"Specifying Notify Source IP for PowerDNS in Kubernetes Cluster

[SowAbdoul]

Hi @pschiffe

I have a Kubernetes cluster running PowerDNS, using a LoadBalancer service to expose port 53, referred to as the primary, and I have 2 slaves on separate VMs.

Initially, when I create a zone on the primary:

Primary:
Notification request for zone 'test.cloud' received from operator
Received unsuccessful notification report for 'test.cloud' from (IP of Slave 1):53, error: Query Refused
Received unsuccessful notification report for 'test.cloud' from (IP of Slave 2):53, error: Query Refused

Slaves:
Received NOTIFY for test.cloud from (IP address of a Kubernetes worker different from IP for PowerDNS LoadBalancer), but the remote is not providing a TSIG key or in allow-notify-from (Refused)

To address this, I added the worker and control plane IP addresses to PDNS_allow_notify_from and PDNS_allow_axfr_ips:

PDNS_allow_notify_from: "IP of CP-1, IP of Worker 1, IP of Worker-2"
PDNS_allow_axfr_ips: "IP of CP-1, IP of Worker 1, IP of Worker-2"

Now, the error has changed:

Primary:
Notification request for zone 'test.cloud' received from operator

Slaves:
Received NOTIFY for test.cloud from "IP of Worker-2" for which we are not authoritative, trying supermaster
Error resolving SOA or NS for test.cloud at: "IP of Worker-2": Timeout waiting for answer from "IP of Worker-2"

I've tried the following commands:

dig @ "IP of Worker-2" test.cloud SOA: NOK
dig @ "IP of PowerDNS LoadBalancer" test.cloud SOA: OK

My question is: How can I configure PowerDNS notifications to use the dedicated IP of the primary (the LoadBalancer service that exposes port 53)?

[pschiffe]

Hi @SowAbdoul, for this to work, you also need to configure NS records of the domain correctly, including the IPs of all (master and slave) dns servers. SOA as well, hence the error Error resolving SOA or NS for test.cloud.

Also please note that powerdns really doesn't like NAT / LBs / Proxy, so you may have to jump through couple of hoops.

[SowAbdoul]

Do you have any ideas that I cloud explore?

kubectl -n powerdns get svc
powerdns-dns     LoadBalancer   10.98.187.135   LOAD_BALANCER_IP   53:31936/TCP,53:31936/UDP   197d

I also tried this

PDNS_local_address: "LOADBALANCER_IP"

"
Error Message:

Jan 17 Our pdns instance exited with code 1, respawning
Jan 17 Guardian is launching an instance
Jan 17 Loading '/usr/lib/pdns/pdns/libgmysqlbackend.so'
Jan 17 This is a guarded instance of pdns
Jan 17 Unable to bind UDP socket to 'LOAD_BALANCER_IP:53': Address not available
Jan 17 Fatal error: Unable to bind to UDP socket

[pschiffe]

The LB's IP is not available in the pdns pod, so pdns won't be able to bind to it. For binding I would keep the address 0.0.0.0.

There will be different IPs for pdns and LB. And this is really the issue. Most configuration about who is the master, who can transfer zones and where can I answer are about IPs in the powerdns.

To make master <-> slave communication easier I would suggest to setup mysql replication instead of pdns zone transfers. One mysql primary can have multiple replicas, when behind NAT / LB, it easier to setup. Content of the mysql db is the same for pdns masters and slaves.

Then you only need to deal with LB and primary pdns. Maybe using the IP of LB in NS zone records can do it. If not, add also IP of pdns pod.