[Pdns-users] How to understand cause of rejected notify

MRob mrobti at insiberia.net
Sat Dec 1 21:44:50 UTC 2018


> All supermaster problems I know of can be resolved by checking the
> checklist:
> 
> https://doc.powerdns.com/authoritative/modes-of-operation.html?highlight=supermaster#supermaster-automatic-provisioning-of-slaves

* supermaster support must be enabled
I already asked about this in an unanswered inquiry over a week ago. The 
master is version 4.1, where I think the setting is not recognized 
(according to the docs, it was added in 4.2), so no, I didn't use it. I 
would appreciate clarification of the use of that setting, how 4.1 works 
without it and what it adds to 4.2. Also, if you have supermaster=yes, 
should master=yes be removed? The documentation does not make it clear.

* The supermaster must carry a SOA record for the notified domain
Yes it does

* The supermaster IP must be present in the ‘supermaster’ table
Yes, I said in my last email that it exists, and I can assume this is 
working because, as I explained, the supermaster causes an entry in the 
``domains'' table on the slave if I use a 4.1 slave. The 4.2 slave alone 
is refusing the NOTIFY.

* The set of NS records for the domain, as retrieved by the slave from 
the supermaster, must include the name that goes with the IP address in 
the supermaster table
dig shows me this is true, both @ the master and without @ to local 
resolver

* If your master sends signed NOTIFY it will mark that TSIG key as the 
TSIG key used for retrieval as well
When the slave is 4.1, yes, it added an entry to the ``domainmetadata'' 
table as well as ``domains''. So it appears to be working well. It is just 
not adding to ``records'', with no error expressed. Only v4.2 is just 
refusing the NOTIFY, with no error to help diagnose.

* If you turn off allow-unsigned-supermaster, then your supermaster(s) 
are required to sign their notifications.
Per above I think this is ok
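
The checklist quoted in this message can be walked in order to find the first condition a NOTIFY fails. The Python sketch below is an added example, not part of the original post and not PowerDNS code; the function name, its parameters and the sample addresses and names are constructed for illustration, and it models only the checklist items listed above.

```python
import ipaddress
from dataclasses import dataclass


def norm(name: str) -> str:
    """DNS names compare case-insensitively; ignore the trailing dot."""
    return name.rstrip(".").lower()


@dataclass
class Notify:
    source_ip: str   # address the NOTIFY arrived from
    zone: str
    signed: bool     # True if the NOTIFY carried a TSIG signature


def first_failed_check(notify, *, supermaster_enabled, soa_found, ns_names,
                       supermaster_rows, allow_unsigned):
    """Return the first checklist item that fails, or None if all pass.

    supermaster_rows: (ip, nameserver) pairs as stored on the slave.
    ns_names: NS set for the zone as retrieved from the supermaster.
    """
    if not supermaster_enabled:
        return "supermaster support is not enabled"
    if not soa_found:
        return "supermaster has no SOA record for the notified domain"
    src = ipaddress.ip_address(notify.source_ip)  # normalises IPv6 spellings
    paired = {norm(ns) for ip, ns in supermaster_rows
              if ipaddress.ip_address(ip) == src}
    if not paired:
        return "source IP is not present in the supermaster table"
    if not paired & {norm(n) for n in ns_names}:
        return "NS set lacks the name paired with the supermaster IP"
    if not allow_unsigned and not notify.signed:
        return "unsigned NOTIFY while allow-unsigned-supermaster is off"
    return None


if __name__ == "__main__":
    # Constructed sample data (documentation address and name ranges).
    rows = [("192.0.2.10", "ns1.example.net")]
    n = Notify("192.0.2.10", "example.org", signed=False)
    print(first_failed_check(n, supermaster_enabled=True, soa_found=True,
                             ns_names=["NS1.Example.NET.", "ns2.example.net."],
                             supermaster_rows=rows, allow_unsigned=False))
```
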


