[Pdns-users] Zone transfer rejected in Powerdns Letsencrypt challenge
Brian Candler
b.candler at pobox.com
Wed Jun 23 07:24:28 UTC 2021
On 22/06/2021 23:30, Cheikh Dieng wrote:
> Hi, excuse me for the delay...
>
> For context:
> My powerdns listens on port 2053
> My dnsdist listens on port 1053
> We are translating port 53 (from external requests) to 1053.
> That's why externally we use port 53 and internally we can use
> port 1053 or 2053
In that case I would have thought your powerdns authoritative needs
"local-port = 2053", not "local-port = 53"
Do you have a particular reason for using dnsdist? It does add
complexity that is often not required.
>
> Detail: DNS problem: query timed out looking up TXT for
> _acme-challenge.cloud.lfpw.dsna.fr
>
As I explained before, your entire domain "cloud.lfpw.dsna.fr" is
broken. ACME challenges and DNS updates are not the problem; the
problem is that *nobody* can resolve *any* address within that domain.
$ dig @8.8.8.8 cloud.lfpw.dsna.fr. soa
...
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: *SERVFAIL*, id: 7572
That's the problem you need to fix first. To repeat:
$ dig +trace @8.8.8.8 cloud.lfpw.dsna.fr
...
lfpw.dsna.fr. 86400 IN NS vitre.cena.fr.
lfpw.dsna.fr. 86400 IN NS hilar.cena.fr.
dig +norec @vitre.cena.fr. cloud.lfpw.dsna.fr. txt >> answer is SERVFAIL
dig +norec @hilar.cena.fr. cloud.lfpw.dsna.fr. txt >> gives delegation
(NS) to vitre.cena.fr. and vip-in.cloud.lfpw.dsna.fr.
>> we already know that vitre.cena.fr gives SERVFAIL
>> we cannot resolve the name vip-in.cloud.lfpw.dsna.fr, and therefore
we cannot send a DNS query to it
>> therefore, 2 out of 2 nameservers for cloud.lfpw.dsna.fr are not
reachable
>> therefore, the entire domain cloud.lfpw.dsna.fr is broken
>
> As a first conclusion, I understand from your reply that:
>
> * the Letsencrypt protocol DNS01 challenge does not use zone transfers
> * cloud.lfpw.dsna.fr is a subdomain and doesn't have to configure
> delegation (it makes sense). This delegation configuration should be
> done at the parent level (lfpw.dsna.fr)
>
The delegation is done at the parent level, yes. However the delegated
domain still needs to contain NS records and a SOA record for its own zone.
Regards,
Brian.
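The dig +trace / dig +norec steps Brian walks through above are a general delegation check: ask the parent's servers for the child's NS set, then ask each child nameserver, non-recursively, for the child's SOA. The script below is an added example written for this thread, not code from the thread, from PowerDNS or from dnsdist. It runs the check over constructed offline tables that mirror the observations in the thread (RFC 5737 documentation addresses stand in for the real servers; a second "fixed" table shows what a repaired delegation looks like, which goes beyond the thread), and it includes a small real-network adapter that assumes dnspython is installed.

```python
"""Delegation check: is a child zone actually served by the NS the parent names?
Added example for this thread; not from the thread, PowerDNS or dnsdist."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

QueryFn = Callable[[str, str, str], Tuple[str, List[str]]]  # (server_ip, qname, rtype) -> (rcode, rdata)
AddrFn = Callable[[str], Optional[str]]                       # nameserver name -> address or None


@dataclass
class NsResult:
    name: str
    address: Optional[str]
    rcode: Optional[str]
    usable: bool
    reason: str


@dataclass
class DelegationReport:
    zone: str
    results: List[NsResult]

    @property
    def usable_count(self) -> int:
        return sum(1 for r in self.results if r.usable)

    @property
    def healthy(self) -> bool:
        return self.usable_count > 0

    def summary(self) -> str:
        bad = len(self.results) - self.usable_count
        state = "is served" if self.healthy else "is broken"
        return f"{bad} of {len(self.results)} nameservers for {self.zone} are not usable; the zone {state}"


def check_delegation(zone: str, parent_ns: List[str], query: QueryFn, resolve_addr: AddrFn) -> DelegationReport:
    """Step 1: ask each parent-side server (non-recursively) for the child's NS set.
    Step 2: for every child NS, find its address and ask it for the child's SOA.
    A nameserver is usable only when it is reachable and answers NOERROR with a SOA."""
    child_ns = set()
    for parent in parent_ns:
        addr = resolve_addr(parent)
        if addr is None:
            continue
        rcode, rdata = query(addr, zone, "NS")
        if rcode == "NOERROR":
            child_ns.update(rdata)

    results: List[NsResult] = []
    for ns in sorted(child_ns):
        addr = resolve_addr(ns)
        if addr is None:
            reason = "name cannot be resolved"
            if ns.endswith("." + zone):
                # An NS name inside the zone it serves is only findable via glue
                # A/AAAA records published at the parent.
                reason += " (in-bailiwick name, parent must publish glue)"
            results.append(NsResult(ns, None, None, False, reason))
            continue
        rcode, rdata = query(addr, zone, "SOA")
        usable = rcode == "NOERROR" and len(rdata) > 0
        reason = "answers with a SOA" if usable else f"answered {rcode} without a SOA"
        results.append(NsResult(ns, addr, rcode, usable, reason))
    return DelegationReport(zone, results)


# Constructed offline data (RFC 5737 addresses, not the real servers' addresses).
ZONE = "cloud.lfpw.dsna.fr."
PARENT_NS = ["vitre.cena.fr.", "hilar.cena.fr."]
CHILD_NS = ["vitre.cena.fr.", "vip-in.cloud.lfpw.dsna.fr."]
SOA = "vip-in.cloud.lfpw.dsna.fr. hostmaster.cloud.lfpw.dsna.fr. 1 3600 900 604800 300"

BROKEN_ADDRS = {"vitre.cena.fr.": "192.0.2.1", "hilar.cena.fr.": "192.0.2.2"}  # no glue for vip-in
BROKEN_ANSWERS = {("192.0.2.2", ZONE, "NS"): ("NOERROR", CHILD_NS)}             # hilar delegates; vitre SERVFAILs

FIXED_ADDRS = dict(BROKEN_ADDRS, **{"vip-in.cloud.lfpw.dsna.fr.": "192.0.2.3"})  # glue present
FIXED_ANSWERS = dict(BROKEN_ANSWERS)
FIXED_ANSWERS[("192.0.2.1", ZONE, "NS")] = ("NOERROR", CHILD_NS)
FIXED_ANSWERS[("192.0.2.1", ZONE, "SOA")] = ("NOERROR", [SOA])
FIXED_ANSWERS[("192.0.2.3", ZONE, "SOA")] = ("NOERROR", [SOA])


def offline_resolver(addrs: Dict[str, str], answers: Dict) -> Tuple[QueryFn, AddrFn]:
    """Build query/address functions over the constructed tables; unknown queries SERVFAIL."""
    def query(server_ip: str, qname: str, rtype: str) -> Tuple[str, List[str]]:
        return answers.get((server_ip, qname, rtype), ("SERVFAIL", []))

    def resolve_addr(name: str) -> Optional[str]:
        return addrs.get(name)
    return query, resolve_addr


def live_query(server_ip: str, qname: str, rtype: str) -> Tuple[str, List[str]]:
    """Real-network QueryFn using dnspython (assumed installed); behaves like dig +norec."""
    import dns.flags, dns.message, dns.query, dns.rcode
    q = dns.message.make_query(qname, rtype)
    q.flags &= ~dns.flags.RD  # do not ask the server to recurse on our behalf
    try:
        resp = dns.query.udp(q, server_ip, timeout=3.0)
    except Exception:  # timeout, unreachable host, malformed reply
        return ("TIMEOUT", [])
    want = q.question[0].rdtype
    rdata = [str(r) for section in (resp.answer, resp.authority)
             for rrset in section if rrset.rdtype == want for r in rrset]
    return (dns.rcode.to_text(resp.rcode()), rdata)


if __name__ == "__main__":
    for label, addrs, answers in (("broken", BROKEN_ADDRS, BROKEN_ANSWERS), ("fixed", FIXED_ADDRS, FIXED_ANSWERS)):
        report = check_delegation(ZONE, PARENT_NS, *offline_resolver(addrs, answers))
        print(f"[{label}] {report.summary()}")
        for r in report.results:
            print(f"  {r.name:<30} {r.reason}")
```

To run it against real servers, pass `live_query` as the query function and a small wrapper around your stub resolver as the address function; the "in-bailiwick name, parent must publish glue" reason is the case Brian hits with vip-in.cloud.lfpw.dsna.fr, which cannot be resolved because its address lives inside the very zone that is not being served.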