[Pdns-users] Can't make AXFR work with LDAP backend
Kenneth Marshall
ktm at rice.edu
Fri Dec 3 13:49:27 UTC 2010
On Fri, Dec 03, 2010 at 12:43:53PM +0100, David Douard wrote:
> Hi everybody,
>
> I am using PowerDNS from Debian Squeeze with LDAP backend.
>
> The problem is that I have never been able to make AXFR dig. I have had the problem
> for years now, but until now, I never really needed to make it work. But I'd
> like now to use a PowerDNS server as shadow master for my public zone (the DNS
> server is BIND9).
>
> When I do on the machine running powerdns:
>
> dig @localhost logilab.fr AXFR
>
> I sometimes get the correct result, but most of the times, I have a:
>
> ;; Got bad packet: out of range
> 473 bytes
> [snip gathered hex values]
>
>
> If I activate some debug information, I can see:
>
> Dec 2 16:10:54 ident pdns[10893]: TCP Connection Thread died because of STL
> error: Writing data: Broken pipe
>
> or if I dig from another machine:
>
> Dec 2 16:20:00 ident pdns[12375]: TCP Connection Thread died because of STL
> error: Reading data: Connection reset by peer
>
> I've been searching on the web and in the Mailing List, without being able to
> find a definitive answer to the problem. The recent discussions on similar
> situation do not apply here (eg. I do have a serial set to a value >0 for my
> SOA.)
>
> Using wireshark on port 53, the strange thing is that when I do an AXFR
> request, the communication ends with 2 almost identical ACK packets, the
> second one having the RESET flag set. All the requested zone information is
> included in the DNS answer packet (the zone is small enough to fit in one
> packet). So I guess dig does notice the presence of the RESET packet and
> concludes something wrong occurred.
>
> Note that the AXFR request does sometimes succeed (very rarely to be honest, I
> haven't seen one for a while).
>
> I may have missed something obvious, but I can't find it :-/
>
> Anyone having a clue?
>
> Thanks,
>
> David Douard

It is stated in the PDNS documentation that the LDAP backend
does not support master/slave/superslave/autoserial:

http://doc.powerdns.com/ldap.html

You will need to use one that does support the features you
need/want to use.

Cheers,
Ken