• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

NOTIFY to ns1.he.net returns REFUSED

Started by dereckson, October 20, 2025, 03:35:30 PM


dereckson

Recently, we set up a DNS server to manage our nasqueron.org. domain as code.

We are using Knot DNS as the primary server for our zone nasqueron.org, with Hurricane Electric's DNS service as secondaries.

I've noticed DNS NOTIFY requests don't reach HE.

Our configuration sends NOTIFY messages to ns1.he.net. However, Knot logs the following warning:

Oct 18 20:54:37 dns-001 knot[24217]: warning: [nasqueron.org.] notify, outgoing, remote 216.218.130.2@53 TCP, server responded with error 'REFUSED'

The NOTIFY is sent correctly, but the HE secondary refuses it.
The zone is correctly declared on https://dns.he.net as a secondary zone, with our primary server configured under "Master Servers".

We'd like to confirm whether we can send a NOTIFY request over TCP (the initial RFC recommends UDP; Knot only implements TCP), or whether you see something odd in this configuration.

AXFR polling works correctly.

Thanks in advance for your assistance and for providing such a reliable DNS secondary service.

Primary DNS server setup
* knotd, Knot DNS 3.4.8
* notify sent to 216.218.130.2 and 2001:470:100::2 (ns1.he.net addresses)
* SOA serial bumped (YYYYMMDDNN format)
* Full server configuration: knot.conf
* Zone (SOA record is at the top): nasqueron.org.zone
--
« La connaissance s'accroît quand on la partage. »
"Share your knowledge, you'll increase it."
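
The NOTIFY exchange described in the post above, shown at the wire level as an added example that is not part of the original post and is not Knot's or Hurricane Electric's code. All function names are hypothetical, and the REFUSED reply is constructed locally from the request rather than captured from ns1.he.net.

```python
import struct

OPCODE_NOTIFY = 4  # RFC 1996
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_notify(zone, msg_id):
    """NOTIFY request: QR=0, opcode 4, AA set, one question <zone> SOA IN."""
    flags = (OPCODE_NOTIFY << 11) | 0x0400  # opcode in bits 11-14, AA bit
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)  # SOA, IN

def tcp_frame(message):
    """Over TCP each DNS message carries a 2-byte length prefix (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message

def parse_reply(message, expected_id):
    """Return (is_notify_response, rcode_name) for a reply to our NOTIFY."""
    if len(message) < 12:
        raise ValueError("short DNS header")
    msg_id, flags = struct.unpack("!HH", message[:4])
    if msg_id != expected_id:
        raise ValueError("ID mismatch")
    is_notify_response = bool(flags & 0x8000) and ((flags >> 11) & 0xF) == OPCODE_NOTIFY
    return (is_notify_response, RCODES.get(flags & 0xF, str(flags & 0xF)))

def constructed_refused_reply(request):
    """Constructed sample: the request echoed back with QR=1 and RCODE=5."""
    msg_id, flags = struct.unpack("!HH", request[:4])
    return struct.pack("!HH", msg_id, flags | 0x8000 | 5) + request[4:]

if __name__ == "__main__":
    req = build_notify("nasqueron.org.", 0x1234)
    print(tcp_frame(req).hex(), parse_reply(constructed_refused_reply(req), 0x1234))
```

The same `build_notify` output is what would go in a UDP datagram unframed; only `tcp_frame` differs between the two transports, while the REFUSED result is carried in the low four bits of the header flags either way.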