Hi Michael,

Is there another primary above the hidden master?

Daniel

On 2/16/24 15:26, Michael Grimm wrote:
Hi,

after the successful migration of my hidden primary NSD and OpenDNSSEC signer to Knot DNS, I started to migrate my secondary NSDs to Knot DNS as well. Thanks to the excellent documentation, this migration went more or less flawlessly as well.

BUT: I am somehow irritated by the following error messages at my hidden primary, like:

    2024-02-16T10:54:08+0100 debug: [ellael.org.] ACL, allowed, action transfer, remote 10.1.1.201@27919, key primary-secondary.
    2024-02-16T10:54:08+0100 info: [ellael.org.] AXFR, outgoing, remote 10.1.1.201@27919 TCP, started, serial 2024021331
    2024-02-16T10:54:08+0100 info: [ellael.org.] AXFR, outgoing, remote 10.1.1.201@27919 TCP, finished, 0.00 seconds, 1 messages, 7774 bytes
    2024-02-16T10:54:09+0100 debug: [ellael.org.] ACL, allowed, action notify, remote 10.1.1.201@40884, key primary-secondary.
    2024-02-16T10:54:09+0100 info: [ellael.org.] notify, incoming, remote 10.1.1.201@40884 TCP, serial 2024021331   !
    2024-02-16T10:54:09+0100 error: [ellael.org.] zone event 'refresh' failed (operation not supported)

The log files at both secondaries are identical; here is one example:

    2024-02-16T10:54:08+0100 info: [ellael.org.] AXFR, incoming, remote 10.2.2.203@5333 TCP, finished, 0.00 seconds, 1 messages, 7774 bytes
    2024-02-16T10:54:08+0100 info: [ellael.org.] refresh, remote 10.2.2.203@5333, zone updated, 0.03 seconds, serial none -> 2024021331, expires in 1209600 seconds
    2024-02-16T10:54:08+0100 info: [ellael.org.] zone file updated, serial 2024021331
    >>>! 2024-02-16T10:54:09+0100 info: [ellael.org.] notify, outgoing, remote 10.2.2.203@5333 TCP, serial 2024021331

FYI: Those errors are only logged when a zone gets updated or when using "knotc zone-notify" at the secondary site.
Here are my essential config excerpts:

Primary:

    acl:
      - id: aclTRANSACTIONS
        key: primary-secondary
        action: [notify, transfer]

    remote:
      - id: secondaryKBN
        key: primary-secondary
        address: 10.1.1.201        # KBN secondary
        via: 10.2.2.203            # outgoing interface

Secondary:

    acl:
      - id: aclTRANSACTIONS
        key: primary-secondary
        action: [notify, transfer]

    remote:
      - id: primaryMWN
        key: primary-secondary
        address: 10.2.2.203@5333   # MWN hidden primary
        via: 10.2.2.201            # outgoing interface

    block-notify-after-transfer: on

FYI: Only adding "block-notify-after-transfer: on" at the secondary sites stopped those error messages. I found https://www.mail-archive.com/[email protected]/msg01812.html : "I recommend not using this option unless you really know what you're doing and why this option is essential for you."

Questions:

#) I do have to admit, I don't understand what is going on without "block-notify-after-transfer: on".
#) Am I safe in using "block-notify-after-transfer: on"?
#) Or is there another config option?

Thanks in advance and regards,
Michael
--
--
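Editor's note, added to this thread and not part of either message above. Read together, the two logs describe a loop: the secondary pulls the zone by AXFR, then sends a NOTIFY back to the hidden primary (the "notify, outgoing, remote 10.2.2.203@5333" line); the primary's ACL grants that remote the "notify" action, so it accepts the NOTIFY and schedules a refresh, and since a primary has no master to refresh from, that event fails with "operation not supported". Suppressing the NOTIFY with block-notify-after-transfer hides the symptom; the narrower fix is to grant each side only the action it actually needs and to not list the primary among the secondary's notify targets. The configuration below is my illustration of that layout, written as two separate knot.conf files (shown as two YAML documents). The addresses, port, key name and zone name are taken from Michael's excerpts; the ACL ids, the zone file paths and the TSIG secret are placeholders I made up.

```yaml
# --- knot.conf on the hidden primary (10.2.2.203, port 5333) ---
# Added example, not from the thread. Paths, ACL ids and the secret are placeholders.
server:
    listen: 10.2.2.203@5333

key:
  - id: primary-secondary
    algorithm: hmac-sha256
    secret: REPLACE_WITH_BASE64_SECRET   # placeholder; generate with keymgr -t

remote:
  - id: secondaryKBN
    address: 10.1.1.201
    key: primary-secondary
    via: 10.2.2.203

acl:
  # Transfer only. Without "notify" here, a NOTIFY arriving from the
  # secondary is refused by the ACL instead of scheduling a refresh that
  # a primary with no master cannot perform.
  - id: acl-xfr-to-secondary
    key: primary-secondary
    action: transfer

zone:
  - domain: ellael.org.
    file: /var/lib/knot/ellael.org.zone   # placeholder path
    notify: secondaryKBN                  # NOTIFY goes primary -> secondary only
    acl: acl-xfr-to-secondary
---
# --- knot.conf on the secondary (10.1.1.201) ---
server:
    listen: 10.1.1.201@53

key:
  - id: primary-secondary
    algorithm: hmac-sha256
    secret: REPLACE_WITH_BASE64_SECRET   # same placeholder secret as on the primary

remote:
  - id: primaryMWN
    address: 10.2.2.203@5333
    key: primary-secondary
    via: 10.2.2.201

acl:
  # The primary may notify this server; nothing else is allowed in.
  - id: acl-notify-from-primary
    key: primary-secondary
    action: notify

zone:
  - domain: ellael.org.
    master: primaryMWN                    # where refresh/AXFR comes from
    acl: acl-notify-from-primary
    # No "notify:" list, so this secondary never sends NOTIFY back to the
    # primary and block-notify-after-transfer is not needed. If this host
    # feeds further secondaries, list only those remotes under "notify:".
```

Two caveats from my side: if the secondary's zone (or a template it inherits from) currently lists primaryMWN under "notify:", that entry is the direct cause of the outgoing NOTIFY and should be removed rather than masked; and keeping "notify" out of the primary's ACL also means a misconfigured or compromised secondary cannot make the primary churn on refresh events it can never complete. After changing either file, "knotc conf-check" and "knotc reload" are the usual way to validate and apply.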
