DNSOnly, DNS Cluster "Could not communicate with remote API server."

Ross Healy

Registered
May 10, 2018
4
0
1
United Kingdom
cPanel Access Level
Root Administrator
Hello All,

Does anyone have any suggestions on rectifying this error?

I've attempted to cluster NS1 & NS2 to syncronize records. For the purpose of fault finding I've removed any limitations on the API token's access to include all privillages as well as removed specific whitelisted IP's for the API token, as well as network traffic to port 2087. When clustering it seems there is also an issue configuring a reverse trust relationship.

Name Server 1 (NS1)
CPanel DNSOnly
Cpanel Version: V98.0.8
DNS: PowerDNS
InBound Port Configuration: 22 TCP, 25 TCP, 53 TCP/UDP, 443 TCP, 953 TCP/UDP, 2087 TCP
OutBound Port Configuration: 25 TCP, 53 TCP/UDP, 443 TCP, 953 TCP/UDP, 2089 TCP
Resolver Configuration: 8.8.8.8, 8.8.4.4
Static IP Assigned

Name Server 2 (NS2)
CPanel DNSOnly
Cpanel Version: V98.0.8
DNS: PowerDNS
InBound Port Configuration: 22 TCP, 25 TCP, 53 TCP/UDP, 443 TCP, 953 TCP/UDP, 2087 TCP
OutBound Port Configuration: 25 TCP, 53 TCP/UDP, 443 TCP, 953 TCP/UDP, 2089 TCP
Resolver Configuration: 8.8.8.8, 8.8.4.4
Static IP Assigned

DNSCluster_Error.png
DNSCluster_Reverse_Trust.png
 
Last edited by a moderator:

Ross Healy

Registered
May 10, 2018
4
0
1
United Kingdom
cPanel Access Level
Root Administrator
It's worth noting I have reviewed the following articles;

.
.
.

The workaround of ignoring the error doesn't sit well with me.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,028
313
cPanel Access Level
Root Administrator
Hey there! Are you getting the "Line 529" error as mentioned in the second article you linked? If so, that's a known issue and something that we're looking into. The current recommendation to ignore the error if the cluster is working is a valid workaround, as our developers are working to resolve the issue.

If you're seeing a different error message, it would be best to submit a ticket to our team so we can check this out directly on the affected system(s) as it seems you've already done a good bit of troubleshooting to try and isolate the issue.
 

Ross Healy

Registered
May 10, 2018
4
0
1
United Kingdom
cPanel Access Level
Root Administrator
Hello cPRex,

Unfortunatley I'm not seeing that, but could have missed it? Looking at the session_log there were several HTTP 200's for POST/GETs so it doesn't look to be timing out in anyway.

I may purge all my logs to slim them down and see if I can Identify any timeouts., if I don't I shall raise a ticket.

Out of interest can you confirm that "they" should be communicating over 2087 so I can remove 443 from my configured open ports?

I'm also interested to know if the following token permissions are sufficent or can they be slimmed down futher for a "Synchronize Changes" Role between NS1 & NS2 ;

Initial Privileges
Managed DNS Records​
Nameserver Configuration​
DNS
Add DNS Zones​
Remove DNS Zones​
Clustering
DNS Clustering​