<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 18, 2019 at 6:44 AM Jackson Yap <<a href="mailto:jackson@apc.sg">jackson@apc.sg</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-SG"><div class="gmail-m_8209963718978626209WordSection1"><p class="MsoNormal">Hi all,</p><p class="MsoNormal"> </p><p class="MsoNormal">We have a strange situation. Previously we are able to do a zone transfer of non-dnssec zones. But now, when we tried to transfer a dnssec zone, we have the error below.</p><p class="MsoNormal"> </p><p class="MsoNormal">Zone is already activated dnssec on source server, and is secured with pdnsutil secure-zone on the destination server.</p></div></div></blockquote><div><br></div><div>I'm not sure I understand what you're trying to do in the first place. Your source server is already serving the domain secured, you state. (Is that also a PowerDNS Authoritative server under your control or not?)</div><div>If your destination server is supposed to be a secondary nameserver, you should set the zone as 'presigned' (`pdnsutil set-presigned [ZONE]`) so that it retrieves the signed zone and serves it as-is.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-SG"><div class="gmail-m_8209963718978626209WordSection1"><p class="MsoNormal"><span>Apr 18 12:35:49 ns1 pdns_server: Starting AXFR of '<a href="http://xxx.sg" target="_blank">xxx.sg</a>' from remote x.x.x.x</span></p><p class="MsoNormal"><span>Apr 18 12:35:49 ns1 pdns_server: Unable to AXFR zone '<a href="http://xxx.sg" target="_blank">xxx.sg</a>' from remote x.x.x.x (resolver): AXFR chunk error: Query Refuse</span></p></div></div></blockquote><div><br></div><div>Are your sure your source server accepts zone transfers from the IP of your destination server? It seems it does not allow you to. If your source server is not under your control, additional restrictions may be applied like TSIG [1], but I'm not too familiar if you would get this specific error message on your destination server.</div><div><br></div><div>[1]: <a href="https://doc.powerdns.com/authoritative/tsig.html">https://doc.powerdns.com/authoritative/tsig.html</a></div><div><br></div><div>HTH<br>
</div></div></div></div></div>