Issues with pdns and transfers

[Spork Schivago]

Hello,

I run PowerDNS and I'm using the bind backend.

I just did a systemctl status pdns and saw this:

Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' allowed: client IP 2600:3c02::a is in allow-axfr-ips
Jul 18 22:19:37 franklin.example.com pdns[4072]: Not doing AXFR of an NSEC3 narrow zone 'example' for 2600:3c02::a
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' denied to 2600:3c02::a
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' initiated by 45.79.214.181
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' denied: client IP 45.79.214.181 has no permission
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' failed: 45.79.214.181 cannot request AXFR
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' initiated by 2600:3c02::a
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' allowed: client IP 2600:3c02::a is in allow-axfr-ips
Jul 18 22:19:37 franklin.example.com pdns[4072]: Not doing AXFR of an NSEC3 narrow zone 'jetbbs.com' for 2600:3c02::a
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' denied to 2600:3c02::a

Not really sure how to fix these AXFR of domain 'example.com' denied to 2600:3c02::a.

This is what my /etc/named.conf looks like:

options {
...
    allow-transfer {
         104.237.137.10;
         65.19.178.10;
         75.127.96.10;
         207.192.70.10;
         109.74.194.10;
         2600:3c00::a;
         2600:3c01::a;
         2600:3c02::a;
         2600:3c03::a;
         2a01:7e00::a;
     };
     also-notify {
         104.237.137.10;
         65.19.178.10;
         75.127.96.10;
         207.192.70.10;
         109.74.194.10;
         2600:3c00::a;
         2600:3c01::a;
         2600:3c02::a;
         2600:3c03::a;
         2a01:7e00::a;
     };
     allow-query {
         104.237.137.10;
         65.19.178.10;
         75.127.96.10;
         207.192.70.10;
         109.74.194.10;
         2600:3c00::a;
         2600:3c01::a;
         2600:3c02::a;
         2600:3c03::a;
         2a01:7e00::a;
     };
...

Should these options actually be under the

zone "example.com" {
...
}

section? Is that why it's failing?

This is what I have in the pdns.conf file:

allow-axfr-ips=104.237.137.10, 65.19.178.10, 75.127.96.10, 207.192.70.10, 109.74.194.10, 2600:3c00::a, 2600:3c01::a, 2600:3c02::a, 2600:3c03::a, 2a01:7e00::a
also-notify=104.237.137.10, 65.19.178.10, 75.127.96.10, 207.192.70.10, 109.74.194.10, 2600:3c00::a, 2600:3c01::a, 2600:3c02::a, 2600:3c03::a, 2a01:7e00::a

I couldn't find an allow-query directive for pdns.conf. Am I doing something wrong?

Thanks!

 

[cPanelMichael]

Hello,

Did you enable narrow mode when enabling DNSSEC for your domain names (it's used by default)? The "nsec3_narrow" parameter on the following document explains it's purpose:

UAPI Functions - DNSSEC::set_nsec3 - Software Development Kit - cPanel Documentation

If so, try using inclusive mode for a domain name to see if you can reproduce the same results. Additionally, check to verify what's configured for "disable-axfr" in your /etc/pdns/pdns.conf file.

Thank you.

 

[Spork Schivago]

I don't think I saw an option for narrow mode or any of that when I enabled DNSSEC. Perhaps I enabled DNSSEC the wrong way? I went to cpanel.example.com, logged in, then went to the cPanel >> DOMAINS >> Advanced Zone Editor. There was an option to enable DNSSEC. I clicked that, then I picked a KeyTag, an Algorithm (8 RSA/SHA-256 2,048 bits), and a Digest Type (2 SHA-256). Finally, I went to GoDaddy (where I registered the domain name) and entered all the options.

