Confusing error with code REFUSED

Hello,

I have run into strange behaviour on two of my DNS servers running NSD.

Recently I switched these two hosts to IPv6 only, but I saw the same errors
earlier, when the hosts still had IPv4 addresses and the DNS servers (apparently) worked fine.

Host A is the master DNS server and serves two domains.
Host B is a reserve (secondary) DNS server and gets updates from Host A.

Host A configuration:
--------------------------------- 8< ------------------------------------
server:
  server-count: 1
  ip-address: 2a0a:2b40::4:14f
  ip-address: 2a0a:2b40::4:3a2f
  ip-transparent: yes
  identity: "BKOTY domain master DNS"
  zonesdir: "/etc/nsd"

pattern:
  name: "secondary"
  notify: 2a01:4f8:c2c:c813::14f NOKEY
  provide-xfr: 2a01:4f8:c2c:c813::14f NOKEY
  notify: 2a01:4f8:c2c:c813::3a2f NOKEY
  provide-xfr: 2a01:4f8:c2c:c813::3a2f NOKEY
  outgoing-interface: 2a0a:2b40::4:14f
  outgoing-interface: 2a0a:2b40::4:3a2f

zone:
  name: "bkoty.ru"
  zonefile: "bkoty.ru.forward.signed"
  include-pattern: "secondary"

zone:
  name: "bkoty.work"
  zonefile: "bkoty.work.forward.signed"
  include-pattern: "secondary"

remote-control:
  control-enable: yes
--------------------------------- 8< ------------------------------------

Host B configuration:
--------------------------------- 8< ------------------------------------
server:
  server-count: 1
  ip-address: 2a01:4f8:c2c:c813::14f
  ip-address: 2a01:4f8:c2c:c813::3a2f
  ip-transparent: yes
  identity: "BKOTY domain secondary/reserve DNS"
  zonesdir: "/etc/nsd"

pattern:
  name: "primary"
  allow-notify: 2a0a:2b40::4:14f NOKEY
  request-xfr: AXFR 2a0a:2b40::4:14f NOKEY
  allow-notify: 2a0a:2b40::4:3a2f NOKEY
  request-xfr: AXFR 2a0a:2b40::4:3a2f NOKEY

zone:
  name: "bkoty.ru"
  zonefile: "bkoty.ru.forward.signed"
  include-pattern: "primary"

zone:
  name: "bkoty.work"
  zonefile: "bkoty.work.forward.signed"
  include-pattern: "primary"

remote-control:
  control-enable: yes
--------------------------------- 8< ------------------------------------

Both servers are managed by systemd.

Host A output (systemctl status ...):
--------------------------------- 8< ------------------------------------
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: listen on ip-address 2a0a:2b40::4:14f@53 (udp) with server(s): *
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: [2020-08-30 06:42:19.886] nsd[23969]: notice: listen on ip-address 2a0a:2b40::4:14f@53 (udp) with server(s): *
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: listen on ip-address 2a0a:2b40::4:14f@53 (tcp) with server(s): *
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: [2020-08-30 06:42:19.887] nsd[23969]: notice: listen on ip-address 2a0a:2b40::4:14f@53 (tcp) with server(s): *
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: listen on ip-address 2a0a:2b40::4:3a2f@53 (udp) with server(s): *
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: [2020-08-30 06:42:19.888] nsd[23969]: notice: listen on ip-address 2a0a:2b40::4:3a2f@53 (udp) with server(s): *
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: listen on ip-address 2a0a:2b40::4:3a2f@53 (tcp) with server(s): *
Aug 30 06:42:19 node1.bkoty.ru nsd[23969]: [2020-08-30 06:42:19.889] nsd[23969]: notice: listen on ip-address 2a0a:2b40::4:3a2f@53 (tcp) with server(s): *
Aug 30 06:42:20 node1.bkoty.ru nsd[23970]: nsd started (NSD 4.3.0), pid 23969
Aug 30 06:42:20 node1.bkoty.ru nsd[23970]: [2020-08-30 06:42:20.214] nsd[23970]: notice: nsd started (NSD 4.3.0), pid 23969
--------------------------------- 8< ------------------------------------

Host B output:
--------------------------------- 8< ------------------------------------
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.303] nsd[17455]: error: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.work received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.362] nsd[17455]: error: xfrd: zone bkoty.work received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.364] nsd[17455]: error: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.work received error code REFUSED from 2a0a:2b40::4:3a2f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.423] nsd[17455]: error: xfrd: zone bkoty.work received error code REFUSED from 2a0a:2b40::4:3a2f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:3a2f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.425] nsd[17455]: error: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:3a2f
--------------------------------- 8< ------------------------------------

According to journald on Host B, I see that the TCP connection is reset by the peer, but I don't
understand the reason:
--------------------------------- 8< ------------------------------------
Aug 30 05:35:22 node2.bkoty.ru nsd[17456]: [2020-08-30 05:35:22.489] nsd[17456]: notice: nsd started (NSD 4.3.0), pid 17455
Aug 30 05:40:24 node2.bkoty.ru nsd[17457]: failed reading from 2a0a:2b40::4:3a2f tcp: Connection reset by peer
Aug 30 05:40:24 node2.bkoty.ru nsd[17457]: [2020-08-30 05:40:24.626] nsd[17457]: error: failed reading from 2a0a:2b40::4:3a2f tcp: Connection reset by peer
Aug 30 05:40:35 node2.bkoty.ru nsd[17457]: failed reading from 2a0a:2b40::4:3a2f tcp: Connection reset by peer
Aug 30 05:40:35 node2.bkoty.ru nsd[17457]: [2020-08-30 05:40:35.555] nsd[17457]: error: failed reading from 2a0a:2b40::4:3a2f tcp: Connection reset by peer
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: notify for bkoty.work. from 2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: [2020-08-30 05:42:20.238] nsd[17457]: info: notify for bkoty.work. from 2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: [2020-08-30 05:42:20.238] nsd[17457]: info: notify for bkoty.ru. from 2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: [2020-08-30 05:42:20.238] nsd[17457]: info: notify for bkoty.ru. from 2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: [2020-08-30 05:42:20.239] nsd[17457]: info: notify for bkoty.work. from 2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: notify for bkoty.ru. from 2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: notify for bkoty.ru. from 2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17457]: notify for bkoty.work. from 2a0a:2b40::4:14f serial 2020082831
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.work received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.300] nsd[17455]: error: xfrd: zone bkoty.work received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.303] nsd[17455]: error: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.work received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.362] nsd[17455]: error: xfrd: zone bkoty.work received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.364] nsd[17455]: error: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:14f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.work received error code REFUSED from 2a0a:2b40::4:3a2f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.423] nsd[17455]: error: xfrd: zone bkoty.work received error code REFUSED from 2a0a:2b40::4:3a2f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:3a2f
Aug 30 05:42:20 node2.bkoty.ru nsd[17455]: [2020-08-30 05:42:20.425] nsd[17455]: error: xfrd: zone bkoty.ru received error code REFUSED from 2a0a:2b40::4:3a2f
--------------------------------- 8< ------------------------------------

Hi,

I've no clear idea about the implications of "managed by systemd", but I know
systemd can listen for inbound connections on a specified IP+port. Inbound traffic
is then magically relayed to an application. I guess systemd must be configured
for this task somehow. Maybe incoming notify connections are affected.

I reviewed your configuration and to me it does not look obviously wrong.

Two points:
- As you configured multiple IPv6 addresses and also enabled "ip-transparent",
   the IP addresses on each host would be worth a look.
- I have never used two "outgoing-interface" statements. You could try reconfiguring
   with only one "outgoing-interface" and see if that solves your issue.

Andreas

Hello,
** A. Schulze via nsd-users <nsd-users@lists.nlnetlabs.nl> [2020-08-30 10:42:29 +0200]:

> > Both servers are managed by systemd.
> 
> Hi,
> 
> I've no clear idea about the implications of "managed by systemd", but I
> know systemd can listen for inbound connections on a specified IP+port.
> Inbound traffic is then magically relayed to an application. I guess
> systemd must be configured for this task somehow. Maybe incoming notify
> connections are affected.

Sorry, bad wording. I meant that NSD is started, stopped and reloaded by
systemd. The nsd.service does nothing special beyond that.

> I reviewed your configuration and to me it does not look obviously wrong.
> 
> Two points:
> - As you configured multiple IPv6 addresses and also enabled "ip-transparent",
>    the IP addresses on each host would be worth a look.
> - I have never used two "outgoing-interface" statements. You could try
> reconfiguring with only one "outgoing-interface" and see if that solves your issue.

Ah, that was helpful. I rechecked the IPs on both hosts and the NSD configuration;
they are correct. Then I turned off 'outgoing-interface' on host A and added
'verbosity' to both servers to figure out what was going wrong. On host B
there were no changes, but on host A I saw that it drops connections from host
B due to a non-matching (ACL) IP address. That was it: both hosts have several
IPv6 addresses, and NSD is configured to listen only on specific addresses, but I forgot
that this doesn't mean NSD will use the same addresses for notifications. I
reread nsd.conf(5) and added 'outgoing-interface' on both servers. Now
everything works fine.

Andreas, thank you.
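The root cause in the thread is worth having as a check you can run before a secondary ever logs REFUSED: the `provide-xfr` and `allow-notify` entries are NOKEY ACLs, so the only thing authorising a NOTIFY or a transfer request is the source address of the packet, and that source address is whatever the kernel picks unless `outgoing-interface` pins it. The script below is an added example, not code from the thread or from NSD. It parses the ACL-relevant keys out of nsd.conf-style pattern fragments (reduced from the two configurations above), models NSD's rule from nsd.conf(5) that `outgoing-interface` is the send address and that an ACL miss is answered REFUSED, and predicts both directions (NOTIFY primary to secondary, transfer request secondary to primary). The "kernel default" address `2a01:4f8:c2c:c813::2` for host B is an assumption made for the example, standing in for any address the host carries that NSD does not listen on; the parser understands plain addresses and CIDR prefixes only, not NSD's other ACL forms or TSIG keys.

```python
"""Predict NSD "REFUSED" answers caused by a source-address / ACL mismatch.

Added example, not code from the thread or from NSD. Per nsd.conf(5) the
provide-xfr and allow-notify ACLs match the SOURCE address of a request, and
outgoing-interface is the address NSD sends from; without it the kernel picks
a source, which on a multi-homed host need not be one NSD listens on. ACLs here
are addresses or CIDR prefixes; the "kernel default" address is an assumption.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ACL_KEYS = ("provide-xfr", "allow-notify")  # checked on the receiving side
SEND_KEYS = ("notify", "request-xfr")       # peers this host sends to
LINE_RE = re.compile(r"^\s*([a-z-]+):\s*(.+?)\s*$")

@dataclass
class Host:
    name: str
    acl: dict[str, list[str]] = field(default_factory=lambda: {k: [] for k in ACL_KEYS})
    peers: dict[str, list[str]] = field(default_factory=lambda: {k: [] for k in SEND_KEYS})
    outgoing: list[str] = field(default_factory=list)  # outgoing-interface entries
    kernel_default: str | None = None  # assumed source if no outgoing-interface

def _addr_token(value: str) -> str | None:
    """First token that parses as an address/prefix (skips AXFR, NOKEY, key names)."""
    for tok in value.split():
        try:
            ip_network(tok, strict=False)
            return tok
        except ValueError:
            pass
    return None

def parse_nsd_conf(name: str, text: str, kernel_default: str | None = None) -> Host:
    """Pull the ACL-relevant keys out of an nsd.conf fragment."""
    host = Host(name, kernel_default=kernel_default)
    for line in text.splitlines():
        m = LINE_RE.match(line.split("#", 1)[0])
        if not m:
            continue
        key, value = m.groups()
        if key == "outgoing-interface":
            host.outgoing.append(value)
        elif key in ACL_KEYS or key in SEND_KEYS:
            tok = _addr_token(value)
            if tok:
                (host.acl if key in ACL_KEYS else host.peers)[key].append(tok)
    return host

def source_address(host: Host, dest: str) -> str | None:
    """First outgoing-interface in dest's address family, else the assumed kernel pick."""
    version = ip_address(dest).version
    for cand in host.outgoing:
        if ip_address(cand).version == version:
            return cand
    return host.kernel_default

def acl_allows(entries: list[str], src: str) -> bool:
    """IP-only (NOKEY) ACL: does any entry cover the source address?"""
    return any(ip_address(src) in ip_network(e, strict=False) for e in entries)

def check_pair(primary: Host, secondary: Host) -> dict[str, tuple[str | None, bool]]:
    """NOTIFY primary->secondary is checked against the secondary's allow-notify,
    the transfer request secondary->primary against the primary's provide-xfr."""
    out: dict[str, tuple[str | None, bool]] = {}  # direction -> (source used, accepted)
    for sender, receiver, send_key, acl_key in (
            (primary, secondary, "notify", "allow-notify"),
            (secondary, primary, "request-xfr", "provide-xfr")):
        for dest in sender.peers[send_key]:
            src = source_address(sender, dest)
            ok = src is not None and acl_allows(receiver.acl[acl_key], src)
            out[f"{send_key} {sender.name}->{dest}"] = (src, ok)
    return out

# Pattern sections reduced from the two configurations in the thread.
HOST_A_CONF = """
pattern:
  notify: 2a01:4f8:c2c:c813::14f NOKEY
  provide-xfr: 2a01:4f8:c2c:c813::14f NOKEY
  outgoing-interface: 2a0a:2b40::4:14f
"""
HOST_B_CONF = """
pattern:
  allow-notify: 2a0a:2b40::4:14f NOKEY
  request-xfr: AXFR 2a0a:2b40::4:14f NOKEY
"""
# Assumption: host B also carries 2a01:4f8:c2c:c813::2, which the kernel prefers
# as source address and which NSD does not listen on.
B_KERNEL_DEFAULT = "2a01:4f8:c2c:c813::2"
B_FIX = "  outgoing-interface: 2a01:4f8:c2c:c813::14f\n"

def diagnose(b_extra_lines: str = "") -> dict[str, tuple[str | None, bool]]:
    """Check host A vs host B, optionally appending lines (e.g. B_FIX) to B's pattern."""
    a = parse_nsd_conf("A", HOST_A_CONF)
    b = parse_nsd_conf("B", HOST_B_CONF + b_extra_lines, kernel_default=B_KERNEL_DEFAULT)
    return check_pair(a, b)

if __name__ == "__main__":
    print("before fix:", diagnose(), "\nafter fix:", diagnose(B_FIX))
```

Run as-is, the "before fix" result reproduces the thread's symptom: host A's NOTIFY arrives from its pinned `outgoing-interface` and passes host B's `allow-notify`, while host B's transfer request leaves from the kernel-chosen address and misses host A's `provide-xfr`, which is exactly a REFUSED. Appending `B_FIX` (the `outgoing-interface` line the thread ends up adding on both servers) makes both directions pass. On a real host you can replace the assumed kernel default with the truth from `ip -6 route get <peer-address>`, which prints the `src` the kernel would use, and confirm the ACL decision from the primary with `dig -b <source-address> @<primary> <zone> AXFR`. The caveat this also makes visible: with NOKEY ACLs the source address is the whole authorisation for a zone transfer, so pinning it is a correctness fix, not a security one; a TSIG key on `provide-xfr`/`request-xfr` is what actually authenticates the peer.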