[Opendnssec-user] AXFR's Between OpenDNSSEC + PowerDNS

Sebastian Castro sebastian at nzrs.net.nz
Mon Jun 20 00:30:52 UTC 2011

On 06/20/2011 12:08 PM, Craig Whitmore wrote:
>>> I am trying to use PowerDNS -> OpenDNSSEC (signing) -> PowerDNS
>>> (slaves), as PowerDNS at the moment is not (IMHO) good enough yet to
>>> do the signing/rollovers etc.
>>> Reading: http://comments.gmane.org/gmane.network.dns.opendnssec.user/631
>>> On the slave if I do a pdns_control retrieve <domain> it sends a notify
>>> without the AA bit set
>> Just to clarify, usually a master will send a notify, not the slave. Do
>> you mean an AXFR?
> Yes an AXFR.. The slave requesting the ZONE.
> Ie from powerdns slave
> pdns_control retrieve spam.co.nz ( I want the slave to do an AXFR from
> openDNSsec to get a copy of the zone)
> I get
> Jun 19 22:20:25 database1 pdns[12413]: Initiating transfer of 'spam.co.nz'
> from remote ''
> Jun 19 22:20:25 database1 pdns[12413]: gmysql Connection successful
> Jun 19 22:20:25 database1 pdns[12413]: last message repeated 2 times
> Jun 19 22:20:25 database1 pdns[12413]: Unable to AXFR zone
> 'videobears.co.nz' from remote '' (resolver): Remote
> nameserver closed TCP connection

You are missing one important point. OpenDNSSEC doesn't provide outgoing
zone transfers; it has to rely on a nameserver to do that. It can do
incoming zone transfers (pull a zone from a nameserver).

> From opendnssec
> ods-signerd: zone fetcher drop bad notify

Because OpenDNSSEC doesn't handle zone transfer requests, you are
exercising the notify handler code; that's why you get that "strange"

On my testbed, I have OpenDNSSEC sign the zones and a post-signing
hook load the signed zone file into a nameserver running on the same
box, which then takes care of handling the zone transfer requests.

Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
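The arrangement Sebastian describes (sign with OpenDNSSEC, hand the signed file to a nameserver that actually serves the AXFR) as an added example that is not part of this thread or of either project: a hypothetical post-signing hook for OpenDNSSEC's NotifyCommand, which is assumed to substitute %zone and %zonefile when it runs. The zone directory, the reload command, the serial check and the sample zone contents are constructed assumptions, not anything from the original posts.

```shell
#!/bin/sh
# Hypothetical post-signing hook, not part of OpenDNSSEC or PowerDNS.
# Intended for OpenDNSSEC's <NotifyCommand> in conf.xml, assumed to be invoked as:
#   signed_zone_hook.sh %zone %zonefile
# It sanity-checks the signed zone file, installs it into the zone directory of the
# nameserver that answers AXFR (OpenDNSSEC itself does not), and reloads that server.

# Succeed only if the file carries DNSSEC material (at least one RRSIG and one DNSKEY).
zone_is_signed() {
    grep -Eq '[[:space:]]RRSIG[[:space:]]' "$1" && grep -Eq '[[:space:]]DNSKEY[[:space:]]' "$1"
}

# Print the SOA serial. Assumes one record per line, as the signer writes it.
zone_serial() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "SOA") { print $(i + 3); exit } }' "$1"
}

# deploy_signed_zone ZONE SIGNEDFILE [ZONEDIR] [RELOADCMD]
# Refuses (returns 1, old copy untouched) if the file is unsigned, lacks an SOA,
# or does not move the serial forward; otherwise installs atomically and reloads.
# The serial comparison is plain integer order, not RFC 1982 serial arithmetic.
deploy_signed_zone() {
    zone=$1 signed=$2 zonedir=${3:-/var/lib/zones} reload=${4:-"rndc reload"}
    if ! zone_is_signed "$signed"; then
        echo "refusing to deploy $zone: no RRSIG/DNSKEY in $signed" >&2; return 1
    fi
    new=$(zone_serial "$signed")
    [ -n "$new" ] || { echo "refusing to deploy $zone: no SOA in $signed" >&2; return 1; }
    old=$(zone_serial "$zonedir/$zone" 2>/dev/null)
    if [ -n "$old" ] && [ "$new" -le "$old" ]; then
        echo "refusing to deploy $zone: serial $new not above $old" >&2; return 1
    fi
    mkdir -p "$zonedir" &&
    cp "$signed" "$zonedir/$zone.tmp" && mv "$zonedir/$zone.tmp" "$zonedir/$zone" || return 1
    $reload "$zone"
}

# Write a small constructed "signed" zone (fake key and signature, serial SERIAL)
# to FILE, so the hook can be exercised without a running signer.
write_sample_signed_zone() {
    printf '%s\n' \
      "spam.co.nz. 3600 IN SOA ns1.spam.co.nz. hostmaster.spam.co.nz. $2 3600 900 1209600 300" \
      "spam.co.nz. 3600 IN RRSIG SOA 8 3 3600 20110720000000 20110620000000 12345 spam.co.nz. FAKESIG==" \
      "spam.co.nz. 3600 IN DNSKEY 257 3 8 FAKEKEY==" \
      "spam.co.nz. 3600 IN NS ns1.spam.co.nz." > "$1"
}

# Hook entry point: OpenDNSSEC passes the zone name and the signed file path.
if [ $# -ge 2 ]; then
    deploy_signed_zone "$1" "$2"
fi
```

The PowerDNS slaves then AXFR from the nameserver that loaded the file, never from ods-signerd.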
