[Opendnssec-user] AXFR's Between OpenDNSSEC + PowerDNS
sebastian at nzrs.net.nz
Mon Jun 20 00:30:52 UTC 2011
On 06/20/2011 12:08 PM, Craig Whitmore wrote:
>>> I am trying to use PowerDNS -> OpenDNSSEC (signing) -> PowerDNS
>>> (slaves) as PowerDNS at the moment is not (IMHO) good enough yet to
>>> do the signing/roll overs etc at the moment.
>>> Reading: http://comments.gmane.org/gmane.network.dns.opendnssec.user/631
>>> On the slave if I do a pdns_control retrieve <domain> it sends a notify
>>> without the AA bit set
>> Just to clarify, usually a master will send a notify, not the slave. Do
>> you mean an AXFR?
> Yes an AXFR.. The slave requesting the ZONE.
> Ie from powerdns slave
> pdns_control retrieve spam.co.nz ( I want the slave to do an AXFR from
> openDNSsec to get a copy of the zone)
> I get
> Jun 19 22:20:25 database1 pdns: Initiating transfer of 'spam.co.nz'
> from remote '188.8.131.52'
> Jun 19 22:20:25 database1 pdns: gmysql Connection successful
> Jun 19 22:20:25 database1 pdns: last message repeated 2 times
> Jun 19 22:20:25 database1 pdns: Unable to AXFR zone
> 'videobears.co.nz' from remote '184.108.40.206' (resolver): Remote
> nameserver closed TCP connection
You are missing one important point. OpenDNSSEC doesn't provide outgoing
zone transfers, it has to rely on a nameserver to do that. It can do
incoming zone transfer (pull a zone from a nameserver).
> From opendnssec
> ods-signerd: zone fetcher drop bad notify
Because opendnssec doesn't handle zone transfer requests, you are
exercising the notify handler code, that's why you get that "strange"
On my testbed, I have OpenDNSSEC to sign the zones, the post-signing
hook to load the signed zone file in a nameserver running in the same
box, which later takes care of handling the zone transfer requests.
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
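The setup described at the end of the reply (OpenDNSSEC signs, a post-signing hook loads the signed file into a co-located nameserver, and that nameserver answers the AXFRs) can be wired up with a small hook script. The script below is an added example, not code from the thread or from the OpenDNSSEC or PowerDNS projects. It assumes the hook is registered as OpenDNSSEC's NotifyCommand in conf.xml (which substitutes %zone and %zonefile before running it), that PowerDNS is the nameserver on the same box, and that `pdnsutil load-zone` and `pdns_control notify` are the local loader and notify commands; both are overridable through LOAD_CMD and NOTIFY_CMD. Before loading, it refuses any file that lacks an SOA or RRSIG records, so a failed or partial signing run cannot silently publish an unsigned zone.

```shell
#!/bin/sh
# Added example: post-signing hook for OpenDNSSEC, not from the thread or the projects.
# Assumed conf.xml wiring (paths are placeholders):
#   <NotifyCommand>/usr/local/sbin/load-signed-zone.sh %zone %zonefile</NotifyCommand>
# OpenDNSSEC replaces %zone and %zonefile before executing the command.
# The loader and notify commands are assumptions about the local PowerDNS
# install; override with LOAD_CMD / NOTIFY_CMD if the box differs.

# Sanity-check the signed zone before handing it to the nameserver: the file
# must exist, carry an SOA, and actually contain RRSIG records. Anything else
# would publish an unsigned or truncated zone to the slaves.
check_signed_zone() {
    zone=$1
    file=$2
    [ -s "$file" ] || { echo "$zone: signed zone file '$file' missing or empty" >&2; return 1; }
    grep -q -E '[[:space:]]IN[[:space:]]+SOA[[:space:]]' "$file" \
        || { echo "$zone: no SOA record in $file" >&2; return 1; }
    grep -q -E '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]' "$file" \
        || { echo "$zone: no RRSIG records in $file (zone not signed?)" >&2; return 1; }
    return 0
}

# Load the checked zone into the co-located nameserver, then have it notify
# its slaves so they pull the new serial via AXFR from the nameserver,
# not from OpenDNSSEC (which serves no outgoing transfers).
load_signed_zone() {
    zone=$1
    file=$2
    check_signed_zone "$zone" "$file" || return 1
    ${LOAD_CMD:-pdnsutil load-zone} "$zone" "$file" || return 1
    ${NOTIFY_CMD:-pdns_control notify} "$zone"
}

# Only act when OpenDNSSEC invokes us with "%zone %zonefile"; sourcing the
# script just to get the functions performs no load.
if [ $# -eq 2 ]; then
    load_signed_zone "$1" "$2"
fi
```

Run it once by hand with a zone name and the signed file path from the signer's output directory to confirm the nameserver accepts the load before registering it as the NotifyCommand; the error lines it prints on stderr end up in the signer's log, which is the first place to look when slaves stop seeing new serials.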