[Pdns-users] Zone transfert rejected in Powerdns Letsencrypt challenge
Cheikh Dieng
tekdieng at gmail.com
Wed Jun 23 07:54:32 UTC 2021
Many thanks,
It's clear to me. For dnsdist, I need HA for my PowerDNS.
>>The delegation is done at the parent level, yes. However the delegated
domain still needs to contain NS records and a SOA record for its own zone:
Yes, here are some details:
[pduser at hyp03 ~]$ podman exec pdns pdnsutil list-zone cloud.lfpw.dsna.fr
Jun 10 15:53:06 [LdapBackend] LDAP servers = ldap://200.17.66.30:1389/
Jun 10 15:53:06 [LdapBackend] Ldap connection succeeded
Jun 10 15:53:06 [LdapBackend] LDAP servers = ldap://200.17.66.30:1389/
Jun 10 15:53:06 [LdapBackend] Ldap connection succeeded
Jun 10 15:53:06 [LdapBackend] Search = basedn:
dc=cloud,dc=lfpw,dc=dsna,dc=fr, filter: (associatedDomain=*.
cloud.lfpw.dsna.fr)
$ORIGIN .
Jun 10 15:53:06 [LdapBackend] Record = qname: cloud.lfpw.dsna.fr, qtype:
SOA, ttl: 3600, content: ns.cloud.lfpw.dsna.fr hostmaster at cloud.lfpw.dsna.fr
2002010401 1800 3600 604800 84600
Jun 10 15:53:06 [LdapBackend] Record = qname: cloud.lfpw.dsna.fr, qtype:
NS, ttl: 3600, content: ns.cloud.lfpw.dsna.fr
Jun 10 15:53:06 [LdapBackend] Record = qname: cloud.lfpw.dsna.fr, qtype:
MX, ttl: 3600, content: 20 mail2.cloud.lfpw.dsna.fr
Jun 10 15:53:06 [LdapBackend] Record = qname: cloud.lfpw.dsna.fr, qtype:
MX, ttl: 3600, content: 10 mail.cloud.lfpw.dsna.fr
Jun 10 15:53:06 [LdapBackend] Record = qname: cloud.lfpw.dsna.fr, qtype: A,
ttl: 3600, content: 195.83.98.243
Jun 10 15:53:06 [LdapBackend] Record = qname: *.cloud.lfpw.dsna.fr, qtype:
A, ttl: 3600, content: 195.83.98.243
Jun 10 15:53:06 [LdapBackend] Record = qname: vip-in.cloud.lfpw.dsna.fr,
qtype: A, ttl: 3600, content: 195.83.98.243
Jun 10 15:53:06 [LdapBackend] Record = qname: mail2.cloud.lfpw.dsna.fr,
qtype: CNAME, ttl: 3600, content: vip-in.cloud.lfpw.dsna.fr
Jun 10 15:53:06 [LdapBackend] Record = qname: www.cloud.lfpw.dsna.fr,
qtype: CNAME, ttl: 3600, content: vip-in.cloud.lfpw.dsna.fr
Jun 10 15:53:06 [LdapBackend] Record = qname: _
acme-challenge.cloud.lfpw.dsna.fr, qtype: TXT, ttl: 3600, content:
"G4d-NJvGcOyN4L6FPZunTfRYeuVOvOG3afGjCby6Ncs"
cloud.lfpw.dsna.fr 3600 IN SOA ns.cloud.lfpw.dsna.fr
hostmaster at cloud.lfpw.dsna.fr 2002010401 1800 3600 604800 84600
cloud.lfpw.dsna.fr 3600 IN NS ns.cloud.lfpw.dsna.fr.
cloud.lfpw.dsna.fr 3600 IN MX 20 mail2.cloud.lfpw.dsna.fr.
cloud.lfpw.dsna.fr 3600 IN MX 10 mail.cloud.lfpw.dsna.fr.
cloud.lfpw.dsna.fr 3600 IN A 195.83.98.243
*.cloud.lfpw.dsna.fr 3600 IN A 195.83.98.243
vip-in.cloud.lfpw.dsna.fr 3600 IN A 195.83.98.243
mail2.cloud.lfpw.dsna.fr 3600 IN CNAME
vip-in.cloud.lfpw.dsna.fr.
www.cloud.lfpw.dsna.fr 3600 IN CNAME vip-in.cloud.lfpw.dsna.fr.
_acme-challenge.cloud.lfpw.dsna.fr 3600 IN TXT
"G4d-NJvGcOyN4L6FPZunTfRYeuVOvOG3afGjCby6Ncs"
This is my LDAP declaration for the basedn; just tell me if it's correct:
dn: dc=cloud,dc=lfpw,dc=dsna,dc=fr
objectClass: top
objectClass: domainRelatedObject
objectClass: dNSDomain2
objectClass: PdnsDomain
dc: cloud
sOARecord: ns.cloud.lfpw.dsna.fr hostmaster at cloud.lfpw.dsna.fr 2002010401
1800 3600 604800 84600
nSRecord: ns.cloud.lfpw.dsna.fr
mXRecord: 10 mail.cloud.lfpw.dsna.fr
mXRecord: 20 mail2.cloud.lfpw.dsna.fr
arecord: 195.83.98.243
associateddomain: cloud.lfpw.dsna.fr
PdnsDomainId: 1
PdnsDomainType: master
PdnsDomainMaster: 200.17.xx.xx
Thanks for your reply!
On Wed, 23 Jun 2021 at 09:24, Brian Candler <b.candler at pobox.com> wrote:
> On 22/06/2021 23:30, Cheikh Dieng wrote:
>
> Hi, excuse the delay.
>
> For context:
> My powerdns listen in port 2053
> My dnsdist listen in port 1053
> We are translating port 53 (from external requests) to 1053.
> That's why from external we use port 53 and internally we can use port
> 1053 or 2053
>
> In that case I would have thought your powerdns authoritative needs
> "local-port = 2053", not "local-port = 53"
>
> Do you have a particular reason for using dnsdist? It does add complexity
> that is often not required.
>
>
>
>
> * Detail: DNS problem: query timed out looking up TXT for
> _acme-challenge.cloud.lfpw.dsna.fr *
>
> As I explained before, your entire domain "cloud.lfpw.dsna.fr" is
> broken. ACME challenges and DNS updates are not the problem; the problem
> is that *nobody* can resolve *any* address within that domain.
>
> $ dig @8.8.8.8 cloud.lfpw.dsna.fr. soa
>
> ...
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: *SERVFAIL*, id: 7572
>
>
> That's the problem you need to fix first. To repeat:
>
> $ dig +trace @8.8.8.8 cloud.lfpw.dsna.fr
> ...
> lfpw.dsna.fr. 86400 IN NS vitre.cena.fr.
> lfpw.dsna.fr. 86400 IN NS hilar.cena.fr.
>
> dig +norec @vitre.cena.fr. cloud.lfpw.dsna.fr. txt >> answer is SERVFAIL
>
> dig +norec @hilar.cena.fr. cloud.lfpw.dsna.fr. txt >> gives delegation
> (NS) to vitre.cena.fr. and vip-in.cloud.lfpw.dsna.fr.
>
> >> we already know that vitre.cena.fr gives SERVFAIL
>
> >> we cannot resolve the name vip-in.cloud.lfpw.dsna.fr, and therefore we
> cannot send a DNS query to it
>
> >> therefore, 2 out of 2 nameservers for cloud.lfpw.dsna.fr are not
> reachable
>
> >> therefore, the entire domain cloud.lfpw.dsna.fr is broken
>
>
> For first conclusion I understand from your return that:
>
> - the Letsencrypt protocol DNS01 challenge does not use zone
> transfers
> - cloud.lfpw.dsna.fr is a subdomain and doesn't have to configure
> delegation (it makes sense). This delegation configuration should be done
> at the parent level (lfpw.dsna.fr)
>
> The delegation is done at the parent level, yes. However the delegated
> domain still needs to contain NS records and a SOA record for its own zone.
>
> Regards,
>
> Brian.
>
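One way to mechanise the dig walk Brian describes above (parent delegation, then each delegated nameserver, then the SOA at the child apex), as an added example that is not part of this thread or of PowerDNS: the answer table is constructed to reproduce the broken state described (one NS answering SERVFAIL, the other in-bailiwick with no glue), and a second table shows the same delegation once glue and SOA answers are in place.

```python
# Delegation walk mirroring the dig reasoning in the thread (added example,
# not from the thread or PowerDNS). Network lookups are replaced by a
# constructed answer table so it runs offline; replace lookup() with real
# queries (dig +norec, dnspython) to use it against a live zone.
SERVFAIL, NOANSWER = "SERVFAIL", "NOANSWER"

# Constructed responses keyed by (server, qname, qtype): a record list, or a
# status string. Models the thread: the parent delegates to two NS, one
# answers SERVFAIL, the other is in-bailiwick and has no glue anywhere.
BROKEN = {
    ("hilar.cena.fr", "cloud.lfpw.dsna.fr", "NS"): ["vitre.cena.fr", "vip-in.cloud.lfpw.dsna.fr"],
    ("recursor", "vitre.cena.fr", "A"): ["192.0.2.1"],  # constructed address
    ("vitre.cena.fr", "cloud.lfpw.dsna.fr", "SOA"): SERVFAIL,
}

# The same delegation once glue is published and both servers load the zone.
SOA = ["ns.cloud.lfpw.dsna.fr hostmaster.cloud.lfpw.dsna.fr 2002010401 1800 3600 604800 84600"]
FIXED = dict(BROKEN)
FIXED[("hilar.cena.fr", "vip-in.cloud.lfpw.dsna.fr", "A")] = ["195.83.98.243"]  # glue
FIXED[("vip-in.cloud.lfpw.dsna.fr", "cloud.lfpw.dsna.fr", "SOA")] = SOA
FIXED[("vitre.cena.fr", "cloud.lfpw.dsna.fr", "SOA")] = SOA

def lookup(table, server, qname, qtype):
    """Return a record list or a status string; unknown queries are NOANSWER."""
    return table.get((server, qname, qtype), NOANSWER)

def check_delegation(table, zone, parent_ns):
    """Parent NS -> delegated NS -> SOA at each. Returns (usable, findings)."""
    findings = []
    delegated = lookup(table, parent_ns, zone, "NS")
    if not isinstance(delegated, list) or not delegated:
        return False, [f"{parent_ns} returned no delegation for {zone}"]
    usable = 0
    for ns in delegated:
        in_bailiwick = ns.endswith("." + zone)
        # An in-bailiwick NS is only findable via glue at the parent; others go via the recursor.
        addr = lookup(table, parent_ns if in_bailiwick else "recursor", ns, "A")
        if not isinstance(addr, list):
            findings.append(f"{ns}: cannot resolve nameserver"
                            + (" (in-bailiwick, no glue)" if in_bailiwick else ""))
            continue
        soa = lookup(table, ns, zone, "SOA")
        if isinstance(soa, list) and soa:
            usable += 1
            findings.append(f"{ns}: OK, serves SOA for {zone}")
        else:
            findings.append(f"{ns}: answered {soa} for {zone} SOA")
    if not usable:
        findings.append(f"0 of {len(delegated)} nameservers usable: {zone} is broken")
    return usable > 0, findings
```

Run `check_delegation(BROKEN, "cloud.lfpw.dsna.fr", "hilar.cena.fr")` to see the three findings that correspond to Brian's conclusions, and the same call with `FIXED` to see what a healthy delegation reports.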