[Pdns-users] pdns-3.2 AXFR per domain ACL's problem

Margus Kiting margus.kiting at gmail.com
Thu Mar 21 14:18:49 UTC 2013


Hi all!

I found out what was missing in my configuration.

I just did not read the documentation properly and did not find the
dnssec-enabling flag.

http://doc.powerdns.com/html/domainmetadata.html

I just added gmysql-dnssec to pdns.conf and restarted service.

AXFR ACLs are working now.

Thank you all who helped.

Best Regards,
Margus Kiting

On 19 March 2013 14:05, Ruben d'Arco <cyclops at prof-x.net> wrote:

> Hi,
>
> This is a bit of a guess, but:
> The AUTO-NS feature seems to use a normal getaddrinfo(). This might have a
> different result than you expect on your system.
> Can you check what's in your resolv.conf and see what that replied when
> you ask for dns1.test.com and dns2.test.com?
>
> Regards,
>         Ruben
>
>
>
> On Tue, Mar 19, 2013 at 01:51:20PM +0200, Margus Kiting wrote:
> > Hi,
> >
> > I'm new to this list and this is the first time I encountered a problem
> > using the powerdns authoritative DNS server, so I hope I find a solution for
> > this problem from here.
> >
> > The problem is with AXFR per-domain ACLs. They are just not working for
> > me. Below are the configuration and test outputs.
> >
> > Master DNS: pdns-master 192.168.1.10
> > Slave DNS: pdns-slave 192.168.1.11
> > Test server: pdns-test 192.168.1.13
> >
> > PowerDNS Version 3.2, compiled on Mar 12 2013, 10:19:57 with gcc version
> > 4.1.2 20080704 (Red Hat 4.1.2-51)
> >
> >
> > pdns-master pdns.conf
> >
> > setuid=daemon
> > setgid=daemon
> > cache-ttl=60
> > daemon=yes
> > disable-tcp=no
> > distributor-threads=10
> >
> > launch=gmysql
> > gmysql-host=127.0.0.1
> > gmysql-user=powerdns
> > gmysql-password=password
> > gmysql-dbname=powerdns
> > logging-facility=1
> > loglevel=4
> > master=yes
> > query-cache-ttl=60
> > recursive-cache-ttl=60
> > recursor=127.0.0.1
> > query-local-address6=
> >
> > NB! recursor is not running.
> >
> > pdns-master mysql information:
> >
> > mysql> select * from domains;
> > id      name    master  last_check      type    notified_serial account
> > 1       test.com        NULL    NULL    MASTER  1363693953      NULL
> >
> > mysql> select * from records;
> > id  domain_id  name           type  content                           ttl    prio  change_date  ordername  auth
> > 1   1          test.com       SOA   dns1.test.com root at test.com 0  86400  NULL  NULL         NULL       NULL
> > 2   1          test.com       NS    dns1.test.com                     86400  NULL  1363693952   NULL       NULL
> > 3   1          test.com       NS    dns2.test.com                     86400  NULL  1363693952   NULL       NULL
> > 4   1          www.test.com   A     192.168.1.12                      120    NULL  1363693952   NULL       NULL
> > 5   1          mail.test.com  A     192.168.1.12                      120    NULL  1363693952   NULL       NULL
> > 6   1          dns1.test.com  A     192.168.1.11                      120    NULL  1363693952   NULL       NULL
> > 7   1          dns2.test.com  A     192.168.1.10                      120    NULL  1363693952   NULL       NULL
> > 8   1          test.com       MX    mail.test.com                     120    25    1363693953   NULL       NULL
> >
> > mysql> select * from domainmetadata;
> > id      domain_id       kind    content
> > 1       1       ALLOW-AXFR-FROM AUTO-NS
> > AXFR queries should be allowed only from servers which are in the
> > test.com domain NS records.
> > I will do an AXFR query from pdns-slave, which has IP 192.168.1.11 and is
> > configured as an NS record in the test.com domain, and it should get a
> > correct AXFR query answer.
> > I also try an AXFR query from pdns-test, which has IP 192.168.1.12 and is
> > not configured as an NS record in the test.com domain, and this server
> > should get a transfer failure message from the pdns-master server. The
> > powerdns daemon is running with the monitor flag, which gives debug output
> > from the server's side.
> >
> > AXFR query from pdns-slave 192.168.1.11 server:
> >
> > [root at pdns-slave ~]# dig axfr test.com @192.168.1.10
> >
> > ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> axfr test.com @192.168.1.10
> > ;; global options:  printcmd
> > test.com.               86400   IN      SOA     dns1.test.com. root.test.com. 1363693953 10800 3600 604800 3600
> > test.com.               86400   IN      NS      dns1.test.com.
> > test.com.               86400   IN      NS      dns2.test.com.
> > www.test.com.           120     IN      A       192.168.1.12
> > mail.test.com.          120     IN      A       192.168.1.12
> > dns1.test.com.          120     IN      A       192.168.1.11
> > dns2.test.com.          120     IN      A       192.168.1.10
> > test.com.               120     IN      MX      25 mail.test.com.
> > test.com.               86400   IN      SOA     dns1.test.com. root.test.com. 1363693953 10800 3600 604800 3600
> > ;; Query time: 12 msec
> > ;; SERVER: 192.168.1.10#53(192.168.1.10)
> > ;; WHEN: Tue Mar 19 13:24:06 2013
> > ;; XFR size: 9 records (messages 3)
> >
> > Powerdns log output in pdns-master server:
> >
> > Mar 19 13:24:06 AXFR of domain 'test.com' initiated by 192.168.1.11
> > Mar 19 13:24:06 AXFR of domain 'test.com' allowed: client IP 192.168.1.11 is in allow-axfr-ips
> > Mar 19 13:24:06 gmysql Connection successful
> > Mar 19 13:24:06 gmysql Connection successful
> > Mar 19 13:24:06 AXFR of domain 'test.com' to 192.168.1.11 finished
> >
> > AXFR query from pdns-test 192.168.1.12 server:
> >
> > [root at pdns-test ~]# dig axfr test.com @192.168.1.10
> >
> > ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> axfr test.com @192.168.1.10
> > ;; global options:  printcmd
> > test.com.               86400   IN      SOA     dns1.test.com. root.test.com. 1363693953 10800 3600 604800 3600
> > test.com.               86400   IN      NS      dns1.test.com.
> > test.com.               86400   IN      NS      dns2.test.com.
> > www.test.com.           120     IN      A       192.168.1.12
> > mail.test.com.          120     IN      A       192.168.1.12
> > dns1.test.com.          120     IN      A       192.168.1.11
> > dns2.test.com.          120     IN      A       192.168.1.10
> > test.com.               120     IN      MX      25 mail.test.com.
> > test.com.               86400   IN      SOA     dns1.test.com. root.test.com. 1363693953 10800 3600 604800 3600
> > ;; Query time: 17 msec
> > ;; SERVER: 192.168.1.10#53(192.168.1.10)
> > ;; WHEN: Tue Mar 19 13:25:50 2013
> > ;; XFR size: 9 records (messages 3)
> >
> >
> > Powerdns log output in pdns-master server:
> >
> > Mar 19 13:25:50 AXFR of domain 'test.com' initiated by 192.168.1.12
> > Mar 19 13:25:50 AXFR of domain 'test.com' allowed: client IP 192.168.1.12 is in allow-axfr-ips
> > Mar 19 13:25:50 gmysql Connection successful
> > Mar 19 13:25:50 gmysql Connection successful
> > Mar 19 13:25:50 AXFR of domain 'test.com' to 192.168.1.12 finished
> >
> > As seen from above, AXFR ACLs per domain are not working. Am I missing
> > some configuration or am I doing something very wrong?
> > Please help.
> >
> > NB! English is not my native language, so apologies if there are
> > mistakes.
> >
> > Thanks in advance!
> > Margus Kiting
>
> > _______________________________________________
> > Pdns-users mailing list
> > Pdns-users at mailman.powerdns.com
> > http://mailman.powerdns.com/mailman/listinfo/pdns-users
>
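Added example, not code from the thread or from PowerDNS: a small Python model of how the two AXFR allow lists discussed above interact, written to show why the per-zone ALLOW-AXFR-FROM metadata had no visible effect until the backend could read domainmetadata. The test.com NS set, the AUTO-NS metadata row and the dictionary standing in for the system resolver (the getaddrinfo() call Ruben mentions) are constructed from the thread; the check order, the function name and the reason strings are assumptions of this model, not PowerDNS's actual implementation.

```python
import ipaddress

# Constructed data mirroring the thread: the zone's NS records, the
# ALLOW-AXFR-FROM row from the domainmetadata table, and a stand-in for the
# system resolver (getaddrinfo via /etc/resolv.conf) that AUTO-NS consults.
NS_RECORDS = {"test.com": ["dns1.test.com", "dns2.test.com"]}
DOMAINMETADATA = {"test.com": [("ALLOW-AXFR-FROM", "AUTO-NS")]}
SYSTEM_RESOLVER = {"dns1.test.com": ["192.168.1.11"],
                   "dns2.test.com": ["192.168.1.10"]}


def axfr_decision(zone, client_ip, *, metadata_readable, allow_axfr_ips,
                  resolver=SYSTEM_RESOLVER):
    """Hypothetical model of the AXFR ACL decision, not PowerDNS's own code.

    A client is allowed if it matches the global allow-axfr-ips list or any
    ALLOW-AXFR-FROM entry of the zone. Per-zone entries are only visible
    when the backend actually reads domainmetadata (gmysql-dnssec in the
    thread). Returns (allowed, reason).
    """
    client = ipaddress.ip_address(client_ip)
    for net in allow_axfr_ips:
        if client in ipaddress.ip_network(net, strict=False):
            return True, "client IP %s is in allow-axfr-ips" % client
    entries = DOMAINMETADATA.get(zone, []) if metadata_readable else []
    for kind, content in entries:
        if kind != "ALLOW-AXFR-FROM":
            continue
        if content == "AUTO-NS":
            # Resolve every NS name with the *system* resolver; if that
            # disagrees with the zone's own A records, the ACL misfires.
            for ns in NS_RECORDS.get(zone, []):
                addrs = [ipaddress.ip_address(a) for a in resolver.get(ns, [])]
                if client in addrs:
                    return True, "client IP %s is NS %s (AUTO-NS)" % (client, ns)
        elif client in ipaddress.ip_network(content, strict=False):
            return True, "client IP %s is in per-zone ACL %s" % (client, content)
    return False, "client IP %s has no AXFR permission for %s" % (client, zone)


if __name__ == "__main__":
    # Metadata invisible to the backend: only the global list decides, so
    # the non-NS host 192.168.1.12 is served, as in the thread's log lines.
    print(axfr_decision("test.com", "192.168.1.12", metadata_readable=False,
                        allow_axfr_ips=["192.168.1.0/24"]))
    # Metadata readable and a tight global list: only the NS hosts pass.
    for ip in ("192.168.1.11", "192.168.1.12"):
        print(axfr_decision("test.com", ip, metadata_readable=True,
                            allow_axfr_ips=["127.0.0.0/8"]))
```

In this model a wide allow-axfr-ips admits a client before the per-zone list is ever consulted, so when verifying a per-zone ACL it is worth checking that global setting in pdns.conf alongside the backend's metadata flag.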