I've installed Unbound and Nsd on a Centos 6.5 server.
NSD is the secondary (slave) name server for some zones. The primary
(master) for those zones is a BIND server.
Unbound is listening on the port 53 and NSD is listening on the port 53530.
The master is set up to send notifies to the port 53530 of the slave
server. (also-notify <slave IP address> port 53530)
I'm having some issues when a zone is updated on the master. The master
sends the notifies to the right port (53530). I can see the notifies
with a tcpdump but NSD doesn't transfer the zone. I don't even see any
message in the NSD log saying it received the notifies. (the "verbosity"
parameter is set to 2).
If NSD requests the transfer (nsd-control transfer <zone>) the transfer
works. It just doesn't work when the transfer is supposed to be initiated
by a notify sent by the master.
I've already checked iptables and it is accepting connections to the
port 53530.
I've even tried stopping Unbound and setting up NSD to listen on the
port 53 just in case this issue has anything to do with the non-standard
port being used, but it didn't work either.
Is there anything else I could check?
Are you aware of any incompatibility between a BIND master and an NSD slave?
Thank you a lot for any comments/help you could provide.
Do you have:
allow-notify: <master>@53530 NOKEY
for this zone? Without it, NSD will ignore the NOTIFY message from the
master.
Have you checked that your NSD configuration allows the notify, with
the allow-notify: <master-ipaddress> NOKEY statement. With
verbosity 2 it should print allowed or refused for almost all notifies.
If NSD does not host the zone, then it prints nothing at verbosity 2,
instead it returns 'nxdomain' rcode to the master. Do you have the
zone name spelled correctly in the NSD configuration?
The zone should also have a request-xfr: <master ipaddress> NOKEY in
the nsd.conf file, so that it knows where to transfer the zone from.
If you are using TSIG, try to disable it, if the TSIG fails (i.e. you
have the wrong TSIG key) then NSD will also not print a log entry.
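To make the two statements above concrete, here is an nsd.conf fragment (NSD 4 syntax) for the setup described in the thread: NSD as a secondary on port 53530, BIND as the master. This is an added example, not configuration from the thread or from the NSD project; the addresses 192.0.2.10 (master) and 192.0.2.20 (this host), the zone name, the key name and the pattern names are assumptions, and the TSIG secret is a placeholder.

```conf
# Added example nsd.conf for an NSD 4 secondary listening on 53530.
# 192.0.2.10 is the assumed BIND master, 192.0.2.20 this host.
server:
    ip-address: 192.0.2.20
    port: 53530
    verbosity: 2
    logfile: "/var/log/nsd/nsd.log"

# Only needed for the TSIG variant below; the secret is a placeholder
# and must be the same key configured on the BIND master.
key:
    name: "bind-to-nsd"
    algorithm: hmac-sha256
    secret: "<base64 secret shared with the BIND master>"

# Pattern without TSIG. The incoming ACL matches on source address only:
# the master sends NOTIFY from a random source port, so no @port is
# written on allow-notify. request-xfr says where to fetch the zone from
# (the master's port 53, the default) once a NOTIFY has been accepted.
pattern:
    name: "secondary-of-bind"
    allow-notify: 192.0.2.10 NOKEY
    request-xfr: 192.0.2.10 NOKEY

# Same pattern with TSIG on both the NOTIFY and the transfer. If the key
# does not match, NSD drops the NOTIFY without a log line at verbosity 2,
# so switch to the NOKEY pattern first when debugging.
pattern:
    name: "secondary-of-bind-tsig"
    allow-notify: 192.0.2.10 bind-to-nsd
    request-xfr: 192.0.2.10 bind-to-nsd

zone:
    name: "example.com"
    include-pattern: "secondary-of-bind"
```

On the BIND side the matching zone statement carries `also-notify { 192.0.2.20 port 53530; };`. After editing nsd.conf, apply it with `nsd-control reconfig`; add further zones at runtime with `nsd-control addzone example.net secondary-of-bind` rather than by editing zone.list by hand, and confirm with `nsd-control zonestatus example.net` that NSD actually knows the zone under that exact name.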
> Do you have:
> allow-notify: <master>@53530 NOKEY
> for this zone? Without it, NSD will ignore the NOTIFY message from
> the master.
The master is not sending from 53530, so you can omit the port number.
The port number is ignored for incoming ACL entries, it is used to
specify destination ports (and bind-this-local-port). We allow the
master to send the notify from a random port number (like other DNS
queries).
But you are right, the allow-notify line is needed otherwise NSD
ignores them.
The master is listening on port 53. It's just NSD (slave) that is
listening on port 53530.
Should I have "allow-notify: <master>@53530 NOKEY" anyway?
No, I'm sorry. I replied too quickly. You don't need port 53530 in the
allow-notify. It's only needed if you want to allow NOTIFY messages from
that specific port number. I'm sorry to have caused confusion.
The zone is listed in the zone.list file and it's spelled correctly. I
added it using a pattern which includes both the allow-notify and the
request-xfr lines:
How did you add it to the zone.list file? If you edit the file
manually, NSD does not pick up the changes while it is running; and in
fact (may) overwrite your edits when it closes. Do you see the zone
with nsd-control zonestatus?
Is your computer configured with a firewall that blocks traffic to
port 53530? Otherwise, I am also running out of ideas; with the zone
and allow-notify configured, NSD prints what happens with verbosity
=2. Nothing is printed, so I assume NSD does not actually get the
Are you getting logs from NSD at all? Or does it have similar trouble
like unbound (it has very similar log code) had for you (the logfile
was not inside the chroot)? Then you can see what it says about the
Notify or about the zone transfers (increase verbosity from 2 to 5 to
see more and more).
I couldn't set up Nsd to use syslog, however it is logging to a file.
I actually see a lot of lines but nothing about receiving notifies
from the master.
I increased verbosity from 2 to 5 and ran tail -f on the logfile
while, on the master, I incremented the serial of a zone and reloaded
it. The master sent notifies and another slave got the zone transferred
but NOT this slave (the nsd). The Nsd didn't get any notify.
So, nsd has the zone configured correctly, it has allow-notify and
request-xfr set and the name. The notify packet arrives on tcpdump.
lsof says NSD listens on that port, but NSD4 prints nothing. With
verbosity it should print something, but it does not.
If you compile NSD with --enable-checking and start nsd with -F 20 -L
2 options it will print even more than it prints now (it should simply
print that a notify has been received, for every notify packet).
Can you transfer the zone if you specify nsd-control transfer
<zonename> ? This pretends a notify has been received internally
(but without the actual packet), and does the same zone transfer code.
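The thread's open question is whether NSD receives the NOTIFY at all, or receives it and silently drops it. A way to separate the two cases is to hand-craft a NOTIFY (RFC 1996: opcode 4, AA set, one SOA question for the zone) and look at the response code: no answer means the packet never reached a listening NSD, REFUSED points at the allow-notify ACL (or TSIG), and, as described earlier in the thread, NSD answers a NOTIFY for a zone it does not host with an NXDOMAIN rcode rather than logging anything. The script below is an added diagnostic, not code from the thread or from the NSD project; the zone name, addresses and port in it are assumptions, and the reply bytes used for checking are constructed inline.

```python
"""Send a DNS NOTIFY (RFC 1996) to a secondary and decode its answer.

Added diagnostic example; not part of the thread or of NSD itself.
Zone, addresses and port used at the bottom are assumed values.
"""
import socket
import struct

OPCODE_NOTIFY = 4          # RFC 1996 section 3.1
FLAG_QR = 0x8000           # response bit
FLAG_AA = 0x0400           # primaries set AA on the NOTIFY they send
QTYPE_SOA = 6
QCLASS_IN = 1

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus root."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_notify(zone, msg_id):
    """12-byte header (opcode NOTIFY, AA, QDCOUNT=1) and one SOA question."""
    flags = (OPCODE_NOTIFY << 11) | FLAG_AA
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_reply(data, msg_id):
    """Return opcode and rcode of a NOTIFY response after sanity checks."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != msg_id:
        raise ValueError("reply ID %#x does not match %#x" % (rid, msg_id))
    if not flags & FLAG_QR:
        raise ValueError("reply does not have QR set")
    return {"opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF}


def explain(reply):
    """Map the outcome onto the checks discussed in the thread."""
    if reply is None:
        return ("no reply: the packet never reached a listening NSD "
                "(firewall, wrong port, or nothing bound on that socket)")
    rcode = reply["rcode"]
    name = RCODE_NAMES.get(rcode, "rcode %d" % rcode)
    hints = {
        0: "accepted; NSD should log the notify and start the transfer",
        3: "NSD does not host a zone of that name; check the name in nsd.conf",
        5: "refused; check allow-notify (and TSIG) for the source address",
        9: "not authoritative for that zone; check the name in nsd.conf",
    }
    return "%s: %s" % (name, hints.get(rcode, "unexpected response"))


def send_notify(zone, host, port=53530, timeout=3.0, msg_id=0x1234):
    """Send the NOTIFY over UDP; parsed reply, or None on timeout."""
    packet = build_notify(zone, msg_id)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(packet, (host, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    finally:
        sock.close()
    return parse_reply(data, msg_id)


if __name__ == "__main__":
    # Assumed values. Run this ON the master host: allow-notify matches
    # the source address, so a probe from anywhere else is refused.
    print(explain(send_notify("example.com", "192.0.2.20", 53530)))
```

Run it from the master's address while watching the NSD log at verbosity 2, and in parallel confirm on the secondary with `tcpdump -n -i any 'udp port 53530 and udp[10] & 0x78 == 0x20'` (opcode bits of the DNS flags byte equal to NOTIFY) that the probe packet arrives; a packet that shows up in tcpdump but gets neither a reply nor a log line is the situation the thread ends on, and at that point a process bound to the wrong address, a chroot with the logfile outside it, or an NSD built without the expected port is what is left to check.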