The Community Forums


Issues with pdns and transfers

Discussion in 'Bind / DNS / Nameserver Issues' started by Spork Schivago, Jul 18, 2017.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    462
    Likes Received:
    52
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Hello,

    I run PowerDNS and I'm using the bind backend.

    I just did a systemctl status pdns and saw this:
    Code:
    Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' allowed: client IP 2600:3c02::a is in allow-axfr-ips
    Jul 18 22:19:37 franklin.example.com pdns[4072]: Not doing AXFR of an NSEC3 narrow zone 'example' for 2600:3c02::a
    Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' denied to 2600:3c02::a
    Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' initiated by 45.79.214.181
    Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' denied: client IP 45.79.214.181 has no permission
    Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' failed: 45.79.214.181 cannot request AXFR
    Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' initiated by 2600:3c02::a
    Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' allowed: client IP 2600:3c02::a is in allow-axfr-ips
    Jul 18 22:19:37 franklin.example.com pdns[4072]: Not doing AXFR of an NSEC3 narrow zone 'jetbbs.com' for 2600:3c02::a
    Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' denied to 2600:3c02::a
    
    Not really sure how to fix these AXFR of domain 'example.com' denied to 2600:3c02::a.

    This is what my /etc/named.conf looks like:
    Code:
    options {
    ...
        allow-transfer {
             104.237.137.10;
             65.19.178.10;
             75.127.96.10;
             207.192.70.10;
             109.74.194.10;
             2600:3c00::a;
             2600:3c01::a;
             2600:3c02::a;
             2600:3c03::a;
             2a01:7e00::a;
         };
         also-notify {
             104.237.137.10;
             65.19.178.10;
             75.127.96.10;
             207.192.70.10;
             109.74.194.10;
             2600:3c00::a;
             2600:3c01::a;
             2600:3c02::a;
             2600:3c03::a;
             2a01:7e00::a;
         };
         allow-query {
             104.237.137.10;
             65.19.178.10;
             75.127.96.10;
             207.192.70.10;
             109.74.194.10;
             2600:3c00::a;
             2600:3c01::a;
             2600:3c02::a;
             2600:3c03::a;
             2a01:7e00::a;
         };
    ...
    
    Should these options actually be under the
    Code:
    zone "example.com" {
    ...
    }
    
    section? Is that why it's failing?

    This is what I have in the pdns.conf file:
    Code:
    allow-axfr-ips=104.237.137.10, 65.19.178.10, 75.127.96.10, 207.192.70.10, 109.74.194.10, 2600:3c00::a, 2600:3c01::a, 2600:3c02::a, 2600:3c03::a, 2a01:7e00::a
    also-notify=104.237.137.10, 65.19.178.10, 75.127.96.10, 207.192.70.10, 109.74.194.10, 2600:3c00::a, 2600:3c01::a, 2600:3c02::a, 2600:3c03::a, 2a01:7e00::a
    
    I couldn't find an allow-query directive for pdns.conf. Am I doing something wrong?

    Thanks!
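An added example, not from this thread or from PowerDNS, for triaging lines like the ones quoted above: the two "denied" outcomes in that log are different events, and a practitioner wants them separated before deciding what to fix. The sample lines are constructed (modelled on the quoted journal output, with the zone name unified to example.com and one extra line for a second zone added), the allow list is copied from the pdns.conf in the post, the message wording matched is the PowerDNS 3.4 wording quoted in this thread (other versions may word these lines differently), and the verdict names are the author's own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the journal lines quoted in the post above (zone name
# unified to example.com, last line added); 45.79.214.181 is deliberately not in the ACL.
SAMPLE_LOG = """\
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' allowed: client IP 2600:3c02::a is in allow-axfr-ips
Jul 18 22:19:37 franklin.example.com pdns[4072]: Not doing AXFR of an NSEC3 narrow zone 'example.com' for 2600:3c02::a
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' denied to 2600:3c02::a
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' initiated by 45.79.214.181
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' denied: client IP 45.79.214.181 has no permission
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' failed: 45.79.214.181 cannot request AXFR
Jul 18 22:20:01 franklin.example.com pdns[4072]: AXFR of domain 'other.example' allowed: client IP 75.127.96.10 is in allow-axfr-ips
"""

# allow-axfr-ips exactly as listed in the poster's pdns.conf
ALLOW_AXFR_IPS = {
    "104.237.137.10", "65.19.178.10", "75.127.96.10", "207.192.70.10", "109.74.194.10",
    "2600:3c00::a", "2600:3c01::a", "2600:3c02::a", "2600:3c03::a", "2a01:7e00::a",
}

# Message wording as quoted from PowerDNS 3.4 in this thread; other versions may differ.
PATTERNS = {
    "allowed": re.compile(r"^AXFR of domain '(?P<zone>[^']+)' allowed: client IP (?P<ip>\S+) is in allow-axfr-ips$"),
    "narrow_refusal": re.compile(r"^Not doing AXFR of an NSEC3 narrow zone '(?P<zone>[^']+)' for (?P<ip>\S+)$"),
    "no_permission": re.compile(r"^AXFR of domain '(?P<zone>[^']+)' denied: client IP (?P<ip>\S+) has no permission$"),
    "initiated": re.compile(r"^AXFR of domain '(?P<zone>[^']+)' initiated by (?P<ip>\S+)$"),
}


def parse_log(text):
    """Return [(kind, zone, client_ip)] for every line whose message matches a known pattern."""
    events = []
    for line in text.splitlines():
        msg = line.split("]: ", 1)[-1]  # drop the "Mon DD HH:MM:SS host pdns[pid]: " prefix
        for kind, rx in PATTERNS.items():
            m = rx.match(msg)
            if m:
                events.append((kind, m.group("zone"), m.group("ip")))
                break
    return events


def triage(events, allow_ips):
    """Classify each (client, zone) pair. A narrow-zone refusal is a DNSSEC setting on the
    zone, not an ACL failure; 'no permission' from an address outside the ACL is recon or a
    secondary nobody added to allow-axfr-ips, and deserves a look either way."""
    seen = defaultdict(set)
    for kind, zone, ip in events:
        seen[(ip, zone)].add(kind)
    verdicts = {}
    for (ip, zone), kinds in seen.items():
        if "narrow_refusal" in kinds:
            verdicts[(ip, zone)] = "narrow_zone"      # listed secondary; zone is NSEC3 narrow
        elif "no_permission" in kinds and ip not in allow_ips:
            verdicts[(ip, zone)] = "unlisted_client"  # not in the ACL at all
        elif "no_permission" in kinds:
            verdicts[(ip, zone)] = "acl_mismatch"     # in the file but refused: running config differs?
        elif "allowed" in kinds:
            verdicts[(ip, zone)] = "permitted"
        else:
            verdicts[(ip, zone)] = "initiated_only"
    return verdicts


def report(text=SAMPLE_LOG, allow_ips=ALLOW_AXFR_IPS):
    return triage(parse_log(text), allow_ips)


if __name__ == "__main__":
    for (ip, zone), verdict in sorted(report().items()):
        print(f"{ip:>16}  {zone:<14} {verdict}")
```

Run it against `journalctl -u pdns --no-pager` output instead of the embedded sample to get the same split on a live server: the narrow_zone entries are the ones this thread is about, and the unlisted_client entries are the ones worth correlating with other recon activity.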
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    36,995
    Likes Received:
    1,275
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Did you enable narrow mode when enabling DNSSEC for your domain names (it's used by default)? The "nsec3_narrow" parameter on the following document explains its purpose:

    UAPI Functions - DNSSEC::set_nsec3 - Software Development Kit - cPanel Documentation

    If so, try using inclusive mode for a domain name to see if you can reproduce the same results. Additionally, check to verify what's configured for "disable-axfr" in your /etc/pdns/pdns.conf file.

    Thank you.
     
  3. Spork Schivago

    I don't think I saw an option for narrow mode or any of that when I enabled DNSSEC. Perhaps I enabled DNSSEC the wrong way? I went to cpanel.example.com, logged in, then went to the cPanel >> DOMAINS >> Advanced Zone Editor. There was an option to enable DNSSEC. I clicked that, then I picked a KeyTag, an Algorithm (8 RSA/SHA-256 2,048 bits), and a Digest Type (2 SHA-256). Finally, I went to GoDaddy (where I registered the domain name) and entered all the options.

    Where would be the option to select the mode type? My disable-axfr is set to no:
    Code:
    setuid=named
    setgid=named
    launch=bind
    bind-config=/etc/named.conf
    bind-dnssec-db=/etc/pdns/dnssec.db
    local-ipv6=::
    local-ipv6-nonexist-fail=no
    distributor-threads=1
    disable-axfr=no
    allow-axfr-ips=104.237.137.10, 65.19.178.10, 75.127.96.10, 207.192.70.10, 109.74.194.10, 2600:3c00::a, 2600:3c01::a, 2600:3c02::a, 2600:3c03::a, 2a01:7e00::a
    also-notify=104.237.137.10, 65.19.178.10, 75.127.96.10, 207.192.70.10, 109.74.194.10, 2600:3c00::a, 2600:3c01::a, 2600:3c02::a, 2600:3c03::a, 2a01:7e00::a
    slave=yes
    master=yes
    version-string=anonymous
    
    
    # Autogenerated configuration file template
    ....
    
    If NSEC / NSEC3 was enabled, in the zone file, wouldn't I see something about NSEC or NSEC3? I don't see anything that has NSEC or NSEC3 in /var/named/example.com.db
     
    #3 Spork Schivago, Jul 19, 2017
    Last edited: Jul 19, 2017
  4. cPanelMichael

    Hello,

    Could you try disabling DNSSec for one of the affected domain names, and then enabling it again? This time, when enabling it, use the following UAPI function instead of the "Zone Editor" option in cPanel:

    UAPI Functions - DNSSEC::enable_dnssec - Software Development Kit - cPanel Documentation

    When enabling it, set narrow mode to "0". EX:

    Code:
    uapi --user=username DNSSEC enable_dnssec domain=example.com nsec3_narrow=0
    Thank you.
     
  5. Spork Schivago

    Do I have to pass the various subdomains to the uapi command? Like:
    Code:
    uapi --user=<myusername> DNSSEC enable_dnssec domain=example.com domain=franklin.example.com domain=webmail.example.com nsec3_narrow=0
    
    I just did it for just the main domain and then I went to GoDaddy and deleted the old DNSSEC stuff and then created a new one with the new DNSSEC stuff that was displayed in the Zone Editor. Any suggestions on how I can tell if it worked? There's still no NSEC / NSEC3 data in the /var/named/example.com.db file....

    Thanks!
     
    #5 Spork Schivago, Jul 20, 2017
    Last edited: Jul 20, 2017
  6. cPanelMichael

    Hello,

    The UAPI function needs to have a domain name that's added to the cPanel account and has its own DNS zone.

    As far as reproducing the issue, I was under the impression that the "AXFR" error messages in your initial post were stemming from an action you were attempting to perform. Is that the case, or did you simply notice those errors in the log without noticing any problems with the DNS? It's not abnormal to see those AXFR denied messages. Here's a URL you may find helpful:

    DNSSEC: Complexities and Considerations

    Thank you.
     
  7. Spork Schivago

    I received a message from Linode saying because I'm running my own DNS server, I needed to remove an IP address from the allow-transfer and the also-notify sections of named.conf (or change it in whatever DNS server I use) and add a different IP address, because they were changing something and the IP address was changing.

    So, I checked and noticed I already had the proper IP addresses listed. I ran systemctl status pdns though and noticed that IP addresses that I list for allowing transfers and allowing the notifies are being denied. I thought only the approved IP addresses I listed would be allowed to do those AXFRs, but it appears the IPs I've listed are being denied the AXFRs.

    That's why I came here and asked.
     
  8. Spork Schivago

    I'm reading that link you sent me cPanelMichael. I see this:
    Code:
    Asking for the NSEC record of example.com gives the following....
    
    How does one ask for the NSEC or the NSEC3 record? I've tried googling it but couldn't find anything.

    I've tried
    Code:
    dig +dnssec example.com
    
    and I see an RRSIG and an A record in the answer section.

    I've tried
    Code:
    dig all +dnssec example.com
    
    and I see NSEC records in the authority section, but only an A record in the answer section.

    I've tried
    Code:
    dig nsec3param example.com
    
    and I see the nsec3param info in the answer section for example.com (I use my real domain).

    I check the zone file itself though:
    Code:
    grep -i nsec /var/named/example.com.db
    
    and I see nothing. I'm reading that article, but I'm missing something here. I'm still googling and reading additional articles. I believe I understand the difference between NSEC and NSEC3 and I want to verify NSEC3 is enabled and properly configured. I still don't understand why I see the failed AXFR messages though.

    I run
    Code:
    dig any +multi example.com
    
    and I see my main domain and the MX record, plus the subdomain for the MX record. I would expect if NSEC3 wasn't properly configured, I'd see all my subdomains. So I test this by running the same command on cpanel.net, expecting to see all the subdomains (forums.cpanel.net, for example), but I don't. And I believe cPanel doesn't have DNSSEC enabled, right?

    Thanks.
     
  9. cPanelMichael

    Hello,

    The issue is that AXFR isn't supported when narrow mode is enabled. You can verify if narrow mode is enabled by running the following command for a specific domain name:

    Code:
    uapi --user=username DNSSEC fetch_ds_records domain=example.com
    You will see "nsec3_narrow" in the output. Per the documentation on this UAPI function:

    Thank you.
     
  10. Spork Schivago

  11. cPanelMichael

    Hello,

    Per the PowerDNS documentation:

    I actually found a comment from another user that applies to the same situation that you have described:

    DNSSEC support in Clustering

    Let me know if that helps.

    Thank you.
     
  12. Spork Schivago

    For some reason, the AXFRs are now working. From what you were saying though, I was under the impression they shouldn't work when in narrow mode.

    I had trouble finding information from PowerDNS's site with version 3.4 of PDNS. I found plenty of documentation on version 4.x and saw that if PDNS was configured for narrow mode, it'd send out those white lies. I appreciate you taking the time to find this for me.

    Code:
    Jul 25 13:06:08 franklin.example.com pdns[4600]: IXFR of domain 'example.com' to 207.192.70.10 finished
    Jul 25 13:21:02 franklin.example.com pdns[4600]: IXFR of domain 'example.com' initiated by 75.127.96.10 with serial 2017062618
    Jul 25 13:21:02 franklin.example.com pdns[4600]: AXFR of domain 'example.com' allowed: client IP 75.127.96.10 is in allow-axfr-ips
    Jul 25 13:21:02 franklin.example.com pdns[4600]: IXFR of domain 'example.com' to 75.127.96.10 finished
    Jul 25 14:02:07 franklin.example.com pdns[4600]: IXFR of domain 'example.com' initiated by 207.192.70.10 with serial 2017062618
    Jul 25 14:02:07 franklin.example.com pdns[4600]: AXFR of domain 'example.com' allowed: client IP 207.192.70.10 is in allow-axfr-ips
    Jul 25 14:02:07 franklin.example.com pdns[4600]: IXFR of domain 'example.com' to 207.192.70.10 finished
    Jul 25 14:22:20 franklin.example.com pdns[4600]: IXFR of domain 'example.com' initiated by 75.127.96.10 with serial 2017062618
    Jul 25 14:22:20 franklin.example.com pdns[4600]: AXFR of domain 'example.com' allowed: client IP 75.127.96.10 is in allow-axfr-ips
    Jul 25 14:22:20 franklin.example.com pdns[4600]: IXFR of domain 'example.com' to 75.127.96.10 finished
    
    **EDIT: Shoot! I just realized I'm in inclusive mode, not narrow, which means my DNS can be walked. I gotta change that now. I'd rather have the AXFRs fail than have my domain be walkable.

    **EDIT2: Duh! I disabled it a few days ago. I reenabled it now. Boy do I feel sheepish!

    Thanks!
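An added example, not from this thread, cPanel or PowerDNS, for the two points the last few posts turn on: post #9's "AXFR isn't supported when narrow mode is enabled" and the EDIT above about inclusive mode being walkable. In inclusive mode the NSEC3 chain is stored zone data (one signed record per existing name, each naming the next hash), so it can be transferred, and it can also be harvested one negative answer at a time and attacked offline with a wordlist, because the salt and iteration count are public in NSEC3PARAM. In PowerDNS narrow mode no chain is stored: each negative answer is a synthesised "white lie" record covering only the query's own hash, so there is nothing to enumerate and nothing for an AXFR to send. The salt, iteration count and names are the RFC 5155 Appendix A values (NSEC3PARAM 1 0 12 aabbccdd, zone "example"); the two server classes, the walker and the guess list are this example's own constructions, and the walker's probe names are hypothetical. To see the real thing from outside, `dig +dnssec` for a name that does not exist returns the covering NSEC3 record(s) in the authority section, which is how one "asks for" NSEC3.

```python
import base64
import hashlib

RING = 1 << 160  # SHA-1 output space; NSEC3 owner hashes are points on this ring
_STD, _HEX = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV"


def wire_name(name):
    """Canonical wire form of a DNS name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(name||salt), then `iterations` further rounds of SHA-1(h||salt)."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return h


def b32hex(digest):
    """Base32hex owner-name encoding (RFC 4648 extended hex alphabet), lowercase; 20 bytes need no padding."""
    return base64.b32encode(digest).translate(bytes.maketrans(_STD, _HEX)).decode().lower()


def h_int(name, salt, iterations):
    return int.from_bytes(nsec3_hash(name, salt, iterations), "big")


def in_arc(owner, nxt, h):
    """True if h lies on the clockwise arc (owner, nxt] of the ring (wrap-around handled)."""
    if owner == nxt:
        return True
    return owner < h <= nxt if owner < nxt else (h > owner or h <= nxt)


class InclusiveZone:
    """One stored, signed NSEC3 record per name, chained in hash order: real zone data, AXFR-able."""
    def __init__(self, names, salt, iterations):
        self.salt, self.iterations = salt, iterations
        owners = sorted(h_int(n, salt, iterations) for n in names)
        self.chain = {o: owners[(i + 1) % len(owners)] for i, o in enumerate(owners)}

    def covering_nsec3(self, qname):
        """Negative answer for a non-existent qname: the stored record whose arc covers H(qname)."""
        h = h_int(qname, self.salt, self.iterations)
        return next((o, n) for o, n in self.chain.items() if in_arc(o, n, h))


class NarrowZone:
    """PowerDNS narrow mode: nothing stored; each negative answer is a white lie (H(q)-1, H(q)+1)."""
    def __init__(self, names, salt, iterations):
        self.salt, self.iterations = salt, iterations  # the names are never hashed into a chain

    def covering_nsec3(self, qname):
        h = h_int(qname, self.salt, self.iterations)
        return (h - 1) % RING, (h + 1) % RING


def find_uncovered_name(records, zone, salt, iterations, budget=200000):
    """Attacker side: hash hypothetical probe names offline until one falls outside every arc
    already learned from the server. None if no candidate within the budget fits."""
    for i in range(budget):
        name = f"probe-{i}.{zone}"
        h = h_int(name, salt, iterations)
        if not any(in_arc(o, n, h) for o, n in records.items()):
            return name
    return None


def walk(server, zone, salt, iterations, max_queries=40):
    """Harvest NSEC3 records. Returns (records, closed): closed=True means every 'next' hash is
    itself a known owner, i.e. the attacker holds the zone's complete chain."""
    records = {}
    for _ in range(max_queries):
        if records and all(n in records for n in records.values()):
            return records, True
        name = find_uncovered_name(records, zone, salt, iterations)
        if name is None:
            break
        owner, nxt = server.covering_nsec3(name)
        records[owner] = nxt
    return records, False


def crack(records, candidates, salt, iterations):
    """Offline dictionary attack on the harvested owner hashes: the payoff of walking."""
    table = {h_int(c, salt, iterations): c for c in candidates}
    return {table[o] for o in records if o in table}


ZONE, SALT, ITERS = "example", bytes.fromhex("aabbccdd"), 12  # RFC 5155 App. A: NSEC3PARAM 1 0 12 aabbccdd
NAMES = ["example", "a.example", "ai.example", "ns1.example", "ns2.example", "w.example", "xx.example"]
WORDLIST = NAMES + ["www.example", "mail.example", "ftp.example"]  # constructed guess list


def demo(mode):
    server = (InclusiveZone if mode == "inclusive" else NarrowZone)(NAMES, SALT, ITERS)
    records, closed = walk(server, ZONE, SALT, ITERS)
    return {"queries": len(records), "chain_closed": closed,
            "recovered": sorted(crack(records, WORDLIST, SALT, ITERS))}


if __name__ == "__main__":
    print("H(example) =", b32hex(nsec3_hash("example", SALT, ITERS)))
    for mode in ("inclusive", "narrow"):
        print(mode, demo(mode))
```

Against the inclusive zone the walk closes after exactly one query per name and the wordlist recovers every name; against the narrow zone it never closes, and none of the harvested boundaries is a real hash. That is the trade the EDIT above describes: narrow mode removes the stored chain that both the walker and AXFR depend on.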
     
  13. cPanelMichael

    Hello,

    Let us know if you have any additional questions.

    Thanks!
     