On 7/8/2012 8:31 PM, Fred Wittekind wrote:
> On 07/05/2012 06:00 PM, bert hubert wrote:
>> On Jul 5, 2012, at 8:18 PM, Fred Wittekind wrote:
>>> Then I got this error when trying to start nproxy (IP address censored):
>>> nproxy: Fatal: Binding socket for incoming packets to 'a.b.c.d:53': Address already in use
>>>
>>> Which of course makes sense after seeing it, pdns is already binding to the same IP/port.
>>>
>>> So, my question is this... Can the functionality of nproxy be rolled into pdns so that pdns itself can forward the notify to another instance of pdns (on the master server), or can nproxy and pdns be made to work on the same IP? I looked into trying to see if I could get iptables to split out the notify messages to a different destination IP so I could put nproxy on a different IP than pdns, but I didn't figure out a good (reliable) way to do this.
>>
>> Interesting. The original use case was where the outside world would never be talking to that master, or at least not taking the initiative to do so. So the outside world would think the nproxy IP address was the slave, and nproxy would then relay that to the real slave, which would reach out over TCP to make it happen. I think some NAT trick is used to make sure that the outgoing traffic appears as the address that was notified.
>>
>> If you want to have this integrated, what exactly is your use case? Better protection for the hidden master?
>>
>> Please don't get me wrong, I get the impression what you want is reasonable, but I can't quite wrap my head around your exact requirements.
>>
>> Please let us know!
>>
>> Bert
>> PowerDNS
>
> What we are trying to do is have what we call NSMS, which is a server that sits behind our firewall, and is the MySQL master db server. Then we are going to have 3 name servers on public IPs that will be MySQL slaves of NSMS (what PDNS calls native replication I think). We would then have some type of web interface managing the DNS records on NSMS. This setup covers the need of 90+% of the domains we host.
>
> We have a small handful of domains that we slave from one of our client's servers. The 3 name servers we would have on public IPs would be unable to write to their local MySQL instance, because they are MySQL slaves, so we would need that notify to be passed on to NSMS, which our 3 public name servers can talk to, but our clients' servers can't.
>
> Right now, the clients are configured to send the notify to one of our existing 3 public name servers, and it has a script on it that intercepts that notify and passes it on to the existing NSMS. I would prefer to avoid solutions that require the clients to change their configuration. Our new PDNS based servers are intended to take over the IP addresses of our old name servers.
>
> Looks like it would be pretty easy to re-write one of the SQL queries so that the 3 public name servers get back "native" as the replication mode for all domains, including the ones that NSMS actually slaves off a client server. The trick I think is just going to be getting the notify forwarded to NSMS (since it's the only server with MySQL write access).
>
> Fred Wittekind

I've been looking at the code in nproxy, and the code in pdns that tests against the trusted-notification-proxy setting, and I see that it tests that the notify came from the trusted-notification-proxy, and that it tests that the domain the notify is for has a master, but I do not see that it checks that the original notify came from the master, or that nproxy even passes along that information to pdns. Am I missing something, or am I reading the code correctly?

If I am reading the code correctly, would it be possible or a good idea for nproxy to forward along the IP address it received the notify from, and for pdns to check that IP against the master for the zone?

Fred Wittekind

_______________________________________________
Pdns-users mailing list
http://mailman.powerdns.com/mailman/listinfo/pdns-users
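The check Fred is asking about, written out as an added illustration (this is not PowerDNS or nproxy code, and nothing here is the project's actual implementation). The toy model below relays a NOTIFY through a proxy that, hypothetically, preserves the address it received the packet from, and then evaluates it on the receiving server under two rules: the rule as Fred reads it (packet came from the trusted proxy, and the zone has a master) and a stricter rule that additionally compares the relayed original sender against the zone's configured master. The zone table, the proxy address and the `original_sender` field are all constructed for the example, using RFC 5737 documentation addresses. A NOTIFY relayed from an address other than the zone's master is accepted by the first rule and refused by the second, which is exactly the gap the question describes.

```python
"""Toy model of relaying a DNS NOTIFY and validating it on the receiving server.
Added illustration only; not PowerDNS or nproxy code. All addresses are constructed
from the RFC 5737 documentation ranges."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

# Constructed zone table: zone -> addresses of the master(s) allowed to send NOTIFY.
ZONE_MASTERS: Dict[str, List[str]] = {
    "example.com.": ["192.0.2.10"],
    "example.net.": ["198.51.100.7", "198.51.100.8"],
}

# Hypothetical stand-in for a trusted-notification-proxy setting on the receiver.
TRUSTED_PROXY = "203.0.113.5"


@dataclass
class Notify:
    zone: str
    sender: str                             # address the packet actually arrived from
    original_sender: Optional[str] = None   # hypothetical: filled in by the relay


def relay_via_proxy(received: Notify, proxy_addr: str = TRUSTED_PROXY) -> Notify:
    """What a relay would emit if it preserved the address it got the NOTIFY from."""
    return Notify(zone=received.zone, sender=proxy_addr, original_sender=received.sender)


def _is_listed(addr: str, listed: List[str]) -> bool:
    """Compare parsed addresses; an unparsable address is simply not listed."""
    try:
        parsed = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(parsed == ipaddress.ip_address(m) for m in listed)


def accept_notify_proxy_only(n: Notify, zone_masters: Dict[str, List[str]] = ZONE_MASTERS,
                             proxy: str = TRUSTED_PROXY) -> Tuple[bool, str]:
    """Rule as read from the thread: the packet must come from a master of the zone,
    or from the trusted proxy for any zone that has a master at all."""
    masters = zone_masters.get(n.zone)
    if not masters:
        return False, "zone unknown or has no master"
    if _is_listed(n.sender, masters):
        return True, "sent directly by a master"
    if _is_listed(n.sender, [proxy]):
        return True, "relayed by trusted proxy"
    return False, "sender is neither a master nor the trusted proxy"


def accept_notify_check_origin(n: Notify, zone_masters: Dict[str, List[str]] = ZONE_MASTERS,
                               proxy: str = TRUSTED_PROXY) -> Tuple[bool, str]:
    """Stricter rule: when the packet arrives via the proxy, the relayed original
    sender must itself be a master of the zone."""
    masters = zone_masters.get(n.zone)
    if not masters:
        return False, "zone unknown or has no master"
    if _is_listed(n.sender, masters):
        return True, "sent directly by a master"
    if _is_listed(n.sender, [proxy]):
        if n.original_sender is None:
            return False, "relayed without original sender"
        if _is_listed(n.original_sender, masters):
            return True, "relayed by trusted proxy from a master"
        return False, "relayed from a host that is not a master of the zone"
    return False, "sender is neither a master nor the trusted proxy"


if __name__ == "__main__":
    genuine = relay_via_proxy(Notify("example.com.", "192.0.2.10"))    # from the real master
    stray = relay_via_proxy(Notify("example.com.", "198.51.100.99"))   # from some other host
    for rule in (accept_notify_proxy_only, accept_notify_check_origin):
        print(rule.__name__, rule(genuine), rule(stray))
```

The only difference between the two rules is the branch that inspects `original_sender`; without that information being carried by the relay, the receiver has nothing to compare against the zone's master and can do no better than the first rule.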
