Hi All,

For bind9 as primary, solved it by entering the option allow-axfr-ips. When I checked, the primary replicated to the secondary PowerDNS running with the bind backend.

Now left with primary PowerDNS to secondary bind9 with the "NO AUTH" in logs.

Regards,
-badli

________________________________
From: Pdns-users <pdns-users-boun...@mailman.powerdns.com> on behalf of Alessandro Caselli via Pdns-users <pdns-users@mailman.powerdns.com>
Sent: Tuesday, April 18, 2023, 22:46
To: pdns-users@mailman.powerdns.com <pdns-users@mailman.powerdns.com>
Subject: [Pdns-users] DnsDist and secondary pdns auth

Hello,

I'm trying to install an infrastructure with a dnsdist frontend and a pdns authoritative backend, and I have a problem with the secondary zones. Please note that this environment could be used as a secondary server for some zones and as a primary server for other zones. I've already activated ECS EDNS on both pdns and dnsdist, and I can see the source IP on the backend, but pdns seems to ignore it. Am I missing some settings?

-- Test Environment

dnsdist and pdns-auth are on the same server on different ports (in a real environment these should be separated, but I think the problem would be the same).
dnsdist: 10.0.0.1 port 53
pdns-auth: 10.0.0.1 port 5301
External primary server: server1 192.168.1.1 (this in a real environment could be out of my control)

- Relevant config on dnsdist:

    newServer({address="127.0.0.1:5301", useClientSubnet=true, setECSSourcePrefixV4(32), name="be1", pool={"primary", "otherpool"}})
    addAction(AllRule(), ECSPrefixLengthAction(32))
    addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), SetSkipCacheAction())
    addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("192.168.1.1"))}), RCodeAction(DNSRCode.REFUSED))
    addAction(OrRule({QTypeRule(DNSQType.SOA), QTypeRule(DNSQType.AXFR), OpcodeRule(DNSOpcode.Notify), QTypeRule(DNSQType.IXFR)}), PoolAction("primary"))
    addAction(OpcodeRule(DNSOpcode.Notify), SetSkipCacheAction())

- Relevant config on pdns:

    allow-axfr-ips=192.168.1.1
    allow-dnsupdate-from=192.168.1.1
    allow-notify-from=192.168.1.1/32,127.0.0.1,192.168.1.1
    edns-subnet-processing=yes
    autosecondary=yes
    secondary=yes

On the pdns log I can see the source address:

    Apr 18 14:22:11 mydnsserver pdns_server[2315325]: Received NOTIFY for testslavezone.com from 127.0.0.1<-192.168.1.1/32

The problem is that the source address seems ignored by pdns.

When the master address of the zone is

    +-------------------+--------------+-------+
    | name              | master       | type  |
    +-------------------+--------------+-------+
    | provaslavedns.com | 192.168.1.1  | SLAVE |
    +-------------------+--------------+-------+

on the log I can see

    Apr 18 14:22:11 mydnsserver pdns_server[2315325]: Received NOTIFY for testslavezone.com from 127.0.0.1<-192.168.1.1/32
    Apr 18 14:22:11 mydnsserver pdns_server[2315325]: Received NOTIFY for testslavezone.com from 127.0.0.1<-192.168.1.1/32 which is not a master (Refused)

I've also tried with the CIDR on the master:

    +-------------------+-----------------+-------+
    | name              | master          | type  |
    +-------------------+-----------------+-------+
    | provaslavedns.com | 192.168.1.1/32  | SLAVE |
    +-------------------+-----------------+-------+

but it doesn't seem supported:

    Apr 18 14:29:31 mydnsserver pdns_server[2315325]: Received NOTIFY for testslavezone.com from 127.0.0.1<-192.168.1.1/32
    Apr 18 14:29:31 mydnsserver pdns_server[2315325]: Backend reported permanent error which prevented lookup (Unable to convert presentation address '192.168.1.1/32'), aborting

When the zone is configured with both the master and localhost as master addresses:

    +-------------------+-------------------------+-------+
    | name              | master                  | type  |
    +-------------------+-------------------------+-------+
    | provaslavedns.com | 192.168.1.1, 127.0.0.1  | SLAVE |
    +-------------------+-------------------------+-------+

the zone doesn't refresh after a notification:

    Apr 18 14:38:26 mydnsserver pdns_server[2326542]: Received NOTIFY for testslavezone.com from 127.0.0.1<-192.168.1.1/32
    Apr 18 14:38:26 mydnsserver pdns_server[2326542]: Received NOTIFY for testslavezone.com from 127.0.0.1<-192.168.1.1/32 - queueing check
    Apr 18 14:38:27 mydnsserver pdns_server[2326542]: Got NOTIFY for testslavezone.com, going to check SOA serial
    Apr 18 14:38:27 mydnsserver pdns_server[2326542]: 1 slave domain needs checking, 0 queued for AXFR
    Apr 18 14:38:27 mydnsserver pdns_server[2326542]: Received serial number updates for 1 zone
    Apr 18 14:38:27 mydnsserver pdns_server[2326542]: Domain 'testslavezone.com' is fresh (no DNSSEC), serial is 14 (checked master 127.0.0.1)

The updated serial is 15:

    root@mydnsserver:~# dig testslavezone.com SOA @192.168.1.1 +short
    mymaster.mydns.com. hostmaster.mydns.com. 15 86400 7200 2592000 86400

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
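The following is an added diagnostic, not code from the thread or from PowerDNS. It replays the three outcomes visible in the posted logs: a NOTIFY is matched against the zone's master list by the real packet source (127.0.0.1, the dnsdist frontend) rather than the EDNS Client Subnet shown after "<-"; a master written as CIDR ("192.168.1.1/32") is not a valid presentation address; and once the frontend itself is listed as a master, the SOA check goes to it and sees the secondary's own serial, so the zone stays "fresh" while the real primary is at 15. The log lines and serials come from the thread; the rule that the freshness check is sent to the master that sent the NOTIFY is an assumption chosen to match the "checked master 127.0.0.1" line, and the serial map is constructed.

```python
"""Constructed model of the secondary-zone NOTIFY/refresh decisions seen in the thread.

Not PowerDNS code: the decision functions are a simplified reading of the
posted log lines, written to make the loop through dnsdist visible.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape taken from the posted pdns_server log: "from <real-src>[<-<ecs-subnet>]".
NOTIFY_RE = re.compile(
    r"Received NOTIFY for (?P<zone>\S+) from (?P<src>[0-9.]+)(?:<-(?P<ecs>[0-9./]+))?"
)

# Log line copied from the thread.
LOG = [
    "Apr 18 14:22:11 mydnsserver pdns_server[2315325]: Received NOTIFY for "
    "testslavezone.com from 127.0.0.1<-192.168.1.1/32",
]

# Constructed: what an SOA query to each address would return. 127.0.0.1 is
# dnsdist, which forwards to this same pdns (serial 14); 192.168.1.1 is the
# real primary, serial 15 as the dig in the thread shows.
SERIAL_SEEN_AT: Dict[str, int] = {"127.0.0.1": 14, "192.168.1.1": 15}
LOCAL_SERIAL = 14


@dataclass
class Notify:
    zone: str
    source: str           # address pdns actually received the packet from
    ecs: Optional[str]    # client subnet forwarded by dnsdist, if present


def parse_notify(line: str) -> Optional[Notify]:
    """Extract zone, real source and ECS subnet from a NOTIFY log line."""
    m = NOTIFY_RE.search(line)
    if not m:
        return None
    return Notify(m.group("zone"), m.group("src"), m.group("ecs"))


def validate_masters(masters: List[str]) -> List[str]:
    """Return master entries that are not plain addresses (the '/32' error case)."""
    bad = []
    for m in masters:
        try:
            ipaddress.ip_address(m)
        except ValueError:
            bad.append(m)
    return bad


def notify_decision(n: Notify, masters: List[str]) -> str:
    """Accept only if the real source is a configured master; ECS is not consulted."""
    if n.source in masters:
        return "accepted"
    return "refused: %s is not a master" % n.source


def refresh_decision(n: Notify, masters: List[str],
                     serial_seen_at: Dict[str, int], local_serial: int) -> str:
    """Assumption: after an accepted NOTIFY the SOA is checked at the notifying master."""
    if notify_decision(n, masters) != "accepted":
        return "no check"
    remote = serial_seen_at[n.source]
    if remote > local_serial:
        return "axfr from %s (serial %d > %d)" % (n.source, remote, local_serial)
    return "fresh (serial %d, checked master %s)" % (local_serial, n.source)


def diagnose(masters: List[str]) -> Dict[str, str]:
    """Run all three checks for one master list against the logged NOTIFY."""
    n = parse_notify(LOG[0])
    bad = validate_masters(masters)
    if bad:
        return {"config": "unable to convert presentation address %s" % bad[0]}
    return {
        "config": "ok",
        "notify": notify_decision(n, masters),
        "refresh": refresh_decision(n, masters, SERIAL_SEEN_AT, LOCAL_SERIAL),
    }


if __name__ == "__main__":
    for masters in (["192.168.1.1"], ["192.168.1.1/32"], ["192.168.1.1", "127.0.0.1"]):
        print(masters, "->", diagnose(masters))
    # A NOTIFY arriving directly from the primary (no dnsdist in between) would
    # trigger the transfer: the source and the checked master are then the same host.
    direct = Notify("testslavezone.com", "192.168.1.1", None)
    print("direct ->", refresh_decision(direct, ["192.168.1.1"], SERIAL_SEEN_AT, LOCAL_SERIAL))
```

The three master lists reproduce the thread in order: refused because 127.0.0.1 is not a master, the presentation-address error for the CIDR form, and the "fresh" result when the loop through dnsdist is accepted as a master. The last line shows the same logic producing a transfer when the check reaches the real primary.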