Sqlite + GeoIP backend working on primary, failing on all secondaries

[anuragbhatia]

I am trying to achieve basic GeoIP responses with pickclosest alongside of keeping my zones in SQLite backend.

On primary it works absolutely fine but not on any of secondaries. Config on primary & secondary is mostly similar and so does the packages (to best of my knowledge).

Primary config:

launch=gsqlite3,geoip
local-address=<hidden>
gsqlite3-database=/var/lib/powerdns/pdns.db
gsqlite3-dnssec=yes
primary=yes
allow-axfr-ips=<hidden>
also-notify=<hidden>
only-notify=<hidden>
logging-facility=0
enable-lua-records=yes
lua-health-checks-interval=5
geoip-database-files=mmdb:/usr/share/GeoIP/GeoLite2-City.mmdb

and secondary:

launch=gsqlite3,geoip
local-address=<hidden>
gsqlite3-database=/var/lib/powerdns/pdns.db
gsqlite3-dnssec=yes
secondary=yes
allow-notify-from=<hidden>
logging-facility=0
loglevel=5
enable-lua-records=yes
lua-health-checks-interval=5
geoip-database-files=mmdb:/usr/share/GeoIP/GeoLite2-City.mmdb

Packages wise both have:

1. PDNS auth server
2. PDNS Sqlite and GeoIP backend
3. geoipupdate to get the GeoIP database

I see geo records on secondaries when looking at pdnsutil list-zone <domain> output but not query shows nothing with status: NOERROR.

Unsure if I am missing some package on secondary or somehow this setup just doesn't work on secondaries?

[Habbie]

I see geo records on secondaries when looking at pdnsutil list-zone <domain> output but not query shows nothing with status: NOERROR.

can you show us the list-zone output from both machines, and dig output from both machines?

[anuragbhatia]

Thanks for helping out @Habbie

List zone output from both machines:

Note: Grepping out the specific record as overall zone is pretty large.

Primary

sudo pdnsutil list-zone anuragbhatia.com | grep geo.an
geo.anuragbhatia.com	60	IN	LUA	A "pickclosest({'45.64.190.32','144.91.67.7','65.19.151.10'})"

Secondary

sudo pdnsutil list-zone anuragbhatia.com | grep geo.an
geo.anuragbhatia.com	60	IN	LUA	A "pickclosest({'45.64.190.32','144.91.67.7','65.19.151.10'})"
geo.anuragbhatia.com	60	IN	RRSIG	LUA 13 3 60 20240912000000 20240822000000 48932 anuragbhatia.com lNgo0BXITuDWqqjxF8hNy6HJAbKfKWC1yFEerNimsG+20lkfetGKGXnO2y1b99tOgFozAAh4ZFD0/MDdAnsK/g==
geo.anuragbhatia.com	300	IN	RRSIG	NSEC 13 3 300 20240912000000 20240822000000 48932 anuragbhatia.com 96Y9+Y5eQf7myUdeYrxivU6tpOzROqfEpYwV2wDAr2BcbXna3R063NiSUpveattn0L4d+Dle2Wb18T5ZzuXjmQ==

and here is query output:

Primary

anurag@anurag-desktop ~> dig @ns1.anuragbhatia.com geo.anuragbhatia.com a 

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> @ns1.anuragbhatia.com geo.anuragbhatia.com a
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58118
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;geo.anuragbhatia.com.		IN	A

;; ANSWER SECTION:
geo.anuragbhatia.com.	60	IN	A	45.64.190.32

;; Query time: 149 msec
;; SERVER: 144.91.67.7#53(ns1.anuragbhatia.com) (UDP)
;; WHEN: Thu Aug 29 17:20:49 IST 2024
;; MSG SIZE  rcvd: 65

anurag@anurag-desktop ~> 

Secondary

anurag@anurag-desktop ~> dig @ns3.anuragbhatia.com geo.anuragbhatia.com a

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> @ns3.anuragbhatia.com geo.anuragbhatia.com a
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57915
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;geo.anuragbhatia.com.		IN	A

