[Pdns-users] Zone transfer rejected in Powerdns Letsencrypt challenge
Brian Candler
b.candler at pobox.com
Mon Jun 21 08:31:17 UTC 2021
On 21/06/2021 08:53, Cheikh Dieng via Pdns-users wrote:
> Hi,
>
> My powerdns rejects requests for zone transfer.
>
> My powerdns domain is "cloud.lfpw.dsna.fr"; it is a subdomain of
> "lfpw.dsna.fr" (this parent domain is not a powerdns solution).
> For the Letsencrypt protocol to generate a certificate I have to enable
> zone transfer in my powerdns.
That doesn't make much sense: the Letsencrypt protocol DNS01 challenge
does not use zone transfers.
It might make sense if cloud.lfpw.dsna.fr were delegated to a separate
set of publicly-reachable nameservers, and your powerdns is a hidden
primary that those servers perform zone transfers from. That looks like
it's possible:
$ dig +trace @8.8.8.8 _acme-challenge.cloud.lfpw.dsna.fr.
...
lfpw.dsna.fr. 86400 IN NS vitre.cena.fr.
lfpw.dsna.fr. 86400 IN NS hilar.cena.fr.
;; Received 108 bytes from 2001:4b98:aaaa::fa#53(ns-249-a.gandi.net) in 18 ms
...
cloud.lfpw.dsna.fr. 172800 IN NS vitre.cena.fr.
cloud.lfpw.dsna.fr. 172800 IN NS vip-in.cloud.lfpw.dsna.fr.
;; Received 125 bytes from 195.83.98.1#53(hilar.cena.fr) in 39 ms
However the cloud.lfpw.dsna.fr domain looks to be totally broken. One
nameserver gives servfail:
$ dig @vitre.cena.fr. cloud.lfpw.dsna.fr. ns
; <<>> DiG 9.10.3-P4-Debian <<>> @vitre.cena.fr. cloud.lfpw.dsna.fr. ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33460
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cloud.lfpw.dsna.fr. IN NS
;; Query time: 36 msec
;; SERVER: 2001:660:6607:100::1#53(2001:660:6607:100::1)
;; WHEN: Mon Jun 21 09:20:26 BST 2021
;; MSG SIZE rcvd: 47
The other nameserver, "vip-in.cloud.lfpw.dsna.fr" does not resolve at all:
$ dig @vip-in.cloud.lfpw.dsna.fr. cloud.lfpw.dsna.fr. ns
; <<>> DiG 9.10.3-P4-Debian <<>> @vip-in.cloud.lfpw.dsna.fr. cloud.lfpw.dsna.fr. ns
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
The address from the glue record doesn't work either:
$ dig @195.83.98.243 cloud.lfpw.dsna.fr. ns
; <<>> DiG 9.10.3-P4-Debian <<>> @195.83.98.243 cloud.lfpw.dsna.fr. ns
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Only one of the two nameservers for lfpw.dsna.fr *is* working - this is
where I got the glue record from.
$ dig @hilar.cena.fr. cloud.lfpw.dsna.fr. ns
; <<>> DiG 9.10.3-P4-Debian <<>> @hilar.cena.fr. cloud.lfpw.dsna.fr. ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10103
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cloud.lfpw.dsna.fr. IN NS
;; AUTHORITY SECTION:
cloud.lfpw.dsna.fr. 172800 IN NS vip-in.cloud.lfpw.dsna.fr.
cloud.lfpw.dsna.fr. 172800 IN NS vitre.cena.fr.
;; ADDITIONAL SECTION:
vip-in.cloud.lfpw.dsna.fr. 172800 IN A 195.83.98.243
;; Query time: 39 msec
;; SERVER: 195.83.98.1#53(195.83.98.1)
;; WHEN: Mon Jun 21 09:23:11 BST 2021
;; MSG SIZE rcvd: 109
In summary: lfpw.dsna.fr is half-broken, and cloud.lfpw.dsna.fr is
completely broken. Getting Letsencrypt certificates is the least of
your worries right now.
>
> Is my pdns.conf file correct ?
>
> local-address = 0.0.0.0, ::
> launch = ldap
> guardian = yes
> ldap-host=ldap://200.17.xx.xx:1389/
> ldap-basedn=dc=cloud,dc=lfpw,dc=dsna,dc=fr
> ldap-binddn=cn=admin,dc=dsna,dc=fr
> ldap-secret = xxxxx
> ldap-method = simple
> disable-axfr = no
> allow-axfr-ips=127.0.0.0/8,195.xx.xx.xx/32,51.91.xx.xx/32
> local-port = 53
> cache-ttl = 0
>
> loglevel = 9
> logging-facility = 0
> api = yes
> api-key = xxxxx
> master = yes
> include-dir=/etc/powerdns/pdns.d
>
>
> My powerdns listens on port 2053.
That doesn't make sense either. You have "local-port=53", but you say
it listens on port 2053 ??
What does powerdns log when you try to make a zone transfer? Can you
use tcpdump to prove the query is arriving?
>
> The AXFR request failed, see below:
>
> [pduser@hyp03 ~]$ dig axfr @0 cloud.lfpw.dsna.fr -p 2053
>
> ; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> axfr @0 cloud.lfpw.dsna.fr -p 2053
> ; (1 server found)
> ;; global options: +cmd
> ; Transfer failed.
>
It looks like you haven't copy-pasted correctly. "dig @0" is certainly
going to fail:
;; Connection to 0.0.0.0#2053(0.0.0.0) for cloud.lfpw.dsna.fr failed:
connection refused.
So I can only guess what host you're trying to transfer from. I tried
"dig @0.cloud.lfpw.dsna.fr", but that also fails because it doesn't resolve.
Regards,
Brian.
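As an added example that is not part of this thread, a small Python checker that applies the same test Brian performs by hand above: take the parent's referral for the child zone, then confirm that each delegated nameserver answers authoritatively rather than with SERVFAIL, a timeout, or just another referral. The dig replies are constructed inputs modelled on the ones quoted in the reply, and parsing dig's text output with regexes is my shortcut, not something the thread does.

```python
import re

# Constructed dig replies modelled on those quoted above (not the thread's text).
SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33460
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
TIMEOUT = ";; connection timed out; no servers could be reached\n"
REFERRAL = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10103
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; AUTHORITY SECTION:
cloud.lfpw.dsna.fr. 172800 IN NS vip-in.cloud.lfpw.dsna.fr.
cloud.lfpw.dsna.fr. 172800 IN NS vitre.cena.fr.
;; ADDITIONAL SECTION:
vip-in.cloud.lfpw.dsna.fr. 172800 IN A 195.83.98.243
"""

STATUS = re.compile(r"status: (\w+)")
FLAGS = re.compile(r";; flags: ([a-z ]*);")
# RR line: owner TTL IN type rdata (the ";name IN NS" question line has no TTL).
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)$", re.M)

def classify(dig_output):
    """Reduce one dig reply to the verdict a delegation check needs."""
    if "no servers could be reached" in dig_output:
        return {"verdict": "timeout"}
    status = STATUS.search(dig_output).group(1)
    if status != "NOERROR":
        return {"verdict": status.lower()}
    flags = FLAGS.search(dig_output).group(1).split()
    records = RR.findall(dig_output)
    # NOERROR without aa, NS records only in AUTHORITY: a referral, not an answer.
    return {"verdict": "authoritative" if "aa" in flags else "referral",
            "ns": sorted(v for _, t, v in records if t == "NS"),
            "glue": {n: v for n, t, v in records if t == "A"}}

def check_delegation(parent_reply, child_replies):
    """Compare the parent's referral with what each delegated NS actually does."""
    ref = classify(parent_reply)
    if ref["verdict"] != "referral":
        return "parent did not delegate: " + ref["verdict"]
    problems = []
    for name in ref["ns"]:
        reply = child_replies.get(name)
        verdict = classify(reply)["verdict"] if reply else "not queried"
        if verdict != "authoritative":
            problems.append(f"{name} {verdict}")
    if not problems:
        return "ok"
    degree = "completely" if len(problems) == len(ref["ns"]) else "partly"
    return f"{degree} broken: " + "; ".join(problems)
```

Feeding it the replies from hilar.cena.fr (parent), vitre.cena.fr (SERVFAIL) and vip-in.cloud.lfpw.dsna.fr (timeout) reproduces the "completely broken" verdict above; a hidden-primary setup only works once every name in the referral passes this check.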