So the setup isn't just "Hidden Primary —> Secondary (2x)"!

Then you must have the acl action transfer in the secondary configuration as 
well.

On 2/16/24 20:18, Michael Grimm wrote:
But I do need something similar at one of my secondary servers that
allows for a zone transfer from that given secondary to secondaryOVH as
set up in NSD config:

         allow-notify:           10.2.2.203 primary-secondary
         request-xfr:            10.2.2.203@5333 primary-secondary

         provide-xfr:            213.251.188.141         NOKEY   # allow xfr from secondary sdns2.ovh.net
                                                                 # notify is sent from hidden primary @MWN

Why do you send NOTIFY from the hidden primary instead of the secondary?


My "equivalent" config at that given secondary is:

remote:
   - id:                      primaryMWN
     key:                     primary-secondary
     address:                 10.2.2.203@5333      # MWN hidden primary
     via:                     10.2.2.201           # outgoing interface

   - id:                      secondaryOVH
     address:                 213.251.188.141      # allow xfr from secondary sdns2.ovh.net
     via:                     10.2.2.201           # outgoing interface


The zone configuration is missing!

The remote configuration itself does nothing if the id (secondaryOVH) isn't 
referenced from notify/master/acl.
In this case you probably need only the acl rule for the transfer from 
213.251.188.141.
That's all.


But I do get:

        debug: [ellael.org.] ACL, denied, action transfer, remote 213.251.188.141@41425
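
An added example, not taken from either poster's configuration: the acl and zone sections that the reply says are missing, written as Knot DNS config for the secondary. The acl ids are hypothetical, and the key `primary-secondary` and the remote `primaryMWN` are assumed to be defined as in the quoted config.

```yaml
# Added sketch for the secondary at 10.2.2.201; the acl ids are made up here.
# The key "primary-secondary" and the remote "primaryMWN" are assumed to be
# defined as in the quoted config.

acl:
  # NSD "allow-notify: 10.2.2.203 primary-secondary"
  - id:       notify_from_primaryMWN
    address:  10.2.2.203
    key:      primary-secondary
    action:   notify

  # NSD "provide-xfr: 213.251.188.141 NOKEY"
  # No key is listed, so the rule matches on source address alone.
  - id:       xfr_to_secondaryOVH
    address:  213.251.188.141
    action:   transfer

zone:
  - domain:   ellael.org
    master:   primaryMWN                 # NSD "request-xfr"
    acl:      [ notify_from_primaryMWN, xfr_to_secondaryOVH ]
```

`knotc conf-check` validates the file before a reload. Because the transfer rule carries no TSIG key, the source address is the only thing limiting who can pull the zone from this secondary.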