Hi all! I found out what was missing in my configuration.

I just did not read the documentation properly and did not find the DNSSEC enabling flag:
http://doc.powerdns.com/html/domainmetadata.html

I just added gmysql-dnssec to pdns.conf and restarted the service. AXFR ACLs are working now.

Thank you all who helped.

Best regards,
Margus Kiting

On 19 March 2013 14:05, Ruben d'Arco <[email protected]> wrote:
> Hi,
>
> This is a bit of a guess, but:
> The AUTO-NS feature seems to use a normal getaddrinfo(). This might have a
> different result than you expect on your system.
> Can you check what's in your resolv.conf and see what that replied when
> you ask for dns1.test.com and dns2.test.com?
>
> Regards,
> Ruben
>
> On Tue, Mar 19, 2013 at 01:51:20PM +0200, Margus Kiting wrote:
> > Hi,
> >
> > I'm new to this list and this is the first time I encountered a problem
> > using the PowerDNS authoritative DNS server, so I hope I find a solution for this
> > problem here.
> >
> > The problem is in AXFR per-domain ACLs. They are just not working for me.
> > Below are the configuration and test outputs.
> >
> > Master DNS:  pdns-master 192.168.1.10
> > Slave DNS:   pdns-slave  192.168.1.11
> > Test server: pdns-test   192.168.1.13
> >
> > PowerDNS Version 3.2, compiled on Mar 12 2013, 10:19:57 with gcc version
> > 4.1.2 20080704 (Red Hat 4.1.2-51)
> >
> > pdns-master pdns.conf:
> >
> > setuid=daemon
> > setgid=daemon
> > cache-ttl=60
> > daemon=yes
> > disable-tcp=no
> > distributor-threads=10
> >
> > launch=gmysql
> > gmysql-host=127.0.0.1
> > gmysql-user=powerdns
> > gmysql-password=password
> > gmysql-dbname=powerdns
> > logging-facility=1
> > loglevel=4
> > master=yes
> > query-cache-ttl=60
> > recursive-cache-ttl=60
> > recursor=127.0.0.1
> > query-local-address6=
> >
> > NB! recursor is not running.
> >
> > pdns-master mysql information:
> >
> > mysql> select * from domains;
> > id  name      master  last_check  type    notified_serial  account
> > 1   test.com  NULL    NULL        MASTER  1363693953       NULL
> >
> > mysql> select * from records;
> > id  domain_id  name           type  content                              ttl    prio  change_date  ordername  auth
> > 1   1          test.com       SOA   dns1.test.com [email protected] 0  86400  NULL  NULL         NULL       NULL
> > 2   1          test.com       NS    dns1.test.com                        86400  NULL  1363693952   NULL       NULL
> > 3   1          test.com       NS    dns2.test.com                        86400  NULL  1363693952   NULL       NULL
> > 4   1          www.test.com   A     192.168.1.12                         120    NULL  1363693952   NULL       NULL
> > 5   1          mail.test.com  A     192.168.1.12                         120    NULL  1363693952   NULL       NULL
> > 6   1          dns1.test.com  A     192.168.1.11                         120    NULL  1363693952   NULL       NULL
> > 7   1          dns2.test.com  A     192.168.1.10                         120    NULL  1363693952   NULL       NULL
> > 8   1          test.com       MX    mail.test.com                        120    25    1363693953   NULL       NULL
> >
> > mysql> select * from domainmetadata;
> > id  domain_id  kind             content
> > 1   1          ALLOW-AXFR-FROM  AUTO-NS
> >
> > AXFR queries should be allowed only from servers which are in the
> > test.com domain NS records.
> > I will AXFR query from pdns-slave, which has IP 192.168.1.11 and is
> > configured as an NS record in the test.com domain, and it should get a correct
> > AXFR query answer.
> > I also try an AXFR query from pdns-test, which has IP 192.168.1.12 and is
> > not configured as an NS record in the test.com domain, and this server should
> > get a transfer failure message from the pdns-master server. The powerdns daemon is
> > running with the monitor flag, which gives debug output from the server's side.
> >
> > AXFR query from the pdns-slave 192.168.1.11 server:
> >
> > [root@pdns-slave ~]# dig axfr test.com @192.168.1.10
> >
> > ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> axfr test.com @192.168.1.10
> > ;; global options: printcmd
> > test.com.       86400  IN  SOA  dns1.test.com. root.test.com. 1363693953 10800 3600 604800 3600
> > test.com.       86400  IN  NS   dns1.test.com.
> > test.com.       86400  IN  NS   dns2.test.com.
> > www.test.com.   120    IN  A    192.168.1.12
> > mail.test.com.  120    IN  A    192.168.1.12
> > dns1.test.com.  120    IN  A    192.168.1.11
> > dns2.test.com.  120    IN  A    192.168.1.10
> > test.com.       120    IN  MX   25 mail.test.com.
> > test.com.       86400  IN  SOA  dns1.test.com. root.test.com. 1363693953 10800 3600 604800 3600
> > ;; Query time: 12 msec
> > ;; SERVER: 192.168.1.10#53(192.168.1.10)
> > ;; WHEN: Tue Mar 19 13:24:06 2013
> > ;; XFR size: 9 records (messages 3)
> >
> > PowerDNS log output on the pdns-master server:
> >
> > Mar 19 13:24:06 AXFR of domain 'test.com' initiated by 192.168.1.11
> > Mar 19 13:24:06 AXFR of domain 'test.com' allowed: client IP 192.168.1.11 is in allow-axfr-ips
> > Mar 19 13:24:06 gmysql Connection successful
> > Mar 19 13:24:06 gmysql Connection successful
> > Mar 19 13:24:06 AXFR of domain 'test.com' to 192.168.1.11 finished
> >
> > AXFR query from the pdns-test 192.168.1.12 server:
> >
> > [root@pdns-test ~]# dig axfr test.com @192.168.1.10
> >
> > ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> axfr test.com @192.168.1.10
> > ;; global options: printcmd
> > test.com.       86400  IN  SOA  dns1.test.com. root.test.com. 1363693953 10800 3600 604800 3600
> > test.com.       86400  IN  NS   dns1.test.com.
> > test.com.       86400  IN  NS   dns2.test.com.
> > www.test.com.   120    IN  A    192.168.1.12
> > mail.test.com.  120    IN  A    192.168.1.12
> > dns1.test.com.  120    IN  A    192.168.1.11
> > dns2.test.com.  120    IN  A    192.168.1.10
> > test.com.       120    IN  MX   25 mail.test.com.
> > test.com.       86400  IN  SOA  dns1.test.com. root.test.com. 1363693953 10800 3600 604800 3600
> > ;; Query time: 17 msec
> > ;; SERVER: 192.168.1.10#53(192.168.1.10)
> > ;; WHEN: Tue Mar 19 13:25:50 2013
> > ;; XFR size: 9 records (messages 3)
> >
> > PowerDNS log output on the pdns-master server:
> >
> > Mar 19 13:25:50 AXFR of domain 'test.com' initiated by 192.168.1.12
> > Mar 19 13:25:50 AXFR of domain 'test.com' allowed: client IP 192.168.1.12 is in allow-axfr-ips
> > Mar 19 13:25:50 gmysql Connection successful
> > Mar 19 13:25:50 gmysql Connection successful
> > Mar 19 13:25:50 AXFR of domain 'test.com' to 192.168.1.12 finished
> >
> > As seen from above, AXFR ACLs per domain are not working. Am I missing some
> > configuration or am I doing something very wrong?
> > Please help.
> >
> > NB! English is not my native language, so apologies if there are mistakes.
> >
> > Thanks in advance!
> > Margus Kiting
_______________________________________________ Pdns-users mailing list [email protected] http://mailman.powerdns.com/mailman/listinfo/pdns-users
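The thread turns on two points a defender would want to check mechanically: how an ALLOW-AXFR-FROM list with AUTO-NS is evaluated (the NS names of the zone are resolved with the system resolver, as Ruben notes, and the client must match one of the resulting addresses or a CIDR entry), and how to notice from the server log that a per-zone ACL is not actually in effect (a transfer to a host outside the list "finished"). The following Python script is an added example and is not PowerDNS code or the thread's own; it models that ACL evaluation and runs an audit over log lines constructed from the messages above. The resolver is injected so the script runs offline, and `ZONE_NS`, `FAKE_DNS`, `LOG_LINES` and all function names are assumptions made for this example.

```python
"""Model of a per-zone AXFR ACL (ALLOW-AXFR-FROM with CIDRs or AUTO-NS) plus a
log audit that flags completed zone transfers to clients the ACL would reject.

Added example, not PowerDNS code. NS names, addresses and log lines are
constructed from the thread above; the resolver is injectable for offline use.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Tuple

Resolver = Callable[[str], List[str]]

# Constructed: the NS records of test.com and the A records they point to.
ZONE_NS: Dict[str, List[str]] = {
    "test.com": ["dns1.test.com", "dns2.test.com"],
}
FAKE_DNS: Dict[str, List[str]] = {
    "dns1.test.com": ["192.168.1.11"],
    "dns2.test.com": ["192.168.1.10"],
}


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in for the system resolver."""
    return FAKE_DNS.get(name, [])


def system_resolver(name: str) -> List[str]:
    """Real getaddrinfo() lookup: the answer depends on resolv.conf, which is
    exactly why AUTO-NS can behave differently from host to host."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def auto_ns_addresses(zone: str, resolver: Resolver) -> List[str]:
    """Expand AUTO-NS: resolve every NS name of the zone to its addresses."""
    addrs: List[str] = []
    for ns in ZONE_NS.get(zone, []):
        addrs.extend(resolver(ns))
    return addrs


def axfr_allowed(zone: str, client_ip: str, allow_from: Iterable[str],
                 resolver: Resolver = fake_resolver) -> bool:
    """Evaluate an ALLOW-AXFR-FROM list: CIDR entries match by network, and the
    keyword AUTO-NS matches the resolved addresses of the zone's NS records.
    Anything not matched is denied (empty list means nobody may transfer)."""
    client = ipaddress.ip_address(client_ip)
    for entry in allow_from:
        if entry == "AUTO-NS":
            if any(ipaddress.ip_address(a) == client
                   for a in auto_ns_addresses(zone, resolver)):
                return True
        elif client in ipaddress.ip_network(entry, strict=False):
            return True
    return False


# Constructed from the thread: the two transfers the master completed.
LOG_LINES = [
    "Mar 19 13:24:06 AXFR of domain 'test.com' initiated by 192.168.1.11",
    "Mar 19 13:24:06 AXFR of domain 'test.com' to 192.168.1.11 finished",
    "Mar 19 13:25:50 AXFR of domain 'test.com' initiated by 192.168.1.12",
    "Mar 19 13:25:50 AXFR of domain 'test.com' to 192.168.1.12 finished",
]
FINISHED_RE = re.compile(
    r"AXFR of domain '(?P<zone>[^']+)' to (?P<ip>[0-9a-fA-F.:]+) finished")


def audit_axfr_log(lines: Iterable[str], zone_acl: Dict[str, List[str]],
                   resolver: Resolver = fake_resolver) -> List[Tuple[str, str]]:
    """Return (zone, client) pairs for completed transfers that the intended
    per-zone ACL would not have permitted: the signal that the ACL is not
    actually being enforced by the server."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        m = FINISHED_RE.search(line)
        if not m:
            continue
        zone, ip = m.group("zone"), m.group("ip")
        if not axfr_allowed(zone, ip, zone_acl.get(zone, []), resolver):
            findings.append((zone, ip))
    return findings


if __name__ == "__main__":
    intended_acl = {"test.com": ["AUTO-NS"]}
    for zone, ip in audit_axfr_log(LOG_LINES, intended_acl):
        print(f"unexpected completed AXFR of {zone} to {ip}")
```

Run against the thread's log lines with the intended `AUTO-NS` policy, the audit reports the transfer to 192.168.1.12, which is the symptom the original post describes. Passing `system_resolver` instead of `fake_resolver` reproduces what the daemon itself would see for the NS names on a given host, which is the check Ruben suggested.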
