Notify | transfer refused

Hello there,

Apologies for my last message. I’m having some errors with my config: my ns1 and ns2 are not transferring between each other. I’m receiving “received notify response error REFUSED” when I attempt zone transfers (using nsd-control notify and nsd-control force_update, respectively).

My setup: I’m using OpenBSD 6.7. Unbound is resolving on port 53; if an authoritative request is received, Unbound passes it to nsd on localhost over port 5335. This setup works well, except for the problem with ns1 and ns2.

I saw another thread that recommended using the outgoing-interface: attribute. I tried using it without success, specifying specific ports and using defaults, on IPv4 and IPv6. I have also tried with my key and NOKEY; the same errors are logged. I can provide my unbound.conf and forward & reverse zone files if needed.

#ns1 nsd.conf

server:
    port: 5335
    ip-address: 10.x.y.211
    ip-address: fd00:abc::d3
    ip-address: 127.0.0.1
    ip-address: ::1

    server-count: 1
    do-ip4: yes
    do-ip6: yes

    hide-version: yes
    identity: "ns1.whatever.xyz"
    zonesdir: "/var/nsd/etc"

    logfile: nsd.log
    verbosity: 2

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file: nsd_server.key
    server-cert-file: nsd_server.pem
    control-key-file: nsd_control.key
    control-cert-file: nsd_control.pem

key:
    name: "sec_key"
    algorithm: hmac-md5
    secret: "redacted"

zone:
    name: "whatever.xyz"
    zonefile: "whatever.xyz.forward"
    notify: 10.x.y.212 sec_key
    provide-xfr: 10.x.y.212 sec_key
    notify: fd00:abc::d4 sec_key
    provide-xfr: fd00:abc::d4 sec_key

zone:
    name: "x.10.in-addr.arpa"
    zonefile: "whatever.xyz.reverse"
    notify: 10.x.y.212 sec_key
    provide-xfr: 10.x.y.212 sec_key
    notify: fd00:abc::d4 sec_key
    provide-xfr: fd00:abc::d4 sec_key

#ns2 nsd.conf

server:
    port: 5335
    ip-address: 10.x.y.212
    ip-address: fd00:abc::d4
    ip-address: 127.0.0.1
    ip-address: ::1

    server-count: 1
    do-ip4: yes
    do-ip6: yes

    hide-version: yes
    identity: "ns2.whatever.xyz"
    zonesdir: "/var/nsd/etc"

    logfile: nsd.log
    verbosity: 2

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file: nsd_server.key
    server-cert-file: nsd_server.pem
    control-key-file: nsd_control.key
    control-cert-file: nsd_control.pem

key:
    name: "sec_key"
    algorithm: hmac-md5
    secret: "redacted"

zone:
    name: "whatever.xyz"
    zonefile: "whatever.xyz.forward"
    allow-notify: 10.x.y.211 sec_key
    provide-xfr: 10.x.y.211 sec_key
    allow-notify: fd00:abc::d3 sec_key
    provide-xfr: fd00:abc::d3 sec_key

zone:
    name: "x.10.in-addr.arpa"
    zonefile: "whatever.xyz.reverse"
    allow-notify: 10.x.y.211 sec_key
    request-xfr: 10.x.y.211 sec_key
    allow-notify: fd00:abc::d3 sec_key
    request-xfr: fd00:abc::d3 sec_key

Hello Jordan,

my guess: unbound can forward dns queries but not dns notify messages.
If possible, let ns1 and ns2 talk directly.

#ns1 nsd.conf

notify: 10.x.y.212 sec_key

notify: 10.x.y.212@5353 sec_key

notify: fd00:abc::d4 sec_key

notify: fd00:abc::d4@5353 sec_key

#ns2 nsd.conf

zone:
    name: "whatever.xyz"
    zonefile: "whatever.xyz.forward"
    allow-notify: 10.x.y.211 sec_key

configuring both to provide transfer from the other
makes no sense.

@ns2, delete: provide-xfr: 10.x.y.211 sec_key

while debugging issues in such a setup I find it helpful
to start with zone-transfer over /one/ protocol, IPv4 /or/ IPv6
but not both. Simplify the setup :)

Andreas