[Pdns-users] RFC2136 updates

Gert van Dijk pdns-users at gertvandijk.nl
Sun Jun 26 20:17:39 UTC 2022


Hi Walter,

I believe you may be missing the 'NOTIFY-DNSUPDATE' domain meta setting. [1]
Note that 'dnsupdate' is a different and global setting; whether or not 
to enable the support for dynamic updates overall on the instance. [2]

What is the backend that you use for the dynamic zone?
In my case I have a small scale setup using SQLite on a hidden master 
and I used these queries (taken from notes years ago) to enable notify 
updates to secondary servers (running a possibly different backend).

$ sqlite3 /path/to/my/sqlite3.db
sqlite> update domains set type='MASTER' where name='dyn.zone.tld';
sqlite> insert into domainmetadata(domain_id, kind, content)
          values((select id from domains where name='dyn.zone.tld'),
                 'SOA-EDIT-DNSUPDATE', 'SOA-EDIT-INCREASE');
sqlite> insert into domainmetadata(domain_id, kind, content)
          values((select id from domains where name='dyn.zone.tld'),
                 'NOTIFY-DNSUPDATE', '1');

Likely unrelated, but just wanted to note the following. I ran into zone 
caching issues on the secondaries side ever since upgrading to 4.5 and 
still happening for me on 4.6, complaining about the domain SOA being 
out of date. Still have to investigate that further and perhaps file an 
issue, but my current workaround for that is setting this on the primary 
server:

zone-cache-refresh-interval=0
zone-metadata-cache-ttl=0

... which is fine for a small scale setup like mine. You may not run 
into the same issue, though. :-)

HTH

Gert

[1]: https://doc.powerdns.com/authoritative/dnsupdate.html#notify-dnsupdate
[2]: https://doc.powerdns.com/authoritative/dnsupdate.html#dnsupdate

On 6/26/22 19:44, Walter Parker via Pdns-users wrote:
> Hi,
> 
> I have a PowerDNS server with Dynamic Updates (RFC2136 enabled) and it 
> is not pushing the updates to the secondaries.
> 
> I have allow-axfr-ips set to allow the IP addresses of the secondaries 
> and also-notify set to IP addresses of the notification servers.
> 
> I have allow-dnsupdate-from set to the IP subnet where the request is 
> coming from. I have dnsupdate set to true.
> 
> When I run acme.sh, I see the update request come in (UPDATE (18591) 
> from 66.113.99.184 for chaosdynamics.com: TSIG is provided, but domain 
> is not secured with TSIG. Processing continues) but I don't see the 
> notification queue message or the AXFR messages.
> 
> When I run a notify manually, I see them (logs below).
> What did I miss to get dynamic DNS updates to be transferred to the 
> secondary servers?
> 
> Jun 26 10:39:02 natasha pdns[65543]: Notification request for domain 'chaosdynamics.com' received from operator
> Jun 26 10:39:02 natasha pdns[65543]: Queued notification of domain 'chaosdynamics.com' to 208.80.126.13:53
> Jun 26 10:39:02 natasha pdns[65543]: Queued notification of domain 'chaosdynamics.com' to 208.94.148.13:53
> Jun 26 10:39:03 natasha pdns[65543]: IXFR of domain 'chaosdynamics.com' initiated by 208.94.150.198:61335 with serial 2022062505
> Jun 26 10:39:03 natasha pdns[65543]: AXFR of domain 'chaosdynamics.com' allowed: client IP 208.94.150.198:61335 is in allow-axfr-ips
> Jun 26 10:39:03 natasha pdns[65543]: IXFR of domain 'chaosdynamics.com' initiated by 208.94.147.135:48779 with serial 2022062505
> Jun 26 10:39:03 natasha pdns[65543]: AXFR of domain 'chaosdynamics.com' allowed: client IP 208.94.147.135:48779 is in allow-axfr-ips
> Jun 26 10:39:03 natasha pdns[65543]: IXFR fallback to AXFR for domain 'chaosdynamics.com' our serial 2022062606
> Jun 26 10:39:03 natasha pdns[65543]: AXFR of domain 'chaosdynamics.com' initiated by 208.94.150.198:61335
> Jun 26 10:39:03 natasha pdns[65543]: AXFR of domain 'chaosdynamics.com' allowed: client IP 208.94.150.198:61335 is in allow-axfr-ips
> 
> -- 
> The greatest dangers to liberty lurk in insidious encroachment by men of 
> zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
> 


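An added example, not part of the original message and not PowerDNS code: a Python check of the zone settings the reply sets, plus a re-runnable form of its three statements (the plain INSERTs add another metadata row every time they are run). The two-table schema and the zone row are constructed for the demo; TSIG-ALLOW-DNSUPDATE is a metadata kind from the PowerDNS DNS update documentation, not from this thread, and its absence corresponds to the "domain is not secured with TSIG" log line quoted above.

```python
import sqlite3

# Constructed, minimal subset of the gsqlite3 tables the reply's queries touch.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT UNIQUE, type TEXT);
CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY, domain_id INT, kind TEXT, content TEXT);
"""
ZONE_ID = "(SELECT id FROM domains WHERE name = ?)"

def audit(db, zone):
    """List what is missing for dynamic updates to reach the secondaries."""
    row = db.execute("SELECT type FROM domains WHERE name = ?", (zone,)).fetchone()
    if row is None:
        return ["zone not in domains table"]
    meta = {}
    for kind, content in db.execute(
            f"SELECT kind, content FROM domainmetadata WHERE domain_id = {ZONE_ID}",
            (zone,)):
        meta.setdefault(kind, []).append(content)
    issues = []
    if row[0] != "MASTER":  # the type the reply sets
        issues.append(f"type is {row[0]!r}, not 'MASTER'")
    if meta.get("NOTIFY-DNSUPDATE") != ["1"]:
        issues.append("NOTIFY-DNSUPDATE is not '1'")
    if "SOA-EDIT-DNSUPDATE" not in meta:
        issues.append("SOA-EDIT-DNSUPDATE unset")
    if "TSIG-ALLOW-DNSUPDATE" not in meta:
        issues.append("TSIG-ALLOW-DNSUPDATE unset: updates not tied to a TSIG key")
    return issues

def apply_reply_settings(db, zone):
    """Apply the reply's three statements; safe to re-run (no duplicate rows)."""
    db.execute("UPDATE domains SET type = 'MASTER' WHERE name = ?", (zone,))
    for kind, content in (("SOA-EDIT-DNSUPDATE", "SOA-EDIT-INCREASE"),
                          ("NOTIFY-DNSUPDATE", "1")):
        db.execute(f"DELETE FROM domainmetadata WHERE kind = ? AND domain_id = {ZONE_ID}",
                   (kind, zone))
        db.execute("INSERT INTO domainmetadata (domain_id, kind, content) "
                   "SELECT id, ?, ? FROM domains WHERE name = ?", (kind, content, zone))
    db.commit()

def demo():
    """Audit a constructed in-memory zone before and after applying the settings."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO domains (name, type) VALUES ('dyn.zone.tld', 'NATIVE')")
    before = audit(db, "dyn.zone.tld")
    for _ in range(2):  # second run must not add duplicate metadata rows
        apply_reply_settings(db, "dyn.zone.tld")
    return before, audit(db, "dyn.zone.tld"), db
```

Against a real database, pass `sqlite3.connect("/path/to/my/sqlite3.db")` to `audit()` first and review its findings before calling `apply_reply_settings()`.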