Hi Daniel,
thank you very much, your mail helped a lot!
I see a few issues:
- increase the number of workers (at least one TCP worker is too low on the primary if
you have more secondaries)
- acl action notify is not needed on the primary
- acl action transfer is not needed on secondaries
- notify configuration on secondaries doesn't make sense in your case
Done, although not yet understood. I need more reading in the manual.
BUT: Now (almost, see below) everything works as expected.
- there is some inconsistency in secondaryOVH
configuration: remote without key vs. acl with key primary-secondary
No, that's intended. The communication with secondaryOVH needs to be keyless. That is
something I need to separate. And actually it is working as expected at the primary.
But I do need something similar at one of my secondary servers that allows for a zone
transfer from that given secondary to secondaryOVH as set up in NSD config:
allow-notify: 10.2.2.203 primary-secondary
request-xfr: 10.2.2.203@5333 primary-secondary
provide-xfr: 213.251.188.141 NOKEY   # allow xfr from secondary sdns2.ovh.net
                                      # notify is sent from hidden primary @MWN
My "equivalent" config at that given secondary is:
remote:
  - id: primaryMWN
    key: primary-secondary
    address: 10.2.2.203@5333   # MWN hidden primary
    via: 10.2.2.201            # outgoing interface
  - id: secondaryOVH
    address: 213.251.188.141   # allow xfr from secondary sdns2.ovh.net
    via: 10.2.2.201            # outgoing interface
But I do get:
debug: [ellael.org.] ACL, denied, action transfer, remote 213.251.188.141@41425
Your other mail:
Other issues are:
`via: 10.1.1.201` - this interface isn't configured and the specification is not needed if there is just one IPv4 address - remove it
Yeah, there are more IPv4 addresses in that given FreeBSD jail, I do need it.
`block-notify-after-transfer: on` - this doesn't make sense either
Done, and thanks to your suggestion, no longer needed.
Thank you very much for your help!
Regards,
Michael
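As an added example (not from this thread and not one of the posted configs), here is how the secondary side could allow the keyless transfer to OVH: the existing aclTRANSACTIONS entry only matches requests signed with primary-secondary, so an unsigned AXFR request from 213.251.188.141 falls through and is logged as "ACL, denied, action transfer". A second, address-only ACL restricted to that one address and that one action closes the gap; the name aclOVHXFR is an assumption.

```yaml
# Added example, not from the thread. Secondary-side Knot DNS config that lets
# OVH's sdns2.ovh.net (213.251.188.141, taken from the NSD config above) pull
# zone transfers without a TSIG key. The ACL id aclOVHXFR is assumed.

key:
  - id: primary-secondary
    algorithm: hmac-sha256
    secret: <hidden>            # placeholder, as in the thread

acl:
  # Signed traffic from the hidden primary: NOTIFY in and transfer.
  # This is what the thread's aclTRANSACTIONS already does.
  - id: aclTRANSACTIONS
    key: primary-secondary
    action: [notify, transfer]

  # Keyless transfer for OVH, matched on source address only.
  # No 'key:' here, so an unsigned request from exactly this address matches.
  # Address-only matching authenticates less than TSIG, so keep it to the one
  # address and the one action it needs (no notify, no update).
  - id: aclOVHXFR
    address: 213.251.188.141
    action: transfer

remote:
  - id: primaryMWN
    key: primary-secondary
    address: 10.2.2.203@5333    # MWN hidden primary
    via: 10.2.2.201             # outgoing interface
  # No remote entry for OVH is needed on a secondary: OVH contacts this
  # server to pull the zone, and that inbound request is what the ACL governs.

template:
  - id: default
    storage: "/usr/local/etc/knot/zones"
    file: "%s"
    master: primaryMWN
    acl: [aclTRANSACTIONS, aclOVHXFR]
    semantic-checks: on
```

After reloading, a transfer attempt from 213.251.188.141 should be logged as allowed rather than denied; any other unsigned source still matches neither ACL.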
On 2/16/24 16:14, Michael Grimm wrote:
> Thank you for your help. I will send complete configs.
> Primary hidden:
> ###############
> # server specifics
> #
> server:
>     listen: 10.2.2.203@5333
>     user: knot:knot
>     rundir: "/var/run/knot"
>     tcp-workers: 1
>     udp-workers: 1
>     identity: ""
>
> # logging
> #
> log:
>   - target: syslog
>     any: info
>   - target: "/var/log/knot.log"
>     any: debug
>
> # database management
> #
> database:
>     storage: "/var/db/knot"
>     kasp-db: "/var/db/knot/kasp"
>
> # key used for acl transactions
> #
> key:
>   - id: primary-secondary
>     algorithm: hmac-sha256
>     secret: <hidden>
>
> # acl transactions (primary, secondary)
> #
> acl:
>   - id: aclTRANSACTIONS
>     key: primary-secondary
>     action: [notify, transfer]
>
> # remote secondary and authoritative nameservers (KBN, MWN)
> #
> remote:
>   - id: secondaryKBN
>     key: primary-secondary
>     address: 10.1.1.201        # KBN secondary
>     via: 10.2.2.203            # outgoing interface
>   - id: secondaryMWN
>     key: primary-secondary
>     address: 10.2.2.201        # MWN secondary
>     via: 10.2.2.203            # outgoing interface
>   - id: secondaryOVH
>     address: 213.251.188.141   # OVH's sdns2.ovh.net (notify, submission)
>     via: 10.2.2.203            # outgoing interface
>
> # all remote secondary servers that get notified
> #
> remotes:
>   - id: remoteSERVERS
>     remote: [secondaryKBN, secondaryMWN, secondaryOVH]
>
> # KSK submission checks (only active during ksk rollovers)
> #
> submission:
>   - id: kskCHECKER
>     check-interval: 15m
>     parent: secondaryOVH
>
> # dnssec policy
> #
> policy:
>   - id: ecdsa
>     algorithm: ecdsap256sha256
>     ksk-lifetime: 0            # no KSK rollover
>     zsk-lifetime: 365d
>     propagation-delay: 6h
>     nsec3: on
>     cds-cdnskey-publish: always
>     ksk-submission: kskCHECKER
>
> # default template used for all zonefiles
> #
> template:
>   - id: default
>     storage: "/usr/local/etc/knot/zones"
>     file: "%s"
>     semantic-checks: on
>     dnssec-policy: ecdsa
>     dnssec-signing: on
>     acl: aclTRANSACTIONS
>     notify: remoteSERVERS
>     zonefile-sync: -1
>     zonefile-load: difference
>     journal-content: changes
>
> # primary zones hosted
> #
> zone:
>   - domain: ellael.org
> [others snipped]
> Secondary (both identical configs):
> ###################################
> # server specifics
> #
> server:
>     listen: 10.1.1.201@53
>     listen: fd00:a:a:a::201@53
>     user: knot:knot
>     rundir: "/var/run/knot"
>     tcp-workers: 1
>     udp-workers: 1
>     identity: ""
>     version: ""
>
> # logging
> #
> log:
>   - target: syslog
>     any: info
>   - target: "/var/log/knot.log"
>     any: debug
>
> # database management
> #
> database:
>     storage: "/var/db/knot"
>     kasp-db: "/var/db/knot/kasp"
>
> # key used for acl transactions
> #
> key:
>   - id: primary-secondary
>     algorithm: hmac-sha256
>     secret: <hidden>
>
> # acl transactions (primary, secondary)
> #
> acl:
>   - id: aclTRANSACTIONS
>     key: primary-secondary
>     action: [notify, transfer]
>
> # remote hidden primary and secondary nameservers (MWN, OVH)
> #
> remote:
>   - id: primaryMWN
>     key: primary-secondary
>     address: 10.2.2.203@5333   # MWN hidden primary
>     via: 10.1.1.201            # outgoing interface
>     block-notify-after-transfer: on
>
> remotes:
>   - id: remoteSERVERS
>     remote: [primaryMWN]
>
> # default template used for all zonefiles
> #
> template:
>   - id: default
>     storage: "/usr/local/etc/knot/zones"
>     file: "%s"
>     master: primaryMWN
>     notify: remoteSERVERS
>     acl: aclTRANSACTIONS
>     semantic-checks: on
>
> # primary zones hosted
> #
> zone:
>   - domain: ellael.org
> [others snipped]
> Thanks in advance,
> Michael
>> On 16. Feb 2024, at 16:05, Daniel Salzman <daniel.salzman(a)nic.cz> wrote:
>>
>> Okay. Please show me the configuration of the zone (template).
>>
>> On 2/16/24 16:03, Michael Grimm wrote:
>>> Yes, I understand that, now ;-)
>>> But my main concern is this: "Those errors are only logged when a zone gets updated"
>>> Regards,
>>> Michael
>>>> On 16. Feb 2024, at 15:57, Daniel Salzman <daniel.salzman(a)nic.cz> wrote:
>>>>
>>>> Note that `knotc zone-notify` works on a primary. If you want an explicit refresh on a secondary, call `knotc zone-refresh`.
>>>>
>>>> On 2/16/24 15:55, Michael Grimm wrote:
>>>>> Daniel Salzman <daniel.salzman(a)nic.cz> wrote
>>>>>> Is there another primary above the hidden master?
>>>>> I am not sure if I do understand your question correctly.
>>>>> Here is my setup:
>>>>> Hidden Primary —> Secondary (2x)
>>>>> Feel free to ask for more info. Complete configs?
>>>>> Thanks,
>>>>> Michael