Issues with pdns and transfers

Hello,

I run PowerDNS and I'm using the bind backend.

I just did a systemctl status pdns and saw this:

Code:

Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' allowed: client IP 2600:3c02::a is in allow-axfr-ips
Jul 18 22:19:37 franklin.example.com pdns[4072]: Not doing AXFR of an NSEC3 narrow zone 'example' for 2600:3c02::a
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' denied to 2600:3c02::a
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' initiated by 45.79.214.181
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' denied: client IP 45.79.214.181 has no permission
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' failed: 45.79.214.181 cannot request AXFR
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' initiated by 2600:3c02::a
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' allowed: client IP 2600:3c02::a is in allow-axfr-ips
Jul 18 22:19:37 franklin.example.com pdns[4072]: Not doing AXFR of an NSEC3 narrow zone 'jetbbs.com' for 2600:3c02::a
Jul 18 22:19:37 franklin.example.com pdns[4072]: AXFR of domain 'example.com' denied to 2600:3c02::a

Not really sure how to fix these AXFR of domain 'example.com' denied to 2600:3c02::a.

This is what my /etc/named.conf looks like:

Code:

options {
...
    allow-transfer {
         104.237.137.10;
         65.19.178.10;
         75.127.96.10;
         207.192.70.10;
         109.74.194.10;
         2600:3c00::a;
         2600:3c01::a;
         2600:3c02::a;
         2600:3c03::a;
         2a01:7e00::a;
     };
     also-notify {
         104.237.137.10;
         65.19.178.10;
         75.127.96.10;
         207.192.70.10;
         109.74.194.10;
         2600:3c00::a;
         2600:3c01::a;
         2600:3c02::a;
         2600:3c03::a;
         2a01:7e00::a;
     };
     allow-query {
         104.237.137.10;
         65.19.178.10;
         75.127.96.10;
         207.192.70.10;
         109.74.194.10;
         2600:3c00::a;
         2600:3c01::a;
         2600:3c02::a;
         2600:3c03::a;
         2a01:7e00::a;
     };
...

Should these options actually be under the

Code:

zone "example.com" {
...
}

section? Is that why it's failing?

This is what I have in the pdns.conf file:

Code:

allow-axfr-ips=104.237.137.10, 65.19.178.10, 75.127.96.10, 207.192.70.10, 109.74.194.10, 2600:3c00::a, 2600:3c01::a, 2600:3c02::a, 2600:3c03::a, 2a01:7e00::a
also-notify=104.237.137.10, 65.19.178.10, 75.127.96.10, 207.192.70.10, 109.74.194.10, 2600:3c00::a, 2600:3c01::a, 2600:3c02::a, 2600:3c03::a, 2a01:7e00::a

I couldn't find an allow-query directive for pdns.conf. Am I doing something wrong?

Thanks!

 

I don't think I saw an option for narrow mode or any of that when I enabled DNSSEC. Perhaps I enabled DNSSEC the wrong way? I went to cpanel.example.com, logged in, then went to the cPanel >> DOMAINS >> Advanced Zone Editor. There was an option to enable DNSSEC. I clicked that, then I picked a KeyTag, an Algorithm (8 RSA/SHA-256 2,048 bits), and a Digest Type (2 SHA-256). Finally, I went to GoDaddy (where I registered the domain name) and entered all the options.

Where would be the option to select the mode type? My disable-axfr is set to no:

Code:

setuid=named
setgid=named
launch=bind
bind-config=/etc/named.conf
bind-dnssec-db=/etc/pdns/dnssec.db
local-ipv6=::
local-ipv6-nonexist-fail=no
distributor-threads=1
disable-axfr=no
allow-axfr-ips=104.237.137.10, 65.19.178.10, 75.127.96.10, 207.192.70.10, 109.74.194.10, 2600:3c00::a, 2600:3c01::a, 2600:3c02::a, 2600:3c03::a, 2a01:7e00::a
also-notify=104.237.137.10, 65.19.178.10, 75.127.96.10, 207.192.70.10, 109.74.194.10, 2600:3c00::a, 2600:3c01::a, 2600:3c02::a, 2600:3c03::a, 2a01:7e00::a
slave=yes
master=yes
version-string=anonymous


# Autogenerated configuration file template
....

If NSEC / NSEC3 was enabled, in the zone file, wouldn't I see something about NSEC or NSEC3? I don't see anything that has NSEC or NSEC3 in /var/named/example.com.db

 

Do I have to pass the various subdomains to the uapi command? Like:

Code:

uapi --user=<myusername> DNSSEC enable_dnssec domain=example.com domain=franklin.example.com domain=webmail.example.com nsec3_narrow=0

I just did it for just the main domain and then I went to GoDaddy and deleted the old DNSSEC stuff and then created a new one with the new DNSSEC stuff that was displayed in the Zone Editor. Any suggestions on how I can tell if it worked? There's still no NSEC / NSEC3 data in the /var/named/example.com.db file....

