[Pdns-users] Error in DNSSEC AXFR - Chunk Error Query Refused

Jackson Yap jackson at apc.sg
Thu Apr 18 08:39:54 UTC 2019


Yes, I’m trying to do AXFR of DNSSEC zones from source powerdns (cpanel) to
another powerdns server.

   1. Do you mean I just need it secured at the source server, that’s all?
   2. I’m using notify to send the DNSSEC zones to the destination powerdns
   server. Is there still a need to set presigned on the destination powerdns?
   3. Cpanel mentioned there seems to be narrow mode on powerdns at their
   end which prevents the zone transfer of DNSSEC. I am trying to confirm that
   with them.

*From:* Pdns-users <pdns-users-bounces at mailman.powerdns.com> *On Behalf Of* Gert van Dijk
*Sent:* Thursday, 18 April 2019 4:19 PM
*To:* pdns-users at mailman.powerdns.com
*Subject:* Re: [Pdns-users] Error in DNSSEC AXFR - Chunk Error Query Refused

On Thu, Apr 18, 2019 at 6:44 AM Jackson Yap <jackson at apc.sg> wrote:

Hi all,

We have a strange situation. Previously we were able to do a zone transfer
of non-dnssec zones. But now, when we tried to transfer a dnssec zone, we
have the error below.

Zone is already activated dnssec on source server, and is secured with
pdnsutil secure-zone on the destination server.

I'm not sure I understand what you're trying to do in the first place. Your
source server is already serving the domain secured, you state. (Is that
also a PowerDNS Authoritative server under your control or not?)

If your destination server is supposed to be a secondary nameserver, you
should set the zone as 'presigned' (`pdnsutil set-presigned [ZONE]`) so
that it retrieves the signed zone and serves it as-is.

Apr 18 12:35:49 ns1 pdns_server: Starting AXFR of 'xxx.sg' from remote

Apr 18 12:35:49 ns1 pdns_server: Unable to AXFR zone 'xxx.sg' from remote
x.x.x.x (resolver): AXFR chunk error: Query Refuse

Are you sure your source server accepts zone transfers from the IP of your
destination server? It seems it does not allow you to. If your source
server is not under your control, additional restrictions may be applied
like TSIG [1], but I'm not too familiar if you would get this specific
error message on your destination server.

[1]: https://doc.powerdns.com/authoritative/tsig.html
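
Added example, not part of the original thread: the "Query Refused" text in the log above corresponds to DNS RCODE 5 (REFUSED) in the source server's reply to the AXFR query. The Python below builds the TCP-framed AXFR query a secondary sends and classifies a constructed reply; the zone name `example.sg`, the message ID and all function names are assumptions made for illustration.

```python
import struct

QTYPE_AXFR, CLASS_IN = 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(zone):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in zone.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_axfr_query(zone, msg_id):
    """Return a TCP-framed AXFR query (2-byte length prefix, RFC 1035 4.2.2)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)  # flags=0, QDCOUNT=1
    msg = header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)
    return struct.pack("!H", len(msg)) + msg

def parse_chunk(stream):
    """Parse the first framed message in stream; return (id, rcode_name, ancount)."""
    if len(stream) < 2:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    msg = stream[2:2 + length]
    if len(msg) < max(length, 12):
        raise ValueError("truncated message")
    msg_id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return msg_id, RCODES.get(rcode, "RCODE%d" % rcode), ancount

def diagnose(stream, expected_id):
    """Classify the first transfer chunk as seen from the secondary."""
    msg_id, rcode, ancount = parse_chunk(stream)
    if msg_id != expected_id:
        return "ID mismatch"
    if rcode == "REFUSED":
        return "refused: check the primary's transfer ACL or TSIG requirement"
    if rcode != "NOERROR":
        return "failed: " + rcode
    return "ok: %d answer records in first chunk" % ancount

# Constructed sample: the reply a primary sends when it denies the transfer.
QUERY = build_axfr_query("example.sg", 0x1234)
REFUSED_REPLY = struct.pack("!H", len(QUERY) - 2) + struct.pack("!HH", 0x1234, 0x8005) + QUERY[6:]
```

A REFUSED first chunk means the transfer was denied before any zone data was sent, so the DNSSEC state of the zone on either side is not yet involved at that point.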
