NSD NOTIFY Possible Regression?

I recently updated Unbound 1.24.2 → 1.25.1 and NSD 4.13.0 → 4.14.2 (OpenBSD). Without changing any configuration on either software (i.e. was working without issues on 1.24.2 / 4.13.0) I am now getting “SOA IN REFUSED” when I try to NOTIFY RPZ auth zones from NSD (i.e. nsd-control notify ).

When Unbound starts up it is able to AXFR the RPZ auth zones from an NSD primary without issue (confirmed with unbound-control list_auth_zones). I did crank up verbosity and did not get any additional information. Hopefully I am missing something obvious and this is not a regression?

I was able to reproduce running on loopback.

Here are the logs:

-- NSD (127.0.0.1)

[2026-06-10 05:25:11.730] nsd[30276]: info: control cmd:  notify rpz.testing
[2026-06-10 05:25:11.737] nsd[30276]: error: xfrd: zone rpz.testing: received notify response error REFUSED from 127.0.53.1
[2026-06-10 05:25:11.745] nsd[30276]: error: xfrd: zone rpz.testing: received notify response error REFUSED from 127.0.53.1
[2026-06-10 05:25:11.757] nsd[30276]: error: xfrd: zone rpz.testing: received notify response error REFUSED from 127.0.53.1
[2026-06-10 05:25:11.763] nsd[30276]: error: xfrd: zone rpz.testing: received notify response error REFUSED from 127.0.53.1
[2026-06-10 05:25:11.769] nsd[30276]: error: xfrd: zone rpz.testing: received notify response error REFUSED from 127.0.53.1
[2026-06-10 05:25:11.769] nsd[30276]: error: xfrd: zone rpz.testing: max notify send count reached, 127.0.53.1 unreachable

-- Unbound (127.0.53.1)

2026-06-10T05:25:11.764+00:00 unbound[9930:0] info: refused NOTIFY for rpz.testing. from ip4 127.0.53.1 port 26498 (len 16)
2026-06-10T05:25:11.767+00:00 unbound[9930:0] reply: 127.0.53.1 rpz.testing. SOA IN REFUSED 0.000000 1 43

Here is the basic gist of the configurations:

-- NSD (127.0.0.1)

zone:
  name: "rpz.testing"
  zonefile: "rpz.testing.zone"
  notify-retry: 5
  notify: 127.0.53.1 NOKEY
  provide-xfr: 127.0.0.0/8 NOKEY

-- Unbound (127.0.53.1)

access-control: 127.0.0.0/8 allow_snoop
...
rpz:
  name: "rpz.testing"
  primary: 127.0.0.1
  allow-notify: 127.0.53.0/24
  rpz-action-override: passthru
  rpz-log: yes
  rpz-log-name: "rpz.testing"
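An added example, not from the original post or from the NSD/Unbound projects, for checking this kind of refusal independently of nsd-control. It builds a minimal RFC 1996 NOTIFY (opcode 4, AA set, QTYPE SOA) for the zone, decodes the RCODE of whatever the resolver answers, and mirrors the address part of the allow-notify check with the netblock from the post, so an operator can confirm after an upgrade that a NOTIFY from the primary gets NOERROR rather than REFUSED. The zone name, addresses and netblock are taken from the thread; the message id and the REFUSED reply used for the offline check are constructed values. Note that Unbound's log above records the NOTIFY arriving from 127.0.53.1, which is inside 127.0.53.0/24, so the address check alone does not explain the refusal; that matches the fix described later in the thread.

```python
import ipaddress
import socket
import struct

# Values from the thread's loopback setup; the message id is a constructed sample.
ZONE = "rpz.testing"
UNBOUND_ADDR = "127.0.53.1"
ALLOW_NOTIFY = ["127.0.53.0/24"]
SAMPLE_MSG_ID = 0x1234

# DNS constants (RFC 1035 header layout, RFC 1996 NOTIFY opcode).
OPCODE_NOTIFY = 4
QTYPE_SOA = 6
QCLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-encode an owner name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_notify(zone: str, msg_id: int) -> bytes:
    """Build a NOTIFY request: QR=0, OPCODE=4, AA=1, one SOA question for the zone."""
    flags = (OPCODE_NOTIFY << 11) | (1 << 10)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_response(resp: bytes, expected_id: int) -> dict:
    """Decode the header of a NOTIFY response: id, QR bit, opcode and RCODE."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    msg_id, flags = struct.unpack("!HH", resp[:4])
    if msg_id != expected_id:
        raise ValueError(f"id mismatch: got {msg_id:#x}, expected {expected_id:#x}")
    rcode = flags & 0x0F
    return {
        "id": msg_id,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0x0F,
        "rcode": rcode,
        "rcode_name": RCODES.get(rcode, f"RCODE{rcode}"),
    }


def notify_allowed(src_ip: str, allow_notify: list) -> bool:
    """Address half of an allow-notify decision: is the sender inside any configured netblock?"""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(block, strict=False) for block in allow_notify)


def send_notify(zone: str, server: str, port: int = 53, timeout: float = 2.0) -> dict:
    """Send one NOTIFY over UDP and decode the reply (network call; only used from main)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_notify(zone, SAMPLE_MSG_ID), (server, port))
        data, _ = sock.recvfrom(512)
    return parse_response(data, SAMPLE_MSG_ID)


if __name__ == "__main__":
    print("allow-notify covers", UNBOUND_ADDR, "->", notify_allowed(UNBOUND_ADDR, ALLOW_NOTIFY))
    print("NOTIFY", ZONE, "->", send_notify(ZONE, UNBOUND_ADDR))
```

Run it on the resolver host after restarting Unbound; a healthy setup answers with rcode_name NOERROR, while the regression in the thread shows up as REFUSED. If notify_allowed is True but the reply is still REFUSED, the cause is in the server's own allow-notify handling rather than the configured netblock.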

This commit likely fixes the problem:

It fixes that due to not having a zonefile configured, it followed a different set of steps. But it should not have, the fix makes it start the probe sequence, correctly, and in addition pick up addresses and netblocks for allow-notify early during server start, so that the notifies are not refused when they match.

Thanks so much Wouter! I will give it a spin when I have a moment and provide some feedback.

@Wouter I have confirmed this patch fixes the regression. Thanks again for the quick turnaround :smiley: