[Pdns-users] IXFR request refused response

Thomas Mieslinger miesi at mail.com
Tue Nov 24 07:43:46 UTC 2020


Back in time we had a setup of chained pdns-auth Servers where one pdns
signed the zone and another did a full axfr which was replicated using
db replication to readonly pdnses with public ips.

This way we worked around the need for private keys in databases in colo
datacenters. With your opendnssec setup I guess you are trying to work
around the same problem.

That worked ok for zones with up to 50k records.

Nowadays we've written an incremental signer which we've integrated in
our DNS/DHCP and IP Management. You can find it at github.com/1and1/dim.

This incremental signer performs well for zones with up to 500k records
(Didn't test more).

Cheers
Thomas

On 11/24/20 8:12 AM, Sebastian Sandberg via Pdns-users wrote:
> I have missed that statement in the docs, that's probably why I see this
> error.
>
> I have a problem when sending zone updates from pdns to Opendnssec for
> zone signing. After sending a notification from pdns to opendnssec,
> opendnssec requests ixfr over udp and gets back rcode REFUSED.
>
> Have not yet found a solution for this. If anyone has more input that
> could help me in the right direction please let me know, I'm going to
> dig deeper.
>
> Thanks Brian for your update.
>
> Best regards,
> Sebastian
>
> On Mon, Nov 23, 2020 at 3:54 PM Brian Candler <b.candler at pobox.com> wrote:
>
>     On 23/11/2020 13:33, Sebastian Sandberg via Pdns-users wrote:
>>
>>     I have questions regarding IXFR. I have a problem in my lab where
>>     pdns is refusing IXFR requests to check current serial of a master
>>     zone in pdns. This seems to appear when IXFR is requested over UDP.
>
>     Aside: I see in ./docs/modes-of-operation.rst and here
>     <https://doc.powerdns.com/authoritative/modes-of-operation.html#ixfr-incremental-zone-transfers>:
>
>     "PowerDNS itself is currently only able to retrieve updates via
>     IXFR. It can not serve IXFR updates."
>
>     Is that sentence still true, or now obsolete?
>
>

