<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>In this specific test environment the pdns and the dnsdist are in
      the same VM and are running a slave zone.</p>
    <p>The problem is not the AXFR request, which works regularly.</p>
    <p>The problem arises when the master (192.168.1.1) sends a notify
      which is received by dnsdist (10.0.0.1:53) and forwarded to pdns on
      the same machine (127.0.0.1:5301, but the behavior is the same if I
      use the real IP instead of localhost): pdns doesn't request AXFR
      from the source (192.168.1.1) but from the dnsdist address
      (127.0.0.1:53 or 10.0.0.1:53, depending on the dnsdist
      configuration).</p>
    <p>On the log of the slave pdns you can see it is checking the dnsdist
      address, not the master address:</p>
    <p>Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Received NOTIFY for testslavezone.com from 10.0.0.1&lt;-192.168.1.1/32<br>
      Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Received NOTIFY for testslavezone.com from 10.0.0.1&lt;-192.168.1.1/32 - queueing check<br>
      Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Got NOTIFY for provaslavedns.com, going to check SOA serial<br>
      Apr 19 10:07:09 mydnsserver pdns_server[2531686]: 1 slave domain needs checking, 0 queued for AXFR<br>
      Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Received serial number updates for 1 zone<br>
      Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Domain 'testslavezone.com' is fresh (no DNSSEC), serial is 14 (checked master 10.0.0.1)<br>
    </p>
    <p>If I remove the IP 10.0.0.1 from the IPs which are masters for the
      domain, the notify is refused:</p>
    <p>Apr 19 10:15:00 mydnsserver pdns_server[2531686]: Received NOTIFY for provaslavedns.com from 10.0.0.1&lt;-192.168.1.1/32<br>
      Apr 19 10:15:00 mydnsserver pdns_server[2531686]: Received NOTIFY for provaslavedns.com from 10.0.0.1&lt;-192.168.1.1/32 which is not a master (Refused)</p>
    <p>So it seems that pdns ignores the EDNS source IP received from
      dnsdist.</p>
    <div class="moz-cite-prefix">On 19/04/2023 07:24, Andrey Vishnyakov
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:505441ED-4B37-4D1E-874B-051AC725EBFB@gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">Hi Badli,</div>
      <div dir="ltr"><br>
      </div>
      <div dir="ltr">Dnsdist does NAT on the traffic passing through it,
        so the source IP is changed. You should use allow-axfr-ips=10.0.0.1
        on PDNS</div>
      <div dir="ltr"><span style="font-size: 14.666667px;"><br>
        </span></div>
      <div dir="ltr"><span style="font-size: 14.666667px;">Best regards,</span></div>
      <div dir="ltr"><span style="font-size: 14.666667px;">Andrey</span></div>
      <div dir="ltr"><br>
        On 19 Apr 2023, at 02:15, Badli Al Rashid via Pdns-users
        <a class="moz-txt-link-rfc2396E" href="mailto:pdns-users@mailman.powerdns.com"><pdns-users@mailman.powerdns.com></a> wrote:<br>
        <br>
      </div>
      <div dir="ltr">
        <meta http-equiv="Content-Type" content="text/html;
          charset=UTF-8">
        <div dir="auto">Hi All,</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">For bind9 as primary, solve it by entering the
          option allow-axfr-ips. When I checked, the primary replicated to
          the secondary PowerDNS running with the bind backend.</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">Now left with primary PowerDNS to secondary bind9,
          with "NO AUTH" in the logs.</div>
        <div dir="auto"><span style="font-size: 12pt;"><br>
          </span></div>
        <div dir="auto" id="ms-outlook-mobile-signature">
          <div dir="auto">Regards,</div>
          <div dir="auto">-badli</div>
        </div>
        <div id="mail-editor-reference-message-container" dir="auto"><br>
          <hr style="display:inline-block;width:98%" tabindex="-1">
          <div id="divRplyFwdMsg" style="font-size: 11pt;"><strong>From:</strong>
            Pdns-users <a class="moz-txt-link-rfc2396E" href="mailto:pdns-users-bounces@mailman.powerdns.com"><pdns-users-bounces@mailman.powerdns.com></a>
            on behalf of Alessandro Caselli via Pdns-users
            <a class="moz-txt-link-rfc2396E" href="mailto:pdns-users@mailman.powerdns.com"><pdns-users@mailman.powerdns.com></a><br>
            <strong>Sent:</strong> Tuesday, April 18, 2023, 22:46<br>
            <strong>To:</strong> <a class="moz-txt-link-abbreviated" href="mailto:pdns-users@mailman.powerdns.com">pdns-users@mailman.powerdns.com</a>
            <a class="moz-txt-link-rfc2396E" href="mailto:pdns-users@mailman.powerdns.com"><pdns-users@mailman.powerdns.com></a><br>
            <strong>Subject:</strong> [Pdns-users] DnsDist and secondary
            pdns auth<br>
          </div>
          <br>
          <meta name="Generator" content="Microsoft Exchange Server">
          <!-- converted from text --><font size="2"><span
              style="font-size:11pt;">
              <div class="PlainText">Hello,<br>
                <br>
                I'm trying to install an infrastructure with a DNSdist
                frontend and a pdns authoritative backend, and I have a
                problem with the secondary zones. Please note that this
                environment could be used as a secondary server for some
                zones and as a primary server for other zones.<br>
                <br>
                I've already activated ECS EDNS on both pdns and dnsdist,
                and I can see the source IP on the backend, but pdns seems
                to ignore it. Am I missing some settings?<br>
                <br>
                --<br>
                <br>
                Test Environment<br>
                <br>
                dnsdist and pdns-auth are on the same server on different
                ports (in a real environment these should be separated,
                but I think the problem would be the same).<br>
                <br>
                dnsdist: 10.0.0.1 port 53<br>
                <br>
                pdns-auth: 10.0.0.1 port 5301<br>
                <br>
                External primary server: server1 192.168.1.1 (in a real
                environment this could be out of my control)<br>
                <br>
                - Relevant config on dnsdist:<br>
                <br>
                newServer({address="127.0.0.1:5301", useClientSubnet=true,
                name="be1", pool={"primary", "otherpool"}})<br>
                setECSSourcePrefixV4(32)<br>
                addAction(AllRule(), ECSPrefixLengthAction(32))<br>
                addAction(OrRule({QTypeRule(DNSQType.AXFR),
                QTypeRule(DNSQType.IXFR)}), SetSkipCacheAction())<br>
                addAction(AndRule({OpcodeRule(DNSOpcode.Notify),
                NotRule(makeRule("192.168.1.1"))}),
                RCodeAction(DNSRCode.REFUSED))<br>
                addAction(OrRule({QTypeRule(DNSQType.SOA),
                QTypeRule(DNSQType.AXFR), OpcodeRule(DNSOpcode.Notify),
                QTypeRule(DNSQType.IXFR)}), PoolAction("primary"))<br>
                addAction(OpcodeRule(DNSOpcode.Notify),
                SetSkipCacheAction())<br>
                <br>
                - Relevant config on pdns:<br>
                <br>
                allow-axfr-ips=192.168.1.1<br>
                allow-dnsupdate-from=192.168.1.1<br>
                allow-notify-from=192.168.1.1/32,127.0.0.1,192.168.1.1<br>
                edns-subnet-processing=yes<br>
                autosecondary=yes<br>
                secondary=yes<br>
                <br>
                <br>
                <br>
                <br>
                On the pdns log I can see the source address:<br>
                <br>
                Apr 18 14:22:11 mydnsserver pdns_server[2315325]: Received NOTIFY for testslavezone.com from 127.0.0.1&lt;-192.168.1.1/32<br>
                <br>
                The problem is that the source address seems ignored by
                pdns.<br>
                <br>
                When the master address of the zone is<br>
                <br>
                +-------------------+--------------+-------+<br>
                | name              | master       | type  |<br>
                +-------------------+--------------+-------+<br>
                | provaslavedns.com | 192.168.1.1  | SLAVE |<br>
                +-------------------+--------------+-------+<br>
                <br>
                On the log i can see<br>
                <br>
                Apr 18 14:22:11 mydnsserver  pdns_server[2315325]: Received NOTIFY for testslavezone.com from 127.0.0.1&lt;-192.168.1.1/32<br>
                Apr 18 14:22:11 mydnsserver  pdns_server[2315325]: Received NOTIFY for testslavezone.com from 127.0.0.1&lt;-192.168.1.1/32 which is not a master (Refused)<br>
                <br>
                <br>
                I've also tried with the CIDR on the master:<br>
                <br>
                +-------------------+-----------------+-------+<br>
                | name              | master          | type  |<br>
                +-------------------+-----------------+-------+<br>
                | provaslavedns.com | 192.168.1.1/32  | SLAVE |<br>
                +-------------------+-----------------+-------+<br>
                <br>
                but it doesn't seem supported:<br>
                <br>
                Apr 18 14:29:31 mydnsserver  pdns_server[2315325]: Received NOTIFY for testslavezone.com from 127.0.0.1&lt;-192.168.1.1/32<br>
                Apr 18 14:29:31 mydnsserver  pdns_server[2315325]: Backend reported permanent error which prevented lookup (Unable to convert presentation address '192.168.1.1/32'), aborting<br>
                <br>
                <br>
                When the zone is configured with both the master and
                localhost as master addresses:<br>
                <br>
                +-------------------+-------------------------+-------+<br>
                | name              | master                  | type  |<br>
                +-------------------+-------------------------+-------+<br>
                | provaslavedns.com | 192.168.1.1, 127.0.0.1  | SLAVE |<br>
                +-------------------+-------------------------+-------+<br>
                <br>
                The zone doesn't refresh after a notification:<br>
                <br>
                Apr 18 14:38:26 mydnsserver  pdns_server[2326542]: Received NOTIFY for testslavezone.com from 127.0.0.1&lt;-192.168.1.1/32<br>
                Apr 18 14:38:26 mydnsserver  pdns_server[2326542]: Received NOTIFY for testslavezone.com from 127.0.0.1&lt;-192.168.1.1/32 - queueing check<br>
                Apr 18 14:38:27 mydnsserver  pdns_server[2326542]: Got NOTIFY for testslavezone.com, going to check SOA serial<br>
                Apr 18 14:38:27 mydnsserver  pdns_server[2326542]: 1 slave domain needs checking, 0 queued for AXFR<br>
                Apr 18 14:38:27 mydnsserver  pdns_server[2326542]: Received serial number updates for 1 zone<br>
                Apr 18 14:38:27 mydnsserver  pdns_server[2326542]: Domain 'testslavezone.com' is fresh (no DNSSEC), serial is 14 (checked master 127.0.0.1)<br>
                <br>
                <br>
                The updated serial is 15<br>
                <br>
                root@mydnsserver:~# dig testslavezone.com SOA @192.168.1.1 +short<br>
                mymaster.mydns.com. hostmaster.mydns.com. 15 86400 7200 2592000 86400<br>
                <br>
                <br>
                _______________________________________________<br>
                Pdns-users mailing list<br>
                <a class="moz-txt-link-abbreviated" href="mailto:Pdns-users@mailman.powerdns.com">Pdns-users@mailman.powerdns.com</a><br>
                <a
                  href="https://mailman.powerdns.com/mailman/listinfo/pdns-users"
                  moz-do-not-send="true" class="moz-txt-link-freetext">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br>
              </div>
            </span></font><br>
        </div>
        <span>_______________________________________________</span><br>
        <span>Pdns-users mailing list</span><br>
        <span><a class="moz-txt-link-abbreviated" href="mailto:Pdns-users@mailman.powerdns.com">Pdns-users@mailman.powerdns.com</a></span><br>
        <span><a class="moz-txt-link-freetext" href="https://mailman.powerdns.com/mailman/listinfo/pdns-users">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a></span><br>
      </div>
    </blockquote>
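    <p>The log lines quoted in this thread show the pattern a reviewer of a
      dnsdist-fronted secondary would look for: pdns-auth prints both the
      IP-layer peer and the ECS-carried origin ("10.0.0.1&lt;-192.168.1.1/32"),
      but its "which is not a master (Refused)" decision and the "checked
      master" SOA query both use the peer, i.e. dnsdist's address. The audit
      script below is an added example, not code from this thread or from
      the PowerDNS project; it parses those two log shapes and reports when
      the master allow-list or the freshness check was applied to the proxy
      address rather than to the ECS origin. The sample log lines are
      constructed from the ones quoted above, and the zone-to-master map is
      a stand-in for the "master" column of the domains table.</p>

```python
"""Audit PowerDNS Authoritative log lines for secondary-zone decisions that
were taken on a proxy's IP address instead of the origin carried in EDNS
Client Subnet (ECS).

Added example for this thread, not code from the PowerDNS project. The two
log shapes matched below are copied from the lines quoted in the thread:

    Received NOTIFY for <zone> from <peer><-<ecs>/<prefix>[ which is not a master (Refused)]
    Domain '<zone>' is fresh (no DNSSEC), serial is N (checked master <addr>)
"""
import re
from typing import Dict, List, Optional, Tuple

NOTIFY_RE = re.compile(
    r"Received NOTIFY for (?P<zone>\S+)\s+from (?P<peer>[0-9a-fA-F.:]+)"
    r"(?:<-(?P<ecs>[0-9a-fA-F.:]+)/(?P<plen>\d+))?(?P<tail>.*)$"
)
CHECKED_RE = re.compile(
    r"Domain '(?P<zone>[^']+)' is fresh .*\(checked master (?P<master>[0-9a-fA-F.:]+)\)"
)

# (zone, finding kind, human-readable detail)
Finding = Tuple[str, str, str]


def audit(lines: List[str], configured_masters: Dict[str, List[str]]) -> List[Finding]:
    """Single pass over the log. Remember, per zone, the IP-layer peer and the
    ECS origin of the last NOTIFY, then judge the Refused / checked-master
    lines against that pair."""
    findings: List[Finding] = []
    last_notify: Dict[str, Tuple[str, Optional[str]]] = {}

    for line in lines:
        m = NOTIFY_RE.search(line)
        if m:
            zone, peer, ecs = m["zone"], m["peer"], m["ecs"]
            last_notify[zone] = (peer, ecs)
            # The ECS origin is a configured master, yet the NOTIFY was refused:
            # the allow-list was evaluated on the proxy's address, not the origin.
            if "(Refused)" in m["tail"] and ecs in configured_masters.get(zone, []):
                findings.append((zone, "refused-legit-origin",
                                 f"NOTIFY from configured master {ecs} refused; "
                                 f"the ACL matched peer {peer}"))
            continue

        m = CHECKED_RE.search(line)
        if m:
            zone, master = m["zone"], m["master"]
            peer, ecs = last_notify.get(zone, (None, None))
            # The SOA/AXFR freshness check went to the proxy, not to the origin.
            if ecs is not None and master == peer and master != ecs:
                findings.append((zone, "proxy-used-as-master",
                                 f"freshness check sent to proxy {peer} instead "
                                 f"of ECS origin {ecs}"))
    return findings


# Constructed sample, following the thread's lines (timestamps and PIDs kept).
SAMPLE_LOG = [
    "Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Received NOTIFY for testslavezone.com from 10.0.0.1<-192.168.1.1/32",
    "Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Received NOTIFY for testslavezone.com from 10.0.0.1<-192.168.1.1/32 - queueing check",
    "Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Got NOTIFY for testslavezone.com, going to check SOA serial",
    "Apr 19 10:07:09 mydnsserver pdns_server[2531686]: Domain 'testslavezone.com' is fresh (no DNSSEC), serial is 14 (checked master 10.0.0.1)",
    "Apr 19 10:15:00 mydnsserver pdns_server[2531686]: Received NOTIFY for testslavezone.com from 10.0.0.1<-192.168.1.1/32 which is not a master (Refused)",
]
# Stand-in for the 'master' column of the domains table (the real master only).
MASTERS = {"testslavezone.com": ["192.168.1.1"]}

if __name__ == "__main__":
    for zone, kind, detail in audit(SAMPLE_LOG, MASTERS):
        print(f"{zone}: {kind}: {detail}")
```

    <p>Both findings fire on the sample, which is the thread's situation in
      one run. The operational consequence is the one to keep in mind when
      following the advice to put 10.0.0.1 into allow-axfr-ips: every client
      that reaches dnsdist arrives at pdns from that address, so pdns's own
      allow-list no longer distinguishes the real primary from anyone else,
      and the source restriction has to be enforced in dnsdist instead. The
      config quoted in the thread already refuses NOTIFY from sources other
      than 192.168.1.1; the same source rule needs to cover AXFR, IXFR and
      SOA before they are sent to the "primary" pool, otherwise the zone is
      transferable by any client of the frontend. An alternative that keeps
      the decision in pdns is to pass the real client address with the PROXY
      protocol rather than ECS (dnsdist's useProxyProtocol option on
      newServer together with pdns-auth's proxy-protocol-from setting); that
      is stated here as an assumption to verify against the documentation
      of the versions in use, not something the thread itself confirms.</p>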
  </body>
</html>