Thanks!

 

I received a message from Linode saying because I'm running my own DNS server, I needed to remove an IP address from the allow-transfer and the also-notify sections of named.conf (or change it in whatever DNS server I use) and add a different IP address, because they were changing something and the IP address was changing.

So, I check and noticed I already had the proper IP addresses listed. I ran systemctl status pdns though and noticed that IP addresses that I list for allowing transfers and allowing the notifies are being denied. I thought only the approved IP addresses I listed would be allowed to do those AXFRs, but it appears the IPs I've listed are being denied the AXFRs.

That's why I came here and asked.

 

I'm reading that link you sent me cPanelMichael. I see this:

Code:

Asking for the NSEC record of example.com gives the following....

How does one ask for the NSEC or the NSEC3 record? I've tried googling it but couldn't find anything.

I've tried

Code:

dig +dnssec example.com

and I see an RRSIG and an A record in the answer section.

I've tried

Code:

dig all +dnssec example.com

and I see NSEC records in the authority section, but only an A record in the answer section.

I've tried

Code:

dig nsec3param example.com

and I see the nsec3param info in the answer section for example.com (I use my real domain).

I check the zone file itself though:

Code:

grep -i nsec /var/named/example.com.db

and I see nothing. I'm reading that article, but I'm missing something here. I'm still googling and reading additional articles. I believe I understand the difference between NSEC and NSEC3 and I want to verify NSEC3 is enabled and properly configured. I still don't understand why I see the failed AXFR messages though.

I run

Code:

dig any +multi example.com

and I see my main domain and the MX record, plus the subdomain for the MX record. I would expect if NSEC3 wasn't properly configured, I'd see all my subdomains. So I test this by running the same command on cpanel.net, expecting to see all the subdomains (forums.cpanel.net, for example), but I don't. And I believe cPanel doesn't have DNSSEC enabled, right?

Thanks.

 

Okay, I see that nsec3 is enabled. Does that mean my PowerDNS server is sending out those white lies ( RFC 7129 - Authenticated Denial of Existence in the DNS )?

 

For some reason, the AXFR's are now working. From what you were saying though, I was under the impression they shouldn't work when in narrow mode.

I had trouble finding information from PowerDNS's site with version 3.4 of PDNS. I found plenty of documentation on version 4.x and saw that if PDNS was configured for narrow mode, it'd send out those white lies. I appreciate you taking the time to find this for me.

Code:

Jul 25 13:06:08 franklin.example.com pdns[4600]: IXFR of domain 'example.com' to 207.192.70.10 finished
Jul 25 13:21:02 franklin.example.com pdns[4600]: IXFR of domain 'example.com' initiated by 75.127.96.10 with serial 2017062618
Jul 25 13:21:02 franklin.example.com pdns[4600]: AXFR of domain 'example.com' allowed: client IP 75.127.96.10 is in allow-axfr-ips
Jul 25 13:21:02 franklin.example.com pdns[4600]: IXFR of domain 'example.com' to 75.127.96.10 finished
Jul 25 14:02:07 franklin.example.com pdns[4600]: IXFR of domain 'example.com' initiated by 207.192.70.10 with serial 2017062618
Jul 25 14:02:07 franklin.example.com pdns[4600]: AXFR of domain 'example.com' allowed: client IP 207.192.70.10 is in allow-axfr-ips
Jul 25 14:02:07 franklin.example.com pdns[4600]: IXFR of domain 'example.com' to 207.192.70.10 finished
Jul 25 14:22:20 franklin.example.com pdns[4600]: IXFR of domain 'example.com' initiated by 75.127.96.10 with serial 2017062618
Jul 25 14:22:20 franklin.example.com pdns[4600]: AXFR of domain 'example.com' allowed: client IP 75.127.96.10 is in allow-axfr-ips
Jul 25 14:22:20 franklin.example.com pdns[4600]: IXFR of domain 'example.com' to 75.127.96.10 finished

**EDIT: Shoot! I just realized I'm in inclusive mode, not narrow. Which means my DNS can be walked. I gotta change that now. I'd rather have the AXFR's fail then my domain being able to be walked.

**EDIT2: Duh! I disabled it a few days okay. I reenabled it now. Boy do I feel sheepish!

Thanks!