List: pdns-users
Subject: [Pdns-users] how to force pdns4 autoprovisioned superslave to TSIG-sign responses to supermaster?
From: PGNet Dev <pgnet.dev () gmail ! com>
Date: 2016-12-31 20:21:57
Message-ID: 573763a6-6411-1215-2c4a-cdb2ce90424c () gmail ! com
I'm working on a not-yet-provisioned pdns superslave.
I want pdns to be autoprovisioned on an authorized NOTIFY from my bind9 master.
Currently, in the pdns logs I have the following error:
...
Dec 31 11:55:07 dns pdns[1677]: Received secure NOTIFY for example.com from \
10.1.1.53, allowed by TSIG key 'pdns-key'
Dec 31 11:55:07 dns pdns[1677]: Query: select \
id,name,master,last_check,notified_serial,type,account from domains where \
name=:domain
Dec 31 11:55:07 dns pdns[1677]: Received NOTIFY for example.com from 10.1.1.53 for \
which we are not authoritative
Dec 31 11:55:08 dns pdns[1677]: Query: select account from supermasters where ip=:ip \
and nameserver=:nameserver
Dec 31 11:55:08 dns pdns[1677]: Unable to find backend willing to host example.com \
for potential supermaster 10.1.1.53. Remote nameservers:
Dec 31 11:55:08 dns pdns[1677]: dnsint.example.net
...
NOTE the 'remote nameserver' == dnsint.example.net
That's the SOA ns for my master's *internal* (LAN only) view, not the *external*, \
to-be-signed, view data.
I've set up my master so that, for a given zone, the config consists of internal & \
external zone views + files:
...
view "internal" {
    match-clients { !pdns-key ; ... };
    ...
    zone "example.com" IN { type master; file "/namedb/master/example.com.zone"; };
    ...
}
view "external" {
    match-clients { pdns-key ; ... };
    ...
    zone "example.com" IN {
        type master; file "/namedb/master/example.com.zone";
        notify explicit; also-notify { powerdns_ip; };
    };
    ...
}
...
With this config, a TSIG-signed client that uses key == 'pdns-key' should match \
the 'external' view.
This can be verified, unsigned:
dig @10.1.1.53 SOA example.com +short
dnsint.example.net. hostmaster.example.net. 1483204233 7200 1800 604800 5
& signed:
dig @10.1.1.53 SOA example.com +short -k /usr/local/etc/named/keys/pdns.key
dnsext.example.net. soacontact.example.net. 1483204233 7200 1800 604800 5
and, for reference
host dnsint.example.net
dnsint.example.net is an alias for dns.example.net.
dns.example.net has address 10.1.1.53
host dnsext.example.net
dnsext.example.net has address II.PP.VV.44 (real/public ip address)
So, since I want pdns to access the *external* view, it needs to communicate to/with \
the master with TSIG-signed requests, but it needs to do so on the master's IP \
(either 127.0.0.1 or 10.1.1.53 ...).
And, since I'm setting up pdns as an auto-provisioned superslave -- i.e., I don't \
have the domain IDs in pdns.db until after 'first contact' from the master -- I'm \
attempting to use an sqlite3 trigger.
sqlite3 /var/pdns/powerdns.sqlite3 < /usr/local/powerdns/share/doc/pdns/schema.sqlite3.sql
sqlite3 /var/pdns/powerdns.sqlite3
INSERT INTO `supermasters` ( ip, nameserver, account )
  VALUES ( '10.1.1.53', 'dnsint.example.net', 'admin' );
INSERT INTO `tsigkeys` (name, algorithm, secret)
  VALUES ('pdns-key', 'hmac-sha256', 'xxxxxxxx');
DROP TRIGGER IF EXISTS `domains_after_create`;
CREATE TRIGGER IF NOT EXISTS `domains_after_create`
  AFTER INSERT ON `domains`
  FOR EACH ROW WHEN NEW.`type` = 'SLAVE'
BEGIN
  INSERT INTO `domainmetadata` (`domain_id`, `kind`, `content`)
    VALUES (NEW.`id`, 'AXFR-MASTER-TSIG', 'pdns-key');
END;
.exit
That fires no errors on entry, but I get the ERROR on the transaction between the pdns \
slave and the bind master as reported above.
Apparently, pdns is making an UNSIGNED request to the master, and I've failed to get \
it to use the 'pdns-key'.
What piece is missing to get pdns to sign that comm, and access the *external* view?
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
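The following is an added example and is not part of the original post or of PowerDNS: it exercises the poster's sqlite3 trigger against a scratch database so the ordering it depends on is visible. The tables use a simplified subset of PowerDNS's schema.sqlite3.sql (same table and column names; constraints and indexes are an assumption dropped for brevity), the key secret is a constructed placeholder, and `provision()` stands in for the row the superslave code would insert once it accepts a zone. It shows that the AXFR-MASTER-TSIG metadata row only comes into existence after a `domains` row does, and that the `supermasters` lookup logged during the NOTIFY runs before any such row exists.

```python
"""Exercise the domains_after_create trigger from the post on a scratch DB.

Added example, not PowerDNS code. The schema below is a simplified subset of
schema.sqlite3.sql (assumption: column names suffice for the trigger to run).
"""
import sqlite3

SCHEMA = """
CREATE TABLE domains (
  id INTEGER PRIMARY KEY,
  name VARCHAR(255) NOT NULL COLLATE NOCASE,
  master VARCHAR(128) DEFAULT NULL,
  last_check INTEGER DEFAULT NULL,
  type VARCHAR(6) NOT NULL,
  notified_serial INTEGER DEFAULT NULL,
  account VARCHAR(40) DEFAULT NULL
);
CREATE TABLE domainmetadata (
  id INTEGER PRIMARY KEY,
  domain_id INT NOT NULL,
  kind VARCHAR(32) COLLATE NOCASE,
  content TEXT
);
CREATE TABLE supermasters (
  ip VARCHAR(64) NOT NULL,
  nameserver VARCHAR(255) NOT NULL COLLATE NOCASE,
  account VARCHAR(40) NOT NULL
);
CREATE TABLE tsigkeys (
  id INTEGER PRIMARY KEY,
  name VARCHAR(255) COLLATE NOCASE,
  algorithm VARCHAR(50) COLLATE NOCASE,
  secret VARCHAR(255)
);
"""

# The trigger as posted: tag every newly created SLAVE zone with the TSIG key name.
TRIGGER = """
CREATE TRIGGER IF NOT EXISTS domains_after_create
AFTER INSERT ON domains
FOR EACH ROW WHEN NEW.type = 'SLAVE'
BEGIN
  INSERT INTO domainmetadata (domain_id, kind, content)
  VALUES (NEW.id, 'AXFR-MASTER-TSIG', 'pdns-key');
END;
"""


def build_db(path=":memory:"):
    """Create the scratch DB with the supermaster, key and trigger from the post."""
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    db.execute("INSERT INTO supermasters (ip, nameserver, account) VALUES (?, ?, ?)",
               ("10.1.1.53", "dnsint.example.net", "admin"))
    # Constructed placeholder secret; a real one is base64 HMAC key material.
    db.execute("INSERT INTO tsigkeys (name, algorithm, secret) VALUES (?, ?, ?)",
               ("pdns-key", "hmac-sha256", "xxxxxxxx"))
    db.executescript(TRIGGER)
    db.commit()
    return db


def supermaster_account(db, ip, nameserver):
    """The lookup pdns logs while handling the NOTIFY; it needs no domains row."""
    row = db.execute("SELECT account FROM supermasters WHERE ip=? AND nameserver=?",
                     (ip, nameserver)).fetchone()
    return row[0] if row else None


def metadata_for(db, name):
    """(kind, content) pairs for a zone; empty until the zone has a domains row."""
    return db.execute(
        "SELECT m.kind, m.content FROM domainmetadata m "
        "JOIN domains d ON d.id = m.domain_id WHERE d.name = ?", (name,)).fetchall()


def provision(db, name, zone_type, master=None, account=None):
    """Stand-in for the domains row the superslave code inserts once it accepts a zone."""
    db.execute("INSERT INTO domains (name, master, type, account) VALUES (?, ?, ?, ?)",
               (name, master, zone_type, account))
    db.commit()


def run_scenario():
    """Walk the NOTIFY-time lookup, then provisioning, and report what the trigger did."""
    db = build_db()
    before = metadata_for(db, "example.com")           # [] : nothing to sign with yet
    provision(db, "example.com", "SLAVE", master="10.1.1.53", account="admin")
    after = metadata_for(db, "example.com")            # trigger fired
    provision(db, "local.test", "MASTER")
    master_meta = metadata_for(db, "local.test")       # trigger skips non-SLAVE rows
    return supermaster_account(db, "10.1.1.53", "dnsint.example.net"), before, after, master_meta


if __name__ == "__main__":
    print(run_scenario())
```

Run it as a script to see the four results in order: the supermaster account resolved from the `supermasters` row alone, an empty metadata list for the zone before provisioning, the AXFR-MASTER-TSIG row once the SLAVE domain exists, and nothing for a MASTER zone. Whatever pdns sends before the `domains` row exists cannot be influenced by `domainmetadata`, because at that moment there is no `domain_id` for the trigger to attach anything to.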