Re: [Pdns-users] where cvn and lua postresolve in 3.4-pre
This is caused by firewalling on our end. It does not indicate any problems.

I suppose that would depend on your position in regards Path MTU. One of the modern wonders of t'internet.

Chris

Knowledge I.T. 'Unifying Business Technology' www.knowledgeit.co.uk
Knowledge Limited, Company Registration: 1554385
Registered Office: New Century House, Crowther Road, Washington, Tyne Wear. NE38 0AQ
Leeds Office: Viscount Court, Leeds Road, Rothwell, Leeds. LS26 0GR
Tel: 0845 142 0020. Fax: 0845 142 0021

E-Mail Disclaimer: This e-mail message is intended to be received only by persons entitled to receive the confidential information it may contain. E-mail messages to clients of Knowledge IT may contain information that is confidential and legally privileged. Please do not read, copy, forward, or store this message unless you are an intended recipient of it. If you have received this message in error, please forward it to the sender and delete it completely from your computer system. Please consider the environment before printing this email.

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] [Help] - PDNS stop suddenly after every night
Hi Vinh,

Is this the authoritative or recursive server? If it's authoritative, which backends are you using and which version?

Thanks
Chris

From: pdns-users-boun...@mailman.powerdns.com [mailto:pdns-users-boun...@mailman.powerdns.com] On Behalf Of Ð?c Vinh H?
Sent: 29 March 2012 03:52
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] [Help] - PDNS stop suddenly after every night

Hi all,

I successfully installed PDNS. That's good for me. But I face a stupid problem: after 5-8 hours working, PDNS suddenly stops working, and I have to start PDNS manually. And the loop continues: after 5-8 hours, it stops working again.

What's wrong with that? Any idea how to solve it?

P.S.: I compiled pdns from source and I start/stop pdns by using:

# killall pdns_server
#/usr/local/pdns/sbin/pdns_server

and I added the command /usr/local/pdns/sbin/pdns_server to rc.local as well.

Regards,
Vinh Ho
[Pdns-users] PowerDNS in an ISP environment
Hi All,

Quick question - is anyone on the list using PDNS in an ISP environment, especially for auth services ?

Have prepped PDNS to replace our Bind instances however management have raised concerns over moving away from the industry standard, so have asked for more justification on the change in software. Already have some ideas but some real world use cases would really be the clincher.

Have spotted a new names on a couple of things published by Bert, and those of PlusNET but fpdns (yes, a little out of date signatures I acknowledge) seem to suggest no match (could be pdns 3) but mostly Bind.

ie:

[root@ns1 ~]# fpdns -D plus.net
fingerprint (plus.net, 195.166.128.16): ISC BIND 9.2.3rc1 -- 9.4.0a4
fingerprint (plus.net, 195.166.128.17): ISC BIND 9.2.3rc1 -- 9.4.0a4

[root@ns1 ~]# fpdns -D register.com
fingerprint (register.com, 216.21.227.12): ISC BIND 9.2.3rc1 -- 9.4.0a4
fingerprint (register.com, 216.21.227.11): ISC BIND 9.2.3rc1 -- 9.4.0a4
fingerprint (register.com, 216.21.230.12): ISC BIND 9.2.3rc1 -- 9.4.0a4

[root@ns1 ~]# fpdns -D .tk
fingerprint (.tk, 202.125.44.173): ISC BIND 9.2.3rc1 -- 9.4.0a4
fingerprint (.tk, 207.36.228.217): ISC BIND 9.2.3rc1 -- 9.4.0a4
fingerprint (.tk, 217.199.176.121): ISC BIND 9.2.3rc1 -- 9.4.0a4

[root@ns1 ~]# fpdns -D .mn
fingerprint (.mn, 199.254.62.1): ISC BIND 9.2.3rc1 -- 9.4.0a4
fingerprint (.mn, 199.249.116.1): No match found
fingerprint (.mn, 202.72.241.5): ISC BIND 9.2.3rc1 -- 9.4.0a4
fingerprint (.mn, 202.131.0.10): ISC BIND 9.2.3rc1 -- 9.4.0a4

Have also done a few scans on some of the top hosts in the UK ISPA, some PDNS but mostly myDNS and/or bind.

This isn't to get into one server is better than another or individual choices, I like PDNS, more just looking for some use cases so I can get this over the line :)

Cheers
Chris
Re: [Pdns-users] PowerDNS in an ISP environment
Hi Bert,

The best I can do is refer to this thread, which lists some data points: http://mailman.powerdns.com/pipermail/pdns-users/2011-May/007719.html

Cheers, that's a good start :)

Measuring the 'company domain name' with fpdns is of limited utility - the company domain name itself is often not on the ISP production platform.

Yes I know, it more was I was expecting pdns or no match, but it came back with bind.

It's not so much the question of is this supported 24x7 etc, I'm already impressed with the level of support provided on these lists which your response is a fine example of which says how good the commercial support would be. We may go down that route but I think their feedback is really more just about a name. My direct manager knows Bind, so I have to justify not bind, if you see what I mean.

Thanks
Chris
Re: [Pdns-users] pdnssec secure-zone failing
Hi Eric,

Might seem like a silly question, but do you have 'gpgsql-dnssec' set in pdns.conf ?

Cheers
Chris

From: pdns-users-boun...@mailman.powerdns.com [mailto:pdns-users-boun...@mailman.powerdns.com] On Behalf Of Eric
Sent: 16 August 2011 09:10
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] pdnssec secure-zone failing

Greetings,

I searched around, but I was unable to find a resolution to my problem. I have a very vanilla install of PowerDNS 3.0 installed with a PostgreSQL 8.4 backend configured. Everything works as expected. Now I want to sign my zone, so I extended my schema as outlined here: http://doc.powerdns.com/generic-mypgsql-backends.html#id444731
Re: [Pdns-users] PDNS recursor Dual Stack
Hi Chris,

Is the firewall disabled ? What are the contents of your allow_from and local_address lines ?

Thanks
Chris

From: pdns-users-boun...@mailman.powerdns.com [mailto:pdns-users-boun...@mailman.powerdns.com] On Behalf Of Chris Hesselrode
Sent: 22 July 2011 06:11
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] PDNS recursor Dual Stack

When setting pdns recursor to use an IPv4 and IPv6 address (comma separated in local-ip) the server doesn't respond to queries over IPv6. Any quick tips to look at?

Thanks

Sent via Wireless
Re: [Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.
Alright so i think we're getting closer to the culprit. You will need to have the auth field set to '1' i.e. True for most if not all

Yes, I knew it was RTFM :-/ .. this sorted the issue.

Many thanks for your time looking into this Stefan, and also Bert

Thanks
Chris
[Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.
.. and I hope the answer is RTFM, but...

I'm looking to push out PDNS as our new primary auth servers and also with DNS-SEC, however only on certain zones. (Essentially to allow 2 migrations, one to PDNS then one to enable DNS-SEC).

Is it possible for pdnssec to also serve non auth zones ? If so, how :)

Using pdns-static-3.0rc3.20110719.2239-1, fairly standard options (gmysql-dnssec) - with the auth field set to 0, I can return an SOA, but no A records for non auth domains.

Cheers
Chris
Re: [Pdns-users] IPv4 and IPv6 sockets at the same time
Hi Martin,

Actually, as a confirm, we have allow_from set specifically too. So +1 to it being the local nets.

Cheers
Chris

Line 123 in pdns_recursor.cc defines the default allow-from rules:

#define LOCAL_NETS 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
Re: [Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.
Hi Stefan,

Thanks for the reply. Sorry for the confusion.

I think option for dns-sec in the backend is the key here, because I have this set, as I want to serve some dns-sec zones but not all.

Essentially, PDNS, with Mysql Backend (only), and I'm trying to serve dns-sec, and non dns-sec zones.

launch=gmysql
gmysql-dnssec

Set in pdns.conf.

In the database:

Domains:

| 6 | wibble.com | NULL | NULL | NATIVE | NULL | NULL |

mysql> select * from records where domain_id=6;
+-----+-----------+-----------------+------+----------------------------------------------------------------------------+-------+------+-------------+-----------+------+
| id  | domain_id | name            | type | content                                                                    | ttl   | prio | change_date | ordername | auth |
+-----+-----------+-----------------+------+----------------------------------------------------------------------------+-------+------+-------------+-----------+------+
| 694 |         6 | wibble.com      | SOA  | ns1.server.co.uk hostmaster.server.net 2011011702 10800 3600 1209600 86400 | 86400 |    0 | NULL        |           |    0 |
| 695 |         6 | mail.wibble.com | A    | 1.1.1.1                                                                    | 86400 |    0 | NULL        |           |    0 |
| 696 |         6 | wibble.com      | NS   | ns1.server.co.uk                                                           | 86400 |    0 | NULL        |           |    0 |

So I have name server (ns1.server.co.uk is the physical server), SOA and an A record. The auth field (for DNS-SEC is 0)

However results from dig:

[root@ns1 ~]# dig wibble.com @localhost SOA

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> wibble.com @localhost SOA
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18174
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;wibble.com.            IN      SOA

;; ANSWER SECTION:
wibble.com.     86400   IN      SOA     ns1.server.co.uk hostmaster.server.net 2011011702 10800 3600 1209600 86400

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 21 17:22:56 2011
;; MSG SIZE rcvd: 101

So, no issues with the SOA, but the A

[root@ns1 ~]# dig mail.wibble.com @localhost A

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> mail.wibble.com @localhost A
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57290
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.wibble.com.       IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 21 17:28:20 2011
;; MSG SIZE rcvd: 33

And in the logs:

Jul 21 17:25:19 ns1 pdns[14821]: Should not get here (mail.wibble.com|1): please run pdnssec rectify-zone wibble.com

I'm guessing as I have gmysql-dnssec set, it's assuming all zones are DNS-SEC enabled.

So the question then becomes, can I run 2 gmysql backends, one for sec one for not. Docs don't really tell me this, especially preferably in the same database.

Cheers
Chris

-----Original Message-----
From: pdns-users-boun...@mailman.powerdns.com [mailto:pdns-users-boun...@mailman.powerdns.com] On Behalf Of Stefan Schmidt

I am not sure what you mean by 'auth zone'. You can run non DNSSEC zones alongside DNSSEC signed ones no problem, PowerDNS will default to non-DNSSEC operation for a Zone if it doesn't find any key material or option for it in the backend.

Stefan
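The auth-field problem discussed in this thread (rows stored with auth=0 while gmysql-dnssec is enabled, and the log line asking for pdnssec rectify-zone) can be audited directly in the records table. The following is an added example, not part of the original messages and not PowerDNS code: it uses SQLite as a stand-in for the MySQL backend, the function names are hypothetical, the last two sample rows are constructed, and the rule it applies (auth=1 for everything the zone is authoritative for, auth=0 only for delegation NS records and the glue beneath them) is taken as an assumption from the PowerDNS DNSSEC backend documentation.

```python
import sqlite3

# Sample rows: 694-696 are the rows quoted in the thread (all auth=0).
# 697-698 are CONSTRUCTED to show a case where auth=0 is legitimate:
# a delegation of sub.wibble.com plus its glue record.
# Columns trimmed to the ones the check needs.
ROWS = [
    (694, 6, "wibble.com", "SOA",
     "ns1.server.co.uk hostmaster.server.net 2011011702 10800 3600 1209600 86400",
     86400, 0, 0),
    (695, 6, "mail.wibble.com", "A", "1.1.1.1", 86400, 0, 0),
    (696, 6, "wibble.com", "NS", "ns1.server.co.uk", 86400, 0, 0),
    (697, 6, "sub.wibble.com", "NS", "ns.sub.wibble.com", 86400, 0, 0),
    (698, 6, "ns.sub.wibble.com", "A", "192.0.2.53", 86400, 0, 0),
]


def build_db():
    """Create an in-memory records table holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INT, "
        "name TEXT, type TEXT, content TEXT, ttl INT, prio INT, auth INT)"
    )
    conn.executemany("INSERT INTO records VALUES (?,?,?,?,?,?,?,?)", ROWS)
    return conn


def expected_auth(name, rtype, cuts):
    """Return the auth value a record should carry (assumed rule, see lead-in)."""
    for cut in cuts:
        if name == cut or name.endswith("." + cut):
            # At or below a delegation point the zone is not authoritative.
            # The one exception is a DS record at the cut itself, which
            # belongs to the parent zone.
            return 1 if (rtype == "DS" and name == cut) else 0
    return 1


def audit_zone(conn, domain_id, zone):
    """List (id, name, type, stored_auth, expected_auth) for mismatching rows."""
    zone = zone.lower().rstrip(".")
    rows = conn.execute(
        "SELECT id, name, type, auth FROM records WHERE domain_id=? ORDER BY id",
        (domain_id,),
    ).fetchall()
    # Delegation points: NS records owned by any name other than the apex.
    cuts = {n.lower() for _, n, t, _ in rows if t == "NS" and n.lower() != zone}
    findings = []
    for rid, name, rtype, auth in rows:
        want = expected_auth(name.lower(), rtype, cuts)
        if auth != want:  # a NULL auth column is reported as well
            findings.append((rid, name, rtype, auth, want))
    return findings


def apply_fix(conn, findings):
    """Write the expected auth value back for each finding; returns row count."""
    conn.executemany(
        "UPDATE records SET auth=? WHERE id=?",
        [(want, rid) for rid, _, _, _, want in findings],
    )
    return len(findings)


if __name__ == "__main__":
    db = build_db()
    for finding in audit_zone(db, 6, "wibble.com"):
        print("auth mismatch:", finding)
```

This only checks and corrects the auth column; it does not fill in ordername, which the rectify-zone command named in the log line is there to maintain.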
Re: [Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.
As an addendum, also tried multi launch with the same issue specifying dnssec on one launch:

launch=gmysql:sec,gmysql:nonsec
gmysql-sec-dnssec
gmysql-sec-host=127.0.0.1
gmysql-sec-user=x
gmysql-sec-dbname=y
gmysql-sec-password=z
gmysql-nonsec-host=127.0.0.1
gmysql-nonsec-user=x
gmysql-nonsec-dbname=y
gmysql-nonsec-password=z

Have to be missing something silly here.

Cheers
Chris

-----Original Message-----
From: pdns-users-boun...@mailman.powerdns.com [mailto:pdns-users-boun...@mailman.powerdns.com] On Behalf Of Chris Russell
Sent: 21 July 2011 17:38
To: zaph...@zaphods.net
Cc: pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.
Re: [Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.
Hi Stefan

Have Dns sec working without issue, it's the non sec which isn't R

Thanks
Chris

--- original message ---
From: Stefan Schmidt zaph...@zaphods.net
Subject: Re: [Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.
Date: 21st July 2011
Time: 6:21:57 pm

On Thu, Jul 21, 2011 at 6:46 PM, Chris Russell chris.russ...@knowledgeit.co.uk wrote:

As an addendum, also tried multi launch with the same issue specifying dnssec on one launch:

launch=gmysql:sec,gmysql:nonsec
gmysql-sec-dnssec
...

Have to be missing something silly here.

I'm not sure if it makes any difference but this works for me with gmysql-priv-dnssec=yes

Something equally silly would be if you were missing the tables necessary for DNSSEC operations as specified at http://doc.powerdns.com/generic-mypgsql-backends.html#id479879 where it says To support or migrate to DNSSEC, the following SQL statements must be executed. Is your table structure 'DNSSEC-ready'?

for mail. the ordername should be 'mail' although as you are not querying with +dnssec i don't think PowerDNS would bother.

what does a `pdnssec show-zone wobble.com` say?

Stefan
Re: [Pdns-users] PowerDNS Authoritative Server 3.0-rc3 (FINAL!) released
If he also can document (in detail!) the process of building these packages, we will appreciate that! This will enable other people to

+1, like Nick I've tried before to do this and struggled every time.

Cheers
Chris
Re: [Pdns-users] Small site backend recommendations
Hi Charles,

We're in a similar position right now (a current scripted solution, active development in other servers, etc) and I've come up against some of the same issues. Decided against the Bind DLZ system, despite meeting some of the ISC staffers and am sticking with PowerDNS.

I can't comment on the backend options but a hidden master is preferable to hide some of the keyring information on DNS-SEC. That said, right now I'm torn between using a similar solution to yourself in a database driven hidden master and DNS slave backends, or using MySQL replication to do a similar role.

One thing I did find, not sure if it's still current is this - http://community.plus.net/blog/2008/03/13/about-the-plusnet-authoritative-dns-system/

There seems to be loads of information on creating a very basic setup, but little in terms of who's really using PowerDNS and how. That said though, the list is very helpful :)

Cheers
Chris

-----Original Message-----
From: pdns-users-boun...@mailman.powerdns.com [mailto:pdns-users-boun...@mailman.powerdns.com] On Behalf Of Charles Sprickman
Sent: 12 May 2011 08:37
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] Small site backend recommendations

Hello,

We've been using the PDNS recursor for some time now and have been quite happy with it. It replaced dnscache and has proven to perform much better.

We're now looking at moving away from tinydns, mainly to get IPv6 support without patching and to get started with DNSSEC. I don't see us with more than a few thousand zones anytime soon, and we aren't looking at anything above 1000 qps (across three servers) anytime soon.

I'm not sure I completely understand the PowerDNS philosophy quite yet, but it looks like BCP is to run a db server on each name server (postgres or mysql). This feels a little too heavyweight for us.

What might be some interesting options? Would something like one master with a real db backend (in our case PostgreSQL) and then two slaves running SQLite work well? Is there anything lighter than SQLite that we could stick on the slaves? Is the SQLite backend well-supported?

Any pointers greatly appreciated. We are committed to a database-backed DNS server (we currently have a script that dumps db data to a tinydns data file), and there do not seem to be that many actively-developed options out there...

Thanks,
Charles
[Pdns-users] Questions on powerdnssec
Hi All,

Few questions on using PowerDNSsec - using the latest RPM build (20110509.2190-1) in our IPv6 labs. Fundamentally - PDNS auth, Bind Recursor and Win7 client behind router, all dual stacked.

Firstly, when using an external server as a recursor; can this be an IPv6 host ? I have the auth server forwarding to bind for any recursive queries, this works when I specify the bind IPv4 address, but not the IPv6 address. Both queries work fine if querying bind from the pdns server directly using dig on ipv4 or ipv6.

Secondly, when using powerdns secure-zone and the gmysql backend, I'm guessing rectify-zone must be run whenever any records are created to resign the zone. This being the case, does this lead to having a hidden master (ie: non publicly accessible) host or db in order to be slightly more secure [making the running of the signing process hidden] ?

Finally, is there any documentation of the validity length of the keys, or do these rollover automatically ?

Bert, as you thought, this build resolves the issue I had with mysql going away and the server taking a while to reconnect. It's serving records from the cache just fine.

Thanks
Chris
Re: [Pdns-users] Status of the LDAP backend in 3.0 release
Hi Bert, Well, what can I say. Some of the largest DNS hosters in the UK use PowerDNS, but perhaps they don't show up at UKNOF meetings? Only one I'm aware of is/was PlusNet (http://community.plus.net/blog/2008/03/13/about-the-plusnet-authoritative-dns-system/) - and this follows on from Nick's new posting on usage. It makes life easier to justify when you name companies :) It may also be a bit much to ask ISC to recommend PowerDNS! ;-) Yeah, some of the looks on the developers' faces were quite interesting =o) i) Is there a correct Schema for MySQL ? I seem to have found 2 .. one The 'generic MySQL' one is the one to use. Thanks for this. Hmm, this may be due to http://wiki.powerdns.com/trac/changeset/2189 and http://mailman.powerdns.com/pipermail/pdns-dev/2011-April/000945.html Can you see if you can reproduce this issue against build 2189, which can be found on http://powerdnssec.org/downloads/ and Will do and will feed back. One thing I will say though, the Bind 10 roadmap does look rather interesting, almost giving a powershell type environment to Bind. Who knows where PowerDNS is three years from now. I wish BIND 10 the best of luck. As do I, that said, think PDNS may be the way to go for our auth stuff - ironically my design pretty much matches the PlusNet design :) Cheers Chris
Re: [Pdns-users] Status of the LDAP backend in 3.0 release
Nick. If you search in the Internet, you'll find ample evidence that BIND / DLZ is not a production solution. In terms of performance, it Really glad someone started this thread as I was about to post something similar. Around 4-5 years ago when we started the ISP I looked into Bind DLZ, and I came to the same conclusion in that it was contrib code and the backend as such was unstable and not production ready. I ended up writing a web interface which translated to a database into text files to load into Bind. I'm now in a similar position, in that I need something more dynamic than my current solution. I've looked into DLZ and pretty much saw not too much in the way of serious stability, and I've ended up preparing a roll out of PowerDNS. However, I was at the UK version of NANOG (UKNOF) meeting a few weeks back, with a lot of people from ISPs and a few fairly senior people from ISC, and I asked the same question - not one recommended PowerDNS, with pretty much similar arguments as you've made vs Bind DLZ. This was however after 1 or 2 beers, but this was some of the bigger UK specific players in networks, hosting and so on. I'm more than likely heading down the PowerDNS route for my auth servers; however, there's a couple of things I've noted which I'd appreciate if you could shed some light on: i) Is there a correct Schema for MySQL? I seem to have found 2 .. one pretty basic, and one pretty advanced (with webforwards?) - is there a definitive schema to use? ii) When using the MySQL backend, I've noted if the MySQL server is restarted, it often takes PowerDNS around a minute to realise this and in the interim sends failures - even for records which should be in the cache - is there a setting or settings I can look at to make this more efficient? Am on the 2.9.22 stable RPM release and I admit I could be RTFM incorrectly :) One thing I will say though, the Bind 10 roadmap does look rather interesting, almost giving a powershell type environment to Bind. Although that's 3 years away :) Cheers Chris