[Pdns-users] Zone transfert rejected in Powerdns Letsencrypt challenge
Brian Candler
b.candler at pobox.com
Wed Jun 23 08:25:53 UTC 2021
On 23/06/2021 08:54, Cheikh Dieng wrote:
> Many thanks,
>
> It's clear to me. For dnsdist I need HA for my PowerDNS.
>
And how are you achieving HA of your dnsdist?
The normal, recommended approach for authoritative DNS resilience is to
have multiple nameservers, listed as separate NS records. dnsdist is
best deployed in special situations, such as the need to preprocess
requests and send them to different destinations.
There's not a problem deploying dnsdist as such: it's just adding
unnecessary complexity, and is an additional layer to manage and debug.
>> The delegation is done at the parent level, yes. However the
>> delegated domain still needs to contain NS records and a SOA record
>> for its own zone:
>
> Yes, here are some details
>
> ...
> cloud.lfpw.dsna.fr 3600 IN
> NS ns.cloud.lfpw.dsna.fr.
>
(1) That NS record disagrees with the delegation NS records. They need
to match.
(2) As far as I can see, you don't have any A record for
"ns.cloud.lfpw.dsna.fr" in your "cloud.lfpw.dsna.fr" zone, which means
your NS record won't resolve.
But there are worse problems.
Firstly, lfpw.dsns.fr and cloud.lfpw.dsna.fr are both delegated to
"vitre.cena.fr." but that nameserver does not answer to either of those
domains. Either contact that nameserver operator and get them to fix it
- or change your delegation so you don't use that nameserver.
Secondly, cloud.lfpw.dsna.fr is delegated to vip-in.cloud.lfpw.dsna.fr,
which has a glue record address of 195.83.98.243. (Glue records are
used when the nameserver's name is inside the domain being delegated:
that is, the nameserver vip-in.cloud.lfpw.dsna.fr is within
cloud.lfpw.dsna.fr)
However that nameserver does not respond:
$ dig +norec @195.83.98.243 cloud.lfpw.dsna.fr. soa
; <<>> DiG 9.10.6 <<>> +norec @195.83.98.243 cloud.lfpw.dsna.fr. soa
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
If you delegate a domain to two nameservers, and both of those
nameservers are not responding, then your domain is completely broken.
You must fix at least one of those problems for it to start working; and
preferably fix both of those problems to have some resilience.
I think I will drop out of this thread now. I've tried to explain the
problem three times, and it seems my explanations are not clear enough,
so I will let someone else try. Also, this isn't really a PowerDNS
question, but more one of understanding DNS in general.
Regards,
Brian.
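Brian's three checks (child NS set matching the delegation, A records and glue for in-zone nameservers, at least one delegated server actually answering), as an added example that is not part of the thread: a small offline Python script that applies them to a constructed snapshot of the delegation described above. The 192.0.2.1 address is a documentation placeholder, and the `answers_soa` map stands in for running `dig +norec @addr zone soa` against each server.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Delegation:               # all inputs gathered offline; values below are constructed
    zone: str
    parent_ns: set[str]         # NS names the parent publishes for the zone
    child_ns: set[str]          # NS names at the apex of the child zone itself
    child_a: dict[str, str]     # A records present inside the child zone
    glue: dict[str, str]        # glue A records the parent publishes for in-zone NS names
    ns_addr: dict[str, str]     # address each NS name resolves to (glue for in-zone names)
    answers_soa: dict[str, bool]  # stand-in for "dig +norec @addr zone soa": did it answer?


def in_bailiwick(name: str, zone: str) -> bool:
    # an NS name inside the zone it serves cannot be looked up without glue
    return name == zone or name.endswith("." + zone)


def check_delegation(d: Delegation) -> list[str]:
    """Return the problems found; an empty list means the delegation is sane."""
    problems = []
    # (1) the child's own NS set must match the NS records the parent delegates with
    if d.parent_ns != d.child_ns:
        problems.append(f"NS mismatch: parent {sorted(d.parent_ns)} vs child {sorted(d.child_ns)}")
    # (2) an in-zone NS name needs an A record in the child zone and glue at the parent
    for ns in sorted(d.child_ns):
        if in_bailiwick(ns, d.zone) and ns not in d.child_a:
            problems.append(f"{ns} is inside {d.zone} but has no A record in that zone")
    for ns in sorted(d.parent_ns):
        if in_bailiwick(ns, d.zone) and ns not in d.glue:
            problems.append(f"{ns} needs a glue A record at the parent, none published")
    # (3) at least one delegated server must answer; two are needed for any resilience
    up = [ns for ns in sorted(d.parent_ns) if d.answers_soa.get(d.ns_addr.get(ns, ""))]
    if not up:
        problems.append("no delegated nameserver answers for the zone: completely broken")
    elif len(up) == 1:
        problems.append(f"only {up[0]} answers: no resilience")
    return problems


ZONE, NS1, NS2 = "cloud.lfpw.dsna.fr", "vitre.cena.fr", "vip-in.cloud.lfpw.dsna.fr"
ADDR = {NS1: "192.0.2.1", NS2: "195.83.98.243"}   # 192.0.2.1 is a documentation placeholder
# the situation described above: child NS disagrees, no A for ns.cloud..., nobody answers
BROKEN = Delegation(ZONE, {NS1, NS2}, {"ns." + ZONE}, {}, {NS2: ADDR[NS2]}, ADDR,
                    {ADDR[NS1]: False, ADDR[NS2]: False})
# the same delegation once the records agree and both servers answer for the zone
FIXED = Delegation(ZONE, {NS1, NS2}, {NS1, NS2}, {NS2: ADDR[NS2]}, {NS2: ADDR[NS2]}, ADDR,
                   {ADDR[NS1]: True, ADDR[NS2]: True})
```

Running `check_delegation(BROKEN)` reports the three problems from the mail, while `check_delegation(FIXED)` returns an empty list.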