On 08/08/2011 11:34 PM, Leen Besselink wrote:
On 08/08/2011 06:57 PM, Jan-Piet Mens wrote:
Hello,
I was curious as to wether PowerDNS would sign records produced by the
PIPE back-end, particularly since the release notes indicate it may be
possible ([3] also says partial support).
I set up a small test with PowerDNS 3.0.1 [1] and the example
backend-v3.pl [2]. I encountered the following issues:
I tried that too. I did rename mine test.net and used gpsqlite3 because
I already had that setup.
0. Configuration `powerdns.conf` contains only:
daemon=no
launch=gmysql,pipe
gmysql-dnssec
gmysql-dbname=pdns
gmysql-host=127.0.0.1
gmysql-port=3306
gmysql-user=pdns
gmysql-password=secret
cache-ttl=0
query-cache-ttl=0
log-dns-details=yes
loglevel=4
pipe-command=/etc/powerdns/backend-v3.pl
pipebackend-abi-version=3
1. A query of type ANY produces a SERVFAIL with the sample back-end. The
console logs:
Exception building answer packet (Parsing record content: Data field
in DNS should start with quote () at position 3 of ' hallo
allemaal!') sending out servfail
Changing quotes to single quotes, or removing them altogether doesn't
improve: I can't get PowerDNS to reply with a TXT RR.
Seems that part works for me if I remove all quotes:
print DATA $bits $auth $qname $qclass TXT 3600 -1 hallo allemaal!\n;
Although it does add a space at the start:
$ dig +short +norec +dnssec @127.0.0.1 test.net txt
TXT 8 2 3600 2011081800 2011080400 63826 test.net.
fD8xqLMN9vcBK1Y0CwAJrgr9CfFQRwdc3j9OVijHXjvU5TdMDZ4s4y0g
JcmUCREUFAdbmasrKmthPEzGvtrD/K41zWSdjwArMDzehmozrCswU8Vq
oGJ4K2n/2FEUUA1bpS0pbU+KLMW2I0EevhdPNojzgSyD78ztAOjcTH5o s6g=
hallo allemaal!
2. I created a zone in gmysql called example.com, type=NATIVE and
signed it with `pdnssec secure-zone example.com`. (Records table for
the zone is empty)
Yes, it won't work without a records-table.
3. I query the PIPE backend `dig @127.0.0.1 example.com any' and get
expected results including 3 DNSKEY RR
4. I query the PIPE backend `dig @127.0.0.1 +dnssec example.com any' and
powerdns aborts with the following message on the console:
Default beforeAndAfterAbsolute called!
Got a signal 6, attempting to print trace
...
A bug or two, surely? :-)
It does work for +dnssec for webserver.$domain A or $domain SOA
Which is really encouraging.
But it crashes as stated above if it just doesn't find things and needs
to do DNSSEC.
I was using NSEC and asking for also crashes the whole thing.
A normal request to the pipe-backend looks like:
24718 Received: Q test.net IN SOA -1 127.0.0.1 127.0.0.1 127.0.0.1/32
24718 Sent SOA records
24718 End of data
But a request just before a crash says:
�/32 Received: Q test.net IN SOA -1 0.0.0.0 0.0.0.0 8
24724 Sent SOA records
24724 End of data
Which suggests to me something in the PowerDNS-code isn't able to handle
it when
there is no result from any backend in combination with DNSSEC.
I forgot to add:
It also seems to ask the wrong question ? Or atleast use the wrong
'realRemote' and maybe that breaks the protocol ?
I didn't immediately found the cause for it.
Additionally, I note that the documentation for the PIPE backend [3]
has no mention of ABI version 3, nor does it describe the bits and auth
returned by the example pipe backend. Could somebody explain what the
`bits' are?
Thanks regards,
-JP
[1]: http://downloads.powerdns.com/releases/rpm/pdns-static-3.0-1.i386.rpm
[2]:
http://wiki.powerdns.com/trac/browser/trunk/pdns/modules/pipebackend/backend-v3.pl?rev=2239
[3]: http://doc.powerdns.com/backends-detail.html#pipebackend
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users