Re: nsd Will Not Start At Boot
G'day Ken,

On Tue, 7 Jul 2020 19:28:23 + Ken Hendrickson wrote:
> I have NSD working now, serving up my local DNS names.
> Unbound is still not working.
>
> I have a hunch, but cannot find it in the man pages,
> that somehow they have to talk to each other. Is this true?

Depends on what you want unbound & NSD to do!

To have NSD be a zone's authoritative server on a server's public address,
with unbound being the recursive resolver on the same server's private
address & proxying NSD's zones to the LAN, this sort of configuration could
help get you going:-

# /var/unbound/etc/unbound.conf
server:
    interface: 127.0.0.1
    interface: 192.168.some.thing
    # If you have NSD listening on all 53 ports,
    # unbound can't also listen on all 53 ports!
    # Limit your interfaces.
    do-ip6: no
    access-control: ::0/0 refuse
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.blah.0/24 allow
    # private networks:
    private-address: 10.0.0.0/8
    private-address: 100.64.0.0/10
    private-address: 172.16.0.0/12
    private-address: 192.0.0.0/29
    private-address: 192.168.0.0/16
    private-address: 198.18.0.0/15
    # example source code & documentation:
    private-address: 192.0.2.0/24
    private-address: 198.51.100.0/24
    private-address: 203.0.113.0/24
    # subnet, autoconfiguration between two hosts on a single link:
    private-address: 169.254.0.0/16
    # reserved for multicast assignments:
    private-address: 224.0.0.0/4
    # reserved for future use:
    private-address: 240.0.0.0/4
    private-domain: 'internal'    # or localdomain, or private, or home.ARPA
    do-not-query-localhost: no
    local-zone: 'blah.168.192.in-addr.ARPA' typetransparent

remote-control:
    control-enable: yes
    control-use-cert: no
    control-interface: /var/run/unbound.sock

stub-zone:
    name: 'internal'
    stub-addr: 127.0.0.1@42    # <--- NSD needs to be listening here
    # Port 42 is defunct,
    # so use it for NSD to serve zones on the loopback to unbound.

stub-zone:
    name: 'blah.168.192.in-addr.ARPA'
    stub-addr: 127.0.0.1@42

stub-zone:
    name: 'Britvault.Co.UK'
    stub-addr: 127.0.0.1@42

stub-zone:

Cheers,
Craig.
Re: nsd Will Not Start At Boot
Hi,

I realise binding to 0.0.0.0 is akin to binding to INADDR_ANY, but could you
try binding to each interface address that you want separately? Such as:

    interface: 192.168.1.2
    interface: 127.0.0.1
    interface: ::1
    interface: 2003:XXX::XXX

and then try again. Cross-check that they are bound to these IPs with
fstat -p and netstat.

I'm by no means an nsd expert; in fact I program my own DNS server and thus
don't need to know much about other authoritative DNS servers. Maybe this
will help you.

(I apologize for the formatting of this mail, I deleted this one out of my
mutt).

Regards,
-peter

On 2020-07-07 21:28, ken.hendrick...@l3harris.com wrote:
> --
> server:
>     interface: 0.0.0.0
>     interface: ::0
>     access-control: 192.168.0.0/16 allow
>     access-control: ::1 allow
>     verbosity: 1
> --
Re: nsd Will Not Start At Boot
On 2020-07-07 15:28, ken.hendrick...@l3harris.com wrote:
...
> Unbound is still not working.
>
> I have a hunch, but cannot find it in the man pages,
> that somehow they have to talk to each other. Is this true?

depends on what you want them to do. A DNS resolver and an authoritative DNS
server are two different things. You may want your resolver to talk to your
server for some applications, other times, no. I.e., exactly like two people
in a room. Maybe they NEED to talk, maybe they shouldn't talk to each other.
Getting the job done properly depends on picking the right model. :)

> I tried a very simple unbound.conf file, and it didn't work.
> The very simple config file was from [snip]

The unbound config file that ships with OpenBSD Just Works as a stand-alone
resolver listening on localhost. Start there. THEN make the changes you need.

> Any ideas? Any help? What should I be reading??

Unfortunately, the classic texts on DNS are usually based on ISC BIND, which
horribly munges the roles of authoritative DNS and DNS resolver into one
unified application, so going from there to separated functions is
difficult. I learned the separated model from Dan Bernstein's website, but
in looking it over, unfortunately, it is very much based on his DJBDNS
package, which is brilliant, but unmaintained for the last 15+ years and no
longer compatible with many modern Internet "features" everyone expects
today, and uses its own file formats, which were great, but not a standard
way to communicate DNS info.

http://cr.yp.to/djbdns/separation.html

Still...most of his points are valid, and he's worth a read.

Everyone's favorite error: Your DNS resolver has to bind to an IP address.
Your authoritative DNS server has to bind to an IP address. They both listen
on port 53 (UDP and TCP). You can't connect both your server and your
resolver to the same IP address. Won't work. First gets it, second gets a
port in use error.

But remember -- extra external IP addresses on your server are easily added,
and your machine has a huge number of potential localhost addresses
(127.0.0.0/8) for internal use. Between those and PF, you can pretty well
make any kind of magic I've ever thought of.

Nick.
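To make Nick's "port in use" point and Craig's loopback@42 layout concrete, here is an added Python checker (not from the thread, and not part of NSD or unbound) that reads the interface:/ip-address: lines of both configs and reports listeners that would collide on one socket; the sample configs are constructed for the example.

```python
import ipaddress
import re

# Constructed sample configs for this example (not the thread's own files).
# unbound listens on loopback plus a LAN address; NSD binds the IPv4
# wildcard, so both daemons contend for port 53 on every IPv4 address.
UNBOUND_CONF = """
server:
    interface: 127.0.0.1
    interface: 192.168.1.2     # LAN side
    port: 53
"""
NSD_CONF_BAD = """
server:
    ip-address: 0.0.0.0
"""
# Craig's layout: NSD serves its zones to unbound on the loopback, port 42.
NSD_CONF_OK = """
server:
    ip-address: 127.0.0.1@42
"""
LINE = re.compile(r"^\s*(interface|ip-address|port):\s*(\S+)")

def listeners(conf):
    """[(ip_address, port)] for every interface:/ip-address: line.
    Both daemons accept 'addr@port'; otherwise the server's 'port:' value
    (default 53) applies, even if that line comes later in the file."""
    pairs = [m.groups() for m in map(LINE.match, conf.splitlines()) if m]
    default = next((int(v) for k, v in pairs if k == "port"), 53)
    out = []
    for key, value in pairs:
        if key != "port":
            addr, _, port = value.partition("@")
            out.append((ipaddress.ip_address(addr), int(port or default)))
    return out

def conflicts(a, b):
    """Listener pairs that would fight for one socket: same port and address
    family, and either the same address or one side on the wildcard."""
    return [(str(x), str(y), px) for x, px in a for y, py in b
            if px == py and x.version == y.version
            and (x == y or x.is_unspecified or y.is_unspecified)]

def check(unbound_conf, nsd_conf):
    return conflicts(listeners(unbound_conf), listeners(nsd_conf))

if __name__ == "__main__":
    for u, n, port in check(UNBOUND_CONF, NSD_CONF_BAD):
        print("conflict: unbound %s vs nsd %s on port %d" % (u, n, port))
    print("loopback@42 layout:", check(UNBOUND_CONF, NSD_CONF_OK))
```

Point it at your own files with `check(open(u).read(), open(n).read())`; an empty list means the two daemons can both bind, which is the precondition for the stub-zone setup above to work.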
Re: nsd Will Not Start At Boot
--- Ian Darwin wrote:
> Try doing it by the book, i.e., rcctl start nsd
> If it fails silently, try rcctl -d start nsd

Thanks for that. I haven't upgraded my OpenBSD boxes in some years, so I
didn't know about it.

I have nsd working now, serving up my local DNS names.
Unbound is still not working.

I have a hunch, but cannot find it in the man pages,
that somehow they have to talk to each other. Is this true?

I tried a very simple unbound.conf file, and it didn't work.
The very simple config file was from
https://nlnetlabs.nl/documentation/unbound/howto-setup/

--
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 192.168.0.0/16 allow
    access-control: ::1 allow
    verbosity: 1
--

On startup of nsd with "rcctl -d start nsd", it complains:
error: connect (127.0.0.1@8952): Connection refused
My /var/nsd/etc/nsd.conf file does not have @8952 in it anyplace.

I haven't been able to figure out how to get DNS for other sites on the
Internet.
ping OpenBSD.org
ping: no address associated with name

Any ideas? Any help? What should I be reading??

Thanks,
Ken Hendrickson

CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient and may contain material that is proprietary, confidential, privileged or otherwise legally protected or restricted under applicable government laws. Any review, disclosure, distributing or other use without expressed permission of the sender is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies without reading, printing, or saving.
Re: nsd Will Not Start At Boot
On 2020-07-06, wrote:
> The nsd daemon will not start at boot time.
> It will start and run by hand later.
>
> There is NOTHING in the logs indicating what the failure was.
> In fact, the logs indicate that everything is OK, and nsd did start!
> Jul 5 22:32:32 Soekris2 nsd[51297]: nsd starting (NSD 4.2.4)
> Jul 5 22:32:32 Soekris2 nsd[16350]: zone 10.24.172.in-addr.arpa read with success
> Jul 5 22:32:33 Soekris2 nsd[16350]: zone 20.24.172.in-addr.arpa read with success
> Jul 5 22:32:33 Soekris2 nsd[16350]: zone 2.168.192.in-addr.arpa read with success
> Jul 5 22:32:33 Soekris2 nsd[16350]: zone FakeZone.com read with success
> Jul 5 22:32:33 Soekris2 nsd[16350]: nsd started (NSD 4.2.4), pid 52261

So it exited at some point after startup. Bump up the logging, e.g. try
adding "verbosity: 3" to the server: section of nsd.conf, see if anything
more is logged.
Re: nsd Will Not Start At Boot
On Mon, Jul 06, 2020 at 04:57:20AM +, ken.hendrick...@l3harris.com wrote:
> I have tried putting "rcctl enable nsd" in the /etc/rc.conf.local file.
> That did not help.

I presume you meant "using rcctl enable nsd to update /etc/rc.conf.local",
not actually what you wrote.

> If I try to start nsd the same way the scripts do, I get nsd(failed).
> $ /etc/rc.d/nsd start
> nsd(failed)

Try doing it by the book, i.e., rcctl start nsd
If it fails silently, try rcctl -d start nsd
nsd Will Not Start At Boot
Probably not a bug. But I need help! I've read the fine manual(s). Many
times. I still can't figure it out.

The nsd daemon will not start at boot time.
It will start and run by hand later.

There is NOTHING in the logs indicating what the failure was.
In fact, the logs indicate that everything is OK, and nsd did start!
Jul 5 22:32:32 Soekris2 nsd[51297]: nsd starting (NSD 4.2.4)
Jul 5 22:32:32 Soekris2 nsd[16350]: zone 10.24.172.in-addr.arpa read with success
Jul 5 22:32:33 Soekris2 nsd[16350]: zone 20.24.172.in-addr.arpa read with success
Jul 5 22:32:33 Soekris2 nsd[16350]: zone 2.168.192.in-addr.arpa read with success
Jul 5 22:32:33 Soekris2 nsd[16350]: zone FakeZone.com read with success
Jul 5 22:32:33 Soekris2 nsd[16350]: nsd started (NSD 4.2.4), pid 52261

But when I check with ps, or dig, or nslookup, nsd is obviously not running
and not working.

nsd-checkconf says my nsd.conf file is OK.
nsd-checkzone says all my zone files are OK.

I have tried putting "rcctl enable nsd" in the /etc/rc.conf.local file.
That did not help.

I have used nsd-control-setup to generate keys and self-signed certificates,
and I have turned remote-control on and off. Nothing works.

If I try to start nsd the same way the scripts do, I get nsd(failed).
$ /etc/rc.d/nsd start
nsd(failed)

It will start and run by hand later.
$ nsd -u _nsd -t /var/nsd
[2020-07-05 23:56:47.489] nsd[54059]: notice: nsd starting (NSD 4.2.4)

Now nsd is resolving names properly. But it wasn't running until starting by
hand. It failed when the start-up scripts tried to start it.

unbound starts up OK at boot time. But nsd won't.

Google does not reveal any solution. The manual pages do not give me the
clue I need to get this working.

Any help? Please?

Thanks,
Ken Hendrickson

PS I cannot control anything below this line. I didn't type it, and I can't
remove it.