Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Until this issue is resolved and pdns/ldap becomes capable of sending Notify messages as Master, I had to find a temporary - I hope - solution, and now I have managed to bring it to a working mode.

So, I have installed notify-dns-slaves, included in the package slapi-dnsnotify-0.2.1.tar.gz (see http://memberwebs.com/stef/software/slapi-dnsnotify/). [I remind you that the slapi-dnsnotify plugin could not be loaded by the standard OpenLDAP 2.3.43 CentOS package.]

Then, I created this little script (remember I'm on CentOS 5.5):

#!/bin/bash
# Find the current zone serial number and store it in the newsn variable.
# Note that grep sysadmin is there to isolate the sOARecord line from the output of ldapsearch,
# simply because I'm using sysad...@example.com as the DNS administrator email.
# awk then isolates the serial number from the SOA line.
# (<bind-password> stands for the bind password, which is not shown in the post.)
#
newsn=`ldapsearch -x -D uid=userxxx,ou=system,dc=example,dc=com -w '<bind-password>' -s sub -b \
  ou=dns,dc=example,dc=com '(&(dc:dn:=10.10.10.in-addr.arpa)(soarecord=*))' \
  soarecord | grep sysadmin | awk '{ print $4 }'`
# This is where the most recent serial number is saved
File=/etc/pdns/notifyscr/reversesn.txt
# Read the latest stored serial number from the above file
{ read oldsn; } < $File
# If the serial has been incremented, store the new serial in the place of the old one,
# then send Notify to server 10.10.10.101
#
if [ "$newsn" -gt "$oldsn" ]
then
    echo $newsn > /etc/pdns/notifyscr/reversesn.txt
    /usr/local/bin/notify-dns-slaves 10.10.10.in-addr.arpa 10.10.10.101
fi
exit 0

We have to repeat the above for any other (forward or reverse) zone. So, I have multiplied it by 7 (1 forward, 6 reverse zones). The script (when *not* sending Notify) for the 7 zones runs in 345 ms (every three minutes), which means that it doesn't cause any serious load to my server.
Finally, we schedule the script in cron to run as often as we want (I run it every three minutes to achieve slave DNS server sync in three minutes max):

# Run the script every three minutes, and do not send email notifications
*/3 * * * * /etc/pdns/notifyscr/scr1 > /dev/null 2>&1

If someone can optimize the script, or make it in a form which would deal with many zones without repeating the same piece of source code, it would be a welcome addition. I might work on it too, when I have time.

I have not managed to find a solution for implementing triggered Notify (I might try the openldap accesslog overlay, as indicated in some discussions).

The above is a working solution (at least when few zones are involved). Still - even by its nature - it *underlines the importance of supporting Notify natively in powerdns / ldap backend*.

Thanks again to Jan-Piet Mens for the notify-dns-slaves tool.

Nick

On 2/10/2010 4:58 PM, Nikolaos Milas wrote:
> I have now filed a bug (new enhancement) for this, it's No. 318 (http://wiki.powerdns.com/trac/ticket/318).

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
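The multi-zone form of the poller that the post asks for, as an added example (not the script from the thread and not part of slapi-dnsnotify): it assumes the same LDAP layout and notify-dns-slaves tool as above, keeps the last seen serial in one state file per zone, and reads the bind password from a root-only file instead of passing it with -w, which is visible to every local user in the process list.

```shell
#!/bin/bash
# Added example (not the script from the thread): one poller for several zones.
# Assumes the thread's layout (zone entries carrying sOARecord under
# ou=dns,dc=example,dc=com), Jan-Piet Mens' notify-dns-slaves on the PATH, and
# the bind password in a root-only file read with -y rather than given with -w,
# where every local user can read it from the process list.
set -u
LDAP_BASE=${LDAP_BASE:-ou=dns,dc=example,dc=com}
LDAP_BINDDN=${LDAP_BINDDN:-uid=userxxx,ou=system,dc=example,dc=com}
LDAP_PWFILE=${LDAP_PWFILE:-/etc/pdns/notifyscr/bindpw}   # mode 0600, owned by root
STATE_DIR=${STATE_DIR:-/etc/pdns/notifyscr/state}        # last seen serial per zone
LDAPSEARCH=${LDAPSEARCH:-ldapsearch}                     # overridable for testing
NOTIFY=${NOTIFY:-notify-dns-slaves}                      # overridable for testing
ZONES='example.com 10.10.10.101
10.10.10.in-addr.arpa 10.10.10.101'   # zone -> slave(s); constructed sample table

# Print the serial (4th word) of the first sOARecord in the LDIF on stdin, or nothing.
# ldapsearch wraps long values at 76 columns, so continuation lines (leading
# space) are joined first; no grep for the admin mailbox is needed.
soa_serial_from_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    awk 'tolower($1) == "soarecord:" { print $4; exit }'
}

# Serial of one zone straight from LDAP; empty output means the lookup failed.
fetch_serial() {
    "$LDAPSEARCH" -x -LLL -D "$LDAP_BINDDN" -y "$LDAP_PWFILE" -b "$LDAP_BASE" -s sub \
        "(&(dc:dn:=$1)(soarecord=*))" soarecord | soa_serial_from_ldif
}

# True only if $2 is a numeric serial above the stored one for zone $1; the store
# is written only then, so a failed lookup or a rollback never loses state.
serial_increased() {
    f="$STATE_DIR/$1.serial"
    old=$(cat "$f" 2>/dev/null || echo 0)
    case $2 in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -gt "${old:-0}" ] 2>/dev/null || return 1
    printf '%s\n' "$2" > "$f"
}

# Check every zone in the table, notify the changed ones and print their names.
check_all_zones() {
    mkdir -p "$STATE_DIR"
    printf '%s\n' "$ZONES" | while read -r zone slaves; do
        [ -n "$zone" ] || continue
        if serial_increased "$zone" "$(fetch_serial "$zone")"; then
            "$NOTIFY" "$zone" $slaves && printf '%s\n' "$zone"   # slaves: word-split on purpose
        fi
    done
}
```

Run it from cron as in the post with `check_all_zones` appended as the last line; a zone whose lookup returns nothing is skipped rather than notified or overwritten in the state directory.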
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
> Why does openldap refuse to load the plugin (one way or another)? Am I doing something wrong?

I'd say your slapd has no support for loadable modules -- you're going to have to rebuild it.

-JP
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
I have reached the same conclusion. However, rebuilding openldap doesn't seem to be easy or straightforward (but I'll give it a try when I can)... It is commonly accepted that on production servers, pre-built, platform-specific RPMs are preferred (to avoid all sorts of problems), compiled by a few experts, and I am not a master at compiling :(.

Even if it had worked, I would continue to urge pdns developers to support pdns/ldap Master functionality (essentially NOTIFY) in the core code. It's an important feature. We users (eventually) find solutions one way or another (always with developers' and experienced users' help), but supporting features that help avoid implementation complexity leads to better production systems and to happier administrators :). So, my request to add master support to the ldap backend remains open!

I also tried the notify-dns-slaves tool (which might be of great value) manually, but I'm getting errors:

notify-dns-slaves -d 4 'x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa' dns2.example.com
notify-dns-slaves: building notification packet for x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
notify-dns-slaves: resolving address: dns2.example.com
notify-dns-slaves: resolved address for: [unknown]
notify-dns-slaves: preparing notification to: dns2.example.com
notify-dns-slaves: resolved address for: 10.10.10.101
notify-dns-slaves: preparing notification to: dns2.example.com
notify-dns-slaves: starting processing
notify-dns-slaves: sending notify for zone x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
notify-dns-slaves: sending notify for zone x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
notify-dns-slaves: couldn't send packet to server: dns2.example.com: Bad file descriptor
notify-dns-slaves: received successful response for server: dns2.example.com
notify-dns-slaves: sending notify for zone x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
notify-dns-slaves: couldn't send packet to server: dns2.example.com: Bad file descriptor
notify-dns-slaves: sending notify for zone x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
notify-dns-slaves: couldn't send packet to server: dns2.example.com: Bad file descriptor
notify-dns-slaves: sending notify for zone x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
notify-dns-slaves: couldn't send packet to server: dns2.example.com: Bad file descriptor
notify-dns-slaves: notification to server timed out: dns2.example.com
notify-dns-slaves: processing done

What does it mean by Bad file descriptor? What can I do?

Thanks for your great help and support,
Nick

On 2/10/2010 10:53 AM, Jan-Piet Mens wrote:
> > Why does openldap refuse to load the plugin (one way or another)? Am I doing something wrong?
>
> I'd say your slapd has no support for loadable modules -- you're going to have to rebuild it.
>
> -JP
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
An addition: despite the reported errors, notify is sent and received successfully, so notify-dns-slaves works fine!

So, this tool could be used with a cron'ed custom (bash) script (if one can't make slapi-dnsnotify work) which would regularly ldapsearch soarecord serials and send notify (when changed), as discussed earlier in this thread (something which I concluded could not be done with pdns_control for the ldap backend).

Nick

On 2/10/2010 1:01 PM, Nikolaos Milas wrote:
> What does it mean by Bad file descriptor? What can I do?
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Nikolaos Milas wrote:
> So, my request to add master support to ldap backend remains open!

I have no experience with using LDAP as a backend myself (I don't even know why you'd want to use LDAP as a backend), but have you actually filed a request ticket in the bug tracker? http://wiki.powerdns.com/

Nils.
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Nikolaos Milas wrote:
> In any case, returning to pdns/ldap notify support, I thought of filing a bug, but this simply is not a bug, but rather expected behavior, although we ldap-backend users have a hard time with it!

I believe most public bug trackers are also used for feature requests and enhancements. The PowerDNS bug tracker even has 'enhancement' as a ticket type ('defect' and 'task' are the other two).

Nils.
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Thanks Nils,

I have now filed a bug ("new enhancement") for this, it's No. 318 (http://wiki.powerdns.com/trac/ticket/318).

Nick.

On 2/10/2010 4:20, Nils Breunese (Lemonbit) wrote:
> I believe most public bug trackers are also used for feature requests and enhancements. The PowerDNS bug tracker even has 'enhancement' as a ticket type ('defect' and 'task' are the other two).
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Thanks again for your help, JP.

I describe in short some more things I tried (I still need your guidance):

Initially, I found out that the plugin was not being loaded in openldap (as recorded in ldap.log):

/etc/openldap/slapd.conf: line 182: keyword plugin ignored

And:

# slaptest -d 255 -f slapd.conf
...
line 186 (plugin postoperation /usr/local/lib/slapi-dnsnotify.so plugin_init base-dn=ou=dns1,dc=example,dc=com zone-attribute=associatedDomain notify-delay=10)
slapd.conf: line 186: keyword plugin ignored
...
config file testing succeeded

Trying to solve the problem (why the plugin is not loaded), I came to the conclusion that I should probably add a moduleload slapi-dnsnotify.la directive in slapd.conf. So I copied the files slapi-dnsnotify.* to the directory where all openldap modules exist (/usr/lib64/openldap/) and tried again. But now openldap doesn't start at all:

# slaptest -d 255 -f slapd.conf
...
line 59 (moduleload slapi-dnsnotify.la)
loaded module slapi-dnsnotify.la
module slapi-dnsnotify.la: init_module() failed
slapd.conf: line 59: moduleload handler exited with 1!
slaptest: bad configuration file!

Why does openldap refuse to load the plugin (one way or another)? Am I doing something wrong?

Nick

On 1/10/2010 6:50 PM, Jan-Piet Mens wrote:
> > Changing the SOA serial doesn't seem to trigger any NOTIFY to NS Servers defined for the zone. Also, I see no sign of logging anywhere... It's as if the configuration statement included in slapd.conf is accepted, but never doing something.
>
> No hints really, as I haven't used that bit for some time. It worked for me once without problems at all. I'd try the following:
>
> 1. Ensure the slapi plugin is indeed being loaded by your slapd. (Check the slapd log.)
> 2. Ensure you've compiled slapi-plugin with WITH_SYSLOG defined, or it won't log.
> 3. I assume you've started the notify-dns-slaves daemon? That is the one which will send out the NOTIFY.
> 4. Once again, check the logs (var/log/messages); there must be something there...
>
> Good luck,
> -JP
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Hi,

I didn't receive any replies on this.

As we are deploying a new DNS server infrastructure in our organization and we have planned to use pdns/ldap on our primary master (already in operation), it would be important to us to know whether NOTIFY from pdns/ldap (master operation) will be offered as a feature in upcoming authoritative server releases or not, or if a patch or (Lua or other) script is available from pdns developers/community to provide such NOTIFY functionality (I haven't been able to find anything). This would affect to some extent our deployment architecture (type of slaves, type of remote slaves, etc.), because, unfortunately, we can't use the ldap backend on all slaves, and we don't want those slaves to remain unsynchronized for long, nor can we use very short refresh times.

Please, could you give a hint?

Thanks,
Nick

On 25/9/2010 12:54 AM, Nikolaos Milas wrote:
> So, can we hope for such a feature to be included in the next official release or, if you deem this is undesirable due to whatever specs, could it be offered as a patch, as the BIND/sdb one, or even as a Lua script?
> ...
> If not, can you suggest any other good solution(s) to trace ldap record changes and force AXFRs to slaves?
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Hi,

I guess a simple shell script can do the job for you:

* ldapsearch SOA records that changed today (provided your SOA numbering is using dates)
* for each entry: pdns_control notify domainname

Just my $.02

Dennis Roos

Nikolaos Milas wrote:
> Hi,
>
> I didn't receive any replies on this.
>
> As we are deploying a new DNS server infrastructure in our organization and we have planned to use pdns/ldap on our primary master (already in operation), it would be important to us to know whether NOTIFY from pdns/ldap (master operation) will be offered as a feature in upcoming authoritative server releases or not, or if a patch or (Lua or other) script is available from pdns developers/community to provide such NOTIFY functionality (I haven't been able to find anything). This would affect to some extent our deployment architecture (type of slaves, type of remote slaves, etc.), because, unfortunately, we can't use the ldap backend on all slaves, and we don't want those slaves to remain unsynchronized for long, nor can we use very short refresh times.
>
> Please, could you give a hint?
>
> Thanks,
> Nick
>
> On 25/9/2010 12:54 AM, Nikolaos Milas wrote:
> > So, can we hope for such a feature to be included in the next official release or, if you deem this is undesirable due to whatever specs, could it be offered as a patch, as the BIND/sdb one, or even as a Lua script?
> > ...
> > If not, can you suggest any other good solution(s) to trace ldap record changes and force AXFRs to slaves?