Hi,

FTR: My questions are all answered, and I solved the last remaining issue regarding OVH's secondary server without key.
1) Modification of my firewall: The primary is still cut off from remote access, except for that one IP of OVH's secondary
2) Now, my primary serves all secondary servers, two of mine plus OVH
3) Added an additional ACL for keyless AXFR to OVH secondary

Thank you very much again. Now, I understand much better what went wrong in my first setup attempts ;-)

Regards,
Michael

> On 16. Feb 2024, at 20:18, Michael Grimm <[email protected]> wrote:
>
> Hi Daniel,
>
> thank you very much, your mail helped a lot!
>
>> I see a few issues:
>>
>> - increase the number of workers (at least one TCP worker is too low on the
>>   primary if you have more secondaries)
>> - acl action notify is not needed on the primary
>> - acl action transfer is not needed on secondaries
>> - notify configuration on secondaries doesn't make sense in your case
>
> Done, although not understood, yet. I need more reading in the manual.
> BUT: Now (almost, see below) everything works as expected.
>
>> - there is some inconsistency in secondaryOVH configuration: remote without
>>   key vs. acl with key primary-secondary
>
> No, that's intended. The communication with secondaryOVH needs to be keyless.
> That is something I need to separate. And actually it is working as expected
> at the primary.
>
> But I do need something similar at one of my secondary servers that allows
> for a zone transfer from that given secondary to secondaryOVH as set up in
> NSD config:
>
>     allow-notify: 10.2.2.203 primary-secondary
>     request-xfr: 10.2.2.203@5333 primary-secondary
>
>     provide-xfr: 213.251.188.141 NOKEY    # allow xfr from secondary sdns2.ovh.net
>                                           # notify is sent from hidden primary @MWN
>
> My "equivalent" config at that given secondary is:
>
>     remote:
>       - id: primaryMWN
>         key: primary-secondary
>         address: 10.2.2.203@5333    # MWN hidden primary
>         via: 10.2.2.201             # outgoing interface
>
>       - id: secondaryOVH
>         address: 213.251.188.141    # allow xfr from secondary sdns2.ovh.net
>         via: 10.2.2.201             # outgoing interface
>
> But I do get:
>
>     debug: [ellael.org.] ACL, denied, action transfer, remote 213.251.188.141@41425
>
> Your other mail:
>
>> Other issues are:
>>
>> `via: 10.1.1.201` - this interface isn't configured and
>> the specification is not needed if there is just one IPv4 address - remove it
>
> Yeah, there are more IPv4 addresses in that given FreeBSD jail, I do need it.
>
>> `block-notify-after-transfer: on` - this doesn't make sense either
>
> Done, and thanks to your suggestion, no longer needed.
>
> Thank you very much for your help!
>
> Regards,
> Michael
>
>>
>> On 2/16/24 16:14, Michael Grimm wrote:
>>> Thank you for your help. I will send complete configs.
>>>
>>> Primary hidden:
>>> ###############
>>>
>>> # server specifics
>>> #
>>> server:
>>>     listen: 10.2.2.203@5333
>>>     user: knot:knot
>>>     rundir: "/var/run/knot"
>>>     tcp-workers: 1
>>>     udp-workers: 1
>>>     identity: ""
>>>
>>> # logging
>>> #
>>> log:
>>>   - target: syslog
>>>     any: info
>>>   - target: "/var/log/knot.log"
>>>     any: debug
>>>
>>> # database management
>>> #
>>> database:
>>>     storage: "/var/db/knot"
>>>     kasp-db: "/var/db/knot/kasp"
>>>
>>> # key used for acl transactions
>>> #
>>> key:
>>>   - id: primary-secondary
>>>     algorithm: hmac-sha256
>>>     secret: <hidden>
>>>
>>> # acl transactions (primary, secondary)
>>> #
>>> acl:
>>>   - id: aclTRANSACTIONS
>>>     key: primary-secondary
>>>     action: [notify, transfer]
>>>
>>> # remote secondary and authoritative nameservers (KBN, MWN)
>>> #
>>> remote:
>>>   - id: secondaryKBN
>>>     key: primary-secondary
>>>     address: 10.1.1.201         # KBN secondary
>>>     via: 10.2.2.203             # outgoing interface
>>>   - id: secondaryMWN
>>>     key: primary-secondary
>>>     address: 10.2.2.201         # MWN secondary
>>>     via: 10.2.2.203             # outgoing interface
>>>   - id: secondaryOVH
>>>     address: 213.251.188.141    # OVH's sdns2.ovh.net (notify, submission)
>>>     via: 10.2.2.203             # outgoing interface
>>>
>>> # all remote secondary servers that get notified
>>> #
>>> remotes:
>>>   - id: remoteSERVERS
>>>     remote: [secondaryKBN, secondaryMWN, secondaryOVH]
>>>
>>> # KSK submission checks (only active during ksk rollovers)
>>> #
>>> submission:
>>>   - id: kskCHECKER
>>>     check-interval: 15m
>>>     parent: secondaryOVH
>>>
>>> # dnssec policy
>>> #
>>> policy:
>>>   - id: ecdsa
>>>     algorithm: ecdsap256sha256
>>>     ksk-lifetime: 0             # no KSK rollover
>>>     zsk-lifetime: 365d
>>>     propagation-delay: 6h
>>>     nsec3: on
>>>     cds-cdnskey-publish: always
>>>     ksk-submission: kskCHECKER
>>>
>>> # default template used for all zonefiles
>>> #
>>> template:
>>>   - id: default
>>>     storage: "/usr/local/etc/knot/zones"
>>>     file: "%s"
>>>     semantic-checks: on
>>>     dnssec-policy: ecdsa
>>>     dnssec-signing: on
>>>     acl: aclTRANSACTIONS
>>>     notify: remoteSERVERS
>>>     zonefile-sync: -1
>>>     zonefile-load: difference
>>>     journal-content: changes
>>>
>>> # primary zones hosted
>>> #
>>> zone:
>>>   - domain: ellael.org
>>>     [others snipped]
>>>
>>> Secondary (both identical configs):
>>> ###################################
>>>
>>> # server specifics
>>> #
>>> server:
>>>     listen: 10.1.1.201@53
>>>     listen: fd00:a:a:a::201@53
>>>     user: knot:knot
>>>     rundir: "/var/run/knot"
>>>     tcp-workers: 1
>>>     udp-workers: 1
>>>     identity: ""
>>>     version: ""
>>>
>>> # logging
>>> #
>>> log:
>>>   - target: syslog
>>>     any: info
>>>   - target: "/var/log/knot.log"
>>>     any: debug
>>>
>>> # database management
>>> #
>>> database:
>>>     storage: "/var/db/knot"
>>>     kasp-db: "/var/db/knot/kasp"
>>>
>>> # key used for acl transactions
>>> #
>>> key:
>>>   - id: primary-secondary
>>>     algorithm: hmac-sha256
>>>     secret: <hidden>
>>>
>>> # acl transactions (primary, secondary)
>>> #
>>> acl:
>>>   - id: aclTRANSACTIONS
>>>     key: primary-secondary
>>>     action: [notify, transfer]
>>>
>>> # remote hidden primary and secondary nameservers (MWN, OVH)
>>> #
>>> remote:
>>>   - id: primaryMWN
>>>     key: primary-secondary
>>>     address: 10.2.2.203@5333    # MWN hidden primary
>>>     via: 10.1.1.201             # outgoing interface
>>>     block-notify-after-transfer: on
>>>
>>> remotes:
>>>   - id: remoteSERVERS
>>>     remote: [primaryMWN]
>>>
>>> # default template used for all zonefiles
>>> #
>>> template:
>>>   - id: default
>>>     storage: "/usr/local/etc/knot/zones"
>>>     file: "%s"
>>>     master: primaryMWN
>>>     notify: remoteSERVERS
>>>     acl: aclTRANSACTIONS
>>>     semantic-checks: on
>>>
>>> # primary zones hosted
>>> #
>>> zone:
>>>   - domain: ellael.org
>>>     [others snipped]
>>>
>>> Thanks in advance,
>>> Michael
>>>
>>>> On 16. Feb 2024, at 16:05, Daniel Salzman <[email protected]> wrote:
>>>>
>>>> Okay. Please show me the configuration of the zone (template).
>>>>
>>>> On 2/16/24 16:03, Michael Grimm wrote:
>>>>> Yes, I understand that, now ;-)
>>>>> But my main concern is this: "Those errors are only logged when a zone
>>>>> gets updated"
>>>>> Regards,
>>>>> Michael
>>>>>
>>>>>> On 16. Feb 2024, at 15:57, Daniel Salzman <[email protected]> wrote:
>>>>>>
>>>>>> Note that `knotc zone-notify` works on a primary. If you want an
>>>>>> explicit refresh on a secondary, call `knotc zone-refresh`.
>>>>>>
>>>>>> On 2/16/24 15:55, Michael Grimm wrote:
>>>>>>> Daniel Salzman <[email protected]> wrote
>>>>>>>> Is there another primary above the hidden master?
>>>>>>> I am not sure if I do understand your question correctly.
>>>>>>> Here is my setup:
>>>>>>> Hidden Primary —> Secondary (2x)
>>>>>>> Feel free to ask for more info. Complete configs?
>>>>>>> Thanks,
>>>>>>> Michael
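The hidden-primary configuration that the thread converges on, written out as an added example (it is not the poster's actual final file and not a Knot DNS project sample). Addresses, remote ids and the key id are taken from the thread; the TSIG secret is a placeholder and the worker counts are an assumption. It applies Daniel's points (more TCP workers, no `notify` action in the primary's ACL) and shows the piece that was missing when the secondary logged `ACL, denied, action transfer` for 213.251.188.141: a second ACL rule that matches on source address only, because OVH's sdns2.ovh.net does not sign its AXFR requests. The same address-only rule, added to a secondary's template, is what lets that secondary serve OVH instead.

```yaml
# Added example, not the original poster's config. Addresses and ids are the
# ones from the thread; the secret and worker counts are placeholders.

server:
    listen: 10.2.2.203@5333
    user: knot:knot
    rundir: "/var/run/knot"
    # One TCP worker serialises every AXFR/IXFR; three secondaries want more.
    tcp-workers: 4          # assumed value
    udp-workers: 2          # assumed value
    identity: ""
    version: ""

key:
  - id: primary-secondary
    algorithm: hmac-sha256
    secret: "<base64 TSIG secret, hidden>"

acl:
  # Own secondaries: a transfer is only granted when the request is signed
  # with primary-secondary. No 'notify' action: the primary sends NOTIFY,
  # it does not accept it.
  - id: aclSECONDARIES
    key: primary-secondary
    action: transfer

  # OVH cannot sign, so this rule has no 'key' and matches on source address
  # only. It is the single unauthenticated path into the hidden primary, which
  # is why the host firewall allows TCP/5333 from this one address and nothing
  # else from outside.
  - id: aclOVH
    address: 213.251.188.141
    action: transfer

remote:
  - id: secondaryKBN
    key: primary-secondary
    address: 10.1.1.201
    via: 10.2.2.203
  - id: secondaryMWN
    key: primary-secondary
    address: 10.2.2.201
    via: 10.2.2.203
  - id: secondaryOVH           # keyless on purpose: NOTIFY to OVH is unsigned
    address: 213.251.188.141
    via: 10.2.2.203

remotes:
  - id: remoteSERVERS
    remote: [secondaryKBN, secondaryMWN, secondaryOVH]

template:
  - id: default
    storage: "/usr/local/etc/knot/zones"
    file: "%s"
    semantic-checks: on
    # A signed request from an own secondary satisfies aclSECONDARIES; an
    # unsigned request from OVH cannot satisfy a keyed rule and is admitted
    # by aclOVH alone. Unsigned requests from any other address match nothing
    # and are denied, which is the log line seen in the thread.
    acl: [aclSECONDARIES, aclOVH]
    notify: remoteSERVERS

zone:
  - domain: ellael.org
```

Before reloading, `knotc conf-check` validates the file syntactically; the ACL behaviour itself is easiest to confirm with the `debug` log target already in the poster's config, where a refused transfer shows up as `ACL, denied, action transfer, remote <addr>@<port>` and an accepted one is followed by the outgoing AXFR/IXFR entries for the zone.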
