| opendevreview | Mikhail Samoylov proposed openstack/designate-tempest-plugin master: Add zone serial tests. https://review.opendev.org/c/openstack/designate-tempest-plugin/+/915069 | 14:19 |
|---|---|---|
| opendevreview | Mikhail Samoylov proposed openstack/designate master: Support using non unix timestamp serial. https://review.opendev.org/c/openstack/designate/+/914749 | 14:21 |
| samcat116 | Hi all, I am using Designate and PDNS4. I think I have the integration setup correctly. When I create a zone I see the zone show up as a secondary in PDNS with its masters as my openstack controllers and the mdns port. However if I try and manually create a recordset, it will sit in pending forever, even after the zone becomes active. If I manually trigger an "update from primary" on the powerdns side, it will actualy grab all the | 18:56 |
| samcat116 | records and create them on the pdns side and those will respond to dns requests, but the recordsets stay pending on the openstack side. Any ideas? | 18:56 |
| samcat116 | this is a bobcat deployment | 18:56 |
| johnsom | That sounds like a pool configuration issue | 18:59 |
| johnsom | Check that the "nameservers" section is correct. Also use the designate manage to see the running pool config vs. the config files | 19:00 |
| johnsom | My guess is the NOTIFY message from designate is not getting to the PDNS servers | 19:01 |
| samcat116 | I am actually seeing notify messages get to pdns | 19:03 |
| samcat116 | in the pdns logs | 19:03 |
| johnsom | PDNS is getting the NOTIFY but not starting an AXFR for the zone? | 19:03 |
| samcat116 | yes | 19:04 |
| johnsom | I wonder if PDNS isn't trusting the designate controllers, i.e. it doesn't see them as primary servers for the zone, or there is an allow list configured wrong. | 19:04 |
| samcat116 | when I create a new zone, I see a notify and then an axfr | 19:05 |
| samcat116 | and I see the @ NS record on pdns side | 19:05 |
| samcat116 | but then I never see another axfr for the zone | 19:05 |
| samcat116 | unless I manually trigger an update on the pdns side | 19:05 |
| johnsom | Yeah, so the NOTIFYs aren't working in PDNS for some reason | 19:05 |
| johnsom | https://doc.powerdns.com/authoritative/settings.html#allow-notify-from | 19:06 |
| samcat116 | I don't have that set so the default should be working | 19:07 |
| johnsom | If you are on 4.x, you may need to also configure https://doc.powerdns.com/authoritative/settings.html#setting-allow-unsigned-notify | 19:07 |
| samcat116 | I do have trusted-notification-proxy set as pdns is behind a LB. That part appears to be working as it isn't refusing the notify anymore | 19:08 |
| samcat116 | Ok, I'll try that then | 19:08 |
| samcat116 | well that default seems to be fine | 19:08 |
| johnsom | Are you using TSIG on the zones? | 19:08 |
| samcat116 | no | 19:08 |
| johnsom | Hmmm, then I am not sure why the NOTIFY isn't triggering PDNS to do a serial check/zone transfer. | 19:10 |
| samcat116 | I also dont see a notify after I create a recordset | 19:12 |
| samcat116 | strike that, I do | 19:13 |
| johnsom | It should send one on any zone update, but they can be "batched" so there might be a short delay. | 19:14 |
| samcat116 | yep that makes sense | 19:15 |
| johnsom | You said you have an LB in front, do the PDNS servers have a route back to the mini-DNS instances to do the AXFR pull? | 19:18 |
| johnsom | I would expect PDNS to log something if that was the case, but... I mostly work with BIND, so I don't know all of the details with PDNS | 19:19 |
| samcat116 | It should. it can do the axfr when the zone is created | 19:20 |
| samcat116 | I see that happening in the pdns logs | 19:20 |
| johnsom | That's right, you said a manually triggered transfer was successful. Hmmm | 19:20 |
| samcat116 | Should I see the SOA record on the PDNS side? I don't see that in any of my zones | 19:22 |
| samcat116 | its just on the openstack side | 19:22 |
| johnsom | I would expect it to be there, yes | 19:24 |
| johnsom | That is how PDNS can check it's serial number (in the SOA) with the one in mini-DNS | 19:24 |
| johnsom | The initial AXFR should have pulled that over. | 19:25 |
| samcat116 | It does not, just the NS record | 19:26 |
| johnsom | Double check the targets: masters settings in your pool config | 19:29 |
| johnsom | Maybe compare your running pool config with this one: https://docs.openstack.org/designate/latest/admin/pools.html#managing-pools | 19:30 |
| johnsom | The PDNS zone create just sends PDNS the zone and the list of masters, from that it should AXFR the zone | 19:31 |
| johnsom | I do recommend using "$ designate-manage pool show_config" just in case the config file on disk is different than the running config. | 19:34 |
| samcat116 | Oh I think this is due to the serial not being bumped on the designate side | 19:34 |
| samcat116 | the serial in desginate has not changed after adding recordsets | 19:34 |
| johnsom | It should still do the initial transfer though | 19:35 |
| samcat116 | the masters in my pool config are my controllers running mdns | 19:40 |
| samcat116 | So when I add a recordset to a zone, should that increase the serial? | 20:11 |
| johnsom | Yeah, after a short period of time (batching). | 20:16 |
| samcat116 | None of my zone serials have ever changed since creation | 20:18 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!