ACL match failure on Solaris 9

Hi,

On a Solaris 9 host, the ACL checking system is failing although proper ACLs are in place.

Setting ip4-only: yes seems to resolve the issue.

[1207959794] nsd[9559]: info: got notify for zone: pch.net.; Refused by acl: no acl matches .
[1207959795] nsd[9559]: info: got notify for zone: pch.net.; Refused by acl: no acl matches .

Regards,

Vicky Shrestha

Hi Vicky,

I think Solaris 9 (being a little old) forces ip4toip6 mapping. Can you
try to enable ::ffff:127.0.0.1 style (4to6 mapped) addresses in your config?

On other OSes NSD tries to disable the 4to6 mapping to avoid this.

Best regards,
~ Wouter

Vicky Shrestha wrote:

Thanks Wouter,

Indeed, after prefixing ::ffff: to the ACL, notify is being accepted.

However, if I prefix it on 127.0.0.1, it will fail during nsdc update with:

nsdc: Could not send notify for slave zone .: not configured (with allow-notify: 127.0.0.1 or ::1)

If I have an ACL with allow-notify: ::1 (the Solaris host doesn't have an IPv6 interface):
[1208111418] nsd-notify[13692]: warning: timeout (1 s) expired, retry notify to ::1.

The following combination is working for me
allow-notify: 127.0.0.1 NOKEY
allow-notify: ::ffff:192.168.0.1 NOKEY

Regards,

Vicky Shrestha

update:

The following combination is working for me
# tell nsdc update proper acl is in place
allow-notify: 127.0.0.1 NOKEY
# For matching actual ACL
allow-notify: ::ffff:127.0.0.1 NOKEY
# master server
allow-notify: ::ffff:192.168.0.1 NOKEY

Regards,

Vicky Shrestha
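
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not NSD's code: a strict ACL comparison refuses a peer reported as ::ffff:a.b.c.d when the entry is written as plain IPv4, while unmapping both sides first lets one entry cover both forms. The function names are hypothetical, the addresses are constructed, and it assumes the dual-stack socket hands back IPv4-mapped peer addresses, as suggested above for Solaris 9.

```c
#include <arpa/inet.h>
#include <string.h>
#include <sys/socket.h>

/* Parsed address: family plus raw bytes (4 used for AF_INET, 16 for AF_INET6). */
struct addr { int family; unsigned char bytes[16]; };

/* Parse textual IPv4 or IPv6; returns 1 on success, 0 on failure. */
static int parse_addr(const char *text, struct addr *out)
{
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, text, out->bytes) == 1) { out->family = AF_INET; return 1; }
    if (inet_pton(AF_INET6, text, out->bytes) == 1) { out->family = AF_INET6; return 1; }
    return 0;
}

/* Fold an IPv4-mapped IPv6 address (::ffff:a.b.c.d) down to plain IPv4. */
static void unmap_v4(struct addr *a)
{
    static const unsigned char prefix[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    if (a->family != AF_INET6 || memcmp(a->bytes, prefix, 12) != 0) return;
    memmove(a->bytes, a->bytes + 12, 4);   /* keep the embedded IPv4 bytes */
    memset(a->bytes + 4, 0, 12);
    a->family = AF_INET;
}

static int same_addr(const struct addr *a, const struct addr *b)
{
    return a->family == b->family && memcmp(a->bytes, b->bytes, 16) == 0;
}

/* Strict match: family and bytes must be identical, so an IPv4 entry
 * never matches a mapped peer ("no acl matches"). */
int acl_match_strict(const char *acl_entry, const char *peer)
{
    struct addr a, p;
    if (!parse_addr(acl_entry, &a) || !parse_addr(peer, &p)) return 0;
    return same_addr(&a, &p);
}

/* Normalizing match: unmap both sides, then compare. */
int acl_match_normalized(const char *acl_entry, const char *peer)
{
    struct addr a, p;
    if (!parse_addr(acl_entry, &a) || !parse_addr(peer, &p)) return 0;
    unmap_v4(&a);
    unmap_v4(&p);
    return same_addr(&a, &p);
}
```

Unparseable input on either side is treated as no match, so a malformed entry fails closed.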