[Pdns-users] Error in DNSSEC AXFR - Chunk Error Query Refused

Gert van Dijk gertvdijk+pdns-users at gmail.com
Thu Apr 18 08:19:05 UTC 2019


On Thu, Apr 18, 2019 at 6:44 AM Jackson Yap <jackson at apc.sg> wrote:

> Hi all,
>
>
>
> We have a strange situation. Previously we are able to do a zone transfer
> of non-dnssec zones. But now, when we tried to transfer a dnssec zone, we
> have the error below.
>
>
>
> Zone is already activated dnssec on source server, and is secured with
> pdnsutil secure-zone on the destination server.
>

I'm not sure I understand what you're trying to do in the first place. Your
source server is already serving the domain secured, you state. (Is that
also a PowerDNS Authoritative server under your control or not?)
If your destination server is supposed to be a secondary nameserver, you
should set the zone as 'presigned' (`pdnsutil set-presigned [ZONE]`) so
that it retrieves the signed zone and serves it as-is.


> Apr 18 12:35:49 ns1 pdns_server: Starting AXFR of 'xxx.sg' from remote
> x.x.x.x
>
> Apr 18 12:35:49 ns1 pdns_server: Unable to AXFR zone 'xxx.sg' from remote
> x.x.x.x (resolver): AXFR chunk error: Query Refuse
>

Are your sure your source server accepts zone transfers from the IP of your
destination server? It seems it does not allow you to. If your source
server is not under your control, additional restrictions may be applied
like TSIG [1], but I'm not too familiar if you would get this specific
error message on your destination server.

[1]: https://doc.powerdns.com/authoritative/tsig.html

HTH
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20190418/0efe15c0/attachment.html>


More information about the Pdns-users mailing list