Open rmuehl opened 5 years ago
@rmuehl Any reason to do a custom dig command to do an AXFR? I'd suggest running a 'hidden slave' next to the hidden master with the bind-backend, which can receive the zones presigned if you want it to; then - if you really need an rsync way to sync - you can rsync from the files on that slave (yes, the files are updated atomically).
I have moved this to the 'helpneeded' ("we think fixing this makes sense but will not make it a priority") milestone because it is a niche use case.
Short description
When I do a zone transfer for a DNSSEC-enabled domain and use it on a pdns with bind-backend, I get warnings from pdnsutil check-zone:
because of the trailing dot notation.
Environment
Name : pdns
Version : 4.1.7
Release : 1pdns.el7
Architecture: x86_64
Install Date: Mi 20 Mär 2019 14:21:16 CET
Group : System Environment/Daemons
Size : 9378948
License : GPLv2
Signature : RSA/SHA256, Mo 18 Mär 2019 14:45:37 CET, Key ID 1b0c6205fd380fbb
Source RPM : pdns-4.1.7-1pdns.el7.src.rpm
Build Date : Mo 18 Mär 2019 14:06:48 CET
Build Host : a884a35d682c
Steps to reproduce
Expected behaviour
Actual behaviour
Other information
We're running a hidden master PowerDNS server with postgres backend. To transfer the zones to the front nameservers running PowerDNS with bind-backend, we're doing a zone transfer on the hidden master:
dig +nosplit +onesoa @127.0.0.1 example.com AXFR > file
(NSEC entries are cut off afterwards.) The file gets rsynced to the nameservers (including a named.conf) and is loaded with pdns_control rediscover. The zone is working as expected:
dig @127.0.0.1 test.example.com +dnssec
But when checking the zone, it generates warnings for each entry:
pdnsutil check-zone example.com
Though the zone is working well, the warnings are bad, especially when having hundreds of DNSSEC-enabled domains. And it is odd to separate the good from the bad warnings on the monitoring systems.
I don't know if it would be possible to change this behaviour without breaking the DNS signatures.
There might be another/better way to transfer the domains from the hidden master to the front servers I'm not aware of. But master/slave is not an option, because every front nameserver needs to be an authoritative master, and the hidden master needs to be invisible and unreachable.
Or maybe I'm doing something wrong... every hint would be great.
No problems with NOT DNSSEC-enabled domains.
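Since the AXFR dump described above is copied to every front nameserver and then loaded with pdns_control rediscover, a truncated or unsigned dump would be served verbatim. The following pre-copy check is an added example written for this thread, not PowerDNS code: it parses the presentation-format output of `dig +nosplit +onesoa ... AXFR` and refuses dumps that dig marked as failed, that lack the single apex SOA, or that carry no DNSKEY/RRSIG records; the sample dump is constructed.

```python
import re

# One presentation-format RR line as dig prints it: owner TTL IN type rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_axfr_dump(text):
    """Return (records, failed): records are (owner, ttl, rtype, rdata)
    tuples, failed is True when dig reported an aborted transfer."""
    records, failed = [], False
    for line in text.splitlines():
        if line.startswith(";"):  # dig's own header/comment lines
            if "Transfer failed" in line:
                failed = True
            continue
        m = RR_LINE.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner, int(ttl), rtype, rdata))
    return records, failed

def axfr_dump_problems(text, zone):
    """List the reasons this dump must NOT be rsynced and rediscovered."""
    records, failed = parse_axfr_dump(text)
    problems = []
    if failed:
        problems.append("dig reported 'Transfer failed' (partial dump)")
    soa = [r for r in records if r[2] == "SOA"]
    if len(soa) != 1:  # +onesoa leaves exactly one SOA in a complete dump
        problems.append(f"expected exactly one SOA (+onesoa), found {len(soa)}")
    elif soa[0][0] != zone.rstrip(".") + ".":
        problems.append(f"SOA owner {soa[0][0]} is not the zone apex")
    # a presigned zone must carry its keys and signatures in the transfer
    for rtype in ("DNSKEY", "RRSIG"):
        if not any(r[2] == rtype for r in records):
            problems.append(f"no {rtype}: zone is not presigned or transfer stripped it")
    relative = [r[0] for r in records if not r[0].endswith(".")]
    if relative:  # dig emits fully-qualified owners; anything else is not a dig dump
        problems.append(f"relative owner names in dump: {relative[:3]}")
    return problems

# Constructed sample of `dig +nosplit +onesoa @127.0.0.1 example.com AXFR` output
SAMPLE = """\
; <<>> DiG 9.11.4 <<>> +nosplit +onesoa @127.0.0.1 example.com AXFR
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2019032001 10800 3600 604800 3600
example.com.\t3600\tIN\tDNSKEY\t257 3 13 constructed-key-material
example.com.\t3600\tIN\tRRSIG\tSOA 13 2 3600 20190401000000 20190318000000 12345 example.com. constructed-sig
test.example.com.\t300\tIN\tA\t192.0.2.10
test.example.com.\t300\tIN\tRRSIG\tA 13 3 300 20190401000000 20190318000000 12345 example.com. constructed-sig
;; Query time: 1 msec
"""
```

Run `axfr_dump_problems(open("file").read(), "example.com")` in the transfer script and only rsync when the list is empty.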