Re: [Pdns-users] default-api-rectify not working
Hello Sean,

On Thu, 2020-05-28 at 19:00 +, Sean Lair via Pdns-users wrote:
> Hi all - just wanted to follow up. Is there any additional information I can
> provide?
>
> Since PowerDNS Admin is configured to use the PowerDNS API, the zones should
> be auto-rectifying. We are running PDNS 4.2.0 where default-api-rectify=yes
> and I have verified that is not being overridden by any domain metadata
> entries. Please see the output at the end of this email.
>
> What am I missing on this?
>
> MariaDB [powerdns]> select * from domains where domains.name = 'xx.com';
> +----+--------+--------+------------+--------+-----------------+---------+
> | id | name   | master | last_check | type   | notified_serial | account |
> +----+--------+--------+------------+--------+-----------------+---------+
> | 47 | xx.com | NULL   | NULL       | NATIVE |            NULL | ippcorp |
> +----+--------+--------+------------+--------+-----------------+---------+
> 1 row in set (0.00 sec)
>
> MariaDB [powerdns]> select * from domainmetadata where id=47;
> Empty set (0.00 sec)

First, please read https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

Second, the currently supported version in the 4.2.x train is 4.2.2. We will generally not investigate bugs in an older version for the same train. So, normally we'd ask you to first try an upgrade to 4.2.2 or 4.3.0.

However, in this case I found you are running into a known bug (https://github.com/PowerDNS/pdns/pull/8497). The fix is in 4.3.0 and up, and 4.2.1 and up. For some reason it did not make it into https://doc.powerdns.com/authoritative/changelog/4.2.html, we will fix that document.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] LUA records + DNSSEC
On Wed, 2020-05-27 at 11:39 +0200, Martijn Grendelman via Pdns-users wrote:
> Hi,
>
> We have a simple setup with a PowerDNS master and two PowerDNS slaves (AXFR).
> Our zones are generally signed with DNSSEC and everything has been working
> fine. Recently, I started experimenting with LUA records, and for those,
> we're seeing problems (SERVFAIL) when we query them through 3rd party
> resolvers.
>
> At first, I seem to have missed this tiny paragraph in the documentation for
> LUA records:
>
> "LUA records can be DNSSEC signed, but because they are dynamic, it is not
> possible to combine pre-signed DNSSEC zone and LUA records. In other words,
> the signing key must be available on the server creating answers based on LUA
> records."
>
> It makes sense, and indeed, when I query the slaves for the LUA records, I
> don't get any RRSIGs, so I suspect that this must be the problem.
>
> My question is: how do I make the signing key available on the slaves? Does
> this imply that I have to switch to a form of native replication, or is there
> a way to make this work with AXFR? I spent a few hours Googling for this, but
> I haven't found any clues.

Native replication is one option. The other option is having a non-signing master that your slaves, that all have a copy of your keys, AXFR from.

The 'remove presigned' trigger from your other email might work but is not a configuration we support or run tests for - so it could break on upgrades.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
Re: [Pdns-users] Recursor and LUA scripting: I don't understand why preresolve answering a CNAME won't cascade to other records
Yes! This worked as expected. I assumed it was a designed choice, and it seemed it was.

Thank you Bert and Roman for these quick answers.

Oscar Koeroo

> On 31 May 2020, at 12:14, bert hubert wrote:
>
> On Sun, May 31, 2020 at 12:08:36PM +0200, Oscar Koeroo via Pdns-users wrote:
>
>> I’m using the following LUA script to intercept, but I don’t understand
>> the results. Why doesn’t the dig get the CNAME to go to the A record I
>> have in my domain.local zone? I expected dig to try to get the CNAME
>> value of qr.domain.net and the CNAME value of that result, which seems to
>> halt there.
>
> Hi Oscar!
>
> So firstly, a resolver is expected to provide a complete answer. If it
> supplies only a CNAME, a client can assume there is nothing more. A
> stub-resolver won't itself recurse.
>
>> The expected result I was looking for was:
>
> The good news is, we thought of this scenario, and we have this:
>
> "CNAME chain resolution
>
> It may be useful to return a CNAME record for Lua, and then have the
> PowerDNS Recursor continue resolving that CNAME. This can be achieved by
> setting dq.followupFunction to followCNAMERecords and dq.followupDomain to
> “www.powerdns.com”. PowerDNS will do the rest."
>
> https://doc.powerdns.com/recursor/lua-scripting/hooks.html#cname-chain-resolution
>
> Good luck!
>
> Bert
Re: [Pdns-users] Recursor and LUA scripting: I don't understand why preresolve answering a CNAME won't cascade to other records
On Sun, May 31, 2020 at 12:08:36PM +0200, Oscar Koeroo via Pdns-users wrote:
> I’m using the following LUA script to intercept, but I don’t understand
> the results. Why doesn’t the dig get the CNAME to go to the A record I
> have in my domain.local zone? I expected dig to try to get the CNAME
> value of qr.domain.net and the CNAME value of that result, which seems to
> halt there.

Hi Oscar!

So firstly, a resolver is expected to provide a complete answer. If it supplies only a CNAME, a client can assume there is nothing more. A stub-resolver won't itself recurse.

> The expected result I was looking for was:

The good news is, we thought of this scenario, and we have this:

"CNAME chain resolution

It may be useful to return a CNAME record for Lua, and then have the PowerDNS Recursor continue resolving that CNAME. This can be achieved by setting dq.followupFunction to followCNAMERecords and dq.followupDomain to “www.powerdns.com”. PowerDNS will do the rest."

https://doc.powerdns.com/recursor/lua-scripting/hooks.html#cname-chain-resolution

Good luck!

Bert
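Oscar's preresolve script rewritten with the CNAME chain resolution fields Bert points to, as an added example that is not part of either message. It assumes dq.followupFunction, dq.followupDomain and newDN() behave as the linked Recursor docs describe, and reuses the private addresses from the original post as sample values.

```lua
-- Added example (not from the thread): Oscar's preresolve hook with the
-- CNAME chain resolution fields from the linked Recursor docs applied.
-- Assumption: dq.followupFunction / dq.followupDomain / newDN() work as
-- documented at hooks.html#cname-chain-resolution.

-- Names the home resolver overrides with private addresses (values taken
-- from the original post, used here as sample data).
local localA = {
  ["cloud.domain.net."] = "192.168.1.15",
  ["vpn.domain.net."]   = "192.168.1.37",
}

-- Names answered with a CNAME that the Recursor must keep chasing itself:
-- the stub resolver sends one query and will not follow the CNAME on its own.
local localCNAME = {
  ["qr.domain.net."] = "qr.domain.local",
}

function preresolve(dq)
  -- Only intercept A queries, as the original script did.
  if dq.qtype ~= pdns.A then
    return false
  end

  local qname = dq.qname:toString()   -- includes the trailing dot

  local addr = localA[qname]
  if addr then
    pdnslog("preresolve: " .. qname .. " -> A " .. addr, pdns.loglevels.Info)
    dq:addAnswer(pdns.A, addr)
    dq.rcode = pdns.NOERROR
    return true
  end

  local target = localCNAME[qname]
  if target then
    pdnslog("preresolve: " .. qname .. " -> CNAME " .. target, pdns.loglevels.Info)
    dq:addAnswer(pdns.CNAME, target)
    dq.rcode = pdns.NOERROR
    -- Without the next two lines the answer stops at the CNAME (the result
    -- Oscar observed); with them the Recursor resolves the target itself and
    -- appends the rest of the chain to the same response.
    dq.followupFunction = "followCNAMERecords"
    dq.followupDomain = newDN(target)
    return true
  end

  return false
end
```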
Re: [Pdns-users] Recursor and LUA scripting: I don't understand why preresolve answering a CNAME won't cascade to other records
Hi,

If I'm not wrong you need to tell pdns to resolve the CNAME:
https://doc.powerdns.com/recursor/lua-scripting/hooks.html#cname-chain-resolution

Regards,
Roman

On Sun, 31 May 2020 at 12:08, Oscar Koeroo via Pdns-users <pdns-users@mailman.powerdns.com> wrote:
> Hi,
>
> I’m using the Recursor version 4.3.1 on my Pi and building the
> following. I have a VPS and a home-server. I use “domain.net” for the
> internet access and in my home I use “domain.local”.
>
> Due to NAT and how my home router works, I intercept the DNS requests and
> provide a local answer instead of the WAN IP address for example. In other
> cases I would like to use “domain.net”.
>
> I’m using the following LUA script to intercept, but I don’t understand
> the results. Why doesn’t the dig get the CNAME to go to the A record I
> have in my domain.local zone? I expected dig to try to get the CNAME value
> of qr.domain.net and the CNAME value of that result, which seems to halt
> there.
>
> The expected result I was looking for was:
>
> dig qr.domain.net
>
> ;; ANSWER SECTION:
> qr.domain.net.          3600    IN      CNAME   qr.domain.local.
> qr.domain.local.        41584   IN      CNAME   apps.domain.local.
> apps.koeroo.local.      40931   IN      A       192.168.1.28
> - EOL
>
> I got:
>
> dig qr.domain.net
>
> ;; ANSWER SECTION:
> qr.domain.net.          3600    IN      CNAME   qr.domain.local.
> - EOL
>
> dig cloud.domain.net
>
> ;; ANSWER SECTION:
> cloud.domain.net.       3600    IN      A       192.168.1.15
> - EOL
>
> Script:
>
> function preresolve(dq)
>   if dq.qtype == pdns.A then
>     if (dq.qname:toString() == "cloud.domain.net.") then
>       pdnslog("preresolve: " .. dq.qname:toString(), pdns.loglevels.Info)
>       dq:addAnswer(pdns.A, "192.168.1.15")
>       dq.rcode = pdns.NOERROR
>       return true
>     elseif (dq.qname:toString() == "vpn.domain.net.") then
>       pdnslog("preresolve: " .. dq.qname:toString(), pdns.loglevels.Info)
>       dq:addAnswer(pdns.A, "192.168.1.37")
>       dq.rcode = pdns.NOERROR
>       return true
>     elseif (dq.qname:toString() == "qr.domain.net.") then
>       pdnslog("preresolve: " .. dq.qname:toString(), pdns.loglevels.Info)
>       dq:addAnswer(pdns.CNAME, "qr.domain.local")
>       dq.rcode = pdns.NOERROR
>       return true
>     end
>   end
>   return false
> end
>
> Oscar Koeroo
[Pdns-users] Recursor and LUA scripting: I don't understand why preresolve answering a CNAME won't cascade to other records
Hi,

I’m using the Recursor version 4.3.1 on my Pi and building the following. I have a VPS and a home-server. I use “domain.net” for the internet access and in my home I use “domain.local”.

Due to NAT and how my home router works, I intercept the DNS requests and provide a local answer instead of the WAN IP address for example. In other cases I would like to use “domain.net”.

I’m using the following LUA script to intercept, but I don’t understand the results. Why doesn’t the dig get the CNAME to go to the A record I have in my domain.local zone? I expected dig to try to get the CNAME value of qr.domain.net and the CNAME value of that result, which seems to halt there.

The expected result I was looking for was:

dig qr.domain.net

;; ANSWER SECTION:
qr.domain.net.          3600    IN      CNAME   qr.domain.local.
qr.domain.local.        41584   IN      CNAME   apps.domain.local.
apps.koeroo.local.      40931   IN      A       192.168.1.28
- EOL

I got:

dig qr.domain.net

;; ANSWER SECTION:
qr.domain.net.          3600    IN      CNAME   qr.domain.local.
- EOL

dig cloud.domain.net

;; ANSWER SECTION:
cloud.domain.net.       3600    IN      A       192.168.1.15
- EOL

Script:

function preresolve(dq)
  if dq.qtype == pdns.A then
    if (dq.qname:toString() == "cloud.domain.net.") then
      pdnslog("preresolve: " .. dq.qname:toString(), pdns.loglevels.Info)
      dq:addAnswer(pdns.A, "192.168.1.15")
      dq.rcode = pdns.NOERROR
      return true
    elseif (dq.qname:toString() == "vpn.domain.net.") then
      pdnslog("preresolve: " .. dq.qname:toString(), pdns.loglevels.Info)
      dq:addAnswer(pdns.A, "192.168.1.37")
      dq.rcode = pdns.NOERROR
      return true
    elseif (dq.qname:toString() == "qr.domain.net.") then
      pdnslog("preresolve: " .. dq.qname:toString(), pdns.loglevels.Info)
      dq:addAnswer(pdns.CNAME, "qr.domain.local")
      dq.rcode = pdns.NOERROR
      return true
    end
  end
  return false
end

Oscar Koeroo