[Opendnssec-user] ods2 AXFR request to nameserver fails, reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen?

PGNet Dev pgnet.dev at gmail.com
Tue Dec 27 01:21:20 UTC 2016


a bit more for completeness ...

initiating UDP traffic from the ods box's shell, a query to nsd4 listening at 10.2.2.53 -- specified in ods addns.xml as the notify target (noting that recursion's not allowed -- just watching traffic),

	dig google.com @10.2.2.53
		; <<>> DiG 9.11.0-P1 <<>> google.com @10.2.2.53
		;; global options: +cmd
		;; Got answer:
		;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 399
		;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
		;; WARNING: recursion requested but not available

		;; OPT PSEUDOSECTION:
		; EDNS: version: 0, flags:; udp: 4096
		;; QUESTION SECTION:
		;google.com.                    IN      A

		;; Query time: 43 msec
		;; SERVER: 10.2.2.53#53(10.2.2.53)
		;; WHEN: Mon Dec 26 17:10:23 PST 2016
		;; MSG SIZE  rcvd: 39

following with tcpdump

	tcpdump -i tun1 udp port 53
		tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
		listening on tun1, link-type RAW (Raw IP), capture size 262144 bytes
		17:10:23.485198 IP dns.example.net.57886 > dnsext.example.net.domain: 399+ [1au] A? google.com. (51)
		17:10:23.528369 IP dnsext.example.net.domain > dns.example.net.57886: 399 Refused- 0/0/1 (39)
		^C
		2 packets captured
		2 packets received by filter
		0 packets dropped by kernel


on exec of an ODS zone add

	/usr/local/opendnssec/sbin/ods-enforcer zone add \
	 --zone example.com \
	 --policy lab \
	 --in-type DNS \
	 --input  /usr/local/etc/opendnssec/addns.xml \
	 --out-type DNS \
	 --output /usr/local/etc/opendnssec/addns.xml
		input is set to /usr/local/etc/opendnssec/addns.xml.
		output is set to /usr/local/etc/opendnssec/addns.xml.
		Zone example.com added successfully

tcpdump is silent

	tcpdump -i tun1 udp port 53
		tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
		listening on tun1, link-type RAW (Raw IP), capture size 262144 bytes
		^C
		0 packets captured
		0 packets received by filter
		0 packets dropped by kernel



