[Pdns-users] Zone transfert rejected in Powerdns Letsencrypt challenge

Brian Candler b.candler at pobox.com
Wed Jun 23 07:24:28 UTC 2021

On 22/06/2021 23:30, Cheikh Dieng wrote:
> Hi, excuse for delay..
> For context:
> My powerdns listen in port 2053
> My dnsdist listen in port 1053
> We are an translating port through 53 (from external request) to 1053 
> . That's why from external we use port 53 and in internal we can use 
> port 1053 or 2053

In that case I would have thought your powerdns authoritative needs 
"local-port = 2053", not "local-port = 53"

Do you have a particular reason for using dnsdist?  It does add 
complexity that is often not required.

>         * Detail: DNS problem: query timed out looking up TXT for
>         _acme-challenge.cloud.lfpw.dsna.fr
>         <http://acme-challenge.cloud.lfpw.dsna.fr>*
As I explained before, your entire domain "cloud.lfpw.dsna.fr" is 
broken.  ACME challenges and DNS updates are not the problem; the 
problem is that *nobody* can resolve *any* address within that domain.

$ dig @ cloud.lfpw.dsna.fr. soa

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: *SERVFAIL*, id: 7572

That's the problem you need to fix first.  To repeat:

$ dig +trace @ cloud.lfpw.dsna.fr
lfpw.dsna.fr.        86400    IN    NS    vitre.cena.fr.
lfpw.dsna.fr.        86400    IN    NS    hilar.cena.fr.

dig +norec @vitre.cena.fr. cloud.lfpw.dsna.fr. txt   >> answer is SERVFAIL

dig +norec @hilar.cena.fr. cloud.lfpw.dsna.fr. txt   >> gives delegation 
(NS) to vitre.cena.fr. and vip-in.cloud.lfpw.dsna.fr.

 >> we already know that vitre.cena.fr gives SERVFAIL

 >> we cannot resolve the name vip-in.cloud.lfpw.dnsa.fr, and therefore 
we cannot send a DNS query to it

 >> therefore, 2 out of 2 nameservers for cloud.lfpw.dnsa.fr are not 

 >> therefore, the entire domain cloud.lfpw.dnsa.fr is broken

> For first conclusion I understand from your return that:
>   *   the Letsencrypt protocol DNS01 challenge does not use zone transfers
>   * cloud.lfpw.dsna.fr <http://cloud.lfpw.dsna.fr> is a subdomain and
>     doesn't have to configure delagation (it make sense).  This
>     delegation configuration should be done at parent level
>     (lfpw.dsna.fr <http://lfpw.dsna.fr>)
The delegation is done at the parent level, yes.  However the delegated 
domain still needs to contain NS records and a SOA record for its own zone.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20210623/8a4d6e63/attachment.htm>

More information about the Pdns-users mailing list