[RESOLVED] Why are no notifies send?

2020-10-22 Thread Axel Rau


> On 22.10.2020 at 23:31, Tony Finch wrote:
> 
> 
> Notifies from my primary to my on-site servers go over IPv6 with a TSIG
> key. They are all dual-stack.
After reading this, I did a test with another secondary and the notify worked
over IPv6!

I saw it in the logs of the secondary, but no log entry at the notifying host.
It seems, sending of notifies is being logged at a lower log level than
sending. (I have debug 6). The host in my original posting does not accept
notifies over IPv6 and I can’t access its logs, so I just saw nothing at the
sending side.

Thanks, Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



signature.asc
Description: Message signed with OpenPGP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Why are no notifies send?

2020-10-22 Thread Tony Finch
Axel Rau  wrote:
>
> Has anybody a working IPv6 notify address in use?

Notifies from my primary to my on-site servers go over IPv6 with a TSIG
key. They are all dual-stack.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Sole: Variable 4 at first in east, otherwise westerly or southwesterly 4 to 6,
occasionally 7 later in west. Moderate or rough, occasionally very rough later
in west. Rain or showers. Good, occasionally moderate.


Re: Why are no notifies send?

2020-10-20 Thread Sami Ait Ali Oulahcen via bind-users



On 10/20/20 3:54 PM, Axel Rau wrote:
>> On 20.10.2020 at 16:02, Sami Ait Ali Oulahcen wrote:
>>
>> I don't see the part where the acls are used.
> Yes, acls have nothing to do with the notify, instead they are used in
> an allow-transfer statement.
>
>> Is "also-notify" meant to be "allow-notify" ?
>
> No:
> From bind 9.16 ARM:
>
> also-notify

Yes, sorry just realized after sending. I never used that option before.
It shouldn't be an issue with the stack, we've been using v6 for
notifies for years.

> Only meaningful if notify is active for this zone. The set of machines
> that will receive a DNS NOTIFY message for this zone is made up of all
> the listed name servers (other than the primary master) for the zone
> plus any IP addresses specified with also-notify. A port may be
> specified with each also-notify address to send the notify messages to a
> port other than the default of 53. A TSIG key may also be specified to
> cause the NOTIFY to be signed by the given key. also-notify is not
> meaningful for stub zones. The default is the empty list.
>
> Axel
> ---
> PGP-Key: CDE74120  ☀  computing @ chaos claudius




Re: Why are no notifies send?

2020-10-20 Thread Axel Rau


> On 20.10.2020 at 16:02, Sami Ait Ali Oulahcen wrote:
> 
> I don't see the part where the acls are used.
Yes, acls have nothing to do with the notify, instead they are used in an 
allow-transfer statement.

> Is "also-notify" meant to be "allow-notify" ?
No:
From bind 9.16 ARM:

also-notify
Only meaningful if notify is active for this zone. The set of machines that 
will receive a DNS NOTIFY message for this zone is made up of all the listed 
name servers (other than the primary master) for the zone plus any IP addresses 
specified with also-notify. A port may be specified with each also-notify 
address to send the notify messages to a port other than the default of 53. A 
TSIG key may also be specified to cause the NOTIFY to be signed by the given 
key. also-notify is not meaningful for stub zones. The default is the empty 
list.

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





Re: Why are no notifies send?

2020-10-20 Thread Sami Ait Ali Oulahcen via bind-users
I don't see the part where the acls are used. Is "also-notify" meant to 
be "allow-notify" ?


On 10/20/20 12:55 PM, Axel Rau wrote:
> Using the IPv4 address of the dual stack notify receiver, works.
>
> Has anybody a working IPv6 notify address in use?
>
> Axel
>
>> On 16.10.2020 at 10:59, Axel Rau wrote:
>>
>> Signed PGP part
>> Hi all,
>>
>> related parts from my named.conf:
>> - - -
>> include "/usr/local/etc/namedb/dns-keys/Kns4-he.net.conf";
>>
>>
>> // slave.dns.he.net pulls zones from us, ns1.he.net receives notify from us
>>   server 216.218.133.2 {
>>     keys { ns4-he.net. ; };
>>   };
>>   server 2001:470:600::2 {
>>     keys { ns4-he.net. ; };
>>   };
>>   server 2001:470:100::2 {
>>     keys { ns4-he.net. ; };
>>   };
>>
>>
>> // From slave.dns.he.net pulls zones from us, ns1.he.net receives notify from us
>>   acl not-he {  !216.218.133.2;  !2001:470:600::2;  !2001:470:100::2;  any; };
>>   acl ns4-he { !not-he; key ns4-he.net.; };
>>
>>
>>   also-notify {
>>     2001:470:100::2 key "ns4-he.net" ;
>>     144.91.89.26 key "ns5-ping" ;
>>   };
>> - - -
>> I can’t see any notifies to 2001:470:100::2 in the logs.
>>
>> What am I doing wrong?
>>
>> Axel
>> ---
>> PGP-Key: CDE74120  ☀  computing @ chaos claudius
>
> ---
> PGP-Key: CDE74120  ☀  computing @ chaos claudius




Re: Why are no notifies send?

2020-10-20 Thread Axel Rau
Using the IPv4 address of the dual stack notify receiver, works.

Has anybody a working IPv6 notify address in use?

Axel

> On 16.10.2020 at 10:59, Axel Rau wrote:
> 
> Signed PGP part
> Hi all,
> 
> related parts from my named.conf:
> - - -
> include "/usr/local/etc/namedb/dns-keys/Kns4-he.net.conf";
> 
> 
> // slave.dns.he.net pulls zones from us, ns1.he.net receives notify from us
>   server 216.218.133.2 {
>     keys { ns4-he.net. ; };
>   };
>   server 2001:470:600::2 {
>     keys { ns4-he.net. ; };
>   };
>   server 2001:470:100::2 {
>     keys { ns4-he.net. ; };
>   };
> 
> 
> // From slave.dns.he.net pulls zones from us, ns1.he.net receives notify from us
>   acl not-he {  !216.218.133.2;  !2001:470:600::2;  !2001:470:100::2;  any; };
>   acl ns4-he { !not-he; key ns4-he.net.; };
> 
> 
>   also-notify {
>     2001:470:100::2 key "ns4-he.net" ;
>     144.91.89.26 key "ns5-ping" ;
>   };
> - - -
> I can’t see any notifies to 2001:470:100::2 in the logs.
> 
> What am I doing wrong?
> 
> Axel
> ---
> PGP-Key: CDE74120  ☀  computing @ chaos claudius
> 
> 
> 

---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





Re: Why are no notifies send?

2020-10-18 Thread Tony Finch
Axel Rau  wrote:
>
> I can’t see any notifies to 2001:470:100::2 in the logs.
>
> What am I doing wrong?

Normally BIND only logs "sending notifies" without saying anything about
where it is sending them. You need to increase the log level using `rndc
trace 3` (or more than 3) to get the information you want.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Berwick upon Tweed to Whitby: Variable 3 or less, becoming south 4 or 5,
occasionally 6 later. Moderate. Showers, occasional rain later. Good,
occasionally moderate later.
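
Added example, not part of the original thread and not the posters' or ISC's configuration: a named.conf logging fragment that gives the notify category its own channel with dynamic severity, so the per-destination messages enabled by `rndc trace 3` in the reply above are collected in one file. The channel name notify_trace, the file path and the zone name example.com are assumptions.

```conf
// Added example; channel name, file path and zone name are assumptions.
logging {
    // Dedicated channel for NOTIFY activity. "severity dynamic" makes the
    // channel follow the server's global debug level, so debug messages
    // appear here only after "rndc trace" has raised that level.
    channel notify_trace {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // Messages in the notify category go to this channel instead of the
    // default ones.
    category notify { notify_trace; };
};

// Typical check on the primary after "rndc reconfig":
//   rndc trace 3             raise the global debug level to 3
//   rndc notify example.com  resend NOTIFY messages for the zone
//   rndc notrace             set the debug level back to 0
```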


Why are no notifies send?

2020-10-16 Thread Axel Rau
Hi all,

related parts from my named.conf:
- - -
include "/usr/local/etc/namedb/dns-keys/Kns4-he.net.conf";


// slave.dns.he.net pulls zones from us, ns1.he.net receives notify from us
  server 216.218.133.2 {
    keys { ns4-he.net. ; };
  };
  server 2001:470:600::2 {
    keys { ns4-he.net. ; };
  };
  server 2001:470:100::2 {
    keys { ns4-he.net. ; };
  };


// From slave.dns.he.net pulls zones from us, ns1.he.net receives notify from us
  acl not-he {  !216.218.133.2;  !2001:470:600::2;  !2001:470:100::2;  any; };
  acl ns4-he { !not-he; key ns4-he.net.; };


  also-notify {
    2001:470:100::2 key "ns4-he.net" ;
    144.91.89.26 key "ns5-ping" ;
  };
- - -
I can’t see any notifies to 2001:470:100::2 in the logs.

What am I doing wrong?

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius


