Re: [bitfolk] PowerDNS Secondary DNS for ACME Let's Encrypt …

Author: William Wright
Date:  
To: users
Subject: Re: [bitfolk] PowerDNS Secondary DNS for ACME Let's Encrypt Wildcard certificates
Hi,

I think I have solved the issue. Turns out there is an issue when a Zone
has multiple TSIG Keys.

See this PowerDNS ticket: https://github.com/PowerDNS/pdns/issues/10637

By default, the Bitfolk Secondary DNS does not use a TSIG Key so by
setting send-signed-notify to 'no' in the PowerDNS config the secondary
DNS notify is now working again.

Cheers,

Will

On 22/12/2021 16:01, William Wright wrote:
> Hi Andy,
>
> On 22/12/2021 15:26, Andy Smith wrote:
>> How long are you pausing between inserting the record and checking
>> for existence of the record?
>
> Initially, 120 seconds but I incremented it to 300 seconds.
>
>> Have you confirmed by command line usage of the "nsupdate" tool or
>> equivalent that you are able to:
>>
>> 1. Add a record in your powerdns (any record, just some silly TXT
>>     record for debugging)
>>
>> 2. See AXFR take place to a.authns.bitfolk.co.uk
>>
>> 3. Query the record you just added, from a.authns.bitfolk.co.uk?
>
> Using the ACME Plugin for PFSense, I was able to insert the TXT Record
> and generate a certificate. I am not sure whether it queried ns1 or
> bitfolk at the authoritative level to achieve this.
>
> In my traefik configuration, I found it necessary to override my local
> Unbound DNS instance included within PFSense and query an alternative
> DNS resolver (1.1.1.1 in my case).
>
>> When was the last time you tried an update? BitFolk last saw an
>> update:
>>
>> 22-Dec-2021 14:05:29.575 general: info: zone m6wiq.uk/IN: Transfer
>> started.
>> 22-Dec-2021 14:05:29.576 xfer-in: info: transfer of 'm6wiq.uk/IN' from
>> 85.119.82.174#53: connected using 85.119.80.222#47928
>> 22-Dec-2021 14:05:29.590 general: info: zone m6wiq.uk/IN: transferred
>> serial 2021121127
>>
>> So by 14:05:29.590 a.authns.bitfolk.co.uk should be seeing (and
>> serving) whatever update it was you made in serial 2021121127.
>>
>> Something I find odd is that your powerdns server at 85.119.82.174 has
>> serial number 2021121140 but all the BitFolk servers have only 2021121127.
>> You also list ns6.gandi.net which I assume is taking an AXFR from
>> somewhere; that also only has serial 2021121127. I don't know if
>> this is a problem particularly.
>
> I have removed the Gandi secondary name server from the configuration to
> remove any potential complications. This has incremented the serial to
> 2021121141. The set of commands I have been using to notify secondary
> servers is:
>
> pdnsutil increase-serial m6wiq.uk
> pdns_control notify m6wiq.uk
>
> After running these commands, querying a.authns.bitfolk.co.uk returns:
>
> dig m6wiq.uk @a.authns.bitfolk.co.uk SOA
>
> ; <<>> DiG 9.16.1-Ubuntu <<>> m6wiq.uk @a.authns.bitfolk.co.uk SOA
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1864
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 8
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;m6wiq.uk.            IN    SOA
>
> ;; ANSWER SECTION:
> m6wiq.uk.        3600    IN    SOA    ns1.m6wiq.uk. hostmaster.m6wiq.uk.
> 2021121127 10800 3600 604800 3600
>
> However, on ns1.m6wiq.uk:
>
> dig m6wiq.uk @ns1.m6wiq.uk SOA
>
> ; <<>> DiG 9.16.1-Ubuntu <<>> m6wiq.uk @ns1.m6wiq.uk SOA
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48457
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;m6wiq.uk.            IN    SOA
>
> ;; ANSWER SECTION:
> m6wiq.uk.        3600    IN    SOA    ns1.m6wiq.uk. hostmaster.m6wiq.uk.
> 2021121141 10800 3600 604800 3600
>
>> I'm afraid that I lack experience with powerdns and dynamic DNS
>> updates.
>
> I have the same issue on my end. I wonder if there is a better method of
> notifying the secondary DNS rather than "pdns_control notify"?
>
> Cheers,
>
> William
>


--
William Wright
Callsign: M6WIQ
Mail: william@???
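As an added example (not code from the thread, from PowerDNS or from BitFolk), a small POSIX shell helper that automates the check William did by hand above: read the SOA serial from the primary and from each secondary and flag any secondary that is behind, which is exactly the symptom a NOTIFY that never arrives produces. The function names, the `NAME=SERIAL` argument form and the live-query path (which assumes `dig` is installed) are my own choices.

```shell
#!/bin/sh
# Constructed helper: compare a zone's SOA serial on the primary with each
# secondary. Assumes dig (dnsutils / bind-utils) for the live query path.

# soa_serial RDATA: print the serial field of an SOA record's RDATA, e.g.
# "ns1.m6wiq.uk. hostmaster.m6wiq.uk. 2021121141 10800 3600 604800 3600"
# yields 2021121141. Prints nothing for empty input (server gave no answer).
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 3 { print $3 }'
}

# query_serial ZONE SERVER: live lookup; dig +short returns SOA RDATA only.
query_serial() {
    soa_serial "$(dig +short "$1" "@$2" SOA 2>/dev/null)"
}

# check_secondaries PRIMARY_SERIAL NAME=SERIAL...: print one line per
# secondary (OK, BEHIND, AHEAD or NOANSWER). BEHIND is the stale-secondary
# case seen in the thread (2021121127 vs 2021121141). Returns 0 only when
# every secondary matches the primary.
check_secondaries() {
    primary=$1; shift
    rc=0
    for pair in "$@"; do
        name=${pair%%=*}; serial=${pair#*=}
        if [ -z "$serial" ]; then
            echo "NOANSWER $name"; rc=1
        elif [ "$serial" -lt "$primary" ]; then
            echo "BEHIND   $name has $serial, primary has $primary"; rc=1
        elif [ "$serial" -gt "$primary" ]; then
            echo "AHEAD    $name has $serial, primary has $primary"; rc=1
        else
            echo "OK       $name in sync at $serial"
        fi
    done
    return $rc
}

# Usage: ./check-serials.sh ZONE PRIMARY SECONDARY [SECONDARY...]
# e.g.   ./check-serials.sh m6wiq.uk ns1.m6wiq.uk a.authns.bitfolk.co.uk
if [ $# -ge 3 ]; then
    zone=$1; primary_host=$2; shift 2
    primary_serial=$(query_serial "$zone" "$primary_host")
    [ -n "$primary_serial" ] || { echo "NOANSWER from primary $primary_host"; exit 2; }
    args=""
    for s in "$@"; do args="$args $s=$(query_serial "$zone" "$s")"; done
    # shellcheck disable=SC2086  # intentional word splitting of NAME=SERIAL pairs
    check_secondaries "$primary_serial" $args
fi
```

Run it after `pdns_control notify` and again after the zone's refresh interval; a secondary that stays BEHIND has not received or acted on the NOTIFY, which is where the TSIG/send-signed-notify setting above comes in.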