Why doesn't UDP cause UDP?

In my nsd.conf file, I have:

zone:
    name: dimeadozen.org
    zonefile: slave/dimeadozen.org
    allow-notify: 85.214.50.249 NOKEY
    request-xfr: UDP 85.214.50.249 NOKEY

Yet in the log, I see:

[1259891852] nsd[6570]: error: Could not tcp connect to 85.214.50.249: Operation timed out

I see the same thing if I remove the "UDP", but my real question is: why is NSD trying over TCP if I specified UDP?

--Paul Hoffman

Hi Paul,

Previously, NSD always made its IXFR requests over UDP.
Since 3.2.0, we default to IXFR/TCP.
The UDP option is to still make IXFR/UDP requests.
We strongly recommend using TSIG if you use IXFR/UDP.

NSD will still try to AXFR the zone with TCP, if the zone's current
serial is 0, or if the master server does not implement IXFR.

Best regards,

Matthijs

Paul Hoffman wrote:

This new rule makes it impossible to start being a slave to a master that requires UDP, unless it will do AXFR. That is, even specifying "UDP" will not let NSD start being a slave because at first, the serial number will be 0. This seems like a pretty severe restriction in the name of forced safety.

Hi Paul,

> This new rule makes it impossible to start being a slave to a master
> that requires UDP, unless it will do AXFR. That is, even specifying
> "UDP" will not let NSD start being a slave because at first, the serial
> number will be 0. This seems like a pretty severe restriction in the
> name of forced safety.

The UDP keyword allows NSD to use UDP for IXFR attempts.
AXFR and some-IXFR responses cause fallback to TCP in any case.

So, the master does not require UDP, but instead the use of UDP may be
very useful - simply because of lower bandwidth for small changes. To
my knowledge no masters 'require UDP', although they may allow it.

So with this option NSD will attempt to use the lower-overhead UDP form
of IXFR update when possible. When not possible, such as at a start
like you say, or when flagged by the master that the update is large,
then TCP is used.

Best regards,
   Wouter
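
The recommendation in the thread to use TSIG whenever IXFR/UDP is enabled can be checked mechanically. The following is an added example, not code from the thread or from the NSD project: a small Python audit that scans nsd.conf text and reports every `request-xfr` entry that combines the `UDP` keyword with `NOKEY`. The sample configuration is constructed from the zone quoted above plus a hypothetical keyed zone (`example.net`, key name `xfr-key`, master `192.0.2.53`, placeholder secret).

```python
import re

# nsd.conf syntax: request-xfr: [AXFR|UDP] <ip-address> <key-name | NOKEY>
XFR_RE = re.compile(r"^request-xfr:\s+(?:(AXFR|UDP)\s+)?(\S+)\s+(\S+)$")
SECTION_RE = re.compile(r"^[a-z-]+:$")  # "zone:", "key:", "server:", ...


def audit_request_xfr(conf_text):
    """Return (zone, master, finding) tuples for unauthenticated IXFR/UDP."""
    findings = []
    zone = None
    in_zone = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if SECTION_RE.match(line):
            in_zone = line == "zone:"
            zone = None
            continue
        if not in_zone:
            continue
        if line.startswith("name:"):
            # Assumption: "name:" precedes "request-xfr:" inside each zone block.
            zone = line.split(":", 1)[1].strip().strip('"')
            continue
        m = XFR_RE.match(line)
        if m:
            mode, master, key = m.groups()
            if mode == "UDP" and key == "NOKEY":
                findings.append((zone, master, "IXFR/UDP without TSIG"))
    return findings


# Constructed sample: the zone from the thread plus a hypothetical keyed zone.
SAMPLE_CONF = """\
key:
    name: xfr-key
    algorithm: hmac-sha256
    secret: "PLACEHOLDER_BASE64_SECRET"
zone:
    name: dimeadozen.org
    request-xfr: UDP 85.214.50.249 NOKEY
zone:
    name: example.net
    request-xfr: UDP 192.0.2.53 xfr-key
"""

if __name__ == "__main__":
    for zone, master, finding in audit_request_xfr(SAMPLE_CONF):
        print(f"{zone}: {master}: {finding}")
```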