<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>In this specific test enviroment the pdns and the dnsdist are in
the same vm and are running a slave zone.</p>
<p>The problem is not the AXFR request whic works regularry.</p>
<p>The problem arise when the master (<font size="2"><span
style="font-size:11pt;">192.168.1.1) send a notify which is
recieved by dnsdist (</span></font><font size="2"><span
style="font-size:11pt;">10.0.0.1:53) and forwarded to pdns on
the same machine (127.0.0.1:5301 but the behavior is the same
if I use the real IP instead of localhost), pdns doesnt
request AXFR to the source (192.168.1.1) but to the dnsdist
address (127.0.0.1:53 or </span></font><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;">10.0.0.1:53 depends on the dnsdist's
configurations)</span></font><font size="2"><span
style="font-size:11pt;"></span></font></p>
<p><font size="2"><span style="font-size:11pt;">On the log of the
slave pdns you can see is checking the dnsdist address, not
the master address:</span></font></p>
<p><font size="2"><span style="font-size:11pt;">Apr 19 10:07:09 </span></font><font
size="2"><span style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;">mydnsserver </span></font></span></font>pdns_server[2531686]:
Received NOTIFY for </span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;">testslavezone.com </span></font></span></font>from
</span></font><font size="2"><span style="font-size:11pt;"><font
size="2"><span style="font-size:11pt;"></span></font><font
size="2"><span style="font-size:11pt;"></span></font><font
size="2"><span style="font-size:11pt;">10.0.0.1</span></font><-</span></font><font
size="2"><span style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;">192.168.1.1</span></font>/32<br>
Apr 19 10:07:09 </span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;">mydnsserver </span></font></span></font>pdns_server[2531686]:
Received NOTIFY for </span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;">testslavezone.com </span></font></span></font>from
</span></font><font size="2"><span style="font-size:11pt;"><font
size="2"><span style="font-size:11pt;"></span></font><font
size="2"><span style="font-size:11pt;"></span></font><font
size="2"><span style="font-size:11pt;">10.0.0.1</span></font><-</span></font><font
size="2"><span style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;">192.168.1.1</span></font>/32 -
queueing check<br>
Apr 19 10:07:09 </span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;">mydnsserver </span></font></span></font>pdns_server[2531686]:
Got NOTIFY for provaslavedns.com, going to check SOA serial<br>
Apr 19 10:07:09 </span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;">mydnsserver </span></font></span></font>pdns_server[2531686]:
1 slave domain needs checking, 0 queued for AXFR<br>
Apr 19 10:07:09 </span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;">mydnsserver </span></font></span></font>pdns_server[2531686]:
Received serial number updates for 1 zone<br>
Apr 19 10:07:09 </span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;">mydnsserver </span></font></span></font>pdns_server[2531686]:
Domain '</span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;">testslavezone.com</span></font></span></font>'
is fresh (no DNSSEC), serial is 14 (checked master </span></font><font
size="2"><span style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;">10.0.0.1</span></font>)<br>
</span></font></p>
<p><font size="2"><span style="font-size:11pt;"><br>
</span></font></p>
<p><font size="2"><span style="font-size:11pt;">If i remove the ip </span></font><font
size="2"><span style="font-size:11pt;"></span></font><font
size="2"><span style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;">10.0.0.1 from the IP which are
masters for the domain the notify is refused</span></font></span></font><font
size="2"><span style="font-size:11pt;"></span><span
style="font-size:11pt;"><br>
</span></font></p>
<p><font size="2"><span style="font-size:11pt;">Apr 19 10:15:00 </span></font><font
size="2"><span style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;">mydnsserver </span></font></span></font></span></font>pdns_server[2531686]:
Received NOTIFY for provaslavedns.com from </span></font><font
size="2"><span style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;">10.0.0.1</span></font></span></font><-</span></font><font
size="2"><span style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;">192.168.1.1</span></font></span></font>/32<br>
Apr 19 10:15:00 </span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;">mydnsserver </span></font></span></font></span></font>pdns_server[2531686]:
