Hi,
after successful migration of my hidden primary NSD and OpenDNSSEC signer to Knot DNS, I
started to migrate my secondary NSDs to Knot DNS as well.
Thanks to excellent documentation this migration went more or less flawless as well.
BUT: I am somehow irritated about the following error messages at my hidden primary like:
2024-02-16T10:54:08+0100 debug: [
ellael.org.] ACL, allowed, action transfer, remote
10.1.1.201@27919, key primary-secondary.
2024-02-16T10:54:08+0100 info: [
ellael.org.] AXFR, outgoing, remote 10.1.1.201@27919 TCP,
started, serial 2024021331
2024-02-16T10:54:08+0100 info: [
ellael.org.] AXFR, outgoing, remote 10.1.1.201@27919 TCP,
finished, 0.00 seconds, 1 messages, 7774 bytes
2024-02-16T10:54:09+0100 debug: [
ellael.org.] ACL, allowed, action notify, remote
10.1.1.201@40884, key primary-secondary.
2024-02-16T10:54:09+0100 info: [
ellael.org.] notify, incoming, remote 10.1.1.201@40884
TCP, serial 2024021331
>>! 2024-02-16T10:54:09+0100 error:
[
ellael.org.] zone event 'refresh' failed (operation not supported)
The log files at both secondary are identical, here one example:
2024-02-16T10:54:08+0100 info: [
ellael.org.] AXFR, incoming, remote 10.2.2.203@5333 TCP,
finished, 0.00 seconds, 1 messages, 7774 bytes
2024-02-16T10:54:08+0100 info: [
ellael.org.] refresh, remote 10.2.2.203@5333, zone
updated, 0.03 seconds, serial none -> 2024021331,\
expires in 1209600 seconds
2024-02-16T10:54:08+0100 info: [
ellael.org.] zone file updated, serial 2024021331
>>! 2024-02-16T10:54:09+0100 info: [
ellael.org.]
notify, outgoing, remote 10.2.2.203@5333 TCP, serial 2024021331
FYI: Those errors are only logged when a zone gets updated or using "knotc
zone-notify" at the secondary site.
Here are my essential config excerpts:
Primary:
acl:
- id: aclTRANSACTIONS
key: primary-secondary
action: [notify, transfer]
remote:
- id: secondaryKBN
key: primary-secondary
address: 10.1.1.201 # KBN secondary
via: 10.2.2.203 # outgoing interface
Secondary:
acl:
- id: aclTRANSACTIONS
key: primary-secondary
action: [notify, transfer]
remote:
- id: primaryMWN
key: primary-secondary
address: 10.2.2.203@5333 # MWN hidden primary
via: 10.2.2.201 # outgoing interface
block-notify-after-transfer: on
FYI: Only adding "block-notify-after-transfer: on" at secondary sites stopped
those error messages.
I found
https://www.mail-archive.com/knot-dns-users@lists.nic.cz/msg01812.html :
"I recommend not using this option unless you really know what you're doing
and why this option is essential for you."
Questions:
#) I do have to admit, I don't understand what is going on without
"block-notify-after-transfer: on"?
#) Am I save in using "block-notify-after-transfer: on"?
#) Or is the another config option?
Thanks in advance and regards,
Michael