• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

[SOLVED] NOTIFY messages being refused

Started by striek, September 30, 2016, 04:45:31 PM

Previous topic - Next topic


Hi all,

I have HE DNS set up as a slave to my domains - everything is working well except for NOTIFY updates.

I seem to be unable to send NOTIFY updates to ns1.he.net - when I do, I get a response back that the update has been refused. It doesn't show up in the BIND logs, but I tripped over this while grokking tcpdump output trying to figure out the problem:

root@namemaster-01:/home/ken# service bind9 restart
root@namemaster-01:/home/ken# 23:29:13.900612 IP > 42247 notify [b2&3=0x2400] [1a] SOA? domain1.ca. (83)
23:29:13.935776 IP > 42247 notify Refused*- 0/0/0 (26)
23:29:14.392570 IP > 26176 notify [b2&3=0x2400] [1a] SOA? domain2.com. (85)
23:29:14.427565 IP > 26176 notify Refused*- 0/0/0 (28)
23:29:14.892512 IP > 59642 notify [b2&3=0x2400] [1a] SOA? reverseDomain.in-addr.arpa. (104)
23:29:14.926442 IP > 59642 notify Refused*- 0/0/0 (47)

IP addresses have been obfuscated, obviously, but the server you see there is set up as the master for all these domains.

Any idea why these NOTIFY messages are being refused? I'm racking my brain trying to figure it out and I'm at a dead end...


This was actually because of a mangled firewall rule on my end - I was masquerading connections from my nameserver to look like they were coming from my router - which, obviously, is not listed as the primary nameserver in the zone settings.

I couldn't see the problem with tcpdump output from the nameserver, but looking at tcpdump output on the router while investigating something else made it obvious.