Hi,
I think I have solved the issue. Turns out there is an issue when a Zone has multiple TSIG Keys.
See this PowerDNS ticket:
By default, the Bitfolk Secondary DNS does not use a TSIG Key so by setting send-signed-notify to 'no' in the PowerDNS config the secondary DNS notify is now working again.
Cheers,
Will
On 22/12/2021 16:01, William Wright wrote:
Hi Andy,
On 22/12/2021 15:26, Andy Smith wrote:
How long are you pausing between inserting the record and checking for existence of the record?
Initially, 120 seconds but I incremented it to 300 seconds.
Have you confirmed by command line usage of the "nsupdate" tool or equivalent that you are able to:
1. Add a record in your powerdns (any record, just some silly TXT record for debugging)
2. See AXFR take place to a.authns.bitfolk.co.uk
3. Query the record you just added, from a.authns.bitfolk.co.uk?
Using the ACME Plugin for PFSense, I was able to insert the TXT Record
and generate a certificate. I am not sure whether it queried ns1 or
bitfolk at the authoritative level to achieve this.
In my traefik configuration, I found it necessary to override my local
Unbound DNS instance included within PFSense and query an alternative
DNS resolver (1.1.1.1 in my case).
When was the last time you tried an update?
BitFolk last saw an update:
22-Dec-2021 14:05:29.575 general: info: zone m6wiq.uk/IN: Transfer started.
22-Dec-2021 14:05:29.576 xfer-in: info: transfer of 'm6wiq.uk/IN' from 85.119.82.174#53: connected using 85.119.80.222#47928
22-Dec-2021 14:05:29.590 general: info: zone m6wiq.uk/IN: transferred serial 2021121127
So by 14:05:29.590 a.authns.bitfolk.co.uk should be seeing (and
serving) whatever update it was you made in serial 2021121127.
Something I find odd is that your powerdns server at 85.119.82.174 has serial number 2021121140 but all the BitFolk servers have only 2021121127.
You also list ns6.gandi.net which I assume is taking an AXFR from somewhere; that also only has serial 2021121127. I don't know if this is a problem particularly.
I have removed the Gandi secondary name server from the configuration to
remove any potential complications. This has incremented the serial to
2021121141. The set of commands I have been using to notify secondary
servers are:
pdnsutil increase-serial m6wiq.uk
pdns_control notify m6wiq.uk
After running these commands, querying a.authns.bitfolk.co.uk returns:
dig m6wiq.uk @a.authns.bitfolk.co.uk SOA
; <<>> DiG 9.16.1-Ubuntu <<>> m6wiq.uk @a.authns.bitfolk.co.uk SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1864
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 8
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;m6wiq.uk. IN SOA
;; ANSWER SECTION:
m6wiq.uk. 3600 IN SOA ns1.m6wiq.uk. hostmaster.m6wiq.uk. 2021121127 10800 3600 604800 3600
However, on ns1.m6wiq.uk:
dig m6wiq.uk @ns1.m6wiq.uk SOA
; <<>> DiG 9.16.1-Ubuntu <<>> m6wiq.uk @ns1.m6wiq.uk SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48457
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;m6wiq.uk. IN SOA
;; ANSWER SECTION:
m6wiq.uk. 3600 IN SOA ns1.m6wiq.uk. hostmaster.m6wiq.uk. 2021121141 10800 3600 604800 3600
I'm afraid that I lack experience with powerdns and dynamic DNS updates.
I have the same issue on my end. I wonder if there is a better method of
notifying the secondary DNS rather than "pdns_control notify"?
Cheers,
William
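As an added example that is not part of this thread, a small Python script that automates the serial check Andy did by hand: it pulls the SOA serial out of `dig ... SOA` output for each server and compares serials with RFC 1982 serial arithmetic, so a wrapped serial is not misread as "behind". The dig transcripts below are constructed from the two answers quoted above; the server names are the ones in the thread.

```python
import re
from typing import Dict, Optional

# Matches the SOA RDATA line in dig's ANSWER SECTION:
# "<zone> <ttl> IN SOA <mname> <rname> <serial> <refresh> <retry> <expire> <minimum>"
SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)(?:\s+\d+){4}\s*$")

def parse_soa_serial(dig_output: str) -> Optional[int]:
    """Return the SOA serial from `dig <zone> @<server> SOA` output, or None."""
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if in_answer and line.startswith(";;"):  # reached the next section
            break
        if in_answer:
            m = SOA_RE.match(line)
            if m:
                return int(m.group(1))
    return None

def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 comparison: True if serial a is newer than serial b.
    Serials wrap at 2^32, so a plain `a > b` is wrong across a wrap."""
    return a != b and ((a > b and a - b < 2**31) or (a < b and b - a > 2**31))

def serial_lag(primary: int, secondary: int) -> int:
    """How many serials the secondary is behind (0 if current or ahead)."""
    return (primary - secondary) % 2**32 if serial_newer(primary, secondary) else 0

def lagging_servers(primary_serial: int, observed: Dict[str, int]) -> Dict[str, int]:
    """Map each server that has not caught up to its lag; empty means all in sync."""
    return {ns: serial_lag(primary_serial, s) for ns, s in observed.items()
            if serial_lag(primary_serial, s)}

# Constructed dig transcripts, trimmed to the sections the parser needs.
DIG_SECONDARY = """;; ANSWER SECTION:
m6wiq.uk. 3600 IN SOA ns1.m6wiq.uk. hostmaster.m6wiq.uk. 2021121127 10800 3600 604800 3600
;; AUTHORITY SECTION:
"""
DIG_PRIMARY = """;; ANSWER SECTION:
m6wiq.uk. 3600 IN SOA ns1.m6wiq.uk. hostmaster.m6wiq.uk. 2021121141 10800 3600 604800 3600
"""

if __name__ == "__main__":
    primary = parse_soa_serial(DIG_PRIMARY)
    print(lagging_servers(primary, {"a.authns.bitfolk.co.uk": parse_soa_serial(DIG_SECONDARY)}))
```

For a live check, feed it the output of `dig <zone> @<server> SOA` for the primary and every listed NS; any non-empty result means the latest NOTIFY/AXFR has not propagated to that server.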