After the IP address of a PowerDNS secondary server (old term: slave server) was changed, the zone transfers (AXFR), initiated by the secondary server, stopped working.
Note: For this article the real IP addresses of the involved DNS name servers are obviously anonymized. For the primary server, IP address 192.168.100.53 is used. For the secondary server, the new IP 192.168.200.53 is used (another IP address was used before).
An article from 2019 (PowerDNS Master Slave DNS Replication with MySQL backend) explains in detail how the DNS replication works. But in a nutshell:
After a DNS zone is changed on the primary server (old term: master server), the secondary DNS servers are notified. PowerDNS looks up the secondary server(s) dynamically by going through all the NS records of the modified zone. Once a secondary server has received the NOTIFY message about the changed zone, it initiates a zone transfer (AXFR). The primary server receives the AXFR request and, if the secondary server is allowed to transfer the zone, sends the zone to the secondary server.
After the IP address of the secondary server changed (using Opera DNS UI), zone transfers (AXFR) stopped working. After a change of a zone (example.com) on the primary server, the following logs showed up.
On the primary:
Feb 10 15:08:05 primary dnsui: client_ip=10.162.210.49;uid=claudio;zone=example.com.;object=rrset;action=add;name=dasdasdfasdf.example.com.
Feb 10 15:08:05 primary pdns_server[19977]: Queued notification of domain 'example.com' to 192.168.200.53:53
Feb 10 15:08:05 primary pdns_server[19977]: Queued notification of domain 'example.com' to 192.168.100.53:53
Feb 10 15:08:05 primary dnsui: client_ip=10.162.210.49;uid=claudio;zone=example.com.;object=zone;action=update;status=succeeded
Feb 10 15:08:05 primary pdns_server[19977]: Received NOTIFY for example.com from 192.168.100.53 but slave support is disabled in the configuration
Feb 10 15:08:06 primary pdns_server[19977]: AXFR of domain 'example.com' initiated by 192.168.200.53
Feb 10 15:08:06 primary pdns_server[19977]: AXFR of domain 'example.com' denied: client IP 192.168.200.53 has no permission
Feb 10 15:08:06 primary pdns_server[19977]: AXFR of domain 'example.com' failed: 192.168.200.53 cannot request AXFR
Feb 10 15:08:06 primary pdns_server[19977]: Removed from notification list: 'example.com' to 192.168.200.53:53 (was acknowledged)
Feb 10 15:08:06 primary pdns_server[19977]: Received unsuccessful notification report for 'example.com' from 192.168.100.53:53, error: Not Implemented
Feb 10 15:08:06 primary pdns_server[19977]: Removed from notification list: 'example.com' to 192.168.100.53:53 Not Implemented
On the secondary:
Feb 10 15:08:06 secondary pdns_server[1261]: Domain 'example.com' is stale, master serial 2022021004, our serial 2019101701
Feb 10 15:08:06 secondary pdns_server[1261]: Initiating transfer of 'example.com' from remote '192.168.100.53'
Feb 10 15:08:06 secondary pdns_server[1261]: Starting AXFR of 'example.com' from remote 192.168.100.53:53
Feb 10 15:08:06 secondary pdns_server[1261]: Unable to AXFR zone 'example.com' from remote '192.168.100.53' (resolver): AXFR chunk error: Server Not Authoritative for zone / Not Authorized
Looking only at the logs on the secondary server, the message ("Server Not Authoritative for zone") would make sense if the secondary's public NS record still resolved to the previous IP address. This can be checked with dig:
$ dig -t A ns1.example.com +short
192.168.100.53
$ dig -t A ns2.example.com +short
192.168.200.53
Both records are up to date and the secondary (ns2.example.com) shows the new IP address.
But by looking at the primary logs, one message makes more sense and helps to understand where the problem might be: "AXFR of domain 'example.com' denied: client IP 192.168.200.53 has no permission".
Basically the PowerDNS primary server (NS1) says that an AXFR request was received and initiated by the slave server (NS2) from IP 192.168.200.53. But the zone transfer was denied, because client IP 192.168.200.53 has no permission. There could only be two reasons for that:
Let's verify this on the primary server:
root@primary:~# grep "allow-axfr" /etc/powerdns/pdns.conf
# allow-axfr-ips Allow zonetransfers only to these subnets
# allow-axfr-ips=127.0.0.0/8,::1
allow-axfr-ips=192.168.53.53
The old IP of NS2 (192.168.53.53) is still listed. This entry needs to be changed to the new IP:
root@primary:~# grep "allow-axfr" /etc/powerdns/pdns.conf
# allow-axfr-ips Allow zonetransfers only to these subnets
# allow-axfr-ips=127.0.0.0/8,::1
allow-axfr-ips=192.168.200.53
After a restart of the pdns service, PowerDNS should allow incoming AXFR requests from the secondary:
root@primary:~# systemctl restart pdns
After the PowerDNS restart, the logs on primary and secondary can be followed and zone transfers now work again.
On the primary:
Feb 10 15:17:06 primary pdns_server[23152]: AXFR of domain 'example.com' initiated by 192.168.200.53
Feb 10 15:17:06 primary pdns_server[23152]: AXFR of domain 'example.com' allowed: client IP 192.168.200.53 is in allow-axfr-ips
Feb 10 15:17:06 primary pdns_server[23152]: AXFR of domain 'example.com' to 192.168.200.53 finished
On the secondary:
Feb 10 15:17:06 secondary pdns_server[1261]: Domain 'example.com' is stale, master serial 2022021004, our serial 2019101701
Feb 10 15:17:06 secondary pdns_server[1261]: Initiating transfer of 'example.com' from remote '192.168.100.53'
Feb 10 15:17:06 secondary pdns_server[1261]: Starting AXFR of 'example.com' from remote 192.168.100.53:53
Feb 10 15:17:06 secondary pdns_server[1261]: AXFR started for 'example.com'
Feb 10 15:17:06 secondary pdns_server[1261]: AXFR of 'example.com' from remote 192.168.100.53:53 done
Feb 10 15:17:06 secondary pdns_server[1261]: Backend transaction started for 'example.com' storage
Feb 10 15:17:06 secondary pdns_server[1261]: AXFR done for 'example.com', zone committed with serial number 2022021004
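The manual check above (a denial line in the primary log compared against allow-axfr-ips in pdns.conf) can be scripted. The following is an added example, not part of the original article or of PowerDNS; the function names and the caller-supplied list of expected secondary IPs are assumptions, and only a plain `allow-axfr-ips=` line is handled.

```python
import ipaddress
import re

# Sample input constructed from this article's config and primary log excerpts.
PDNS_CONF = """\
# allow-axfr-ips=127.0.0.0/8,::1
allow-axfr-ips=192.168.53.53
"""
PRIMARY_LOG = """\
Feb 10 15:08:06 primary pdns_server[19977]: AXFR of domain 'example.com' denied: client IP 192.168.200.53 has no permission
"""
DENIED = re.compile(r"AXFR of domain '([^']+)' denied: client IP (\S+) has no permission")


def allowed_networks(conf_text):
    """Parse the last uncommented allow-axfr-ips line into network objects."""
    nets = []
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "allow-axfr-ips":  # '#'-prefixed keys never match
            nets = [ipaddress.ip_network(v.strip(), strict=False)
                    for v in value.split(",") if v.strip()]
    return nets


def denied_clients(log_text):
    """Return sorted, de-duplicated (zone, client IP) pairs from denial log lines."""
    hits = (DENIED.search(line) for line in log_text.splitlines())
    return sorted({m.groups() for m in hits if m})


def audit(conf_text, log_text, secondaries):
    """Explain each denial; secondaries is the assumed list of expected secondary IPs."""
    nets = allowed_networks(conf_text)
    expected = [ipaddress.ip_address(ip) for ip in secondaries]
    findings = []
    for zone, ip in denied_clients(log_text):
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in nets):
            reason = "listed on disk; restart pdns so the running daemon picks it up"
        elif addr in expected:
            reason = "secondary missing from allow-axfr-ips"
        else:
            reason = "not a known secondary; denial is the intended result"
        findings.append((zone, ip, reason))
    stale = [str(n) for n in nets if not any(e in n for e in expected)]
    return findings, stale


print(audit(PDNS_CONF, PRIMARY_LOG, ["192.168.200.53"]))  # new NS2 address
```

With the article's original config, the result flags 192.168.200.53 as a secondary missing from the ACL and 192.168.53.53/32 as a stale entry, which is why the old IP is replaced rather than kept next to the new one.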