Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Until this issue is resolved and pdns/ldap becomes capable of sending Notify messages as Master, I had to find a temporary - I hope - solution, and now I have managed to bring it to a working mode.

So, I have installed notify-dns-slaves included in the package slapi-dnsnotify-0.2.1.tar.gz (see http://memberwebs.com/stef/software/slapi-dnsnotify/). [I remind you that the slapi-dnsnotify plugin could not be loaded by the standard Openldap 2.3.43 CentOS package.]

Then, I created this little script (remember I'm in CentOS 5.5):

#!/bin/bash
# The bind password was omitted from the posted script; it is supplied through
# a variable here so that the ldapsearch call below is complete.
BINDPW='***PLACEHOLDER***'

# Find the current zone serial number and store it in the newsn variable.
# Note that "grep sysadmin" is there to isolate the sOARecord line from the output of ldapsearch,
# simply because I'm using sysad...@example.com as the DNS administrator email.
# awk then isolates the serial number from the SOA line.
#
newsn=`ldapsearch -x -D "uid=userxxx,ou=system,dc=example,dc=com" -w "$BINDPW" -s sub -b \
  "ou=dns,dc=example,dc=com" "(&(dc:dn:=10.10.10.in-addr.arpa)(soarecord=*))" \
  soarecord | grep sysadmin | awk '{ print $4 }'`

# If ldapsearch returned nothing (LDAP down, bad credentials), neither compare nor notify.
[ -z "$newsn" ] && exit 1

# This is where the most recent serial number is saved
File=/etc/pdns/notifyscr/reversesn.txt

# Read the latest stored serial number from the above file (0 if the file does not exist yet)
{ read oldsn; } 2>/dev/null < "$File"
oldsn=${oldsn:-0}

# If the serial has been incremented, store the new serial in the place of the old one,
# then send Notify to server 10.10.10.101
#
if [ "$newsn" -gt "$oldsn" ]
then
  echo "$newsn" > "$File"
  /usr/local/bin/notify-dns-slaves 10.10.10.in-addr.arpa 10.10.10.101
fi

exit 0

We have to repeat the above for any other (forward or reverse) zone. So, I have "multiplied" it by 7 (1 forward, 6 reverse zones). The script (when *not* sending Notify) for the 7 zones runs in 345 ms (every three minutes), which means that it doesn't cause any serious load to my server.

Finally, we schedule the script in cron to run as often as we want (I run it every three minutes to achieve slave DNS server sync in three minutes max):

# Run the script every three minutes, and do not send email notifications
*/3 * * * * /etc/pdns/notifyscr/scr1 >/dev/null 2>&1

If someone can optimize the script, or make it in a form which would deal with many zones without repeating the same piece of source code, it would be a welcome addition. I might work on it too, when I have time.

I have not managed to find a solution on implementing triggered Notify (I might try the openldap accesslog overlay, as indicated in some discussions).

The above is a working solution (at least when few zones are involved). Still, - even by its nature - it *underlines the importance of supporting Notify natively in powerdns / ldap backend*.

Thanks again to Jean-Piet Mens for the notify-dns-slaves tool.

Nick

On 2/10/2010 4:58 PM, Nikolaos Milas wrote:
> I have now filed a bug ("new enhancement") for this, it's No. 318. (http://wiki.powerdns.com/trac/ticket/318).

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
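Nick asks above for a version of the script that handles many zones without repeating the same code. The following is an added example written for this thread; it is not Nick's script and not part of slapi-dnsnotify or PowerDNS. It assumes a hypothetical zone list file (one "zone slave-address" pair per line), a state directory with one file per zone, a bind-password file read with ldapsearch -y instead of a password on the command line, and notify-dns-slaves at the path used in Nick's script. It also goes beyond the original in two ways: it compares serials with the RFC 1982 serial arithmetic that DNS itself uses (a plain -gt breaks once a serial wraps), and it records a serial only after the NOTIFY command succeeds, so a failed send is retried on the next cron run instead of being silently lost.

```shell
#!/bin/bash
# Added example: one poller for any number of zones (not Nick's script, not part
# of slapi-dnsnotify). Hypothetical layout:
#   ZONES_FILE  one "zone slave-address" pair per line, '#' comments allowed
#   STATE_DIR   one file per zone holding the last serial a NOTIFY was sent for
#   LDAP_PWFILE bind password for ldapsearch -y, mode 0600
ZONES_FILE=${ZONES_FILE:-/etc/pdns/notifyscr/zones.txt}
STATE_DIR=${STATE_DIR:-/etc/pdns/notifyscr/state}
LDAP_BASE=${LDAP_BASE:-ou=dns,dc=example,dc=com}
LDAP_BINDDN=${LDAP_BINDDN:-uid=userxxx,ou=system,dc=example,dc=com}
LDAP_PWFILE=${LDAP_PWFILE:-/etc/pdns/notifyscr/bindpw}
NOTIFY_CMD=${NOTIFY_CMD:-/usr/local/bin/notify-dns-slaves}

# Read LDIF on stdin, rejoin wrapped continuation lines (ldapsearch folds long
# values at 76 columns, and an SOA value is often longer), and print the serial,
# i.e. the 4th field of the first sOARecord attribute. Matching on the attribute
# name instead of the admin mailbox ("grep sysadmin") keeps this schema-only.
soa_serial_from_ldif() {
    awk '
        function emit(l,  f) {
            if (!done && split(l, f, " ") >= 4 && tolower(f[1]) == "soarecord:") {
                print f[4]; done = 1
            }
        }
        /^ / { buf = buf substr($0, 2); next }   # continuation line: append
        { emit(buf); buf = $0 }
        END { emit(buf) }'
}

# Ask LDAP for the zone's SOA, using the same dc:dn: filter as the original script.
fetch_serial() {
    ldapsearch -x -LLL -D "$LDAP_BINDDN" -y "$LDAP_PWFILE" -s sub -b "$LDAP_BASE" \
        "(&(dc:dn:=$1)(soarecord=*))" soarecord </dev/null | soa_serial_from_ldif
}

# RFC 1982 serial arithmetic: NEW is newer than OLD when (NEW - OLD) mod 2^32
# lies in (0, 2^31). A plain -gt stops working once a serial wraps past 2^32-1.
serial_is_newer() {
    new=$1; old=$2
    case "$new" in ''|*[!0-9]*) return 1 ;; esac
    case "$old" in ''|*[!0-9]*) return 1 ;; esac
    d=$(( (new - old) & 4294967295 ))
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

# Compare one zone's current serial with the stored one. The serial is recorded
# only after the notify command succeeds, so a failed send is retried next run.
check_zone() {
    zone=$1; slave=$2; state="$STATE_DIR/$zone"
    cur=$(fetch_serial "$zone")
    if [ -z "$cur" ]; then
        echo "$zone: no SOA serial from LDAP, skipping" >&2
        return 1
    fi
    old=$(cat "$state" 2>/dev/null)
    case "$old" in ''|*[!0-9]*) old=0 ;; esac     # no or corrupt state file
    if serial_is_newer "$cur" "$old"; then
        if "$NOTIFY_CMD" "$zone" "$slave" </dev/null; then
            echo "$cur" > "$state"
            echo "$zone: notified $slave (serial $old -> $cur)"
        else
            echo "$zone: notify to $slave failed, will retry" >&2
            return 1
        fi
    fi
}

# Walk the zone list; the return value is the number of zones that failed.
process_zones() {
    failed=0
    mkdir -p "$STATE_DIR"
    while read -r zone slave || [ -n "$zone" ]; do
        case "$zone" in ''|\#*) continue ;; esac
        check_zone "$zone" "$slave" || failed=$((failed + 1))
    done < "$ZONES_FILE"
    return "$failed"
}

# Cron entry point, e.g.:  */3 * * * * /etc/pdns/notifyscr/scr1 run >/dev/null 2>&1
case "${1:-}" in run) process_zones ;; esac
```

Run it as `scr1 run` from cron; with no argument it only defines the functions, which makes it easy to source and test the serial comparison and the LDIF parser on their own. Each zone still costs one ldapsearch per run, so the "345 ms for 7 zones" figure above scales linearly; for hundreds of zones a single search returning every sOARecord, split per entry, would be the next step.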
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Thanks Nils,

I have now filed a bug ("new enhancement") for this, it's No. 318. (http://wiki.powerdns.com/trac/ticket/318).

Nick.

On 2/10/2010 4:20 PM, Nils Breunese (Lemonbit) wrote:
> I believe most public bug trackers are also used for feature requests and enhancements. The PowerDNS bug tracker even has 'enhancement' as a ticket type ('defect' and 'task' are the other two).
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Nikolaos Milas wrote:
> In any case, returning to pdns/ldap notify support, I thought of filing a
> bug, but this simply is not a bug, but rather expected behavior, although we
> ldap-backend users have a hard time with it!

I believe most public bug trackers are also used for feature requests and enhancements. The PowerDNS bug tracker even has 'enhancement' as a ticket type ('defect' and 'task' are the other two).

Nils.
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
First, the question why use ldap as dns backend tends to be more or less philosophical, but in two words, (at least) when you have medium sized zones and organizations, LDAP is *a very convenient central repository of all organizational information* and is easily administered using e.g. phpldapadmin and other ldap browsers. Openldap is fast and has cached indexes, which speeds up queries. It also has extended access-control capabilities and a fast real-time replication mechanism (syncrepl) which can be used to run dns queries from a local slave ("consumer"). Especially when the expected number of authoritative queries is not extremely high, pdns/ldap can handle them nicely.

One could argue that you can do all that quite well with mysql, and I can't argue against that. I would say only that when data in the repository does not change very often (i.e. is not "transactional"), LDAP is very well suited (also standards-based, well-defined and supported by all modern software for authentication etc.). There is a good discussion in all major LDAP textbooks. One can also find a good discussion on why to use bdb as the openldap database instead of a relational db (at the openldap pages).

In any case, returning to pdns/ldap notify support, I thought of filing a bug, but this simply is not a bug, but rather expected behavior, although we ldap-backend users have a hard time with it!

All the best,
Nick

On 2/10/2010 1:49 PM, Nils Breunese (Lemonbit) wrote:
> I have no experience with using LDAP as a backend myself (I don't even know why you'd want to use LDAP as a backend), but have you actually filed a request ticket in the bug tracker?
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Nikolaos Milas wrote:
> So, my request to add master support to ldap backend remains open!

I have no experience with using LDAP as a backend myself (I don't even know why you'd want to use LDAP as a backend), but have you actually filed a request ticket in the bug tracker?

http://wiki.powerdns.com/

Nils.
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
An addition: despite the reported errors, notify is sent and received successfully, so notify-dns-slaves works fine!

So, this tool could be used with a cron'ed custom (bash) script (if one can't make slapi-dnsnotify work) which would regularly ldapsearch soarecord serials and send notify (when changed), as discussed earlier in this thread (something which I concluded could not be done with pdns_control for the ldap backend).

Nick

On 2/10/2010 1:01 PM, Nikolaos Milas wrote:
> What does it mean by "Bad file descriptor"? What can I do?
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
I have reached the same conclusion. However, rebuilding openldap doesn't seem to be easy or straightforward (but I'll give it a try when I can)... It is commonly accepted that in production servers, pre-built, platform-specific RPMs are preferred (to avoid all sorts of problems), compiled by a few experts, and I am not a master in compiling :(.

Even if it had worked, I would continue to urge pdns developers to support pdns/ldap Master functionality (essentially NOTIFY) in the core code. It's an important feature. We users (eventually) find solutions one way or another (always with developers' and experienced users' help), but supporting features that help avoid implementation complexity leads to better production systems and to happier administrators :).

So, my request to add master support to ldap backend remains open!

I also tried the notify-dns-slaves tool (which might be of great value) manually, but I'm getting errors:

notify-dns-slaves -d 4 'x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa' dns2.example.com
notify-dns-slaves: building notification packet for x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
notify-dns-slaves: resolving address: dns2.example.com
notify-dns-slaves: resolved address for: [unknown]
notify-dns-slaves: preparing notification to: dns2.example.com
notify-dns-slaves: resolved address for: 10.10.10.101
notify-dns-slaves: preparing notification to: dns2.example.com
notify-dns-slaves: starting processing
notify-dns-slaves: sending notify for zone x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
notify-dns-slaves: sending notify for zone x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
notify-dns-slaves: couldn't send packet to server: dns2.example.com: Bad file descriptor
notify-dns-slaves: received successful response for server: dns2.example.com
notify-dns-slaves: sending notify for zone x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
notify-dns-slaves: couldn't send packet to server: dns2.example.com: Bad file descriptor
notify-dns-slaves: sending notify for zone x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
notify-dns-slaves: couldn't send packet to server: dns2.example.com: Bad file descriptor
notify-dns-slaves: sending notify for zone x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
notify-dns-slaves: couldn't send packet to server: dns2.example.com: Bad file descriptor
notify-dns-slaves: notification to server timed out: dns2.example.com
notify-dns-slaves: processing done

What does it mean by "Bad file descriptor"? What can I do?

Thanks for your great help and support,

Nick

On 2/10/2010 10:53 AM, Jan-Piet Mens wrote:
> > Why does openldap refuse to load the plugin (one way or another)? Am I doing something wrong?
>
> I'd say your slapd has no support for loadable modules -- you're going to have to rebuild it.
>
> -JP
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
> Why does openldap refuse to load the plugin (one way or another)? Am I doing
> something wrong?

I'd say your slapd has no support for loadable modules -- you're going to have to rebuild it.

-JP
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Thanks again for your help, JP.

I describe in short some more things I tried (I still need your guidance):

Initially, I found out that the plugin was not being loaded in openldap (as recorded in ldap.log):

/etc/openldap/slapd.conf: line 182: keyword ignored

And:

# slaptest -d 255 -f slapd.conf
...
line 186 (plugin postoperation /usr/local/lib/slapi-dnsnotify.so plugin_init base-dn=ou=dns1,dc=example,dc=com zone-attribute=associatedDomain notify-delay=10)
slapd.conf: line 186: keyword ignored
...
config file testing succeeded

Trying to solve the problem (why the plugin is not loaded), I came to the conclusion that I should probably add a "moduleload slapi-dnsnotify.la" directive in slapd.conf. So I copied the files "slapi-dnsnotify.*" to the directory where all openldap modules exist (/usr/lib64/openldap/) and tried again. But now openldap doesn't start at all:

# slaptest -d 255 -f slapd.conf
...
line 59 (moduleload slapi-dnsnotify.la)
loaded module slapi-dnsnotify.la
module slapi-dnsnotify.la: init_module() failed
slapd.conf: line 59: handler exited with 1!
slaptest: bad configuration file!

Why does openldap refuse to load the plugin (one way or another)? Am I doing something wrong?

Nick

On 1/10/2010 6:50 PM, Jan-Piet Mens wrote:
> > Changing the SOA serial doesn't seem to trigger any NOTIFY to NS Servers
> > defined for the zone.
> >
> > Also, I see no sign of logging anywhere...
> >
> > It's as if the configuration statement included in slapd.conf is accepted,
> > but never doing something.
>
> No hints really, as I haven't used that bit for some time. It worked for me once without problems at all. I'd try the following:
>
> 1. Ensure the slapi plugin is indeed being loaded by your slapd. (Check the slapd log.)
> 2. Ensure you've compiled slapi-plugin with WITH_SYSLOG defined, or it won't log.
> 3. I assume you've started the notify-dns-slaves daemon? That is the one which will send out the NOTIFY.
> 4. Once again, check the logs (var/log/messages); there must be something there...
>
> Good luck,
> -JP
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
> Changing the SOA serial doesn't seem to trigger any NOTIFY to NS Servers
> defined for the zone.
>
> Also, I see no sign of logging anywhere...
>
> It's as if the configuration statement included in slapd.conf is accepted,
> but never doing something.

No hints really, as I haven't used that bit for some time. It worked for me once without problems at all. I'd try the following:

1. Ensure the slapi plugin is indeed being loaded by your slapd. (Check the slapd log.)
2. Ensure you've compiled slapi-plugin with WITH_SYSLOG defined, or it won't log.
3. I assume you've started the notify-dns-slaves daemon? That is the one which will send out the NOTIFY.
4. Once again, check the logs (var/log/messages); there must be something there...

Good luck,
-JP
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
An update:

I installed it on my ldap master too, but it doesn't seem to be sending NOTIFY as well. (All servers are CentOS 5.5 with openldap 2.3.43.el5_5.2-12-x86_64 and the latest versions of powerdns available.)

Changing the SOA serial doesn't seem to trigger any NOTIFY to NS Servers defined for the zone.

Also, I see no sign of logging anywhere...

It's as if the configuration statement included in slapd.conf is accepted, but never doing something.

Any hint?

Nick

On 30/9/2010 9:02 PM, Nikolaos Milas wrote:
> Thanks JP,
>
> I just tried it. I installed it on my master pdns/ldap server (I had no installation problems), but I haven't managed to make it work (yet). It doesn't seem to send notify. I have the following questions:
>
> 1. The LDAP server used by my pdns primary master is a SLAVE LDAP server (using instant syncrepl, type=refreshAndPersist); So I am making changes on the LDAP master (on another box) and the pdns master box is using data from an ldap mirror (that's where I have installed slapi-dnsnotify, and this is why I have NOT used /enable-auto-serial/ - we increase it manually when we finish whatever changes). So, should slapi-dnsnotify work on a slave ldap (i.e. does it detect changes propagated using syncrepl and not done manually) or should I install it on the ldap master only??
> 2. The slaves which will receive the NOTIFY are those listed in zone NS records?
> 3. If the SOA serial number is increased, this should trigger a NOTIFY?
> 4. I didn't find any syslog /daemon/ facility on CentOS. I looked into the default log file /var/log/messages but didn't find any entry.
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Thanks JP,

I just tried it. I installed it on my master pdns/ldap server (I had no installation problems), but I haven't managed to make it work (yet). It doesn't seem to send notify. I have the following questions:

1. The LDAP server used by my pdns primary master is a SLAVE LDAP server (using instant syncrepl, type=refreshAndPersist); So I am making changes on the LDAP master (on another box) and the pdns master box is using data from an ldap mirror (that's where I have installed slapi-dnsnotify, and this is why I have NOT used /enable-auto-serial/ - we increase it manually when we finish whatever changes). So, should slapi-dnsnotify work on a slave ldap (i.e. does it detect changes propagated using syncrepl and not done manually) or should I install it on the ldap master only??
2. The slaves which will receive the NOTIFY are those listed in zone NS records?
3. If the SOA serial number is increased, this should trigger a NOTIFY?
4. I didn't find any syslog /daemon/ facility on CentOS. I looked into the default log file /var/log/messages but didn't find any entry.

For completeness, I include here the syslog.conf file:

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local5.none    /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# save OpenLDAP log
local4.*                                                /var/log/ldap.log

# PowerDNS log
local5.*                                                /var/log/pdns.log

Thanks, again,
Nick

> Have you looked at slapi-dnsnotify? It's an OpenLDAP plugin that watches for a change in a zone's serial number and notifies DNS slaves. Works rather nicely, though you might have to adapt it to your schema, etc.
>
> http://memberwebs.com/stef/software/slapi-dnsnotify/
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Nikolaos,

> I know that ldap backend does not support NOTIFY (so it neither supports
> master/slave operation), and that this is due to LDAP specifications (or
> so). The same problem exists e.g. in BIND9 with sdb (ldap backend).

Have you looked at slapi-dnsnotify? It's an OpenLDAP plugin that watches for a change in a zone's serial number and notifies DNS slaves. Works rather nicely, though you might have to adapt it to your schema, etc.

http://memberwebs.com/stef/software/slapi-dnsnotify/

Disclaimer: if you have my book, I describe it therein. :-)

-JP
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Dennis,

Thanks for the reply.

In order to achieve quick sync (max 5 min), this would require a cron job to run every, say, 5 minutes (this is not bad). A simple text file would be used to record the latest retrieved SOA serials (for all zones concerned), and then ldapsearch would find and compare the current SOA serial with the one in the text file, and, if different, it would send such a notify using pdns_control (and it would update the SOA serial number in the text file).

BUT, if I understand the documentation correctly, "pdns_control notify" for the ldap backend is NOT supported. pdns_control only gives instructions to the backend to send a NOTIFY message, but the ldap_backend does not support master operation and notify.

So the best solution I have found up to now would be to use a second pdns slave server instance (e.g. on the same box, on another port, or on another box) with a different backend (e.g. BIND) that supports notify operations and then configure it, with a cron job or with SOA short refresh intervals, to sync with the master and also send notify to other slaves.

This will probably work, but I am not very satisfied with this setup; simplicity - always a key parameter - is sacrificed. NOTIFY (Master operation) should be available on the pdns/ldap master server (which currently cannot behave as a true master).

Please correct me if I am wrong.

Thanks,
Nick

On 29/9/2010 2:33 PM, Dennis Roos wrote:
> Hi,
>
> I guess a simple shell script can do the job for you:
>
> * ldapsearch SOA records that changed today (provided your SOA numbering is using dates)
> * for each entry pdns_control notify domainname
>
> Just my $.02
>
> Dennis Roos
>
> Nikolaos Milas wrote:
> > Hi,
> >
> > I didn't receive any replies on this.
> >
> > As we are deploying a new DNS server infrastructure in our organization and we have planned to use pdns/ldap on our primary master (already in operation), it would be important to us to know whether NOTIFY from pdns/ldap ("master operation") will be offered as a feature in upcoming authoritative server releases or not, or if a patch or (Lua or other) script is available by pdns developers/community to provide such NOTIFY functionality (I haven't been able to find anything).
> >
> > This would affect to some extent our deployment architecture (type of slaves, type of remote slaves, etc.), because, unfortunately, we can't use the ldap backend on all slaves, and we don't want those slaves to remain not-synchronized for long, nor can we use very short refresh times.
> >
> > Please, could you give a hint?
> >
> > Thanks,
> > Nick
> >
> > On 25/9/2010 12:54 AM, Nikolaos Milas wrote:
> > > So, can we hope for such a feature to be included in the next official release or, if you deem this is undesirable due to whatever specs, could it be offered as a patch, as the BIND/sdb one, or even as a Lua script? ... If not, can you suggest any other good solution(s) to trace ldap record changes and force AXFRs to slaves?
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Hi,

I guess a simple shell script can do the job for you:

* ldapsearch SOA records that changed today (provided your SOA numbering is using dates)
* for each entry pdns_control notify domainname

Just my $.02

Dennis Roos

Nikolaos Milas wrote:
> Hi,
>
> I didn't receive any replies on this.
>
> As we are deploying a new DNS server infrastructure in our organization and we have planned to use pdns/ldap on our primary master (already in operation), it would be important to us to know whether NOTIFY from pdns/ldap ("master operation") will be offered as a feature in upcoming authoritative server releases or not, or if a patch or (Lua or other) script is available by pdns developers/community to provide such NOTIFY functionality (I haven't been able to find anything).
>
> This would affect to some extent our deployment architecture (type of slaves, type of remote slaves, etc.), because, unfortunately, we can't use the ldap backend on all slaves, and we don't want those slaves to remain not-synchronized for long, nor can we use very short refresh times.
>
> Please, could you give a hint?
>
> Thanks,
> Nick
>
> On 25/9/2010 12:54 AM, Nikolaos Milas wrote:
> > So, can we hope for such a feature to be included in the next official release or, if you deem this is undesirable due to whatever specs, could it be offered as a patch, as the BIND/sdb one, or even as a Lua script? ... If not, can you suggest any other good solution(s) to trace ldap record changes and force AXFRs to slaves?
Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?
Hi,

I didn't receive any replies on this.

As we are deploying a new DNS server infrastructure in our organization and we have planned to use pdns/ldap on our primary master (already in operation), it would be important to us to know whether NOTIFY from pdns/ldap ("master operation") will be offered as a feature in upcoming authoritative server releases or not, or if a patch or (Lua or other) script is available by pdns developers/community to provide such NOTIFY functionality (I haven't been able to find anything).

This would affect to some extent our deployment architecture (type of slaves, type of remote slaves, etc.), because, unfortunately, we can't use the ldap backend on all slaves, and we don't want those slaves to remain not-synchronized for long, nor can we use very short refresh times.

Please, could you give a hint?

Thanks,
Nick

On 25/9/2010 12:54 AM, Nikolaos Milas wrote:
> So, can we hope for such a feature to be included in the next official release or, if you deem this is undesirable due to whatever specs, could it be offered as a patch, as the BIND/sdb one, or even as a Lua script? ... If not, can you suggest any other good solution(s) to trace ldap record changes and force AXFRs to slaves?