[Pdns-users] Error in DNSSEC AXFR - Chunk Error Query Refused

Gert van Dijk gertvdijk+pdns-users at gmail.com
Thu Apr 18 08:54:45 UTC 2019


On Thu, Apr 18, 2019 at 10:39 AM Jackson Yap <jackson at apc.sg> wrote:

> Yes, I’m trying to do AXFR of DNSSEC zones from source powerdns (cpanel)
> to another powerdns server.
>
>    1. Do you mean I just need it secured at source server, that’s all?
>    2. I’m using notify to send the DNSSEC zones to the destination
>    powerdns server. Is there still a need to set presigned on the destination
>    powerdns server?

It should all be automatic, really, as per [1]. Does your backend support
storing metadata? For example, if you use the BIND backend on the
destination server, this requires you to set a SQLite DNSSEC database as
per [2].
(I suggested running `pdnsutil set-presigned` because it has shown me
helpful errors when I forgot to correctly configure the backend, and also I
am not sure if it autodetects DNSSEC on zones that were not secured before.)


>    3. Cpanel mentioned there seems to be narrow mode on powerdns at their
>    end which prevents the zone transfer of DNSSEC. I am trying to confirm that
>    with them.

NSEC3 narrow mode is stopping you from AXFR'ing the domain, indeed. It
cannot transfer a zone presigned in that mode by design, because it
requires active interaction with the secret key to provide hashed denial of
existence, as per [3]. Ask your operator of the primary site to use
inclusive NSEC3 mode instead.

[1]: https://doc.powerdns.com/authoritative/domainmetadata.html#presigned
[2]: https://doc.powerdns.com/authoritative/backends/bind.html#bind-dnssec-db
[3]: https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#hashed-denial-of-existence

HTH
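To make the difference between the two NSEC3 modes concrete, here is an added illustration (not part of the thread and not PowerDNS code) that computes RFC 5155 NSEC3 hashes over a constructed four-name zone: inclusive mode yields a fixed chain of records that can be presigned and AXFR'd, while narrow mode stores nothing and would have to synthesise and sign a covering record per query. Salt `aabbccdd` and 12 iterations are taken from the RFC 5155 Appendix A test vectors; the zone names are made up.

```python
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 "extended hex" alphabet

def b32hex(data: bytes) -> str:
    # base32hex without padding; a 20-byte SHA-1 digest is exactly 32 characters
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))

def wire_name(name: str) -> bytes:
    # canonical (lowercase) wire-format owner name, which is what RFC 5155 hashes
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_digest(name: str, salt_hex: str, iterations: int) -> bytes:
    # RFC 5155 section 5: IH(0) = SHA1(name || salt), IH(k) = SHA1(IH(k-1) || salt)
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    return b32hex(nsec3_digest(name, salt_hex, iterations))

def inclusive_chain(names, salt_hex: str, iterations: int):
    """Inclusive mode: one NSEC3 per existing name, linked in hash order into a
    closed chain. These are ordinary records stored in the zone, so they can be
    signed ahead of time and shipped to a secondary over AXFR."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def narrow_cover(qname: str, salt_hex: str, iterations: int):
    """Narrow mode: no NSEC3 records exist in the zone data. For each negative
    answer the server computes H(qname) and synthesises an NSEC3 spanning
    H-1 .. H+1, which must be signed on the spot with the private key. A
    secondary holding only a presigned copy has neither the records nor the key."""
    h = int.from_bytes(nsec3_digest(qname, salt_hex, iterations), "big")
    lo, hi = (h - 1) % (1 << 160), (h + 1) % (1 << 160)
    return b32hex(lo.to_bytes(20, "big")), b32hex(hi.to_bytes(20, "big"))

if __name__ == "__main__":
    # constructed sample zone; salt and iterations match RFC 5155 Appendix A
    ZONE = ["example.", "ns1.example.", "a.example.", "w.example."]
    for owner, nxt in inclusive_chain(ZONE, "aabbccdd", 12):
        print(f"{owner}.example. NSEC3 1 0 12 aabbccdd {nxt}")
    print("narrow-mode cover:", narrow_cover("nonexistent.example.", "aabbccdd", 12))
```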