On 08/08/2011 11:34 PM, Leen Besselink wrote:
> On 08/08/2011 06:57 PM, Jan-Piet Mens wrote:
>> Hello,
>>
>> I was curious as to whether PowerDNS would sign records produced by the
>> PIPE back-end, particularly since the release notes indicate it may be
>> possible ([3] also says "partial support").
>>
>> I set up a small test with PowerDNS 3.0.1 [1] and the example
>> backend-v3.pl [2]. I encountered the following issues:
>>
> I tried that too. I did rename mine test.net and used gpsqlite3 because
> I already had that setup.
>
>> 0. Configuration `powerdns.conf` contains only:
>>
>>    daemon=no
>>    launch=gmysql,pipe
>>    gmysql-dnssec
>>    gmysql-dbname=pdns
>>    gmysql-host=127.0.0.1
>>    gmysql-port=3306
>>    gmysql-user=pdns
>>    gmysql-password=secret
>>    cache-ttl=0
>>    query-cache-ttl=0
>>    log-dns-details=yes
>>    loglevel=4
>>    pipe-command=/etc/powerdns/backend-v3.pl
>>    pipebackend-abi-version=3
>>
>> 1. A query of type ANY produces a SERVFAIL with the sample back-end. The
>> console logs:
>> Exception building answer packet (Parsing record content: Data field
>> in DNS should start with quote (") at position 3 of '" "hallo
>> allemaal!""') sending out servfail
>>
>> Changing quotes to single quotes, or removing them altogether doesn't
>> improve: I can't get PowerDNS to reply with a TXT RR.
>>
> Seems that part works for me if I remove all quotes:
>
> print "DATA $bits $auth $qname $qclass TXT 3600 -1 hallo allemaal!\n";
>
> Although it does add a space at the start:
>
> $ dig +short +norec +dnssec @127.0.0.1 test.net txt
> TXT 8 2 3600 20110818000000 20110804000000 63826 test.net.
> fD8xqLMN9vcBK1Y0CwAJrgr9CfFQRwdc3j9OVijHXjvU5TdMDZ4s4y0g
> JcmUCREUFAdbmasrKmthPEzGvtrD/K41zWSdjwArMDzehmozrCswU8Vq
> oGJ4K2n/2FEUUA1bpS0pbU+KLMW2I0EevhdPNojzgSyD78ztAOjcTH5o s6g=
> " hallo allemaal!"
>
>> 2. I created a zone in gmysql called example.com, type=NATIVE and
>> signed it with `pdnssec secure-zone example.com`. (Records table for
>> the zone is empty)
>>
> Yes, it won't work without a records-table.
>
>> 3. I query the PIPE backend `dig @127.0.0.1 example.com any' and get
>> expected results including 3 DNSKEY RR
>>
>> 4. I query the PIPE backend `dig @127.0.0.1 +dnssec example.com any' and
>> powerdns aborts with the following message on the console:
>>
>> Default beforeAndAfterAbsolute called!
>> Got a signal 6, attempting to print trace
>> ...
>>
>> A bug or two, surely? :-)
>>
> It does work for +dnssec for webserver.$domain A or $domain SOA
>
> Which is really encouraging.
>
> But it crashes as stated above if it just doesn't find things and needs
> to do DNSSEC.
>
> I was using NSEC and asking for AAAA also crashes the whole thing.
>
> A normal request to the pipe-backend looks like:
>
> 24718 Received: Q test.net IN SOA -1 127.0.0.1 127.0.0.1 127.0.0.1/32
> 24718 Sent SOA records
> 24718 End of data
>
> But a request just before a crash says:
>
> �/32 Received: Q test.net IN SOA -1 0.0.0.0 0.0.0.0 8
> 24724 Sent SOA records
> 24724 End of data
>
> Which suggests to me something in the PowerDNS-code isn't able to handle
> it when
> there is no result from any backend in combination with DNSSEC.
>

I forgot to add:

It also seems to ask the wrong question? Or at least use the wrong
'realRemote' and maybe that breaks the protocol? I didn't immediately
find the cause for it.

>> Additionally, I note that the documentation for the PIPE backend [3]
>> has no mention of ABI version 3, nor does it describe the bits and auth
>> returned by the example pipe backend. Could somebody explain what the
>> `bits' are?
>>
>> Thanks & regards,
>>
>> -JP
>>
>> [1]: http://downloads.powerdns.com/releases/rpm/pdns-static-3.0-1.i386.rpm
>> [2]: http://wiki.powerdns.com/trac/browser/trunk/pdns/modules/pipebackend/backend-v3.pl?rev=2239
>> [3]: http://doc.powerdns.com/backends-detail.html#pipebackend
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users@mailman.powerdns.com
>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
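
Added example, not part of the original thread or of the PowerDNS code: a pipe backend can validate each ABI v3 query line before answering, which makes a corrupted request like the one logged just before the crash visible on the backend side. The field order after the id (remote, local, EDNS subnet) and the function names are assumptions; the two sample lines are constructed from the log excerpts quoted above with the PID prefix dropped.

```python
import ipaddress

# Constructed from the two log lines quoted in the thread (PID prefix dropped).
GOOD = "Q test.net IN SOA -1 127.0.0.1 127.0.0.1 127.0.0.1/32"
BAD = "Q test.net IN SOA -1 0.0.0.0 0.0.0.0 8"

# Assumed ABI v3 field order for a query line (not stated on the page).
FIELDS = ("kind", "qname", "qclass", "qtype", "id", "remote", "local", "subnet")


def parse_query(line):
    """Split a v3 'Q' line into named fields; raise ValueError on a bad shape."""
    parts = line.split()  # accepts tabs or the spaces shown in the log
    if len(parts) != len(FIELDS) or parts[0] != "Q":
        raise ValueError(f"not a v3 query line: {line!r}")
    return dict(zip(FIELDS, parts))


def check_query(q):
    """Return the reasons the address fields look wrong (empty list if fine)."""
    problems = []
    for name in ("remote", "local"):
        try:
            addr = ipaddress.ip_address(q[name])
        except ValueError:
            problems.append(f"{name}: not an IP address: {q[name]!r}")
            continue
        # A real client never queries from the unspecified address.
        if name == "remote" and addr.is_unspecified:
            problems.append(f"remote: unspecified address {q[name]}")
    subnet = q["subnet"]
    try:
        if "/" not in subnet:
            raise ValueError("missing prefix length")
        ipaddress.ip_network(subnet, strict=False)
    except ValueError as exc:
        problems.append(f"subnet: {subnet!r} ({exc})")
    return problems


if __name__ == "__main__":
    for line in (GOOD, BAD):
        print(line, "->", check_query(parse_query(line)) or "ok")
```

A backend that logs these findings to stderr, instead of answering as if the request were normal, leaves a record of which query preceded the abort.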