[Opendnssec-user] ods2 AXFR request to nameserver fails , reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen ?
PGNet Dev
pgnet.dev at gmail.com
Tue Dec 27 18:02:46 UTC 2016
with
netstat -npla | egrep "ods\-|:15354"
tcp 0 0 10.1.1.53:15354 0.0.0.0:* LISTEN 12618/ods-signerd
tcp 0 0 127.0.0.1:15354 0.0.0.0:* LISTEN 12618/ods-signerd
udp 0 0 10.1.1.53:15354 0.0.0.0:* 12618/ods-signerd
udp 0 0 127.0.0.1:15354 0.0.0.0:* 12618/ods-signerd
unix 2 [ ACC ] STREAM LISTENING 260902 12660/ods-enforcerd /var/run/opendnssec/enforcer.sock
unix 2 [ ACC ] STREAM LISTENING 261964 12618/ods-signerd /var/run/opendnssec/engine.sock
unix 3 [ ] STREAM CONNECTED 262968 12660/ods-enforcerd
unix 2 [ ] DGRAM 260901 12660/ods-enforcerd
unix 3 [ ] DGRAM 261967 12618/ods-signerd
unix 3 [ ] STREAM CONNECTED 262878 12618/ods-signerd
unix 2 [ ] DGRAM 261963 12618/ods-signerd
unix 3 [ ] DGRAM 261966 12618/ods-signerd
and
/usr/local/opendnssec/sbin/ods-enforcer zone add \
--zone example.com \
--policy lab \
--in-type DNS \
--input /usr/local/etc/opendnssec/addns.xml \
--out-type DNS \
--output /usr/local/etc/opendnssec/addns.xml
on exec of
/usr/local/opendnssec/sbin/ods-signer retransfer example.com
Zone example.com being re-transfered.
log reports the same/consistent failure by ods to send the notify to the remote,
tail -f /var/log/opendnssec/opendnssec.log
Dec 27 09:45:03 dns ods-signerd: [xfrd] zone example.com request axfr to 127.0.0.1
Dec 27 09:45:03 dns ods-signerd: [xfrd] zone example.com transfer done [notify acquired 0, serial on disk 1482857148, notify serial 0]
Dec 27 09:45:03 dns ods-signerd: [STATS] example.com 1482860703 RR[count=1 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=1 reused=26 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
Dec 27 09:45:03 dns ods-signerd: [notify] unable to send data over udp to 10.2.2.53: sendto() failed (Invalid argument)
Dec 27 09:45:03 dns ods-signerd: [notify] unable to send notify retry 1 for zone example.com to 10.2.2.53: notify_send_udp() failed
further, the remote nsd's logs show no activity, and there's no traffic I can manage to see via tcpdump either locally or at the remote
On the other hand, if I send a 'manual' notify to the remote
./send-dns-notify \
-d -d \
-b 10.1.1.53 \
-s 10.2.2.53 \
-z example.com
zone : example.com
nameserver: 10.2.2.53
src_ipaddr: 10.1.1.53
there's at least an obvious connection
--------------------------------------------------------------------------
send notify for example.com to 10.2.2.53
received answer from 10.2.2.53
;; Answer received from 10.2.2.53 (28 bytes)
;; HEADER SECTION
;; id = 27609
;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = NOTIFY
;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR
;; qdcount = 1 ancount = 0 nscount = 0 arcount = 0
;; do = 0
;; QUESTION SECTION (1 record)
;; example.com. IN SOA
;; ANSWER SECTION (0 records)
;; AUTHORITY SECTION (0 records)
;; ADDITIONAL SECTION (0 records)
which the remote nsd4 instance sees
[2016-12-27 17:58:53.491] nsd[28836]: info: notify for example.com. from 10.1.1.53
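As an added example (not part of the original post, and not OpenDNSSEC's or send-dns-notify's own code), the following script does what the manual notify above does: it binds the source address (the `-b 10.1.1.53` of the post), sends an RFC 1996 NOTIFY for the zone to the remote (`-s 10.2.2.53`), and decodes the reply header into the same fields the tool prints (qr, aa, opcode, rcode). The helper names, the 27609 message ID reused from the captured answer, and the `sample_reply()` packet are assumptions constructed here so the parsing can be exercised offline; only `send_notify()` touches the network.

```python
"""Minimal DNS NOTIFY (RFC 1996) sender and reply checker.

Added example: not code from the original post and not OpenDNSSEC's or
send-dns-notify's own implementation.  Helper names are hypothetical;
the addresses in __main__ are the ones quoted in the post.
"""
import socket
import struct

OPCODE_NOTIFY = 4
QTYPE_SOA = 6
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(zone):
    """Encode an owner name as uncompressed DNS wire-format labels."""
    out = b""
    for label in zone.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_notify(zone, msg_id):
    """NOTIFY request: opcode 4, AA set (as dig +opcode=notify does), one SOA question."""
    flags = (OPCODE_NOTIFY << 11) | (1 << 10)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_header(data):
    """Split the 12-byte header into the fields send-dns-notify prints."""
    if len(data) < 12:
        raise ValueError("short packet (%d bytes)" % len(data))
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": msg_id,
        "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def check_notify_reply(request, reply):
    """Validate a reply against the request we sent; return the RCODE name."""
    req = parse_header(request)
    rep = parse_header(reply)
    if rep["id"] != req["id"]:
        raise ValueError("ID mismatch: sent %d, got %d" % (req["id"], rep["id"]))
    if rep["qr"] != 1 or rep["opcode"] != OPCODE_NOTIFY:
        raise ValueError("not a NOTIFY response")
    return RCODE_NAMES.get(rep["rcode"], "RCODE%d" % rep["rcode"])


def sample_reply(zone, msg_id, rcode):
    """Constructed reply for offline use: QR=1, AA=1, opcode NOTIFY, question echoed."""
    flags = 0x8000 | (OPCODE_NOTIFY << 11) | 0x0400 | (rcode & 0xF)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def send_notify(zone, server, source, port=53, timeout=3.0, msg_id=27609):
    """Bind to `source` (like send-dns-notify -b), send NOTIFY over UDP, return the RCODE name."""
    request = build_notify(zone, msg_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((source, 0))
        # sendto() is the call the signer log reports failing with "Invalid argument"
        sock.sendto(request, (server, port))
        reply, _peer = sock.recvfrom(512)
    return check_notify_reply(request, reply)


if __name__ == "__main__":
    print(send_notify("example.com", "10.2.2.53", "10.1.1.53"))
```

Run as root or with CAP_NET_BIND_SERVICE not required (the source port is ephemeral); a NOTAUTH rcode from the remote means it answered but is not configured as a secondary for that zone, whereas a socket error on `sendto()` before any packet leaves is what tcpdump will never show.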