[Pdns-users] DnsDist and secondary pdns auth
Badli Al Rashid
badlialrashid at outlook.com
Tue Apr 18 23:15:40 UTC 2023
Hi All,
For bind9 as primary, I solved it by entering the option allow-axfr-ips. When I checked, the primary replicated to the secondary PowerDNS running with the bind backend.
Now I'm left with PowerDNS as primary to bind9 as secondary, with "NO AUTH" in the logs.
Regards,
-badli
________________________________
From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> on behalf of Alessandro Caselli via Pdns-users <pdns-users at mailman.powerdns.com>
Sent: Tuesday, April 18, 2023, 22:46
To: pdns-users at mailman.powerdns.com <pdns-users at mailman.powerdns.com>
Subject: [Pdns-users] DnsDist and secondary pdns auth
Hello,
I'm trying to install an infrastructure with a dnsdist frontend and a
pdns authoritative backend, and I have a problem with the secondary zones.
Please note that this environment could be used as a secondary server for
some zones and as a primary server for other zones.
I've already activated ECS EDNS on both pdns and dnsdist, and I can see
the source IP on the backend, but pdns seems to ignore it. Am I missing
some settings?
--
Test Environment
dnsdist and pdns-auth are on the same server on different ports (in a
real environment these should be separated, but I think the problem would
be the same).
dnsdist: 10.0.0.1 port 53
pdns-auth: 10.0.0.1 port 5301
External primary server: server1 192.168.1.1 (in a real environment this
could be out of my control)
- Relevant config on dnsdist:
-- setECSSourcePrefixV4 is a global setting, so it is called on its own
-- rather than inside the newServer() table where it was originally placed
setECSSourcePrefixV4(32)
newServer({address="127.0.0.1:5301", useClientSubnet=true, name="be1",
           pool={"primary", "otherpool"}})
-- ECSPrefixLengthAction takes both the IPv4 and the IPv6 prefix length
addAction(AllRule(), ECSPrefixLengthAction(32, 128))
addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}),
          SetSkipCacheAction())
addAction(AndRule({OpcodeRule(DNSOpcode.Notify),
                   NotRule(makeRule("192.168.1.1"))}), RCodeAction(DNSRCode.REFUSED))
addAction(OrRule({QTypeRule(DNSQType.SOA), QTypeRule(DNSQType.AXFR),
                  OpcodeRule(DNSOpcode.Notify), QTypeRule(DNSQType.IXFR)}),
          PoolAction("primary"))
addAction(OpcodeRule(DNSOpcode.Notify), SetSkipCacheAction())
- Relevant config on pdns:
allow-axfr-ips=192.168.1.1
allow-dnsupdate-from=192.168.1.1
allow-notify-from=192.168.1.1/32,127.0.0.1,192.168.1.1
edns-subnet-processing=yes
autosecondary=yes
secondary=yes
In the pdns log I can see the source address:
Apr 18 14:22:11 mydnsserver pdns_server[2315325]: Received NOTIFY for
testslavezone.com from 127.0.0.1<-192.168.1.1/32
The problem is that pdns seems to ignore the source address.
When the master address of the zone is:
+-------------------+-------------+-------+
| name              | master      | type  |
+-------------------+-------------+-------+
| provaslavedns.com | 192.168.1.1 | SLAVE |
+-------------------+-------------+-------+
in the log I can see:
Apr 18 14:22:11 mydnsserver pdns_server[2315325]: Received NOTIFY for
testslavezone.com from 127.0.0.1<-192.168.1.1/32
Apr 18 14:22:11 mydnsserver pdns_server[2315325]: Received NOTIFY for
testslavezone.com from 127.0.0.1<-192.168.1.1/32 which is not a master
(Refused)
I've also tried with the CIDR on the master:
+-------------------+----------------+-------+
| name              | master         | type  |
+-------------------+----------------+-------+
| provaslavedns.com | 192.168.1.1/32 | SLAVE |
+-------------------+----------------+-------+
but it doesn't seem to be supported:
Apr 18 14:29:31 mydnsserver pdns_server[2315325]: Received NOTIFY for
testslavezone.com from 127.0.0.1<-192.168.1.1/32
Apr 18 14:29:31 mydnsserver pdns_server[2315325]: Backend reported
permanent error which prevented lookup (Unable to convert presentation
address '192.168.1.1/32'), aborting
When the zone is configured with both the master and localhost as master
addresses:
+-------------------+------------------------+-------+
| name              | master                 | type  |
+-------------------+------------------------+-------+
| provaslavedns.com | 192.168.1.1, 127.0.0.1 | SLAVE |
+-------------------+------------------------+-------+
the zone doesn't refresh after a notification:
Apr 18 14:38:26 mydnsserver pdns_server[2326542]: Received NOTIFY for
testslavezone.com from 127.0.0.1<-192.168.1.1/32
Apr 18 14:38:26 mydnsserver pdns_server[2326542]: Received NOTIFY for
testslavezone.com from 127.0.0.1<-192.168.1.1/32 - queueing check
Apr 18 14:38:27 mydnsserver pdns_server[2326542]: Got NOTIFY for
testslavezone.com, going to check SOA serial
Apr 18 14:38:27 mydnsserver pdns_server[2326542]: 1 slave domain needs
checking, 0 queued for AXFR
Apr 18 14:38:27 mydnsserver pdns_server[2326542]: Received serial
number updates for 1 zone
Apr 18 14:38:27 mydnsserver pdns_server[2326542]: Domain
'testslavezone.com' is fresh (no DNSSEC), serial is 14 (checked master
127.0.0.1)
The updated serial is 15:
root at mydnsserver:~# dig testslavezone.com SOA @192.168.1.1 +short
mymaster.mydns.com. hostmaster.mydns.com. 15 86400 7200 2592000 86400
_______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
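The message above hinges on where the real sender's address ends up when dnsdist forwards a NOTIFY with EDNS Client Subnet: in the OPT record, not in the IP header the backend authorizes on. The following is an added example, not code from the thread and not PowerDNS or dnsdist code. It builds a NOTIFY carrying an ECS option, parses it back out, and models source-based authorization the way the quoted log lines suggest it works. The zone, addresses and message id are constructed, and authorize_notify() is an assumed model inferred from those log lines, not PowerDNS's actual implementation.

```python
"""Added example (not from the thread or from PowerDNS/dnsdist): build and
parse a DNS NOTIFY that carries an EDNS Client Subnet (ECS) option, the way
a proxy forwards the real sender's address to a backend.

All values (zone, addresses, message id) are constructed for illustration.
"""
import ipaddress
import struct
from typing import Optional

OPCODE_NOTIFY = 4       # RFC 1996
QTYPE_SOA = 6
RRTYPE_OPT = 41         # RFC 6891
EDNS_OPTION_ECS = 8     # RFC 7871


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read an uncompressed name; returns (name, offset after the name)."""
    labels = []
    while msg[off] != 0:
        ln = msg[off]
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels) + ".", off + 1


def build_ecs_option(client: str, prefix: int) -> bytes:
    """ECS option: family, source prefix, scope prefix, truncated address.
    Bits beyond the prefix are zeroed, as RFC 7871 requires."""
    net = ipaddress.ip_network(f"{client}/{prefix}", strict=False)
    family = 1 if net.version == 4 else 2
    addr_bytes = net.network_address.packed[:(prefix + 7) // 8]
    data = struct.pack("!HBB", family, prefix, 0) + addr_bytes
    return struct.pack("!HH", EDNS_OPTION_ECS, len(data)) + data


def build_notify(zone: str, client: str, prefix: int, msg_id: int = 0x1234) -> bytes:
    """NOTIFY (opcode 4, AA set) for `zone` with one OPT RR carrying ECS."""
    flags = (OPCODE_NOTIFY << 11) | 0x0400
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_SOA, 1)
    rdata = build_ecs_option(client, prefix)
    # OPT RR: root owner, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, 1232, 0, len(rdata)) + rdata
    return header + question + opt


def parse_notify(msg: bytes) -> dict:
    """Return opcode, zone, qtype and the ECS client network (or None).
    Assumes a NOTIFY shape: one question, no answer/authority records."""
    _id, flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    zone, off = decode_name(msg, off)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    info = {"opcode": (flags >> 11) & 0xF, "zone": zone, "qtype": qtype, "ecs": None}
    for _ in range(arcount):
        _owner, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != RRTYPE_OPT:
            continue
        pos = 0
        while pos < len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            odata = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == EDNS_OPTION_ECS:
                family, src_len, _scope = struct.unpack("!HBB", odata[:4])
                width = 4 if family == 1 else 16
                raw = odata[4:].ljust(width, b"\x00")   # pad truncated address
                info["ecs"] = f"{ipaddress.ip_address(raw)}/{src_len}"
    return info


def authorize_notify(transport_src: str, masters, ecs: Optional[str]) -> dict:
    """Assumed model of source-based NOTIFY authorization, inferred from the
    log lines in the thread (not PowerDNS's actual code): only the
    transport-layer source is compared with the zone's master list; the
    ECS-carried client address is logged but not consulted, and a later
    SOA check goes to the master that matched."""
    seen = transport_src + (f"<-{ecs}" if ecs else "")
    accepted = transport_src in masters
    return {"seen": seen, "accepted": accepted,
            "check_master": transport_src if accepted else None}


if __name__ == "__main__":
    wire = build_notify("testslavezone.com", "192.168.1.1", 32)
    parsed = parse_notify(wire)
    print(parsed)
    # The backend sees the proxy (127.0.0.1) on the wire; 192.168.1.1 is only in ECS.
    print(authorize_notify("127.0.0.1", ["192.168.1.1"], parsed["ecs"]))
    print(authorize_notify("127.0.0.1", ["192.168.1.1", "127.0.0.1"], parsed["ecs"]))
```

Running the block reproduces both situations from the thread: with only 192.168.1.1 as master the NOTIFY from the proxy is refused, and with 127.0.0.1 added it is accepted but the follow-up SOA check is directed at 127.0.0.1, the address that matched, rather than at the real primary carried in ECS.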