[Pdns-users] pdns-3.2 AXFR per domain ACL's problem

Ruben d'Arco cyclops at prof-x.net
Tue Mar 19 12:05:14 UTC 2013


Hi,

This is a bit of a guess, but:
The AUTO-NS feature seems to use a normal getaddrinfo(). This might have a different result than you expect on your system.
Can you check what's in your resolv.conf and see what it replies when you ask for dns1.test.com and dns2.test.com?

Regards,
	Ruben



On Tue, Mar 19, 2013 at 01:51:20PM +0200, Margus Kiting wrote:
> Hi,
> 
> I'm new to this list and this is the first time I encountered a problem
> using the PowerDNS authoritative DNS server, so I hope I find a solution for this
> problem here.
> 
> The problem is in AXFR per domain ACLs. They are just not working for me.
> Below are the configuration and test outputs.
> 
> Master DNS: pdns-master 192.168.1.10
> Slave DNS: pdns-slave 192.168.1.11
> Test server: pdns-test 192.168.1.13
> 
> PowerDNS Version 3.2, compiled on Mar 12 2013, 10:19:57 with gcc version
> 4.1.2 20080704 (Red Hat 4.1.2-51)
> 
> 
> pdns-master pdns.conf
> 
> setuid=daemon
> setgid=daemon
> cache-ttl=60
> daemon=yes
> disable-tcp=no
> distributor-threads=10
> 
> launch=gmysql
> gmysql-host=127.0.0.1
> gmysql-user=powerdns
> gmysql-password=password
> gmysql-dbname=powerdns
> logging-facility=1
> loglevel=4
> master=yes
> query-cache-ttl=60
> recursive-cache-ttl=60
> recursor=127.0.0.1
> query-local-address6=
> 
> NB! recursor is not running.
> 
> pdns-master mysql information:
> 
> mysql> select * from domains;
> id      name    master  last_check      type    notified_serial account
> 1       test.com        NULL    NULL    MASTER  1363693953      NULL
> 
> mysql> select * from records;
> id      domain_id       name    type    content ttl     prio
> change_date    ordername        auth
> 1       1       test.com        SOA     dns1.test.com root at test.com 0
> 86400  NULL     NULL    NULL    NULL
> 2       1       test.com        NS      dns1.test.com   86400   NULL
> 1363693952      NULL    NULL
> 3       1       test.com        NS      dns2.test.com   86400   NULL
> 1363693952      NULL    NULL
> 4       1       www.test.com    A       192.168.1.12    120     NULL
> 1363693952      NULL    NULL
> 5       1       mail.test.com   A       192.168.1.12    120     NULL
> 1363693952      NULL    NULL
> 6       1       dns1.test.com   A       192.168.1.11    120     NULL
> 1363693952      NULL    NULL
> 7       1       dns2.test.com   A       192.168.1.10    120     NULL
> 1363693952      NULL    NULL
> 8       1       test.com        MX      mail.test.com   120     25
> 1363693953      NULL    NULL
> 
> mysql> select * from domainmetadata;
> id      domain_id       kind    content
> 1       1       ALLOW-AXFR-FROM AUTO-NS
> AXFR queries should be allowed only from servers which are in the
> test.com domain NS records.
> I will AXFR query from pdns-slave, which has IP 192.168.1.11 and is
> configured as an NS record in the test.com domain, and it should get a correct AXFR
> query answer.
> I also try an AXFR query from pdns-test, which has IP 192.168.1.12 and is
> not configured as an NS record in the test.com domain, and this server should get a
> transfer failure message from the pdns-master server. The powerdns daemon is
> running with the monitor flag, which gives debug output from the server's side.
> 
> AXFR query from pdns-slave 192.168.1.11 server:
> 
> [root at pdns-slave ~]# dig axfr test.com @192.168.1.10
> 
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> axfr test.com @
> 192.168.1.10
> ;; global options:  printcmd
> test.com.               86400   IN      SOA     dns1.test.com. root.test.com.
> 1363693953 10800 3600 604800 3600
> test.com.               86400   IN      NS      dns1.test.com.
> test.com.               86400   IN      NS      dns2.test.com.
> www.test.com.           120     IN      A       192.168.1.12
> mail.test.com.          120     IN      A       192.168.1.12
> dns1.test.com.          120     IN      A       192.168.1.11
> dns2.test.com.          120     IN      A       192.168.1.10
> test.com.               120     IN      MX      25 mail.test.com.
> test.com.               86400   IN      SOA     dns1.test.com. root.test.com.
> 1363693953 10800 3600 604800 3600
> ;; Query time: 12 msec
> ;; SERVER: 192.168.1.10#53(192.168.1.10)
> ;; WHEN: Tue Mar 19 13:24:06 2013
> ;; XFR size: 9 records (messages 3)
> 
> Powerdns log output in pdns-master server:
> 
> Mar 19 13:24:06 AXFR of domain 'test.com' initiated by 192.168.1.11
> Mar 19 13:24:06 AXFR of domain 'test.com' allowed: client IP 192.168.1.11
> is in allow-axfr-ips
> Mar 19 13:24:06 gmysql Connection successful
> Mar 19 13:24:06 gmysql Connection successful
> Mar 19 13:24:06 AXFR of domain 'test.com' to 192.168.1.11 finished
> 
> AXFR query from pdns-test 192.168.1.12 server:
> 
> [root at pdns-test ~]# dig axfr test.com @192.168.1.10
> 
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> axfr test.com @
> 192.168.1.10
> ;; global options:  printcmd
> test.com.               86400   IN      SOA     dns1.test.com. root.test.com.
> 1363693953 10800 3600 604800 3600
> test.com.               86400   IN      NS      dns1.test.com.
> test.com.               86400   IN      NS      dns2.test.com.
> www.test.com.           120     IN      A       192.168.1.12
> mail.test.com.          120     IN      A       192.168.1.12
> dns1.test.com.          120     IN      A       192.168.1.11
> dns2.test.com.          120     IN      A       192.168.1.10
> test.com.               120     IN      MX      25 mail.test.com.
> test.com.               86400   IN      SOA     dns1.test.com. root.test.com.
> 1363693953 10800 3600 604800 3600
> ;; Query time: 17 msec
> ;; SERVER: 192.168.1.10#53(192.168.1.10)
> ;; WHEN: Tue Mar 19 13:25:50 2013
> ;; XFR size: 9 records (messages 3)
> 
> 
> Powerdns log output in pdns-master server:
> 
> Mar 19 13:25:50 AXFR of domain 'test.com' initiated by 192.168.1.12
> Mar 19 13:25:50 AXFR of domain 'test.com' allowed: client IP 192.168.1.12
> is in allow-axfr-ips
> Mar 19 13:25:50 gmysql Connection successful
> Mar 19 13:25:50 gmysql Connection successful
> Mar 19 13:25:50 AXFR of domain 'test.com' to 192.168.1.12 finished
> 
> As seen from above, the AXFR ACLs per domain are not working. Am I missing some
> configuration or am I doing something very wrong?
> Please help.
> 
> NB! English is not my native language, so apologies if there are mistakes.
> 
> Thanks in advance!
> Margus Kiting

> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
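A small model of the two checks discussed in this thread, added here as an illustration and not code from PowerDNS or from either poster. It assumes, as Ruben suggests, that AUTO-NS resolves each NS name with a plain getaddrinfo() (so the answer depends on resolv.conf rather than on the zone's own A records), and it assumes the evaluation order hinted at by the quoted log line "is in allow-axfr-ips": the global list is consulted first and short-circuits the per-domain ACL. The NS names and addresses come from the quoted zone; the global ACL values and the "stale resolver" table are constructed.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

# From the zone quoted in the thread: the NS names of test.com and the
# A records the zone itself holds for them.
NS_NAMES = ["dns1.test.com", "dns2.test.com"]
ZONE_A = {"dns1.test.com": {"192.168.1.11"}, "dns2.test.com": {"192.168.1.10"}}

Resolver = Callable[[str], Set[str]]


def system_resolver(name: str) -> Set[str]:
    """What AUTO-NS is assumed to see: a plain getaddrinfo() via resolv.conf."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def table_resolver(table: Dict[str, Set[str]]) -> Resolver:
    """Offline stand-in for the system resolver, fed a constructed answer table."""
    return lambda name: set(table.get(name, ()))


def auto_ns_allows(client_ip: str, ns_names: Iterable[str], resolve: Resolver) -> bool:
    """Per-domain AUTO-NS decision: the client must be an address that some NS name
    resolves to *through the resolver*, not an address listed in the zone data."""
    return any(client_ip in resolve(ns) for ns in ns_names)


def axfr_allowed(client_ip: str, global_acl: List[str],
                 ns_names: Iterable[str], resolve: Resolver) -> str:
    """Assumed evaluation order: the global allow-axfr-ips list wins first, and only
    a client outside it is subjected to the domain's AUTO-NS check."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in global_acl):
        return "allowed: client IP is in allow-axfr-ips"
    if auto_ns_allows(client_ip, ns_names, resolve):
        return "allowed: client IP matches AUTO-NS"
    return "denied"


def ns_view_diff(ns_names: Iterable[str], resolve: Resolver,
                 zone_a: Dict[str, Set[str]] = ZONE_A) -> Dict[str, Tuple[list, list]]:
    """The check Ruben asks for: per NS name, what the resolver answers
    next to what the zone's own A record says, so mismatches stand out."""
    return {ns: (sorted(resolve(ns)), sorted(zone_a.get(ns, ()))) for ns in ns_names}
```

Run ns_view_diff(NS_NAMES, system_resolver) on the master to compare the resolv.conf answers with the zone data; if a client that should be denied is logged as "is in allow-axfr-ips", the global list is what to inspect.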