Where would be the option to select the mode type? My disable-axfr is set to no:

setuid=named
setgid=named
launch=bind
bind-config=/etc/named.conf
bind-dnssec-db=/etc/pdns/dnssec.db
local-ipv6=::
local-ipv6-nonexist-fail=no
distributor-threads=1
disable-axfr=no
allow-axfr-ips=104.237.137.10, 65.19.178.10, 75.127.96.10, 207.192.70.10, 109.74.194.10, 2600:3c00::a, 2600:3c01::a, 2600:3c02::a, 2600:3c03::a, 2a01:7e00::a
also-notify=104.237.137.10, 65.19.178.10, 75.127.96.10, 207.192.70.10, 109.74.194.10, 2600:3c00::a, 2600:3c01::a, 2600:3c02::a, 2600:3c03::a, 2a01:7e00::a
slave=yes
master=yes
version-string=anonymous


# Autogenerated configuration file template
....

If NSEC / NSEC3 was enabled, in the zone file, wouldn't I see something about NSEC or NSEC3? I don't see anything that has NSEC or NSEC3 in /var/named/example.com.db

 

[cPanelMichael]

Hello,

Could you try disabling DNSSec for one of the affected domain names, and then enabling it again? This time, when enabling it, use the following UAPI function instead of the "Zone Editor" option in cPanel:

UAPI Functions - DNSSEC::enable_dnssec - Software Development Kit - cPanel Documentation

When enabling it, set narrow mode to "0". EX:

uapi --user=username DNSSEC enable_dnssec domain=example.com nsec3_narrow=0

Thank you.

 

[Spork Schivago]

Hello,

Could you try disabling DNSSec for one of the affected domain names, and then enabling it again? This time, when enabling it, use the following UAPI function instead of the "Zone Editor" option in cPanel:

UAPI Functions - DNSSEC::enable_dnssec - Software Development Kit - cPanel Documentation

When enabling it, set narrow mode to "0". EX:

uapi --user=username DNSSEC enable_dnssec domain=example.com nsec3_narrow=0

Thank you.

Do I have to pass the various subdomains to the uapi command? Like:

uapi --user=<myusername> DNSSEC enable_dnssec domain=example.com domain=franklin.example.com domain=webmail.example.com nsec3_narrow=0

I just did it for just the main domain and then I went to GoDaddy and deleted the old DNSSEC stuff and then created a new one with the new DNSSEC stuff that was displayed in the Zone Editor. Any suggestions on how I can tell if it worked? There's still no NSEC / NSEC3 data in the /var/named/example.com.db file....

Thanks!

 

[cPanelMichael]

Hello,

The UAPI function needs to have a domain name that's added to the cPanel account and has it's own DNS zone.

I just did it for just the main domain and then I went to GoDaddy and deleted the old DNSSEC stuff and then created a new one with the new DNSSEC stuff that was displayed in the Zone Editor. Any suggestions on how I can tell if it worked? There's still no NSEC / NSEC3 data in the /var/named/example.com.db file....

As far as reproducing the issue, I was under the impression that the "AXFR" error messages in your initial post were stemming from an action you were attempting to perform. Is that the case, or did you simply notice those errors in the log without noticing any problems with the DNS? It's not abnormal to see those AXFR denied messages. Here's a URL you may find helpful:

DNSSEC: Complexities and Considerations

Thank you.

 

[Spork Schivago]

Hello,

The UAPI function needs to have a domain name that's added to the cPanel account and has it's own DNS zone.



As far as reproducing the issue, I was under the impression that the "AXFR" error messages in your initial post were stemming from an action you were attempting to perform. Is that the case, or did you simply notice those errors in the log without noticing any problems with the DNS? It's not abnormal to see those AXFR denied messages. Here's a URL you may find helpful:

DNSSEC: Complexities and Considerations

Thank you.

I received a message from Linode saying because I'm running my own DNS server, I needed to remove an IP address from the allow-transfer and the also-notify sections of named.conf (or change it in whatever DNS server I use) and add a different IP address, because they were changing something and the IP address was changing.

So, I check and noticed I already had the proper IP addresses listed. I ran systemctl status pdns though and noticed that IP addresses that I list for allowing transfers and allowing the notifies are being denied. I thought only the approved IP addresses I listed would be allowed to do those AXFRs, but it appears the IPs I've listed are being denied the AXFRs.

That's why I came here and asked.

 

[Spork Schivago]

I'm reading that link you sent me cPanelMichael. I see this:

Asking for the NSEC record of example.com gives the following....

How does one ask for the NSEC or the NSEC3 record? I've tried googling it but couldn't find anything.

I've tried

dig +dnssec example.com

and I see an RRSIG and an A record in the answer section.

I've tried

dig all +dnssec example.com

and I see NSEC records in the authority section, but only an A record in the answer section.

I've tried

dig nsec3param example.com

and I see the nsec3param info in the answer section for example.com (I use my real domain).