;; AUTHORITY SECTION:
anuragbhatia.com.	300	IN	SOA	ns1.anuragbhatia.com. me.anuragbhatia.com. 2024082902 1800 600 1209600 300

;; Query time: 30 msec
;; SERVER: 45.64.190.62#53(ns3.anuragbhatia.com) (UDP)
;; WHEN: Thu Aug 29 17:21:03 IST 2024
;; MSG SIZE  rcvd: 92

anurag@anurag-desktop ~> 

[Habbie]

can you do pdnsutil show-zone on both?

[anuragbhatia]

Sure, here it is:

Primary

sudo pdnsutil show-zone anuragbhatia.com
This is a Master zone
Last SOA serial number we notified: 2024082902 == 2024082902 (serial in the database)
Metadata items:
	API-RECTIFY	1
	SOA-EDIT-API	DEFAULT
Zone has NSEC semantics
keys:
ID = 8 (CSK), flags = 257, tag = 48932, algo = 13, bits = 256	  Active	 Published  ( ECDSAP256SHA256 )
CSK DNSKEY = anuragbhatia.com. IN DNSKEY 257 3 13 Rel4gSs1e7LIqyebogIi1bz6XyS24h0iZ+78lN93SPv7nD018gG+806S8DrvIaBFPfNHBsgobHbJMytVmEElKw== ; ( ECDSAP256SHA256 )
DS = anuragbhatia.com. IN DS 48932 13 2 f22961399a3b895d77eac4954efac96e6794124c465dc92638ca4122dfb36b2f ; ( SHA256 digest )
DS = anuragbhatia.com. IN DS 48932 13 4 6bddeb2b5e69300633cb7461e3c164cfa99275d3190d1b640e6e49197d25de6845acef8065cb69569c18037c6f743fd9 ; ( SHA-384 digest )

Secondary

sudo pdnsutil show-zone anuragbhatia.com
This is a Slave zone
Primary: 100.64.0.3:53
Last time we got update from primary: Thu 2024-08-29 19:00:01
SOA serial in database: 2024082902
Refresh interval: 1800 seconds
Metadata items:
	PRESIGNED	1
Zone is presigned
Zone has NSEC semantics
keys:
KSK, tag = 48932, algo = 13, bits = 256
DNSKEY = anuragbhatia.com. IN DNSKEY 257 3 13 Rel4gSs1e7LIqyebogIi1bz6XyS24h0iZ+78lN93SPv7nD018gG+806S8DrvIaBFPfNHBsgobHbJMytVmEElKw==; ( ECDSAP256SHA256 )
DS = anuragbhatia.com. IN DS 48932 13 2 f22961399a3b895d77eac4954efac96e6794124c465dc92638ca4122dfb36b2f ; ( SHA256 digest )
DS = anuragbhatia.com. IN DS 48932 13 4 6bddeb2b5e69300633cb7461e3c164cfa99275d3190d1b640e6e49197d25de6845acef8065cb69569c18037c6f743fd9 ; ( SHA-384 digest )

[Habbie]

if (rr.dr.d_type == QType::LUA && !d_dk.isPresigned(d_sd.qname)) {

as I somewhat started to suspect when I saw DNSSEC signatures in your list-zone, we don't execute LUA records in presigned zones, because we can't generate valid signatures for the output. You'll have to switch to native replication, or have both machines AXFR the zone from an unsigned (hidden) primary and have the private key on both.

[anuragbhatia]

Interesting. Thanks a lot for this input.

How about something like having “geo” as a sub unsigned zone with delegation on same set of servers ? (Surely not as safe as signed zone as effectively dnssec would be disabled) but curious to see if that will work.

[Habbie]

oh yes, that should work. Do remember to put NS records for geo in the parent zone, even if they're on the same servers.