Failing to set up secondary DNS with OVN network zone (AXFR transfer)

Hello everyone,

I’m trying to set up an authoritative secondary DNS server (using NSD) inside a container on a MicroCloud cluster. My goal is to have this container pull the zone information from LXD’s built-in DNS server via an AXFR transfer for an OVN network. I’m running into a connectivity issue and would appreciate some guidance.

My Environment:

  • LXD cluster managed by MicroCloud (4 nodes)

  • A default OVN network is configured as follows:
    default | ovn | YES | 10.94.219.1/24

Configuration Steps:

  1. I have created the forward and reverse network zones:

    # lxc network zone list
    +------------------------+-------------+---------+
    |          NAME          | DESCRIPTION | USED BY |
    +------------------------+-------------+---------+
    | 219.94.10.in-addr.arpa |             | 1       |
    +------------------------+-------------+---------+
    | lxd.utn.ac.cr          |             | 1       |
    +------------------------+-------------+---------+

  2. The zones are configured with a peer (ns1) which has a static IP of 10.94.219.5:

    # lxc network zone show lxd.utn.ac.cr
    config:
      dns.nameservers: ns1.lxd.utn.ac.cr
      peers.ns1.address: 10.94.219.5

  3. I have enabled LXD’s built-in DNS server to listen on the OVN network’s gateway IP and a non-standard port:

    # lxc config show
    config:
      core.dns_address: 10.94.219.1:8853

  4. Inside the ns1 container, NSD is configured to request the zone transfer from the OVN gateway:

    # cat /etc/nsd/nsd.conf.d/server.conf
    server:
      ip-address: 10.94.219.5

    zone:
      name: "lxd.utn.ac.cr"
      request-xfr: AXFR 10.94.219.1@8853 NOKEY

    zone:
      name: "219.94.10.in-addr.arpa"
      request-xfr: AXFR 10.94.219.1@8853 NOKEY

The Problem:

The zone transfer fails. When I query the ns1 server, I get a SERVFAIL response, as expected since it never received the zone data.

    # host ns1.lxd.utn.ac.cr 10.94.219.5
    Host ns1.lxd.utn.ac.cr not found: 2(SERVFAIL)

To diagnose this, I checked the network connectivity from the ns1 container to the OVN gateway IP on the AXFR port. The connection fails (it times out with no response).

    # lxc exec ns1 -- nc -zv 10.94.219.1 8853
    (Command hangs and eventually fails)

This appears to be the root of the problem: the container cannot reach the OVN gateway IP on the port specified in core.dns_address.

My Questions:

  1. Is it expected for the OVN gateway IP (10.94.219.1) to be reachable on the core.dns_address port from within a container? Or is this approach incorrect?

  2. What is the recommended way to expose LXD’s AXFR service to a container that is part of the same OVN network it is serving zones for?

Any help or clarification on the correct architecture for this would be greatly appreciated.

Thank you
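Added example (not from the original poster, and not LXD's or NSD's own code): a small Python 3 probe, standard library only, that goes one step beyond `nc -zv`. Instead of only testing whether the TCP port answers, it sends a real AXFR query for each zone (no TSIG, matching the NOKEY setting in the NSD config) and classifies the first reply, so you can tell "no route / filtered" apart from "reachable but transfer refused" and from "zone served". The server address, port and zone names are copied from the post as placeholders; the `explain()` wording is my own interpretation of what each outcome usually means.

```python
import socket
import struct

# Values copied from the post; adjust for your own cluster (placeholders).
LXD_DNS_ADDR = ("10.94.219.1", 8853)
ZONES = ("lxd.utn.ac.cr", "219.94.10.in-addr.arpa")

QTYPE_AXFR = 252
QCLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, qid: int = 0x1234) -> bytes:
    """Build a plain AXFR query (QTYPE 252, class IN), no TSIG record."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)  # flags=0, qdcount=1
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return header + question


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; enough to judge how an AXFR was handled."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # set on responses
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rcode": RCODES.get(rcode, str(rcode)),
        "qdcount": qd,
        "ancount": an,
    }


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _read_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection mid-message")
        buf += chunk
    return buf


def read_tcp_message(sock: socket.socket) -> bytes:
    """Read exactly one length-prefixed DNS message from a TCP socket."""
    (length,) = struct.unpack("!H", _read_exact(sock, 2))
    return _read_exact(sock, length)


def probe_axfr(addr, zone: str, timeout: float = 5.0) -> dict:
    """Connect to the AXFR endpoint, send one query, classify the first reply."""
    query = build_axfr_query(zone)
    try:
        with socket.create_connection(addr, timeout=timeout) as sock:
            sock.sendall(frame_tcp(query))
            reply = parse_header(read_tcp_message(sock))
    except (OSError, ValueError) as exc:  # timeout, refused, unreachable, junk
        return {"zone": zone, "reachable": False, "error": str(exc)}
    return {"zone": zone, "reachable": True, **reply}


def explain(result: dict) -> str:
    """Map a probe result onto the likely cause, from the secondary's side."""
    if not result["reachable"]:
        return "no TCP answer: the container cannot reach the AXFR port (routing/firewall)"
    if result["rcode"] in ("REFUSED", "NOTAUTH"):
        return "reachable, but transfer refused: check the zone's peer address matches the source IP NSD uses"
    if result["rcode"] == "NOERROR" and result["ancount"] > 0:
        return "transfer started: the primary is serving the zone"
    return f"reachable, unexpected reply rcode={result['rcode']}"


if __name__ == "__main__":
    for z in ZONES:
        res = probe_axfr(LXD_DNS_ADDR, z)
        print(z, res, "->", explain(res))
```

Run it from inside the ns1 container (`lxc exec ns1 -- python3 probe.py`) so the source address is the one NSD will use; a hang followed by "no TCP answer" reproduces the `nc` result in the post, while a REFUSED/NOTAUTH reply would point at the peer configuration rather than at connectivity.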

I am sorry. We do not provide support for LXD on this forum. Your best bet is to contact Canonical.