[Pdns-users] pdns-3.2 AXFR per domain ACL's problem

Margus Kiting margus.kiting at gmail.com
Tue Mar 19 11:51:20 UTC 2013 

Hi,

I'm new to this list and this is the first time I encountered a problem
using powerdns authoritative DNS server, so I hope I find solution for this
problem from here.

The problem is in AXFR per domain ACL's. They are just nor working for me.
Below is configuration and test outputs.

Master DNS: pdns-master 192.168.1.10
Slave DNS: pdns-slave 192.168.1.11
Test server: pdns-test 192.168.1.13

PowerDNS Version 3.2, compiled on Mar 12 2013, 10:19:57 with gcc version
4.1.2 20080704 (Red Hat 4.1.2-51)


pdns-master pdns.conf

setuid=daemon
setgid=daemon
cache-ttl=60
daemon=yes
disable-tcp=no
distributor-threads=10

launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=powerdns
gmysql-password=password
gmysql-dbname=powerdns
logging-facility=1
loglevel=4
master=yes
query-cache-ttl=60
recursive-cache-ttl=60
recursor=127.0.0.1
query-local-address6=

NB! recursor is not running.

pdns-master mysql information:

mysql> select * from domains;
id      name    master  last_check      type    notified_serial account
1       test.com        NULL    NULL    MASTER  1363693953      NULL

mysql> select * from records;
id      domain_id       name    type    content ttl     prio
change_date    ordername        auth
1       1       test.com        SOA     dns1.test.com root at test.com 0
86400  NULL     NULL    NULL    NULL
2       1       test.com        NS      dns1.test.com   86400   NULL
1363693952      NULL    NULL
3       1       test.com        NS      dns2.test.com   86400   NULL
1363693952      NULL    NULL
4       1       www.test.com    A       192.168.1.12    120     NULL
1363693952      NULL    NULL
5       1       mail.test.com   A       192.168.1.12    120     NULL
1363693952      NULL    NULL
6       1       dns1.test.com   A       192.168.1.11    120     NULL
1363693952      NULL    NULL
7       1       dns2.test.com   A       192.168.1.10    120     NULL
1363693952      NULL    NULL
8       1       test.com        MX      mail.test.com   120     25
1363693953      NULL    NULL

mysql> select * from domainmetadata;
id      domain_id       kind    content
1       1       ALLOW-AXFR-FROM AUTO-NS
AXFR queries should be allowd onlly from server, which are in
test.comdomain NS records.
I will AXFR query from pdns-slave, which has IP 192.168.1.11 and it is
configured as NS record in test.ccom domain and it should get correct axfr
query answer.
I also try AXFR query from pdns-test, which has IP 192.168.1.12 and it's
not configured as NS record in test.com domain and this server should get
transfer failure message from pdns-master server. powerdns daemon is
running with monitor flag, which gives debug output from servers side.

AXFR query from pdns-slave 192.168.1.11 server:

[root at pdns-slave ~]# dig axfr test.com @192.168.1.10

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> axfr test.com @
192.168.1.10
;; global options:  printcmd
test.com.               86400   IN      SOA     dns1.test.com. root.test.com.
1363693953 10800 3600 604800 3600
test.com.               86400   IN      NS      dns1.test.com.
test.com.               86400   IN      NS      dns2.test.com.
www.test.com.           120     IN      A       192.168.1.12
mail.test.com.          120     IN      A       192.168.1.12
dns1.test.com.          120     IN      A       192.168.1.11
dns2.test.com.          120     IN      A       192.168.1.10
test.com.               120     IN      MX      25 mail.test.com.
test.com.               86400   IN      SOA     dns1.test.com. root.test.com.
1363693953 10800 3600 604800 3600
;; Query time: 12 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Tue Mar 19 13:24:06 2013
;; XFR size: 9 records (messages 3)

Powerdns log output in pdns-master server:

Mar 19 13:24:06 AXFR of domain 'test.com' initiated by 192.168.1.11
Mar 19 13:24:06 AXFR of domain 'test.com' allowed: client IP 192.168.1.11
is in allow-axfr-ips
Mar 19 13:24:06 gmysql Connection successful
Mar 19 13:24:06 gmysql Connection successful
Mar 19 13:24:06 AXFR of domain 'test.com' to 192.168.1.11 finished

AXFR query from pdns-test 192.168.1.12 server:

[root at pdns-test ~]# dig axfr test.com @192.168.1.10

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> axfr test.com @
192.168.1.10
;; global options:  printcmd
test.com.               86400   IN      SOA     dns1.test.com. root.test.com.
1363693953 10800 3600 604800 3600
test.com.               86400   IN      NS      dns1.test.com.
test.com.               86400   IN      NS      dns2.test.com.
www.test.com.           120     IN      A       192.168.1.12
mail.test.com.          120     IN      A       192.168.1.12
dns1.test.com.          120     IN      A       192.168.1.11
dns2.test.com.          120     IN      A       192.168.1.10
test.com.               120     IN      MX      25 mail.test.com.
test.com.               86400   IN      SOA     dns1.test.com. root.test.com.
1363693953 10800 3600 604800 3600
;; Query time: 17 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Tue Mar 19 13:25:50 2013
;; XFR size: 9 records (messages 3)


Powerdns log output in pdns-master server:

Mar 19 13:25:50 AXFR of domain 'test.com' initiated by 192.168.1.12
Mar 19 13:25:50 AXFR of domain 'test.com' allowed: client IP 192.168.1.12
is in allow-axfr-ips
Mar 19 13:25:50 gmysql Connection successful
Mar 19 13:25:50 gmysql Connection successful
Mar 19 13:25:50 AXFR of domain 'test.com' to 192.168.1.12 finished

As seen from abowe, AXFR ACL's per domain is not working. Am I missing some
configuration or I'm doing something very wrong?
Please help.

NB! English is not my native language, so appologies if there are mistakes.

Thanks in advance!
Margus Kiting
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20130319/90a630ff/attachment.html>

More information about the Pdns-users mailing list