Firstly, thank you, Bert, for coming to UKNOF34 and presenting on dnsdist and powerdns. Really interesting and useful technology.
And for that reason I've been testing out whether powerdns would be a good fit to replace our scripted BIND servers that do authoritative and DNSSEC.

The idea is to have:

    supermaster -> DNSSEC front-signing slave acting as master to -> cluster of authoritative slaves

So with that in mind, on "signer" - our "slave+master in the middle" - we have:

>  id | domain_id |       kind       |      content
> ----+-----------+------------------+--------------------------
>   1 |           | TSIG-ALLOW-AXFR  | keynamegoeshere
>   2 |           | AXFR-MASTER-TSIG | keynamegoeshere

And so we run this on our "slave+master in the middle":

> root@signer> pdns_control notify-host example.com 46.227.X.Y

But the "cluster of authoritative slaves" gets this:

> May  8 17:41:01 adns0 named[1701]: zone example.com/IN: Transfer started.
> May  8 17:41:01 adns0 named[1701]: transfer of 'example.com/IN' from 185.134.X.Y#53: connected using 46.227.X.Y#38039
> May  8 17:41:01 adns0 named[1701]: transfer of 'example.com/IN' from 185.134.X.Y#53: failed while receiving responses: NOTAUTH
> May  8 17:41:01 adns0 named[1701]: transfer of 'example.com/IN' from 185.134.X.Y#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.036 secs (0 bytes/sec)

And on our "slave+master in the middle":

> May  8 16:41:01 signer pdns_server[21104]: May 08 16:41:01 AXFR 'example.com.' denied: key with name 'keynamegoeshere.' and algorithm 'hmac-md5.sig-alg.reg.int.' does not grant access to zone
> May  8 16:41:01 signer pdns_server[21104]: May 08 16:41:01 AXFR of domain 'example.com.' failed: 46.227.X.Y cannot request AXFR
> May  8 16:41:04 signer pdns[21114]: Received serial number updates for 0 zones, had 1 timeouts

However, if we add a specific entry into the slave+master in the middle:

>  id | domain_id |       kind       |      content
> ----+-----------+------------------+--------------------------
>   5 |        12 | TSIG-ALLOW-AXFR  | keynamegoeshere

...then the transfer proceeds perfectly:

> May  8 17:42:09 adns0 named[1701]: client 185.134.X.Y#18063: received notify for zone 'example.com': TSIG 'keynamegoeshere'
> May  8 17:42:09 adns0 named[1701]: zone example.com/IN: Transfer started.
> May  8 17:42:09 adns0 named[1701]: transfer of 'example.com/IN' from 185.134.X.Y#53: connected using 46.227.X.Y#55071
> May  8 17:42:09 adns0 named[1701]: zone example.com/IN: transferred serial 2016050812: TSIG 'keynamegoeshere'
> May  8 17:42:09 adns0 named[1701]: transfer of 'example.com/IN' from 185.134.X.Y#53: Transfer completed: 3 messages, 13 records, 723 bytes, 0.143 secs (5055 bytes/sec)
> May  8 17:42:09 adns0 named[1701]: zone example.com/IN: sending notifies (serial 2016050812)

The problem here is that - for a TSIG AXFR - every domain needs to have an entry in the domainmetadata table. But some things seem to work OK because they seem to pick the row with a null domain_id and use that key.

Is a null domain_id meant to be supported as a "default" for metadata? Or do we have to copy across some domainmetadata to our DNSSEC front-signing server so that all the transfers will work correctly?

OS: Debian jessie amd64
powerdns: 4.0.0~alpha2-1pdns.jessie
backend-pgsql: 4.0.0~alpha2-1pdns.jessie (with gpgsql-dnssec=yes)

Kind regards,
Marek Isalski
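The workaround the post arrives at (a per-zone TSIG-ALLOW-AXFR row for every domain) can be audited and applied in one pass on the signer's database. This is an added example, not from the post or the PowerDNS project; it assumes the standard PowerDNS gpgsql schema with domains(id, name) and domainmetadata(id, domain_id, kind, content), and it treats the author's NULL-domain_id row as the "default" to copy from, so the key name itself never has to be typed into the statements.

```sql
-- Added example (not from the original post). Assumes the standard
-- PowerDNS PostgreSQL schema: domains(id, name) and
-- domainmetadata(id, domain_id, kind, content).
-- The "default" rows are the ones the post created with a NULL domain_id.

-- 1. Audit: zones that have no per-zone TSIG-ALLOW-AXFR row for a key that
--    exists as a NULL-domain_id default. A TSIG-signed AXFR for any zone
--    listed here is refused with "does not grant access to zone".
SELECT d.id, d.name, g.content AS missing_key
  FROM domains d
  CROSS JOIN (SELECT kind, content
                FROM domainmetadata
               WHERE domain_id IS NULL
                 AND kind = 'TSIG-ALLOW-AXFR') g
 WHERE NOT EXISTS (SELECT 1
                     FROM domainmetadata m
                    WHERE m.domain_id = d.id
                      AND m.kind      = g.kind
                      AND m.content   = g.content)
 ORDER BY d.name;

-- 2. Fix: copy each default key into a per-zone row for every zone that
--    lacks it. Idempotent: re-running inserts nothing once all zones have it.
INSERT INTO domainmetadata (domain_id, kind, content)
SELECT d.id, g.kind, g.content
  FROM domains d
  CROSS JOIN (SELECT kind, content
                FROM domainmetadata
               WHERE domain_id IS NULL
                 AND kind = 'TSIG-ALLOW-AXFR') g
 WHERE NOT EXISTS (SELECT 1
                     FROM domainmetadata m
                    WHERE m.domain_id = d.id
                      AND m.kind      = g.kind
                      AND m.content   = g.content);

-- 3. Verify: every zone should now count once in zones_with_key.
SELECT count(DISTINCT d.id) AS zones_total,
       count(DISTINCT m.domain_id) AS zones_with_key
  FROM domains d
  LEFT JOIN domainmetadata m
         ON m.domain_id = d.id
        AND m.kind = 'TSIG-ALLOW-AXFR';
```

Run step 1 first on the signer (inside a transaction if you want to inspect before committing); the same pattern works for AXFR-MASTER-TSIG if those defaults also turn out not to be honoured.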
