Okay, then ignore my last reply :-)

On 2/17/24 08:52, Michael Grimm wrote:
Hi,

FTR: My questions are all answered, and I solved the last remaining issue 
regarding OVH's secondary server without key.

1) Modification of my firewall: The primary is still cut off from remote access, 
except that one IP of OVH's secondary
2) Now, my primary serves all secondary servers, two of mine plus OVH
3) Added an additional ACL for keyless AXFR to OVH secondary

Thank you very much again. Now, I understand much better what went wrong in my 
first setup attempts ;-)

Regards,
Michael

On 16. Feb 2024, at 20:18, Michael Grimm <[email protected]> wrote:

Hi Daniel,

thank you very much, your mail helped a lot!

I see a few issues:

- increase the number of workers (at least one TCP worker is too low on the 
primary if you have more secondaries)
- acl action notify is not needed on the primary
- acl action transfer is not needed on secondaries
- notify configuration on secondaries doesn't make sense in your case

Done, although not understood, yet. I need more reading in the manual.
BUT: Now (almost, see below) everything works as expected.

- there is some inconsistency in secondaryOVH configuration: remote without key 
vs. acl with key primary-secondary

No, that's intended. The communication with secondaryOVH needs to be keyless. 
That is something I need to separate. And actually it is working as expected at 
the primary.

But I do need something similar at one of my secondary servers that allows for 
a zone transfer from that given secondary to secondaryOVH as set up in NSD 
config:

        allow-notify:           10.2.2.203              primary-secondary
        request-xfr:            10.2.2.203@5333         primary-secondary

        provide-xfr:            213.251.188.141         NOKEY   # allow xfr from secondary sdns2.ovh.net
                                                                # notify is sent from hidden primary @MWN

My "equivalent" config at that given secondary is:

remote:
  - id:                      primaryMWN
    key:                     primary-secondary
    address:                 10.2.2.203@5333      # MWN hidden primary
    via:                     10.2.2.201           # outgoing interface

  - id:                      secondaryOVH
    address:                 213.251.188.141      # allow xfr from secondary sdns2.ovh.net
    via:                     10.2.2.201           # outgoing interface

But I do get:

debug: [ellael.org.] ACL, denied, action transfer, remote 213.251.188.141@41425


Your other mail:

Other issues are:

`via:                     10.1.1.201` - this interface isn't configured and the 
specification is not needed if there is just one IPv4 address - remove it

Yeah, there are more IPv4 addresses in that given FreeBSD jail; I do need it.

`block-notify-after-transfer: on` - this doesn't make sense either

Done, and thanks to your suggestion, no longer needed.

Thank you very much for your help!

Regards,
Michael
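The denial above comes from the secondary's only ACL requiring the TSIG key, while sdns2.ovh.net sends an unsigned AXFR request. As an added illustration (not a config from the thread), this is the shape of the secondary's Knot configuration with a second, address-only ACL next to the keyed one, matching the keyless-AXFR ACL Michael reports adding in his Feb 17 reply. The ACL id aclOVHxfr is an assumed name; addresses, key id and remote ids are those from the thread.

```yaml
# Secondary at 10.2.2.201 (MWN): keyed ACL for the hidden primary,
# keyless ACL for OVH's secondary. Added example, not the thread's config.

key:
  - id:                      primary-secondary
    algorithm:               hmac-sha256
    secret:                  <hidden>             # placeholder, real base64 secret here

acl:
  # Keyed rule: the hidden primary signs NOTIFY and AXFR/IXFR with the TSIG key.
  - id:                      aclTRANSACTIONS
    key:                     primary-secondary
    action:                  [notify, transfer]

  # Keyless rule (assumed id aclOVHxfr): no "key:" means no TSIG is required,
  # so the request is matched on source address only and is allowed exactly
  # one thing, a zone transfer. Counterpart of the NSD line
  # "provide-xfr: 213.251.188.141 NOKEY".
  - id:                      aclOVHxfr
    address:                 213.251.188.141      # OVH's sdns2.ovh.net
    action:                  transfer

remote:
  - id:                      primaryMWN
    key:                     primary-secondary
    address:                 10.2.2.203@5333      # MWN hidden primary
    via:                     10.2.2.201           # outgoing interface

template:
  - id:                      default
    storage:                 "/usr/local/etc/knot/zones"
    file:                    "%s"
    master:                  primaryMWN
    # Both rules apply to the zone; they are evaluated in order, so the
    # keyed primary and the keyless OVH secondary each hit their own rule.
    acl:                     [aclTRANSACTIONS, aclOVHxfr]
    semantic-checks:         on

zone:
  - domain:                  ellael.org
```

Validate with `knotc conf-check` before reloading; afterwards the "ACL, denied, action transfer, remote 213.251.188.141" line should no longer appear for that remote, and any other unsigned source still matches no rule and is refused.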


On 2/16/24 16:14, Michael Grimm wrote:
Thank you for your help. I will send complete configs.
Primary hidden:
###############
# server specifics
#
server:
    listen:                  10.2.2.203@5333
    user:                    knot:knot
    rundir:                  "/var/run/knot"
    tcp-workers:             1
    udp-workers:             1
    identity:                ""
# logging
#
log:
  - target:                  syslog
    any:                     info
  - target:                  "/var/log/knot.log"
    any:                     debug
# database management
#
database:
    storage:                 "/var/db/knot"
    kasp-db:                 "/var/db/knot/kasp"
# key used for acl transactions
#
key:
  - id:                      primary-secondary
    algorithm:               hmac-sha256
    secret:                  <hidden>
# acl transactions (primary, secondary)
#
acl:
  - id:                      aclTRANSACTIONS
    key:                     primary-secondary
    action:                  [notify, transfer]
# remote secondary and authoritative nameservers (KBN, MWN)
#
remote:
  - id:                      secondaryKBN
    key:                     primary-secondary
    address:                 10.1.1.201           # KBN secondary
    via:                     10.2.2.203           # outgoing interface
  - id:                      secondaryMWN
    key:                     primary-secondary
    address:                 10.2.2.201           # MWN secondary
    via:                     10.2.2.203           # outgoing interface
  - id:                      secondaryOVH
    address:                 213.251.188.141      # OVH's sdns2.ovh.net (notify, submission)
    via:                     10.2.2.203           # outgoing interface
# all remote secondary servers that get notified
#
remotes:
  - id:                      remoteSERVERS
    remote:                  [secondaryKBN, secondaryMWN, secondaryOVH]
# KSK submission checks (only active during ksk rollovers)
#
submission:
   - id:                     kskCHECKER
     check-interval:         15m
     parent:                 secondaryOVH
# dnssec policy
#
policy:
  - id:                      ecdsa
    algorithm:               ecdsap256sha256
    ksk-lifetime:            0                    # no KSK rollover
    zsk-lifetime:            365d
    propagation-delay:       6h
    nsec3:                   on
    cds-cdnskey-publish:     always
    ksk-submission:          kskCHECKER
# default template used for all zonefiles
#
template:
  - id:                      default
    storage:                 "/usr/local/etc/knot/zones"
    file:                    "%s"
    semantic-checks:         on
    dnssec-policy:           ecdsa
    dnssec-signing:          on
    acl:                     aclTRANSACTIONS
    notify:                  remoteSERVERS
    zonefile-sync:           -1
    zonefile-load:           difference
    journal-content:         changes
# primary zones hosted
#
zone:
  - domain:                  ellael.org
  [others snipped]
Secondary (both identical configs):
###################################
# server specifics
#
server:
    listen:                  10.1.1.201@53
    listen:                  fd00:a:a:a::201@53
    user:                    knot:knot
    rundir:                  "/var/run/knot"
    tcp-workers:             1
    udp-workers:             1
    identity:                ""
    version:                 ""
# logging
#
log:
  - target:                  syslog
    any:                     info
  - target:                  "/var/log/knot.log"
    any:                     debug
# database management
#
database:
    storage:                 "/var/db/knot"
    kasp-db:                 "/var/db/knot/kasp"
# key used for acl transactions
#
key:
  - id:                      primary-secondary
    algorithm:               hmac-sha256
    secret:                  <hidden>
# acl transactions (primary, secondary)
#
acl:
  - id:                      aclTRANSACTIONS
    key:                     primary-secondary
    action:                  [notify, transfer]
# remote hidden primary and secondary nameservers (MWN, OVH)
#
remote:
  - id:                      primaryMWN
    key:                     primary-secondary
    address:                 10.2.2.203@5333      # MWN hidden primary
    via:                     10.1.1.201           # outgoing interface
    block-notify-after-transfer: on
remotes:
  - id:                      remoteSERVERS
    remote:                  [primaryMWN]
# default template used for all zonefiles
#
template:
  - id:                      default
    storage:                 "/usr/local/etc/knot/zones"
    file:                    "%s"
    master:                  primaryMWN
    notify:                  remoteSERVERS
    acl:                     aclTRANSACTIONS
    semantic-checks:         on
# primary zones hosted
#
zone:
  - domain:                  ellael.org
  [others snipped]
Thanks in advance,
Michael
On 16. Feb 2024, at 16:05, Daniel Salzman <[email protected]> wrote:

Okay. Please show me the configuration of the zone (template).

On 2/16/24 16:03, Michael Grimm wrote:
Yes, I understand that, now ;-)
But my main concern is this: "Those errors are only logged when a zone gets 
updated"
Regards,
Michael
On 16. Feb 2024, at 15:57, Daniel Salzman <[email protected]> wrote:

Note that `knotc zone-notify` works on a primary. If you want an explicit 
refresh on a secondary, call `knotc zone-refresh`.

On 2/16/24 15:55, Michael Grimm wrote:
Daniel Salzman <[email protected]> wrote
Is there another primary above the hidden master?
I am not sure if I do understand your question correctly.
Here is my setup:
Hidden Primary —> Secondary (2x)
Feel free to ask for more info. Complete configs?
Thanks,
Michael