also-notify and allow-axfr with powerdns
I am using dnsmadeeasy.com as an authoritative DNS server and my cpanel server is a "shadow master" for them. This means a few unusual things:
- The name servers that are listed as NS records in my zone are not my cpanel server IPs at all. They are ns100.digicertdns.com, ns101.digicertdns.com, and ns102.digicertdns.com.
- I need to send notify messages and allow AXFR from 3 DIFFERENT servers, none of which are the ns100.digicertdns.com hosts. I need to send notifications to and allow AXFR from: 208.94.147.135, 208.94.150.198, and 63.219.151.12.
I'm running cPanel 132.0.23 and I found this support article. It seems to suggest that all I need to do is put this line in `/etc/named.conf`:
allow-transfer { 208.94.147.135; 208.94.150.198; 63.219.151.12; };
I have done that. I run rebuilddnsconfig and it exits successfully. I can see the log messages in /var/log/syslog indicating that pdns has restarted successfully. It doesn't work. In /var/log/syslog I see messages like this:
Feb 8 14:38:08 cpanel pdns_server[2382096]: AXFR-out zone 'example.org', client '63.219.151.12:10499', transfer initiated
Feb 8 14:38:08 cpanel pdns_server[2382096]: AXFR-out zone 'example.org', client '63.219.151.12:10499', failed: client may not request AXFR
Feb 8 14:38:23 cpanel pdns_server[2382096]: AXFR-out zone 'example.org', client '63.219.151.12:29003', transfer initiated
Feb 8 14:38:23 cpanel pdns_server[2382096]: AXFR-out zone 'example.org', client '63.219.151.12:29003', failed: client may not request AXFR
Feb 8 14:38:25 cpanel pdns_server[2382096]: AXFR-out zone 'example.org', client '208.94.150.198:23167', transfer initiated
Feb 8 14:38:25 cpanel pdns_server[2382096]: AXFR-out zone 'example.org', client '208.94.150.198:23167', failed: client may not request AXFR
Feb 8 14:38:40 cpanel pdns_server[2382096]: AXFR-out zone 'example.org', client '208.94.150.198:37897', transfer initiated
Feb 8 14:38:40 cpanel pdns_server[2382096]: AXFR-out zone 'example.org', client '208.94.150.198:37897', failed: client may not request AXFR
I have also gone into /etc/pdns/pdns.conf and added the following:
allow-axfr-ips=127.0.0.0/8,::1,208.94.147.135/32,208.94.150.198/32,63.219.151.12/32
I notice that my /etc/pdns/pdns.conf file had the line:
disable-axfr=yes
And that wasn't my doing. I think the support article is missing a mandatory step, because I've got a pretty new cPanel install and I don't think I've messed with this at all until now. I think disable-axfr is yes by default and people would need to change that to make the named.conf adjustments effective.
So I fix the pdns.conf option, rebuild and restart. The serial number of the cPanel zone is higher than the serial number that was on my old shadow name server (2026020804 versus 2024032508). I see the log here that shows AXFR initiated.
Feb 8 14:53:58 cpanel pdns_server[2504365]: AXFR-out zone 'example.org', client '208.94.147.135:18889', transfer initiated
That's what a successful zone transfer log looks like on my other non-cPanel pdns servers elsewhere.
If I run dig @myserver example.org. axfr I get transfer denied. Then I add my personal IP address to pdns.conf and NOT to named.conf, and I get an AXFR successfully to my laptop. So I think that support article is incorrect.
Also, I want to get powerdns to send notifies when there are changes. dnsmadeeasy is happy to poll based on the SOA refresh value, but that's 1 hour. As you can tell by the serial numbers, the domain's contents don't change often. If I can't send notifies, then 99.99% of the time it's going to do an AXFR that is totally unnecessary.
I ran commands like:
pdnsutil set-meta example.org ALSO-NOTIFY "63.219.151.12, 208.94.147.135, 208.94.150.198"
And dnsmadeeasy is still complaining that it does not receive notifies. Is it possible to turn on notifies? And can someone please fix/double-check that support article?
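The troubleshooting in this post boils down to two questions: which clients does the pdns log show being refused, and does pdns.conf actually permit them? The following script is an added example (not part of the original post or cPanel's tooling) that parses the AXFR-out syslog lines quoted above, reads disable-axfr and allow-axfr-ips from a pdns.conf fragment, and reports why each refused client was refused. The log lines and the two pdns.conf fragments are constructed sample input taken from the post; the function names are my own.

```python
import ipaddress
import re

# Constructed sample input: the syslog lines quoted in the post above.
SAMPLE_LOG = """\
Feb 8 14:38:08 cpanel pdns_server[2382096]: AXFR-out zone 'example.org', client '63.219.151.12:10499', transfer initiated
Feb 8 14:38:08 cpanel pdns_server[2382096]: AXFR-out zone 'example.org', client '63.219.151.12:10499', failed: client may not request AXFR
Feb 8 14:38:25 cpanel pdns_server[2382096]: AXFR-out zone 'example.org', client '208.94.150.198:23167', transfer initiated
Feb 8 14:38:25 cpanel pdns_server[2382096]: AXFR-out zone 'example.org', client '208.94.150.198:23167', failed: client may not request AXFR
Feb 8 14:53:58 cpanel pdns_server[2504365]: AXFR-out zone 'example.org', client '208.94.147.135:18889', transfer initiated
"""

# Constructed pdns.conf fragments: the state described before and after the fix.
SAMPLE_CONF_BEFORE = """\
disable-axfr=yes
allow-axfr-ips=127.0.0.0/8,::1,208.94.147.135/32,208.94.150.198/32,63.219.151.12/32
"""
SAMPLE_CONF_AFTER = SAMPLE_CONF_BEFORE.replace("disable-axfr=yes", "disable-axfr=no")

# Matches the AXFR-out log format shown above; the IP may be bracketed for IPv6 ([::1]:port).
AXFR_RE = re.compile(
    r"AXFR-out zone '(?P<zone>[^']+)', client '(?P<ip>[^']+):(?P<port>\d+)', (?P<msg>.*)$"
)


def parse_axfr_events(log_text):
    """Return one dict per AXFR-out line: zone, client ip, port and the trailing message."""
    events = []
    for line in log_text.splitlines():
        m = AXFR_RE.search(line)
        if m:
            events.append({
                "zone": m["zone"],
                "ip": m["ip"].strip("[]"),
                "port": int(m["port"]),
                "msg": m["msg"],
            })
    return events


def parse_pdns_conf(conf_text):
    """Return (disable_axfr, allowed_networks) from pdns.conf text.

    Only the two settings relevant here are read; comments and blank lines are skipped.
    """
    disable_axfr = False
    networks = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "disable-axfr":
            disable_axfr = value.lower() in ("yes", "true", "on", "1")
        elif key == "allow-axfr-ips":
            for item in value.split(","):
                item = item.strip()
                if item:
                    # strict=False tolerates host bits set in a prefix such as 10.1.2.3/24
                    networks.append(ipaddress.ip_network(item, strict=False))
    return disable_axfr, networks


def client_allowed(ip_str, networks):
    """True if the client address falls inside any allow-axfr-ips prefix."""
    ip = ipaddress.ip_address(ip_str.strip("[]"))
    return any(ip in net for net in networks)


def audit_axfr(log_text, conf_text):
    """Cross-check refused AXFR clients in the log against the pdns.conf settings."""
    disable_axfr, networks = parse_pdns_conf(conf_text)
    events = parse_axfr_events(log_text)
    findings = []
    if disable_axfr:
        findings.append("disable-axfr=yes: outbound AXFR is off globally; allow-axfr-ips is not consulted")
    denied = sorted({e["ip"] for e in events if e["msg"].startswith("failed:")})
    for ip in denied:
        if not client_allowed(ip, networks):
            findings.append(f"{ip}: refused and absent from allow-axfr-ips")
        elif disable_axfr:
            findings.append(f"{ip}: listed in allow-axfr-ips but refused; disable-axfr=yes overrides the list")
        else:
            findings.append(f"{ip}: listed in allow-axfr-ips but refused; confirm pdns restarted with this config")
    return {"disable_axfr": disable_axfr, "denied_clients": denied, "findings": findings}


if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_CONF_BEFORE), ("after", SAMPLE_CONF_AFTER)):
        print(f"--- {label} ---")
        for f in audit_axfr(SAMPLE_LOG, conf)["findings"]:
            print(f)
```

Run against a real system with `audit_axfr(open("/var/log/syslog").read(), open("/etc/pdns/pdns.conf").read())`. The useful output is the combination: a client that is both listed in allow-axfr-ips and refused points at the global disable-axfr switch rather than at the IP list, which is exactly the situation the post describes.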
Hey there! For the notifies function, can you try this option mentioned here?
https://www.ncartron.org/making-powerdns-send-notifies-to-secondaries.html
Can you get me more details on what specifically you're changing in regards to the laptop IP to get that working?
I know this was a long time ago, but that blog post says to run a command that I don't think works on cPanel because cPanel uses the BIND backend:
pdnsutil set-kind example.com primary
And so when I ran it on my cPanel 134.0.30 server, I got:
May 26 21:15:01 [bindbackend] Done parsing domains, 0 rejected, 30 new, 0 removed
Could not find backend willing to accept new zone configuration
I have found another thing that interferes. ALIAS records are super dangerous. I get it. I created the silly file that says yes, yes, I know they're dangerous. Here's one of the ways they can cause problems.
ALIAS records need a fully qualified domain name, including the trailing dot, much like a CNAME. I had a record like:
example.com. 86400 IN ALIAS example-com.firebaseapp.com
And that resolves to example-com.firebaseapp.com.example.com. And that doesn't resolve at all, so the ALIAS record doesn't work. But the error in /var/log/syslog is really misleading:
May 26 21:07:46 cpanel pdns_server[2330730]: AXFR-out zone 'example.com', client '111.111.111.111:37163', example.com: error resolving AAAA record for ALIAS target example-com.firebaseapp.com.example.com., continuing AXFR
See, it SAYS "continuing AXFR" but I'm pretty sure it did not. Because my upstream DNS server was complaining that it was not getting the records. My upstream service was giving me a confusing connection refused error, but I don't think the connection was refused at all. I think the AXFR was crashing or stopping in the middle or something.
Anyways, fixing the ALIAS record so that it would resolve got AXFRs to complete successfully.
I'm using DNS Made Easy as my public DNS servers, and I have my cPanel server as a "shadow master." That is, my cPanel server's IP is not published as an NS record in the zone. Only the DNS Made Easy servers are published.
Here's my total solution for this shadow master arrangement. Note there is a really interesting asymmetry here. For a lot of systems, the DNS server that you notify is the same server that will initiate the AXFR. At DME, they have one set of IPs that I send notifies to, and a different set of IPs that actually initiate the transfer.
- Put disable-axfr=no in /etc/pdns/pdns.conf
- Put allow-axfr-ips=127.0.0.0/8,::1,208.94.148.13/32,208.80.124.13/32,208.80.126.13/32 into /etc/pdns/pdns.conf
- Put allow-transfer { 208.94.148.13/32; 208.80.124.13/32; 208.80.126.13/32; }; into /etc/named.conf
- Edited the /etc/named.conf configuration for example.com so it looks like:
zone "example.com" {
    type master;
    file "/var/named/example.com.db";
    also-notify { 208.94.147.135; 208.94.150.198; 63.219.151.12; };
};
There are 2 views, internal and external. I put this also-notify line in both views, but I'm sure it's unnecessary in the internal view.
Any time I add a zone that I want to do a shadow master configuration I have to edit /etc/named.conf directly like that. I write this all up so maybe someone else looking for similar information can find it here.
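The ALIAS problem described earlier in this post (a target without a trailing dot silently becomes target.zone. and the AXFR then fails with a misleading log message) is easy to catch before the zone is loaded. The following is an added example, not code from the post or from cPanel/PowerDNS, that scans a zone file for ALIAS and CNAME records whose target is relative, shows the name the server would actually try to resolve, and writes out a corrected copy. The zone fragment is constructed sample input that reproduces the mistaken record from the post; the function names are my own.

```python
# Constructed sample zone fragment; the ALIAS line reproduces the mistake from the post.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 86400
example.com. 86400 IN ALIAS example-com.firebaseapp.com   ; missing trailing dot
www          3600  IN CNAME example.com.
blog               IN CNAME ghs.googlehosted.com.
mail               IN A     192.0.2.10
"""

# Record types whose RDATA is a hostname that gets origin-appended when relative.
HOSTNAME_RTYPES = {"ALIAS", "CNAME"}


def qualify(name, origin):
    """Absolute names (trailing dot) are returned unchanged; relative names get the origin appended."""
    if name.endswith("."):
        return name
    if name == "@":
        return origin
    return f"{name}.{origin}"


def find_unqualified_targets(zone_text, origin=None):
    """Return ALIAS/CNAME records whose target lacks a trailing dot.

    Each finding carries the owner, the type, the literal target and the name the
    server would resolve after origin-appending, plus the zone-file line index.
    """
    findings = []
    last_owner = None
    for line_no, raw in enumerate(zone_text.splitlines()):
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            continue
        if tokens[0].startswith("$"):
            continue
        # A line starting with whitespace reuses the previous owner name.
        if raw[:1].isspace():
            owner, rest = last_owner, tokens
        else:
            owner, rest = tokens[0], tokens[1:]
            last_owner = owner
        rtype = next((t for t in rest if t.upper() in HOSTNAME_RTYPES), None)
        if rtype is None or owner is None:
            continue
        target = rest[-1]
        if not target.endswith("."):
            if origin is None:
                raise ValueError("zone has no $ORIGIN and no origin was supplied")
            findings.append({
                "line_no": line_no,
                "owner": qualify(owner, origin),
                "type": rtype.upper(),
                "target": target,
                "effective_target": qualify(target, origin),
            })
    return findings


def fix_zone(zone_text, origin=None):
    """Return the zone text with a trailing dot appended to every flagged target."""
    lines = zone_text.splitlines()
    for f in find_unqualified_targets(zone_text, origin):
        head, sep, comment = lines[f["line_no"]].partition(";")
        lines[f["line_no"]] = head.rstrip() + "." + (" " + sep + comment if sep else "")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in find_unqualified_targets(SAMPLE_ZONE):
        print(f"{f['owner']} {f['type']} {f['target']} would resolve as {f['effective_target']}")
    print(fix_zone(SAMPLE_ZONE))
```

The effective_target reported for the sample is the same name that appeared in the "error resolving AAAA record for ALIAS target" log line, which is the quickest way to confirm that a failed transfer is a trailing-dot problem rather than a permissions one. The check applies equally to CNAME targets, which fail the same way.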
Thanks for sharing - you're correct that the command may not work on the latest cPanel systems.