On 21/06/2021 08:53, Cheikh Dieng via Pdns-users wrote:
Hi,

My powerdns rejects requests for zone transfer.

My powerdns domain is "cloud.lfpw.dsna.fr"; it is a sub domain of "lfpw.dsna.fr" (this parent domain is not a powerdns solution). For the Letsencrypt protocol to generate a certificate I have to enable zone transfer in my powerdns.

That doesn't make much sense: the Letsencrypt protocol DNS01 challenge does not use zone transfers.

It might make sense if cloud.lfpw.dsna.fr were delegated to a separate set of publicly-reachable nameservers, and your powerdns is a hidden primary that those servers perform zone transfers from.  That looks like it's possible:

$ dig +trace @8.8.8.8 _acme-challenge.cloud.lfpw.dsna.fr.
...
lfpw.dsna.fr.        86400    IN    NS    vitre.cena.fr.
lfpw.dsna.fr.        86400    IN    NS    hilar.cena.fr.
;; Received 108 bytes from 2001:4b98:aaaa::fa#53(ns-249-a.gandi.net) in 18 ms
...
cloud.lfpw.dsna.fr.    172800    IN    NS    vitre.cena.fr.
cloud.lfpw.dsna.fr.    172800    IN    NS    vip-in.cloud.lfpw.dsna.fr.
;; Received 125 bytes from 195.83.98.1#53(hilar.cena.fr) in 39 ms

However the cloud.lfpw.dsna.fr domain looks to be totally broken.  One nameserver gives servfail:

$ dig @vitre.cena.fr. cloud.lfpw.dsna.fr. ns

; <<>> DiG 9.10.3-P4-Debian <<>> @vitre.cena.fr. cloud.lfpw.dsna.fr. ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33460
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cloud.lfpw.dsna.fr.        IN    NS

;; Query time: 36 msec
;; SERVER: 2001:660:6607:100::1#53(2001:660:6607:100::1)
;; WHEN: Mon Jun 21 09:20:26 BST 2021
;; MSG SIZE  rcvd: 47

The other nameserver, "vip-in.cloud.lfpw.dsna.fr" does not resolve at all:

$ dig @vip-in.cloud.lfpw.dsna.fr. cloud.lfpw.dsna.fr. ns

; <<>> DiG 9.10.3-P4-Debian <<>> @vip-in.cloud.lfpw.dsna.fr. cloud.lfpw.dsna.fr. ns
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

The address from the glue record doesn't work either:

$ dig @195.83.98.243 cloud.lfpw.dsna.fr. ns

; <<>> DiG 9.10.3-P4-Debian <<>> @195.83.98.243 cloud.lfpw.dsna.fr. ns
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


Only one of the two nameservers for lfpw.dsna.fr *is* working - this is where I got the glue record from.

$ dig @hilar.cena.fr. cloud.lfpw.dsna.fr. ns

; <<>> DiG 9.10.3-P4-Debian <<>> @hilar.cena.fr. cloud.lfpw.dsna.fr. ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10103
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cloud.lfpw.dsna.fr.        IN    NS

;; AUTHORITY SECTION:
cloud.lfpw.dsna.fr.    172800    IN    NS    vip-in.cloud.lfpw.dsna.fr.
cloud.lfpw.dsna.fr.    172800    IN    NS    vitre.cena.fr.

;; ADDITIONAL SECTION:
vip-in.cloud.lfpw.dsna.fr. 172800 IN    A    195.83.98.243

;; Query time: 39 msec
;; SERVER: 195.83.98.1#53(195.83.98.1)
;; WHEN: Mon Jun 21 09:23:11 BST 2021
;; MSG SIZE  rcvd: 109


In summary: lfpw.dsna.fr is half-broken, and cloud.lfpw.dsna.fr is completely broken.  Getting Letsencrypt certificates is the least of your worries right now.



Is my pdns.conf file correct ?

    local-address=0.0.0.0, ::
    launch=ldap
    guardian=yes
    ldap-host=ldap://200.17.xx.xx:1389/
    ldap-basedn=dc=cloud,dc=lfpw,dc=dsna,dc=fr
    ldap-binddn=cn=admin,dc=dsna,dc=fr
    ldap-secret=xxxxx
    ldap-method=simple
    disable-axfr=no
    allow-axfr-ips=127.0.0.0/8,195.xx.xx.xx/32,51.91.xx.xx/32
    local-port=53
    cache-ttl=0

    loglevel=9
    logging-facility=0
    api=yes
    api-key=xxxxx
    master=yes
    include-dir=/etc/powerdns/pdns.d


My powerdns listens on port 2053.


That doesn't make sense either.  You have "local-port=53", but you say it listens on port 2053 ??

What does powerdns log when you try to make a zone transfer?  Can you use tcpdump to prove the query is arriving?



The AXFR request failed, see below:

    [pduser@hyp03 ~]$ dig axfr @0 cloud.lfpw.dsna.fr -p 2053

    ; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> axfr @0 cloud.lfpw.dsna.fr -p 2053
    ; (1 server found)
    ;; global options: +cmd
    ; Transfer failed.

It looks like you haven't copy-pasted correctly.  "dig @0" is certainly going to fail:

;; Connection to 0.0.0.0#2053(0.0.0.0) for cloud.lfpw.dsna.fr failed: connection refused.

So I can only guess what host you're trying to transfer from.  I tried "dig @0.cloud.lfpw.dsna.fr", but that also fails because it doesn't resolve.

Regards,

Brian.
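An added check (example code, not from the thread and not PowerDNS's own code) that models the two settings questioned above, local-port and allow-axfr-ips, over a constructed pdns.conf fragment with TEST-NET placeholder addresses. It treats allow-axfr-ips as a plain netmask list and does not model per-zone ALLOW-AXFR-FROM metadata.

```python
import ipaddress

# Constructed pdns.conf fragment mirroring the settings discussed in the thread.
# The 198.51.100.x / 203.0.113.x entries are documentation addresses, not real hosts.
SAMPLE_CONF = """\
local-address=0.0.0.0, ::
launch=ldap
disable-axfr=no
allow-axfr-ips=127.0.0.0/8,198.51.100.10/32,203.0.113.20/32
local-port=53
master=yes
"""

def parse_pdns_conf(text):
    """Parse key=value lines; '#' starts a comment, later keys override earlier ones."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def axfr_allowed(conf, client_ip):
    """Evaluate allow-axfr-ips as a comma-separated netmask list (this example's model)."""
    if conf.get("disable-axfr", "no").lower() in ("yes", "true", "1"):
        return False, "disable-axfr is set"
    # Assumption: use the documented default list when the key is absent.
    allow = conf.get("allow-axfr-ips", "127.0.0.0/8,::1")
    ip = ipaddress.ip_address(client_ip)
    for entry in allow.split(","):
        entry = entry.strip()
        # 'in' is False across address families, so v4 clients never match ::1.
        if entry and ip in ipaddress.ip_network(entry, strict=False):
            return True, f"{client_ip} matches {entry}"
    return False, f"{client_ip} is not in allow-axfr-ips"

def diagnose(conf, client_ip, dig_port):
    """Return the reasons a transfer from client_ip, sent to dig_port, would be refused."""
    problems = []
    port = int(conf.get("local-port", "53"))
    if port != dig_port:
        problems.append(f"dig used port {dig_port} but local-port is {port}")
    ok, why = axfr_allowed(conf, client_ip)
    if not ok:
        problems.append(why)
    return problems
```

Running `diagnose(parse_pdns_conf(SAMPLE_CONF), "10.0.0.5", 2053)` reports both the port mismatch and the missing allow-list entry, which are the two things to verify before looking at the LDAP backend.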

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
