Many thanks, it's clear to me now. As for dnsdist, I need HA for my PowerDNS.

>> The delegation is done at the parent level, yes. However the delegated
>> domain still needs to contain NS records and a SOA record for its own zone.

Yes, here are some details:

[pduser@hyp03 ~]$ podman exec pdns pdnsutil list-zone cloud.lfpw.dsna.fr
Jun 10 15:53:06 [LdapBackend] LDAP servers = ldap://200.17.66.30:1389/
Jun 10 15:53:06 [LdapBackend] Ldap connection succeeded
Jun 10 15:53:06 [LdapBackend] LDAP servers = ldap://200.17.66.30:1389/
Jun 10 15:53:06 [LdapBackend] Ldap connection succeeded
Jun 10 15:53:06 [LdapBackend] Search = basedn: dc=cloud,dc=lfpw,dc=dsna,dc=fr, filter: (associatedDomain=*.cloud.lfpw.dsna.fr)
$ORIGIN .
Jun 10 15:53:06 [LdapBackend] Record = qname: cloud.lfpw.dsna.fr, qtype: SOA, ttl: 3600, content: ns.cloud.lfpw.dsna.fr hostmas...@cloud.lfpw.dsna.fr 2002010401 1800 3600 604800 84600
Jun 10 15:53:06 [LdapBackend] Record = qname: cloud.lfpw.dsna.fr, qtype: NS, ttl: 3600, content: ns.cloud.lfpw.dsna.fr
Jun 10 15:53:06 [LdapBackend] Record = qname: cloud.lfpw.dsna.fr, qtype: MX, ttl: 3600, content: 20 mail2.cloud.lfpw.dsna.fr
Jun 10 15:53:06 [LdapBackend] Record = qname: cloud.lfpw.dsna.fr, qtype: MX, ttl: 3600, content: 10 mail.cloud.lfpw.dsna.fr
Jun 10 15:53:06 [LdapBackend] Record = qname: cloud.lfpw.dsna.fr, qtype: A, ttl: 3600, content: 195.83.98.243
Jun 10 15:53:06 [LdapBackend] Record = qname: *.cloud.lfpw.dsna.fr, qtype: A, ttl: 3600, content: 195.83.98.243
Jun 10 15:53:06 [LdapBackend] Record = qname: vip-in.cloud.lfpw.dsna.fr, qtype: A, ttl: 3600, content: 195.83.98.243
Jun 10 15:53:06 [LdapBackend] Record = qname: mail2.cloud.lfpw.dsna.fr, qtype: CNAME, ttl: 3600, content: vip-in.cloud.lfpw.dsna.fr
Jun 10 15:53:06 [LdapBackend] Record = qname: www.cloud.lfpw.dsna.fr, qtype: CNAME, ttl: 3600, content: vip-in.cloud.lfpw.dsna.fr
Jun 10 15:53:06 [LdapBackend] Record = qname: _acme-challenge.cloud.lfpw.dsna.fr, qtype: TXT, ttl: 3600, content: "G4d-NJvGcOyN4L6FPZunTfRYeuVOvOG3afGjCby6Ncs"
cloud.lfpw.dsna.fr 3600 IN SOA ns.cloud.lfpw.dsna.fr hostmas...@cloud.lfpw.dsna.fr 2002010401 1800 3600 604800 84600
cloud.lfpw.dsna.fr 3600 IN NS ns.cloud.lfpw.dsna.fr.
cloud.lfpw.dsna.fr 3600 IN MX 20 mail2.cloud.lfpw.dsna.fr.
cloud.lfpw.dsna.fr 3600 IN MX 10 mail.cloud.lfpw.dsna.fr.
cloud.lfpw.dsna.fr 3600 IN A 195.83.98.243
*.cloud.lfpw.dsna.fr 3600 IN A 195.83.98.243
vip-in.cloud.lfpw.dsna.fr 3600 IN A 195.83.98.243
mail2.cloud.lfpw.dsna.fr 3600 IN CNAME vip-in.cloud.lfpw.dsna.fr.
www.cloud.lfpw.dsna.fr 3600 IN CNAME vip-in.cloud.lfpw.dsna.fr.
_acme-challenge.cloud.lfpw.dsna.fr 3600 IN TXT "G4d-NJvGcOyN4L6FPZunTfRYeuVOvOG3afGjCby6Ncs"

This is my LDAP declaration for the basedn; please tell me if it's correct:

dn: dc=cloud,dc=lfpw,dc=dsna,dc=fr
objectClass: top
objectClass: domainRelatedObject
objectClass: dNSDomain2
objectClass: PdnsDomain
dc: cloud
sOARecord: ns.cloud.lfpw.dsna.fr hostmas...@cloud.lfpw.dsna.fr 2002010401 1800 3600 604800 84600
nSRecord: ns.cloud.lfpw.dsna.fr
mXRecord: 10 mail.cloud.lfpw.dsna.fr
mXRecord: 20 mail2.cloud.lfpw.dsna.fr
arecord: 195.83.98.243
associateddomain: cloud.lfpw.dsna.fr
PdnsDomainId: 1
PdnsDomainType: master
PdnsDomainMaster: 200.17.xx.xx

Thanks for your reply!

On Wed, 23 Jun 2021 at 09:24, Brian Candler <b.cand...@pobox.com> wrote:

> On 22/06/2021 23:30, Cheikh Dieng wrote:
> > Hi, excuse the delay.
> >
> > For context:
> > My PowerDNS listens on port 2053.
> > My dnsdist listens on port 1053.
> > We are translating port 53 (for external requests) to 1053.
> > That's why from outside we use port 53, and internally we can use port
> > 1053 or 2053.
>
> In that case I would have thought your PowerDNS authoritative needs
> "local-port = 2053", not "local-port = 53".
>
> Do you have a particular reason for using dnsdist? It does add complexity
> that is often not required.
>
> > Detail: DNS problem: query timed out looking up TXT for
> > _acme-challenge.cloud.lfpw.dsna.fr
>
> As I explained before, your entire domain "cloud.lfpw.dsna.fr" is
> broken. ACME challenges and DNS updates are not the problem; the problem
> is that *nobody* can resolve *any* address within that domain.
>
> $ dig @8.8.8.8 cloud.lfpw.dsna.fr. soa
> ...
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7572
>
> That's the problem you need to fix first. To repeat:
>
> $ dig +trace @8.8.8.8 cloud.lfpw.dsna.fr
> ...
> lfpw.dsna.fr. 86400 IN NS vitre.cena.fr.
> lfpw.dsna.fr. 86400 IN NS hilar.cena.fr.
>
> dig +norec @vitre.cena.fr. cloud.lfpw.dsna.fr. txt >> answer is SERVFAIL
>
> dig +norec @hilar.cena.fr. cloud.lfpw.dsna.fr. txt >> gives delegation
> (NS) to vitre.cena.fr. and vip-in.cloud.lfpw.dsna.fr.
>
> >> we already know that vitre.cena.fr gives SERVFAIL
>
> >> we cannot resolve the name vip-in.cloud.lfpw.dsna.fr, and therefore we
> cannot send a DNS query to it
>
> >> therefore, 2 out of 2 nameservers for cloud.lfpw.dsna.fr are not
> reachable
>
> >> therefore, the entire domain cloud.lfpw.dsna.fr is broken
>
> > As a first conclusion, I understand from your reply that:
> >
> > - the Let's Encrypt DNS-01 challenge does not use zone transfers
> > - cloud.lfpw.dsna.fr is a subdomain and does not have to configure
> > delegation itself (it makes sense). This delegation configuration should
> > be done at the parent level (lfpw.dsna.fr)
>
> The delegation is done at the parent level, yes. However the delegated
> domain still needs to contain NS records and a SOA record for its own zone.
>
> Regards,
>
> Brian.
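Added example, not code from the thread or from PowerDNS: Brian's diagnosis above is a chain of dig queries that only works with network access, so the script below encodes the same checks as an offline consistency test between what the parent publishes (NS set plus glue) and what the child zone contains (SOA and NS at the apex, address records for in-zone nameservers). The sample data is constructed to mirror the thread; the SOA RNAME is a placeholder, the parent is assumed to publish no glue for vip-in.cloud.lfpw.dsna.fr (the thread says the name cannot be resolved), and the "fixed" setup is a constructed example of parent and child agreeing, not a configuration from the thread.

```python
# Added example, not code from the thread: an offline consistency check that encodes
# the delegation diagnosis from Brian's reply (parent NS set vs. child apex SOA/NS,
# and glue for in-zone nameservers). Sample data below is constructed, not captured.
from typing import Dict, List, NamedTuple, Set


class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


def normalise(name: str) -> str:
    """Lowercase and strip the trailing dot so 'ns.example.' == 'ns.example'."""
    return name.lower().rstrip(".")


def parse_records(text: str) -> List[Record]:
    """Parse 'name ttl IN type rdata' lines as printed by pdnsutil list-zone or dig."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("$", ";")):  # skip $ORIGIN, comments, blanks
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unparseable record line: {line!r}")
        name, ttl, _, rtype, rdata = parts
        records.append(Record(normalise(name), int(ttl), rtype.upper(), rdata.strip()))
    return records


def in_bailiwick(host: str, zone: str) -> bool:
    """True if host lies inside zone, i.e. resolvers can only reach it via glue."""
    host, zone = normalise(host), normalise(zone)
    return host == zone or host.endswith("." + zone)


def check_delegation(zone: str, parent_ns: List[str], parent_glue: Dict[str, str],
                     child_records: List[Record]) -> List[str]:
    """Return the problems found; an empty list means parent and child are consistent."""
    apex = normalise(zone)
    problems: List[str] = []
    if not any(r.name == apex and r.rtype == "SOA" for r in child_records):
        problems.append(f"child zone {apex} has no SOA at its apex")
    child_ns: Set[str] = {normalise(r.rdata) for r in child_records
                          if r.name == apex and r.rtype == "NS"}
    if not child_ns:
        problems.append(f"child zone {apex} has no NS records at its apex")
    parent_set = {normalise(n) for n in parent_ns}
    if parent_set != child_ns:
        problems.append(f"parent delegates to {sorted(parent_set)} but the child apex "
                        f"lists {sorted(child_ns)}: resolvers are sent to the wrong servers")
    # Every in-zone name the parent points at needs glue, or the lookup is circular.
    glue = {normalise(k) for k in parent_glue}
    for ns in sorted(parent_set):
        if in_bailiwick(ns, apex) and ns not in glue:
            problems.append(f"in-zone nameserver {ns} has no glue A/AAAA at the parent")
    # Every in-zone name the child claims should carry an explicit address record.
    addresses = {r.name for r in child_records if r.rtype in ("A", "AAAA")}
    for ns in sorted(child_ns):
        if in_bailiwick(ns, apex) and ns not in addresses:
            problems.append(f"child zone has no explicit A/AAAA for {ns} "
                            f"(a wildcard may answer, but glue at the parent is still required)")
    return problems


ZONE = "cloud.lfpw.dsna.fr"

# Constructed child zone in the format of the pdnsutil dump in the thread (RNAME is a placeholder).
CHILD_ZONE_TEXT = """
$ORIGIN .
cloud.lfpw.dsna.fr 3600 IN SOA ns.cloud.lfpw.dsna.fr. hostmaster.cloud.lfpw.dsna.fr. 2002010401 1800 3600 604800 86400
cloud.lfpw.dsna.fr 3600 IN NS ns.cloud.lfpw.dsna.fr.
cloud.lfpw.dsna.fr 3600 IN A 195.83.98.243
*.cloud.lfpw.dsna.fr 3600 IN A 195.83.98.243
vip-in.cloud.lfpw.dsna.fr 3600 IN A 195.83.98.243
"""

# Delegation as hilar.cena.fr reported it in the thread; no glue is assumed.
BROKEN_PARENT_NS = ["vitre.cena.fr.", "vip-in.cloud.lfpw.dsna.fr."]
BROKEN_PARENT_GLUE: Dict[str, str] = {}

# Constructed corrected setup: parent and child agree, and the in-zone NS has glue.
FIXED_PARENT_NS = ["ns.cloud.lfpw.dsna.fr."]
FIXED_PARENT_GLUE = {"ns.cloud.lfpw.dsna.fr.": "195.83.98.243"}
FIXED_CHILD_TEXT = CHILD_ZONE_TEXT + "ns.cloud.lfpw.dsna.fr 3600 IN A 195.83.98.243\n"


def broken_problems() -> List[str]:
    return check_delegation(ZONE, BROKEN_PARENT_NS, BROKEN_PARENT_GLUE, parse_records(CHILD_ZONE_TEXT))


def fixed_problems() -> List[str]:
    return check_delegation(ZONE, FIXED_PARENT_NS, FIXED_PARENT_GLUE, parse_records(FIXED_CHILD_TEXT))
```

Against the thread's data the check reports three problems: the parent's NS set (vitre.cena.fr, vip-in.cloud.lfpw.dsna.fr) does not match the child apex NS (ns.cloud.lfpw.dsna.fr), the in-zone name vip-in has no glue at the parent, and ns.cloud.lfpw.dsna.fr has no explicit address record in the child (only the wildcard would answer). In practice, take the parent's view from "dig +norec @hilar.cena.fr. cloud.lfpw.dsna.fr. ns" (the additional section is the glue) and the child's view from pdnsutil list-zone; until the parent delegation is corrected, changes to the LDAP entry alone cannot make the zone resolvable.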
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users