Hi,

do I understand it right that your secondaries are configured to send NOTIFY back to the primary?

That is obviously wrong. Just remove the 'notify' lines in the secondaries' config files.

If you want to achieve some multi-master topology (such that zone transfers do not happen only from the primary down to each secondary, but "sideways" from each server to each other), it is generally difficult to achieve, and one must first be clear about the reason (for example, desired redundancy in case of one server outage...).

Libor
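
As an added illustration of the one-way NOTIFY flow described above (example configuration written for this thread, not taken from Michael's files or the Knot DNS documentation): the primary's ACL only grants 'transfer' to the secondary and the secondary's zone has no 'notify:' entry, so no NOTIFY travels back up. The ids, key name and addresses are reused from the excerpts below and the zone name from the logs; the 'key:' section and zone file paths are omitted.

```yaml
# --- hidden primary (knot.conf excerpt) ---
acl:
  - id:      aclXFR                # secondary may only pull zone transfers
    key:     primary-secondary
    address: 10.1.1.201
    action:  transfer              # not [notify, transfer]: the primary
                                   # has no reason to accept NOTIFY from
                                   # its own secondary
remote:
  - id:      secondaryKBN
    key:     primary-secondary
    address: 10.1.1.201
    via:     10.2.2.203            # outgoing interface
zone:
  - domain:  ellael.org.
    notify:  secondaryKBN          # NOTIFY goes primary -> secondary only
    acl:     aclXFR

# --- secondary (knot.conf excerpt) ---
acl:
  - id:      aclNOTIFY             # primary may send NOTIFY; nothing else
    key:     primary-secondary
    address: 10.2.2.203
    action:  notify
remote:
  - id:      primaryMWN
    key:     primary-secondary
    address: 10.2.2.203@5333
    via:     10.2.2.201            # outgoing interface
zone:
  - domain:  ellael.org.
    master:  primaryMWN            # pull AXFR/IXFR from the hidden primary
    acl:     aclNOTIFY
    # no 'notify:' here: with no downstream servers there is nobody to
    # notify, so 'block-notify-after-transfer' is not needed either
```

With this layout, "knotc zone-notify" on the secondary has no configured target and the primary never receives the NOTIFY that triggered the failed 'refresh' event.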

On 16. 02. 24 at 15:26, Michael Grimm wrote:
Hi,

after successful migration of my hidden primary NSD and OpenDNSSEC signer to 
Knot DNS, I started to migrate my secondary NSDs to Knot DNS as well.

Thanks to excellent documentation this migration went more or less flawlessly as 
well.


BUT: I am somehow irritated about the following error messages at my hidden 
primary like:

        2024-02-16T10:54:08+0100 debug: [ellael.org.] ACL, allowed, action 
transfer, remote 10.1.1.201@27919, key primary-secondary.
        2024-02-16T10:54:08+0100 info: [ellael.org.] AXFR, outgoing, remote 
10.1.1.201@27919 TCP, started, serial 2024021331
        2024-02-16T10:54:08+0100 info: [ellael.org.] AXFR, outgoing, remote 
10.1.1.201@27919 TCP, finished, 0.00 seconds, 1 messages, 7774 bytes
        2024-02-16T10:54:09+0100 debug: [ellael.org.] ACL, allowed, action 
notify, remote 10.1.1.201@40884, key primary-secondary.
        2024-02-16T10:54:09+0100 info: [ellael.org.] notify, incoming, remote 
10.1.1.201@40884 TCP, serial 2024021331
!       2024-02-16T10:54:09+0100 error: [ellael.org.] zone event 'refresh' 
failed (operation not supported)

The log files at both secondaries are identical; here is one example:

        2024-02-16T10:54:08+0100 info: [ellael.org.] AXFR, incoming, remote 
10.2.2.203@5333 TCP, finished, 0.00 seconds, 1 messages, 7774 bytes
        2024-02-16T10:54:08+0100 info: [ellael.org.] refresh, remote 
10.2.2.203@5333, zone updated, 0.03 seconds, serial none -> 2024021331,\
                                                     expires in 1209600 seconds
        2024-02-16T10:54:08+0100 info: [ellael.org.] zone file updated, serial 
2024021331
        >>>! 2024-02-16T10:54:09+0100 info: [ellael.org.] notify, outgoing, 
remote 10.2.2.203@5333 TCP, serial 2024021331

FYI: Those errors are only logged when a zone gets updated or when using "knotc 
zone-notify" at the secondary site.


Here are my essential config excerpts:

Primary:
        acl:
          - id:                          aclTRANSACTIONS
            key:                         primary-secondary
            action:                      [notify, transfer]
        remote:
          - id:                          secondaryKBN
            key:                         primary-secondary
            address:                     10.1.1.201           # KBN secondary
            via:                         10.2.2.203           # outgoing interface

Secondary:
        acl:
          - id:                          aclTRANSACTIONS
            key:                         primary-secondary
            action:                      [notify, transfer]
        remote:
          - id:                          primaryMWN
            key:                         primary-secondary
            address:                     10.2.2.203@5333      # MWN hidden primary
            via:                         10.2.2.201           # outgoing interface
            block-notify-after-transfer: on


FYI: Only adding "block-notify-after-transfer: on" at secondary sites stopped 
those error messages.

I found https://www.mail-archive.com/knot-dns-users@lists.nic.cz/msg01812.html :

"I recommend not using this option unless you really know what you're doing
  and why this option is essential for you."


Questions:

#) I have to admit, I don't understand what is going on without 
"block-notify-after-transfer: on".
#) Am I safe in using "block-notify-after-transfer: on"?
#) Or is there another config option?

Thanks in advance and regards,
Michael
