<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 22/06/2021 23:30, Cheikh Dieng
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CADCGpEisnYR+RTdUbjV7uKiymajcrmig3Z6wOqLT4RYHqhNuRQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">Hi, excuse me for the delay.
<div><br>
</div>
<div>For context: </div>
<div>My powerdns listens on port 2053</div>
<div>My dnsdist listens on port 1053</div>
<div>We are translating port 53 (from external
requests) to 1053. That's why from external we use port 53
and internally we can use port 1053 or 2053</div>
</div>
</div>
</blockquote>
<p>In that case I would have thought your powerdns authoritative
needs "local-port = 2053", not "local-port = 53"</p>
<p>Do you have a particular reason for using dnsdist? It does add
complexity that is often not required.<br>
</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:CADCGpEisnYR+RTdUbjV7uKiymajcrmig3Z6wOqLT4RYHqhNuRQ@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div><br>
</div>
<br>
<div>
<blockquote style="margin:0 0 0
40px;border:none;padding:0px">
<blockquote
style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px;margin-top:0px;margin-bottom:0px">
<div
style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit"><span
style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:8pt;line-height:inherit;font-family:inherit;vertical-align:baseline;color:inherit"> <b> Detail:
DNS problem: query timed out looking up TXT for _<a
href="http://acme-challenge.cloud.lfpw.dsna.fr"
moz-do-not-send="true">acme-challenge.cloud.lfpw.dsna.fr</a></b></span></div>
</blockquote>
</blockquote>
</div>
</div>
</div>
</blockquote>
<p>As I explained before, your entire domain "cloud.lfpw.dsna.fr" is
broken. ACME challenges and DNS updates are not the problem; the
problem is that *nobody* can resolve *any* address within that
domain.<br>
</p>
<p><font face="monospace">$ dig @8.8.8.8 cloud.lfpw.dsna.fr. soa<br>
<br>
...<br>
;; Got answer:<br>
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: <b>SERVFAIL</b>,
id: 7572</font><br>
</p>
<p><br>
</p>
<p>That's the problem you need to fix first. To repeat:<br>
</p>
<p>$ dig +trace @8.8.8.8 cloud.lfpw.dsna.fr<br>
...<br>
lfpw.dsna.fr. 86400 IN NS vitre.cena.fr.<br>
lfpw.dsna.fr. 86400 IN NS hilar.cena.fr.<br>
</p>
<p>dig +norec @vitre.cena.fr. cloud.lfpw.dsna.fr. txt >>
answer is SERVFAIL<br>
</p>
<p>dig +norec @hilar.cena.fr. cloud.lfpw.dsna.fr. txt >>
gives delegation (NS) to vitre.cena.fr. and
vip-in.cloud.lfpw.dsna.fr.</p>
<p>>> we already know that vitre.cena.fr gives SERVFAIL</p>
<p>>> we cannot resolve the name vip-in.cloud.lfpw.dsna.fr,
and therefore we cannot send a DNS query to it</p>
<p>>> therefore, 2 out of 2 nameservers for cloud.lfpw.dsna.fr
are not reachable</p>
<p>>> therefore, the entire domain cloud.lfpw.dsna.fr is
broken<br>
</p>
<br>
<blockquote type="cite"
cite="mid:CADCGpEisnYR+RTdUbjV7uKiymajcrmig3Z6wOqLT4RYHqhNuRQ@mail.gmail.com">
<div dir="ltr">
<blockquote style="margin:0 0 0 40px;border:none;padding:0px"><br>
</blockquote>
<div dir="ltr">
<div>As a first conclusion, I understand from your reply that:</div>
<div>
<ul>
<li> the Let's Encrypt DNS-01 challenge does not
use zone transfers</li>
<li><a href="http://cloud.lfpw.dsna.fr"
moz-do-not-send="true">cloud.lfpw.dsna.fr</a> is a
subdomain and doesn't have to configure delegation (it
makes sense). This delegation configuration should be
done at the parent level (<a href="http://lfpw.dsna.fr"
moz-do-not-send="true">lfpw.dsna.fr</a>) <br>
</li>
</ul>
</div>
</div>
</div>
</blockquote>
<p>The delegation is done at the parent level, yes. However the
delegated domain still needs to contain NS records and a SOA
record for its own zone.<br>
</p>
<p>Regards,</p>
<p>Brian.<br>
</p>
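<p>The delegation walk in the reply (dig +trace to find the parent's nameservers, then dig +norec against each delegated nameserver, then counting how many of them are actually reachable) and its closing point that a delegated zone must still carry SOA and NS records at its own apex can be turned into a repeatable check. The following is an added example written for this page; it is not code from the original thread, from PowerDNS or from dnsdist. It runs entirely offline: the zone data is constructed to reproduce the failure described above (one delegated NS answers SERVFAIL, the other is an in-bailiwick name with no glue, so it cannot be resolved at all), and a second constructed data set shows what a healthy delegation of the same zone looks like. The IP addresses (192.0.2.x) and the SOA content are placeholders.</p>

```python
"""Offline re-enactment of the delegation walk in the reply above.

Added example: NOT code from the original thread, PowerDNS or dnsdist.
Zone data is CONSTRUCTED to reproduce the described failure; no real
server is contacted. The audit also applies the reply's last point:
a delegated zone must carry SOA and NS records at its apex.
"""
from dataclasses import dataclass
from typing import Optional

SERVFAIL = "SERVFAIL"
NXDOMAIN = "NXDOMAIN"


@dataclass
class Server:
    """A non-recursive (dig +norec) view of one authoritative server."""
    name: str
    address: Optional[str]       # None: no A/glue record known, cannot be queried
    responses: dict              # (qname, qtype) -> response
    default: object = SERVFAIL   # response for anything not listed

    def query(self, qname, qtype):
        return self.responses.get((qname.lower(), qtype.upper()), self.default)


def delegation_of(zone, parent_servers, servers):
    """Step 1 (like dig +trace): ask the parent's servers who serves `zone`."""
    delegated = set()
    for ns_name in parent_servers:
        srv = servers.get(ns_name)
        if srv is None or srv.address is None:
            continue
        resp = srv.query(zone, "NS")
        if isinstance(resp, tuple) and resp[0] in ("DELEGATION", "ANSWER"):
            delegated.update(resp[1])
    return sorted(delegated)


def audit_zone(zone, parent_servers, servers):
    """Steps 2-3: query each delegated NS as dig +norec would and classify it."""
    report = {}
    for ns_name in delegation_of(zone, parent_servers, servers):
        srv = servers.get(ns_name)
        if srv is None or srv.address is None:
            report[ns_name] = "unresolvable"   # cannot even send it a query
            continue
        soa = srv.query(zone, "SOA")
        if soa in (SERVFAIL, NXDOMAIN):
            report[ns_name] = soa
        elif soa[0] == "DELEGATION":
            report[ns_name] = "no zone data (refers onward)"
        else:
            ns = srv.query(zone, "NS")   # apex must also answer NS
            has_ns = isinstance(ns, tuple) and ns[0] == "ANSWER" and bool(ns[1])
            report[ns_name] = "ok" if has_ns else "SOA but no NS at apex"
    return report


def usable_nameservers(report):
    """Names that answered authoritatively with both SOA and NS at the apex."""
    return [n for n, status in report.items() if status == "ok"]


ZONE = "cloud.lfpw.dsna.fr."
PARENT_NS = ["vitre.cena.fr.", "hilar.cena.fr."]   # as seen in the dig +trace output
DELEG = ("DELEGATION", ["vitre.cena.fr.", "vip-in.cloud.lfpw.dsna.fr."])

# Constructed: the situation the reply describes (placeholder addresses).
BROKEN = {
    "hilar.cena.fr.": Server("hilar.cena.fr.", "192.0.2.1", {}, default=DELEG),
    "vitre.cena.fr.": Server("vitre.cena.fr.", "192.0.2.2", {}, default=SERVFAIL),
    # in-bailiwick NS with no glue: nobody can learn its address
    "vip-in.cloud.lfpw.dsna.fr.": Server("vip-in.cloud.lfpw.dsna.fr.", None, {}),
}

# Constructed: the same delegation once the child zone is really served.
APEX = {
    (ZONE, "SOA"): ("ANSWER", ["vitre.cena.fr. hostmaster.cloud.lfpw.dsna.fr. 1 3600 900 1209600 300"]),
    (ZONE, "NS"): ("ANSWER", ["vitre.cena.fr.", "vip-in.cloud.lfpw.dsna.fr."]),
}
FIXED = {
    "hilar.cena.fr.": Server("hilar.cena.fr.", "192.0.2.1", {}, default=DELEG),
    "vitre.cena.fr.": Server("vitre.cena.fr.", "192.0.2.2", dict(APEX)),
    "vip-in.cloud.lfpw.dsna.fr.": Server("vip-in.cloud.lfpw.dsna.fr.", "192.0.2.3", dict(APEX)),
}

if __name__ == "__main__":
    for label, servers in (("broken", BROKEN), ("fixed", FIXED)):
        rep = audit_zone(ZONE, PARENT_NS, servers)
        print(label, rep, "usable:", len(usable_nameservers(rep)), "of", len(rep))
```

<p>With the constructed "broken" data the audit ends with zero usable nameservers, which is exactly the conclusion drawn in the reply; swapping in the "fixed" data shows both nameservers answering with SOA and NS at the apex. Against real infrastructure the same three steps are the dig commands quoted above.</p>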
</body>
</html>