[Pdns-users] Challenge with DNS rewrite

2011-02-24 Thread Hugo van der Kooij


Hi, 

How feasible is it to create a PowerDNS caching name server
that can rewrite all requests to a specific non-existing top level
domain and strip that top level domain from the request before passing
it on towards the rest of the world? 

Due to a rather silly choice of
the powers that be there exists something called SUWI and their mail
uses a fake top-level domain on top of existing domains. 

So my domain
vanderkooij.org would become vanderkooij.org.suwi in their view. And I
would like to setup a caching/forwarding server that would first strip
.suwi from the request and then check if the domain exists and if it
exists return that information. 

Your thoughts are welcome. 

Hugo.


-- 
hvdko...@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG?
Use: http://hugo.vanderkooij.org/0x58F19981.asc
 ___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Challenge with DNS rewrite

2011-02-24 Thread Kenneth Marshall
On Thu, Feb 24, 2011 at 01:10:31PM +0100, Hugo van der Kooij wrote:
 
 
 Hi, 
 
 How feasible is it to create a PowerDNS caching name server
 that can rewrite all requests to a specific non-existing top level
 domain and strip that top level domain from the request before passing
 it on towards the rest of the world? 
 
 Due to a rather silly choice of
 the powers that be there exists something called SUWI and their mail
 uses a fake top-level domain on top of existing domains. 
 
 So my domain
 vanderkooij.org would become vanderkooij.org.suwi in their view. And I
 would like to setup a caching/forwarding server that would first strip
 .suwi from the request and then check if the domain exists and if it
 exists return that information. 
 
 Your thoughts are welcome. 
 
 Hugo.
 

I think that you can do this using the lua scripting support in
the latest release of the PDNS recursor.

Cheers,
Ken
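Whichever hook does it (Ken's Lua suggestion or a proxy in front of the recursor), the work is the same: take the fake label off the question before it leaves, and put it back on every name in the answer before the client sees it. The block below is an added example, not code from this thread, from PowerDNS or from its Lua scripting; it does the rewrite at the DNS wire-format level on constructed packets, with "suwi" and vanderkooij.org taken from Hugo's message and everything else assumed. Two things it makes visible that a one-line string replace would not: real answers compress names with pointers back to the question, so the message has to be re-serialised rather than patched in place, and names also live inside NS, CNAME, PTR and MX rdata. One caveat to keep in mind: RRSIGs cover the owner name, so a client that validates DNSSEC will reject answers that came back relabelled under .suwi.

```python
"""Strip a fake top-level label from DNS queries on the way out and put it
back on the answers, at the wire-format level. Added example: not code from
the thread, from PowerDNS or from its Lua hook. Packets are constructed."""
import struct

FAKE_TLD = "suwi"
A, NS, CNAME, PTR, MX = 1, 2, 5, 12, 15      # RR types handled explicitly below


def read_name(msg, off):
    """Decode a possibly compressed name at off -> (labels, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # compression pointer
            if end is None:
                end = off + 2                             # name ends after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return labels, (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def write_name(labels):
    """Encode uncompressed, so a rewritten (longer) name cannot break a pointer."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rewrite(msg, fn):
    """Re-serialise msg with fn applied to every question, owner and name-valued
    rdata field (NS, CNAME, PTR, MX). Other rdata (A, AAAA, TXT, ...) is copied."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    out, off = bytearray(msg[:12]), 12
    for _ in range(qd):
        labels, off = read_name(msg, off)
        out += write_name(fn(labels)) + msg[off:off + 4]  # qtype, qclass
        off += 4
    for _ in range(an + ns + ar):
        labels, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype in (NS, CNAME, PTR):
            rdata = write_name(fn(read_name(msg, off)[0]))
        elif rtype == MX:                                 # 16-bit preference, then a name
            rdata = rdata[:2] + write_name(fn(read_name(msg, off + 2)[0]))
        off += rdlen
        out += write_name(fn(labels))
        out += struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return bytes(out)


def strip_fake_tld(labels):
    """Client -> world: vanderkooij.org.suwi becomes vanderkooij.org."""
    return labels[:-1] if labels and labels[-1].lower() == FAKE_TLD else labels


def add_fake_tld(labels):
    """World -> client: every name in the answer goes back under .suwi."""
    return labels + [FAKE_TLD] if labels and labels[-1].lower() != FAKE_TLD else labels


def build_query(name, qtype=A, txid=0x1234):
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + write_name(name.split(".")) + struct.pack("!HH", qtype, 1)


def build_response(name, rtype, rdata, txid=0x1234, ttl=3600):
    """One question, one answer whose owner is a pointer (0xC00C) to the
    question name, the way real servers compress."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    return (header + write_name(name.split(".")) + struct.pack("!HH", rtype, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata)


def qname(msg):
    return ".".join(read_name(msg, 12)[0])


def answers(msg):
    """[(owner, type, rdata)] from the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off, result = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        labels, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        result.append((".".join(labels), rtype, msg[off:off + rdlen]))
        off += rdlen
    return result


# Constructed exchange: the client asks for vanderkooij.org.suwi, the world is
# asked for vanderkooij.org, and the answer is relabelled before it goes back.
CLIENT_QUERY = build_query("vanderkooij.org.suwi")
UPSTREAM_QUERY = rewrite(CLIENT_QUERY, strip_fake_tld)
UPSTREAM_RESPONSE = build_response("vanderkooij.org", A, bytes([192, 0, 2, 1]))
CLIENT_RESPONSE = rewrite(UPSTREAM_RESPONSE, add_fake_tld)
```

The transaction ID and the flags are carried over untouched, so the usual ID and question matching between what was sent and what came back still works on both sides of the rewrite.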


[Pdns-users] Format of private keys in PowerDNSSEC (gmysql) doesn't correspond to BIND's

2011-02-24 Thread Jan-Piet Mens
Hello,

PowerDNSSEC stores private keys in the cryptokey table. The blob
contained there appears to be Private-key-format: v1.2, however there
is a difference between keys stored by PDNS and those created by BIND's
`dnssec-keygen -C' utility. I discovered this upon attempting to read
the private key extracted from the back-end database with ldns 1.6.8.

BIND                            PDNS MySQL
------------------------------------------------------------
Private-key-format: v1.2        Private-key-format: v1.2
Algorithm: 8 (RSASHA256)        Algorithm: 8 (RSASHA256)
Modulus:                        Coefficient:
PublicExponent:                 Exponent1:
PrivateExponent:                Exponent2:
Prime1:                         Modulus:
Prime2:                         Prime1:
Exponent1:                      Prime2:
Exponent2:                      PrivateExponent:
Coefficient:                    PublicExponent:

If I extract the key from the database, and run it through the following
program, the output is indeed parseable by ldns:

#!/usr/bin/perl
# reformatkey.pl by Jan-Piet Mens, Feb 2011
# Read a private key as stored by PowerDNSSEC in MySQL, and print
# it out in the correct order. This allows e.g. ldns to 
# read the key with ldns_key_new_frm_fp_l(3).
# Note, that I'm not sure whether this is erroneous on the part of
# PowerDNSSEC, or whether ldns(3) is being lazy. (An example
# in RFC 5702 suggests BIND's format is correct.)
#
# Usage: reformatkey.pl < key-as-stored.private > key-in-bind-order.private

use strict;
use warnings;

my %keyparts;

# Read "Field: value" lines from stdin; the value keeps its trailing newline.
while (<STDIN>) {
    my ($k, $v) = split(/: /, $_, 2);
    next unless defined $v;     # skip blank or malformed lines
    $keyparts{$k} = $v;
}

# Emit the fields in the order BIND (and ldns) expect.
out('Private-key-format');
out('Algorithm');
out('Modulus');
out('PublicExponent');
out('PrivateExponent');
out('Prime1');
out('Prime2');
out('Exponent1');
out('Exponent2');
out('Coefficient');

sub out {
    my ($k) = @_;

    defined $keyparts{$k} or die "missing field: $k\n";
    print "$k: ", $keyparts{$k};
}

As noted in the comment, I'm not sure whether this small error is on
PDNS' part or in ldns, but an example in RFC 5702 suggests BIND's format
is correct.

Best regards,

-JP
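Reordering the fields is all that JP's script needs to do, but a tool that only shuffles lines will also pass a swapped or corrupted blob straight through. The block below is an added example, not JP's script and not PowerDNS or ldns code: it parses a Private-key-format v1.2 blob in any field order, emits it in BIND's order, and then checks that the RSA CRT values actually belong together (Modulus = Prime1 * Prime2, Exponent1 = PrivateExponent mod (Prime1 - 1), and so on). The field names and the two orderings come from the message above; the demo key is built from two toy primes and is not a usable key.

```python
"""Parse a Private-key-format v1.2 blob whatever the field order, emit it in
the order BIND and ldns expect, and check that the RSA CRT parameters belong
together. Added example, not PowerDNS or ldns code. The demo key uses two
small, well-known primes (the 10000th and 100000th) and is not a usable key."""
import base64
import math

BIND_ORDER = ["Private-key-format", "Algorithm", "Modulus", "PublicExponent",
              "PrivateExponent", "Prime1", "Prime2", "Exponent1", "Exponent2",
              "Coefficient"]
RSA_PARAMS = BIND_ORDER[2:]      # n, e, d, p, q, d mod (p-1), d mod (q-1), q^-1 mod p
RSA_ALGORITHMS = {5, 7, 8, 10}   # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512


def parse_private_key(text):
    """'Field: value' lines in any order -> dict of strings."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields[key.strip()] = value.strip()
    return fields


def to_bind_order(fields):
    """Serialise in BIND's order; refuse rather than emit a partial key."""
    missing = [k for k in BIND_ORDER if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return "".join(f"{k}: {fields[k]}\n" for k in BIND_ORDER)


def b64_to_int(s):
    return int.from_bytes(base64.b64decode(s), "big")


def int_to_b64(n):
    return base64.b64encode(n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")).decode()


def check_rsa_consistency(fields):
    """Return a list of problems (empty when the CRT values fit together)."""
    if int(fields["Algorithm"].split()[0]) not in RSA_ALGORITHMS:
        return ["not an RSA algorithm"]
    n, e, d, p, q, dp, dq, qinv = (b64_to_int(fields[k]) for k in RSA_PARAMS)
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    problems = []
    if p * q != n:
        problems.append("Modulus != Prime1 * Prime2")
    if (e * d) % lam != 1:
        problems.append("PrivateExponent is not the inverse of PublicExponent")
    if dp != d % (p - 1):
        problems.append("Exponent1 != PrivateExponent mod (Prime1 - 1)")
    if dq != d % (q - 1):
        problems.append("Exponent2 != PrivateExponent mod (Prime2 - 1)")
    if (qinv * q) % p != 1:
        problems.append("Coefficient != Prime2^-1 mod Prime1")
    return problems


def make_demo_key(p=104729, q=1299709, e=65537):
    """Constructed key in the PDNS MySQL field order shown in the message.
    Toy-sized primes: for demonstration only, never for a real zone."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    vals = {"Modulus": n, "PublicExponent": e, "PrivateExponent": d, "Prime1": p,
            "Prime2": q, "Exponent1": d % (p - 1), "Exponent2": d % (q - 1),
            "Coefficient": pow(q, -1, p)}
    pdns_order = ["Coefficient", "Exponent1", "Exponent2", "Modulus", "Prime1",
                  "Prime2", "PrivateExponent", "PublicExponent"]
    return ("Private-key-format: v1.2\nAlgorithm: 8 (RSASHA256)\n"
            + "".join(f"{k}: {int_to_b64(vals[k])}\n" for k in pdns_order))


DEMO_PDNS_KEY = make_demo_key()

if __name__ == "__main__":
    parsed = parse_private_key(DEMO_PDNS_KEY)
    print(to_bind_order(parsed), "problems:", check_rsa_consistency(parsed))
```

Run it against a key pulled from the cryptokeys table and the consistency check is the part worth keeping: a blob that reorders cleanly but fails it was not stored the way it was generated.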


[Pdns-users] Multiple IPs per host name / round robin

2011-02-24 Thread PLists
Here's your DNS noob question for the day. (I'm not a real sysadmin. I only 
pretend to be when backed into a corner.) 

I've been running PowerDNS (with a MySQL backend) successfully and happily for 
a couple of years now. It's really basic stuff, one A record per host name. 

Now I'm in a situation where I need to serve up two possible IP addresses for a 
certain host name. From my treks through Google, I'm assuming the following: 

1) I simply enter multiple A records into the database, one for each IP. 
2) PowerDNS does not randomize these. [informational] 
3) Recursors are supposed to do this. [informational] 

So all I need to do, really, is enter in the multiple A records. 


What I'm confused about is the role of the recursor. Is it already installed as 
part of PowerDNS? If not, do I need to install the recursor on my name servers? 
Does it take over port 53? From reading about recursors, the answer is, No, I 
think. But I'm not completely sure when one would run a recursor. 

Thanks for making something so simple and reliable. :)




Re: [Pdns-users] Multiple IPs per host name / round robin

2011-02-24 Thread Michael Loftis
The recursive resolver is what clients talk to locally.  AKA a
caching resolver, it's not part of your authoritative infrastructure
at all.  In fact, if you're using your authoritative nameservers as
caching resolvers, you should stop.  For most people the recursive
resolver is provided by their ISP unless they elect to run their own
(like I do) or to use an external one (like OpenDNS or Google's DNS).
What makes them recursive is that they answer queries that aren't
necessarily in their cache or known from zone files by recursing up
the tree until it finds an answer it knows (either from root hints or
previous cached lookups) then works its way back down the tree to
the answer.

On Thu, Feb 24, 2011 at 10:25 AM, PLists jkli...@ifm-services.com wrote:
 Here's your DNS noob question for the day. (I'm not a real sysadmin. I only 
 pretend to be when backed into a corner.)

 I've been running PowerDNS (with a MySQL backend) successfully and happily 
 for a couple of years now. It's really basic stuff, one A record per host 
 name.

 Now I'm in a situation where I need to serve up two possible IP addresses for 
 a certain host name. From my treks through Google, I'm assuming the following:

 1) I simply enter multiple A records into the database, one for each IP.
 2) PowerDNS does not randomize these. [informational]
 3) Recursors are supposed to do this. [informational]

 So all I need to do, really, is enter in the multiple A records.


 What I'm confused about is the role of the recursor. Is it already installed 
 as part of PowerDNS? If not, do I need to install the recursor on my name 
 servers? Does it take over port 53? From reading about recursors, the answer 
 is, No, I think. But I'm not completely sure when one would run a recursor.

 Thanks for making something so simple and reliable. :)


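The split Michael describes, in runnable form: the block below is an added example (not PowerDNS code, and not a model of how the PowerDNS recursor is implemented) with a handful of constructed authoritative servers for the root, org and example.org. Authoritative servers only answer from their own data or hand out a referral; the recursor starts at the root hints, follows referrals, and caches what it learns, so the second lookup costs no queries at all. It also shows the one check a recursor must make on referrals, the bailiwick rule: only the NS set and glue for exactly those names, inside the zone the answering server owns, go into the cache; a padded referral from a misbehaving org server is dropped. For the round-robin question: the example.org server publishes two A records as one RRset and the recursor hands the whole set to whoever asked; which address gets used is decided downstream, not by the authoritative server.

```python
"""Toy iterative resolver over a constructed set of authoritative servers.
Added example, not PowerDNS code; names, addresses and zone data are made up
from the documentation ranges. No network access."""
import copy

# address -> the zone the server is authoritative for, and its records
SERVERS = {
    "198.51.100.1": {"zone": ".", "rrs": {
        ("org", "NS"): ["a.ns.org"], ("a.ns.org", "A"): ["198.51.100.2"]}},
    "198.51.100.2": {"zone": "org", "rrs": {
        ("example.org", "NS"): ["ns1.example.org"],
        ("ns1.example.org", "A"): ["198.51.100.3"]}},
    "198.51.100.3": {"zone": "example.org", "rrs": {
        ("www.example.org", "A"): ["192.0.2.10", "192.0.2.11"],  # two A records, one RRset
        ("ns1.example.org", "A"): ["198.51.100.3"]}},
}
ROOT_HINTS = ["198.51.100.1"]

# Same servers, but the org server pads its referrals with a record it is not
# authoritative for: the classic cache-poisoning vector a recursor must drop.
POISONED = copy.deepcopy(SERVERS)
POISONED["198.51.100.2"]["extra"] = {("www.example.org", "A"): ["203.0.113.66"]}


def ask_authoritative(servers, addr, qname, qtype):
    """An authoritative server: answer from its own data, or refer the asker to
    the closest delegation it knows (NS set plus glue). It never recurses."""
    server = servers[addr]
    rrs = server["rrs"]
    if (qname, qtype) in rrs:
        return "answer", {(qname, qtype): list(rrs[(qname, qtype)])}
    name = qname
    while name:
        if (name, "NS") in rrs:
            referral = {(name, "NS"): list(rrs[(name, "NS")])}
            for ns in rrs[(name, "NS")]:
                if (ns, "A") in rrs:
                    referral[(ns, "A")] = list(rrs[(ns, "A")])
            referral.update(server.get("extra", {}))   # only the poisoned variant has this
            return "referral", referral
        name = name.partition(".")[2]
    return "nxdomain", {}


def in_bailiwick(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


class Recursor:
    """Caching recursive resolver: clients ask it, it asks the authoritative side."""

    def __init__(self, servers=SERVERS, hints=ROOT_HINTS):
        self.servers, self.hints = servers, hints
        self.cache = {}       # (name, type) -> [rdata]; TTLs left out of the toy
        self.queries = 0      # questions sent to authoritative servers

    def resolve(self, qname, qtype, depth=0):
        if (qname, qtype) in self.cache:
            return list(self.cache[(qname, qtype)])
        if depth > 8:
            raise RuntimeError("referral chain too deep")
        zone, servers = ".", list(self.hints)
        while servers:
            self.queries += 1
            kind, rrs = ask_authoritative(self.servers, servers.pop(0), qname, qtype)
            if kind == "answer":
                self.cache.update(rrs)
                return list(rrs[(qname, qtype)])
            if kind == "nxdomain":
                return []
            child = next(name for name, rtype in rrs if rtype == "NS")
            if not in_bailiwick(child, zone):
                continue          # a server delegating a name outside its own zone
            # Bailiwick rule: only the NS set and glue for exactly those NS names,
            # all inside the zone this server is authoritative for, enter the cache.
            ns_names = rrs[(child, "NS")]
            accepted = {(child, "NS"): ns_names}
            for ns in ns_names:
                if (ns, "A") in rrs and in_bailiwick(ns, zone):
                    accepted[(ns, "A")] = rrs[(ns, "A")]
            self.cache.update(accepted)
            zone, servers = child, []
            for ns in ns_names:
                servers += accepted.get((ns, "A")) or self.resolve(ns, "A", depth + 1)
        return []
```

Resolving www.example.org costs three queries (root, org, example.org); asking again, or asking for ns1.example.org, is served from the cache.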


Re: [Pdns-users] Format of private keys in PowerDNSSEC (gmysql) doesn't correspond to BIND's

2011-02-24 Thread Jan-Piet Mens
Hello Maik,

 The current version of the format is 1.3, but BIND accepts 1 point anything

Newer versions of `dnssec-keygen' generate a 1.3 version unless option
`-C' is used, in which case a version 1.2 is created:

Compatibility mode: generates an old-style key, without any
metadata. By default, dnssec-keygen will include the key's
creation date in the metadata stored with the private key, and
other dates may be set there as well (publication date,
activation date, etc). Keys that include this data may be
incompatible with older versions of BIND; the -C option
suppresses them.


 In my opinion, the ldns parser should be adjusted to work the same way.

You're probably right, but seeing ldns came first, their authors may be
reluctant to add some flexibility to it. :-) As an aside, and FWIW,
neither Net::DNS nor ldns (both by NLnetlabs) support the 1.3 format.

This issue isn't terribly important, but I thought I'd point it out
before the release of PowerDNSSEC.

-JP


Re: [Pdns-users] Multiple IPs per host name / round robin

2011-02-24 Thread PLists

 The recursive resolver is what clients talk to locally.  AKA a
 caching resolver, it's not part of your authoritative infrastructure


Ah, I see. So there are really two separate parts to the system. Clients talk 
to the resolvers and resolvers talk to the authoritative servers. 

So all I need to do on my authoritative servers is add multiple A records with 
different IP addresses. The resolvers will do the rest. 

All too easy. 

Thanks. :) 


[Pdns-users] stuck tcp sessions on recursor

2011-02-24 Thread Charles Sprickman

Howdy,

I'm seeing an issue with tcp queries on powerdns recursor 3.2.  We run 
two instances of pdns recursor on an internal network and it's mainly hit 
by lots of qmail delivery servers.  They are doing a ton of lookups, I 
think we peak around 4000 queries/second.  With more people using 
dnssec, many providers returning insanely huge lists of mxers, and qmail's 
propensity for ANY queries, we're finding that our tcp queries are going 
way up.


What we are seeing is that when max-tcp-clients is exceeded, it appears 
that pdns is not properly closing sockets.  We then get a pile-up of 
qmail-remotes that are stuck and deliveries stop until pdns is 
restarted.  netstat shows the connections in state CLOSED.


We're running FreeBSD 8.1 on all the hosts involved.  This mailing list 
post is interesting, and explains why these CLOSED sockets are in that 
state:


http://lists.freebsd.org/pipermail/freebsd-net/2008-June/018544.html

Any pointers on how to troubleshoot this further?

Thanks,

Charles


[Pdns-users] Manually Changing SOA Serial Number

2011-02-24 Thread Linda Pagillo
Hi everyone. I'm new to the lists and I have a few questions. How do you
manually change the following things in PowerDNS?

 

1.)SOA serial number.

2.)SOA Refresh value

3.)SOA Expire value

 

Thanks!

 

Linda Pagillo - Owner
LPDynamix
931-284-9291
li...@lpdynamix.com

 



Re: [Pdns-users] stuck tcp sessions on recursor

2011-02-24 Thread Kenneth Marshall
On Thu, Feb 24, 2011 at 01:20:13PM -0500, Charles Sprickman wrote:
 Howdy,

 I'm seeing an issue with tcp queries on powerdns recursor 3.2.  We run two 
 instances of pdns recursor on an internal network and it's mainly hit by 
 lots of qmail delivery servers.  They are doing a ton of lookups, I think 
 we peak around 4000 queries/second.  With more people using dnssec, many 
 providers returning insanely huge lists of mxers, and qmail's propensity 
 for ANY queries, we're finding that our tcp queries are going way up.

 What we are seeing is that when max-tcp-clients is exceeded, it appears 
 that pdns is not properly closing sockets.  We then get a pile-up of 
 qmail-remotes that are stuck and deliveries stop until pdns is restarted. 
  netstat shows the connections in state CLOSED.

 We're running FreeBSD 8.1 on all the hosts involved.  This mailing list 
 post is interesting, and explains why these CLOSED sockets are in that 
 state:

 http://lists.freebsd.org/pipermail/freebsd-net/2008-June/018544.html

 Any pointers on how to troubleshoot this further?

 Thanks,

 Charles

There is not much to troubleshoot. This is a known bug. Try running
the latest release instead. They really do fix bugs. :)

Cheers,
Ken


Re: [Pdns-users] stuck tcp sessions on recursor

2011-02-24 Thread bert hubert
On Thu, Feb 24, 2011 at 01:33:24PM -0500, Charles Sprickman wrote:
 Simon Bedford, Brad Dameron and Laurient Papier discovered
 relatively high TCP/IP loads could cause TCP/IP service to shut down
 over time. Addressed in commits 1546, 1640, 1652, 1685, 1698.
 Additional information provided by Zwane Mwaikambo, Nicholas Miell
 and Jeff Roberson. Testing by Christian Hofstaedtler and Michael
 Renner
 
 I was scanning for stuck in CLOSED and similar stuff.  I'll try
 3.3 and see how that goes, thanks!

this definitely sounds like 3.3 material!

Bert
(PowerDNS)


Re: [Pdns-users] stuck tcp sessions on recursor

2011-02-24 Thread Charles Sprickman

On Thu, 24 Feb 2011, bert hubert wrote:


On Thu, Feb 24, 2011 at 01:33:24PM -0500, Charles Sprickman wrote:

Simon Bedford, Brad Dameron and Laurient Papier discovered
relatively high TCP/IP loads could cause TCP/IP service to shut down
over time. Addressed in commits 1546, 1640, 1652, 1685, 1698.
Additional information provided by Zwane Mwaikambo, Nicholas Miell
and Jeff Roberson. Testing by Christian Hofstaedtler and Michael
Renner

I was scanning for stuck in CLOSED and similar stuff.  I'll try
3.3 and see how that goes, thanks!


this definitely sounds like 3.3 material!


So far so good, nearly 500,000 tcp queries without any lingering sockets.

Totally unrelated, but I see a stat that's not mentioned in the docs: 
no-packet-error 492682.  What is that, and is it any cause for concern?


I'm really happy with the recursor so far, we previously used dnscache and 
we're seeing about 1/5 the cpu usage and I believe we're also answering 
queries that we weren't before - our overall qps went up quite a bit after 
the switch.


Thanks,

Charles


Bert
(PowerDNS)




Re: [Pdns-users] stuck tcp sessions on recursor

2011-02-24 Thread bert hubert
On Thu, Feb 24, 2011 at 03:06:12PM -0500, Charles Sprickman wrote:
 this definitely sounds like 3.3 material!
 
 So far so good, nearly 500,000 tcp queries without any lingering sockets.

Good!

 Totally unrelated, but I see a stat that's not mentioned in the
 docs: no-packet-error 492682.  What is that, and is it any cause
 for concern?

It is a debugging metric we added to see if our event multiplexing
infrastructure is operating as well as it could. Can you give me the output
of 'rec_control get-all' after some time of operation?

It is probably of no concern, but it might waste some CPU cycles. Probably
no-packet-error is a lot smaller than your number of questions and
outqueries.

 I'm really happy with the recursor so far, we previously used
 dnscache and we're seeing about 1/5 the cpu usage and I believe
 we're also answering queries that we weren't before - our overall
 qps went up quite a bit after the switch.

great!

Bert


Re: [Pdns-users] Manually Changing SOA Serial Number

2011-02-24 Thread Linda Pagillo
Actually, I need to know where to go to change the following.

 

1.)SOA Serial number.

2.)SOA Refresh value

3.)SOA Expire value

4.)SOA MNAME Value

5.)SOA Retry Value

6.)SOA TTL Value

 

Thanks again.

 

 

Linda Pagillo - Owner
LPDynamix
931-284-9291
li...@lpdynamix.com

 

From: pdns-users-boun...@mailman.powerdns.com
[mailto:pdns-users-boun...@mailman.powerdns.com] On Behalf Of Linda Pagillo
Sent: Thursday, February 24, 2011 12:23 PM
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] Manually Changing SOA Serial Number

 

Hi everyone. I'm new to the lists and I have a few questions. How do you
manually change the following things in PowerDNS?

 

1.)SOA serial number.

2.)SOA Refresh value

3.)SOA Expire value

 

Thanks!

 

Linda Pagillo - Owner
LPDynamix
931-284-9291
li...@lpdynamix.com

 



Re: [Pdns-users] Manually Changing SOA Serial Number

2011-02-24 Thread PLists
On Feb 24, 2011, at 2:29 PM, Linda Pagillo wrote:

 Actually, I need to know where to go to change the following…


These are all in the SOA record. 

See the documentation 

http://doc.powerdns.com/types.html




Re: [Pdns-users] Manually Changing SOA Serial Number

2011-02-24 Thread Elfyn McBratney
On 25 February 2011 06:35, Elfyn McBratney el...@nyfle.co.uk wrote:
 WRT MNAME (aka $ORIGIN), that's not supported in PowerDNS as it is in
 BIND (at least as far as I know -- I could be wrong!). If you're
 migrating existing BIND zones, zone2sql can handle that automatically
 with its --zone option. Again, I'd recommend reading the manual at
 the aforementioned URL as this is all explained there in a much more
 coherent fashion. ;)

Eek, disregard that paragraph please. My, er, morning coffee hadn't
quite kicked in. The so-called MNAME field is the first part of a
record's content field, which would be ns1.nyfle.co.uk in my
previous example.

Best,
Elfyn
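Everything Linda lists, apart from the TTL, lives in that one content string of the zone's SOA row, and the serial is the field people get wrong by hand. The block below is an added example for this thread, not PowerDNS code. It assumes the layout of the generic SQL backends: the SOA content is "mname rname serial refresh retry expire minimum", the TTL is the separate ttl column of the records table, and an in-memory sqlite table with just those columns stands in for the real gmysql database (the zone data is constructed). It bumps the serial in the YYYYMMDDnn scheme and refuses any new value that does not follow the old one in RFC 1982 serial arithmetic, because a serial that goes backwards, or jumps by 2^31 or more, is one the slaves silently ignore, and zone transfers stop without any error on the master.

```python
"""Edit the SOA fields PowerDNS keeps in the records table and bump the serial
safely. Added example, not PowerDNS code. Assumed layout: SOA content is
"mname rname serial refresh retry expire minimum", TTL is the ttl column;
an in-memory sqlite table stands in for the gmysql records table."""
import datetime
import sqlite3
import time

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
DEMO_DATE = datetime.date(2011, 2, 24)


def parse_soa(content):
    parts = content.split()
    if len(parts) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(parts)}: {content!r}")
    soa = dict(zip(SOA_FIELDS, parts))
    for k in SOA_FIELDS[2:]:
        soa[k] = int(soa[k])
    return soa


def format_soa(soa):
    return " ".join(str(soa[k]) for k in SOA_FIELDS)


def serial_gt(new, old):
    """RFC 1982 serial arithmetic: new follows old iff the 32-bit difference is
    between 1 and 2^31 - 1. Anything else is ignored by slaves."""
    return 0 < (new - old) % (1 << 32) < (1 << 31)


def next_serial(old, today):
    """YYYYMMDDnn scheme; falls back to old + 1 when today's base would not be
    larger (several edits in one day, or an old serial that is already bigger)."""
    base = int(today.strftime("%Y%m%d")) * 100
    new = base if base > old else old + 1
    if not serial_gt(new, old):
        raise ValueError(f"serial {new} does not follow {old} in RFC 1982 order")
    return new


def update_soa(content, today, **changes):
    """Apply field changes (refresh=..., mname=..., ...) and bump the serial."""
    soa = parse_soa(content)
    for key, value in changes.items():
        if key not in SOA_FIELDS or key == "serial":
            raise ValueError(f"cannot set {key!r} directly")
        soa[key] = str(value) if key in ("mname", "rname") else int(value)
    soa["serial"] = next_serial(soa["serial"], today)
    return format_soa(soa)


def demo_db():
    """Constructed stand-in for the records table; only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER, "
                 "name TEXT, type TEXT, content TEXT, ttl INTEGER, change_date INTEGER)")
    conn.execute("INSERT INTO records VALUES (1, 1, 'example.org', 'SOA', "
                 "'ns1.example.org hostmaster.example.org 2011022300 7200 3600 1209600 3600', "
                 "86400, 0)")
    conn.commit()
    return conn


def bump_zone_soa(conn, domain_id, today, ttl=None, **changes):
    """Rewrite the zone's single SOA row; returns the new content string."""
    rows = conn.execute("SELECT id, content FROM records WHERE domain_id = ? AND type = 'SOA'",
                        (domain_id,)).fetchall()
    if len(rows) != 1:
        raise ValueError(f"zone {domain_id} has {len(rows)} SOA records, expected 1")
    row_id, content = rows[0]
    new_content = update_soa(content, today, **changes)
    new_ttl = conn.execute("SELECT ttl FROM records WHERE id = ?", (row_id,)).fetchone()[0]
    if ttl is not None:
        new_ttl = int(ttl)
    conn.execute("UPDATE records SET content = ?, ttl = ?, change_date = ? WHERE id = ?",
                 (new_content, new_ttl, int(time.time()), row_id))
    conn.commit()
    return new_content


def soa_row(conn, domain_id):
    """(content, ttl) of the zone's SOA row, for inspection."""
    return conn.execute("SELECT content, ttl FROM records WHERE domain_id = ? AND type = 'SOA'",
                        (domain_id,)).fetchone()
```

Against a real gmysql database the same UPDATE applies, with the DB-API placeholders of the MySQL driver in place of sqlite's; after it, reload or let the slaves pick the new serial up on their next refresh.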


Re: [Pdns-users] pdns error sendto

2011-02-24 Thread Liong Kok Foo

Hi,

I have double checked and I did configure the firewall for port 53 tcp/udp. 
Could it be possible that there are other ports that need to be opened?


I am using APF firewall. If anyone is also using that, please share your 
configuration.


If it's not firewall, where else can I look? What other logs?

Thanks.

Liong Kok Foo



On 2/21/2011 5:31 PM, Marc Haber wrote:

On Mon, Feb 21, 2011 at 02:07:00PM +0800, Liong Kok Foo wrote:

Sorry for my noobness, but could you explain on what you mean by local
packet filter? Do you mean firewall? If yes, then what port do I look?
FYI, I have open port 53 tcp/udp for outgoing and incoming.

That should be enough, if it was done right.

Greetings
Marc

