Primary/Secondary servers on different hosts with Podman failing AXFR/Notify

[rheaalleen]

Hi,

I was experimenting with the container images from pschiffe/powerdns to get a cluster running. However with rootless podman I was unsuccessful so far when I split the primary/secondary to different hosts.

Running the primary/secondary on a single host was easy since I can attach the same network and define static IPs. After setting the NS/A records through PowerDNS-Admin I was seeing the Notify/AFXR.

However splitting the services to different hosts was unsuccesful. When triggering a manual notify-host from the primary the secondary it gets the error. The same configuration that was working now has problems because of the networking.

Received NOTIFY for domain.io from 172.7.0.21 but the remote is not providing a TSIG key or in allow-notify-from (Refused)

It's seeing its own IP as allow-notify source IP, switching the PDNS_allow_notify_from: '{{ pdns_master_ip }}' to PDNS_allow_notify_from: '{{ pdns_master_ip }}' in the secondary configuration changes the error message to

Mar 29 00:14:12 Received NOTIFY for domain.io from 172.7.0.21 for which we are not authoritative, trying autoprimary
Mar 29 00:14:12 Error resolving SOA or NS for domain.io at: 172.7.0.21: Query to '172.7.0.21' for SOA of 'domain.io' produced no answers

The messages arrive with their internal podman network IP and I didnt see any way to use the host IP.

Anything else, for the primary works, I can set records, query them with the defined IP:Port, just the communication for AXFR/Notify wont work.

Before setting the container IPs as ns1/2 records inside the containers /etc/hosts I had the server IPs which resulted in the same error

Mar 29 00:14:12 Received NOTIFY for domain.io from 172.7.0.21 for which we are not authoritative, trying autoprimary
Mar 29 00:14:12 Error resolving SOA or NS for domain.io at: 172.7.0.21: Query to '172.7.0.21' for SOA of 'domain.io' produced no answers

Trimmed configuration for both services/hosts

Secondary on Host B

---
- name: Variables
  ansible.builtin.set_fact:
    pdns_master_ip: 172.7.0.20
    pdns_slave_ip: 172.7.0.21

- name: Create a podman network
  become: true
  become_user: podman-deploy
  containers.podman.podman_network:
    name: powerdns
    force: true
    ip_range: 172.7.0.0/16
    subnet: 172.7.0.0/16
    gateway: 172.7.0.1

- name: Powerdns Container Slave
  become: true
  become_user: podman-deploy
  containers.podman.podman_container:
    name: powerdns_slave
    hostname: ns2.domain.io
    add_hosts:
      ns1.domain.io: '{{ pdns_master_ip }}'
      ns2.domain.io: '{{ pdns_slave_ip }}'
    image: pschiffe/pdns-pgsql
    state: created
    pull: "always"
    image_strict: true
    ip: '{{ pdns_slave_ip }}'
    ports:
      - "10.0.104.11:53:53"
      - "10.0.104.11:53:53/udp"
    env:
      PDNS_secondary: 'yes'
      PDNS_autosecondary: 'yes'
      PDNS_version_string: 'anonymous'
      PDNS_disable_axfr: 'yes'
      PDNS_allow_notify_from: '{{ pdns_master_ip }}'
      SUPERMASTER_IPS: '{{ pdns_master_ip }}'
      PDNS_gpgsql_host: "powerdns_db_dns_slave"
      PDNS_gpgsql_port: "5432"
      PDNS_gpgsql_user: "{{ POSTGRES_USER_powerdns_slave }}"
      PDNS_gpgsql_password: "{{ POSTGRES_PASSWORD_powerdns }}"
      PDNS_gpgsql_dbname: "powerdns_slave"
    requires:
      - "powerdns_db_dns_slave"
    network: powerdns
    generate_systemd:
      path: /home/podman-deploy/.local/share/systemd/user/
      restart_policy: always
      stop_timeout: 120
      names: true

Primary on Host A

---
- name: Variables
  ansible.builtin.set_fact:
    pdns_master_ip: 172.7.0.20
    pdns_slave_ip: 172.7.0.21

- name: Create a podman network
  become: true
  become_user: podman-deploy
  containers.podman.podman_network:
    name: powerdns
    force: true
    ip_range: 172.7.0.0/16
    subnet: 172.7.0.0/16
    gateway: 172.7.0.1

- name: Powerdns Container
  become: true
  become_user: podman-deploy
  containers.podman.podman_container:
    name: powerdns_master
    hostname: ns1.domain.io
    add_hosts:
      ns1.domain.io: '{{ pdns_master_ip }}'
      ns2.domain.io: '{{ pdns_slave_ip }}'
    image: pschiffe/pdns-pgsql
    state: created
    pull: "always"
    ports:
      - "10.0.104.10:53:53"
      - "10.0.104.10:53:53/udp"
    image_strict: true
    env:
      PDNS_primary: "yes"
      PDNS_version_string: "4.9"
      PDNS_default_ttl: "1500"
      PDNS_allow_axfr_ips: '{{ pdns_slave_ip }}'
      PDNS_only_notify: '{{ pdns_slave_ip }}'
      PDNS_disable_axfr: "no"
      PDNS_gpgsql_host: "powerdns_db_dns"
      PDNS_gpgsql_port: "5432"
      PDNS_gpgsql_user: "{{ POSTGRES_USER_powerdns }}"
      PDNS_gpgsql_password: "{{ POSTGRES_PASSWORD_powerdns }}"
      PDNS_gpgsql_dbname: "powerdns_master"
    requires:
      - "powerdns_db_dns"
    ip: '{{ pdns_master_ip }}'
    network: powerdns
    generate_systemd:
      path: /home/podman-deploy/.local/share/systemd/user/
      restart_policy: always
      stop_timeout: 120
      names: true