[Opendnssec-user] ods2 AXFR request to nameserver fails, reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen?

PGNet Dev pgnet.dev at gmail.com
Mon Dec 26 22:29:32 UTC 2016

On 12/26/2016 01:47 PM, Yuri Schaeffer wrote:
> I'm not in the position to dive into the code right now. But I might
> have a hunch which might help you debug. It sounds like from what I
> gather from your reports ODS has trouble selecting the right outgoing
> interface (That's why it doesn't show up dumping lo, and that's why
> sendto says invalid arguments).
> Please take a look at the Signer/listener section in conf.xml and check
> which interfaces you have configured. There have been some 'gotchas' in
> the past in having multiple interfaces where the OS would select the
> wrong outgoing interface if more than 1 had a route to the destination.
> Resulting in the wrong source address on the outgoing packet. Maybe one
> of our fixes has bitten you?

Perhaps ... I'd been looking at the bound src addresses, or trying to, until I got sidetracked by that^ error-logging bug ...

In my latest/current stab at this, I've two physical boxes:

(1) bind9 (hidden primary)
	listens on,
	currently configured to listen on two interfaces (I've also tried with just one ...), port 15354

		cat conf.xml

(2) nsd4 (secondary)
	listens on

comms 'tween the two are over a VPN link.  without ods2, it's worked this way for ages.

bind9 comms via AXFR+NOTIFY to the nsd4 secondary, etc.

firewall/routes are set up so that from the primary-box to the secondary-box,

	telnet 53
		Connected to
		Escape character is '^]'.

and in the other direction, from the secondary to the primary

	telnet 15354
		Connected to
		Escape character is '^]'.

I'm changing stuff all over the place atm, trying to figure out what's happening, or not :-/  So certainly open to any suggestions re: config.

Also, I'm trying to prove to myself that the bug report is (1) real, and (2) whether it only affects LOGGING or is hiding an actual UDP packet-assembly/content problem.
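
One way to test the source-address hunk quoted above on a multi-homed box, as an added example that is not part of the original post or of OpenDNSSEC: ask the kernel which source address it would pick for a destination and compare it with the address you intend outgoing packets to carry. The function names and the addresses in the demo are assumptions (constructed, RFC 5737 documentation range).

```python
import socket

def _family(addr):
    return socket.AF_INET6 if ":" in addr else socket.AF_INET

def kernel_source_for(dest, port=53):
    """Return the source IP the OS would select for dest, or None if no route.

    connect() on a UDP socket only does the route lookup and fixes the
    local address; no packet is sent, so nothing shows up in tcpdump.
    """
    with socket.socket(_family(dest), socket.SOCK_DGRAM) as s:
        try:
            s.connect((dest, port))
        except OSError:
            return None
        return s.getsockname()[0]

def can_bind(addr):
    """True if addr is configured on a local interface (bind succeeds)."""
    with socket.socket(_family(addr), socket.SOCK_DGRAM) as s:
        try:
            s.bind((addr, 0))
        except OSError:
            return False
        return True

def check_source(expected, dest, port=53,
                 probe=kernel_source_for, bindable=can_bind):
    """Compare the intended source address with the kernel's own choice."""
    chosen = probe(dest, port)
    if chosen is None:
        return "no-route"
    if chosen == expected:
        return "ok"
    # The kernel prefers another interface. Binding the socket to the
    # intended address only helps if that address is actually local.
    if bindable(expected):
        return "mismatch-bind-explicitly"
    return "mismatch-address-not-local"

if __name__ == "__main__":
    # Constructed values, not taken from the thread.
    print(check_source("192.0.2.10", "192.0.2.53", 15354))
```

Run it on the box that originates the transfer, with the far end's address and port; a "mismatch" result means the packet would leave with a different source address than the one intended.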
