PowerDNS pulling secondary zones from another server

[sozotech]

I am wanting to host some non-cpanel domain zones on our DNS cluster for some legacy systems. We recently switched from BIND to PowerDNS. What I used to do on bind was simply put an include in the /etc/named.conf like such

include "/etc/named.custom_include.conf";

I put this include file in both the internal and external view sections. Then in the named.custom_include.conf simply list the zones as such.

zone "somedomain.com" {
        type slave;
        file "/var/named/somedomain.com.db";
        masters { 1.2.3.4 ; };
};

For some reason this is not working. It looks like the config only likes having one include file, so I put that in just the external view and then the config passes. However when I restart pdns, I get the following error.

no file found for new slave domain

pdns_server: [bindbackend] error at 2020-12-08 10:34:21 -0500 no file found for new slave domain 'somedomain.com'. Has not been AXFR'd yet

# pdns_control retrieve somedomain.com
Added retrieval request for 'somedomain.com.' from master 1.2.3.4

However, the zone file never seems to be created in /var/named and I don't see any errors in the log file. If I do a

dig axfr somedomain.com @1.2.3.4

It works without any issues, so I know I have the transfer ACL's setup correctly on the master DNS server.

I am fairly new to PowerDNS so can anyone tell me if I missed anything or did something wrong? Appreciate any advice.

Best regards,
Eric

 

[cPRex]

Hey there! I've been looking into this for a bit now, and it seems that is working normally with the way that PowerDNS is implemented on a cPanel system. By default, AXFR is disabled in our PowerDNS configuration file:

# grep disable-axfr /etc/pdns/pdns.conf
disable-axfr=yes
# disable-axfr    Disable zonetransfers but do allow TCP queries
# disable-axfr=no
# disable-axfr-rectify    Disable the rectify step during an outgoing AXFR. Only required for regression testing.
# disable-axfr-rectify=no

so it seems this configuration may not be possible.

Is there any reason you couldn't continue to use BIND on these systems?

 

[sozotech]

Hey there! I've been looking into this for a bit now, and it seems that is working normally with the way that PowerDNS is implemented on a cPanel system. By default, AXFR is disabled in our PowerDNS configuration file:

# grep disable-axfr /etc/pdns/pdns.conf
disable-axfr=yes
# disable-axfr    Disable zonetransfers but do allow TCP queries
# disable-axfr=no
# disable-axfr-rectify    Disable the rectify step during an outgoing AXFR. Only required for regression testing.
# disable-axfr-rectify=no

so it seems this configuration may not be possible.

Is there any reason you couldn't continue to use BIND on these systems?

Well, I believe the disable-axfr setting is for pulling zones FROM PowerDNS which is not what I am trying to do, though on a side note, I changed this option to Yes, and I can pull zones from other servers using the PowerDNS as the master server. One of our data centers, secondaries our PTR zones for reverse IP lookups so I can confirm that works.

I would like to use PowerDNS since it seems to be higher performing. The PDNS process sure starts WAY FASTER than BIND. It might take BIND 30 minutes to load all the zones after a reboot and PowerDNS loads up in seconds. I would really like to have PDNS to secondary the legacy zones so I don't have to have to go back to BIND or have separate servers.

Best regards,
Eric

 

[cPRex]

It might be best to put in a ticket for this to get some more details, as I didn't find much related to this specific situation. If you do that, please post the number here so I can follow along and keep the community updated.

 

[sozotech]

It might be best to put in a ticket for this to get some more details, as I didn't find much related to this specific situation. If you do that, please post the number here so I can follow along and keep the community updated.

Thanks. I've opened ticket #94004794 . We'll se what that turns up.

 

[cPRex]

Great - I'm following that now on my end too :D