Hi Daniel,
thank you very much, your mail helped a lot!
> I see a few issues:
>
> - increase the number of workers (at least one TCP worker is too low on the
> primary if you have more secondaries)
> - acl action notify is not needed on the primary
> - acl action transfer is not needed on secondaries
> - notify configuration on secondaries doesn't make sense in your case
Done, although not understood yet. I need to do more reading in the manual.
BUT: Now (almost, see below) everything works as expected.
> - there is some inconsistency in secondaryOVH configuration: remote without
> key vs. acl with key primary-secondary
No, that's intended. The communication with secondaryOVH needs to be keyless.
That is something I need to separate. And actually it is working as expected at
the primary.
But I do need something similar at one of my secondary servers that allows for
a zone transfer from that given secondary to secondaryOVH as set up in NSD
config:
allow-notify: 10.2.2.203 primary-secondary
request-xfr:  10.2.2.203@5333 primary-secondary
provide-xfr:  213.251.188.141 NOKEY    # allow xfr from secondary sdns2.ovh.net
                                       # notify is sent from hidden primary @MWN
My "equivalent" config at that given secondary is:

remote:
  - id: primaryMWN
    key: primary-secondary
    address: 10.2.2.203@5333      # MWN hidden primary
    via: 10.2.2.201               # outgoing interface
  - id: secondaryOVH
    address: 213.251.188.141      # allow xfr from secondary sdns2.ovh.net
    via: 10.2.2.201               # outgoing interface
But I do get:

debug: [ellael.org.] ACL, denied, action transfer, remote 213.251.188.141@41425
Your other mail:
> Another issues are:
>
> `via: 10.1.1.201` - this interface isn't configured and
> the specification is not needed if there is just one IPv4 address - remove it
Yeah, there are more IPv4 addresses in that given FreeBSD jail, so I do need it.
> `block-notify-after-transfer: on` - this doesn't make sense too
Done, and thanks to your suggestion, no longer needed.
Thank you very much for your help!
Regards,
Michael
>
> On 2/16/24 16:14, Michael Grimm wrote:
>> Thank you for your help. I will send complete configs.
>> Primary hidden:
>> ###############
>>
>> # server specifics
>> #
>> server:
>>     listen: 10.2.2.203@5333
>>     user: knot:knot
>>     rundir: "/var/run/knot"
>>     tcp-workers: 1
>>     udp-workers: 1
>>     identity: ""
>>
>> # logging
>> #
>> log:
>>   - target: syslog
>>     any: info
>>   - target: "/var/log/knot.log"
>>     any: debug
>>
>> # database management
>> #
>> database:
>>     storage: "/var/db/knot"
>>     kasp-db: "/var/db/knot/kasp"
>>
>> # key used for acl transactions
>> #
>> key:
>>   - id: primary-secondary
>>     algorithm: hmac-sha256
>>     secret: <hidden>
>>
>> # acl transactions (primary, secondary)
>> #
>> acl:
>>   - id: aclTRANSACTIONS
>>     key: primary-secondary
>>     action: [notify, transfer]
>>
>> # remote secondary and authoritative nameservers (KBN, MWN)
>> #
>> remote:
>>   - id: secondaryKBN
>>     key: primary-secondary
>>     address: 10.1.1.201          # KBN secondary
>>     via: 10.2.2.203              # outgoing interface
>>   - id: secondaryMWN
>>     key: primary-secondary
>>     address: 10.2.2.201          # MWN secondary
>>     via: 10.2.2.203              # outgoing interface
>>   - id: secondaryOVH
>>     address: 213.251.188.141     # OVH's sdns2.ovh.net (notify, submission)
>>     via: 10.2.2.203              # outgoing interface
>>
>> # all remote secondary servers that get notified
>> #
>> remotes:
>>   - id: remoteSERVERS
>>     remote: [secondaryKBN, secondaryMWN, secondaryOVH]
>>
>> # KSK submission checks (only active during ksk rollovers)
>> #
>> submission:
>>   - id: kskCHECKER
>>     check-interval: 15m
>>     parent: secondaryOVH
>>
>> # dnssec policy
>> #
>> policy:
>>   - id: ecdsa
>>     algorithm: ecdsap256sha256
>>     ksk-lifetime: 0              # no KSK rollover
>>     zsk-lifetime: 365d
>>     propagation-delay: 6h
>>     nsec3: on
>>     cds-cdnskey-publish: always
>>     ksk-submission: kskCHECKER
>>
>> # default template used for all zonefiles
>> #
>> template:
>>   - id: default
>>     storage: "/usr/local/etc/knot/zones"
>>     file: "%s"
>>     semantic-checks: on
>>     dnssec-policy: ecdsa
>>     dnssec-signing: on
>>     acl: aclTRANSACTIONS
>>     notify: remoteSERVERS
>>     zonefile-sync: -1
>>     zonefile-load: difference
>>     journal-content: changes
>>
>> # primary zones hosted
>> #
>> zone:
>>   - domain: ellael.org
>>     [others snipped]
>> Secondary (both identical configs):
>> ###################################
>>
>> # server specifics
>> #
>> server:
>>     listen: 10.1.1.201@53
>>     listen: fd00:a:a:a::201@53
>>     user: knot:knot
>>     rundir: "/var/run/knot"
>>     tcp-workers: 1
>>     udp-workers: 1
>>     identity: ""
>>     version: ""
>>
>> # logging
>> #
>> log:
>>   - target: syslog
>>     any: info
>>   - target: "/var/log/knot.log"
>>     any: debug
>>
>> # database management
>> #
>> database:
>>     storage: "/var/db/knot"
>>     kasp-db: "/var/db/knot/kasp"
>>
>> # key used for acl transactions
>> #
>> key:
>>   - id: primary-secondary
>>     algorithm: hmac-sha256
>>     secret: <hidden>
>>
>> # acl transactions (primary, secondary)
>> #
>> acl:
>>   - id: aclTRANSACTIONS
>>     key: primary-secondary
>>     action: [notify, transfer]
>>
>> # remote hidden primary and secondary nameservers (MWN, OVH)
>> #
>> remote:
>>   - id: primaryMWN
>>     key: primary-secondary
>>     address: 10.2.2.203@5333     # MWN hidden primary
>>     via: 10.1.1.201              # outgoing interface
>>     block-notify-after-transfer: on
>>
>> remotes:
>>   - id: remoteSERVERS
>>     remote: [primaryMWN]
>>
>> # default template used for all zonefiles
>> #
>> template:
>>   - id: default
>>     storage: "/usr/local/etc/knot/zones"
>>     file: "%s"
>>     master: primaryMWN
>>     notify: remoteSERVERS
>>     acl: aclTRANSACTIONS
>>     semantic-checks: on
>>
>> # primary zones hosted
>> #
>> zone:
>>   - domain: ellael.org
>>     [others snipped]
>> Thanks in advance,
>> Michael
>>> On 16. Feb 2024, at 16:05, Daniel Salzman <[email protected]> wrote:
>>>
>>> Okay. Please show me the configuration of the zone (template).
>>>
>>> On 2/16/24 16:03, Michael Grimm wrote:
>>>> Yes, I understand that, now ;-)
>>>> But my main concern is this: "Those errors are only logged when a zone
>>>> gets updated"
>>>> Regards,
>>>> Michael
>>>>> On 16. Feb 2024, at 15:57, Daniel Salzman <[email protected]> wrote:
>>>>>
>>>>> Note that `knotc zone-notify` works on a primary. If you want an explicit
>>>>> refresh on a secondary, call `knotc zone-refresh`.
>>>>>
>>>>> On 2/16/24 15:55, Michael Grimm wrote:
>>>>>> Daniel Salzman <[email protected]> wrote
>>>>>>> Is there another primary above the hidden master?
>>>>>> I am not sure if I do understand your question correctly.
>>>>>> Here is my setup:
>>>>>> Hidden Primary —> Secondary (2x)
>>>>>> Feel free to ask for more info. Complete configs?
>>>>>> Thanks,
>>>>>> Michael
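Added example, not part of the thread and not Michael's or Daniel's configuration: a minimal Knot DNS secondary in which inbound access is split into two ACLs, a keyed one that accepts the hidden primary's TSIG-signed NOTIFYs and an address-only one with no `key:` entry, so that an unsigned AXFR/IXFR request arriving from 213.251.188.141 matches an ACL instead of being denied. In Knot the `remote` section describes servers this instance talks to (refresh, outgoing notify); who may query, notify or transfer from this instance is decided by the `acl` entries referenced from the template. Addresses, the remote id primaryMWN and the key id primary-secondary are taken from the configs quoted above; the acl ids aclNOTIFYprimary and aclXFRovh are my own names, and the key secret is a placeholder as in the thread.

```yaml
# Added example (not from the thread): Knot secondary that pulls zones from
# the hidden primary with TSIG and serves keyless transfers to sdns2.ovh.net.
# Addresses, remote id and key id come from the thread; acl ids are assumed.

server:
    listen: 10.2.2.201@53

key:
  - id: primary-secondary
    algorithm: hmac-sha256
    secret: <hidden>                    # placeholder, as in the thread

acl:
  # Inbound NOTIFY from the hidden primary must be signed with the shared key.
  - id: aclNOTIFYprimary
    key: primary-secondary
    action: notify

  # Inbound AXFR/IXFR from OVH's secondary is matched on source address only.
  # No 'key:' is listed, so an unsigned transfer request from this address is
  # allowed; any other source, signed or not, still does not match this entry.
  - id: aclXFRovh
    address: 213.251.188.141
    action: transfer

remote:
  # Outbound direction only: where this secondary refreshes the zone from.
  - id: primaryMWN
    key: primary-secondary
    address: 10.2.2.203@5333
    via: 10.2.2.201

template:
  - id: default
    storage: "/usr/local/etc/knot/zones"
    file: "%s"
    master: primaryMWN
    # Both ACLs apply to every zone using this template.
    acl: [aclNOTIFYprimary, aclXFRovh]
    semantic-checks: on

zone:
  - domain: ellael.org
```

After editing, `knotc conf-check` validates the file and `knotc zone-refresh` (mentioned by Daniel earlier in the thread) pulls the zone from the primary; with the address-only ACL in place, the "ACL, denied, action transfer" debug line for 213.251.188.141 should no longer appear when OVH requests a transfer.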