I'm working on a not-yet-provisioned pdns superslave.
I want pdns to be autoprovisioned on authorized NOTIFY from my bind9 master.
Currently, in the pdns logs I have the following error:
...
Dec 31 11:55:07 dns pdns[1677]: Received secure NOTIFY for example.com from 10.1.1.53, allowed by TSIG key 'pdns-key'
Dec 31 11:55:07 dns pdns[1677]: Query: select id,name,master,last_check,notified_serial,type,account from domains where name=:domain
Dec 31 11:55:07 dns pdns[1677]: Received NOTIFY for example.com from 10.1.1.53 for which we are not authoritative
Dec 31 11:55:08 dns pdns[1677]: Query: select account from supermasters where ip=:ip and nameserver=:nameserver
Dec 31 11:55:08 dns pdns[1677]: Unable to find backend willing to host example.com for potential supermaster 10.1.1.53. Remote nameservers:
Dec 31 11:55:08 dns pdns[1677]: dnsint.example.net
...
NOTE the 'remote nameserver' == dnsint.example.net.
That's the SOA NS for my master's *internal* (LAN only) view, not the *external*, to-be-signed, view data.
I've set up my master so that for a given zone, the config consists of internal & external zone views + files:
...
view "internal" {
    match-clients { !pdns-key; ... };
    ...
    zone "example.com" IN {
        type master;
        file "/namedb/master/example.com.zone";
    };
    ...
}
view "external" {
    match-clients { pdns-key; ... };
    ...
    zone "example.com" IN {
        type master;
        file "/namedb/master/example.com.zone";
        notify explicit;
        also-notify { powerdns_ip; };
    };
    ...
}
...
With this config, a TSIG-signed client that uses key == 'pdns-key' should match the 'external' view.
This can be verified for unsigned:
    dig @10.1.1.53 SOA example.com +short
    dnsint.example.net. hostmaster.example.net. 1483204233 7200 1800 604800 5
& signed:
    dig @10.1.1.53 SOA example.com +short -k /usr/local/etc/named/keys/pdns.key
    dnsext.example.net. soacontact.example.net. 1483204233 7200 1800 604800 5
and, for reference:
    host dnsint.example.net
    dnsint.example.net is an alias for dns.example.net.
    dns.example.net has address 10.1.1.53
    host dnsext.example.net
    dnsext.example.net has address II.PP.VV.44 (real/public ip address)
So, since I want pdns to access the *external* view, it needs to communicate to/with the master with TSIG-signed requests, but it needs to do so on the master's IP (either 127.0.0.1 or 10.1.1.53 ...).
And, since I'm setting up pdns as an auto-provisioned superslave -- i.e., I don't have the domain IDs in pdns.db until after 'first contact' from the master -- I'm attempting to use an sqlite3 trigger:
sqlite3 /var/pdns/powerdns.sqlite3 < /usr/local/powerdns/share/doc/pdns/schema.sqlite3.sql
sqlite3 /var/pdns/powerdns.sqlite3
>
    INSERT INTO `supermasters` (ip, nameserver, account)
        VALUES ('10.1.1.53', 'dnsint.example.net', 'admin');
    INSERT INTO `tsigkeys` (name, algorithm, secret)
        VALUES ('pdns-key', 'hmac-sha256', 'xxxxxxxx');
    DROP TRIGGER IF EXISTS `domains_after_create`;
    CREATE TRIGGER IF NOT EXISTS `domains_after_create`
    AFTER INSERT ON `domains`
    FOR EACH ROW WHEN NEW.`type` = 'SLAVE'
    BEGIN
        INSERT INTO `domainmetadata` (`domain_id`, `kind`, `content`)
            VALUES (NEW.`id`, 'AXFR-MASTER-TSIG', 'pdns-key');
    END;
    .exit
That fires no errors on entry, but I get the ERROR on the transaction between the pdns slave and bind master as reported above.
Apparently, pdns is making an UNSIGNED request to the master, and I've failed to get it to use the 'pdns-key'.
What piece is missing to get pdns to sign that comm, and access the *external* view?
_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
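To check the sqlite3 side of the setup in isolation, here is an added test (not from the post or from PowerDNS) that builds an in-memory database with a cut-down stand-in for schema.sqlite3.sql, installs the trigger as written above, and exercises both the supermasters lookup shown in the pdns log and the metadata the trigger attaches to a newly inserted domain. The minimal schema, the helper names and the sample rows are assumptions constructed for this test.

```python
import sqlite3

# Constructed stand-in for the parts of schema.sqlite3.sql the post touches;
# column names follow the queries visible in the pdns log, nothing more.
SCHEMA = """
CREATE TABLE domains (
  id INTEGER PRIMARY KEY, name TEXT NOT NULL, master TEXT,
  last_check INTEGER, notified_serial INTEGER, type TEXT NOT NULL, account TEXT);
CREATE TABLE domainmetadata (
  id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL, kind TEXT, content TEXT);
CREATE TABLE supermasters (ip TEXT NOT NULL, nameserver TEXT NOT NULL, account TEXT NOT NULL);
CREATE TABLE tsigkeys (id INTEGER PRIMARY KEY, name TEXT, algorithm TEXT, secret TEXT);
"""

# The trigger from the post: AXFR-MASTER-TSIG metadata for every new SLAVE domain.
TRIGGER = """
CREATE TRIGGER IF NOT EXISTS domains_after_create
AFTER INSERT ON domains
FOR EACH ROW WHEN NEW.type = 'SLAVE'
BEGIN
  INSERT INTO domainmetadata (domain_id, kind, content)
  VALUES (NEW.id, 'AXFR-MASTER-TSIG', 'pdns-key');
END;
"""

def build_db():
    """In-memory database with the schema, the trigger and the supermasters row from the post."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + TRIGGER)
    db.execute("INSERT INTO supermasters (ip, nameserver, account) VALUES (?, ?, ?)",
               ("10.1.1.53", "dnsint.example.net", "admin"))
    return db

def supermaster_account(db, ip, nameserver):
    """The lookup pdns logs on NOTIFY: matches on both the notifying IP and the NS name."""
    row = db.execute("SELECT account FROM supermasters WHERE ip=? AND nameserver=?",
                     (ip, nameserver)).fetchone()
    return row[0] if row else None

def provision(db, name, master, dtype, account="admin"):
    """Mimic the superslave INSERT into domains; return whatever metadata the trigger attached."""
    cur = db.execute("INSERT INTO domains (name, master, type, account) VALUES (?, ?, ?, ?)",
                     (name, master, dtype, account))
    return db.execute("SELECT kind, content FROM domainmetadata WHERE domain_id=?",
                      (cur.lastrowid,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(supermaster_account(db, "10.1.1.53", "dnsint.example.net"))  # admin
    print(supermaster_account(db, "10.1.1.53", "dnsext.example.net"))  # None
    print(provision(db, "example.com", "10.1.1.53", "SLAVE"))  # [('AXFR-MASTER-TSIG', 'pdns-key')]
    print(provision(db, "example.org", None, "NATIVE"))  # []
```

The second lookup shows why the NS name pdns sees matters: a supermasters row keyed on dnsint.example.net only matches when the remote nameserver reported in the log is that internal name.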