[Pdns-users] How to understand cause of rejected notify

Frank Louwers frank+pdns at tembo.be
Sun Dec 2 21:24:49 UTC 2018


Hi MRob,

Could you please try a ‘dig AXFR domain.com’ from your slave?

Could you also provide us a full packet capture (pcap if possible)? I am starting to suspect a firewall issue…

Frank



> On 1 Dec 2018, at 22:44, MRob <mrobti at insiberia.net> wrote:
> 
>> All supermaster problems I know of can be resolved by checking the
>> checklist:
>> https://doc.powerdns.com/authoritative/modes-of-operation.html?highlight=supermaster#supermaster-automatic-provisioning-of-slaves
> 
> * supermaster support must be enabled
> I already asked about this in an unanswered inquiry over a week ago. Master is version 4.1, where I think the setting is not recognized (according to the docs, added in 4.2), thus no, I didn't use it. I would appreciate clarification of the use of that setting, how 4.1 works without it, and what it adds to 4.2. Also, if you have supermaster=yes, then should master=yes be removed? The documentation does not make it clear.
> 
> * The supermaster must carry a SOA record for the notified domain
> Yes it does
> 
> * The supermaster IP must be present in the ‘supermaster’ table
> Yes, I said in my last email it exists, and I can assume this is working because, as I explained, the supermaster causes an entry in the ``domains'' table on the slave if I use a 4.1 slave. The 4.2 slave alone is refusing the NOTIFY.
> 
> * The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table
> dig shows me this is true, both @ the master and without @ to local resolver
> 
> * If your master sends signed NOTIFY it will mark that TSIG key as the TSIG key used for retrieval as well
> When the slave is 4.1, yes, it added an entry to the ``domainmetadata'' table as well as ``domains''. So it appears to be working well. It is just not adding to ``records'', with no error expressed. Only v4.2 is just refusing the NOTIFY, with no error to help diagnose.
> 
> * If you turn off allow-unsigned-supermaster, then your supermaster(s) are required to sign their notifications.
> Per above I think this is ok
> 
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
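
The checklist items quoted in this message, modelled as a checker that names which item fails for a given NOTIFY. This is an added example, not PowerDNS code and not part of the original post; the function and parameter names and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

@dataclass
class Notify:
    source_ip: str
    zone: str
    tsig_key: Optional[str] = None  # None means the NOTIFY was unsigned

def _norm(name):
    # DNS names compare case-insensitively; ignore the trailing root dot.
    return name.rstrip(".").lower()

def failed_checks(notify, supermasters, soa_present, ns_names,
                  supermaster_enabled=True, allow_unsigned=True):
    """Return the checklist items that fail; an empty list means all pass."""
    failed = []
    if not supermaster_enabled:
        failed.append("supermaster support not enabled")
    if not soa_present:
        failed.append("supermaster carries no SOA for " + notify.zone)
    # Compare parsed addresses so IPv6 spelling differences do not matter.
    src = ip_address(notify.source_ip)
    names = {_norm(ns) for ip, ns in supermasters if ip_address(ip) == src}
    if not names:
        failed.append("source IP not in supermaster table")
    elif not names & {_norm(n) for n in ns_names}:
        failed.append("NS set lacks the name paired with the supermaster IP")
    if not allow_unsigned and notify.tsig_key is None:
        failed.append("unsigned NOTIFY, allow-unsigned-supermaster is off")
    return failed

# Constructed sample data (documentation address ranges, not from the thread).
SUPERMASTERS = [("192.0.2.10", "ns1.example.net"),
                ("2001:db8::53", "ns1.example.net")]
NS_FROM_MASTER = ["NS1.Example.NET.", "ns2.example.net."]

if __name__ == "__main__":
    for src in ("192.0.2.10", "2001:0db8:0:0:0:0:0:53", "198.51.100.7"):
        n = Notify(src, "example.com")
        print(src, failed_checks(n, SUPERMASTERS, True, NS_FROM_MASTER) or "ok")
```

The supermaster rows are passed as (ip, nameserver) pairs, and the NS names are the set the slave retrieved from the supermaster, so the same inputs the checklist asks about can be pasted in from the slave's database and from dig output.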


