[Pdns-users] how to force pdns4 autoprovisioned superslave to TSIG-sign responses to supermaster?

PGNet Dev pgnet.dev at gmail.com
Sat Dec 31 20:21:57 UTC 2016

I'm working on a not-yet-provisioned pdns superslave.

I wand pdns to be autoprovisioned on authorized NOTIFY from my bind9 master

Currently, in pdns logs I've the following error

	Dec 31 11:55:07 dns pdns[1677]: Received secure NOTIFY for example.com from, allowed by TSIG key 'pdns-key'
	Dec 31 11:55:07 dns pdns[1677]: Query: select id,name,master,last_check,notified_serial,type,account from domains where name=:domain
	Dec 31 11:55:07 dns pdns[1677]: Received NOTIFY for example.com from for which we are not authoritative
	Dec 31 11:55:08 dns pdns[1677]: Query: select account from supermasters where ip=:ip and nameserver=:nameserver
	Dec 31 11:55:08 dns pdns[1677]: Unable to find backend willing to host example.com for potential supermaster Remote nameservers:
	Dec 31 11:55:08 dns pdns[1677]: dnsint.example.net

NOTE the 'remote nameserver' == dnsint.example.net

That's the SOA ns for my master's *internal* (LAN only) view, not the *external*, to-be-signed, view data.

I've set up my master so that for a given zone, config consists of internal & external zone views+files,

	view "internal" {
	  match-clients { !pdns-key ; ... };
	 zone "example.com" IN { type master; file "/namedb/master/example.com.zone"; };
	view "external" {
	  match-clients { pdns-key ; ... };
	 zone "example.com" IN { type master; file "/namedb/master/example.com.zone";
	   notify explicit; also-notify { powerdns_ip; };

With this config, and TSIG-signed client that uses key == 'pdns-key', should match the 'external' view.

This can be verified for


	dig @ SOA example.com +short
		dnsint.example.net. hostmaster.example.net. 1483204233 7200 1800 604800 5

& unsigned

	dig @ SOA example.com +short -k /usr/local/etc/named/keys/pdns.key
		dnsext.example.net. soacontact.example.net. 1483204233 7200 1800 604800 5

and, for reference

	host dnsint.example.net
		dnsint.example.net is an alias for dns.example.net.
		dns.example.net has address
	host dnsext.example.net
		dnsext.example.net has address II.PP.VV.44 (real/public ip address)

So, since I want pdns to access the *external* view, it needs to communicate to/with the master with TSIG_signed requests, but it needs to do so on the master's IP (either or ...).

And, since I'm setting up pdns as an auto-provisioned superslave -- i.e., I don't have the domain IDs in pdns.db until after 'first contact" from the master -- I'm attempting to use an sqlite3 trigger.

	sqlite3 /var/pdns/powerdns.sqlite3 < /usr/local/powerdns/share/doc/pdns/schema.sqlite3.sql
	sqlite3 /var/pdns/powerdns.sqlite3
	    INSERT INTO `supermasters` ( ip, nameserver, account ) VALUES ( '', 'dnsint.example.net', 'admin' );

	    INSERT INTO `tsigkeys` (name, algorithm, secret) VALUES ('pdns-key', 'hmac-sha256', 'xxxxxxxx');

	    DROP TRIGGER IF EXISTS `domains_after_create`;
	    CREATE TRIGGER IF NOT EXISTS `domains_after_create`
	    AFTER INSERT ON `domains`
	      FOR EACH ROW WHEN NEW.`type` = 'SLAVE'
	          INSERT INTO `domainmetadata` (`domain_id`, `kind`, `content`) VALUES (NEW.`id`, 'AXFR-MASTER-TSIG', 'pdns-key');

That fires no errors on entry, but I get the ERROR on transaction between the pdns slave and bind master as reported above.

Apparently, pdns is making an UNSIGNED request to the master, and I've failed to get it to use the 'pdns-key'.

What piece is missing to get pdns to sign that comm, and access the *external* view

More information about the Pdns-users mailing list