[Pdns-users] supermaster + TSIG AXFR: what obvious thing am I missing?

Marek Isalski powerdns at maz.nu
Sun May 8 17:11:04 UTC 2016


Firstly, thank you, Bert, for coming to UKNOF34 and presenting on dnsdist and powerdns.  Really interesting and useful technology.

And for that reason I've been testing out whether powerdns would be a good fit to replace our scripted BIND servers that do authoritative and DNSSEC.

The idea is to have: supermaster -> DNSSEC front-signing slave acting as master to -> cluster of authoritative slaves

So with that in mind, on "signer" - our "slave+master in the middle" - we have:

>  id | domain_id |       kind       |         content
> ----+-----------+------------------+--------------------------
>   1 |           | TSIG-ALLOW-AXFR  | keynamegoeshere
>   2 |           | AXFR-MASTER-TSIG | keynamegoeshere

And so we run this on our "slave+master in the middle":

> root@signer> pdns_control notify-host example.com 46.227.X.Y


But the "cluster of authoritative slaves" gets this:

> May  8 17:41:01 adns0 named[1701]: zone example.com/IN: Transfer started.
> May  8 17:41:01 adns0 named[1701]: transfer of 'example.com/IN' from 185.134.X.Y#53: connected using 46.227.X.Y#38039
> May  8 17:41:01 adns0 named[1701]: transfer of 'example.com/IN' from 185.134.X.Y#53: failed while receiving responses: NOTAUTH
> May  8 17:41:01 adns0 named[1701]: transfer of 'example.com/IN' from 185.134.X.Y#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.036 secs (0 bytes/sec)

And on our "slave+master in the middle":

> May  8 16:41:01 signer pdns_server[21104]: May 08 16:41:01 AXFR 'example.com.' denied: key with name 'keynamegoeshere.' and algorithm 'hmac-md5.sig-alg.reg.int.' does not grant access to zone
> May  8 16:41:01 signer pdns_server[21104]: May 08 16:41:01 AXFR of domain 'example.com.' failed: 46.227.X.Y cannot request AXFR
> May  8 16:41:04 signer pdns[21114]: Received serial number updates for 0 zones, had 1 timeouts


However, if we add a specific entry into the slave+master in the middle:

>  id | domain_id |       kind       |         content
> ----+-----------+------------------+--------------------------
>   5 |        12 | TSIG-ALLOW-AXFR  | keynamegoeshere

...then the transfer proceeds perfectly:

> May  8 17:42:09 adns0 named[1701]: client 185.134.X.Y#18063: received notify for zone 'example.com': TSIG 'keynamegoeshere'
> May  8 17:42:09 adns0 named[1701]: zone example.com/IN: Transfer started.
> May  8 17:42:09 adns0 named[1701]: transfer of 'example.com/IN' from 185.134.X.Y#53: connected using 46.227.X.Y#55071
> May  8 17:42:09 adns0 named[1701]: zone example.com/IN: transferred serial 2016050812: TSIG 'keynamegoeshere'
> May  8 17:42:09 adns0 named[1701]: transfer of 'example.com/IN' from 185.134.X.Y#53: Transfer completed: 3 messages, 13 records, 723 bytes, 0.143 secs (5055 bytes/sec)
> May  8 17:42:09 adns0 named[1701]: zone example.com/IN: sending notifies (serial 2016050812)


The problem here is that - for a TSIG AXFR - every domain needs to have an entry in the domainmetadata table.  But some things seem to work ok because they seem to pick the row with a null domain_id and use that key.

Is a null domain_id meant to be supported as a "default" for metadata?  Or do we have to copy across some domainmetadata to our DNSSEC front-signing server so that all the transfers will work correctly?

OS: Debian jessie amd64
powerdns: 4.0.0~alpha2-1pdns.jessie
backend-pgsql: 4.0.0~alpha2-1pdns.jessie (with gpgsql-dnssec=yes)

Kind regards,

Marek Isalski
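
Added example, not part of the original post and not PowerDNS code: given the behaviour logged above (only a row with a matching domain_id granted the AXFR), this audits which zones have no per-zone TSIG-ALLOW-AXFR row for a key and adds the missing rows. It assumes a `domains(id, name)` table next to the `domainmetadata` table shown in the post, uses in-memory SQLite with constructed data so it runs offline (on PostgreSQL the placeholders would be `%s`), and the function names are hypothetical.

```python
import sqlite3

KIND = "TSIG-ALLOW-AXFR"

# True for a zone d with no per-zone row for this key. A row whose
# domain_id is NULL never satisfies m.domain_id = d.id, so the
# "default" rows from the post do not count here.
NO_ROW = """NOT EXISTS (SELECT 1 FROM domainmetadata m
    WHERE m.domain_id = d.id AND m.kind = ? AND m.content = ?)"""
MISSING_SQL = "SELECT d.name FROM domains d WHERE " + NO_ROW + " ORDER BY d.name"
GRANT_SQL = ("INSERT INTO domainmetadata (domain_id, kind, content) "
             "SELECT d.id, ?, ? FROM domains d WHERE " + NO_ROW)

def zones_missing_key(conn, key_name):
    """Names of zones that have no per-zone TSIG-ALLOW-AXFR row for key_name."""
    return [row[0] for row in conn.execute(MISSING_SQL, (KIND, key_name))]

def grant_key_everywhere(conn, key_name):
    """Insert the missing per-zone rows; returns how many were added."""
    cur = conn.execute(GRANT_SQL, (KIND, key_name, KIND, key_name))
    conn.commit()
    return cur.rowcount

def sample_db():
    """Constructed data mirroring the tables in the post (zone ids assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY,
            domain_id INTEGER, kind TEXT, content TEXT);
        INSERT INTO domains VALUES
            (12, 'example.com'), (13, 'example.net'), (14, 'example.org');
        INSERT INTO domainmetadata (domain_id, kind, content) VALUES
            (NULL, 'TSIG-ALLOW-AXFR',  'keynamegoeshere'),
            (NULL, 'AXFR-MASTER-TSIG', 'keynamegoeshere'),
            (12,   'TSIG-ALLOW-AXFR',  'keynamegoeshere');
    """)
    return conn

if __name__ == "__main__":
    db = sample_db()
    print("missing before:", zones_missing_key(db, "keynamegoeshere"))
    print("rows added:", grant_key_everywhere(db, "keynamegoeshere"))
    print("missing after:", zones_missing_key(db, "keynamegoeshere"))
```

The insert is idempotent, so it can be re-run after new zones arrive from the supermaster without creating duplicate rows.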


