<div dir="ltr">Many thanks,<div><br></div><div><font size="4">It's clear to me. For dnsdist I need HA for my Powerdns.</font></div><div><br></div><div>>>The delegation is done at the parent level, yes. However the delegated domain still needs to contain NS records and a SOA record for its own zone:<br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div>Yes, here are some details:</div></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><span style="margin:0px;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;font-size:10.6667px;line-height:inherit;font-family:Calibri,Arial,Helvetica,sans-serif;vertical-align:baseline;color:rgb(0,0,0)">[pduser@hyp03 ~]$ </span><span style="margin:0px;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;font-size:10.6667px;line-height:inherit;font-family:Calibri,Arial,Helvetica,sans-serif;vertical-align:baseline;color:rgb(12,100,192)">podman exec pdns pdnsutil list-zone <a href="http://cloud.lfpw.dsna.fr">cloud.lfpw.dsna.fr</a></span><span style="margin:0px;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;font-size:10.6667px;line-height:inherit;font-family:Calibri,Arial,Helvetica,sans-serif;vertical-align:baseline;color:rgb(0,0,0)"><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">Jun 10 15:53:06 [LdapBackend] LDAP servers = ldap://<a href="http://200.17.66.30:1389/">200.17.66.30:1389/</a></div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">Jun 10 15:53:06 [LdapBackend] Ldap connection succeeded</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">Jun 10 15:53:06 [LdapBackend] LDAP servers = ldap://<a href="http://200.17.66.30:1389/">200.17.66.30:1389/</a></div><div 
style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">Jun 10 15:53:06 [LdapBackend] Ldap connection succeeded</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">Jun 10 15:53:06 [LdapBackend] Search = basedn: dc=cloud,dc=lfpw,dc=dsna,dc=fr, filter: (associatedDomain=*.<a href="http://cloud.lfpw.dsna.fr">cloud.lfpw.dsna.fr</a>)</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">$ORIGIN .</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">Jun 10 15:53:06 [LdapBackend] Record = qname: <a href="http://cloud.lfpw.dsna.fr">cloud.lfpw.dsna.fr</a>, qtype: SOA, ttl: 3600, content: <a href="http://ns.cloud.lfpw.dsna.fr">ns.cloud.lfpw.dsna.fr</a> <a href="mailto:hostmaster@cloud.lfpw.dsna.fr">hostmaster@cloud.lfpw.dsna.fr</a> 2002010401 1800 3600 604800 84600</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">Jun 10 15:53:06 [LdapBackend] Record = qname: <a href="http://cloud.lfpw.dsna.fr">cloud.lfpw.dsna.fr</a>, qtype: NS, ttl: 3600, content: <a href="http://ns.cloud.lfpw.dsna.fr">ns.cloud.lfpw.dsna.fr</a></div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">Jun 10 15:53:06 [LdapBackend] Record = qname: <a href="http://cloud.lfpw.dsna.fr">cloud.lfpw.dsna.fr</a>, qtype: MX, ttl: 3600, content: 20 <a href="http://mail2.cloud.lfpw.dsna.fr">mail2.cloud.lfpw.dsna.fr</a></div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">Jun 10 15:53:06 [LdapBackend] Record = qname: <a href="http://cloud.lfpw.dsna.fr">cloud.lfpw.dsna.fr</a>, qtype: MX, ttl: 3600, content: 10 <a href="http://mail.cloud.lfpw.dsna.fr">mail.cloud.lfpw.dsna.fr</a></div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">Jun 10 
15:53:06 [LdapBackend] Record = qname: <a href="http://cloud.lfpw.dsna.fr">cloud.lfpw.dsna.fr</a>, qtype: A, ttl: 3600, content: 195.83.98.243</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">Jun 10 15:53:06 [LdapBackend] Record = qname: *.<a href="http://cloud.lfpw.dsna.fr">cloud.lfpw.dsna.fr</a>, qtype: A, ttl: 3600, content: 195.83.98.243</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">Jun 10 15:53:06 [LdapBackend] Record = qname: <a href="http://vip-in.cloud.lfpw.dsna.fr">vip-in.cloud.lfpw.dsna.fr</a>, qtype: A, ttl: 3600, content: 195.83.98.243</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">Jun 10 15:53:06 [LdapBackend] Record = qname: <a href="http://mail2.cloud.lfpw.dsna.fr">mail2.cloud.lfpw.dsna.fr</a>, qtype: CNAME, ttl: 3600, content: <a href="http://vip-in.cloud.lfpw.dsna.fr">vip-in.cloud.lfpw.dsna.fr</a></div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">Jun 10 15:53:06 [LdapBackend] Record = qname: <a href="http://www.cloud.lfpw.dsna.fr">www.cloud.lfpw.dsna.fr</a>, qtype: CNAME, ttl: 3600, content: <a href="http://vip-in.cloud.lfpw.dsna.fr">vip-in.cloud.lfpw.dsna.fr</a></div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">Jun 10 15:53:06 [LdapBackend] Record = qname: _<a href="http://acme-challenge.cloud.lfpw.dsna.fr">acme-challenge.cloud.lfpw.dsna.fr</a>, qtype: TXT, ttl: 3600, content: "G4d-NJvGcOyN4L6FPZunTfRYeuVOvOG3afGjCby6Ncs"</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit"><a href="http://cloud.lfpw.dsna.fr">cloud.lfpw.dsna.fr</a> 3600 IN SOA <a href="http://ns.cloud.lfpw.dsna.fr">ns.cloud.lfpw.dsna.fr</a> <a href="mailto:hostmaster@cloud.lfpw.dsna.fr">hostmaster@cloud.lfpw.dsna.fr</a> 2002010401 1800 3600 604800 84600</div><div 
style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit"><a href="http://cloud.lfpw.dsna.fr">cloud.lfpw.dsna.fr</a> 3600 IN NS <a href="http://ns.cloud.lfpw.dsna.fr">ns.cloud.lfpw.dsna.fr</a>.</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit"><a href="http://cloud.lfpw.dsna.fr">cloud.lfpw.dsna.fr</a> 3600 IN MX 20 <a href="http://mail2.cloud.lfpw.dsna.fr">mail2.cloud.lfpw.dsna.fr</a>.</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit"><a href="http://cloud.lfpw.dsna.fr">cloud.lfpw.dsna.fr</a> 3600 IN MX 10 <a href="http://mail.cloud.lfpw.dsna.fr">mail.cloud.lfpw.dsna.fr</a>.</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit"><a href="http://cloud.lfpw.dsna.fr">cloud.lfpw.dsna.fr</a> 3600 IN A 195.83.98.243</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">*.<a href="http://cloud.lfpw.dsna.fr">cloud.lfpw.dsna.fr</a> 3600 IN A 195.83.98.243</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit"><a href="http://vip-in.cloud.lfpw.dsna.fr">vip-in.cloud.lfpw.dsna.fr</a> 3600 IN A 195.83.98.243</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit"><a href="http://mail2.cloud.lfpw.dsna.fr">mail2.cloud.lfpw.dsna.fr</a> 3600 IN CNAME <a href="http://vip-in.cloud.lfpw.dsna.fr">vip-in.cloud.lfpw.dsna.fr</a>.</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit"><a href="http://www.cloud.lfpw.dsna.fr">www.cloud.lfpw.dsna.fr</a> 3600 IN CNAME <a href="http://vip-in.cloud.lfpw.dsna.fr">vip-in.cloud.lfpw.dsna.fr</a>.</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit">_<a 
href="http://acme-challenge.cloud.lfpw.dsna.fr">acme-challenge.cloud.lfpw.dsna.fr</a> 3600 IN TXT "G4d-NJvGcOyN4L6FPZunTfRYeuVOvOG3afGjCby6Ncs"</div><div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit"><br></div></span></blockquote><font color="#000000" face="Calibri, Arial, Helvetica, sans-serif" size="4">This is my LDAP declaration for the basedn; just tell me if it's correct:</font><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div>dn: dc=cloud,dc=lfpw,dc=dsna,dc=fr<br>objectClass: top<br>objectClass: domainRelatedObject<br>objectClass: dNSDomain2<br>objectClass: PdnsDomain<br>dc: cloud<br>sOARecord: <a href="http://ns.cloud.lfpw.dsna.fr">ns.cloud.lfpw.dsna.fr</a> <a href="mailto:hostmaster@cloud.lfpw.dsna.fr">hostmaster@cloud.lfpw.dsna.fr</a> 2002010401 1800 3600 604800 84600<br>nSRecord: <a href="http://ns.cloud.lfpw.dsna.fr">ns.cloud.lfpw.dsna.fr</a><br>mXRecord: 10 <a href="http://mail.cloud.lfpw.dsna.fr">mail.cloud.lfpw.dsna.fr</a><br>mXRecord: 20 <a href="http://mail2.cloud.lfpw.dsna.fr">mail2.cloud.lfpw.dsna.fr</a><br>arecord: 195.83.98.243<br>associateddomain: <a href="http://cloud.lfpw.dsna.fr">cloud.lfpw.dsna.fr</a><br>PdnsDomainId: 1<br>PdnsDomainType: master<br>PdnsDomainMaster: 200.17.xx.xx<br></div></blockquote><div><div><font color="#000000" face="Calibri, Arial, Helvetica, sans-serif"><br></font></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><font color="#000000" face="Calibri, Arial, Helvetica, sans-serif"><br></font></div></blockquote><div><div>Thanks for your reply!</div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 23 Jun 2021 at 09:24, Brian Candler <<a href="mailto:b.candler@pobox.com">b.candler@pobox.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>On 22/06/2021 23:30, Cheikh Dieng
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">Hi, excuse me for the delay.
<div><br>
</div>
<div>For context: </div>
<div>My powerdns listen in port 2053</div>
<div>My dnsdist listen in port 1053</div>
<div>We are translating port 53 (from external
requests) to 1053. That's why externally we use port 53
and internally we can use port 1053 or 2053</div>
</div>
</div>
</blockquote>
<p>In that case I would have thought your powerdns authoritative
needs "local-port = 2053", not "local-port = 53"</p>
<p>Do you have a particular reason for using dnsdist? It does add
complexity that is often not required.<br>
</p>
<p><br>
</p>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div><br>
</div>
<br>
<div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<blockquote style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:16px;margin-top:0px;margin-bottom:0px">
<div style="margin:0px;padding:0px;border:0px;font:inherit;vertical-align:baseline;color:inherit"><span style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:8pt;line-height:inherit;font-family:inherit;vertical-align:baseline;color:inherit"> <b> Detail:
DNS problem: query timed out looking up TXT for _<a href="http://acme-challenge.cloud.lfpw.dsna.fr" target="_blank">acme-challenge.cloud.lfpw.dsna.fr</a></b></span></div>
</blockquote>
</blockquote>
</div>
</div>
</div>
</blockquote>
<p>As I explained before, your entire domain "<a href="http://cloud.lfpw.dsna.fr" target="_blank">cloud.lfpw.dsna.fr</a>" is
broken. ACME challenges and DNS updates are not the problem; the
problem is that *nobody* can resolve *any* address within that
domain.<br>
</p>
<p><font face="monospace">$ dig @<a href="http://8.8.8.8" target="_blank">8.8.8.8</a> <a href="http://cloud.lfpw.dsna.fr" target="_blank">cloud.lfpw.dsna.fr</a>. soa<br>
<br>
...<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: <b>SERVFAIL</b>,
id: 7572</font><br>
</p>
<p><br>
</p>
<p>That's the problem you need to fix first. To repeat:<br>
</p>
<p>$ dig +trace @<a href="http://8.8.8.8" target="_blank">8.8.8.8</a> <a href="http://cloud.lfpw.dsna.fr" target="_blank">cloud.lfpw.dsna.fr</a><br>
...<br>
<a href="http://lfpw.dsna.fr" target="_blank">lfpw.dsna.fr</a>. 86400 IN NS <a href="http://vitre.cena.fr" target="_blank">vitre.cena.fr</a>.<br>
<a href="http://lfpw.dsna.fr" target="_blank">lfpw.dsna.fr</a>. 86400 IN NS <a href="http://hilar.cena.fr" target="_blank">hilar.cena.fr</a>.<br>
</p>
<p>dig +norec @<a href="http://vitre.cena.fr" target="_blank">vitre.cena.fr</a>. <a href="http://cloud.lfpw.dsna.fr" target="_blank">cloud.lfpw.dsna.fr</a>. txt >>
answer is SERVFAIL<br>
</p>
<p>dig +norec @<a href="http://hilar.cena.fr" target="_blank">hilar.cena.fr</a>. <a href="http://cloud.lfpw.dsna.fr" target="_blank">cloud.lfpw.dsna.fr</a>. txt >>
gives delegation (NS) to <a href="http://vitre.cena.fr" target="_blank">vitre.cena.fr</a>. and
<a href="http://vip-in.cloud.lfpw.dsna.fr" target="_blank">vip-in.cloud.lfpw.dsna.fr</a>.</p>
<p>>> we already know that <a href="http://vitre.cena.fr" target="_blank">vitre.cena.fr</a> gives SERVFAIL</p>
<p>>> we cannot resolve the name <a href="http://vip-in.cloud.lfpw.dsna.fr" target="_blank">vip-in.cloud.lfpw.dsna.fr</a>,
and therefore we cannot send a DNS query to it</p>
<p>>> therefore, 2 out of 2 nameservers for <a href="http://cloud.lfpw.dsna.fr" target="_blank">cloud.lfpw.dsna.fr</a>
are not reachable</p>
<p>>> therefore, the entire domain <a href="http://cloud.lfpw.dsna.fr" target="_blank">cloud.lfpw.dsna.fr</a> is
broken<br>
</p>
<br>
<blockquote type="cite">
<div dir="ltr">
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><br>
</blockquote>
<div dir="ltr">
<div>As a first conclusion, I understand from your reply that:</div>
<div>
<ul>
<li> the Letsencrypt protocol DNS01 challenge does not
use zone transfers</li>
<li><a href="http://cloud.lfpw.dsna.fr" target="_blank">cloud.lfpw.dsna.fr</a> is a
subdomain and doesn't have to configure delegation (it
makes sense). This delegation configuration should be
done at parent level (<a href="http://lfpw.dsna.fr" target="_blank">lfpw.dsna.fr</a>) <br>
</li>
</ul>
</div>
</div>
</div>
</blockquote>
<p>The delegation is done at the parent level, yes. However the
delegated domain still needs to contain NS records and a SOA
record for its own zone.<br>
</p>
<p>Regards,</p>
<p>Brian.<br>
</p>
</div>
</blockquote></div>
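<p>Added example (not from this thread or from PowerDNS): an offline check for the two points Brian raises, that the child zone carries its own SOA and NS at the apex, and that the nameservers the parent delegates to are the ones the child declares and are actually reachable. It parses the <code>name ttl IN type content</code> layout that <code>pdnsutil list-zone</code> prints; the zone data and the parent's delegation set are constructed placeholders modelled on the mismatch visible above (parent hands out one NS name, child declares another, and the in-zone NS name only exists via a wildcard).</p>

```python
"""Offline delegation sanity check for a child zone (added example)."""
from collections import defaultdict

# Constructed sample in the `name ttl IN type content` layout that
# `pdnsutil list-zone` prints; names and addresses are placeholders.
CHILD_ZONE = "cloud.example.net"
CHILD_RECORDS = """\
$ORIGIN .
cloud.example.net 3600 IN SOA ns.cloud.example.net hostmaster.cloud.example.net 2002010401 1800 3600 604800 84600
cloud.example.net 3600 IN NS ns.cloud.example.net.
cloud.example.net 3600 IN A 192.0.2.10
*.cloud.example.net 3600 IN A 192.0.2.10
vip-in.cloud.example.net 3600 IN A 192.0.2.10
www.cloud.example.net 3600 IN CNAME vip-in.cloud.example.net.
"""
# NS names the parent (example.net) hands out for the child (constructed).
PARENT_DELEGATION = {"ns1.parent-host.example", "vip-in.cloud.example.net."}


def parse_zone(text):
    """Return {(owner, rtype): [content, ...]}; trailing dots stripped."""
    rrs = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skips $ORIGIN and backend log lines
        owner, _ttl, _cls, rtype, content = parts
        rrs[(owner.rstrip("."), rtype)].append(content.rstrip("."))
    return rrs


def check_delegation(zone, records_text, parent_ns):
    """List problems that would leave resolvers unable to use the zone."""
    rrs = parse_zone(records_text)
    problems = []
    if not rrs.get((zone, "SOA")):
        problems.append("apex has no SOA record")
    child_ns = {c.split()[0] for c in rrs.get((zone, "NS"), [])}
    parent_set = {n.rstrip(".") for n in parent_ns}
    if not child_ns:
        problems.append("apex has no NS record")
    elif child_ns != parent_set:
        problems.append("parent delegation NS set differs from child NS set")
    # An in-zone nameserver needs an explicit address record (and matching
    # glue at the parent); a wildcard A record does not provide glue.
    for ns in sorted(child_ns | parent_set):
        if ns.endswith("." + zone) and not (rrs.get((ns, "A")) or rrs.get((ns, "AAAA"))):
            problems.append(f"in-zone nameserver {ns} has no explicit A/AAAA record")
    return problems
```

Run <code>check_delegation(CHILD_ZONE, CHILD_RECORDS, PARENT_DELEGATION)</code> against real <code>pdnsutil list-zone</code> output and the NS set from <code>dig +norec</code> at the parent to get the same report for a live zone.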