B.t.w. I've created a PR for it that resolves it (see https://github.com/NLnetLabs/nsd/pull/346 ), but we may need to discuss if and how to resolve it first. First I'd like to know if your configuration is similar in that the CNAME or DNAME target does contain an allow-query list.

On 03-07-2024 at 10:52, Willem Toorop via nsd-users wrote:

Hi Jamie,

I can reproduce, but only if the target zone of the DNAME (or CNAME which behaves the same) matches a zone with an allow-query option that doesn't match the querier.

For example with the following config in nsd.conf:

zone:
    name: "."
    allow-query: 0::/128 NOKEY

zone:
    name: "example"
    zonefile: "example"

and an example zone that contains `nsdtest.example. CNAME hello.example.com.`, then indeed a query for `nsdtest.example.` gives the correct CNAME answer, but an "info: query nsdtest.example. from 127.0.0.1 refused, no acl matches" message is logged. NSD logs the error when it tries to add more records while following the CNAME, but the CNAME target domain it checks has an ACL forbidding this for the querier.

Do you have a similar situation?

Should an error be logged when CNAME targets match a zone with an allow-query list that doesn't match?

-- Willem

On 03-07-2024 at 04:12, Jamie Landeg-Jones via nsd-users wrote:
I just noticed this with NSD 4.10.0 (and earlier versions - it's not a
new regression)

I have nsd set to log refused requests to syslog.

After adding a DNAME type into my DNS for one sub-zone that is being moved, I noticed that legitimate requests for hosts under that subdomain are working
as expected, however they are being logged as refused.

As a quick replicable test, I just did this to demonstrate the issue.

Firstly, I added this to my dyslexicfish.net domain:

nsdtest IN DNAME hello.example.com.

Then, update serial, reload, watch it propagate to secondaries etc., then
from a machine with no specific ACLs (i.e. not from one of the primaries
or secondaries):

  | # dig sjsjqju2qu.nsdtest.dyslexicfish.net.
  |
  | ; <<>> DiG 9.18.27 <<>> sjsjqju2qu.nsdtest.dyslexicfish.net.
  | ;; global options: +cmd
  | ;; Got answer:
  | ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53148
  | ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
  |
  | ;; OPT PSEUDOSECTION:
  | ; EDNS: version: 0, flags:; udp: 1232
  | ; COOKIE: eef66b9e45770f3e010000006684ada8ca27d2ccb2d7c25f (good)
  | ;; QUESTION SECTION:
  | ;sjsjqju2qu.nsdtest.dyslexicfish.net. IN        A
  |
  | ;; ANSWER SECTION:
  | nsdtest.dyslexicfish.net. 86363 IN      DNAME hello.example.com.
  | sjsjqju2qu.nsdtest.dyslexicfish.net. 86363 IN CNAME sjsjqju2qu.hello.example.com.
  |
  | ;; AUTHORITY SECTION:
  | example.com.            3600    IN      SOA ns.icann.org. noc.dns.icann.org. 2024041842 7200 3600 1209600 3600
  |
  | ;; Query time: 30 msec
  | ;; SERVER: 205.166.94.24#53(205.166.94.24) (UDP)
  | ;; WHEN: Wed Jul 03 01:47:17 UTC 2024
  | ;; MSG SIZE  rcvd: 213

This produces this via syslog on the nsd servers:

  | Jul  3 02:46:43 <daemon.info> catnip nsd[3620]: query sjsjqju2qu.nsdtest.dyslexicfish.net. from 205.166.94.24 refused, no acl matches .

As can be seen from "dig", the result is valid, and everything works as
suspected, I'm just getting rather a lot of those "refused" messages, as
the domain gets a lot of traffic!

I know I can disable the logging of such messages, but I do want to log
them when they are legitimate!

(Obviously I first noticed this on a valid DNAME target zone of mine;
I just used 'hello.example.com' in the above demonstration to show that
it's nothing weird going on with my setup - delegating to any domain that
the nsd server itself doesn't serve causes the issue.)

Any ideas? And apologies for any late-night incoherencies in this message!

Cheers, Jamie
_______________________________________________
nsd-users mailing list
nsd-users@lists.nlnetlabs.nl
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users



