NSD refusing secondary AXFR

Hello,

Please can I have some help regarding this.

I've set up NSD as primary with NOKEY.

My domain registrar's secondary DS cannot handle TSIG.

My zone file is signed with NSEC3SHA1.

Each time the designated secondary NS requests AXFR, my NSD server sends
REFUSED, which I can see from tcpdumps.

I've set up debug logging and it reports:

info: axfr for zone example.com. from client 1.2.3.4 refused, no acl matches

I've simply set it up as follows in nsd.conf, and there are no problems with nsd-checkconf:

zone:
    name: example.com.
    zonefile: example.com.signed
    notify: 1.2.3.4@53 NOKEY
    provide-xfr: 1.2.3.4@53 NOKEY

server:
    ip-address: 4.3.2.1
    port: 53
    server-count: 1
    username: nsd
    do-ip4: yes
    do-ip6: no
    hide-version: yes
    identity: ""
    ipv4-edns-size: 4096
    zonesdir: "/etc/nsd"
    zonefiles-check: yes
    verbosity: 2
    debug-mode: yes
    logfile: "/etc/nsd/nsd.log"

It's running on Debian jessie amd64.

What could it be?

Dear shmuck,

> each time the designated secondary NS requests AXFR, my nsd server sends
> REFUSED which i can see from tcpdumps
>
> ive setup debug logging and it reports:
>
> info: axfr for zone example.com. from client 1.2.3.4 refused, no acl matches
>
> ive simply setup it as followed in nsd.conf & no problems with nsd-checkconf
>
> zone:
>     name: example.com.
>     zonefile: example.com.signed
>     notify: 1.2.3.4@53 NOKEY
>     provide-xfr: 1.2.3.4@53 NOKEY

This is your problem. You're telling the NSD master that the slave must
connect from address 1.2.3.4 *and* source port 53. However, the slave
will most likely use an ephemeral port number, so the ACL will not
match. Change that to:

provide-xfr: 1.2.3.4 NOKEY

Regards,

Anand Buddhdev
RIPE NCC
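The ACL behaviour Anand describes, as an added example that is not NSD's own code: a small model of `provide-xfr` matching that parses the two entry forms used in this thread (`ip NOKEY` and `ip@port NOKEY`), decides ALLOWED/REFUSED for a client connecting from an ephemeral source port, and lints entries that pin a source port. The conf fragments, the port 54321 and the simplified NOKEY handling (any client from the listed address is accepted) are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One provide-xfr line: "<ip>[@port] <key-name|NOKEY>" (only the forms seen in
# the thread; NSD's netmask and range ip-specs are not modelled here).
ACL_RE = re.compile(r"^\s*provide-xfr:\s*([^\s@]+)(?:@(\d+))?\s+(\S+)\s*$")


@dataclass
class XfrAcl:
    ip: str
    port: Optional[int]   # None means "any source port"
    key: str              # TSIG key name, or "NOKEY"


def parse_provide_xfr(conf: str) -> List[XfrAcl]:
    """Collect provide-xfr entries from an nsd.conf fragment (a model, not NSD's parser)."""
    acls = []
    for line in conf.splitlines():
        m = ACL_RE.match(line)
        if m:
            ip, port, key = m.groups()
            acls.append(XfrAcl(ip, int(port) if port else None, key))
    return acls


def axfr_decision(acls: List[XfrAcl], client_ip: str, client_port: int,
                  client_key: Optional[str] = None) -> str:
    """'ALLOWED' if any ACL matches the requesting client, else 'REFUSED'
    (the thread's log line: 'refused, no acl matches')."""
    for acl in acls:
        if acl.ip != client_ip:
            continue
        if acl.port is not None and acl.port != client_port:
            continue          # an @port entry pins the client's *source* port
        if acl.key == "NOKEY" or acl.key == client_key:   # simplified key check
            return "ALLOWED"
    return "REFUSED"


def lint_source_port(acls: List[XfrAcl]) -> List[str]:
    """Flag entries that pin a source port: a secondary normally sends AXFR
    from an ephemeral port, so such entries refuse it."""
    return [f"provide-xfr: {a.ip}@{a.port} {a.key} pins the source port; use '{a.ip} {a.key}'"
            for a in acls if a.port is not None]


# Constructed nsd.conf fragments: the poster's entry and the corrected one.
BROKEN_CONF = "zone:\n    name: example.com.\n    provide-xfr: 1.2.3.4@53 NOKEY\n"
FIXED_CONF = "zone:\n    name: example.com.\n    provide-xfr: 1.2.3.4 NOKEY\n"

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        acls = parse_provide_xfr(conf)   # 54321 stands in for an ephemeral source port
        print(label, axfr_decision(acls, "1.2.3.4", 54321), lint_source_port(acls))
```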

Anand Buddhdev wrote:

> Dear shmuck,

I don't mind the old "shmuck" if it will allow me to sleep tonight!
That's a trade-off I'm willing to take.
Thanks