Received NOTIFY for provaslavedns.com from </span></font><font
size="2"><span style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;">10.0.0.1</span></font></span></font><-</span></font><font
size="2"><span style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;"></span></font><font size="2"><span
style="font-size:11pt;"><font size="2"><span
style="font-size:11pt;">192.168.1.1</span></font></span></font>/32
which is not a master (Refused)</span></font></p>
<p><font size="2"><span style="font-size:11pt;"><br>
</span></font></p>
<p><font size="2"><span style="font-size:11pt;">So it seems that
pdns ignore the edns source IP recieved from dnsdist<br>
</span></font><font size="2"><span style="font-size:11pt;"></span></font></p>
<p><span style="font-size: 14.666667px;"><br>
</span></p>
<p><span style="font-size: 14.666667px;"><br>
</span></p>
<p><span style="font-size: 14.666667px;"><br>
</span></p>
<div class="moz-cite-prefix">Il 19/04/2023 07:24, Andrey Vishnyakov
ha scritto:<br>
</div>
<blockquote type="cite"
cite="mid:505441ED-4B37-4D1E-874B-051AC725EBFB@gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hi Badli,</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Dnsdist makes NAT on passing through traffic, so
Source IP is changed. You should use <span style="font-size:
14.666667px;">allow-axfr-ips=10.0.0.1 on PDNS</span></div>
<div dir="ltr"><span style="font-size: 14.666667px;"><br>
</span></div>
<div dir="ltr"><span style="font-size: 14.666667px;">Best regards,</span></div>
<div dir="ltr"><span style="font-size: 14.666667px;">Andrey</span></div>
<div dir="ltr"><br>
On 19 Apr 2023, at 02:15, Badli Al Rashid via Pdns-users
<a class="moz-txt-link-rfc2396E" href="mailto:pdns-users@mailman.powerdns.com"><pdns-users@mailman.powerdns.com></a> wrote:<br>
<br>
</div>
<div dir="ltr">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<div dir="auto">Hi All,</div>
<div dir="auto"><br>
</div>
<div dir="auto">For the bind9 as primary solve it by entering <span
style="font-size: 12pt;">option allow-axfr-ips. When I check
the primary replicated to secondary powerdns running with
bind backend.</span></div>
<div dir="auto"><span style="font-size: 12pt;"><br>
</span></div>
<div dir="auto"><span style="font-size: 12pt;">Now left with
primary powerdns to secondary bind9 with the "NO AUTH" in
logs.</span></div>
<div dir="auto"><span style="font-size: 12pt;"><br>
</span></div>
<div dir="auto" id="ms-outlook-mobile-signature">
<div dir="auto">Regards,</div>
<div dir="auto">-badli</div>
</div>
<div id="mail-editor-reference-message-container" dir="auto"><br>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" style="font-size: 11pt;"><strong>From:</strong>
Pdns-users <a class="moz-txt-link-rfc2396E" href="mailto:pdns-users-bounces@mailman.powerdns.com"><pdns-users-bounces@mailman.powerdns.com></a>
on behalf of Alessandro Caselli via Pdns-users
<a class="moz-txt-link-rfc2396E" href="mailto:pdns-users@mailman.powerdns.com"><pdns-users@mailman.powerdns.com></a><br>
<strong>Sent:</strong> Tuesday, April 18, 2023, 22:46<br>
<strong>To:</strong> <a class="moz-txt-link-abbreviated" href="mailto:pdns-users@mailman.powerdns.com">pdns-users@mailman.powerdns.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:pdns-users@mailman.powerdns.com"><pdns-users@mailman.powerdns.com></a><br>
<strong>Subject:</strong> [Pdns-users] DnsDist and secondary
pdns auth<br>
</div>
<br>
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text --><font size="2"><span
style="font-size:11pt;">
<div class="PlainText">Hello,<br>
<br>
i'm trying to install an infrastructure with a DNDDist
frontend and a <br>
pdns autoritative backend and i have a problem with the
secondary zones. <br>
Please note that this enviroment could be used as
secondary server for <br>
some zones and as a primary server for other zones.<br>
<br>
I've already activated ECS EDNS on both pdns and
dnsdist, and i can see <br>
the source IP on the backend but pdns seems to ignore
it. Am I missing <br>
some settings?<br>
<br>
--<br>
<br>
Test Enviroment<br>
<br>
dnsdist and pdns-auth are on the same server on
different port (in a <br>
real enviroment this should be separated, but i think
the problem would <br>
be the same).<br>
<br>
dnsdist: 10.0.0.1 port 53<br>
<br>
pdns-auth: 10.0.0.1 port 5301<br>
<br>
External primary server: server1 192.168.1.1 (this in a
real enviroment <br>
could be out of my control)<br>
<br>
- Relevant config on
dnsdist:newServer({address="127.0.0.1:5301", <br>
useClientSubnet=true, setECSSourcePrefixV4(32),
