Hurricane Electric's IPv6 Tunnel Broker Forums
Add new slave

Started by hucste, February 10, 2020, 10:21:23 AM


hucste

Hi,
I am trying to add a new slave DNS zone.
I manage the domain "stephane-huc.net" on OpenBSD, at home, with nsd, as follows:


$ grep -v '^;' /etc/ns/stephane-huc.net
$TTL 1H
$ORIGIN stephane-huc.net.
@   IN SOA  ns1.stephane-huc.net. postmaster.stephane-huc.net. (
    202002102 ;
    1D  ; refresh
    1H  ; retry
    2W  ; expire
    1H  ; negative
)

@   IN NS   ns1.stephane-huc.net.
@   IN NS   ledzep.ybad.name.
@   IN NS   slave.dns.he.net.

ns1 IN A    88.136.16.221
ns1 IN AAAA 2001:470:cc33:47:c107:b5d:0:3

@   IN  MX  5 mx.lautre.net.
@   IN  MX  10 mx3.lautre.net.

@   IN A    80.67.160.70
blog    IN A    80.67.160.70
ecrits  IN A    80.67.160.70
en  IN A    80.67.160.70
mail    IN A    80.67.160.70
www IN A    80.67.160.70

autoconfig  IN  CNAME   panel.lautre.net.
autodiscover    IN  CNAME   panel.lautre.net.

@   IN CAA  0 iodef "mailto:postmaster@stephane-huc.net"
@   IN CAA  0 issue "letsencrypt.org"
@   IN CAA  0 issuewild "letsencrypt.org"

@   IN  TXT "v=spf1 a mx include:spf.lautre.net ~all"
_dmarc  IN TXT    "v=DMARC1;p=none;pct=100;rua=mailto:postmaster@stephane-huc.net;"

_443._tcp.stephane-huc.net. IN TLSA 3 1 2 48295c1605d5ae91d40b536f4188bbf242efd28baaf425fc476a1324e1d0aa69fcfc3c77a7d4a8eda4f0e910fef827b5a58a89dd6d7dbd40cc1d6a6b5d035a70


As you see, "slave.dns.he.net" is in the zone.

And the nsd config file is:


# grep -v '^#' /var/nsd/etc/nsd.conf
server:
   hide-version: yes
   verbosity: 1
   database: "" # disable database

remote-control:
   control-enable: yes
   control-interface: /var/run/nsd.sock
key:
    name: "kshn"
    algorithm: hmac-sha512
    secret: "***********"
zone:
    name: "stephane-huc.net"
    zonefile: "signed/stephane-huc.net"
    #zonefile: "zones/master/stephane-huc.net"
    # yeuxdelibad/ybad.name
    notify: 93.6.177.187 kshn
    provide-xfr: 93.6.177.187 kshn
    # slave.dns.he.net
    notify: 216.218.133.2 NOKEY
    provide-xfr: 216.218.133.2 NOKEY
    notify: 2001:470:600::2 NOKEY
    provide-xfr: 2001:470:600::2 NOKEY
    # ns6.gandi.net
    notify: 217.70.177.40 NOKEY
    provide-xfr: 217.70.177.40 NOKEY


"NOKEY" means "no TSIG"; and as you can see, I notify and provide-xfr to both the IPv4 and IPv6 addresses.

But when I try to add it as a new slave in the HE web admin, the system replies with:

You must delegate to one or more of the slave nameservers.

Any idea/suggestion?!

Here is what dig replies:

$ dig SOA stephane-huc.net @ns1.stephane-huc.net

; <<>> DiG 9.11.14-3-Debian <<>> SOA stephane-huc.net @ns1.stephane-huc.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42445
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;stephane-huc.net.        IN    SOA

;; ANSWER SECTION:
stephane-huc.net.    3600    IN    SOA    ns1.stephane-huc.net. postmaster.stephane-huc.net. 1581321072 86400 86400 1209600 3600

;; AUTHORITY SECTION:
stephane-huc.net.    3600    IN    NS    ns1.stephane-huc.net.
stephane-huc.net.    3600    IN    NS    slave.dns.he.net.
stephane-huc.net.    3600    IN    NS    ledzep.ybad.name.

;; ADDITIONAL SECTION:
ns1.stephane-huc.net.    3600    IN    AAAA    2001:470:cc33:47:c107:b5d:0:3
ns1.stephane-huc.net.    3600    IN    A    88.136.16.221

;; Query time: 1 msec
;; SERVER: 2001:470:cc33:47:c107:b5d:0:3#53(2001:470:cc33:47:c107:b5d:0:3)
;; WHEN: lun. févr. 10 18:18:43 CET 2020
;; MSG SIZE  rcvd: 211

$ dig NS stephane-huc.net @ns1.stephane-huc.net

; <<>> DiG 9.11.14-3-Debian <<>> NS stephane-huc.net @ns1.stephane-huc.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60361
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;stephane-huc.net.        IN    NS

;; ANSWER SECTION:
stephane-huc.net.    3600    IN    NS    ns1.stephane-huc.net.
stephane-huc.net.    3600    IN    NS    slave.dns.he.net.
stephane-huc.net.    3600    IN    NS    ledzep.ybad.name.

;; ADDITIONAL SECTION:
ns1.stephane-huc.net.    3600    IN    AAAA    2001:470:cc33:47:c107:b5d:0:3
ns1.stephane-huc.net.    3600    IN    A    88.136.16.221

;; Query time: 0 msec
;; SERVER: 2001:470:cc33:47:c107:b5d:0:3#53(2001:470:cc33:47:c107:b5d:0:3)
;; WHEN: lun. févr. 10 18:19:01 CET 2020
;; MSG SIZE  rcvd: 164

$ dig SOA stephane-huc.net @ledzep.ybad.name

; <<>> DiG 9.11.14-3-Debian <<>> SOA stephane-huc.net @ledzep.ybad.name
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61342
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;stephane-huc.net.        IN    SOA

;; ANSWER SECTION:
stephane-huc.net.    3600    IN    SOA    ns1.stephane-huc.net. postmaster.stephane-huc.net. 2020020916 86400 86400 1209600 3600

;; AUTHORITY SECTION:
stephane-huc.net.    3600    IN    NS    ns1.stephane-huc.net.
stephane-huc.net.    3600    IN    NS    slave.dns.he.net.
stephane-huc.net.    3600    IN    NS    ledzep.ybad.name.

;; ADDITIONAL SECTION:
ns1.stephane-huc.net.    3600    IN    A    88.136.16.221
ns1.stephane-huc.net.    3600    IN    AAAA    2001:470:cc33:47:c107:b5d:0:3

;; Query time: 49 msec
;; SERVER: 93.6.177.187#53(93.6.177.187)
;; WHEN: lun. févr. 10 19:19:57 CET 2020
;; MSG SIZE  rcvd: 211

$ dig NS stephane-huc.net @ledzep.ybad.name

; <<>> DiG 9.11.14-3-Debian <<>> NS stephane-huc.net @ledzep.ybad.name
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26688
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;stephane-huc.net.        IN    NS

;; ANSWER SECTION:
stephane-huc.net.    3600    IN    NS    ns1.stephane-huc.net.
stephane-huc.net.    3600    IN    NS    slave.dns.he.net.
stephane-huc.net.    3600    IN    NS    ledzep.ybad.name.

;; ADDITIONAL SECTION:
ns1.stephane-huc.net.    3600    IN    A    88.136.16.221
ns1.stephane-huc.net.    3600    IN    AAAA    2001:470:cc33:47:c107:b5d:0:3

;; Query time: 51 msec
;; SERVER: 93.6.177.187#53(93.6.177.187)
;; WHEN: lun. févr. 10 19:20:06 CET 2020
;; MSG SIZE  rcvd: 164



snarked

Slave.dns.he.net is where HE interacts with your server to fetch the zone and where notify messages go.  Therefore using it in your nsd.conf file is correct.

However, you listed it in your zone data too.  That is wrong.  You need to put ns[1-5].he.net there.

Remove:  @ IN NS slave.dns.he.net.
Add:
@ IN NS ns1.he.net.
@ IN NS ns2.he.net.
@ IN NS ns3.he.net.
@ IN NS ns4.he.net.
@ IN NS ns5.he.net.



hucste

Ok.

@snarked: ty!

With your suggestions, it runs correctly.




But I still have a problem when I notify.

Now I use notification with TSIG, using hmac-sha512.

# grep -v '^#' /var/nsd/etc/nsd.conf
server:
   hide-version: yes
   verbosity: 1
   database: "" # disable database

remote-control:
   control-enable: yes
   control-interface: /var/run/nsd.sock
key:
    name: "name"
    algorithm: hmac-sha512
    secret: "***"
zone:
    name: "stephane-huc.net"
    zonefile: "signed/stephane-huc.net"
    #zonefile: "zones/master/stephane-huc.net"
    # yeuxdelibad/ybad.name
    notify: 93.6.177.187 name
    provide-xfr: 93.6.177.187 name
    # slave.dns.he.net
    notify: 216.218.133.2 name
    provide-xfr: 216.218.133.2 name
    notify: 2001:470:600::2 name
    provide-xfr: 2001:470:600::2 name



I anonymised the key name and secret to publish here ;)

I can't reach HE's DNS, but the "ybad.name" DNS received the information.


# nsd-control notify stephane-huc.net
ok

# grep nsd /var/log/messages | tail -n2
Feb 14 13:30:12 omv nsd[21361]: xfrd: zone stephane-huc.net: max notify send count reached, 216.218.133.2 unreachable
Feb 14 13:30:12 omv nsd[21361]: xfrd: zone stephane-huc.net: max notify send count reached, 2001:470:600::2 unreachable

# ping -c3 216.218.133.2
PING 216.218.133.2 (216.218.133.2): 56 data bytes
64 bytes from 216.218.133.2: icmp_seq=0 ttl=64 time=184.365 ms
64 bytes from 216.218.133.2: icmp_seq=1 ttl=64 time=182.789 ms
64 bytes from 216.218.133.2: icmp_seq=2 ttl=64 time=183.714 ms

--- 216.218.133.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 182.789/183.622/184.365/0.647 ms

# ping6 -c3 2001:470:600::2
PING 2001:470:600::2 (2001:470:600::2): 56 data bytes
64 bytes from 2001:470:600::2: icmp_seq=0 hlim=64 time=182.012 ms
64 bytes from 2001:470:600::2: icmp_seq=1 hlim=64 time=182.573 ms
64 bytes from 2001:470:600::2: icmp_seq=2 hlim=64 time=182.766 ms

--- 2001:470:600::2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 182.012/182.450/182.766/0.320 ms



???

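What the `notify: 216.218.133.2 name` line makes nsd send, and what the receiving side does with it, as an added example in standard-library Python (not nsd's code, and not anything from Hurricane Electric). A TSIG-signed NOTIFY carries the key name and algorithm inside the message, and the receiver looks the secret up by that name before checking the MAC; the example builds a NOTIFY for stephane-huc.net, signs it with hmac-sha512 and verifies it with a matching key, with a different key name, with a different secret and with a stale timestamp. The secret, the name `other-name` and the timestamps are constructed; `kshn` is the key name from the first nsd.conf in this thread.

```python
"""TSIG-signed DNS NOTIFY built and verified with the standard library only.
Added example, not code from nsd or Hurricane Electric: what an nsd
`notify: <addr> <keyname>` line puts on the wire (RFC 1996 NOTIFY + RFC 8945
TSIG) and what the receiver checks. The secret, the mismatching key name
'other-name' and the timestamps are constructed; 'kshn' is the key name from
the first nsd.conf in the thread.
"""
import hashlib, hmac, secrets, struct, time

TYPE_SOA, TYPE_TSIG, CLASS_IN, CLASS_ANY, OPCODE_NOTIFY = 6, 250, 1, 255, 4
ALGORITHM = "hmac-sha512."   # travels in the message; must match on both ends

def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def read_name(msg, off):
    """Read an uncompressed name at `off`; return (name, offset after it)."""
    labels = []
    while True:
        n, off = msg[off], off + 1
        if n & 0xC0:
            raise ValueError("compressed names are not handled in this example")
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def build_notify(zone, msg_id):
    """Unsigned NOTIFY: opcode 4, AA set, one SOA question, no other records."""
    flags = (OPCODE_NOTIFY << 11) | 0x0400
    return (struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
            + wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN))

def _tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG fields that the MAC covers in addition to the message (RFC 8945 4.3.3)."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALGORITHM)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR to `msg`; MAC = HMAC-SHA512(secret, msg + TSIG variables)."""
    mac = hmac.new(secret, msg + _tsig_variables(key_name, time_signed, fudge), hashlib.sha512).digest()
    rdata = (wire_name(ALGORITHM) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))  # orig ID, error, other len
    rr = wire_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1            # the TSIG RR counts in ARCOUNT
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def tsig_verify(signed, keys, now):
    """Receiver side: find the TSIG RR (always the last RR), look the key up by the
    name carried in the message, recompute the MAC over the message as it was
    before signing (TSIG RR removed, ARCOUNT decremented). Returns (ok, reason)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):
        off = read_name(signed, off)[1] + 4                     # name + QTYPE + QCLASS
    for _ in range(an + ns + ar - 1):                           # skip every RR but the last
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_off = off
    key_name, p = read_name(signed, tsig_off)
    if struct.unpack("!H", signed[p:p + 2])[0] != TYPE_TSIG:
        return False, "last RR is not a TSIG record"
    alg, p = read_name(signed, p + 10)                          # past type, class, ttl, rdlength
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[p + 6:p + 10])
    mac, p = signed[p + 10:p + 10 + mac_len], p + 10 + mac_len
    original_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    secret = keys.get(key_name)
    if secret is None or alg != ALGORITHM:
        return False, f"BADKEY: no key named {key_name} with algorithm {alg}"
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_off]
    expected = hmac.new(secret, unsigned + _tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha512).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG: MAC mismatch (other secret, or signed under a different key name)"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME: time signed is outside the fudge window"
    return True, "ok"

SECRET = secrets.token_bytes(64)            # constructed; nsd.conf stores it base64-encoded
KEYS_ON_SLAVE = {"kshn.": SECRET}           # the only name/secret pair the slave knows

def demo(now=None):
    """Sign one NOTIFY for stephane-huc.net four ways and verify each as the slave would."""
    now = int(time.time()) if now is None else now
    notify = build_notify("stephane-huc.net.", msg_id=0x4242)
    cases = {"good": tsig_sign(notify, "kshn", SECRET, now),
             "wrong_name": tsig_sign(notify, "other-name", SECRET, now),   # same secret, other name
             "wrong_secret": tsig_sign(notify, "kshn", b"\x00" * 64, now),
             "stale": tsig_sign(notify, "kshn", SECRET, now - 3600)}
    return {case: tsig_verify(msg, KEYS_ON_SLAVE, now) for case, msg in cases.items()}

if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:13s} {'accepted' if ok else 'rejected'}: {reason}")
```

One caveat the example cannot remove: the nsd log lines above say the NOTIFY got no reply at all ("unreachable"), which nothing in this code can diagnose. What it does show is that once a signed NOTIFY arrives, both ends must agree on the key name, the algorithm and the secret, otherwise the receiver answers with a TSIG error (BADKEY or BADSIG) instead of accepting the notification; the key name in the `key:` block is part of that agreement, not a local label.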

snarked

It's possible that notify messages should go to ns[1-5] also, not slave.  As I set up my zones before TSIG was in use here, you're on your own for any problems with that issue.

1977er

I had the same error message. In my case the origin was missing on the NS lines of the zone file:

Instead of

@   IN NS   ns1.example.com.
@   IN NS   ns1.he.net.
@   IN NS   ns2.he.net.

I had

   IN NS   ns1.example.com.
   IN NS   ns1.he.net.
   IN NS   ns2.he.net.
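A check for the rule in snarked's first reply (the apex NS RRset must name ns1-ns5.he.net, and slave.dns.he.net is a transfer and notify endpoint, not a name server) that also catches the blank-owner mistake in 1977er's reply, as an added example in Python that is not code from the thread, from nsd or from Hurricane Electric. It parses a zone-file fragment by the RFC 1035 rules that matter here ($ORIGIN, '@', relative names, a blank owner field inheriting the previous owner, parenthesised multi-line records, ';' comments) and reports what the apex NS RRset actually contains. The three zone fragments are constructed from the thread's data; the example.com one is made up to show how NS lines with no owner can end up on a host name instead of the apex.

```python
"""Apex NS delegation check for the rule in snarked's first reply, plus the
blank-owner trap from 1977er's reply.

Added example; not code from the thread, from nsd or from Hurricane Electric.
A small zone-file parser ($ORIGIN, '@', relative names, blank owner fields,
parenthesised multi-line records, ';' comments) feeds a check that the apex
NS RRset names one of ns1-ns5.he.net and not slave.dns.he.net. The sample
zone fragments are constructed from the thread's data.
"""
import re

HE_DELEGATION_NS = {f"ns{i}.he.net." for i in range(1, 6)}   # required in the NS RRset
HE_TRANSFER_HOST = "slave.dns.he.net."                         # nsd.conf only, never an NS record
_TTL_RE = re.compile(r"\d+[smhdw]?", re.IGNORECASE)
_CLASSES = {"IN", "CH", "HS"}

def _logical_lines(text):
    """Drop ';' comments and join ( ... ) continuation lines into one record."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        buf = f"{buf} {line.strip()}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue                                   # still inside parentheses
        if buf.strip():
            yield buf
        buf = ""

def _absolute(name, origin):
    if origin is None:
        raise ValueError("relative name without $ORIGIN")
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=None):
    """Return [(owner, type, rdata)] with absolute owner names.

    A record whose owner field is blank inherits the previous owner
    (RFC 1035 zone-file rule); that is how NS records end up on the wrong name."""
    records, last_owner = [], None
    for line in _logical_lines(text):
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                        # $TTL etc. not needed here
            continue
        fields = line.split()
        owner = last_owner if line[0].isspace() else _absolute(fields.pop(0), origin)
        last_owner = owner
        while fields and (_TTL_RE.fullmatch(fields[0]) or fields[0].upper() in _CLASSES):
            fields.pop(0)                               # optional TTL and class
        rtype = fields.pop(0).upper()
        rdata = " ".join(fields).replace("(", "").replace(")", "").strip()
        if rtype == "NS":
            rdata = _absolute(rdata, origin)
        records.append((owner, rtype, rdata))
    return records

def check_delegation(zone_text, origin):
    """Return (sorted apex NS names, list of problems) for the HE slave rule."""
    ns = {rd for owner, rtype, rd in parse_zone(zone_text, origin)
          if rtype == "NS" and owner == origin}
    problems = []
    if not ns & HE_DELEGATION_NS:
        problems.append("no ns1-ns5.he.net in the apex NS RRset")
    if HE_TRANSFER_HOST in ns:
        problems.append("slave.dns.he.net listed as NS; it belongs in nsd.conf only")
    return sorted(ns), problems

# Constructed from the zone posted in the thread (the NS lines are what matter).
ORIGINAL_ZONE = """\
$TTL 1H
$ORIGIN stephane-huc.net.
@   IN SOA  ns1.stephane-huc.net. postmaster.stephane-huc.net. (
    202002102 ; serial
    1D 1H 2W 1H )
@   IN NS   ns1.stephane-huc.net.
@   IN NS   ledzep.ybad.name.
@   IN NS   slave.dns.he.net.
ns1 IN A    88.136.16.221
"""
FIXED_ZONE = ORIGINAL_ZONE.replace("@   IN NS   slave.dns.he.net.\n",
                                   "".join(f"@   IN NS   ns{i}.he.net.\n" for i in range(1, 6)))
# Constructed to show 1977er's trap: the blank owner field makes these NS
# records belong to ns1.example.com, so the apex has no NS records at all.
BLANK_OWNER_ZONE = """\
$ORIGIN example.com.
@   IN SOA ns1.example.com. hostmaster.example.com. 1 1D 1H 2W 1H
ns1 IN A  192.0.2.1
    IN NS ns1.example.com.
    IN NS ns1.he.net.
"""

if __name__ == "__main__":
    for label, zone, origin in (("original", ORIGINAL_ZONE, "stephane-huc.net."),
                                ("fixed", FIXED_ZONE, "stephane-huc.net."),
                                ("blank owner", BLANK_OWNER_ZONE, "example.com.")):
        ns, problems = check_delegation(zone, origin)
        print(f"{label}: NS={ns} problems={problems or 'none'}")
```

To apply it to a real zone, feed `check_delegation` the file nsd actually loads (for a signed zone, the signed file named in `zonefile:`) with the origin its $ORIGIN line sets; a zone that passes here still has to be served by the listed master before HE's side can fetch it, so `dig NS <zone> @<master>` remains the final check.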