On 6 Jun 2022, at 11:17, Brian Candler <b.cand...@pobox.com> wrote:
>
> On 06/06/2022 10:52, Djerk Geurts via Pdns-users wrote:
>> Jun 06 11:28:29 host.example.com <http://host.example.com/>
>> pdns_server[3559402]: Fatal error: Trying to set unknown setting
>> 'lua-dns-script’
> "lua-dns-script" is not a valid setting for pdns authoritative server. See:
>
> https://doc.powerdns.com/authoritative/settings.html
> <https://doc.powerdns.com/authoritative/settings.html>
> https://doc.powerdns.com/authoritative/lua-records/index.html
> <https://doc.powerdns.com/authoritative/lua-records/index.html>Thank you,
> yeah that’s what I’ve found. Just making sure I absolutely hadn’t missed
> something obvious.
> It's not clear what you're trying to do when catching NXDOMAIN responses, but
> having a wildcard LUA record might achieve it.
>
We’re using wildcard records for ENUM resolution but have found that adding a
more specific record next to a wildcard means that the more specific
‘subdomain’ breaks neighbouring records as they no longer match the wildcard.
One option is to add child wildcards, but for us this means adding 3 extra
wildcards for thousands of specific records. So I’m trying to catch these
NXDOMAIN replies and replace them with a CNAME for a parent record (which
hopefully will result in a query that is resolved by the wildcard record.
Maybe if I add some examples:
1.2.3.4.5.6.e164.arpa. NAPTR “some text with sip call routing info: AAA”
*.4.5.6.e164.arpa. NAPTR “some different sip call routing info: BBB”
A query for 9.9.9.4.5.6.e164.arpa. will result in BBB
A query for 1.2.3.4.5.6.e164.arpa. yields AAA
A query for 3.3.3.4.5.6.e164.arpa. yields NXDOMAIN
The above is all according to RFC and expected PowerDNS behaviour.
I’m hoping the following Lua will help change the effective behaviour to what
we need it to be. In our case ENUM records are 12 fields long and the defined
zones are 9 fields long:
function nxdomain(dq)
dquery = dq.qname:toString()
pdnslog("nxdomain called for: "..dq.qname:toString())
if dq.qtype == pdns.NAPTR then
pdnslog("Search parent wildcard record")
if dquery:countLabels() == 12 then
dquery = dquery:chopOff()
end
if dquery:countLabels() > 9 then
dquery = dquery:chopOff()
end
pdnslog("Returning CNAME for: "..dquery)
dq.AddAnswer(pdns.CNAME, "*."..dquery)
dq.rcode = 0 -- make it a normal answer
dq.followupFunction = "followCNAMERecords"
return true
end
return false
end
What I still need to test is if this script actually works and what will happen
if the followupFunction also returns NXDOMAIN, if it hit the Lua script again
then nothing else is needed, else I’ll need to add more logic to keep going
with a chopOff() until the zone’s ‘root' wildcard record is found.
> Otherwise, as you suggested yourself, dnsdist is very powerful. (You
> definitely don't want to use a recursor as your authoritative server though)
>
Great, I’ll add dnsdist and apply the Lua script there. Thank you!
Thanks,
Djerk_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
