I'm trying to set up NSD as the main DNS server for my domain and my virtual users' domains. The master (192.168.2.205) is a BIND server on a local network protected from the 'Net -- the NSD zones are all slaves. The server I'm working on is at 192.168.2.202.
I'm seeing what seem to be contradictions in the books I have, on the 'Net, and the man page. I'm told by most of them that "allow-notify" and "request-xfer" should be the same IP: that of the master. But when that's what I set, 'nsdc update' throws an error saying "allow-notify" isn't set to 127.0.0.1, and several 'Net sites agree. When I set that, nobody complains, but as best I can tell, no zones are transferred. Since the majority (including Evi Nemeth and the man page) votes for the IP of the master, I suspect I'm misunderstanding something.
Here's my config (just making changes to the sample so far):
root@server:/etc/nsd3# cat nsd.conf
# 2013-07-05
#
# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
#
# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
#
# See LICENSE for the license.

## options for the nsd server
server:
    # uncomment to specify specific interfaces to bind (default wildcard interface).
    # ip-address: 1.2.3.4
    # ip-address: 1.2.3.4@5678
    # ip-address: 12fe::8ef0

    # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
    # hide-version: no
    hide-version: yes

    # enable debug mode, does not fork daemon process into the background.
    # debug-mode: no

    # listen only on IPv4 connections
    # ip4-only: no
    ip4-only: yes

    # listen only on IPv6 connections
    # ip6-only: no

    # the database to use
    # database: "/var/lib/nsd3/nsd.db"
    database: "/var/cache/dns/nsd.db"

    # identify the server (CH TXT ID.SERVER entry).
    # identity: "unidentified server"
    identity: ""

    # NSID identity (hex string). default disabled.
    # nsid: "aabbccdd"

    # log messages to file. Default to stderr and syslog (with facility LOG_DAEMON).
    # logfile: "/var/log/nsd.log"

    # Number of NSD servers to fork.
    # server-count: 1
    server-count: 4

    # Maximum number of concurrent TCP connections per server.
    # This option should have a value below 1000.
    # tcp-count: 10

    # Maximum number of queries served on a single TCP connection.
    # By default 0, which means no maximum.
    # tcp-query-count: 0
    tcp-query-count: 5

    # Override the default (120 seconds) TCP timeout.
    # tcp-timeout: 120

    # Preferred EDNS buffer size for IPv4.
    # ipv4-edns-size: 4096
    ipv4-edns-size: 256

    # Preferred EDNS buffer size for IPv6.
    # ipv6-edns-size: 4096

    # File to store pid for nsd in.
    # pidfile: "/var/run/nsd3/nsd.pid"
    pidfile: "/var/run/nsd3/nsd.pid"

    # port to answer queries on. default is 53.
    # port: 53

    # statistics are produced every number of seconds.
    # statistics: 3600

    # if per zone statistics is enabled, file to store statistics.
    # zone-stats-file: "/var/log/nsd.stats"

    # Run NSD in a chroot-jail.
    # make sure to have pidfile and database reachable from there.
    # by default, no chroot-jail is used.
    # chroot: "/etc/nsd3"

    # After binding socket, drop user privileges.
    # can be a username, id or id.gid.
    # username: nsd
    username: nsd

    # The directory for zonefile: files.
    # zonesdir: "/etc/nsd3"
    zonesdir: "/var/cache/dns/slaves"

    # The file where incoming zone transfers are stored.
    # run nsd-patch to update zone files, then you can safely delete it.
    # difffile: "/var/lib/nsd3/ixfr.db"
    difffile: "/var/cache/dns/ixfr.db"

    # The file where secondary zone refresh and expire timeouts are kept.
    # If you delete this file, all secondary zones are forced to be
    # 'refreshing' (as if nsd got a notify).
    # xfrdfile: "/var/lib/nsd3/xfrd.state"
    xfrdfile: "/var/cache/dns/xfrd.state"

    # Number of seconds between reloads triggered by xfrd.
    # xfrd-reload-timeout: 10

    # Verbosity level.
    # verbosity: 0

    # RRLconfig
    # Response Rate Limiting, size of the hashtable. Default 1000000.
    # rrl-size: 1000000

    # Response Rate Limiting, maximum QPS allowed (from one query source).
    # Default 200. If set to 0, ratelimiting is disabled. Also set
    # rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
    # rrl-ratelimit: 200

    # Response Rate Limiting, maximum QPS allowed (from one query source)
    # for whitelisted types. Default 2000.
    # rrl-whitelist-ratelimit: 2000
    # RRLend

# key for local zones
key:
    name: mskey
    algorithm: hmac-md5
    secret: "K2tf3TRjvQkVCmJF3/Z9vA=="

# Slave zones
zone:
    name: "aerco.net"
    zonefile: "db.aerco.net"
    include: "/etc/nsd3/zoneInclude.txt"
and the include file of everything that's the same in all the zones:
root@server:/etc/nsd3# cat zoneInclude.txt
# By default, a slave will request a zone transfer with IXFR/TCP.
# If you want to make use of IXFR/UDP use
allow-notify: 127.0.0.1 NOKEY
request-xfr: 192.168.2.205 NOKEY

# Allow AXFR fallback if the master does not support IXFR. Default
# is yes.
allow-axfr-fallback: "yes"

# set local interface for sending zone transfer requests.
outgoing-interface: 192.168.2.202
Just one of the zones is here -- all the others are identical except for the names. The zone files are BIND syntax, and the server is serving DNS quite nicely when I transfer by hand (or rsync), rebuild the database, and reload.
Can someone tell me what I'm doing wrong, and why it's wrong? Is there a book yet explaining how NSD works and what the various config options mean?
BTW, 'nsdc restart' just stops NSD. So does Debian's /etc/init.d/nsd startup file. I've looked at the code, and they aren't the same. A 'nsdc stop' followed by 'nsdc start' does the job.
And there is no log file.
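Editor's note, added here and not part of the question: nsd.conf(5) describes allow-notify as an access-control list that may be given more than once per zone, and nsdc(8) describes 'nsdc update' as sending a NOTIFY from localhost to each slave zone, which is why it insists on 127.0.0.1. The two pieces of advice are therefore not in conflict: the master's address is what lets the master's real NOTIFYs in, and 127.0.0.1 is what lets the local 'nsdc update' in, while request-xfr names the master in either case. The fragment below shows the include file as posted beside a version that lists both (constructed example, not the poster's file; the addresses are the ones in the question):

```text
# as posted: only the NOTIFY from 'nsdc update' on localhost is accepted; a
# NOTIFY from the master (192.168.2.205) is discarded, so the slave only
# re-checks the zone when its SOA refresh timer fires
allow-notify: 127.0.0.1 NOKEY
request-xfr: 192.168.2.205 NOKEY

# both addresses listed (allow-notify may be repeated per zone): NOTIFYs from the
# master and from 'nsdc update' are both accepted; transfers still come from the master
allow-notify: 192.168.2.205 NOKEY
allow-notify: 127.0.0.1 NOKEY
request-xfr: 192.168.2.205 NOKEY
allow-axfr-fallback: "yes"
outgoing-interface: 192.168.2.202
```

Two checks worth making alongside this. The BIND master must permit transfers to 192.168.2.202 (its allow-transfer for the zone), otherwise request-xfr is answered with REFUSED regardless of the slave's settings. And the posted nsd.conf defines a TSIG key (mskey) but both lines use NOKEY; if the master is configured with the same key, naming it in place of NOKEY (request-xfr: 192.168.2.205 mskey) authenticates the transfer rather than trusting the source address alone.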
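The question's uncertainty is "as best I can tell, no zones are transferred". The direct way to tell is to ask both servers for the zone's SOA and compare serials: a slave that has transferred the zone answers authoritatively with the master's serial, while one with nothing loaded returns an error code or a stale serial. The following script does that with hand-built DNS packets so it has no dependencies. It is an added example written for this page, not code from the question or from NSD; the master and slave addresses and the zone name are the ones given above, the sample response used for testing is constructed inline, and serial comparison follows RFC 1982 so a wrapped serial is still ordered correctly.

```python
import os
import socket
import struct

SOA = 6   # RR type
IN = 1    # RR class


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_soa_query(name, txid=None):
    """Return (packet, txid) for an SOA/IN query; RD is left clear because an
    authoritative server should answer from its own zone data."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SOA, IN), txid


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # a compression pointer ends the name
            return off + 2
        off += 1 + length


def soa_serial(msg, txid):
    """Extract the serial from the first SOA record in the answer section.
    Raises ValueError for a mismatched id, an error rcode, or a non-authoritative
    answer (a slave with no loaded zone typically returns SERVFAIL or REFUSED)."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("server returned rcode %d" % rcode)
    if not flags & 0x0400:
        raise ValueError("answer is not authoritative")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA:
            p = skip_name(msg, off)            # MNAME
            p = skip_name(msg, p)              # RNAME
            return struct.unpack("!I", msg[p:p + 4])[0]
        off += rdlen
    raise ValueError("no SOA record in answer section")


def serial_compare(a, b):
    """RFC 1982 serial arithmetic: -1 if a is older than b, 0 if equal, 1 if newer."""
    if a == b:
        return 0
    return -1 if 0 < (b - a) % (1 << 32) < (1 << 31) else 1


def query_serial(server, name, timeout=3.0):
    """Send one SOA query over UDP and return the serial the server reports."""
    packet, txid = build_soa_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)
    return soa_serial(data, txid)


def check_zones(master, slave, zones):
    """Return {zone: status} saying whether the slave has caught up with the master."""
    report = {}
    for zone in zones:
        try:
            m, s = query_serial(master, zone), query_serial(slave, zone)
        except (OSError, ValueError) as exc:
            report[zone] = "error: %s" % exc
            continue
        c = serial_compare(s, m)
        report[zone] = ("in sync (serial %d)" % m if c == 0 else
                        "slave behind (%d < %d)" % (s, m) if c < 0 else
                        "slave ahead (%d > %d)" % (s, m))
    return report


def build_sample_soa_response(txid, name, serial):
    """Constructed test data (not captured from a real server): an authoritative
    SOA reply using name compression, the shape a BIND master or NSD slave sends."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # QR|AA, 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", SOA, IN)
    ptr = b"\xc0\x0c"                                            # pointer to the question name
    rdata = (b"\x03ns1" + ptr + b"\x0ahostmaster" + ptr
             + struct.pack("!IIIII", serial, 3600, 900, 604800, 86400))
    answer = ptr + struct.pack("!HHIH", SOA, IN, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    # addresses from the question: BIND master and the NSD slave being set up
    for zone, status in check_zones("192.168.2.205", "192.168.2.202", ["aerco.net"]).items():
        print(zone, status)
```

Run it on the slave after 'nsdc update' (or after the SOA refresh interval has passed): "slave behind" or an error from the slave side means the transfer is not happening, at which point the master's transfer ACL and the slave's allow-notify/request-xfr lines are the places to look; "in sync" means the transfer path works and only the NOTIFY trigger remains to be sorted out.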