[Opendnssec-user] AXFR's Between OpenDNSSEC + PowerDNS
Sebastian Castro
sebastian at nzrs.net.nz
Mon Jun 20 00:30:52 UTC 2011
On 06/20/2011 12:08 PM, Craig Whitmore wrote:
>
>>
>>> I am trying to use PowerDNS -> OpenDNSSEC (signing) -> PowerDNS
>>> (slaves) as PowerDNS at the moment is (IMHO) not good enough yet to
>>> do the signing/roll overs etc at the moment.
>>>
>>> Reading: http://comments.gmane.org/gmane.network.dns.opendnssec.user/631
>>>
>>> On the slave if I do a pdns_control retrieve <domain> it sends a notify
>>> without the AA bit set
>>>
>>
>> Just to clarify, usually a master will send a notify, not the slave. Do
>> you mean an AXFR?
>
> Yes an AXFR.. The slave requesting the ZONE.
>
> Ie from powerdns slave
>
> pdns_control retrieve spam.co.nz ( I want the slave to do an AXFR from
> openDNSsec to get a copy of the zone)
>
> I get
>
> Jun 19 22:20:25 database1 pdns[12413]: Initiating transfer of 'spam.co.nz'
> from remote '114.23.33.130'
> Jun 19 22:20:25 database1 pdns[12413]: gmysql Connection successful
> Jun 19 22:20:25 database1 pdns[12413]: last message repeated 2 times
> Jun 19 22:20:25 database1 pdns[12413]: Unable to AXFR zone
> 'videobears.co.nz' from remote '114.23.33.130' (resolver): Remote
> nameserver closed TCP connection
>
You are missing one important point. OpenDNSSEC doesn't provide outgoing
zone transfers, it has to rely on a nameserver to do that. It can do
incoming zone transfer (pull a zone from a nameserver).
>
> From opendnssec
>
> ods-signerd: zone fetcher drop bad notify
>
Because opendnssec doesn't handle zone transfer requests, you are
exercising the notify handler code; that's why you get that "strange"
message.
On my testbed, I have OpenDNSSEC to sign the zones, the post-signing
hook to load the signed zone file in a nameserver running in the same
box, which later takes care of handling the zone transfer requests.
Cheers,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
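The setup Sebastian describes (OpenDNSSEC signs, a post-signing hook loads the signed zone into a nameserver on the same box, and that nameserver answers the slaves' AXFR requests) as an added example that is not code from this thread or from the OpenDNSSEC project. It assumes the hook is wired in through the `<NotifyCommand>` element of OpenDNSSEC's conf.xml, which passes the `%zone` and `%zonefile` substitutions, and that the co-located nameserver is reloaded with BIND's `rndc reload` (an assumption; PowerDNS or another server would need its own reload command via `RELOAD_CMD`).

```shell
#!/bin/sh
# Constructed post-signing hook for OpenDNSSEC. Assumed wiring in conf.xml:
#   <NotifyCommand>/usr/local/sbin/ods-post-sign.sh %zone %zonefile</NotifyCommand>
# The co-located nameserver serves the signed zone and answers the slaves'
# AXFRs; OpenDNSSEC itself has no outgoing zone transfer code.

# Reload command is an assumption (BIND's rndc); override for other servers.
RELOAD_CMD="${RELOAD_CMD:-rndc reload}"

# check_signed_zone FILE: succeed only if FILE is non-empty, carries an SOA
# and at least one RRSIG. Loading an unsigned file into the public server
# would silently undo the whole signing step, so refuse it here.
check_signed_zone() {
    file="$1"
    [ -s "$file" ] || { echo "empty or missing zone file: $file" >&2; return 1; }
    grep -Eq '^[^;]*[[:space:]]SOA[[:space:]]' "$file" \
        || { echo "no SOA in $file" >&2; return 1; }
    grep -Eq '^[^;]*[[:space:]]RRSIG[[:space:]]' "$file" \
        || { echo "no RRSIG in $file (zone is not signed)" >&2; return 1; }
    return 0
}

# count_rrsigs FILE: number of RRSIG records (comment lines are ignored),
# useful for logging so a monitoring job can spot a zone that lost its signatures.
count_rrsigs() {
    grep -Ec '^[^;]*[[:space:]]RRSIG[[:space:]]' "$1"
}

# load_signed_zone ZONE FILE: validate, then ask the nameserver to reload.
load_signed_zone() {
    zone="$1"; file="$2"
    check_signed_zone "$file" || return 1
    echo "loading $zone from $file ($(count_rrsigs "$file") RRSIG records)"
    $RELOAD_CMD "$zone"
}

# Act as the hook only when called with %zone %zonefile; sourcing it does nothing.
if [ $# -eq 2 ]; then
    load_signed_zone "$1" "$2" || exit 1
fi
```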