name="be1", <br>
pool={"primary", "otherpool"}})<br>
addAction(AllRule(), ECSPrefixLengthAction(32))<br>
addAction(OrRule({QTypeRule(DNSQType.AXFR),
QTypeRule(DNSQType.IXFR)}), <br>
SetSkipCacheAction())<br>
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), <br>
NotRule(makeRule("192.168.1.1"))}),
RCodeAction(DNSRCode.REFUSED))<br>
addAction(OrRule({QTypeRule(DNSQType.SOA),
QTypeRule(DNSQType.AXFR), <br>
OpcodeRule(DNSOpcode.Notify),
QTypeRule(DNSQType.IXFR)}), <br>
PoolAction("primary"))<br>
addAction(OpcodeRule(DNSOpcode.Notify),
SetSkipCacheAction())<br>
<br>
- Relevant config on pdns:<br>
<br>
allow-axfr-ips=192.168.1.1<br>
allow-dnsupdate-from=192.168.1.1<br>
allow-notify-from=192.168.1.1/32,127.0.0.1,192.168.1.1<br>
edns-subnet-processing=yes<br>
autosecondary=yes<br>
secondary=yes<br>
<br>
<br>
<br>
<br>
On the pdns log I can see the source address:<br>
<br>
Apr 18 14:22:11 mydnsserver pdns_server[2315325]:
Received NOTIFY for <br>
testslavezone.com from 127.0.0.1<-192.168.1.1/32<br>
<br>
The problem is that the source address seems ignored by
pdns.<br>
<br>
When the master address of the zone is<br>
<br>
+-------------------+--------------+-------+<br>
| name | master | type |<br>
+-------------------+--------------+-------+<br>
| provaslavedns.com | 192.168.1.1 | SLAVE |<br>
+-------------------+--------------+-------+<br>
<br>
On the log i can see<br>
<br>
Apr 18 14:22:11 mydnsserver pdns_server[2315325]:
Received NOTIFY for <br>
testslavezone.com from 127.0.0.1<-192.168.1.1/32<br>
Apr 18 14:22:11 mydnsserver pdns_server[2315325]:
Received NOTIFY for <br>
testslavezone.com from 127.0.0.1<-192.168.1.1/32
which is not a master <br>
(Refused)<br>
<br>
<br>
I've altro tried with the CIDR on the master:<br>
<br>
+-------------------+-----------------+-------+<br>
| name | master | type |<br>
+-------------------+-----------------+-------+<br>
| provaslavedns.com | 192.168.1.1/32 | SLAVE |<br>
+-------------------+-----------------+-------+<br>
<br>
but doesnt seem supported:<br>
<br>
Apr 18 14:29:31 mydnsserver pdns_server[2315325]:
Received NOTIFY for <br>
testslavezone.com from 127.0.0.1<-192.168.1.1/32<br>
Apr 18 14:29:31 mydnsserver pdns_server[2315325]:
Backend reported <br>
permanent error which prevented lookup (Unable to
convert presentation <br>
address '192.168.1.1/32'), aborting<br>
<br>
<br>
Whe the zone is configured with both master and
localhost as masters <br>
adresses:<br>
<br>
+-------------------+-------------------------+-------+<br>
| name | master | type |<br>
+-------------------+-------------------------+-------+<br>
| provaslavedns.com | 192.168.1.1, 127.0.0.1 | SLAVE |<br>
+-------------------+-------------------------+-------+<br>
<br>
The zone doesen't refresh after a notification:<br>
<br>
Apr 18 14:38:26 mydnsserver pdns_server[2326542]:
Received NOTIFY for <br>
testslavezone.com from 127.0.0.1<-192.168.1.1/32<br>
Apr 18 14:38:26 mydnsserver pdns_server[2326542]:
Received NOTIFY for <br>
testslavezone.com from 127.0.0.1<-192.168.1.1/32 -
queueing check<br>
Apr 18 14:38:27 mydnsserver pdns_server[2326542]: Got
NOTIFY for <br>
testslavezone.com, going to check SOA serial<br>
Apr 18 14:38:27 mydnsserver pdns_server[2326542]: 1
slave domain needs <br>
checking, 0 queued for AXFR<br>
Apr 18 14:38:27 mydnsserver pdns_server[2326542]:
Received serial <br>
number updates for 1 zone<br>
Apr 18 14:38:27 mydnsserver pdns_server[2326542]:
Domain <br>
'testslavezone.com' is fresh (no DNSSEC), serial is 14
(checked master <br>
127.0.0.1)<br>
<br>
<br>
The updated serial is 15<br>
<br>
root@mydnsserver:~# dig testslavezone.com SOA
@192.168.1.1 +short<br>
mymaster.mydns.com. hostmaster.mydns.com. 15 86400 7200
2592000 86400<br>
<br>
<br>
_______________________________________________<br>
Pdns-users mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:Pdns-users@mailman.powerdns.com">Pdns-users@mailman.powerdns.com</a><br>
<a
href="https://mailman.powerdns.com/mailman/listinfo/pdns-users"
moz-do-not-send="true" class="moz-txt-link-freetext">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a><br>
</div>
</span></font><br>
</div>
<span>_______________________________________________</span><br>
<span>Pdns-users mailing list</span><br>
<span><a class="moz-txt-link-abbreviated" href="mailto:Pdns-users@mailman.powerdns.com">Pdns-users@mailman.powerdns.com</a></span><br>
<span><a class="moz-txt-link-freetext" href="https://mailman.powerdns.com/mailman/listinfo/pdns-users">https://mailman.powerdns.com/mailman/listinfo/pdns-users</a></span><br>
</div>
</blockquote>
</body>
</html>