[Opendnssec-user] ods2 AXFR request to nameserver fails, reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen?

PGNet Dev pgnet.dev at gmail.com
Mon Dec 26 22:29:32 UTC 2016


On 12/26/2016 01:47 PM, Yuri Schaeffer wrote:
> I'm not in the position to dive in to the code right now. But I might
> have a hunch which might help you debug. It sounds like from what I
> gather from your reports ODS has trouble selecting the right outgoing
> interface (That's why it doesn't show up dumping lo, and that's why
> sendto says invalid arguments).
> 
> Please take a look at the Signer/listener section in conf.xml and check
> which interfaces you have configured. There has been some 'gotchas' in
> the past in having multiple interfaces where the OS would select the
> wrong outgoing interface if more than 1 had a route to the destination.
> Resulting in the wrong source address on the outgoing packet. Maybe one
> of our fixes has bitten you?

Perhaps ... I'd been looking at the bound src addresses, or trying to, until I got sidetracked by that^ error-logging bug ...

In my latest/current stab at this, I've two physical boxes:

(1) bind9 (hidden primary)
		listens on 10.1.1.53:53, 127.0.0.1:53
	ods2
		currently configured to listen on two interfaces (I've also tried with just one ...), port 15354

			cat conf.xml
				...
				<Signer>
					<Listener>
						<Interface>
							<Address>127.0.0.1</Address>
							<Port>15354</Port>
						</Interface>
						<Interface>
							<Address>10.1.1.53</Address>
							<Port>15354</Port>
						</Interface>
					</Listener>
					<Privileges>
						<User>opendnssec</User>
						<Group>opendnssec</Group>
					</Privileges>
					<WorkingDirectory>/var/opendnssec/signer</WorkingDirectory>
					<WorkerThreads>4</WorkerThreads>
				</Signer>
				...

(2) nsd4 (secondary)
		listens on 10.2.2.53:53

Comms between the two are over a VPN link. Without ods2, it's worked this way for ages.

bind9 comms via AXFR+NOTIFY to the nsd4 secondary, etc.

Firewall/routes are set up so that from the primary-box to the secondary-box,

	telnet 10.2.2.53 53
		Trying 10.2.2.53...
		Connected to 10.2.2.53.
		Escape character is '^]'.

and in the other direction, from the secondary to the primary

	telnet 10.1.1.53 15354
		Trying 10.1.1.53...
		Connected to 10.1.1.53.
		Escape character is '^]'.

I'm changing stuff all over the place atm, trying to figure out what's happening, or not :-/  So certainly open to any suggestions re: config.

Also, I'm trying to prove to myself that the bug report is (1) real, and (2) whether it only affects LOGGING or is hiding an actual UDP packet-assembly/content problem.
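Added example, not part of the post above and not OpenDNSSEC code: a small Python probe that separates the two questions raised in this thread. It asks the kernel which source address it would pick for a destination (the "wrong outgoing interface" hunch), then sends one SOA or AXFR query over TCP from an explicitly bound source address and decodes the RCODE of the first reply, so a NOTAUTH or REFUSED from the secondary can be seen independently of the ods2 logging bug. The wire format is RFC 1035 as I know it; the server/port values in the usage line (10.2.2.53:53 for the nsd4 secondary, 10.1.1.53:15354 for the ods2 listener) come from the post, while the zone name example.com, the script name and the constructed sample reply are assumptions.

```python
#!/usr/bin/env python3
# ods_probe.py: added example for this thread, not OpenDNSSEC code.
# Builds/parses raw DNS messages (RFC 1035) so the logic runs offline;
# the network helpers are for the reader to run against their own hosts.
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
          5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH",
          10: "NOTZONE"}
QTYPES = {"SOA": 6, "AXFR": 252}


def encode_name(name):
    """Encode a dotted owner name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                      # caller resumes after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(name, qtype, qid=0x1234):
    """One-question query, flags 0 (RD clear, as a zone-transfer client sends)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def parse_response(msg):
    """Pull id, RCODE, AA bit, question name and answer count out of a response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    qname = decode_name(msg, 12)[0] if qd else ""
    return {"id": qid, "rcode": rcode, "rcode_name": RCODES.get(rcode, str(rcode)),
            "aa": bool(flags & 0x0400), "qname": qname, "ancount": an}


def pick_source_address(dest, port=53):
    """Which local address the kernel would use to reach dest. connect() on a UDP
    socket only fixes the route, nothing is sent; compare the result with the
    <Address> entries in Signer/Listener."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dest, port))
        return s.getsockname()[0]
    finally:
        s.close()


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def tcp_query(server, port, query, source=None, timeout=5.0):
    """Send one query over TCP (2-byte length prefix); return (local address used,
    first reply). An AXFR may span several messages, but the first one already
    carries NOTAUTH/REFUSED if the server rejects us."""
    src = (source, 0) if source else None
    with socket.create_connection((server, port), timeout=timeout, source_address=src) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        local = s.getsockname()[0]
        n = struct.unpack("!H", _recv_exact(s, 2))[0]
        return local, _recv_exact(s, n)


# Constructed sample (not a capture): NOTAUTH (rcode 9) reply to 'example.com SOA'.
SAMPLE_NOTAUTH = (struct.pack("!HHHHHH", 0x1234, 0x8009, 1, 0, 0, 0)
                  + encode_name("example.com") + struct.pack("!HH", QTYPES["SOA"], 1))


def main(argv):
    # usage: ods_probe.py <server> <port> <zone> [AXFR|SOA] [source-address]
    # e.g.   ods_probe.py 10.2.2.53 53 example.com AXFR 10.1.1.53
    server, port, zone = argv[1], int(argv[2]), argv[3]
    qtype = argv[4] if len(argv) > 4 else "SOA"
    source = argv[5] if len(argv) > 5 else None
    print("kernel-chosen source for %s: %s" % (server, pick_source_address(server, port)))
    local, resp = tcp_query(server, port, build_query(zone, qtype), source)
    r = parse_response(resp)
    if r["id"] != 0x1234:
        raise ValueError("response id mismatch")
    print("%s -> %s %s %s: rcode=%s aa=%s answers=%d" %
          (local, server, zone, qtype, r["rcode_name"], r["aa"], r["ancount"]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it twice from the primary box, once with the source address left to the kernel and once pinned to 10.1.1.53; if the first line shows the VPN picking a different address than the one nsd4 is configured to accept transfers from, that is the source-address mismatch Yuri describes, and the secondary will answer NOTAUTH or REFUSED regardless of what ods2 logs.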






More information about the Opendnssec-user mailing list