[Pdns-users] pdns-3.2 AXFR per domain ACL's problem
Ruben d'Arco
cyclops at prof-x.net
Tue Mar 19 12:05:14 UTC 2013
Hi,
This is a bit of a guess, but:
The AUTO-NS feature seems to use a normal getaddrinfo(). This might have a different result than you expect on your system.
Can you check what's in your resolv.conf and see what that replied when you ask for dns1.test.com and dns2.test.com?
Regards,
Ruben
On Tue, Mar 19, 2013 at 01:51:20PM +0200, Margus Kiting wrote:
> Hi,
>
> I'm new to this list and this is the first time I have encountered a problem
> using the PowerDNS authoritative DNS server, so I hope I can find a solution for this
> problem here.
>
> The problem is with the AXFR per-domain ACLs. They are just not working for me.
> Below are the configuration and test outputs.
>
> Master DNS: pdns-master 192.168.1.10
> Slave DNS: pdns-slave 192.168.1.11
> Test server: pdns-test 192.168.1.13
>
> PowerDNS Version 3.2, compiled on Mar 12 2013, 10:19:57 with gcc version
> 4.1.2 20080704 (Red Hat 4.1.2-51)
>
>
> pdns-master pdns.conf
>
> setuid=daemon
> setgid=daemon
> cache-ttl=60
> daemon=yes
> disable-tcp=no
> distributor-threads=10
>
> launch=gmysql
> gmysql-host=127.0.0.1
> gmysql-user=powerdns
> gmysql-password=password
> gmysql-dbname=powerdns
> logging-facility=1
> loglevel=4
> master=yes
> query-cache-ttl=60
> recursive-cache-ttl=60
> recursor=127.0.0.1
> query-local-address6=
>
> NB! recursor is not running.
>
> pdns-master mysql information:
>
> mysql> select * from domains;
> id  name      master  last_check  type    notified_serial  account
> 1   test.com  NULL    NULL        MASTER  1363693953       NULL
>
> mysql> select * from records;
> id  domain_id  name           type  content                        ttl    prio  change_date  ordername  auth
> 1   1          test.com       SOA   dns1.test.com root@test.com 0  86400  NULL  NULL         NULL       NULL
> 2   1          test.com       NS    dns1.test.com                  86400  NULL  1363693952   NULL       NULL
> 3   1          test.com       NS    dns2.test.com                  86400  NULL  1363693952   NULL       NULL
> 4   1          www.test.com   A     192.168.1.12                   120    NULL  1363693952   NULL       NULL
> 5   1          mail.test.com  A     192.168.1.12                   120    NULL  1363693952   NULL       NULL
> 6   1          dns1.test.com  A     192.168.1.11                   120    NULL  1363693952   NULL       NULL
> 7   1          dns2.test.com  A     192.168.1.10                   120    NULL  1363693952   NULL       NULL
> 8   1          test.com       MX    mail.test.com                  120    25    1363693953   NULL       NULL
>
> mysql> select * from domainmetadata;
> id  domain_id  kind             content
> 1   1          ALLOW-AXFR-FROM  AUTO-NS
> AXFR queries should be allowed only from servers which are in the
> test.com domain NS records.
> I will run an AXFR query from pdns-slave, which has IP 192.168.1.11 and is
> configured as an NS record in the test.com domain, so it should get a correct AXFR
> answer.
> I will also try an AXFR query from pdns-test, which has IP 192.168.1.12 and is
> not configured as an NS record in the test.com domain, so this server should get a
> transfer failure message from the pdns-master server. The powerdns daemon is
> running with the monitor flag, which gives debug output from the server side.
>
> AXFR query from pdns-slave 192.168.1.11 server:
>
> [root@pdns-slave ~]# dig axfr test.com @192.168.1.10
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> axfr test.com @192.168.1.10
> ;; global options: printcmd
> test.com. 86400 IN SOA dns1.test.com. root.test.com. 1363693953 10800 3600 604800 3600
> test.com. 86400 IN NS dns1.test.com.
> test.com. 86400 IN NS dns2.test.com.
> www.test.com. 120 IN A 192.168.1.12
> mail.test.com. 120 IN A 192.168.1.12
> dns1.test.com. 120 IN A 192.168.1.11
> dns2.test.com. 120 IN A 192.168.1.10
> test.com. 120 IN MX 25 mail.test.com.
> test.com. 86400 IN SOA dns1.test.com. root.test.com. 1363693953 10800 3600 604800 3600
> ;; Query time: 12 msec
> ;; SERVER: 192.168.1.10#53(192.168.1.10)
> ;; WHEN: Tue Mar 19 13:24:06 2013
> ;; XFR size: 9 records (messages 3)
>
> Powerdns log output in pdns-master server:
>
> Mar 19 13:24:06 AXFR of domain 'test.com' initiated by 192.168.1.11
> Mar 19 13:24:06 AXFR of domain 'test.com' allowed: client IP 192.168.1.11 is in allow-axfr-ips
> Mar 19 13:24:06 gmysql Connection successful
> Mar 19 13:24:06 gmysql Connection successful
> Mar 19 13:24:06 AXFR of domain 'test.com' to 192.168.1.11 finished
>
> AXFR query from pdns-test 192.168.1.12 server:
>
> [root@pdns-test ~]# dig axfr test.com @192.168.1.10
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> axfr test.com @192.168.1.10
> ;; global options: printcmd
> test.com. 86400 IN SOA dns1.test.com. root.test.com. 1363693953 10800 3600 604800 3600
> test.com. 86400 IN NS dns1.test.com.
> test.com. 86400 IN NS dns2.test.com.
> www.test.com. 120 IN A 192.168.1.12
> mail.test.com. 120 IN A 192.168.1.12
> dns1.test.com. 120 IN A 192.168.1.11
> dns2.test.com. 120 IN A 192.168.1.10
> test.com. 120 IN MX 25 mail.test.com.
> test.com. 86400 IN SOA dns1.test.com. root.test.com. 1363693953 10800 3600 604800 3600
> ;; Query time: 17 msec
> ;; SERVER: 192.168.1.10#53(192.168.1.10)
> ;; WHEN: Tue Mar 19 13:25:50 2013
> ;; XFR size: 9 records (messages 3)
>
>
> Powerdns log output in pdns-master server:
>
> Mar 19 13:25:50 AXFR of domain 'test.com' initiated by 192.168.1.12
> Mar 19 13:25:50 AXFR of domain 'test.com' allowed: client IP 192.168.1.12 is in allow-axfr-ips
> Mar 19 13:25:50 gmysql Connection successful
> Mar 19 13:25:50 gmysql Connection successful
> Mar 19 13:25:50 AXFR of domain 'test.com' to 192.168.1.12 finished
>
> As seen from above, the AXFR ACLs per domain are not working. Am I missing some
> configuration, or am I doing something very wrong?
> Please help.
>
> NB! English is not my native language, so apologies if there are mistakes.
>
> Thanks in advance!
> Margus Kiting
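As an added example (not code from this thread or from PowerDNS itself), the Python script below models the AUTO-NS decision Ruben describes and runs the check he suggests: for each NS name of the zone it compares the address the zone itself publishes with what the system resolver (getaddrinfo, hence resolv.conf) returns, and reports whether a given AXFR client would pass. The zone data is a constructed copy of the records table above; the two injected resolvers are constructed stand-ins for different resolv.conf outcomes, while `system_resolve` is the live getaddrinfo() path.

```python
import ipaddress
import socket

# Constructed from the records table in the post: the zone's NS names and
# the A records the zone itself publishes for them.
ZONE_NS = {"test.com": ["dns1.test.com", "dns2.test.com"]}
ZONE_A = {"dns1.test.com": {"192.168.1.11"}, "dns2.test.com": {"192.168.1.10"}}

def system_resolve(name):
    """Ask the system resolver (getaddrinfo, i.e. resolv.conf), which is what
    AUTO-NS consults; an unresolvable name yields an empty set."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    # sockaddr[0] is the address text; drop an IPv6 scope id such as %eth0
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}

def auto_ns_allowed(zone, client_ip, resolve=system_resolve):
    """AUTO-NS as a predicate: the client passes only if its address is one
    the resolver returns for some NS name of the zone."""
    client = ipaddress.ip_address(client_ip)
    return any(client in resolve(ns) for ns in ZONE_NS.get(zone, []))

def ns_resolution_mismatches(zone, resolve=system_resolve):
    """Ruben's check: compare what the zone says each NS is with what the
    system resolver says. Returns {ns: (zone_addrs, resolver_addrs)} for
    every NS where the two views differ; an empty dict means they agree."""
    out = {}
    for ns in ZONE_NS.get(zone, []):
        zone_view = {ipaddress.ip_address(a) for a in ZONE_A.get(ns, ())}
        resolver_view = resolve(ns)
        if zone_view != resolver_view:
            out[ns] = (sorted(map(str, zone_view)), sorted(map(str, resolver_view)))
    return out

# Two constructed resolvers standing in for different resolv.conf settings.
def zone_consistent_resolver(name):  # resolv.conf points at a server serving test.com
    return {ipaddress.ip_address(a) for a in ZONE_A.get(name, ())}

def foreign_resolver(name):  # resolv.conf points at a resolver with another view of the names
    return {ipaddress.ip_address("192.168.1.12")} if name == "dns1.test.com" else set()

if __name__ == "__main__":
    for label, resolver in (("consistent", zone_consistent_resolver), ("foreign", foreign_resolver)):
        print(label, "mismatches:", ns_resolution_mismatches("test.com", resolver))
        for client in ("192.168.1.11", "192.168.1.12"):
            verdict = "allowed" if auto_ns_allowed("test.com", client, resolver) else "refused"
            print(label, client, verdict)
```

Running it with the default `system_resolve` on the master reproduces the resolv.conf check from the reply; a non-empty mismatch dict shows which NS name the ACL will evaluate differently from what the zone data suggests.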