Sorry, my mistake; it turns out I hadn't in fact successfully tried gpgsql-dnssec - including that in my pdns.conf worked like a charm.

Thanks again,
David

On Thu Mar 13, 03:55pm -0400, David B Harris wrote:
> Good afternoon all,
>
> I'm deploying PowerDNS for the first time. We needed a simple standalone
> web interface for robust/fatfinger-free and easy editing of our zones.
> Our configuration is/will be:
>
>   1. A single hidden PowerDNS 3.3.1 master
>   2. Two public slaves we control (running PowerDNS 3.3.1 with the
>      hidden master configured as supermaster)
>   3. "Three" slaves run by EasyDNS, which themselves use a hidden
>      master
>
> Everything between our PowerDNS instances is working great. I haven't
> finished going through the default config file to see if we want to
> change anything, but as-is it's working fine.
>
> We're having problems using the third-party slave(s) though. EasyDNS has
> a hidden master/central system that serves as the AXFR initiator.
> Currently, that's 64.68.200.91. The slaves do not initiate AXFRs, and
> ignore NOTIFYs (returning RCODE 5).
>
> My 'domainmetadata' has the following:
>
> pdns=# SELECT * FROM domainmetadata;
>  id | domain_id |      kind       |   content
> ----+-----------+-----------------+--------------
>   2 |         2 | ALLOW-AXFR-FROM | 64.68.200.91
>   4 |         2 | ALSO-NOTIFY     | 64.68.200.91
> (2 rows)
>
> pdns=#
>
> (Please give me the benefit of the doubt on using the correct domain_id. :)
>
> Now I read in a mailing list post that perhaps gpgsql-dnssec had to be
> loaded for 'domainmetadata' to be read at all? I added that to my
> pdns.conf and still, NOTIFYs appear to not be sent. Here's my
> (effective) pdns.conf:
>
> master
>
> launch=gpgsql
> gpgsql-dbname=pdns
> gpgsql-user=pdns
> gpgsql-password=foobar
>
> When I make a change to the zone (using the PowerAdmin PHP frontend,
> incidentally), these are the log messages I get (note nothing about
> 64.68.200.91, though a number of failed NOTIFYs to the EasyDNS public slaves):
>
> Mar 13 15:39:47 apricot pdns[7206]: 1 domain for which we are master needs notifications
> Mar 13 15:39:48 apricot pdns[7206]: Queued notification of domain 'foocorp.com' to 2001:1838:f001::10
> Mar 13 15:39:48 apricot pdns[7206]: Queued notification of domain 'foocorp.com' to 64.68.192.210
> Mar 13 15:39:48 apricot pdns[7206]: Queued notification of domain 'foocorp.com' to 64.68.196.10
> Mar 13 15:39:48 apricot pdns[7206]: Queued notification of domain 'foocorp.com' to 67.205.89.78
> Mar 13 15:39:48 apricot pdns[7206]: Queued notification of domain 'foocorp.com' to 72.52.2.1
> Mar 13 15:39:48 apricot pdns[7206]: Queued notification of domain 'foocorp.com' to 74.52.92.34
> Mar 13 15:39:48 apricot pdns[7206]: Error trying to resolve '2001:1838:f001::10' for notifying 'foocorp.com' to server: Unable to send notify to [2001:1838:f001::10]:53: Network is unreachable
> Mar 13 15:39:49 apricot pdns[7206]: AXFR of domain 'foocorp.com' initiated by 74.52.92.34
> Mar 13 15:39:49 apricot pdns[7206]: AXFR of domain 'foocorp.com' allowed: client IP 74.52.92.34 is in allow-axfr-ips
> Mar 13 15:39:49 apricot pdns[7206]: AXFR of domain 'foocorp.com' to 74.52.92.34 finished
> Mar 13 15:39:49 apricot pdns[7206]: AXFR of domain 'foocorp.com' initiated by 67.205.89.78
> Mar 13 15:39:49 apricot pdns[7206]: AXFR of domain 'foocorp.com' allowed: client IP 67.205.89.78 is in allow-axfr-ips
> Mar 13 15:39:49 apricot pdns[7206]: AXFR of domain 'foocorp.com' to 67.205.89.78 finished
> Mar 13 15:39:49 apricot pdns[7206]: Removed from notification list: 'foocorp.com' to 67.205.89.78:53 (was acknowledged)
> Mar 13 15:39:49 apricot pdns[7206]: Received unsuccessful notification report for 'foocorp.com' from 64.68.192.210:53, rcode: 5
> Mar 13 15:39:49 apricot pdns[7206]: Removed from notification list: 'foocorp.com' to 64.68.192.210:53
> Mar 13 15:39:49 apricot pdns[7206]: Removed from notification list: 'foocorp.com' to 74.52.92.34:53 (was acknowledged)
> Mar 13 15:39:49 apricot pdns[7206]: Received unsuccessful notification report for 'foocorp.com' from 72.52.2.1:53, rcode: 5
> Mar 13 15:39:49 apricot pdns[7206]: Removed from notification list: 'foocorp.com' to 72.52.2.1:53
> Mar 13 15:39:49 apricot pdns[7206]: Received unsuccessful notification report for 'foocorp.com' from 64.68.196.10:53, rcode: 5
> Mar 13 15:39:49 apricot pdns[7206]: Removed from notification list: 'foocorp.com' to 64.68.196.10:53
> Mar 13 15:39:51 apricot pdns[7206]: Error trying to resolve '2001:1838:f001::10' for notifying 'foocorp.com' to server: Unable to send notify to [2001:1838:f001::10]:53: Network is unreachable
> Mar 13 15:39:51 apricot pdns[7206]: No master domains need notifications
> Mar 13 15:39:56 apricot pdns[7206]: Error trying to resolve '2001:1838:f001::10' for notifying 'foocorp.com' to server: Unable to send notify to [2001:1838:f001::10]:53: Network is unreachable
> Mar 13 15:40:05 apricot pdns[7206]: Error trying to resolve '2001:1838:f001::10' for notifying 'foocorp.com' to server: Unable to send notify to [2001:1838:f001::10]:53: Network is unreachable
>
>
>
>
> ^C
> [ dbharris@apricot: /var/log/ (1)]$ date
> Thu Mar 13 15:47:59 EDT 2014
> [ dbharris@apricot: /var/log/ (1)]$
>
>
> Anybody have any ideas? Is there something I'm doing obviously wrong? If I
> don't need it, can I take gpgsql-dnssec out of my pdns.conf?
>
> Thanks very much in advance,
>
> David
>
> _______________________________________________
> Pdns-users mailing list
> [email protected]
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>

-- 
Arguing with an engineer is like wrestling with a pig in mud.
After a while, you realise the pig is enjoying it.

OpenPGP v4 key ID: 4096R/59DDCB9F
Fingerprint: CC53 F124 35C0 7BC2 58FE 7A3C 157D DFD9 59DD CB9F
Retrieve from subkeys.pgp.net
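
Added example, not part of the thread or of PowerDNS: a small Python check for the symptom described above, where per-zone ALSO-NOTIFY targets never show up in the log because the backend's dnssec switch is missing from pdns.conf. The function names are hypothetical, the log excerpt is trimmed from the quoted message, and treating only "no" and "off" as false is an assumption about how pdns.conf switches are parsed.

```python
import re

# Log excerpt trimmed from the quoted message above.
SAMPLE_LOG = """\
Mar 13 15:39:48 apricot pdns[7206]: Queued notification of domain 'foocorp.com' to 64.68.192.210
Mar 13 15:39:48 apricot pdns[7206]: Queued notification of domain 'foocorp.com' to 67.205.89.78
Mar 13 15:39:49 apricot pdns[7206]: Removed from notification list: 'foocorp.com' to 67.205.89.78:53 (was acknowledged)
Mar 13 15:39:49 apricot pdns[7206]: Received unsuccessful notification report for 'foocorp.com' from 64.68.192.210:53, rcode: 5
"""
# The "effective" pdns.conf from the quoted message.
PAGE_CONF = "master\nlaunch=gpgsql\ngpgsql-dbname=pdns\ngpgsql-user=pdns\ngpgsql-password=foobar\n"

QUEUED = re.compile(r"Queued notification of domain '([^']+)' to (\S+)")
ACKED = re.compile(r"Removed from notification list: '([^']+)' to (\S+):\d+ \(was acknowledged\)")
REFUSED = re.compile(r"unsuccessful notification report for '([^']+)' from (\S+):\d+, rcode: (\d+)")


def dnssec_enabled(conf_text, backend="gpgsql"):
    """True if '<backend>-dnssec' is switched on (a bare key counts as on)."""
    for raw in conf_text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition("=")
        if key.strip() == f"{backend}-dnssec":
            return value.strip().lower() not in ("no", "off")  # assumption
    return False


def audit_notifies(log_text, zone, also_notify):
    """Compare the ALSO-NOTIFY targets for a zone with what the log shows."""
    queued, acked, refused = set(), set(), {}
    for line in log_text.splitlines():
        if (m := QUEUED.search(line)) and m.group(1) == zone:
            queued.add(m.group(2))
        elif (m := ACKED.search(line)) and m.group(1) == zone:
            acked.add(m.group(2))
        elif (m := REFUSED.search(line)) and m.group(1) == zone:
            refused[m.group(2)] = int(m.group(3))
    return {
        "never_queued": sorted(set(also_notify) - queued),  # metadata not applied
        "acknowledged": sorted(acked),
        "refused": refused,  # target answered with a non-zero rcode
    }


if __name__ == "__main__":
    print("gpgsql-dnssec enabled:", dnssec_enabled(PAGE_CONF))
    print(audit_notifies(SAMPLE_LOG, "foocorp.com", ["64.68.200.91"]))
```

A target listed under never_queued while the dnssec switch reads as disabled matches the situation resolved in this thread.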
