<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 21/06/2021 08:53, Cheikh Dieng via
Pdns-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CADCGpEgbgidFkLoSXd+1XZF0cfeBYMRLw+Lvcu59onode7LoWg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hi,<br>
<div><br>
</div>
<div>
<div>My powerdns rejects requests for zone transfer.</div>
<div><br>
</div>
<div>My powerdns domain is "<a
href="http://cloud.lfpw.dsna.fr/" target="_blank"
moz-do-not-send="true">cloud.lfpw.dsna.fr</a>" it is a sub
domain of "<a href="http://lfpw.dsna.fr/" target="_blank"
moz-do-not-send="true">lfpw.dsna.fr</a>" (this parent
domain is not a powerdns solution).<br>
For the Letsencrypt protocol to generate a certificate I have to
enable zone transfer in my powerdns.<br>
</div>
</div>
</div>
</blockquote>
<p>That doesn't make much sense: the Letsencrypt protocol DNS01
challenge does not use zone transfers.<br>
</p>
<p>It might make sense if cloud.lfpw.dsna.fr were delegated to a
separate set of publicly-reachable nameservers, and your powerdns
is a hidden primary that those servers perform zone transfers
from. That looks like it's possible:<br>
</p>
<p><font face="monospace">$ dig +trace @8.8.8.8
_acme-challenge.cloud.lfpw.dsna.fr.<br>
...<br>
<b>lfpw.dsna.fr. 86400 IN NS vitre.cena.fr.</b><b><br>
</b><b>lfpw.dsna.fr. 86400 IN NS hilar.cena.fr.</b><b><br>
</b>;; Received 108 bytes from
2001:4b98:aaaa::fa#53(ns-249-a.gandi.net) in 18 ms<br>
...<br>
<b>cloud.lfpw.dsna.fr. 172800 IN NS vitre.cena.fr.</b><b><br>
</b><b>cloud.lfpw.dsna.fr. 172800 IN NS
vip-in.cloud.lfpw.dsna.fr.</b><b><br>
</b>;; Received 125 bytes from 195.83.98.1#53(hilar.cena.fr) in
39 ms</font><br>
<br>
</p>
<p>However the cloud.lfpw.dsna.fr domain looks to be totally
broken. One nameserver gives servfail:<br>
</p>
<p><font face="monospace">$ dig @vitre.cena.fr. cloud.lfpw.dsna.fr.
ns<br>
<br>
; <<>> DiG 9.10.3-P4-Debian <<>>
@vitre.cena.fr. cloud.lfpw.dsna.fr. ns<br>
; (2 servers found)<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: <b>SERVFAIL</b>,
id: 33460<br>
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL:
1<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
;; QUESTION SECTION:<br>
;cloud.lfpw.dsna.fr. IN NS<br>
<br>
;; Query time: 36 msec<br>
;; SERVER: 2001:660:6607:100::1#53(2001:660:6607:100::1)<br>
;; WHEN: Mon Jun 21 09:20:26 BST 2021<br>
;; MSG SIZE rcvd: 47</font></p>
<p>The other nameserver, "vip-in.cloud.lfpw.dsna.fr" does not
resolve at all:<br>
</p>
<p><font face="monospace">$ dig @vip-in.cloud.lfpw.dsna.fr.
cloud.lfpw.dsna.fr. ns<br>
<br>
; <<>> DiG 9.10.3-P4-Debian <<>>
@vip-in.cloud.lfpw.dsna.fr. cloud.lfpw.dsna.fr. ns<br>
; (1 server found)<br>
;; global options: +cmd<br>
;; connection timed out; no servers could be reached</font><br>
</p>
<p>The address from the glue record doesn't work either:</p>
<p><font face="monospace">$ dig @195.83.98.243 cloud.lfpw.dsna.fr.
ns<br>
<br>
; <<>> DiG 9.10.3-P4-Debian <<>>
@195.83.98.243 cloud.lfpw.dsna.fr. ns<br>
; (1 server found)<br>
;; global options: +cmd<br>
;; connection timed out; no servers could be reached</font></p>
<p>Only one of the two nameservers for lfpw.dsna.fr *is* working -
this is where I got the glue record from.<br>
</p>
<p><font face="monospace">$ dig @hilar.cena.fr. cloud.lfpw.dsna.fr.
ns<br>
<br>
; <<>> DiG 9.10.3-P4-Debian <<>>
@hilar.cena.fr. cloud.lfpw.dsna.fr. ns<br>
; (2 servers found)<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
10103<br>
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL:
2<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
;; QUESTION SECTION:<br>
;cloud.lfpw.dsna.fr. IN NS<br>
<br>
;; AUTHORITY SECTION:<br>
<b>cloud.lfpw.dsna.fr. 172800 IN NS
vip-in.cloud.lfpw.dsna.fr.</b><b><br>
</b><b>cloud.lfpw.dsna.fr. 172800 IN NS
vitre.cena.fr.</b><b><br>
</b><br>
;; ADDITIONAL SECTION:<br>
<b>vip-in.cloud.lfpw.dsna.fr. 172800 IN A 195.83.98.243</b><br>
<br>
;; Query time: 39 msec<br>
;; SERVER: 195.83.98.1#53(195.83.98.1)<br>
;; WHEN: Mon Jun 21 09:23:11 BST 2021<br>
;; MSG SIZE rcvd: 109</font><br>
</p>
<p>In summary: lfpw.dsna.fr is half-broken, and cloud.lfpw.dsna.fr
is completely broken. Getting Letsencrypt certificates is the
least of your worries right now.<br>
</p>
<br>
<blockquote type="cite"
cite="mid:CADCGpEgbgidFkLoSXd+1XZF0cfeBYMRLw+Lvcu59onode7LoWg@mail.gmail.com">
<div dir="ltr">
<div>
<div><br>
</div>
<div>Is my pdns.conf file correct ?</div>
<div><br>
</div>
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div>local-address=0.0.0.0, ::</div>
<div>launch=ldap</div>
<div>guardian=yes</div>
<div>ldap-host=ldap://200.17.xx.xx:1389/</div>
<div>ldap-basedn=dc=cloud,dc=lfpw,dc=dsna,dc=fr</div>
<div>ldap-binddn=cn=admin,dc=dsna,dc=fr</div>
<div>ldap-secret=xxxxx</div>
<div>ldap-method=simple</div>
<div>disable-axfr=no</div>
<div>allow-axfr-ips=127.0.0.0/8,195.xx.xx.xx/32,51.91.xx.xx/32</div>
<div>local-port=53</div>
<div>cache-ttl=0</div>
</blockquote>
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div>loglevel=9</div>
<div>logging-facility=0</div>
<div>api=yes</div>
<div>api-key=xxxxx</div>
<div>master=yes</div>
<div>include-dir=/etc/powerdns/pdns.d</div>
<div><br>
</div>
</blockquote>
<div><br>
</div>
My powerdns listens on port 2053.</div>
</div>
</blockquote>
<p>That doesn't make sense either. You have "local-port=53", but
you say it listens on port 2053 ??</p>
<p>What does powerdns log when you try to make a zone transfer? Can
you use tcpdump to prove the query is arriving?<br>
</p>
<blockquote type="cite"
cite="mid:CADCGpEgbgidFkLoSXd+1XZF0cfeBYMRLw+Lvcu59onode7LoWg@mail.gmail.com">
<div dir="ltr">
<div><br>
<div>The AXFR request failed, see below:</div>
<div><br>
</div>
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div>[pduser@hyp03 ~]$ dig axfr @0 <a
href="http://cloud.lfpw.dsna.fr/" target="_blank"
moz-do-not-send="true">cloud.lfpw.dsna.fr</a> -p 2053</div>
<div><br>
</div>
<div>; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4
<<>> axfr @0 <a
href="http://cloud.lfpw.dsna.fr/" target="_blank"
moz-do-not-send="true">cloud.lfpw.dsna.fr</a> -p 2053</div>
<div>; (1 server found)</div>
<div>;; global options: +cmd</div>
<div>; Transfer failed.</div>
<div><br>
</div>
</blockquote>
</div>
</div>
</blockquote>
<p>It looks like you haven't copy-pasted correctly. "dig @0" is
certainly going to fail:</p>
<p>;; Connection to 0.0.0.0#2053(0.0.0.0) for cloud.lfpw.dsna.fr
failed: connection refused.<br>
</p>
<p>So I can only guess what host you're trying to transfer from. I
tried "dig @0.cloud.lfpw.dsna.fr", but that also fails because it
doesn't resolve.</p>
<p>Regards,</p>
<p>Brian.<br>
</p>
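<p>Added example (not from Brian's message and not PowerDNS code): a small Python lint for the AXFR-related settings quoted in this thread. It works on a constructed copy of the posted configuration, with TEST-NET addresses standing in for the masked ones. It parses the key=value lines, validates every allow-axfr-ips entry as an address prefix (an entry with stray spaces, as in the quoted text, is flagged rather than silently accepted), reports whether a given secondary's address would be permitted to transfer, and compares local-port with the port the server is believed to listen on, the mismatch Brian points out. The default ACL value and the expected-port argument are assumptions stated in the code.</p>

```python
"""Lint a PowerDNS Authoritative pdns.conf for the AXFR settings discussed
in the thread.  Added example, not part of the mailing-list message; the
configuration below is constructed (192.0.2.0/24 and 198.51.100.0/24 are
documentation ranges standing in for the masked addresses in the post)."""
import ipaddress
import re

SAMPLE_CONF = """\
local-address=0.0.0.0, ::
launch=ldap
guardian=yes
disable-axfr=no
allow-axfr-ips=127.0.0.0/8,192.0.2.10/32,198.51.100.7 / 32
local-port=53
master=yes
"""

# Assumed default for allow-axfr-ips when the key is absent from the file.
DEFAULT_AXFR_ACL = "127.0.0.0/8,::1"


def parse_pdns_conf(text):
    """Parse key=value lines into a dict; '#' comments and blank lines are
    skipped, and whitespace around '=' is tolerated."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_axfr_acl(conf):
    """Return (networks, problems): the parsed allow-axfr-ips prefixes and a
    list of human-readable findings for entries that cannot be used."""
    networks, problems = [], []
    if conf.get("disable-axfr", "no").lower() in ("yes", "true", "on", "1"):
        problems.append("disable-axfr is set: no zone transfer will be served")
    for entry in conf.get("allow-axfr-ips", DEFAULT_AXFR_ACL).split(","):
        entry = entry.strip()
        if not entry:
            continue
        if re.search(r"\s", entry):
            # e.g. "198.51.100.7 / 32": not a valid prefix, likely paste damage
            problems.append(f"whitespace inside ACL entry {entry!r}: not a valid prefix")
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            problems.append(f"not a valid address or prefix: {entry!r}")
    return networks, problems


def axfr_allowed(networks, client_ip):
    """True if client_ip falls inside any parsed allow-axfr-ips prefix."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


def check_listen_port(conf, expected_port):
    """Compare local-port (default 53) with the port the server is believed
    to listen on; returns (matches, configured_port)."""
    configured = int(conf.get("local-port", "53"))
    return configured == expected_port, configured


def lint(text, expected_port, secondary_ip):
    """Run all checks and return a summary dict."""
    conf = parse_pdns_conf(text)
    networks, problems = check_axfr_acl(conf)
    port_ok, configured = check_listen_port(conf, expected_port)
    if not port_ok:
        problems.append(f"local-port is {configured}, but server is expected on {expected_port}")
    return {
        "axfr_allowed_for_secondary": axfr_allowed(networks, secondary_ip),
        "acl_networks": [str(n) for n in networks],
        "problems": problems,
    }


if __name__ == "__main__":
    # 2053 is the port the original poster said the server listens on.
    for line in lint(SAMPLE_CONF, 2053, "198.51.100.7")["problems"]:
        print("PROBLEM:", line)
```

Run it as-is to see the two findings for the sample (the mangled ACL entry and the 53 vs 2053 mismatch); point it at a real file by replacing SAMPLE_CONF with the file's contents and passing the secondary's address that should be allowed to transfer.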
</body>
</html>