<p>Hi,<br><br>I'm new to this list and this is the first time I have encountered a problem using the PowerDNS authoritative DNS server, so I hope I can find a solution for this problem here.<br><br>The problem is with per-domain AXFR ACLs. They are just not working for me. Below are the configuration and test outputs.<br>
<br>Master DNS: pdns-master 192.168.1.10<br>Slave DNS: pdns-slave 192.168.1.11<br>Test server: pdns-test 192.168.1.13</p><p>PowerDNS Version 3.2, compiled on Mar 12 2013, 10:19:57 with gcc version 4.1.2 20080704 (Red Hat 4.1.2-51)</p>
<p><br>pdns-master pdns.conf</p><p>setuid=daemon<br>setgid=daemon<br>cache-ttl=60<br>daemon=yes<br>disable-tcp=no<br>distributor-threads=10</p><p>launch=gmysql<br>gmysql-host=127.0.0.1<br>gmysql-user=powerdns<br>gmysql-password=password<br>
gmysql-dbname=powerdns</p><div>logging-facility=1<br>loglevel=4<br>master=yes<br>query-cache-ttl=60<br>recursive-cache-ttl=60<br>recursor=127.0.0.1<br>query-local-address6=</div><div> </div><div>NB! recursor is not running.</div>
<p>pdns-master mysql information:</p><p>mysql> select * from domains;<br>id name master last_check type notified_serial account<br>1 <a href="http://test.com">test.com</a> NULL NULL MASTER 1363693953 NULL</p>
<p>mysql> select * from records;<br>id domain_id name type content ttl prio change_date ordername auth<br>1 1 <a href="http://test.com">test.com</a> SOA <a href="http://dns1.test.com">dns1.test.com</a> <a href="mailto:root@test.com">root@test.com</a> 0 86400 NULL NULL NULL NULL<br>
2 1 <a href="http://test.com">test.com</a> NS <a href="http://dns1.test.com">dns1.test.com</a> 86400 NULL 1363693952 NULL NULL<br>3 1 <a href="http://test.com">test.com</a> NS <a href="http://dns2.test.com">dns2.test.com</a> 86400 NULL 1363693952 NULL NULL<br>
4 1 <a href="http://www.test.com">www.test.com</a> A 192.168.1.12 120 NULL 1363693952 NULL NULL<br>5 1 <a href="http://mail.test.com">mail.test.com</a> A 192.168.1.12 120 NULL 1363693952 NULL NULL<br>
6 1 <a href="http://dns1.test.com">dns1.test.com</a> A 192.168.1.11 120 NULL 1363693952 NULL NULL<br>7 1 <a href="http://dns2.test.com">dns2.test.com</a> A 192.168.1.10 120 NULL 1363693952 NULL NULL<br>
8 1 <a href="http://test.com">test.com</a> MX <a href="http://mail.test.com">mail.test.com</a> 120 25 1363693953 NULL NULL</p><p>mysql> select * from domainmetadata;<br>id domain_id kind content<br>
1 1 ALLOW-AXFR-FROM AUTO-NS</p><div>AXFR queries should be allowed only from servers which are in the <a href="http://test.com">test.com</a> domain's NS records.</div><div>I will send an AXFR query from pdns-slave, which has IP 192.168.1.11 and is configured as an NS record in the test.com domain, and it should get a correct AXFR answer. </div>
<div>I also try an AXFR query from pdns-test, which has IP 192.168.1.12 and is not configured as an NS record in the <a href="http://test.com">test.com</a> domain; this server should get a transfer failure message from the pdns-master server. The PowerDNS daemon is running with the monitor flag, which gives debug output from the server's side.</div>
<div> </div><div>AXFR query from pdns-slave 192.168.1.11 server:</div><p>[root@pdns-slave ~]# dig axfr <a href="http://test.com">test.com</a> @<a href="http://192.168.1.10">192.168.1.10</a></p><p>; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> axfr <a href="http://test.com">test.com</a> @<a href="http://192.168.1.10">192.168.1.10</a><br>
;; global options: printcmd<br><a href="http://test.com">test.com</a>. 86400 IN SOA <a href="http://dns1.test.com">dns1.test.com</a>. <a href="http://root.test.com">root.test.com</a>. 1363693953 10800 3600 604800 3600<br>
<a href="http://test.com">test.com</a>. 86400 IN NS <a href="http://dns1.test.com">dns1.test.com</a>.<br><a href="http://test.com">test.com</a>. 86400 IN NS <a href="http://dns2.test.com">dns2.test.com</a>.<br>
<a href="http://www.test.com">www.test.com</a>. 120 IN A 192.168.1.12<br><a href="http://mail.test.com">mail.test.com</a>. 120 IN A 192.168.1.12<br><a href="http://dns1.test.com">dns1.test.com</a>. 120 IN A 192.168.1.11<br>
<a href="http://dns2.test.com">dns2.test.com</a>. 120 IN A 192.168.1.10<br><a href="http://test.com">test.com</a>. 120 IN MX 25 <a href="http://mail.test.com">mail.test.com</a>.<br>
<a href="http://test.com">test.com</a>. 86400 IN SOA <a href="http://dns1.test.com">dns1.test.com</a>. <a href="http://root.test.com">root.test.com</a>. 1363693953 10800 3600 604800 3600<br>;; Query time: 12 msec<br>
;; SERVER: 192.168.1.10#53(192.168.1.10)<br>;; WHEN: Tue Mar 19 13:24:06 2013<br>;; XFR size: 9 records (messages 3)</p><p>Powerdns log output in pdns-master server:</p><p>Mar 19 13:24:06 AXFR of domain '<a href="http://test.com">test.com</a>' initiated by 192.168.1.11<br>
Mar 19 13:24:06 AXFR of domain '<a href="http://test.com">test.com</a>' allowed: client IP 192.168.1.11 is in allow-axfr-ips<br>Mar 19 13:24:06 gmysql Connection successful<br>Mar 19 13:24:06 gmysql Connection successful<br>
Mar 19 13:24:06 AXFR of domain '<a href="http://test.com">test.com</a>' to 192.168.1.11 finished</p><p>AXFR query from pdns-test 192.168.1.12 server:</p><p>[root@pdns-test ~]# dig axfr <a href="http://test.com">test.com</a> @<a href="http://192.168.1.10">192.168.1.10</a></p>
<p>; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> axfr <a href="http://test.com">test.com</a> @<a href="http://192.168.1.10">192.168.1.10</a><br>;; global options: printcmd<br><a href="http://test.com">test.com</a>. 86400 IN SOA <a href="http://dns1.test.com">dns1.test.com</a>. <a href="http://root.test.com">root.test.com</a>. 1363693953 10800 3600 604800 3600<br>
<a href="http://test.com">test.com</a>. 86400 IN NS <a href="http://dns1.test.com">dns1.test.com</a>.<br><a href="http://test.com">test.com</a>. 86400 IN NS <a href="http://dns2.test.com">dns2.test.com</a>.<br>
<a href="http://www.test.com">www.test.com</a>. 120 IN A 192.168.1.12<br><a href="http://mail.test.com">mail.test.com</a>. 120 IN A 192.168.1.12<br><a href="http://dns1.test.com">dns1.test.com</a>. 120 IN A 192.168.1.11<br>
<a href="http://dns2.test.com">dns2.test.com</a>. 120 IN A 192.168.1.10<br><a href="http://test.com">test.com</a>. 120 IN MX 25 <a href="http://mail.test.com">mail.test.com</a>.<br>
<a href="http://test.com">test.com</a>. 86400 IN SOA <a href="http://dns1.test.com">dns1.test.com</a>. <a href="http://root.test.com">root.test.com</a>. 1363693953 10800 3600 604800 3600<br>;; Query time: 17 msec<br>
;; SERVER: 192.168.1.10#53(192.168.1.10)<br>;; WHEN: Tue Mar 19 13:25:50 2013<br>;; XFR size: 9 records (messages 3)</p><p><br>Powerdns log output in pdns-master server:</p><p>Mar 19 13:25:50 AXFR of domain '<a href="http://test.com">test.com</a>' initiated by 192.168.1.12<br>
Mar 19 13:25:50 AXFR of domain '<a href="http://test.com">test.com</a>' allowed: client IP 192.168.1.12 is in allow-axfr-ips<br>Mar 19 13:25:50 gmysql Connection successful<br>Mar 19 13:25:50 gmysql Connection successful<br>
Mar 19 13:25:50 AXFR of domain '<a href="http://test.com">test.com</a>' to 192.168.1.12 finished</p><div> </div><div>As seen from above, the per-domain AXFR ACLs are not working. Am I missing some configuration, or am I doing something very wrong? </div>
<div>Please help.</div><div> </div><div>NB! English is not my native language, so apologies if there are mistakes.</div><div> </div><div>Thanks in advance!</div><div>Margus Kiting</div>
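<p>As an added illustration (not part of the original post or of the PowerDNS code), a small Python model of the ACL evaluation order that the master's log lines indicate: the global <code>allow-axfr-ips</code> list is consulted first, and a match there short-circuits the per-zone <code>ALLOW-AXFR-FROM</code> check, so <code>AUTO-NS</code> only takes effect once the global list no longer matches the client. The zone data mirrors the records in the post; expanding <code>AUTO-NS</code> from the zone's own A records is an assumption of this model.</p>

```python
import ipaddress

# Constructed zone data mirroring the post's records and domainmetadata tables.
NS_RECORDS = {"test.com": ["dns1.test.com", "dns2.test.com"]}
A_RECORDS = {
    "dns1.test.com": "192.168.1.11", "dns2.test.com": "192.168.1.10",
    "www.test.com": "192.168.1.12", "mail.test.com": "192.168.1.12",
}
DOMAINMETADATA = {"test.com": {"ALLOW-AXFR-FROM": ["AUTO-NS"]}}


def expand_allow_axfr_from(zone):
    """Expand the zone's ALLOW-AXFR-FROM entries into networks.

    AUTO-NS is assumed (model assumption) to mean the addresses of the
    zone's own NS names, looked up in the A records of the same backend.
    """
    nets = []
    for entry in DOMAINMETADATA.get(zone, {}).get("ALLOW-AXFR-FROM", []):
        if entry == "AUTO-NS":
            for ns in NS_RECORDS.get(zone, []):
                if ns in A_RECORDS:
                    nets.append(ipaddress.ip_network(A_RECORDS[ns]))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def can_do_axfr(zone, client_ip, allow_axfr_ips):
    """Return (allowed, reason) in the order the master's log shows: the
    global allow-axfr-ips list is checked first; only when it does not
    match is the per-zone ALLOW-AXFR-FROM metadata consulted."""
    client = ipaddress.ip_address(client_ip)
    for net in allow_axfr_ips:
        if client in ipaddress.ip_network(net, strict=False):
            return True, "client IP %s is in allow-axfr-ips" % client_ip
    for net in expand_allow_axfr_from(zone):
        if client in net:
            return True, "client IP %s is in ALLOW-AXFR-FROM" % client_ip
    return False, "client IP %s is not allowed to AXFR" % client_ip


if __name__ == "__main__":
    # A wide-open global list admits both hosts; an empty one leaves only the NS.
    for global_acl in (["0.0.0.0/0"], []):
        for ip in ("192.168.1.11", "192.168.1.12"):
            print(global_acl, ip, can_do_axfr("test.com", ip, global_acl))
```

<p>With a wide-open global list both 192.168.1.11 and 192.168.1.12 are admitted with the same "is in allow-axfr-ips" reason the post's log shows; with the global list emptied, only the NS address 192.168.1.11 passes via the per-zone metadata.</p>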