[Opendnssec-user] ods2 AXFR request to nameserver fails , reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen ?

PGNet Dev pgnet.dev at gmail.com
Wed Dec 28 13:54:33 UTC 2016

On 12/28/2016 02:27 AM, Berry A.W. van Halderen wrote:
> So the NOTIFY gets as source address while is being
> sent to  That is an "invalid argument" to the operating
> system.  If you reverse the two interfaces probably things start
> working.

Unfortunately, though behavior IS apparently sensitive to that order, 
they just fail *differently*.

> You might wander why we bind to an interface at all

No, not at all.  I however do wonder why a bind "per target (or action)" 
is not implemented, perhaps using multiple-sockets ....

> Also it is often the case that explicit security is used to require
> NOTIFies to be sent using an explicit source address.  So it is
> better to bind in these cases.

If explicit security is in fact a consideration, as I'd hope it would 
be, then making any 'guesses' is not a reliable approach.

Postfix, as as example of app that provides such explicit security, does 
an excellent job of allowing bind-address specified per action/daemon ...

> I'm afraid it is just one of those things that can go wrong in an
> extended set-up.

I wouldn't have considered a commonplace primary + secondary setup to be 
an 'extended' setup ...

In any case, is this extended setup something you intended to cleanly 
implement/support ?

Simply need to know one way or the other.  If so, great. If not, then I 
need to use a different approach to DNSSEC automation here.

More information about the Opendnssec-user mailing list