[Pdns-users] how to force pdns4 autoprovisioned superslave to TSIG-sign responses to supermaster?
PGNet Dev
pgnet.dev at gmail.com
Sat Dec 31 20:21:57 UTC 2016
I'm working on a not-yet-provisioned pdns superslave.
I want pdns to be autoprovisioned on authorized NOTIFY from my bind9 master.
Currently, in pdns logs I have the following error
...
Dec 31 11:55:07 dns pdns[1677]: Received secure NOTIFY for example.com from 10.1.1.53, allowed by TSIG key 'pdns-key'
Dec 31 11:55:07 dns pdns[1677]: Query: select id,name,master,last_check,notified_serial,type,account from domains where name=:domain
Dec 31 11:55:07 dns pdns[1677]: Received NOTIFY for example.com from 10.1.1.53 for which we are not authoritative
Dec 31 11:55:08 dns pdns[1677]: Query: select account from supermasters where ip=:ip and nameserver=:nameserver
Dec 31 11:55:08 dns pdns[1677]: Unable to find backend willing to host example.com for potential supermaster 10.1.1.53. Remote nameservers:
Dec 31 11:55:08 dns pdns[1677]: dnsint.example.net
...
NOTE the 'remote nameserver' == dnsint.example.net
That's the SOA ns for my master's *internal* (LAN only) view, not the *external*, to-be-signed, view data.
I've set up my master so that for a given zone, config consists of internal & external zone views+files,
...
view "internal" {
match-clients { !pdns-key ; ... };
...
zone "example.com" IN { type master; file "/namedb/master/example.com.zone"; };
...
}
view "external" {
match-clients { pdns-key ; ... };
...
zone "example.com" IN { type master; file "/namedb/master/example.com.zone";
notify explicit; also-notify { powerdns_ip; };
};
...
}
...
With this config, a TSIG-signed client that uses key == 'pdns-key' should match the 'external' view.
This can be verified for
unsigned,
  dig @10.1.1.53 SOA example.com +short
  dnsint.example.net. hostmaster.example.net. 1483204233 7200 1800 604800 5
& signed,
  dig @10.1.1.53 SOA example.com +short -k /usr/local/etc/named/keys/pdns.key
  dnsext.example.net. soacontact.example.net. 1483204233 7200 1800 604800 5
and, for reference
host dnsint.example.net
dnsint.example.net is an alias for dns.example.net.
dns.example.net has address 10.1.1.53
host dnsext.example.net
dnsext.example.net has address II.PP.VV.44 (real/public ip address)
So, since I want pdns to access the *external* view, it needs to communicate to/with the master with TSIG-signed requests, but it needs to do so on the master's IP (either 127.0.0.1 or 10.1.1.53 ...).
And, since I'm setting up pdns as an auto-provisioned superslave -- i.e., I don't have the domain IDs in pdns.db until after 'first contact' from the master -- I'm attempting to use an sqlite3 trigger.
sqlite3 /var/pdns/powerdns.sqlite3 < /usr/local/powerdns/share/doc/pdns/schema.sqlite3.sql
sqlite3 /var/pdns/powerdns.sqlite3
  INSERT INTO `supermasters` ( ip, nameserver, account ) VALUES ( '10.1.1.53', 'dnsint.example.net', 'admin' );
  INSERT INTO `tsigkeys` (name, algorithm, secret) VALUES ('pdns-key', 'hmac-sha256', 'xxxxxxxx');
  DROP TRIGGER IF EXISTS `domains_after_create`;
  CREATE TRIGGER IF NOT EXISTS `domains_after_create`
  AFTER INSERT ON `domains`
  FOR EACH ROW WHEN NEW.`type` = 'SLAVE'
  BEGIN
    INSERT INTO `domainmetadata` (`domain_id`, `kind`, `content`) VALUES (NEW.`id`, 'AXFR-MASTER-TSIG', 'pdns-key');
  END;
  .exit
That fires no errors on entry, but I get the ERROR on transaction between the pdns slave and bind master as reported above.
Apparently, pdns is making an UNSIGNED request to the master, and I've failed to get it to use the 'pdns-key'.
What piece is missing to get pdns to sign that comm, and access the *external* view?
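An added check (not part of the post) that exercises the trigger above in an in-memory SQLite copy of the relevant tables: it confirms that a freshly provisioned SLAVE domain gets its AXFR-MASTER-TSIG metadata, that non-SLAVE rows do not, and that the metadata names a key that actually exists in tsigkeys (pdns cannot sign with a key it cannot look up). The schema is a constructed subset of the pdns sqlite3 schema, and the secret value is a placeholder.

```python
import sqlite3

# Constructed subset of pdns' schema.sqlite3.sql: only the columns the
# trigger and the lookups below touch (assumption: the real file has more).
SCHEMA = """
CREATE TABLE domains (
  id INTEGER PRIMARY KEY, name VARCHAR(255) NOT NULL COLLATE NOCASE,
  master VARCHAR(128) DEFAULT NULL, last_check INTEGER DEFAULT NULL,
  type VARCHAR(6) NOT NULL, notified_serial INTEGER DEFAULT NULL,
  account VARCHAR(40) DEFAULT NULL);
CREATE TABLE domainmetadata (
  id INTEGER PRIMARY KEY, domain_id INT NOT NULL,
  kind VARCHAR(32) COLLATE NOCASE, content TEXT);
CREATE TABLE tsigkeys (
  id INTEGER PRIMARY KEY, name VARCHAR(255) COLLATE NOCASE,
  algorithm VARCHAR(50) COLLATE NOCASE, secret VARCHAR(255));
"""

# The trigger from the post: tag every new SLAVE domain with the key name.
TRIGGER = """
CREATE TRIGGER IF NOT EXISTS domains_after_create
AFTER INSERT ON domains
FOR EACH ROW WHEN NEW.type = 'SLAVE'
BEGIN
  INSERT INTO domainmetadata (domain_id, kind, content)
    VALUES (NEW.id, 'AXFR-MASTER-TSIG', 'pdns-key');
END;
"""

def build_db(key_name="pdns-key"):
    """In-memory database with schema, trigger and one TSIG key (placeholder secret)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + TRIGGER)
    db.execute("INSERT INTO tsigkeys (name, algorithm, secret) VALUES (?, ?, ?)",
               (key_name, "hmac-sha256", "PLACEHOLDER-SECRET"))
    return db

def provision_slave(db, name, master_ip):
    """Mimic the row pdns inserts when it accepts a supermaster NOTIFY; returns domain id."""
    cur = db.execute("INSERT INTO domains (name, master, type, account) "
                     "VALUES (?, ?, 'SLAVE', 'admin')", (name, master_ip))
    return cur.lastrowid

def axfr_tsig_keys(db, domain_id):
    """Key names pdns would find under AXFR-MASTER-TSIG for this domain."""
    rows = db.execute("SELECT content FROM domainmetadata "
                      "WHERE domain_id=? AND kind='AXFR-MASTER-TSIG'", (domain_id,))
    return [r[0] for r in rows]

def dangling_tsig_refs(db):
    """(domain, key) pairs whose AXFR-MASTER-TSIG names a key missing from tsigkeys."""
    rows = db.execute("""SELECT d.name, m.content FROM domainmetadata m
        JOIN domains d ON d.id = m.domain_id
        LEFT JOIN tsigkeys k ON k.name = m.content
        WHERE m.kind='AXFR-MASTER-TSIG' AND k.id IS NULL""")
    return [(r[0], r[1]) for r in rows]
```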