Why are no notifies send?


Axel Rau
Hi all,

related parts from my named.conf:
- - -
include "/usr/local/etc/namedb/dns-keys/Kns4-he.net.conf";


// slave.dns.he.net pulls zones from us, ns1.he.net receives notify from us
  server 216.218.133.2 {
    keys { ns4-he.net. ; };
    };
  server 2001:470:600::2 {
    keys { ns4-he.net. ; };
    };
  server 2001:470:100::2 {
    keys { ns4-he.net. ; };
    };


// From slave.dns.he.net pulls zones from us, ns1.he.net receives notify from us
  acl not-he {  !216.218.133.2;  !2001:470:600::2;  !2001:470:100::2;  any; };
  acl ns4-he { !not-he; key ns4-he.net.; };


        also-notify {
        2001:470:100::2 key "ns4-he.net" ;
        144.91.89.26 key "ns5-ping" ;
        };
- - -
I can’t see any notifies to 2001:470:100::2 in the logs.

What am I doing wrong?

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users


Re: Why are no notifies send?

Tony Finch
Axel Rau <[hidden email]> wrote:
>
> I can’t see any notifies to 2001:470:100::2 in the logs.
>
> What am I doing wrong?

Normally BIND only logs "sending notifies" without saying anything about
where it is sending them. You need to increase the log level using `rndc
trace 3` (or more than 3) to get the information you want.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Berwick upon Tweed to Whitby: Variable 3 or less, becoming south 4 or 5,
occasionally 6 later. Moderate. Showers, occasional rain later. Good,
occasionally moderate later.
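
Added example, not part of Tony's post or of anyone's configuration in this thread: a named.conf logging fragment that sends BIND's `notify` category to its own file at debug level 3, so the per-destination messages described above are easy to find once debugging is switched on. The channel name and file path are assumptions; the rndc commands in the comments are typed on the primary.

```conf
// Dedicated channel for NOTIFY activity (channel name and path are assumed).
logging {
    channel notify_debug {
        file "/var/log/named/notify.log" versions 3 size 5m;
        // Accept messages up to debug level 3 on this channel only.
        severity debug 3;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    // Route everything in the notify category to that channel.
    category notify { notify_debug; };
};

// Debug-level messages are only emitted while named is in debugging
// mode, so after reloading the configuration:
//
//   rndc trace 3          # raise the debug level, as suggested above
//   rndc notify <zone>    # resend NOTIFY messages for the zone
//   rndc notrace          # return the debug level to 0 afterwards
//
// Then look in the file above for the also-notify addresses, e.g.
// 2001:470:100::2, and compare with what the secondary logged.
```

A sender-side log entry only shows that a NOTIFY was sent; whether the receiver accepted it is visible only in the receiver's log.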

Re: Why are no notifies send?

Axel Rau
Using the IPv4 address of the dual-stack notify receiver works.

Has anybody a working IPv6 notify address in use?

Axel

---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



Re: Why are no notifies send?

Bind-Users forum mailing list
I don't see the part where the acls are used. Is "also-notify" meant to
be "allow-notify" ?

On 10/20/20 12:55 PM, Axel Rau wrote:

> Using the IPv4 address of the dual stack notify receiver, works.
>
> Has anybody a working IPv6 notify address in use?
>
> Axel

Re: Why are no notifies send?

Axel Rau


On 20.10.2020 at 16:02, Sami Ait Ali Oulahcen <[hidden email]> wrote:

> I don't see the part where the acls are used.

Yes, acls have nothing to do with the notify, instead they are used in an allow-transfer statement.

> Is "also-notify" meant to be "allow-notify" ?

No:
From bind 9.16 ARM:

also-notify
Only meaningful if notify is active for this zone. The set of machines that will receive a DNS NOTIFY message for this zone is made up of all the listed name servers (other than the primary master) for the zone plus any IP addresses specified with also-notify. A port may be specified with each also-notify address to send the notify messages to a port other than the default of 53. A TSIG key may also be specified to cause the NOTIFY to be signed by the given key. also-notify is not meaningful for stub zones. The default is the empty list. 

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



Re: Why are no notifies send?

Bind-Users forum mailing list


On 10/20/20 3:54 PM, Axel Rau wrote:

>
>
>> On 20.10.2020 at 16:02, Sami Ait Ali Oulahcen <[hidden email]> wrote:
>>
>> I don't see the part where the acls are used.
> Yes, acls have nothing to do with the notify, instead they are used in
> an allow-transfer statement.
>
>> Is "also-notify" meant to be "allow-notify" ?
> No:
>  From bind 9.16 ARM:
>
> also-notify

Yes, sorry just realized after sending. I never used that option before.
It shouldn't be an issue with the stack, we've been using v6 for
notifies for years.

> Only meaningful if notify is active for this zone. The set of machines
> that will receive a DNS NOTIFY message for this zone is made up of all
> the listed name servers (other than the primary master) for the zone
> plus any IP addresses specified with also-notify. A port may be
> specified with each also-notify address to send the notify messages to a
> port other than the default of 53. A TSIG key may also be specified to
> cause the NOTIFY to be signed by the given key. also-notify is not
> meaningful for stub zones. The default is the empty list.
>
> Axel
> ---
> PGP-Key: CDE74120  ☀  computing @ chaos claudius

Re: Why are no notifies send?

Tony Finch
Axel Rau <[hidden email]> wrote:
>
> Has anybody a working IPv6 notify address in use?

Notifies from my primary to my on-site servers go over IPv6 with a TSIG
key. They are all dual-stack.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Sole: Variable 4 at first in east, otherwise westerly or southwesterly 4 to 6,
occasionally 7 later in west. Moderate or rough, occasionally very rough later
in west. Rain or showers. Good, occasionally moderate.

[RESOLVED] Why are no notifies send?

Axel Rau


On 22.10.2020 at 23:31, Tony Finch <[hidden email]> wrote:

> Notifies from my primary to my on-site servers go over IPv6 with a TSIG
> key. They are all dual-stack.

After reading this, I did a test with another secondary and the notify worked over IPv6!

I saw it in the logs of the secondary, but no log entry at the notifying host. It seems, sending
of notifies is being logged at a lower log level than sending. (I have debug 6). The host in my
original posting does not accept notifies over IPv6 and I can’t access its logs, so I just saw
nothing at the sending side.

Thanks, Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius

