How to config one nsd zone as both master & slave using two interfaces -- one IPv4 & one IPv6?

i've built

  NSD version 3.2.7, r3084

from src on linux.

my test zone is config'd to slave IXFR from an offsite primary @
SERVER_A.

the same zone is also config'd to serve as master to nameserver @
SERVER_B.

in an all IPv4 scenario, where the single zone's one
"outgoing-interface:" specification (in IPv4) serves to BOTH request
IXFR and send NOTIFY, all's well.

i'd like to switch to IXFR from my offsite primary over IPv6 to
SERVER_A, but keep NOTIFY to SERVER_B over the IPv4 address.

But, iiuc, "outgoing-interface:" can't handle two different addresses,
and a single zone can't have two outgoing-interface specs.

how can I split the single zone's master & slave communications across
two IP protocols & interfaces?

do I have to set up 2 zones for this?

thanks!

> i've built
>
>   NSD version 3.2.7, r3084
>
> from src on linux.

So you have NSD running a server, let's call that nsd.example.net

> my test zone is config'd to slave IXFR from an offsite primary @
> SERVER_A.

and it is slaving a zone, let's call that test.example.org, from a server, let's call that nsa.example.net

> the same zone is also config'd to serve as master to nameserver @
> SERVER_B.

and there's another server, let's call that nsb.example.net and it is slaving test.example.org from nsb.example.net

> in an all IPv4 scenario, where the single zone's one
> "outgoing-interface:" specification (in IPv4) serves to BOTH request
> IXFR and send NOTIFY, all's well.

this currently works

nsa --NOTIFY/XFR(v4)--> nsd --NOTIFY/XFR(v4)--> nsb

> i'd like to switch to IXFR from my offsite primary over IPv6 to
> SERVER_A, but keep NOTIFY to SERVER_B over the IPv4 address.
>
> But, iiuc, "outgoing-interface:" can't handle two different addresses,
> and a single zone can't have two outgoing-interface specs.

You probably don't need to use the outgoing-interface directive at all.

> how can I split the single zone's master & slave communications across
> two IP protocols & interfaces?
>
> do I have to set up 2 zones for this?

No.

As I understand it you want this to work:

nsa --NOTIFY/XFR(v4)--> nsd --NOTIFY/XFR(v6)--> nsb

the configuration of those servers could look something like this:

nsa:
    server:
        ip-address: 192.0.2.1

    zone:
        name: test.example.org
        zonefile: test.example.org
        # allow nsd to pull the zone
        notify: 192.0.2.2 NOKEY
        provide-xfr: 192.0.2.2 NOKEY

nsd:
    server:
        ip-address: 192.0.2.2
        ip-address: 2001:DB8::2

    zone:
        name: test.example.org
        zonefile: test.example.org
        # pull the zone from nsa
        allow-notify: 192.0.2.1 NOKEY
        request-xfr: 192.0.2.1 NOKEY
        # allow nsb to pull the zone
        notify: 2001:DB8::3 NOKEY
        provide-xfr: 2001:DB8::3 NOKEY

nsb:
    server:
        ip-address: 2001:DB8::3

    zone:
        name: test.example.org
        zonefile: test.example.org
        # pull the zone from nsd
        allow-notify: 2001:DB8::2 NOKEY
        request-xfr: 2001:DB8::2 NOKEY

dave

hi,

> So you have NSD running a server, let's call that nsd.example.net

1st, thanks for (a) reading/understanding my question, (b) recasting it
in more appropriate, and clearer, lingo, and (c) then undertaking to
answer/solve the problem!

much appreciated!

> > But, iiuc, "outgoing-interface:" can't handle two different addresses,
> > and a single zone can't have two outgoing-interface specs.
>
> You probably don't need to use the outgoing-interface directive at all.

i didn't realize that that was an option ... that said, all's much
clearer.

and, this,

...

nsd:
    server:
        ip-address: 192.0.2.2
        ip-address: 2001:DB8::2

    zone:
        name: test.example.org
        zonefile: test.example.org
        # pull the zone from nsa
        allow-notify: 192.0.2.1 NOKEY
        request-xfr: 192.0.2.1 NOKEY
        # allow nsb to pull the zone
        notify: 2001:DB8::3 NOKEY
        provide-xfr: 2001:DB8::3 NOKEY

...

is exactly what's called for.

of course, now i wonder what purpose "outgoing-interface" serves at all
... unless it defines a/the default interface that can be overridden for
each zone & notify-direction. ? :-/

thanks again!

> much appreciated!

no problem

> of course, now i wonder what purpose "outgoing-interface" serves at all
> ... unless it defines a/the default interface that can be overridden for
> each zone & notify-direction. ? :-/

It's used in the case where a system has multiple interfaces/addresses from which packets might be sourced and you want NSD to use a specific one. This is useful for example when a nameserver allows transfers only to a specific address, you need to ensure that you are in fact requesting the transfer from that specific address.

ie, if your Linux box has an additional address on an interface alias

eth0 Link encap:Ethernet HWaddr 00:11:d8:9b:6b:7c
          inet addr:192.0.2.1 Bcast:192.0.2.255 Mask:255.255.255.0

eth0:1 Link encap:Ethernet HWaddr 00:11:d8:9b:6b:7c
          inet addr:192.0.2.2 Bcast:192.0.2.255 Mask:255.255.255.0

it will default to sourcing packets using 192.0.2.1, but if you really want it to source using 192.0.2.2 you can instruct nsd to override the default behaviour with outgoing-interface: 192.0.2.2

dave
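
An added example, not part of the original thread and not NSD code: a small Python check of the rule dave describes, that the address a transfer request or NOTIFY is sourced from must be the one the peer lists in provide-xfr or allow-notify. The directive lines are transcribed from the example configs above; treating the ip-address entries as the candidate source addresses, and outgoing-interface as pinning the source, is a modelling assumption.

```python
import ipaddress

# Constructed from the thread's example configs: one zone, directive lines only.
SERVERS = {
    "nsa": ["ip-address: 192.0.2.1",
            "notify: 192.0.2.2 NOKEY", "provide-xfr: 192.0.2.2 NOKEY"],
    "nsd": ["ip-address: 192.0.2.2", "ip-address: 2001:DB8::2",
            "allow-notify: 192.0.2.1 NOKEY", "request-xfr: 192.0.2.1 NOKEY",
            "notify: 2001:DB8::3 NOKEY", "provide-xfr: 2001:DB8::3 NOKEY"],
    "nsb": ["ip-address: 2001:DB8::3",
            "allow-notify: 2001:DB8::2 NOKEY", "request-xfr: 2001:DB8::2 NOKEY"],
}
# Each outbound directive and the ACL the receiving server must carry for it.
PAIRS = {"request-xfr": "provide-xfr", "notify": "allow-notify"}

def parse(lines):
    """Group the address of every directive line by directive name."""
    cfg = {}
    for line in lines:
        key, _, value = line.partition(":")
        cfg.setdefault(key.strip(), []).append(ipaddress.ip_address(value.split()[0]))
    return cfg

def sources(cfg, version):
    """Candidate source addresses for one IP version (model assumption:
    outgoing-interface pins the source; otherwise any ip-address may be used)."""
    pinned = [a for a in cfg.get("outgoing-interface", []) if a.version == version]
    return pinned or [a for a in cfg["ip-address"] if a.version == version]

def check(servers):
    """Return (sender, directive, target, verdict) for every outbound flow."""
    cfgs = {name: parse(lines) for name, lines in servers.items()}
    flows = []
    for name, cfg in cfgs.items():
        for directive, acl in PAIRS.items():
            for target in cfg.get(directive, []):
                peer = next((c for c in cfgs.values() if target in c["ip-address"]), {})
                srcs = sources(cfg, target.version)
                allowed = [s for s in srcs if s in peer.get(acl, [])]
                if not allowed:
                    verdict = "denied"      # no usable source passes the peer ACL
                elif len(allowed) < len(srcs):
                    verdict = "ambiguous"   # works only if the right source is picked
                else:
                    verdict = "ok"
                flows.append((name, directive, str(target), verdict))
    return flows

if __name__ == "__main__":
    for flow in check(SERVERS):
        print(*flow)
```

An "ambiguous" verdict is the multi-address case from the reply above: the flow only passes the peer's ACL if the right source address happens to be chosen, which is what outgoing-interface settles.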

well, this in-the-middle 'nsd' box is actually a VPS-hosted VM slice,
with 4 public, static IPs, (eth0, eth0:1, eth0:2, eth0:3), each in a
completely different subnet.

but, nsd is config'd to listen on only one of those IP interfaces
(eth0), with its two "ip-address:"-specs, one IPv4 & one IPv6.

so, iiuc, i'm still "ok" doing it the way you suggested.

thanks again!