I check the zone file itself though:

grep -i nsec /var/named/example.com.db

and I see nothing. I'm reading that article, but I'm missing something here. I'm still googling and reading additional articles. I believe I understand the difference between NSEC and NSEC3 and I want to verify NSEC3 is enabled and properly configured. I still don't understand why I see the failed AXFR messages though.

I run

dig any +multi example.com

and I see my main domain and the MX record, plus the subdomain for the MX record. I would expect if NSEC3 wasn't properly configured, I'd see all my subdomains. So I test this by running the same command on cpanel.net, expecting to see all the subdomains (forums.cpanel.net, for example), but I don't. And I believe cPanel doesn't have DNSSEC enabled, right?

Thanks.

 

[cPanelMichael]

Hello,

The issue is that AXFR isn't supported when narrow mode is enabled. You can verify if narrow mode is enabled by running the following command for a specific domain name:

uapi --user=username DNSSEC fetch_ds_records domain=example.com

You will see "nsec3_narrow" in the output. Per the documentation on this UAPI function:

• 1 — Narrow mode.
• 0 — Inclusive mode.

Thank you.

 

[Spork Schivago]

Okay, I see that nsec3 is enabled. Does that mean my PowerDNS server is sending out those white lies ( RFC 7129 - Authenticated Denial of Existence in the DNS )?

 

[cPanelMichael]

Hello,

Per the PowerDNS documentation:

NSEC3 in 'narrow' mode uses additional hashing calculations to provide hashed secure denial of existence 'on the fly', without further involving the database.

I actually found a comment from another user that applies to the same situation that you have described:

DNSSEC support in Clustering

Let me know if that helps.

Thank you.

 

[Spork Schivago]

Hello,

Per the PowerDNS documentation:



I actually found a comment from another user that applies to the same situation that you have described:

DNSSEC support in Clustering

Let me know if that helps.

Thank you.

For some reason, the AXFR's are now working. From what you were saying though, I was under the impression they shouldn't work when in narrow mode.

I had trouble finding information from PowerDNS's site with version 3.4 of PDNS. I found plenty of documentation on version 4.x and saw that if PDNS was configured for narrow mode, it'd send out those white lies. I appreciate you taking the time to find this for me.

Jul 25 13:06:08 franklin.example.com pdns[4600]: IXFR of domain 'example.com' to 207.192.70.10 finished
Jul 25 13:21:02 franklin.example.com pdns[4600]: IXFR of domain 'example.com' initiated by 75.127.96.10 with serial 2017062618
Jul 25 13:21:02 franklin.example.com pdns[4600]: AXFR of domain 'example.com' allowed: client IP 75.127.96.10 is in allow-axfr-ips
Jul 25 13:21:02 franklin.example.com pdns[4600]: IXFR of domain 'example.com' to 75.127.96.10 finished
Jul 25 14:02:07 franklin.example.com pdns[4600]: IXFR of domain 'example.com' initiated by 207.192.70.10 with serial 2017062618
Jul 25 14:02:07 franklin.example.com pdns[4600]: AXFR of domain 'example.com' allowed: client IP 207.192.70.10 is in allow-axfr-ips
Jul 25 14:02:07 franklin.example.com pdns[4600]: IXFR of domain 'example.com' to 207.192.70.10 finished
Jul 25 14:22:20 franklin.example.com pdns[4600]: IXFR of domain 'example.com' initiated by 75.127.96.10 with serial 2017062618
Jul 25 14:22:20 franklin.example.com pdns[4600]: AXFR of domain 'example.com' allowed: client IP 75.127.96.10 is in allow-axfr-ips
Jul 25 14:22:20 franklin.example.com pdns[4600]: IXFR of domain 'example.com' to 75.127.96.10 finished

**EDIT: Shoot! I just realized I'm in inclusive mode, not narrow. Which means my DNS can be walked. I gotta change that now. I'd rather have the AXFR's fail then my domain being able to be walked.

**EDIT2: Duh! I disabled it a few days okay. I reenabled it now. Boy do I feel sheepish!

Thanks!

 

[cPanelMichael]

**EDIT: Shoot! I just realized I'm in inclusive mode, not narrow. Which means my DNS can be walked. I gotta change that now. I'd rather have the AXFR's fail then my domain being able to be walked.

**EDIT2: Duh! I disabled it a few days okay. I reenabled it now. Boy do I feel sheepish!

Thanks!

Hello,

Let us know if you have any additional questions.

Thanks!