Re: [Pdns-users] default-api-rectify not working

2020-05-31 Thread Peter van Dijk via Pdns-users
Hello Sean,

On Thu, 2020-05-28 at 19:00 +, Sean Lair via Pdns-users wrote:
> Hi all - just wanted to follow up.  Is there any additional information I can 
> provide?
> 
> Since PowerDNS Admin is configured to use the PowerDNS API, the zones should 
> be auto-rectifying.  We are running PDNS 4.2.0 where default-api-rectify=yes 
> and I have verified that is not being overridden by any domain metadata 
> entries.  Please see the output at the end of this email.
> 
> What am I missing on this?
> 
> MariaDB [powerdns]> select * from domains where domains.name = 
> 'xx.com';
> +----+--------+--------+------------+--------+-----------------+---------+
> | id | name   | master | last_check | type   | notified_serial | account |
> +----+--------+--------+------------+--------+-----------------+---------+
> | 47 | xx.com | NULL   |       NULL | NATIVE |            NULL | ippcorp |
> +----+--------+--------+------------+--------+-----------------+---------+
> 1 row in set (0.00 sec)
> 
> MariaDB [powerdns]> select * from domainmetadata where id=47;
> Empty set (0.00 sec)

First, please read 
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

Second, the currently supported version in the 4.2.x train is 4.2.2. We
will generally not investigate bugs in an older version for the same
train. So, normally we'd ask you to first try an upgrade to 4.2.2 or
4.3.0.

However, in this case I found you are running into a known bug (
https://github.com/PowerDNS/pdns/pull/8497). The fix is in 4.3.0 and
up, and 4.2.1 and up. For some reason it did not make it into 
https://doc.powerdns.com/authoritative/changelog/4.2.html, we will fix
that document.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] LUA records + DNSSEC

2020-05-31 Thread Peter van Dijk via Pdns-users
On Wed, 2020-05-27 at 11:39 +0200, Martijn Grendelman via Pdns-users wrote:
> Hi,
> 
> We have a simple setup with a PowerDNS master and two PowerDNS slaves (AXFR). 
>  Our zones are generally signed with DNSSEC and everything has been working 
> fine. Recently, I started experimenting with LUA records, and for those, 
> we're seeing problems (SERVFAIL) when we query them through 3rd party 
> resolvers.
> 
> At first, I seem to have missed this tiny paragraph in the documentation for 
> LUA records:
> 
> "LUA records can be DNSSEC signed, but because they are dynamic, it is not 
> possible to combine pre-signed DNSSEC zone and LUA records. In other words, 
> the signing key must be available on the server creating answers based on LUA 
> records."
> 
> It makes sense, and indeed, when I query the slaves for the LUA records, I 
> don't get any RRSIGs, so I suspect that this must be the problem.
> 
> My question is: how do I make the signing key available on the slaves? Does 
> this imply that I have to switch to a form of native replication, or is there 
> a way to make this work with AXFR? I spent a few hours Googling for this, but 
> I haven't found any clues.

Native replication is one option. The other option is having a non-signing 
master that your slaves, that all have a copy of your keys, AXFR from.

The 'remove presigned' trigger from your other email might work but is not a 
configuration we support or run tests for - so it could break on upgrades.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/



Re: [Pdns-users] Recursor and LUA scripting: I don't understand why preresolve answering a CNAME won't cascade to other records

2020-05-31 Thread Oscar Koeroo via Pdns-users
Yes! This worked as expected. I assumed it was a design choice, and it seems 
it was.
Thank you Bert and Roman for these quick answers.


Oscar Koeroo



> On 31 May 2020, at 12:14, bert hubert wrote:
> 
> On Sun, May 31, 2020 at 12:08:36PM +0200, Oscar Koeroo via Pdns-users wrote:
> 
>> I’m using the following LUA script to intercept, but I don’t understand
>> the results.  Why doesn’t the dig get the CNAME to go to the A record I
>> have in my domain.local zone?  I expected dig to try to get the CNAME
>> value of qr.domain.net and the CNAME value of that result, which seems to
>> halt there.
> 
> Hi Oscar!
> 
> So firstly, a resolver is expected to provide a complete answer. If it
> supplies only a CNAME, a client can assume there is nothing more. A
> stub-resolver won't itself recurse.
> 
>> The expected result I was looking for was:
> 
> The good news is, we thought of this scenario, and we have this:
> 
> "CNAME chain resolution
> 
> It may be useful to return a CNAME record for Lua, and then have the
> PowerDNS Recursor continue resolving that CNAME.  This can be achieved by
> setting dq.followupFunction to followCNAMERecords and dq.followupDomain to
> “www.powerdns.com”.  PowerDNS will do the rest.  "
> 
> https://doc.powerdns.com/recursor/lua-scripting/hooks.html#cname-chain-resolution
> 
> Good luck!
> 
>   Bert



Re: [Pdns-users] Recursor and LUA scripting: I don't understand why preresolve answering a CNAME won't cascade to other records

2020-05-31 Thread bert hubert via Pdns-users
On Sun, May 31, 2020 at 12:08:36PM +0200, Oscar Koeroo via Pdns-users wrote:

> I’m using the following LUA script to intercept, but I don’t understand
> the results.  Why doesn’t the dig get the CNAME to go to the A record I
> have in my domain.local zone?  I expected dig to try to get the CNAME
> value of qr.domain.net and the CNAME value of that result, which seems to
> halt there.

Hi Oscar!

So firstly, a resolver is expected to provide a complete answer. If it
supplies only a CNAME, a client can assume there is nothing more. A
stub-resolver won't itself recurse.

> The expected result I was looking for was:

The good news is, we thought of this scenario, and we have this:

"CNAME chain resolution

It may be useful to return a CNAME record for Lua, and then have the
PowerDNS Recursor continue resolving that CNAME.  This can be achieved by
setting dq.followupFunction to followCNAMERecords and dq.followupDomain to
“www.powerdns.com”.  PowerDNS will do the rest.  "

https://doc.powerdns.com/recursor/lua-scripting/hooks.html#cname-chain-resolution

Good luck!

Bert
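The following is an added example, not code from the thread or from the PowerDNS project. It rewrites the preresolve() hook posted earlier along the lines of Bert's pointer: the CNAME answer is handed to dq.followupFunction so the Recursor itself chases it and returns the complete chain, which a stub resolver will not do on its own. The override table, the 192.168.0.0/16 LAN range and the names and addresses are placeholders; it also assumes the recursor can resolve domain.local at all (for instance through a forward-zones entry in recursor.conf), which is configuration rather than Lua.

```lua
-- Added example: split-horizon overrides for the PowerDNS Recursor Lua hook.
-- Not part of the thread or of PowerDNS itself. Names, addresses and the LAN
-- range below are assumptions; adjust them to the real deployment.

-- Hypothetical override table. Each entry either pins an A record or
-- redirects the name to an internal one via CNAME.
local overrides = {
  ["cloud.domain.net."] = { A = "192.168.1.15" },
  ["vpn.domain.net."]   = { A = "192.168.1.37" },
  ["qr.domain.net."]    = { CNAME = "qr.domain.local" },
}

-- Only clients on the home network get the internal view. Anyone else is
-- resolved normally, so a recursor that ends up listening more widely than
-- intended does not hand RFC 1918 addresses to the outside.
local lan = newNMG()
lan:addMasks({ "192.168.0.0/16", "127.0.0.0/8" })

function preresolve(dq)
  if not lan:match(dq.remoteaddr) then
    return false
  end

  -- DNSName:toString() includes the trailing dot, matching the table keys.
  local entry = overrides[dq.qname:toString()]
  if entry == nil then
    return false
  end

  if entry.CNAME ~= nil then
    -- A CNAME applies to every qtype, so it is deliberately not gated on
    -- pdns.A. followCNAMERecords makes the Recursor resolve the target and
    -- append the rest of the chain (the CNAME to apps.domain.local and its
    -- A record in the thread's example) before answering the client.
    pdnslog("preresolve: " .. dq.qname:toString() .. " -> " .. entry.CNAME,
            pdns.loglevels.Info)
    dq:addAnswer(pdns.CNAME, entry.CNAME)
    dq.rcode = pdns.NOERROR
    dq.followupFunction = "followCNAMERecords"
    dq.followupDomain = newDN(entry.CNAME)
    return true
  end

  if dq.qtype == pdns.A or dq.qtype == pdns.ANY then
    pdnslog("preresolve: " .. dq.qname:toString() .. " -> " .. entry.A,
            pdns.loglevels.Info)
    dq:addAnswer(pdns.A, entry.A)
    dq.rcode = pdns.NOERROR
    return true
  end

  -- Any other qtype for a pinned name (AAAA in particular) gets an empty
  -- NOERROR answer (NODATA) instead of falling through to normal resolution,
  -- otherwise a public AAAA record would still give the LAN client the WAN
  -- view of a name that was supposed to be overridden.
  dq.rcode = pdns.NOERROR
  return true
end
```

Load it with `lua-dns-script=/path/to/this-file.lua` in recursor.conf and test with `dig @recursor qr.domain.net` from a LAN address: the answer section should now carry the CNAME followed by whatever the Recursor resolves qr.domain.local to.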


Re: [Pdns-users] Recursor and LUA scripting: I don't understand why preresolve answering a CNAME won't cascade to other records

2020-05-31 Thread Roman Steinhart via Pdns-users
Hi,
If I'm not wrong you need to tell pdns to resolve the CNAME:
https://doc.powerdns.com/recursor/lua-scripting/hooks.html#cname-chain-resolution

Regards,
Roman

Am So., 31. Mai 2020 um 12:08 Uhr schrieb Oscar Koeroo via Pdns-users <
pdns-users@mailman.powerdns.com>:

> Hi,
>
> I’m using the Recursor version 4.3.1 on my Pi and building the
> following. I have a VPS and a home-server. I use “domain.net” for the
> internet access and in my home I use “domain.local”.
>
> Due to NAT and how my home router works, I intercept the DNS requests and
> provide a local answer instead of the WAN IP address, for example. In other
> cases I would like to use “domain.net”.
>
>
> I’m using the following LUA script to intercept, but I don’t understand
> the results. Why doesn’t the dig get the CNAME to go to the A record I
> have in my domain.local zone? I expected dig to try to get the CNAME value
> of qr.domain.net and the CNAME value of that result, which seems to halt
> there.
>
>
>
>
> The expected result I was looking for was:
>
>
> dig qr.domain.net
>
> ;; ANSWER SECTION:
> qr.domain.net.  3600IN  CNAME   qr.domain.local.
> qr.domain.local.41584   IN  CNAME   apps.domain.local.
> apps.koeroo.local.  40931   IN  A   192.168.1.28
> - EOL
>
>
>
> I got:
>
>
> dig qr.domain.net
>
> ;; ANSWER SECTION:
> qr.domain.net.  3600IN  CNAME   qr.domain.local.
> - EOL
>
>
> dig cloud.domain.net
>
> ;; ANSWER SECTION:
> cloud.domain.net.   3600IN  A   192.168.1.15
> - EOL
>
>
>
> Script:
>
> function preresolve(dq)
>     if dq.qtype == pdns.A then
>         if (dq.qname:toString() == "cloud.domain.net.") then
>             pdnslog("preresolve: " .. dq.qname:toString(),
>                     pdns.loglevels.Info)
>             dq:addAnswer(pdns.A, "192.168.1.15")
>             dq.rcode = pdns.NOERROR
>             return true
>         elseif (dq.qname:toString() == "vpn.domain.net.") then
>             pdnslog("preresolve: " .. dq.qname:toString(),
>                     pdns.loglevels.Info)
>             dq:addAnswer(pdns.A, "192.168.1.37")
>             dq.rcode = pdns.NOERROR
>             return true
>         elseif (dq.qname:toString() == "qr.domain.net.") then
>             pdnslog("preresolve: " .. dq.qname:toString(),
>                     pdns.loglevels.Info)
>             dq:addAnswer(pdns.CNAME, "qr.domain.local")
>             dq.rcode = pdns.NOERROR
>             return true
>         end
>     end
>     return false
> end
>
>
> Oscar Koeroo
>
>
>


[Pdns-users] Recursor and LUA scripting: I don't understand why preresolve answering a CNAME won't cascade to other records

2020-05-31 Thread Oscar Koeroo via Pdns-users
Hi,

I’m using the Recursor version 4.3.1 on my Pi and building the following. I 
have a VPS and a home-server. I use “domain.net” for the internet access and in 
my home I use “domain.local”.

Due to NAT and how my home router works, I intercept the DNS requests and 
provide a local answer instead of the WAN IP address, for example. In other cases 
I would like to use “domain.net”.


I’m using the following LUA script to intercept, but I don’t understand the 
results. Why doesn’t the dig get the CNAME to go to the A record I have in my 
domain.local zone? I expected dig to try to get the CNAME value of 
qr.domain.net and the CNAME value of that result, which seems to halt there.




The expected result I was looking for was:


dig qr.domain.net

;; ANSWER SECTION:
qr.domain.net.  3600IN  CNAME   qr.domain.local.
qr.domain.local.41584   IN  CNAME   apps.domain.local.
apps.koeroo.local.  40931   IN  A   192.168.1.28
- EOL



I got:


dig qr.domain.net

;; ANSWER SECTION:
qr.domain.net.  3600IN  CNAME   qr.domain.local.
- EOL


dig cloud.domain.net

;; ANSWER SECTION:
cloud.domain.net.   3600IN  A   192.168.1.15
- EOL



Script:

-- Recursor Lua hook: runs before normal resolution for every query.
-- Returning true means the answer built here is sent as-is; returning false
-- lets the Recursor resolve the name normally.
function preresolve(dq)
    -- Only A queries are intercepted; AAAA and other types fall through.
    if dq.qtype == pdns.A then
        -- DNSName:toString() includes the trailing dot.
        if (dq.qname:toString() == "cloud.domain.net.") then
            pdnslog("preresolve: " .. dq.qname:toString(), pdns.loglevels.Info)
            dq:addAnswer(pdns.A, "192.168.1.15")
            dq.rcode = pdns.NOERROR
            return true
        elseif (dq.qname:toString() == "vpn.domain.net.") then
            pdnslog("preresolve: " .. dq.qname:toString(), pdns.loglevels.Info)
            dq:addAnswer(pdns.A, "192.168.1.37")
            dq.rcode = pdns.NOERROR
            return true
        elseif (dq.qname:toString() == "qr.domain.net.") then
            pdnslog("preresolve: " .. dq.qname:toString(), pdns.loglevels.Info)
            -- Only the CNAME itself is returned; nothing here asks the
            -- Recursor to continue resolving the target.
            dq:addAnswer(pdns.CNAME, "qr.domain.local")
            dq.rcode = pdns.NOERROR
            return true
        end
    end
    return false
end


Oscar Koeroo


