Hi
Maybe I did not understand correctly, but the AXFR zone transfer from primary to
secondary should not be routed via DNSdist. From my point of view, it makes no
sense.

Cheers


On Tue. 7. June 2022 10:02 CEST, Lucas Rolff via dnsdist 
<dnsdist@mailman.powerdns.com> wrote:
   Hi guys, I want to gather DNS query information from my powerdns setup, and
since powerdns doesn’t support dnstap it means deploying dnsdist in front of
powerdns. My powerdns setup has a hidden primary that cannot be queried from
the outside except by a small number of IPs, and transfers from the primary to the
secondary are done via AXFR and NOTIFY.

Now, the issue is that when I put dnsdist in front of powerdns, the NOTIFY calls
obviously end up at dnsdist instead of powerdns, and dnsdist then passes on the
NOTIFY call to powerdns running on localhost port 5300. Per the documentation in
https://dnsdist.org/advanced/axfr.html I’ve used the last “addAction” to check
if NOTIFY calls come from the hidden primary, and I’ve put 127.0.0.1 in the
trusted-notification-proxy setting in PowerDNS. When NOTIFY calls arrive, the
secondary tries to do a SOA check to 127.0.0.1 instead of the actual hidden
primary, and I end up with:

```
Jun  4 09:10:30 ns1 pdns_server[789]: Received NOTIFY for my  domain.com from 127.0.0.1:33941 for which we are not authoritative, trying supermaster
Jun  4 09:10:30 ns1 pdns_server[789]: Error resolving SOA or NS for domain.com at: 127.0.0.1: Query to '127.0.0.1' for SOA of domain.com' produced no answers
```

Now, I could do another action that would redirect SOA, AXFR and IXFR to the
primary, but ideally I don’t want that if a random client decides to do
`dig mydomain.com SOA @ns1.dnsserver.com` those queries are then redirected to
the hidden primary. Is there any way to solve this?

I’d somehow have expected that the SOA query would happen towards the “real”
primary that sends the NOTIFY call when trusted-notification-proxy is set, but
that doesn’t seem to be the case. In all honesty, I’m not sure whether I have to
fix something in dnsdist or powerdns, but considering I only face the issue when
running dnsdist, I’m using this mailing-list.

My end goal is that my secondaries can get updates and new zones added correctly
even when dnsdist is in front, and at the same time not open up for SOA being
redirected to the hidden primary for normal DNS clients querying the secondaries.
Does anyone have pointers on what could be done in this case? Thanks in advance,
and thanks for an awesome piece of software :)
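An added dnsdist configuration illustrating the rules the question refers to; it is not the poster's config nor an example from the dnsdist project. It assumes the hidden primary sits at 192.0.2.10 (placeholder) and the secondary's PowerDNS backend is 127.0.0.1:5300 as in the post: NOTIFY is accepted only from the hidden primary, zone-transfer requests arriving at dnsdist are refused, and SOA lookups from ordinary clients are answered by the secondary rather than forwarded anywhere.

```lua
-- Added example, not the poster's or dnsdist's own configuration.
-- Assumed addresses: hidden primary 192.0.2.10 (placeholder),
-- secondary backend PowerDNS on 127.0.0.1:5300 (from the post).
setLocal("0.0.0.0:53")
newServer({address = "127.0.0.1:5300"})

-- Only the hidden primary is allowed to send NOTIFY through dnsdist.
local hiddenPrimary = newNMG()
hiddenPrimary:addMask("192.0.2.10/32")

-- NOTIFY from the hidden primary: stop rule processing and let it reach
-- the backend secondary on 127.0.0.1:5300.
addAction(AndRule({OpcodeRule(DNSOpcode.Notify),
                   NetmaskGroupRule(hiddenPrimary)}),
          AllowAction())

-- NOTIFY from any other source is refused before it reaches PowerDNS,
-- so the backend never sees unsolicited notifications relayed by dnsdist.
addAction(OpcodeRule(DNSOpcode.Notify), RCodeAction(DNSRCode.REFUSED))

-- Zone transfers are refused at dnsdist: the secondary pulls AXFR/IXFR
-- from the primary directly, and outside clients get REFUSED here.
addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}),
          RCodeAction(DNSRCode.REFUSED))

-- Everything else, including SOA queries from ordinary clients, falls
-- through to the default pool (the secondary); no rule above forwards
-- any query type to the hidden primary.
```

Load it with `dnsdist -C <file> --check-config` before deploying; the rule order matters, since the first matching action wins.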

_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist