Hello, I'm new to nsd and I tried to set up two name servers, dns1 and dns2, with unbound as a resolver on each name server.

unbound is listening on port 53, therefore I used port 5353 for nsd. dns1 should do a zone transfer to dns2. To keep things simple I use no encryption (NOKEY).

nsd-checkconf gives no errors; nsd-checkzone gives no errors in the forward or reverse zone. The zone transfer between the two fails with the following error(s):

dns1:

    Aug 31 08:32:34 dns1 nsd[37829]: xfrd: zone example.com: max notify send count reached, 45.xx.yy.195@5353 unreachable
    Aug 31 08:40:23 dns1 nsd[37833]: axfr for example.com. from 45.xx.yy.195 refused, no acl matches

dns2:

    Aug 31 08:32:34 dns2 nsd[5149]: notify for example.com. from 45.xx.yy.194 refused, no acl matches.

I tried to leave out the "@5353", but then there is no communication at all.

tcpdump:

    09:07:26.130431 IP 45.xx.yy.194.47272 > 45.xx.yy.195.5353: 60694 notify [b2&3=0x2400] [1a] SOA (QM)? 2.0.192.in-addr.arpa. (126)
    09:07:26.130546 IP 45.xx.yy.194.36486 > 45.xx.yy.195.5353: 42430 notify [b2&3=0x2400] [1a] SOA (QM)? example.com. (108)
    09:07:26.131360 IP 45.xx.yy.195.5353 > 45.xx.yy.194.47272: 60694 notify Refused*- [0q] 0/0/0 (12)
    09:07:26.131377 IP 45.xx.yy.195.5353 > 45.xx.yy.194.36486: 42430 notify Refused*- [0q] 0/0/0 (12)

dns1 config:

    # See /usr/share/doc/nsd/examples/nsd.conf for a commented
    # reference config file.
    include: "/etc/nsd/nsd.conf.d/*.conf"
    # include: "/etc/nsd/zones/zones.conf"

    server:
        # log only to syslog.
        log-only-syslog: yes
        debug-mode: yes
        verbosity: 5
        username: nsd
        pidfile: "/run/nsd/nsd.pid"
        # uncomment to specify specific interfaces to bind (default all).
        #ip-address: 45.xx.yy.194
        # port to answer queries on. default is 53.
        port: 5353
        # Number of NSD servers to fork.
        server-count: 1
        # listen only on IPv4 connections
        ip4-only: yes
        # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
        hide-version: yes
        # identify the server (CH TXT ID.SERVER entry).
        identity: "serverteam"
        # The directory for zonefile: files.
        zonesdir: "/etc/nsd"

    key:
        name: "sec_key"
        algorithm: hmac-md5
        secret: "TAXxQRTb0ZL9eWqImm3nWFRBc3yhfrBVLCGxzE/8jYg="

    remote-control:
        # this allows the use of 'nsd-control' to control NSD. The default is "no"
        control-enable: yes
        # the interface NSD listens to for nsd-control. The default is 127.0.0.1
        control-interface: 127.0.0.1
        # the key files that allow the use of 'nsd-control'. The default path is "/etc/nsd/".
        # Create these using the 'nsd-control-setup' utility
        server-key-file: /etc/nsd/nsd_server.key
        server-cert-file: /etc/nsd/nsd_server.pem
        control-key-file: /etc/nsd/nsd_control.key
        control-cert-file: /etc/nsd/nsd_control.pem

    zone:
        name: "example.com"
        zonefile: "db.example"
        notify: 45.xx.yy.195@5353 NOKEY
        provide-xfr: 45.xx.yy.195@5353 NOKEY
        outgoing-interface: 45.xx.yy.194

    zone:
        name: "2.0.192.in-addr.arpa"
        zonefile: "db.192"
        notify: 45.xx.yy.195@5353 NOKEY
        provide-xfr: 45.xx.yy.195@5353 NOKEY
        outgoing-interface: 45.xx.yy.194

The dns2 config is the same except the listening address and the zone part:

    zone:
        name: "example.com"
        zonefile: "db.example"
        allow-notify: 45.xx.yy.194@5353 NOKEY
        request-xfr: 45.xx.yy.194@5353 NOKEY
        outgoing-interface: 45.xx.yy.195

    zone:
        name: "2.0.192.in-addr.arpa"
        zonefile: "db.192"
        allow-notify: 45.xx.yy.194@5353 NOKEY
        request-xfr: 45.xx.yy.194@5353 NOKEY
        outgoing-interface: 45.xx.yy.195

I don't know what I'm missing; any advice would be helpful. Thank you in advance.

Oliver
_______________________________________________
nsd-users mailing list
nsd-users@lists.nlnetlabs.nl
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
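As an added illustration of the "refused, no acl matches" lines in the post above (this is not code from the post or from NSD itself), the following Python models NSD's documented ip-spec matching for allow-notify and provide-xfr: the entry is compared against the peer's source address and, only when the ip-spec carries an @port suffix, against the peer's source port as well, which in the post's tcpdump is an ephemeral port (47272, 36486) rather than 5353. The addresses 192.0.2.194 (dns1) and 192.0.2.195 (dns2) and the ports are constructed stand-ins for the post's values; the range form a.b.c.d-a.b.c.e is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    """One ip-spec from an allow-notify / provide-xfr line (simplified model)."""
    network: "ipaddress.IPv4Network | ipaddress.IPv6Network"
    port: int  # 0 means "any source port", i.e. an ip-spec without @port


def parse_ip_spec(spec: str) -> AclEntry:
    """Parse ADDR, ADDR/PREFIX or ADDR&MASK, each optionally followed by @PORT."""
    port = 0
    if "@" in spec:
        spec, port_text = spec.rsplit("@", 1)
        port = int(port_text)
    if "&" in spec:
        addr, mask = spec.split("&", 1)
        spec = f"{addr}/{mask}"  # ipaddress accepts dotted netmasks here
    return AclEntry(ipaddress.ip_network(spec, strict=False), port)


def acl_matches(entry: AclEntry, src_ip: str, src_port: int) -> bool:
    """The entry must cover the packet's source address; if the ip-spec had
    @port, the packet's *source* port must equal it too."""
    if ipaddress.ip_address(src_ip) not in entry.network:
        return False
    return entry.port == 0 or entry.port == src_port


def first_match(specs: List[str], src_ip: str, src_port: int) -> Optional[str]:
    """Return the first ip-spec that admits the peer, or None ("no acl matches")."""
    for spec in specs:
        if acl_matches(parse_ip_spec(spec), src_ip, src_port):
            return spec
    return None


# Constructed stand-ins: a NOTIFY from dns1 and an AXFR request from dns2,
# both sent from ephemeral source ports as the post's tcpdump shows.
NOTIFY_SRC = ("192.0.2.194", 47272)
AXFR_SRC = ("192.0.2.195", 36486)

if __name__ == "__main__":
    cases = [
        ("dns2 allow-notify, port-pinned", ["192.0.2.194@5353"], NOTIFY_SRC),
        ("dns2 allow-notify, address only", ["192.0.2.194"], NOTIFY_SRC),
        ("dns1 provide-xfr, port-pinned", ["192.0.2.195@5353"], AXFR_SRC),
        ("dns1 provide-xfr, masked subnet", ["192.0.2.0&255.255.255.0"], AXFR_SRC),
    ]
    for label, specs, (ip, port) in cases:
        hit = first_match(specs, ip, port)
        print(f"{label:34s} {ip}:{port} -> {hit or 'refused, no acl matches'}")
```

The @port suffix is still appropriate on the sending side (notify and request-xfr), where it selects the destination port of the peer; on the receiving-side ACLs it restricts the peer's source port.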