Hi,
I am attempting to add a new slave DNS zone.
I manage the domain "stephane-huc.net", on OpenBSD, at home, with nsd, as follows:
$ grep -v '^;' /etc/ns/stephane-huc.net
$TTL 1H
$ORIGIN stephane-huc.net.
@ IN SOA ns1.stephane-huc.net. postmaster.stephane-huc.net. (
202002102 ;
1D ; refresh
1H ; retry
2W ; expire
1H ; negative
)
@ IN NS ns1.stephane-huc.net.
@ IN NS ledzep.ybad.name.
@ IN NS slave.dns.he.net.
ns1 IN A 88.136.16.221
ns1 IN AAAA 2001:470:cc33:47:c107:b5d:0:3
@ IN MX 5 mx.lautre.net.
@ IN MX 10 mx3.lautre.net.
@ IN A 80.67.160.70
blog IN A 80.67.160.70
ecrits IN A 80.67.160.70
en IN A 80.67.160.70
mail IN A 80.67.160.70
www IN A 80.67.160.70
autoconfig IN CNAME panel.lautre.net.
autodiscover IN CNAME panel.lautre.net.
@ IN CAA 0 iodef "mailto:postmaster@stephane-huc.net"
@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issuewild "letsencrypt.org"
@ IN TXT "v=spf1 a mx include:spf.lautre.net ~all"
_dmarc IN TXT "v=DMARC1;p=none;pct=100;rua=mailto:postmaster@stephane-huc.net;"
_443._tcp.stephane-huc.net. IN TLSA 3 1 2 48295c1605d5ae91d40b536f4188bbf242efd28baaf425fc476a1324e1d0aa69fcfc3c77a7d4a8eda4f0e910fef827b5a58a89dd6d7dbd40cc1d6a6b5d035a70
As you can see, "slave.dns.he.net" is in the zone.
And the nsd config file is:
# grep -v '^#' /var/nsd/etc/nsd.conf
server:
hide-version: yes
verbosity: 1
database: "" # disable database
remote-control:
control-enable: yes
control-interface: /var/run/nsd.sock
key:
name: "kshn"
algorithm: hmac-sha512
secret: "***********"
zone:
name: "stephane-huc.net"
zonefile: "signed/stephane-huc.net"
#zonefile: "zones/master/stephane-huc.net"
# yeuxdelibad/ybad.name
notify: 93.6.177.187 kshn
provide-xfr: 93.6.177.187 kshn
# slave.dns.he.net
notify: 216.218.133.2 NOKEY
provide-xfr: 216.218.133.2 NOKEY
notify: 2001:470:600::2 NOKEY
provide-xfr: 2001:470:600::2 NOKEY
# ns6.gandi.net
notify: 217.70.177.40 NOKEY
provide-xfr: 217.70.177.40 NOKEY
"NOKEY" specifies "no TSIG"; and as you can see, I notify and provide xfr to the IPv4 and IPv6 addresses.
But when I try to add it as a new slave in the HE web admin, the system replies with:
You must delegate to one or more of the slave nameservers.
(https://imgur.com/BmSYnna.png)
Any idea/suggestion?!
Here is what dig replies:
$ dig SOA stephane-huc.net @ns1.stephane-huc.net
; <<>> DiG 9.11.14-3-Debian <<>> SOA stephane-huc.net @ns1.stephane-huc.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42445
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;stephane-huc.net. IN SOA
;; ANSWER SECTION:
stephane-huc.net. 3600 IN SOA ns1.stephane-huc.net. postmaster.stephane-huc.net. 1581321072 86400 86400 1209600 3600
;; AUTHORITY SECTION:
stephane-huc.net. 3600 IN NS ns1.stephane-huc.net.
stephane-huc.net. 3600 IN NS slave.dns.he.net.
stephane-huc.net. 3600 IN NS ledzep.ybad.name.
;; ADDITIONAL SECTION:
ns1.stephane-huc.net. 3600 IN AAAA 2001:470:cc33:47:c107:b5d:0:3
ns1.stephane-huc.net. 3600 IN A 88.136.16.221
;; Query time: 1 msec
;; SERVER: 2001:470:cc33:47:c107:b5d:0:3#53(2001:470:cc33:47:c107:b5d:0:3)
;; WHEN: lun. févr. 10 18:18:43 CET 2020
;; MSG SIZE rcvd: 211
$ dig NS stephane-huc.net @ns1.stephane-huc.net
; <<>> DiG 9.11.14-3-Debian <<>> NS stephane-huc.net @ns1.stephane-huc.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60361
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;stephane-huc.net. IN NS
;; ANSWER SECTION:
stephane-huc.net. 3600 IN NS ns1.stephane-huc.net.
stephane-huc.net. 3600 IN NS slave.dns.he.net.
stephane-huc.net. 3600 IN NS ledzep.ybad.name.
;; ADDITIONAL SECTION:
ns1.stephane-huc.net. 3600 IN AAAA 2001:470:cc33:47:c107:b5d:0:3
ns1.stephane-huc.net. 3600 IN A 88.136.16.221
;; Query time: 0 msec
;; SERVER: 2001:470:cc33:47:c107:b5d:0:3#53(2001:470:cc33:47:c107:b5d:0:3)
;; WHEN: lun. févr. 10 18:19:01 CET 2020
;; MSG SIZE rcvd: 164
$ dig SOA stephane-huc.net @ledzep.ybad.name
; <<>> DiG 9.11.14-3-Debian <<>> SOA stephane-huc.net @ledzep.ybad.name
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61342
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;stephane-huc.net. IN SOA
;; ANSWER SECTION:
stephane-huc.net. 3600 IN SOA ns1.stephane-huc.net. postmaster.stephane-huc.net. 2020020916 86400 86400 1209600 3600
;; AUTHORITY SECTION:
stephane-huc.net. 3600 IN NS ns1.stephane-huc.net.
stephane-huc.net. 3600 IN NS slave.dns.he.net.
stephane-huc.net. 3600 IN NS ledzep.ybad.name.
;; ADDITIONAL SECTION:
ns1.stephane-huc.net. 3600 IN A 88.136.16.221
ns1.stephane-huc.net. 3600 IN AAAA 2001:470:cc33:47:c107:b5d:0:3
;; Query time: 49 msec
;; SERVER: 93.6.177.187#53(93.6.177.187)
;; WHEN: lun. févr. 10 19:19:57 CET 2020
;; MSG SIZE rcvd: 211
$ dig NS stephane-huc.net @ledzep.ybad.name
; <<>> DiG 9.11.14-3-Debian <<>> NS stephane-huc.net @ledzep.ybad.name
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26688
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;stephane-huc.net. IN NS
;; ANSWER SECTION:
stephane-huc.net. 3600 IN NS ns1.stephane-huc.net.
stephane-huc.net. 3600 IN NS slave.dns.he.net.
stephane-huc.net. 3600 IN NS ledzep.ybad.name.
;; ADDITIONAL SECTION:
ns1.stephane-huc.net. 3600 IN A 88.136.16.221
ns1.stephane-huc.net. 3600 IN AAAA 2001:470:cc33:47:c107:b5d:0:3
;; Query time: 51 msec
;; SERVER: 93.6.177.187#53(93.6.177.187)
;; WHEN: lun. févr. 10 19:20:06 CET 2020
;; MSG SIZE rcvd: 164
Slave.dns.he.net is where HE interacts with your server to fetch the zone and where notify messages go. Therefore using it in your nsd.conf file is correct.
However, you listed it in your zone data too. That is wrong. You need to put ns[1-5].he.net there.
Remove: @ IN NS slave.dns.he.net.
Add:
@ IN NS ns1.he.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.
Ok.
@snarked: ty!
With your suggestions, it runs correctly.
(https://imgur.com/2GipjPU.png)
But I still get a problem when I notify.
Now I use notification with TSIG, using hmac-sha512.
# grep -v '^#' /var/nsd/etc/nsd.conf
server:
hide-version: yes
verbosity: 1
database: "" # disable database
remote-control:
control-enable: yes
control-interface: /var/run/nsd.sock
key:
name: "name"
algorithm: hmac-sha512
secret: "***"
zone:
name: "stephane-huc.net"
zonefile: "signed/stephane-huc.net"
#zonefile: "zones/master/stephane-huc.net"
# yeuxdelibad/ybad.name
notify: 93.6.177.187 name
provide-xfr: 93.6.177.187 name
# slave.dns.he.net
notify: 216.218.133.2 name
provide-xfr: 216.218.133.2 name
notify: 2001:470:600::2 name
provide-xfr: 2001:470:600::2 name
I anonymised the key name and secret to publish them here ;)
I can't reach HE's DNS, but the "ybad.name" DNS received the information.
# nsd-control notify stephane-huc.net
ok
# grep nsd /var/log/messages | tail -n2
Feb 14 13:30:12 omv nsd[21361]: xfrd: zone stephane-huc.net: max notify send count reached, 216.218.133.2 unreachable
Feb 14 13:30:12 omv nsd[21361]: xfrd: zone stephane-huc.net: max notify send count reached, 2001:470:600::2 unreachable
# ping -c3 216.218.133.2
PING 216.218.133.2 (216.218.133.2): 56 data bytes
64 bytes from 216.218.133.2: icmp_seq=0 ttl=64 time=184.365 ms
64 bytes from 216.218.133.2: icmp_seq=1 ttl=64 time=182.789 ms
64 bytes from 216.218.133.2: icmp_seq=2 ttl=64 time=183.714 ms
--- 216.218.133.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 182.789/183.622/184.365/0.647 ms
# ping6 -c3 2001:470:600::2
PING 2001:470:600::2 (2001:470:600::2): 56 data bytes
64 bytes from 2001:470:600::2: icmp_seq=0 hlim=64 time=182.012 ms
64 bytes from 2001:470:600::2: icmp_seq=1 hlim=64 time=182.573 ms
64 bytes from 2001:470:600::2: icmp_seq=2 hlim=64 time=182.766 ms
--- 2001:470:600::2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 182.012/182.450/182.766/0.320 ms
???
It's possible that notify messages should go to ns[1-5] also, not slave. As I set up my zones before TSIG was in use here, you're on your own for any problems with that issue.
Had the same error message. In my case the origin was missing on the NS lines of the zonefile:
Instead of
@ IN NS ns1.example.com.
@ IN NS ns1.he.net.
@ IN NS ns2.he.net.
I had
IN NS ns1.example.com.
IN NS ns1.he.net.
IN NS ns2.he.net.
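As an added example (my own code, not anything posted in this thread), here is a small Python check that reproduces the two apex-NS mistakes discussed above: delegating to slave.dns.he.net instead of ns1-ns5.he.net, and NS lines that lack the "@" owner. The HE nameserver set and the sample zones are constructed for the demonstration; how HE's own check is implemented is not known from the thread.

```python
HE_PUBLIC_NS = {f"ns{i}.he.net." for i in range(1, 6)}   # assumed: the published HE slaves

# Constructed sample zone fragments (not the files posted in the thread).
ZONE_OK = """$ORIGIN example.net.
@ IN NS ns1.example.net.
@ IN NS ns1.he.net.
ns1 IN A 192.0.2.1
"""
ZONE_SLAVE_HOST = """$ORIGIN example.net.
@ IN NS ns1.example.net.
@ IN NS slave.dns.he.net.
"""
ZONE_NO_OWNER = """$ORIGIN example.net.
IN NS ns1.example.net.
IN NS ns1.he.net.
"""


def apex_ns(zone_text):
    """Return the NS targets owned by the zone apex.
    Minimal RFC 1035 master-file rules: '@' means the origin, a line that
    starts with whitespace reuses the previous owner, and otherwise the first
    token is the owner (so 'IN NS ns1.he.net.' gets the owner 'IN', not '@').
    $TTL, comments and non-NS records are skipped."""
    origin, owner, targets = None, None, set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):
            continue                              # $TTL and friends
        if not raw[0].isspace():
            owner = tokens.pop(0)                 # explicit owner name
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                         # optional TTL / class
        if len(tokens) >= 2 and tokens[0].upper() == "NS" and owner in ("@", origin):
            targets.add(tokens[1].lower())
    return targets


def delegation_problem(zone_text, provider_ns=HE_PUBLIC_NS):
    """None when the apex delegates to at least one provider nameserver,
    otherwise a short reason why a 'you must delegate' check would fail."""
    ns = apex_ns(zone_text)
    if ns & provider_ns:
        return None
    if "slave.dns.he.net." in ns:
        return "slave.dns.he.net. is the transfer endpoint, not a published nameserver"
    return "no apex NS record points at any of " + ", ".join(sorted(provider_ns))
```

Run it against your real zone file text before submitting the slave request; an empty result from apex_ns means the parser found no apex NS records at all, which is what the missing "@" produces.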