also-notify and nsupdate doesnt work

[jo...@hasig.de]

hi,
i have a setup with one normal and some hidden slaves.
i set up a zone with also-notify and all worked fine.
all slaves got notifies and updates.
now i added a key and policy to remote update the zone.
the updates with nsupdate woks fine.
but the notify is only sent to the slave, but not to the hidden slaves.
so just the master and official slave is up to date.

how can i change that?

i use BIND 9.8.4-rpz2+rl005.12-P1 on debian wheezy...

tia
jonny

[Matthew Pounsett]

What you're describing sounds wrong.  It shouldn't work that way.

Can you share your configuration so that we can see what's actually happening?

[jo...@hasig.de]

hi,

> What you're describing sounds wrong. It shouldn't work that way.

what do you mean by "wrong" and which "it" should not work? :-)

> Can you share your configuration so that we can see what's actually
> happening?

sure :-)
samples:

1.
zone "abc.net" {
notify yes;
type master;
file "abc.net";
allow-transfer { any; };
also-notify { 1.2.3.4;};
};

works. master, slave and hidden (1.2.3.4) gets notifies and updates.

2.
key "abc.net" {
algorithm hmac-md5;
secret "LB8hpcA...==";
};

zone "abc.net" {
notify yes;
type master;
update-policy { grant * self - A TXT; };
file "abc.net";
allow-transfer { any; };
also-notify { 1.2.3.4;};
};

works half. updates ok, slave get notifies and updates. 1.2.3.4 not.

jonny

[Matthew Pounsett]

On 2 May 2016 at 10:09, <jo...@hasig.de> wrote:

hi,

What you're describing sounds wrong.  It shouldn't work that way.

what do you mean by "wrong" and which "it" should not work? :-)

What I mean is, given a typical configuration, the brokenness you're observing shouldn't be broken.

 

Can you share your configuration so that we can see what's actually
happening?

sure :-)
samples:

Can you share your whole config?  It's possible there are options outside the zone stanzas that could affect the behaviour of  notifies.

[jo...@hasig.de]

hi,

> Can you share your whole config? It's possible there are options outside
> the zone stanzas that could affect the behaviour of notifies.

no, the whole config covers about 600 zones with different configs.

and why should the notify work with stanza 1 but not with 2?
the notify 1 works great and the only difference in the config is the
added key and the update policy line.

maybe you could give me a sample config that should work?

jonny

[Alan Clegg]

On 5/2/16, 10:09 AM, "bind-user...@lists.isc.org on behalf of
jo...@hasig.de" <bind-user...@lists.isc.org on behalf of

jo...@hasig.de> wrote:
>
>1.
>zone "abc.net" {
> notify yes;
> type master;
> file "abc.net";
> allow-transfer { any; };
> also-notify { 1.2.3.4;};
>};
>
>works. master, slave and hidden (1.2.3.4) gets notifies and updates.
>
>2.
>key "abc.net" {
> algorithm hmac-md5;
> secret "LB8hpcA...==";
>};
>
>zone "abc.net" {
> notify yes;
> type master;
> update-policy { grant * self - A TXT; };
> file "abc.net";
> allow-transfer { any; };
> also-notify { 1.2.3.4;};
>};

There's nothing in this part of the configuration that links key usage to
the zone.

AlanC

[jo...@hasig.de]

hi,

> There's nothing in this part of the configuration that links key usage to
> the zone.

sure. the * is.
and the update works great.
the serial counts up,
the update is taken,
the slave is motified and updated.

the only thing is, that the "also-notify" servers get no notify.
(if i do an rndc update abc.net on a hidden slave, the transfer is taken
correct.).

jonny

[Alan Clegg]

Aye... I'm sitting here looking for zone transfer use of TSIG...

It's too early in the morning.

*sigh*

[Darcy Kevin (FCA)]

Apologies if this has already been asked, but are you sending these NOTIFYs from a master which is _not_ in the "masters" clause of the nameserver which is receiving it? That's precisely the use case for "allow-notify"...

- Kevin

-----Original Message-----
From: bind-user...@lists.isc.org [mailto:bind-user...@lists.isc.org] On Behalf Of jo...@hasig.de
Sent: Monday, May 02, 2016 10:31 AM
To: Alan Clegg; Matthew Pounsett
Cc: bind-...@lists.isc.org
Subject: Re: also-notify and nsupdate doesnt work

hi,

> There's nothing in this part of the configuration that links key usage to > the zone.

sure. the * is.
and the update works great.
the serial counts up,
the update is taken,
the slave is motified and updated.

the only thing is, that the "also-notify" servers get no notify.
(if i do an rndc update abc.net on a hidden slave, the transfer is taken correct.).

jonny

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

[Barry Margolin]

In article <mailman.688.1462221...@lists.isc.org>,

"Darcy Kevin (FCA)" <kevin...@fcagroup.com> wrote:

> Apologies if this has already been asked, but are you sending these NOTIFYs
> from a master which is _not_ in the "masters" clause of the nameserver which
> is receiving it? That's precisely the use case for "allow-notify"...

The use case for also-notify is when you have slave servers that aren't
in the NS records of the zone. Otherwise, those slaves won't update
until the Refresh timer goes off.

--
Barry Margolin
Arlington, MA

[Darcy Kevin (FCA)]

Right. also-notify (on a master) versus allow-notify (on a slave). Different use cases.

- Kevin

-----Original Message-----
From: bind-user...@lists.isc.org [mailto:bind-user...@lists.isc.org] On Behalf Of Barry Margolin
Sent: Monday, May 02, 2016 5:08 PM
To: comp-protoc...@isc.org
Subject: Re: also-notify and nsupdate doesnt work

In article <mailman.688.1462221...@lists.isc.org>,
"Darcy Kevin (FCA)" <kevin...@fcagroup.com> wrote:

> Apologies if this has already been asked, but are you sending these
> NOTIFYs from a master which is _not_ in the "masters" clause of the
> nameserver which is receiving it? That's precisely the use case for "allow-notify"...

The use case for also-notify is when you have slave servers that aren't in the NS records of the zone. Otherwise, those slaves won't update until the Refresh timer goes off.

--
Barry Margolin
Arlington, MA

[jo...@hasig.de]

hi,

> Apologies if this has already been asked, but are you sending these
NOTIFYs from a master which is _not_ in the "masters" clause of the
nameserver which is receiving it? That's precisely the use case for
"allow-notify"...

the notifies are sent by the only master, which is noted in the soa, has
an ns entry and is surely present in the "masters" acl of all the slaves.

jonny

[jo...@hasig.de]

hi,

> The use case for also-notify is when you have slave servers that aren't
> in the NS records of the zone. Otherwise, those slaves won't update
> until the Refresh timer goes off.

thats exactrly how i want to use it...

jonny

[jo...@hasig.de]

hi,

Am 02.05.2016 um 23:19 schrieb Darcy Kevin (FCA):
> Right. also-notify (on a master) versus allow-notify (on a slave). Different use cases.

the problem would not in the notify config.

the notify and transfer works fine with the zone config. until i add the
dynamic update option on the master...

jonny