Re: [Pdns-users] How to understand cause of rejected notify
Hi MRob,

Could you please try a ‘dig AXFR domain.com’ from your slave?
Could you also provide us a full packet capture (pcap if possible)?

I am starting to suspect a firewall issue…

Frank

> On 1 Dec 2018, at 22:44, MRob wrote:
>
>> All supermaster problems I know of can be resolved by checking the
>> checklist:
>> https://doc.powerdns.com/authoritative/modes-of-operation.html?highlight=supermaster#supermaster-automatic-provisioning-of-slaves
>
> * supermaster support must be enabled
> I already asked about this on unanswered inquiry over a week ago. Master is
> version 4.1 where I think the setting is not recognized (according to docs,
> added in 4.2) thus no- I didn't use it. Would appreciate to have
> clarification the use of that setting, how 4.1 works without it and what it
> adds to 4.2. Also if you have supermaster=yes then should master=yes be
> removed? Documentation does not make it clear
>
> * The supermaster must carry a SOA record for the notified domain
> Yes it does
>
> * The supermaster IP must be present in the ‘supermaster’ table
> Yes, I said in my last email it exists and can assume this is working because
> as I explained the supermaster causes an entry to the ``domains'' table on
> the slave if I use 4.1 slave. 4.2 slave alone is refusing the NOTIFY.
>
> * The set of NS records for the domain, as retrieved by the slave from the
> supermaster, must include the name that goes with the IP address in the
> supermaster table
> dig shows me this is true, both @ the master and without @ to local resolver
>
> * If your master sends signed NOTIFY it will mark that TSIG key as the TSIG
> key used for retrieval as well
> When slave is 4.1 yes it added entry to ``domainmetadata'' table as well as
> ``domains''. So appears working good. Just not adding to ``records'' with no
> error expressed. Only v4.2 just refusing the NOTIFY with no error to help
> diagnose.
>
> * If you turn off allow-unsigned-supermaster, then your supermaster(s) are
> required to sign their notifications.
> Per above I think this is ok

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users

Re: [Pdns-users] How to understand cause of rejected notify
> All supermaster problems I know of can be resolved by checking the
> checklist:
> https://doc.powerdns.com/authoritative/modes-of-operation.html?highlight=supermaster#supermaster-automatic-provisioning-of-slaves

* supermaster support must be enabled
I already asked about this on unanswered inquiry over a week ago. Master is
version 4.1 where I think the setting is not recognized (according to docs,
added in 4.2) thus no- I didn't use it. Would appreciate to have
clarification the use of that setting, how 4.1 works without it and what it
adds to 4.2. Also if you have supermaster=yes then should master=yes be
removed? Documentation does not make it clear

* The supermaster must carry a SOA record for the notified domain
Yes it does

* The supermaster IP must be present in the ‘supermaster’ table
Yes, I said in my last email it exists and can assume this is working because
as I explained the supermaster causes an entry to the ``domains'' table on
the slave if I use 4.1 slave. 4.2 slave alone is refusing the NOTIFY.

* The set of NS records for the domain, as retrieved by the slave from the
supermaster, must include the name that goes with the IP address in the
supermaster table
dig shows me this is true, both @ the master and without @ to local resolver

* If your master sends signed NOTIFY it will mark that TSIG key as the TSIG
key used for retrieval as well
When slave is 4.1 yes it added entry to ``domainmetadata'' table as well as
``domains''. So appears working good. Just not adding to ``records'' with no
error expressed. Only v4.2 just refusing the NOTIFY with no error to help
diagnose.

* If you turn off allow-unsigned-supermaster, then your supermaster(s) are
required to sign their notifications.
Per above I think this is ok

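Added example (not part of any post in this thread and not PowerDNS code): the checklist above walked in the order it is listed, returning the first item that fails for one NOTIFY. The class, field and function names are hypothetical, the inputs are values you collect by hand (slave configuration, the supermaster table, dig against the master), and the order is the checklist's, not necessarily the order PowerDNS itself checks.

```python
import ipaddress
from dataclasses import dataclass


def norm(name):
    # DNS names compare case-insensitively; ignore the trailing root dot.
    return name.rstrip(".").lower()


@dataclass
class Slave:                      # hypothetical container, filled in by hand
    supermaster_support: bool     # checklist item 1, however your version sets it
    supermasters: list            # (ip, nameserver) rows from the supermaster table
    allow_unsigned_supermaster: bool = True


@dataclass
class Notify:                     # hypothetical container for one NOTIFY
    zone: str
    source_ip: str                # address the NOTIFY arrived from (slave log)
    signed: bool                  # was the NOTIFY TSIG-signed?
    soa_on_master: bool           # does the master answer SOA for the zone?
    ns_from_master: list          # NS names the master returns for the zone


def first_failed_check(slave, n):
    """Return the first checklist item that fails, or None if all pass."""
    if not slave.supermaster_support:
        return "supermaster support is not enabled"
    if not n.soa_on_master:
        return f"supermaster carries no SOA for {n.zone}"
    src = ipaddress.ip_address(n.source_ip)
    # Names stored against this source address (IPv6 spellings are normalised).
    names = {norm(ns) for ip, ns in slave.supermasters
             if ipaddress.ip_address(ip) == src}
    if not names:
        return f"{src} is not in the supermaster table"
    if not names & {norm(ns) for ns in n.ns_from_master}:
        return f"NS set from the master lacks the name stored for {src}"
    if not n.signed and not slave.allow_unsigned_supermaster:
        return "unsigned NOTIFY while allow-unsigned-supermaster is off"
    return None


if __name__ == "__main__":
    # Constructed sample values (documentation address range), not from the thread.
    slave = Slave(True, [("192.0.2.1", "ns1.example.net")])
    seen = Notify("example.net", "192.0.2.7", False, True, ["ns1.example.net."])
    print(first_failed_check(slave, seen))
```

The constructed sample fails on the source address: the NOTIFY arrives from an address other than the one stored in the table, which is worth comparing against the address in the slave's log line.
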
Re: [Pdns-users] How to understand cause of rejected notify
On Sat, Dec 01, 2018 at 08:37:16PM +, MRob wrote:
> As I have had no luck to understand why supermaster only create entry in
> Received NOTIFY for example.com from 1.1.1.1:2101 for which we are not
> authoritative (Refused)
>
> Received unsuccessful notification report for 'example.com' from 2.2.2.2:53,
> error: Query Refused

Hi "MRob",

We can do nothing with example.com and 1.1.1.1. Please see
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

All supermaster problems I know of can be resolved by checking the
checklist:
https://doc.powerdns.com/authoritative/modes-of-operation.html?highlight=supermaster#supermaster-automatic-provisioning-of-slaves

If that doesn't work, please share real domain names & IP addresses and a
pcap of a notification that does not lead to a zonetransfer.

Bert

[Pdns-users] How to understand cause of rejected notify
As I have had no luck to understand why supermaster only create entry in
``domains'' table but not in ``records'' and AXFR never happen again
(https://mailman.powerdns.com/pipermail/pdns-users/2018-November/025624.html)
I think maybe it's a bug in pdns 4.1 so I install 4.2 on slave (master still
4.1) to hope that can fix the bug.

Now problem is worse, slave won't even set up ``domains'' table, only see
this:

Received NOTIFY for example.com from 1.1.1.1:2101 for which we are not authoritative (Refused)

How do I know the reason? Config is still same as before when version 4.1 was
populated ``domains'' table (supermaster db table has correct setup)

Master log also not helpful:

Received unsuccessful notification report for 'example.com' from 2.2.2.2:53, error: Query Refused

loglevel=6 on both slave/master, nothing else coming to the logs to explain
refused reason