Re: [bitfolk] PowerDNS Secondary DNS for ACME Let's Encrypt …

Author: Andy Smith
Date:  
To: users
Subject: Re: [bitfolk] PowerDNS Secondary DNS for ACME Let's Encrypt Wildcard certificates

gpg: Signature made Wed Dec 22 16:43:50 2021 UTC
gpg: using DSA key 0E4236CB52951E14536066222099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
On Wed, Dec 22, 2021 at 04:01:27PM +0000, William Wright wrote:
> In my traefik configuration, I found it necessary to override my local
> Unbound DNS instance included within PFSense and query an alternative DNS
> resolver (1.1.1.1 in my case).
I am confused why you are telling any of these things which
resolver to use.

If you have an ACME client doing the DNS method, normally the only
thing you need to tell it is which DNS server is going to accept an
nsupdate from you. This would normally be an authoritative server
(like the powerdns that you run on 85.119.82.174), not a resolver.

Once the DNS update is done, the DNS server you did it with should
take care of sending out NOTIFY messages to any secondary servers to
tell them to do an AXFR.

So I think it is worth using the command line "nsupdate" utility to
do a simple DNS update against your powerdns and check that results
in an AXFR and the ability to query that record from any/all of the
secondary servers.

> pdnsutil increase-serial m6wiq.uk
> pdns_control notify m6wiq.uk
>
> After running these commands, querying a.authns.bitfolk.co.uk returns:
If this is what you did at ~14:05 then that is what resulted in the
AXFR of a zone with serial 2021121127. That is the last AXFR that
was seen here.

Interestingly, if I do an AXFR manually then I do see serial
2021121141:

$ dig -b 85.119.80.222 -t axfr m6wiq.uk @85.119.82.174 | grep SOA
m6wiq.uk.               3600    IN      SOA     ns1.m6wiq.uk. hostmaster.m6wiq.uk. 2021121141 10800 3600 604800 3600
I've just now done this:

$ sudo rndc retransfer m6wiq.uk

(Forces bind to check for and do another transfer from your
primary)

and got this:

22-Dec-2021 16:28:36.507 general: info: received control channel command 'retransfer m6wiq.uk'
22-Dec-2021 16:28:36.509 general: info: zone m6wiq.uk/IN: Transfer started.
22-Dec-2021 16:28:36.509 xfer-in: info: transfer of 'm6wiq.uk/IN' from 85.119.82.174#53: connected using 85.119.80.222#47207
22-Dec-2021 16:28:36.517 database: warning: addnode: NSEC node already exists
22-Dec-2021 16:28:36.517 general: info: zone m6wiq.uk/IN: transferred serial 2021121141
22-Dec-2021 16:28:36.517 xfer-in: info: transfer of 'm6wiq.uk/IN' from 85.119.82.174#53: Transfer completed: 3 messages, 68 records, 4861 bytes, 0.007 secs (694428 bytes/sec)

It then sends out NOTIFY to all of the other BitFolk secondary
servers. So they all have 2021121141 now.

So… from this I am thinking that we did not get any NOTIFY messages
from you before. What happened at 14:05 was probably just a
scheduled refresh and at that time the zone was at 20211211. I don't
think we are seeing NOTIFY messages when you do an update.

If you want to check that, try it now and say when you have done it
and I'll tell you.

Normally I wouldn't expect you to have to manually increase the
serial number and manually do a NOTIFY when doing DNS updates.
Normally I would expect any DNS server that supports DNS update to
do all that itself. But as I haven't done this with powerdns I don't
know exactly what is involved.

What backend do you use with powerdns out of interest?

Again I would really recommend verifying that simple command line
use of nsupdate to push a DNS update does work before wondering why
a much more complex config of an ACME client doesn't.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
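The check Andy recommends above (a plain nsupdate against the primary, then confirm the secondaries actually transferred the new serial), written out as an added example script; it is not code from the thread or from BitFolk. It assumes BIND's dig and nsupdate are installed, and the zone, server and TSIG key file names are placeholders supplied on the command line.

```shell
#!/bin/sh
# Added example, not from the thread. Does the check Andy suggests: push a TXT
# record to the primary with nsupdate, then poll each secondary until its SOA
# serial matches the primary's (proof that NOTIFY and AXFR worked).
# Assumes BIND's dig and nsupdate. Usage: zone-sync-check.sh ZONE PRIMARY SECONDARY...

# Serial is field 7 of a full-format dig SOA answer line:
# "m6wiq.uk. 3600 IN SOA ns1.m6wiq.uk. hostmaster.m6wiq.uk. 2021121141 10800 3600 604800 3600"
soa_serial() { awk '$4 == "SOA" { print $7; exit }'; }
# Ask SERVER directly for ZONE's SOA serial; prints nothing if it does not answer.
query_serial() {
    dig +noall +answer +time=3 +tries=1 -t SOA "$1" "@$2" | soa_serial
}
# One line per secondary; returns 1 if any serial differs from WANT (args: ZONE WANT NS...).
check_secondaries() {
    zone=$1; want=$2; shift 2; rc=0
    for ns in "$@"; do
        got=$(query_serial "$zone" "$ns")
        if [ "$got" = "$want" ]; then echo "OK   $ns serial $got"
        else echo "LAG  $ns serial ${got:-<no answer>}, primary has $want"; rc=1; fi
    done
    return $rc
}
# RFC 2136 dynamic update of one TXT record; TSIG_KEYFILE (tsig-keygen output) is optional.
push_txt() {
    nsupdate ${TSIG_KEYFILE:+-k "$TSIG_KEYFILE"} <<EOF
server $2
zone $1
update add $3 60 IN TXT "$4"
send
EOF
}
main() {
    z=$1; p=$2; shift 2
    push_txt "$z" "$p" "_sync-test.$z" "probe-$(date +%s)" || return 1
    want=$(query_serial "$z" "$p")
    [ -n "$want" ] || { echo "no SOA answer from primary $p"; return 1; }
    echo "primary $p is at serial $want"
    i=0
    while [ "$i" -lt 10 ]; do                # allow ~50 s for NOTIFY + AXFR
        check_secondaries "$z" "$want" "$@" && return 0
        i=$((i + 1)); sleep 5
    done
    echo "secondaries still lag: check NOTIFY on the primary and AXFR on the secondaries"
    return 1
}
if [ "$#" -ge 3 ]; then main "$@"; fi     # live update/check only when given arguments
```

A secondary that stays on the old serial after the loop points at the primary not sending NOTIFY (or the secondary refusing the AXFR), which is exactly the gap between the 2021121127 and 2021121141 serials seen in the thread.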