On 12/28/2016 02:27 AM, Berry A.W. van Halderen wrote:
> So the NOTIFY gets as source address 127.0.0.1 while it is being sent to 10.2.2.53. That is an "invalid argument" to the operating system. If you reverse the two interfaces probably things start working.
Unfortunately, though behavior IS apparently sensitive to that order, they just fail *differently*.
> You might wonder why we bind to an interface at all
No, not at all. I however do wonder why a bind "per target (or action)" is not implemented, perhaps using multiple-sockets ....
> Also it is often the case that explicit security is used to require NOTIFies to be sent using an explicit source address. So it is better to bind in these cases.
If explicit security is in fact a consideration, as I'd hope it would be, then making any 'guesses' is not a reliable approach.
Postfix, as an example of an app that provides such explicit security, does an excellent job of allowing bind-address specified per action/daemon ...
> I'm afraid it is just one of those things that can go wrong in an extended set-up.
I wouldn't have considered a commonplace primary + secondary setup to be an 'extended' setup ...
In any case, is this extended setup something you intended to cleanly implement/support?
Simply need to know one way or the other. If so, great. If not, then I need to use a different approach to DNSSEC automation here.
