 2).
> 
>>>>>>>>> If NSD requests the transfer (nsd-control transfer
>>>>>>>>>  <zone>) the transfer works. It just doesn't work 
>>>>>>>>> when the transfer is support to be initiated by a 
>>>>>>>>> notify sent by the master.
> 
>>>>>>>>> I've already checked iptables and it is accepting 
>>>>>>>>> connections to the port 53530.
> 
>>>>>>>>> I've even trying stopping Unbound and setting up
>>>>>>>>> NSD to listen on the port 53 just in case this
>>>>>>>>> issue has anything to do with the non-standard port
>>>>>>>>> being used, but it didn't work either.
> 
>>>>>>>>> Is there anything else I could check?
> 
>>>>>>>> Have you checked that your NSD configuration allows
>>>>>>>> the notify, with the allow-notify:
>>>>>>>> <master-ipaddress> NOKEY statement. With verbosity 2
>>>>>>>> it should print allowed or refused for almost all
>>>>>>>> notifies.
> 
>>>>>>>> If NSD does not host the zone, then it prints
>>>>>>>> nothing at verbosity 2, instead it returns 'nxdomain'
>>>>>>>> rcode to the master. Do you have the zone name
>>>>>>>> spelled correctly in the NSD configuration?
> 
>>>>>>>> The zone should also have a request-xfr: <master 
>>>>>>>> ipadress> NOKEY in the nsd.conf file, so that it
>>>>>>>> knows where to transfer the zone from.
> 
>>>>>>>> If you are using TSIG, try to disable it, if the TSIG
>>>>>>>>  fails (i.e. you have the wrong TSIG key) then NSD
>>>>>>>> will also not print a log entry.
> 
>>>>>>>>> Are you aware of any incompatibility between a BIND
>>>>>>>>>  master and a NSD slave?
> 
>>>>>>>> No, this should work.
> 
>>>>>>>> Best regards, Wouter
> 
>>>>>>>> _______________________________________________ 
>>>>>>>> nsd-users mailing list nsd-users at NLnetLabs.nl 
>>>>>>>> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJS8P7qAAoJEJ9vHC1+BF+N3JYP/R08VIn4mtqBfV1AtfEgKr3K
ieVh/LQsWMo2uc7HBlbGKZfs5cXTgGNaAOgZN20WMl7gMFFQkqpttRt7IjjeWJj+
X+yCEhdPzJ/d07gvGkPK3k2PpYQ+qN+BTQz4VpS6dsC1faRLq0B3vrv9cpnTd5bj
nj3EGIx78dacsIvj5KTwRygrf6RGKTgBr9gfrZ4HykdzVbMAkEjjwBvPU1k2s0Vz
uOOWyCvwuVXWBjg6lDUS+4aKvgot70oInwRApBp/7/ViCEuR8oUgDOv7JmqJgslV
NUpvZA6PXQdQmTMsFcBJxApqrcdRAi+CArGN2bguBV9C65Ao9GMKa3BZT2h3rsNj
kUoJGyTbgQIhaUbmfkEKsd9p6iQca0KgrRDlF/+XTvM1x+LRbAZUBukUlAdz8zEB
MyKiKnWgND1fKqUnvwAEsRZKgeJf44rqfnyfaNW+FtRrmxVVq+b/c9PxDKoLYnZ+
rWP202XJxL280btcwHGE7QAlYxlvkpMDF7AklvHBDEQsBQwVSY+29HPnGYsy29Z0
uPcFwm6NCYg7d8vSdeY3tQbU+q0M8IuvEKJOXdjG0hy+fWKcphJVtf//1j3FRYeS
pRT4mL+lJ1FirVS0xaf35n/2DMmXKVEsmwH2QB/1ufZCLSVSXtaCceiLCAA/PGzu
nQc3apSpCOiU2IcGf1BP
=B9bs
-----END PGP SIGNATURE-----



More information about the nsd-users mailing list