[axfrdns] Fails to initialize new zones due to servfail
Describe the bug
Using AXFR on a freshly configured zone that does not yet have any zone data expectedly fails with rcode 2 (SERVFAIL), and therefore the zone cannot be initialized from dnscontrol.
dnscontrol:
Error getting corrections (manda): [Error] AXFRDDNS: nameserver refused to transfer the zone 8.b.d.1.0.0.2.ip6.arpa: dns: bad xfr rcode: 2
knot:
# journalctl -u knot --grep=dnscontrol
knotd[1204]: debug: [8.b.d.1.0.0.2.ip6.arpa.] ACL, allowed, action transfer, remote 192.0.2.0@52766, key dnscontrol.
# knotc zone-status
[8.b.d.1.0.0.2.ip6.arpa.] role: master | serial: -
To Reproduce
Steps to reproduce the behavior:
- Install and configure Knot
- Configure a new zone with ACLs for dnscontrol
- Run dnscontrol check or apply
Expected behavior
A nameserver without zone data will return SERVFAIL for the zone. Ideally dnscontrol would allow applying the initial zone data.
DNS Provider
- axfrdns
Additional context
It starts working once I create zone data on the nameserver in any way:
knotc zone-begin 8.b.d.1.0.0.2.ip6.arpa.
knotc zone-set 8.b.d.1.0.0.2.ip6.arpa. @ 3600 SOA ns1.example.com. dns.example.com. 1 3600 600 604800 1440
knotc zone-commit 8.b.d.1.0.0.2.ip6.arpa.
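A pre-flight wrapper around the workaround above, as an added example that is not part of this issue, of dnscontrol or of Knot: it queries the SOA with dig, treats SERVFAIL as "no zone contents yet", seeds a minimal apex through a knotc transaction, and only then hands over to dnscontrol. The SOA parameters, the `ns1.example.com.`/`dns.example.com.` names and the apex NS record (the issue only sets an SOA) are placeholders to adapt; the script assumes `knotc`, `dig` and `dnscontrol` are on PATH.

```shell
#!/bin/sh
# Pre-flight for an axfrdns-managed zone on Knot: seed an empty zone with a
# minimal SOA (+ NS) so AXFR stops returning SERVFAIL, then run dnscontrol.
# Added example; not code from the issue, dnscontrol or Knot.

# soa_rcode: read `dig +noall +comments` output on stdin and print the rcode
# (NOERROR, SERVFAIL, ...) from the ";; ->>HEADER<<-" line. Prints nothing if
# dig produced no header (e.g. connection timed out), so callers see "".
soa_rcode() {
    sed -n 's/^;; ->>HEADER<<- opcode: QUERY, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# zone_needs_seed ZONE [SERVER]: true (0) only when the server answers the
# apex SOA query with SERVFAIL, which is what Knot returns for a configured
# zone that has no contents. A timeout yields an empty rcode and is NOT
# treated as "needs seeding", so an unreachable server is left alone.
zone_needs_seed() {
    zone=$1
    server=${2:-localhost}
    rcode=$(dig +noall +comments "@$server" SOA "$zone" | soa_rcode)
    [ "$rcode" = "SERVFAIL" ]
}

# seed_commands ZONE PRIMARY HOSTMASTER: print the knotc transaction that
# creates the minimal apex. Printing instead of executing keeps this
# testable offline; run_seed feeds the output to a shell.
# SOA timers (refresh/retry/expire/minimum) are placeholders, as in the issue.
seed_commands() {
    zone=$1
    primary=$2
    hostmaster=$3
    printf 'knotc zone-begin %s\n' "$zone"
    printf 'knotc zone-set %s @ 3600 SOA %s %s 1 3600 600 604800 1440\n' \
        "$zone" "$primary" "$hostmaster"
    # Apex NS is an addition over the issue's SOA-only workaround (assumption).
    printf 'knotc zone-set %s @ 3600 NS %s\n' "$zone" "$primary"
    printf 'knotc zone-commit %s\n' "$zone"
}

# run_seed ZONE PRIMARY HOSTMASTER: execute the transaction step by step
# (sh -e stops at the first failing knotc call). A Knot zone transaction
# persists server-side across knotc invocations, so on failure abort it
# explicitly rather than leaving the zone locked.
run_seed() {
    if ! seed_commands "$@" | sh -e; then
        knotc zone-abort "$1"
        return 1
    fi
}

# preflight ZONE: seed if needed, then let dnscontrol push the real records.
preflight() {
    zone=$1
    if zone_needs_seed "$zone"; then
        run_seed "$zone" ns1.example.com. dns.example.com. || return 1
    fi
    dnscontrol preview
}

# Usage: ./preflight.sh 8.b.d.1.0.0.2.ip6.arpa.
if [ -n "${1:-}" ]; then
    preflight "$1"
fi
```

`dnscontrol preview` is used here because it is the read-only step; swap in `dnscontrol push` once the preview looks right. Seeding only on an explicit SERVFAIL keeps the script from "bootstrapping" a zone on a server that merely timed out or that the ACL rejected (a REFUSED rcode is left untouched as well).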
Ping @hnrgrgr, the maintainer of the AXFR+DDNS provider.
I can't get Knot to initialize an empty zone using nsupdate, so this is probably a Knot bug and not a DNSControl bug:
$ cat knot.conf
server:
    listen: [::@53]
    async-start: on
log:
  - target: stderr
    any: debug
acl:
  - id: allow_all
    address: ["0.0.0.0/0", "::/0"]
    action: [transfer, notify, update]
zone:
  # From https://www.knot-dns.cz/docs/3.4/singlehtml/index.html#example-2
  - domain: test.internal.
    zonefile-sync: -1
    zonefile-load: none
    journal-content: all
    acl: allow_all
$ podman run --rm --pull=newer --volume=./knot.conf:/config/knot.conf:ro,z --publish=[::1]:53:53/udp docker.io/cznic/knot:latest /usr/sbin/knotd &
2025-01-03T06:48:17+0000 info: Knot DNS 3.4.3 starting
2025-01-03T06:48:17+0000 info: loaded configuration file '/config/knot.conf', mapsize 500 MiB
2025-01-03T06:48:17+0000 info: using UDP reuseport, incoming TCP Fast Open
2025-01-03T06:48:17+0000 info: binding to interface ::@53
2025-01-03T06:48:17+0000 info: loading 1 zones
2025-01-03T06:48:17+0000 info: [test.internal.] zone will be loaded
2025-01-03T06:48:17+0000 info: starting server
2025-01-03T06:48:17+0000 info: [test.internal.] zone not found
2025-01-03T06:48:17+0000 error: [test.internal.] zone event 'load' failed (not exists)
2025-01-03T06:48:17+0000 info: control, binding to '/rundir/knot.sock'
2025-01-03T06:48:17+0000 info: server started in the foreground, PID 1
$ dig +noall +question +answer @localhost CH TXT version.bind.
;version.bind. CH TXT
version.bind. 0 CH TXT "Knot DNS 3.4.3"
$ echo 'server localhost
zone test.internal.
update add test.internal. 300 IN SOA localhost. invalid.invalid. 300 300 300 300 300
update add test.internal. 300 IN NS localhost.
update add test.internal. 300 IN TXT "test"
send
answer' | nsupdate -d
Sending update to ::1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 55401
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 3, ADDITIONAL: 0
;; ZONE SECTION:
;test.internal. IN SOA
;; UPDATE SECTION:
test.internal. 300 IN SOA localhost. invalid.invalid. 300 300 300 300 300
test.internal. 300 IN NS localhost.
test.internal. 300 IN TXT "test"
2025-01-03T06:48:38+0000 debug: [test.internal.] ACL, allowed, action update, remote fd11:214b:df5::834@49595 UDP
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 55401
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;test.internal. IN SOA
Answer:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 55401
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;test.internal. IN SOA
$ dig +noall +question +answer +comments @localhost SOA test.internal.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46749
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 24 (Invalid Data)
;; QUESTION SECTION:
;test.internal. IN SOA