On 22/06/2021 23:30, Cheikh Dieng wrote:
Hi, excuse me for the delay.

For context:
My PowerDNS listens on port 2053
My dnsdist listens on port 1053
We are translating port 53 (for external requests) to 1053. That's why from outside we use port 53 and internally we can use port 1053 or 2053

In that case I would have thought your powerdns authoritative needs "local-port = 2053", not "local-port = 53"

Do you have a particular reason for using dnsdist?  It does add complexity that is often not required.




        Detail: DNS problem: query timed out looking up TXT for
        _acme-challenge.cloud.lfpw.dsna.fr

As I explained before, your entire domain "cloud.lfpw.dsna.fr" is broken.  ACME challenges and DNS updates are not the problem; the problem is that *nobody* can resolve *any* address within that domain.

$ dig @8.8.8.8 cloud.lfpw.dsna.fr. soa

...
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7572


That's the problem you need to fix first.  To repeat:

$ dig +trace @8.8.8.8 cloud.lfpw.dsna.fr
...
lfpw.dsna.fr.        86400    IN    NS    vitre.cena.fr.
lfpw.dsna.fr.        86400    IN    NS    hilar.cena.fr.

dig +norec @vitre.cena.fr. cloud.lfpw.dsna.fr. txt   >> answer is SERVFAIL

dig +norec @hilar.cena.fr. cloud.lfpw.dsna.fr. txt   >> gives delegation (NS) to vitre.cena.fr. and vip-in.cloud.lfpw.dsna.fr.

>> we already know that vitre.cena.fr gives SERVFAIL

>> we cannot resolve the name vip-in.cloud.lfpw.dsna.fr, and therefore we cannot send a DNS query to it

>> therefore, 2 out of 2 nameservers for cloud.lfpw.dsna.fr are not reachable

>> therefore, the entire domain cloud.lfpw.dsna.fr is broken



As a first conclusion, I understand from your reply that:

  * the Let's Encrypt DNS-01 challenge does not use zone transfers
  * cloud.lfpw.dsna.fr is a subdomain and doesn't have to configure
    delegation (it makes sense).  This delegation configuration should
    be done at the parent level (lfpw.dsna.fr)

The delegation is done at the parent level, yes.  However the delegated domain still needs to contain NS records and a SOA record for its own zone.

Regards,

Brian.

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
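The manual dig checks Brian walks through above (ask the parent for the delegation, then ask each delegated server non-recursively for the zone's SOA and NS records, and notice when an in-zone NS name has no glue) can be scripted. The script below is an added example written for this page; it is not code from the thread, from PowerDNS or from dnsdist. It assumes `dig` is installed and the network is reachable when `check_zone` is run; the `SAMPLE_*` replies at the bottom are constructed, not real captures, and exist only so the parsing helpers can be tried offline (192.0.2.10 is a documentation address).

```shell
#!/bin/sh
# check_delegation.sh ZONE
#
# Added example (not code from this thread, PowerDNS or dnsdist) that automates
# the manual checks from the thread: ask the parent for the delegation of ZONE,
# then ask every delegated nameserver non-recursively for the zone's SOA and NS.
# Assumes `dig` (bind9-dnsutils / bind-utils) is installed and the network is
# reachable when check_zone runs; the SAMPLE_* replies at the bottom are
# constructed, not real captures, so the parsing helpers can be tried offline.

# Print the rcode (NOERROR, SERVFAIL, NXDOMAIN, ...) of a dig reply read from stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the RDATA of every record of type $2 in section $1 (ANSWER, AUTHORITY,
# ADDITIONAL) of a dig reply read from stdin; $3, if given, restricts to one owner name.
section_rrs() {
    awk -v sec="$1" -v type="$2" -v owner="$3" '
        /^;; / { inside = ($0 == ";; " sec " SECTION:"); next }
        inside && $4 == type && (owner == "" || $1 == owner) { print $5 }'
}

# Return 0 when every delegated nameserver of $1 answers NOERROR with an SOA
# and NS records for the zone, and every in-zone NS name has glue at the parent.
check_zone() {
    zone=${1%.}.                    # canonical form with trailing dot
    parent=${zone#*.}
    pns=$(dig +short "$parent" NS | head -n 1)
    [ -n "$pns" ] || { echo "no nameservers found for parent $parent"; return 1; }

    # Step 1: the delegation exactly as the parent hands it out (NS + glue).
    referral=$(dig +norec "@$pns" "$zone" NS)
    nslist=$( { printf '%s\n' "$referral" | section_rrs ANSWER NS
                printf '%s\n' "$referral" | section_rrs AUTHORITY NS; } | sort -u)
    [ -n "$nslist" ] || { echo "$pns returns no delegation for $zone"; return 1; }

    bad=0
    for ns in $nslist; do
        case $ns in
        *."$zone")
            # In-bailiwick name: without glue from the parent nobody can reach it,
            # because resolving the name needs the very zone we are trying to reach.
            addrs=$( { printf '%s\n' "$referral" | section_rrs ADDITIONAL A "$ns"
                       printf '%s\n' "$referral" | section_rrs ADDITIONAL AAAA "$ns"; } )
            [ -n "$addrs" ] || { echo "NS $ns lies inside $zone but $pns sends no glue for it"; bad=1; continue; }
            ;;
        *)
            addrs=$(dig +short "$ns" A)
            [ -n "$addrs" ] || { echo "NS $ns does not resolve"; bad=1; continue; }
            ;;
        esac

        # Step 2: each server must actually serve the zone: NOERROR, an SOA and NS records.
        for a in $addrs; do
            reply=$(dig +norec "@$a" "$zone" SOA)
            st=$(printf '%s\n' "$reply" | dig_status)
            if [ "$st" != NOERROR ]; then
                echo "$ns ($a): $st for $zone SOA"; bad=1; continue
            fi
            [ -n "$(printf '%s\n' "$reply" | section_rrs ANSWER SOA)" ] ||
                { echo "$ns ($a): NOERROR but no SOA record for $zone"; bad=1; }
            [ -n "$(dig +norec "@$a" "$zone" NS | section_rrs ANSWER NS)" ] ||
                { echo "$ns ($a): no NS records for $zone"; bad=1; }
        done
    done
    [ "$bad" -eq 0 ] && echo "$zone: delegation looks healthy"
    return "$bad"
}

# Constructed sample replies for offline use (192.0.2.10 is a documentation address).
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7572
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cloud.lfpw.dsna.fr.    IN  SOA'

SAMPLE_REFERRAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;cloud.lfpw.dsna.fr.    IN  NS

;; AUTHORITY SECTION:
cloud.lfpw.dsna.fr.  3600  IN  NS  vitre.cena.fr.
cloud.lfpw.dsna.fr.  3600  IN  NS  vip-in.cloud.lfpw.dsna.fr.

;; ADDITIONAL SECTION:
vip-in.cloud.lfpw.dsna.fr.  3600  IN  A  192.0.2.10'

if [ $# -gt 0 ]; then
    check_zone "$1"
fi
```

Run it as `sh check_delegation.sh cloud.lfpw.dsna.fr`. The in-bailiwick branch is the case the thread hits: a delegated server named inside the delegated zone is only reachable if the parent publishes its address as glue, so the script treats a referral without glue for such a name as one unreachable nameserver rather than trying to resolve it. A SERVFAIL from any listed server is reported per address, which is what `dig +norec @vitre.cena.fr.` showed above.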
