I have three DNS servers: x.y.z.10, which is configured as supermaster, and x.y.z.11 and x.y.z.12, which are both configured as superslaves. On all three machines:
- dnsdist is running on port 53 for (yet to be done) high availability
- pdns is running on port 1054 as authoritative server
- pdns-recursor is running on port 1055 as recursing resolver
Despite following the advice of dnsdist (https://dnsdist.org/advanced/axfr.html), a sudo pdns_control notify xxx.de on the master yields the same error on all slaves: pdns_server[]: Received NOTIFY for xxx.de from 127.0.0.1:39562 which is not a master (Refused).
dnsdist is configured to pass SOA, AXFR and IXFR requests that originate from the network to pdns and everything else to pdns-recursor:
-- refuse zone transfers (AXFR/IXFR) unless the client is inside x.y.z.0/27
addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("x.y.z.0/27"))}), RCodeAction(DNSRCode.REFUSED))
-- refuse NOTIFY unless the sender is inside x.y.z.0/24
addAction(AndRule({OpcodeRule(DNSOpcode.Notify),NotRule(makeRule("x.y.z.0/24"))}), RCodeAction(DNSRCode.REFUSED))
-- SOA, AXFR and IXFR go to the authoritative pool (a NOTIFY carries QTYPE SOA in its question section, so it matches here too)
addAction(OrRule({QTypeRule(DNSQType.SOA), QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), PoolAction("primary"))
-- everything else goes to the recursor pool
addAction(AllRule(), PoolAction("recursor"))
pdns is configured as a (super)slave and to accept AXFR/NOTIFY only from localhost:
master = no
slave = yes
superslave = yes
# outbound zone transfers are allowed to localhost only
allow-axfr-ips = 127.0.0.1
disable-axfr = no
# NOTIFY messages are accepted from localhost only
allow-notify-from = 127.0.0.1
What/where did I mess up?
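For reference, an added example that is not part of the question above and not the poster's configuration: dnsdist talks to its backends from its own socket, so a NOTIFY that leaves x.y.z.10 reaches pdns on 127.0.0.1:1054 with source address 127.0.0.1, which is exactly what the logged line shows. One way to hand the original client address through to the backend is the PROXY protocol, which dnsdist can emit per backend (useProxyProtocol on newServer) and PowerDNS Authoritative can consume (proxy-protocol-from). The addresses and pool names below mirror the question; the version requirements (dnsdist 1.5 or newer, Authoritative Server 4.4 or newer) are stated from memory and should be checked against the release notes.

```lua
-- dnsdist side (added example). The backend of the "primary" pool is pdns on
-- 127.0.0.1:1054; with useProxyProtocol=true dnsdist prepends a PROXY protocol
-- v2 header to every query it forwards to this backend, carrying the real
-- client address (e.g. x.y.z.10) instead of dnsdist's own 127.0.0.1.
newServer({address="127.0.0.1:1054", pool="primary", useProxyProtocol=true})

-- the recursor backend keeps receiving plain queries
newServer({address="127.0.0.1:1055", pool="recursor"})

-- the addAction routing rules from the question stay unchanged

-- pdns.conf side (assumed settings, shown here as comments because the example
-- is a single Lua file):
--   proxy-protocol-from=127.0.0.1   # accept (and require) the header from dnsdist
--   allow-notify-from=x.y.z.10      # the address pdns now sees is the real master
```

With proxy-protocol-from set, pdns expects the header on every packet and connection arriving from 127.0.0.1, so plain, unproxied traffic must not be sent to port 1054 from that address any more; the NOTIFY and AXFR access checks (allow-notify-from, allow-axfr-ips, the supermaster lookup) are then evaluated against the address carried in the header rather than against 127.0.0.1.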