Re: [Pdns-users] Reset Data on Slave

2024-01-09 Thread Klaus Darilion via Pdns-users
Hi Sebastian!

The term "cached data" usually does not refer to the data in the database, but 
to data cached in the PDNS process (packet cache, query cache).

If you want to clean the "cache" the fastest method is to restart the PDNS 
process (a short service interruption). To adjust caching timeouts see 
https://doc.powerdns.com/authoritative/settings.html and grep for "ttl".

You do not mention how to replicate the data to your 2 slaves:
a) Using DNS zone transfers (AXFR), or
b) MySQL replication

If you use a) then you could just force a zone transfer on the slave with 
"pdns_control retrieve ".
If you use b) there actually should not be any need to do that manually, the 
MySQL replication will take care that everything is consistent. But if for 
whatever reason the data on the Slave DB is out of sync, you have to delete the 
data on the Slave DB and re-sync from the master. How this is done depends on 
the type of replication you are using - refer to the MySQL manual. But be 
aware: when you delete the data in the slave DB and resync, this will cause 
service interruptions on the Slave, and even worse the slave may return wrong 
data.

Regards
Klaus

> -Original Message-
> From: Pdns-users  On
> behalf of sebastian--- via Pdns-users
> Sent: Tuesday, 9 January 2024 19:55
> To: pdns-users@mailman.powerdns.com
> Cc: sebast...@debianfan.de
> Subject: [Pdns-users] Reset Data on Slave
> 
> Hi @all,
> 
> How do I reset the DNS data on the first & second slave DNS server?
> 
> We have dns01 - master, dns02 - slave & dns03 - slave.
> 
> The two slave servers should forget all the caching information and
> should ask the master for new and complete data.
> 
> How do I do this? (I found a tutorial but I don't want to edit the MySQL
> database...).
> 
> Is there any shell command in PowerDNS?
> 
> Tnx
> 
> Sebastian
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Adding multiple records to all zones at once

2023-10-13 Thread Klaus Darilion via Pdns-users
> Why not do something along the lines of (PostgreSQL syntax as that's
> what I know, and completely untested):
> 
> INSERT INTO records (domain_id, name, type, content, ttl)
>    SELECT domains.id, 'autoconfig.' || domains.name, 'CNAME', '<target zone>', 3600
>    FROM domains
>    WHERE domains.id NOT IN (
>        SELECT records.domain_id FROM records
>        JOIN domains ON domains.id = records.domain_id
>        WHERE records.name = 'autoconfig.' || domains.name );
> 
> You may want to just run the SELECT first to see that it gives you what
> you want.

When you insert records directly into the DB, the zone may be broken (NSEC, 
NSEC3 ordername, empty non-terminal RRs ...).

Therefore you have to call "rectify" for every zone that was changed and 
PowerDNS will check and if necessary fix the zone.

regards
Klaus
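An added example, not code from the thread or from PowerDNS: the bulk "autoconfig" insert run against an in-memory SQLite copy of the generic-SQL domains/records tables, written with NOT EXISTS so it is idempotent, plus the list of zones it changed, which is exactly the list to feed to "pdnsutil rectify-zone" afterwards. The zone names, the CNAME target and the restriction to MASTER/NATIVE zones are my assumptions, not from the post.

```python
import sqlite3

# Placeholder for the CNAME target; the thread leaves the real value out.
AUTOCONFIG_TARGET = "autoconfig.mailprovider.example"

# Minimal copy of the generic-SQL schema columns the statement touches.
SCHEMA = """
CREATE TABLE domains (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE,
    type TEXT NOT NULL
);
CREATE TABLE records (
    id        INTEGER PRIMARY KEY,
    domain_id INTEGER NOT NULL REFERENCES domains(id),
    name      TEXT,
    type      TEXT,
    content   TEXT,
    ttl       INTEGER,
    ordername TEXT,
    auth      INTEGER DEFAULT 1
);
"""

# Zones that still lack the record. The anti-join is what makes the bulk insert
# idempotent; '||' concatenation is shared by PostgreSQL and SQLite. Only
# locally editable zone types are touched (SLAVE zones belong to their primary).
ZONES_MISSING_AUTOCONFIG = """
SELECT d.name
FROM domains d
WHERE d.type IN ('MASTER', 'NATIVE')
  AND NOT EXISTS (
      SELECT 1 FROM records r
      WHERE r.domain_id = d.id
        AND r.name = 'autoconfig.' || d.name)
ORDER BY d.name
"""

BULK_INSERT = """
INSERT INTO records (domain_id, name, type, content, ttl)
SELECT d.id, 'autoconfig.' || d.name, 'CNAME', ?, 3600
FROM domains d
WHERE d.type IN ('MASTER', 'NATIVE')
  AND NOT EXISTS (
      SELECT 1 FROM records r
      WHERE r.domain_id = d.id
        AND r.name = 'autoconfig.' || d.name)
"""


def build_sample_db():
    """Constructed sample: two MASTER zones (one already has the record), one SLAVE zone."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    soa = "ns1.example hostmaster.example 1 3600 600 86400 300"
    conn.executemany("INSERT INTO domains (id, name, type) VALUES (?, ?, ?)",
                     [(1, "alpha.example", "MASTER"),
                      (2, "beta.example", "MASTER"),
                      (3, "slaved.example", "SLAVE")])
    conn.executemany(
        "INSERT INTO records (domain_id, name, type, content, ttl) VALUES (?, ?, ?, ?, ?)",
        [(1, "alpha.example", "SOA", soa, 3600),
         (2, "beta.example", "SOA", soa, 3600),
         (2, "autoconfig.beta.example", "CNAME", AUTOCONFIG_TARGET, 3600),
         (3, "slaved.example", "SOA", soa, 3600)])
    conn.commit()
    return conn


def add_autoconfig_records(conn, target=AUTOCONFIG_TARGET):
    """Insert the missing CNAMEs and return the zones that were changed.

    Exactly those zones now have stale NSEC/NSEC3 ordername and ENT bookkeeping,
    so they are the ones to pass to 'pdnsutil rectify-zone' afterwards.
    """
    changed = [name for (name,) in conn.execute(ZONES_MISSING_AUTOCONFIG)]
    conn.execute(BULK_INSERT, (target,))
    conn.commit()
    return changed


def autoconfig_record_count(conn):
    """Number of autoconfig rows; shows that a second run adds nothing."""
    return conn.execute(
        "SELECT COUNT(*) FROM records WHERE name LIKE 'autoconfig.%'").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    for zone in add_autoconfig_records(db):
        print("pdnsutil rectify-zone", zone)
    print("second run changed:", add_autoconfig_records(db))
```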


Re: [Pdns-users] Problem with master and slave config

2023-10-12 Thread Klaus Darilion via Pdns-users
I have never used pdnsutil. Maybe the domain is created with type NATIVE 
instead of MASTER. Check the 'domains' table.

Klaus


Sent via BlackBerry Work (www.blackberry.com)

From: Pdns-users  on behalf of Andres 
Alejandro Dobie via Pdns-users 
Sent: 12.10.2023 19:09
To: pdns-users@mailman.powerdns.com
Cc: Andres Alejandro Dobie 
Subject: [Pdns-users] Problem with master and slave config

Hi all, and sorry for my English. It's not my mother tongue.

I have 2 PDNS servers, master and slave

PDNS Master - 192.168.0.200 - ns1.example.com
PDNS Slave - 192.168.0.201 - ns2.example.com

both with PowerDNS Authoritative Server 4.8.1

My master config:

allow-axfr-ips=192.168.0.201
allow-dnsupdate-from=127.0.0.0/8,::1
allow-notify-from=0.0.0.0/0,::/0

default-soa-content=ns1.example.com. sysadmin.example.com. 2023101402 21600 3600 1209600 21600
disable-axfr=no
disable-syslog=no
#include-dir=/etc/powerdns/pdns.d

launch=gmysql
gmysql-host=localhost
gmysql-user=pdnsadmin
gmysql-password=Superlogico*96
gmysql-dbname=pdns

log-dns-queries=yes
log-timestamp=yes
loglevel=5
master=yes
primary=yes
query-logging=yes
also-notify=192.168.0.201


My slave config:


disable-syslog=no
#include-dir=/etc/powerdns/pdns.d

#new
allow-notify-from=192.168.0.200

setgid=pdns
setuid=pdns

#new
local-address=192.168.0.201
local-port=53
query-local-address=192.168.0.201
server-id=ns2.example.com

launch=gmysql

gmysql-host=localhost
gmysql-user=pdnsadmin
gmysql-password=Superlogico*96
gmysql-dbname=pdns

log-dns-queries=yes
log-timestamp=yes
query-logging=yes
#new
master=no
superslave=yes
#slave=yes
slave-cycle-interval=2
autosecondary=yes


I do the following: create a zone on the master and add some records:

pdnsutil create-zone testing.dev

pdnsutil add-record testing.dev @ NS ns1.example.com
pdnsutil add-record testing.dev @ NS ns2.example.com

after that...

pdnsutil increase-serial testing.dev

At this point I suppose the slave server communicates with the master and replicates the 
zones, but nothing happens... at least not automatically...

If I do in master:

pdns_control notify testing.dev

The master sends to and communicates with the slave and replicates the zones correctly.

Master:
pdns_control list-zones
testing.dev.

Slave:
pdns_control list-zones
testing.dev.

But it does not do it automatically, I must carry out this process by hand 
knowing the area in advance. How can I carry out this process independently? Is 
there something wrong with my Master/Slave configuration?

Thank you very much in advance for your appreciated help.


Re: [Pdns-users] Return answer according to availability of a server

2023-09-27 Thread Klaus Darilion via Pdns-users
You can do this in PowerDNS Authoritative using LUA records, see:
https://doc.powerdns.com/authoritative/lua-records/

regards
Klaus

> -Original Message-
> From: Pdns-users  On
> behalf of Riccardo Brunetti via Pdns-users
> Sent: Tuesday, 26 September 2023 18:43
> To: pdns-users@mailman.powerdns.com
> Cc: Riccardo Brunetti 
> Subject: [Pdns-users] Return answer according to availability of a server
> 
> Hello everybody.
> 
> I'm trying to figure out if it is possible to make pdns (or dnsdist)
> return a different answer according to the availability of a service.
> 
> Suppose we have:
> 
> 
> - server A with IP: XXX.XXX.XXX.XXX
> 
> - server B with IP: YYY.YYY.YYY.YYY
> 
> 
> Server A and B are two web servers which are configured to answer to a
> given http GET like http://myservice.net.
> 
> They are both configured in the same way and are independent.
> 
> 
> I would like the DNS query to return XXX.XXX.XXX.XXX as long as the server A
> is working (returns 200 to the GET) or return YYY.YYY.YYY.YYY when server A
> is not working.
> 
> In other words, I would like to have two records A for myservice.net with a
> somehow "intelligent" behavior and not a simple round-robin.
> 
> 
> Can you suggest how to achieve this, if it's possible?
> 
> 
> Thanks a lot
> 
> Riccardo
> 



Re: [Pdns-users] listen on net iface

2023-07-28 Thread Klaus Darilion via Pdns-users
PS: This sounds like you want to run PDNS in an active-standby HA setup with a 
"hot" standby. But if this PDNS instance has SLAVE and MASTER zones configured, 
it will perform slave-checks and master-checks and write into the backend 
(which may be a database). To avoid issues with multiple PDNS processes writing 
into a single DB you can configure your HA manager to start PDNS only once the 
floating IP is migrated to the standby server.

regards
Klaus

-- 
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria




Re: [Pdns-users] listen on net iface

2023-07-28 Thread Klaus Darilion via Pdns-users
Configure pdns to listen to the floating IP and set net.ipv4.ip_nonlocal_bind.
Klaus


Sent via BlackBerry Work (www.blackberry.com)

From: Pdns-users  on behalf of lejeczek 
via Pdns-users 
Sent: 28.07.2023 06:05
To: pdns-users@mailman.powerdns.com
Cc: lejeczek 
Subject: [Pdns-users] listen on net iface

Hi guys.

Would you know if it's possible to have _pdns_ listen on a net iface 
instead of an IP?
e.g. eth0 - such an interface would not be fully initialized/configured, meaning 
no IP config.
The case is one where a so-called floating IP travels from node to node, but _pdns_ 
would be able to bind to such an iface before the IP bits get there.

many thanks, L.


Re: [Pdns-users] IXFR Stability Feedback

2023-04-21 Thread Klaus Darilion via Pdns-users
> -Original Message-
> From: William Edwards 
> Sent: Saturday, 15 April 2023 23:51
> To: Peter Thomassen 
> Cc: Klaus Darilion ; pdns-
> us...@mailman.powerdns.com
> Subject: Re: [Pdns-users] IXFR Stability Feedback
> 
> 
> > On 15 Apr 2023 at 23:01, Peter Thomassen via Pdns-users  us...@mailman.powerdns.com> wrote the following:
> >
> > Hi Klaus,
> >
> >> On 4/15/23 22:09, Klaus Darilion via Pdns-users wrote:
> >> Hence, I would consider enabling IXFR for this zone, but until now I always
> tried to stay away from IXFR as there were always bugs in PDNS regarding
> IXFR, and according to the documentation removing of ENTs is not supported
> (does this have a real-world impact?).
> >
> > Wouldn't the main obstacle be that pdns does not support outgoing IXFR?
> 
> I take it Klaus uses native replication and a non-PowerDNS primary.

Correct. With native replication (in our case postgresql logical replication) 
outgoing is more or less the same as incoming: if incoming is an AXFR, the 
DELETE and INSERT for all RRs get replicated. For IXFR we would only have to 
replicate the affected table rows.

regards
Klaus


[Pdns-users] IXFR Stability Feedback

2023-04-15 Thread Klaus Darilion via Pdns-users
Hi!

We have a customer zone with ~1.1 million RRs (~200K NSEC3 RRs) with zone updates 
every few minutes. We use the PostgreSQL backend and replicate the zone to the 
secondaries using logical replication. It is not very smart pushing out 5GB of 
(almost the same) data every few minutes, and it is causing additional load on the 
database (write operations) on secondaries with older hardware.

Hence, I would consider enabling IXFR for this zone, but until now I always 
tried to stay away from IXFR as there were always bugs in PDNS regarding IXFR, 
and according to the documentation removing of ENTs is not supported (does this 
have a real-world impact?).

So, I reach out to people who use or have used PDNS with IXFR and a DB 
backend, regarding stability and whether my concerns are justified or over-the-top.

Thanks
Klaus


[Pdns-users] PowerDNS DB Backend with presigned Master Zones via API

2023-04-07 Thread Klaus Darilion via Pdns-users
Hello!

Has anyone ever tried inserting presigned Zones via the PowerDNS API? We have a 
customer request and I wonder if that would ever work.

Would PDNS accept DNSKEY, CDS/CDNSKEY, NSEC3PARAM, RRSIGs, NSEC(3) via the API? 
Would presigned-domainmetadata be set automatically or do I have to set it 
manually?

Thanks
Klaus


--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria


Re: [Pdns-users] master receiving notifies from slave

2023-03-08 Thread Klaus Darilion via Pdns-users
PDNS sends NOTIFYs for SLAVE zones only if slave-renotify is turned on 
(globally, or per zone in the domainmetadata table).

So, if your SLAVEs should not send NOTIFYs make sure to disable slave-renotify.

If a PDNS instance slaves zones from a master, but also acts as master to other 
slaves, then you can fine-tune NOTIFYs.

I use "only-notify=" (empty value to disable all implicit NOTIFYs). Further I 
use "ALSO-NOTIFY" domainmetadata settings to specify NOTIFY targets per zone.

regards
Klaus

From: Pdns-users  On behalf of Curtis 
Maurand via Pdns-users
Sent: Thursday, 9 March 2023 00:06
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] master receiving notifies from slave

Hello,
I have a pair of powerdns servers running on a debian derivative equivalent to 
bullseye: Devuan chimaera.  I am running pdns authoritative version 4.7.3 from 
the powerdns debian repo.  Devuan does not use systemd.  I'm using sysvinit.  
The upgrade removes /etc/init.d/pdns script which is not good nor can I find it 
in the sources even though the docs say it's in there. That's not really why 
I'm writing.

The slave server is sending notifies for one, and only one slave domain 
maurand.com to the master and the master (a supermaster) is refusing them, but 
they are happening several times per second.  Both servers are behind NAT 
firewalls and that would be the reason for the private IP in the notify.

Mar  8 16:34:30 sirius pdns[27219]: Received NOTIFY for maurand.com from 
192.168.100.1 but we are primary (Refused)

Mar  8 16:34:35 sirius pdns[27219]: Received NOTIFY for maurand.com from 
192.168.100.1 but we are primary (Refused)


On the master  (208.105.217.26) I have:

 52 | maurand.com   | NULL   |   NULL | MASTER |  2023030804 | NULL| NULL|   50 | NULL|

On the slave (208.105.219.27) I have:

| 17 | maurand.com   | 208.105.217.26 | 1678315385 | SLAVE | NULL | | NULL| NULL|

As I was typing out my cry for help, here, I may have solved this by upgrading 
the master to 4.7.3 from version 4.4.1 (which is what is in the debian repos), 
but after the upgrade I still received a few more notifies; 
it seems to have settled down, though.

I searched around the net for answers, but I can't find any.  I've been running 
powerdns for a very long time.  Does anyone have any ideas what might be 
causing this?

Thanks in advance,
Curtis



Curtis

https://curtis.maurand.com


Re: [Pdns-users] ENUM NAPTR queries

2023-02-14 Thread Klaus Darilion via Pdns-users
Hi Alexis!

One thing: if a number is not found in ENUM you should check whether to return 
NXDOMAIN or NODATA (empty answer section), because there may be a number below 
the asked one, and then NXDOMAIN is wrong and may lead to problems if the DNS 
client (recursing name server) implements RFC 8020.

regards
Klaus 

> -Original Message-
> From: Alexis Fidalgo 
> Sent: Monday, 13 February 2023 16:02
> To: Klaus Darilion 
> Cc: pdns-users@mailman.powerdns.com
> Subject: Re: [Pdns-users] ENUM NAPTR queries
> 
> No worries, I'm working now on a combination of mongo and redis and
> compiled regexps to deal with it, looks promising :)
> 
> Thanks again for your help
> 
> Sent from a mobile device
> 
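An added example, not code from the thread and not PowerDNS code, of the distinction Klaus raises: an ENUM lookup that finds no entry must still say NODATA rather than NXDOMAIN whenever a stored number extends the queried one, because under RFC 8020 an NXDOMAIN also denies every longer name below it. The suffix is the one in the thread's dig output; the number set and NAPTR contents are constructed, and how the backend signals an empty non-terminal to its PowerDNS front end is outside this example.

```python
# Suffix taken from the thread's dig output; numbers and NAPTR rdata below are
# constructed sample data.
ENUM_SUFFIX = "lesi.com.ar."

SAMPLE_NAPTRS = {
    "+2399007086": ['100 10 "u" "E2U+SIP" "!^.*$!sip:+2399007086@ims.example!" .'],
    "+23990070999": ['100 10 "u" "E2U+pstn:tel" "!^.*$!tel:23990070999;npdi!" .'],
}


def e164_to_enum(number, suffix=ENUM_SUFFIX):
    """'+2399007086' -> '6.8.0.7.0.0.9.9.3.2.lesi.com.ar.'"""
    digits = number.lstrip("+")
    return ".".join(reversed(digits)) + "." + suffix


def enum_to_digits(qname, suffix=ENUM_SUFFIX):
    """Inverse mapping. Returns the digit string ('' for the apex), or None when
    the name is under the suffix but is not a well-formed ENUM name."""
    q = qname.lower()
    if q == suffix:
        return ""
    labels = q[: -len("." + suffix)].split(".")
    if any(len(label) != 1 or not label.isdigit() for label in labels):
        return None
    return "".join(reversed(labels))


class EnumBackend:
    """Decides which answer a number-portability backend must give for NAPTR."""

    def __init__(self, naptrs):
        # naptrs: {E.164 number: [NAPTR rdata, ...]} for numbers with an entry.
        self.naptrs = {n.lstrip("+"): rrs for n, rrs in naptrs.items()}
        # Every proper prefix of a stored number is an empty non-terminal: the
        # name exists because something lies below it, but carries no data.
        self.ents = set()
        for digits in self.naptrs:
            for i in range(len(digits)):
                self.ents.add(digits[:i])

    def answer(self, qname):
        """Return (rcode, rdata list) for a NAPTR query on qname."""
        q = qname.lower()
        if q != ENUM_SUFFIX and not q.endswith("." + ENUM_SUFFIX):
            return "REFUSED", []            # not our zone
        digits = enum_to_digits(q)
        if digits is not None and digits in self.naptrs:
            return "NOERROR", self.naptrs[digits]
        if digits is not None and digits in self.ents:
            # NODATA: NOERROR with an empty answer section. An NXDOMAIN here
            # would let an RFC 8020 resolver treat every longer number as absent.
            return "NODATA", []
        return "NXDOMAIN", []               # nothing at or below this name


if __name__ == "__main__":
    backend = EnumBackend(SAMPLE_NAPTRS)
    for name in ("6.8.0.7.0.0.9.9.3.2.lesi.com.ar.",   # stored number
                 "8.0.7.0.0.9.9.3.2.lesi.com.ar.",     # prefix seen in the thread
                 "7.8.0.7.0.0.9.9.3.2.lesi.com.ar."):  # unknown number
        print(name, backend.answer(name)[0])
```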

Re: [Pdns-users] ENUM NAPTR queries

2023-02-13 Thread Klaus Darilion via Pdns-users
Probably things are different when using a dynamic backend vs. a DB backend. 
Unfortunately I am not familiar with the remote backend.

regards
Klaus



> -Original Message-
> From: Alexis Fidalgo 
> Sent: Monday, 13 February 2023 15:20
> To: Klaus Darilion 
> Cc: pdns-users@mailman.powerdns.com
> Subject: Re: [Pdns-users] ENUM NAPTR queries
> 
> But MongoDB is not seen at all from pdns, it is hidden by my code used by
> the remote backend via HTTP. My app is the one accessing mongo and
> responding over this HTTP to the remote backend.
> 
> The question was how to avoid this big loop of questions since the first
> one has a correct answer, and zone information was answered before the
> NAPTR query, I want only one query if possible.
> 
> 
> 
> Sent from a mobile device
> 

Re: [Pdns-users] ENUM NAPTR queries

2023-02-13 Thread Klaus Darilion via Pdns-users
Before PowerDNS answers the query, it has to find the authoritative zone. 
Therefore it loops over the labels to find the zone apex.

But this behavior was changed with 4.5 when 
https://doc.powerdns.com/authoritative/settings.html#zone-cache-refresh-interval
 was introduced. So maybe you have disabled the zone-cache, are using an old 
PowerDNS version, or this feature is not supported with MongoDB.

regards
Klaus

-- 
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria


> -Original Message-
> From: Pdns-users  On behalf of
> Alexis Fidalgo via Pdns-users
> Sent: Monday, 6 February 2023 13:49
> To: pdns-users@mailman.powerdns.com
> Subject: [Pdns-users] ENUM NAPTR queries
> 
> Hello all, good morning.
> 
> I'm working on developing an HTTP app to be used with the remote backend; this
> app uses a MongoDB backend in order to read Local Number Portability
> records (around 400MM) queried to the powerdns auth server using the NAPTR type.
> 
> Everything works ok but I'm facing a kind of no-go now. Up to now, the
> pdns auth server is getting around 20/30 qps because it is under test. Next
> step is to deploy the pdns auth inside a docker swarm, set 10/15
> replicas and start receiving 1500qps and grow up to 20/25k qps.
> 
> a normal query is like this
> 
> —
>  alz@nuc  ~  dig @localhost 6.8.0.7.0.0.9.9.3.2.lesi.com.ar NAPTR
> 
> ; <<>> DiG 9.16.33-Debian <<>> @localhost
> 6.8.0.7.0.0.9.9.3.2.lesi.com.ar NAPTR
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21129
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;6.8.0.7.0.0.9.9.3.2.lesi.com.ar. IN NAPTR
> 
> ;; ANSWER SECTION:
> 6.8.0.7.0.0.9.9.3.2.lesi.com.ar. 1 IN NAPTR 100 10 "u" "E2U+SIP"
> "!^.*$!sip:+2399007...@ims.mnc790.mcc313.3gppnetwork.org!" .
> 6.8.0.7.0.0.9.9.3.2.lesi.com.ar. 1 IN NAPTR 100 10 "u" "E2U+pstn:tel"
> "!^.*$! tel:2399007086;npdi;rn=2324832232!" .
> 
> ;; Query time: 1507 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Feb 06 09:34:15 -03 2023
> ;; MSG SIZE  rcvd: 205
> —
> 
> in the remote backend I can see the query
> {"method": "lookup", "parameters": {"local": "0.0.0.0", "qname":
> "6.8.0.7.0.0.9.9.3.2.lesi.com.ar.", "qtype": "ANY", "real-remote":
> "172.17.0.1/32", "remote": "172.17.0.1", "zone-id": -1}}
> 
> answered
> 
> {"result":[{"qtype":"NAPTR","qname":"6.8.0.7.0.0.9.9.3.2.lesi.com.ar.","
> content":"100 10 \"u\" \"E2U+SIP\"
> \"!^.*$!sip:+2399007...@ims.mnc790.mcc313.3gppnetwork.org!\"
> .","ttl":1},{"qtype":"NAPTR","qname":"6.8.0.7.0.0.9.9.3.2.lesi.com.ar.",
> "content":"100 10 \"u\" \"E2U+pstn:tel\" \"!^.*$! tel:2399007086;npdi
>  ;rn=2324832232!\" .","ttl":1}]}
> 
> but after that I can see
> {"method": "lookup", "parameters": {"local": "0.0.0.0", "qname":
> "8.0.7.0.0.9.9.3.2.lesi.com.ar.", "qtype": "ANY", "real-remote":
> "172.17.0.1/32", "remote": "172.17.0.1", "zone-id": -1}}
> answered: {“result": false}
> 
> then
> {"method": "lookup", "parameters": {"local": "0.0.0.0", "qname":
> "0.7.0.0.9.9.3.2.lesi.com.ar.", "qtype": "ANY", "real-remote":
> "172.17.0.1/32", "remote": "172.17.0.1", "zone-id": -1}}
> 
> and so on.
> 
> I don't need all those queries: if the first one (the complete phone
> number, which is 2399007086) has no porting information, that's it, no
> more queries. I can't afford x10 queries on the database with no use at
> all.
> 
> All are phone calls in the setup stage (at least trying to) and time is
> important (besides processing, etc.)
> 
> 
> How can I stop this kind of loop recursion?
> 
> 
> Thanks in advance.
> BR
> 

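An added example, not code from the thread or from PowerDNS, modelling the two ways an authoritative server can find the zone apex that Klaus describes: probing the backend label by label (the chain of lookups Alexis saw, one round trip per label until the SOA is hit) versus picking the longest matching apex from a zone list fetched once in bulk, which is the effect the zone cache introduced in 4.5 has. The zone contents and the record format of the stand-in backend are constructed.

```python
class RecordingBackend:
    """Stand-in for the remote backend: answers from a dict and logs every
    call, so the round trips each strategy costs can be compared."""

    def __init__(self, zones):
        # zones: {apex: {owner name: [{"qtype": ..., "content": ...}]}}, all FQDNs.
        self.zones = zones
        self.calls = []

    def lookup(self, qname, qtype="ANY"):
        self.calls.append((qname, qtype))
        for rrsets in self.zones.values():
            if qname in rrsets:
                return [rr for rr in rrsets[qname] if qtype in ("ANY", rr["qtype"])]
        return []          # the remote backend reports this as {"result": false}

    def get_all_domains(self):
        """One bulk call; this is what a zone-cache refresh relies on."""
        self.calls.append(("*", "getAllDomains"))
        return list(self.zones)


def ancestors(qname):
    """qname, then each parent up to the root: 'a.b.' -> 'b.' -> '.'"""
    labels = [] if qname == "." else qname.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def apex_by_walking(backend, qname):
    """Walk the labels, asking the backend at every level until an SOA shows up."""
    for name in ancestors(qname):
        if any(rr["qtype"] == "SOA" for rr in backend.lookup(name, "ANY")):
            return name
    return None


def apex_from_zone_list(zone_names, qname):
    """Pick the longest matching apex from a list already in memory: no backend
    call at query time."""
    known = set(zone_names)
    for name in ancestors(qname):
        if name in known:
            return name
    return None


def resolve(backend, qname, qtype, zone_names=None):
    """Return (apex, rdata list); with zone_names the backend is asked once."""
    if zone_names is None:
        apex = apex_by_walking(backend, qname)
    else:
        apex = apex_from_zone_list(zone_names, qname)
    if apex is None:
        return None, []               # not authoritative for this name
    return apex, backend.lookup(qname, qtype)


# Constructed sample zone shaped like the one in the thread.
SAMPLE_ZONES = {
    "lesi.com.ar.": {
        "lesi.com.ar.": [{"qtype": "SOA",
                          "content": "ns1.lesi.com.ar. hostmaster.lesi.com.ar. 1 3600 600 86400 60"}],
        "6.8.0.7.0.0.9.9.3.2.lesi.com.ar.": [
            {"qtype": "NAPTR",
             "content": '100 10 "u" "E2U+SIP" "!^.*$!sip:+2399007086@ims.example!" .'}],
    }
}


def backend_calls_for(qname, use_zone_list):
    """Per-query backend round trips under each strategy. The bulk getAllDomains
    call is amortised over the cache refresh interval and not counted."""
    backend = RecordingBackend(SAMPLE_ZONES)
    zone_names = backend.get_all_domains() if use_zone_list else None
    resolve(backend, qname, "NAPTR", zone_names)
    return sum(1 for call in backend.calls if call[1] != "getAllDomains")


if __name__ == "__main__":
    for name in ("6.8.0.7.0.0.9.9.3.2.lesi.com.ar.", "7.8.0.7.0.0.9.9.3.2.lesi.com.ar."):
        print(name, "walking:", backend_calls_for(name, False),
              "zone list:", backend_calls_for(name, True))
```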


[Pdns-users] Help needed debugging knot_control timeouts

2022-12-12 Thread Klaus Darilion via Pdns-users
Hello!

We regularly use "pdns_control retrieve" (via TCP) to trigger zone transfers. 
Very often we receive:
Timeout error: Error from remote in receive(): Resource temporarily unavailable

Our PDNS is quite busy, plenty of NOTIFYs, SLAVE checks and incoming AXFRs.

What exactly happens when "pdns_control retrieve" is called? Is the "retrieve" 
asynchronous (the zone gets added to the AXFR queue) or is it synchronous (client + server 
have to wait until PDNS has time to do the transfer)?

For us it would be good if, even when PDNS is busy, the "retrieve" request were 
answered instantly and the zone just added to the AXFR queue. Or does adding 
the zone to the queue also require some locks that cause the timeout?

Any hints are appreciated.

Thanks
Klaus



Re: [Pdns-users] INCEPTION-INCREMENT for a signed zone

2022-08-31 Thread Klaus Darilion via Pdns-users
Hi Tomas!

I cannot speak about INCEPTION-INCREMENT.  But I remember when we had to 
decide which increment method to choose we chose INCREMENT-WEEKS because 
it is the only method that always works - regardless of the serial format 
chosen by the zone editor. With INCREMENT-WEEKS the serial does not look 
nice, but it works.

regards
Klaus

> -Original Message-
> From: Pdns-users  On
> behalf of Tomas Habarta via Pdns-users
> Sent: Thursday, 25 August 2022 10:42
> To: pdns-users@mailman.powerdns.com
> Subject: [Pdns-users] INCEPTION-INCREMENT for a signed zone
> 
> Hello,
> 
> could anyone please shed some light on SOA-EDIT for a signed zone?
> 
> Setup:
> PowerDNS Authoritative Server 4.6.2, hidden master, isc bind slaves, bind
> backend, default-soa-edit-signed=INCEPTION-INCREMENT, zone makes use
> of MMDDSS serial
> 
> Situation:
> I have got a zone which is "maintained" by people who don't know (and even
> don't want to know) anything about dnssec. They have just used it the same way
> for ages -- open file, add/remove record, increase serial and reload.
> Recently, there has been pressure to sign this zone as it is a subzone of
> an already signed one...
> Since the serial is in MMDDSS format, they are used to starting with 00, which
> then makes trouble when using INCEPTION-INCREMENT for soa-edit-signed.
> 
> On inception day:
> When the RRSIG changes on inception day, the serial is correctly increased, but when
> it comes to a zone modification the same day, with the second edit, there
> is no serial increase, so it looks like this (202208 part omitted):
> 
> zone  pdns
> 
> 2307 -> 2501
> 2500 -> 2502  1st zone edit
> 2501 -> 2502  2nd zone edit
> 2502 -> 2503
> 2503 -> 2504
> 
> The problem is the second edit, as no serial increase means no public master
> update -- we run a hidden master, so this is not really a big thing, but still
> a bit confusing. Reading the operation instructions does not make it clearer, as
> they seem to be dated (increment 2). Looking at the source in
> pdns/serialtweaker.cc and the history of the changes (mainly #2377) it seems it
> used to be that way but had other consequences...
> I am sure there must be some historical reasons why it was designed the way
> it is (mainly the initial skip by 2 seems to complicate things unnecessarily), but
> with my limited view I am unable to spot them or see the possible harm on
> other parts of pdns... Of course, I can work around that, but this still
> involves a human factor...
> Anyway, any information on this will be appreciated.
> 
> 
> Many thanks
> Tomas


Re: [Pdns-users] [dnsdist] Dnsdist not reading from the cache

2022-07-22 Thread Klaus Darilion via Pdns-users
In old dnsdist versions the cache was per "cookie". So make sure to test with 
DNS cookies.
regards
Klaus

From: dnsdist  On Behalf Of Jacob Bunk Nielsen via dnsdist
Sent: Friday, 22 July 2022 12:28
To: dnsd...@mailman.powerdns.com
Subject: Re: [dnsdist] Dnsdist not reading from the cache

On 22/07/2022 12.11, SAMI RAHAL via dnsdist wrote:

Hello dnsdist community,

The dnsdist cache does not work

Version: dnsdist 1.7.0 (Lua 5.1.4 [LuaJIT 2.0.4])



here is my configuration:
setPoolServerPolicy(leastOutstanding, "cacheTestiong")
test_pc = newPacketCache(200, {maxTTL=43200, 
minTTL=0,temporaryFailureTTL=60, staleTTL=60, dontAge=false})
getPool("cacheTestiong"):setCache(test_pc)
addAction(AllRule(), PoolAction("cacheTestiong"))



Are you certain that this is your entire configuration? I'm guessing it's not.



Best regards,

Jacob


Re: [Pdns-users] PowerDNS Authoritative 4.6.2, how to log served responses (i.e. NOERROR, NXDOMAIN, SERVFAIL, etc)?

2022-06-14 Thread Klaus Darilion via Pdns-users
Hi Dmitriy!

Recently we had a similar requirement for our resolvers (which only do query 
logging, not response logging) and we decided to use packetbeat for this 
purpose. It should be easy to integrate if you have an existing Elasticsearch 
cluster!

regards
Klaus

From: Pdns-users  On Behalf Of frank+pdns--- via Pdns-users
Sent: Tuesday, 14 June 2022 15:23
To: Dmitriy Koff 
Cc: pdns-users-ml 
Subject: Re: [Pdns-users] PowerDNS Authoritative 4.6.2, how to log served 
responses (i.e. NOERROR, NXDOMAIN, SERVFAIL, etc)?

Hi Dmitriy,

https://doc.powerdns.com/authoritative/settings.html#log-dns-queries states 
that it logs "all incoming DNS queries", not the results.

If you want to log the results, you'll need to either increase the loglevel, 
tcpdump the results and parse those, or add something in front of the server 
(eg dnsdist) where you'd capture the result codes and log.

Frank




On 14 Jun 2022, at 13:38, Dmitriy Koff via Pdns-users <pdns-users@mailman.powerdns.com> wrote:

Hello!

I'm trying to configure logging for PowerDNS (4.6.2) and cannot figure out how to log 
served responses (i.e. NOERROR, NXDOMAIN, SERVFAIL, etc)
/etc/pdns/pdns.conf (parameters regarding logs)
loglevel=5
log-dns-details=yes
log-dns-queries=yes
query-logging=no

# nslookup example.com 127.0.0.1
Server: 127.0.0.1
Address:127.0.0.1#53
** server can't find example.com: NXDOMAIN

All I've got in the log is the packetcache status of the request (miss or hit) --
"Remote 127.0.0.1 wants 'example.com|A', do = 0, bufsize = 
512: packetcache MISS"

Expected something like
"Remote 127.0.0.1 wants 'example.com|A', do = 0, bufsize = 
512: packetcache MISS, NXDOMAIN"

Thanks in advance.


Re: [Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)

2022-05-31 Thread Klaus Darilion via Pdns-users
https://github.com/PowerDNS/pdns/issues/10150

From: Pdns-users  On Behalf Of Klaus Darilion via Pdns-users
Sent: Tuesday, 31 May 2022 06:35
To: j...@elsif.net; pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)

Alias does not support dnssec. See issues on github. Klaus


Sent via BlackBerry Work (www.blackberry.com)

From: Pdns-users <pdns-users-boun...@mailman.powerdns.com> on behalf of Jake via Pdns-users <pdns-users@mailman.powerdns.com>
Sent: 30.05.2022 22:10
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)

Created a domain called "aliastest.ca".

Set the options recursive= and expand-alias= as prescribed.

All works...

Used "pdnsutil secure-zone aliastest.ca"...and it signed the zone...all
easier than I expected, so yay!

However...when I query for records under the zone...

# dig @localhost A www.aliastest.ca. +dnssec +short
4.4.4.4
A 13 3 3600 2022060900 2022051900 30598 aliastest.ca.
sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMj
SnOqnU7jJzW1u6INtskuwMuNbR+4WQ==

I see NSEC records...great!

# dig @localhost A aliastest.ca. +dnssec +short
151.101.125.67

I don't see NSEC records...why?

I somewhat assumed that PowerDNS would be signing the recursive output
from the ALIAS target...is this some other option I don't know about?

> select * from domains where name="aliastest.ca";
+-----+--------------+--------+------------+--------+-----------------+---------+
| id  | name         | master | last_check | type   | notified_serial | account |
+-----+--------------+--------+------------+--------+-----------------+---------+
| 403 | aliastest.ca | NULL   |       NULL | NATIVE |            NULL | NULL    |
+-----+--------------+--------+------------+--------+-----------------+---------+

> select * from records where domain_id="403";
+------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| id   | domain_id | name               | type  | content                                                                 | ttl  | prio | change_date | disabled | ordername | auth |
+------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| 4814 |       403 | aliastest.ca       | SOA   | ns01.aliastest.ca admin-dns.aliastest.ca 2022030101 1800 900 604800 300 | 3600 |    0 |        NULL |        0 |           |    1 |
| 4815 |       403 | aliastest.ca       | NS    | ns01.aliastest.ca                                                       | 3600 |    0 |        NULL |        0 |           |    1 |
| 4816 |       403 | aliastest.ca       | NS    | ns02.aliastest.ca                                                       | 3600 |    0 |        NULL |        0 |           |    1 |
| 4817 |       403 | aliastest.ca       | MX    | mail1.aliastest.ca                                                      | 3600 |   10 |        NULL |        0 |           |    1 |
| 4818 |       403 | aliastest.ca       | MX    | mail2.aliastest.ca                                                      | 3600 |   20 |        NULL |        0 |           |    1 |
| 4819 |       403 | aliastest.ca       | MX    | mail3.aliastest.ca                                                      | 3600 |   30 |        NULL |        0 |           |    1 |
| 4820 |       403 | ns01.aliastest.ca  | A     | 10.6.20.71                                                              | 3600 |    0 |        NULL |        0 | ns01      |    1 |
| 4821 |       403 | ns02.aliastest.ca  | A     | 10.6.20.72                                                              | 3600 |    0 |        NULL |        0 | ns02      |    1 |
| 4822 |       403 | mail1.aliastest.ca | A     | 1.1.1.1                                                                 | 3600 |    0 |        NULL |        0 | mail1     |    1 |
| 4823 |       403 | mail2.aliastest.ca | A     | 2.2.2.2                                                                 | 3600 |    0 |        NULL |        0 | mail2     |    1 |
| 4824 |       403 | mail3.aliastest.ca | A     | 3.3.3.3                                                                 | 3600 |    0 |        NULL |        0 | mail3     |    1 |
| 4825 |       403 | www.aliastest.ca   | A     | 4.4.4.4                                                                 | 3600 |    0 |        NULL |        0 | www       |    1 |
| 4826 |       403 | aliastest.ca       | ALIAS | www.cnn.com                                                             | 3600 |    0 |        NULL |        0 |           |    1 |
+------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+

Thanks all,
-jake


Re: [Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)

2022-05-30 Thread Klaus Darilion via Pdns-users
Alias does not support dnssec. See issues on github. Klaus


Sent via BlackBerry Work (www.blackberry.com)

From: Pdns-users  on behalf of Jake via Pdns-users 
Sent: 30.05.2022 22:10
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] Question about DNSSEC + ALIAS (cname at the apex hack)

Created a domain called "aliastest.ca".

Set the options recursive= and expand-alias= as prescribed.

All works...

Used "pdnsutil secure-zone aliastest.ca"...and it signed the zone...all
easier than I expected, so yay!

However...when I query for records under the zone...

# dig @localhost A www.aliastest.ca. +dnssec +short
4.4.4.4
A 13 3 3600 2022060900 2022051900 30598 aliastest.ca.
sIhw7mNWncSfshFAf5hXtblduAFy1bFyhR32mYedzj4br7WWG8angHMj
SnOqnU7jJzW1u6INtskuwMuNbR+4WQ==

I see NSEC records...great!

# dig @localhost A aliastest.ca. +dnssec +short
151.101.125.67

I don't see NSEC records...why?

I somewhat assumed that PowerDNS would be signing the recursive output
from the ALIAS target...is this some other option I don't know about?

> select * from domains where name="aliastest.ca";
+-----+--------------+--------+------------+--------+-----------------+---------+
| id  | name         | master | last_check | type   | notified_serial | account |
+-----+--------------+--------+------------+--------+-----------------+---------+
| 403 | aliastest.ca | NULL   |       NULL | NATIVE |            NULL | NULL    |
+-----+--------------+--------+------------+--------+-----------------+---------+

> select * from records where domain_id="403";
+------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| id   | domain_id | name               | type  | content                                                                 | ttl  | prio | change_date | disabled | ordername | auth |
+------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+
| 4814 |       403 | aliastest.ca       | SOA   | ns01.aliastest.ca admin-dns.aliastest.ca 2022030101 1800 900 604800 300 | 3600 |    0 |        NULL |        0 |           |    1 |
| 4815 |       403 | aliastest.ca       | NS    | ns01.aliastest.ca                                                       | 3600 |    0 |        NULL |        0 |           |    1 |
| 4816 |       403 | aliastest.ca       | NS    | ns02.aliastest.ca                                                       | 3600 |    0 |        NULL |        0 |           |    1 |
| 4817 |       403 | aliastest.ca       | MX    | mail1.aliastest.ca                                                      | 3600 |   10 |        NULL |        0 |           |    1 |
| 4818 |       403 | aliastest.ca       | MX    | mail2.aliastest.ca                                                      | 3600 |   20 |        NULL |        0 |           |    1 |
| 4819 |       403 | aliastest.ca       | MX    | mail3.aliastest.ca                                                      | 3600 |   30 |        NULL |        0 |           |    1 |
| 4820 |       403 | ns01.aliastest.ca  | A     | 10.6.20.71                                                              | 3600 |    0 |        NULL |        0 | ns01      |    1 |
| 4821 |       403 | ns02.aliastest.ca  | A     | 10.6.20.72                                                              | 3600 |    0 |        NULL |        0 | ns02      |    1 |
| 4822 |       403 | mail1.aliastest.ca | A     | 1.1.1.1                                                                 | 3600 |    0 |        NULL |        0 | mail1     |    1 |
| 4823 |       403 | mail2.aliastest.ca | A     | 2.2.2.2                                                                 | 3600 |    0 |        NULL |        0 | mail2     |    1 |
| 4824 |       403 | mail3.aliastest.ca | A     | 3.3.3.3                                                                 | 3600 |    0 |        NULL |        0 | mail3     |    1 |
| 4825 |       403 | www.aliastest.ca   | A     | 4.4.4.4                                                                 | 3600 |    0 |        NULL |        0 | www       |    1 |
| 4826 |       403 | aliastest.ca       | ALIAS | www.cnn.com                                                             | 3600 |    0 |        NULL |        0 |           |    1 |
+------+-----------+--------------------+-------+-------------------------------------------------------------------------+------+------+-------------+----------+-----------+------+

Thanks all,
-jake


Re: [Pdns-users] Questions about PowerDNS - CNAME@APEX, Capacity, management, etc...

2022-05-06 Thread Klaus Darilion via Pdns-users
Hi Jake!

These answers are probably worth some  for consulting. Anyways...

> -Original Message-
> From: Pdns-users  On
...
> Does PowerDNS load all of the zones into memory, and then start serving
> (like BIND), or does it load each zone and start serving said zone
> immediately upon load (like KNOT)?

It may depend on the backend. I can only talk about the postgresql backend. As 
the zone data is stored in the backend, PowerDNS will not load any zones into 
memory. Hence it will answer queries immediately. Where immediately means that, 
of course, the backend has to load the data from disk. But this is not done 
in advance but on request.

Btw: My Knots (secondaries) will only start answering if ALL zones are loaded.


> When in "secondary" mode, how does PowerDNS select which "primary" to
> retrieve a zone from?  Is it based on the configured list, is it based on
> performance, or is it based on which server it first received a notify
> from?

For regular SOA checks it should select randomly. For SOA checks triggered by 
NOTIFY it should query the name server that sent the NOTIFY, but I have not 
tested this (implemented quite recently).

> What's the best method for updating a backend with DNS changes in an
> instance where there are 6 million+ zones?  Assuming updating the database
> isn't the best method, what kind of volume can the API or dynamic update
> paths handle?  Is my assumption correct that I only have to worry about
> this in a "primary" configuration, and that a "secondary" configuration
> can rely entirely on standard zone transfers?

Why wouldn't updating the DB be the best method? It is a possibility, but it 
requires some actions to do it correctly (rectify zone). Yes, the API would 
take care that everything is correct in the DB.

You could also use AXFR inbound into your "primary" if zones are coming from 
some other systems.

Regarding secondaries you have 2 choices: standard AXFR or database replication. 
Standard AXFR gives you the possibility to also integrate other name server 
products, but database replication would also solve the provisioning.

When talking about secondaries, the zone transfer is the easiest part. The 
challenges are:
1. Zone provisioning on the secondary (how will PowerDNS know that it should be 
secondary for a certain zone?)
Solutions:
a) out of band management
b) PowerDNS Superslave feature (deletion of zones must be done out of 
band/manually)
c) Catalog zones (not yet implemented in PDNS) 
d) database replication (the easiest solution)

2. Checking the sync status. You probably want to know if some zone at some 
secondary is not in sync with the primary. NOTIFYs can get lost, AXFR can fail. 
There can and will be temporary network issues to your secondaries, so during a 1 
minute network issue you may miss plenty of NOTIFYs. To work around this you could 
configure SOA refresh checks every hour. With 6 million zones that would be a 
constant 1700 q/s on your primary. With 20 secondaries you have 34k q/s only 
for SOA checks (which fully hit the backend on your primary, as you usually want 
to disable caching on the primary, at least if you plan to manipulate the 
backend DB directly).
Customers always detect this very fast and complain. Hence, you do want to 
detect such issues automatically and automatically retransfer zones.
Solutions:
a) plenty of SOA checks
b) out of band check
c) database replication (the easiest solution) - here you just monitor the 
replication lag, which is a single metric for all your zones

> CNAME @ APEX questions:
Actually it is: CNAME besides other RRs, other RRs below DNAME,  

> Would I be right in my assumption that if one wants to use the CNAME @
> APEX recursion hack, that the entire ecosystem (both distribution servers
> and cloud servers) would need to be PowerDNS to accomplish this, given
> that BIND and KNOT will not load a zone with CNAME @ APEX?

Knot master will accept CNAME/DNAME errors if semantic checks are set to 
"soft". NSD accepts such zones as secondary. Maybe Bind also accepts them if 
you disable all the syntax checks. Of course, when disabling such checks, you can 
never know if the response is what you expect, as it is not defined how the 
answer should look. For example, Knot with CNAME checks disabled responds 
differently from PowerDNS for CNAMEs@APEX.

So, stop accepting CNAME bugs, and have workarounds for existing zones until 
they are fixed (I know this is not easy)

> What about DNS software vendor diversity?  Anyone else out there doing
> CNAME @ APEX that you find is a good mix with PowerDNS?
> 
> 
> 
> Capacity questions:
> 
> Can a PowerDNS instance handle 6 million zones and 300 million records?

It depends on the server and the query load. The more queries, the more CPUs 
you need. The more resource records you have, the more RAM you need to have.

So, with a very fat server you can handle it.

> Does one backend perform better than the others at this capacity?


Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN

2022-04-22 Thread Klaus Darilion via Pdns-users
n_id = 9644;
> +------+-----------+-------+--------+-----------+---------------------------------+
> | id   | domain_id | flags | active | published | content                         |
> +------+-----------+-------+--------+-----------+---------------------------------+
> | 9603 |      9644 |   257 |      1 |         1 | Private-key-format: v1.2
> Algorithm: 13 (ECDSAP256SHA256)
> PrivateKey: [HIDDEN]
>  |
> +------+-----------+-------+--------+-----------+---------------------------------+
> 1 row in set (0.00 sec)
> 
> MariaDB [powerdns]> SELECT * FROM domainmetadata WHERE domain_id =
> 9644;
> +-------+-----------+--------------+---------+
> | id    | domain_id | kind         | content |
> +-------+-----------+--------------+---------+
> | 28902 |      9644 | API-RECTIFY  | 1       |
> | 28901 |      9644 | SOA-EDIT-API | EPOCH   |
> +-------+-----------+--------------+---------+
> 2 rows in set (0.00 sec)
> 
> $ pdnsutil show-zone egogo.eu
> This is a Master zone
> Last SOA serial number we notified: 1650634625 == 1650634625 (serial in the database)
> Metadata items:
>   API-RECTIFY 1
>   SOA-EDIT-API EPOCH
> Zone has NSEC semantics
> keys:
> ID = 9603 (CSK), flags = 257, tag = 14759, algo = 13, bits = 256  Active Published  ( ECDSAP256SHA256 )
> CSK DNSKEY = egogo.eu. IN DNSKEY 257 3 13 [HIDDEN] ; ( ECDSAP256SHA256 )
> DS = egogo.eu. IN DS 14759 13 1 bc33e7dfe6ad30a0744c5f238d6acb8f0ffdfbd3 ; ( SHA1 digest )
> DS = egogo.eu. IN DS 14759 13 2 5b575f4eb351432995808a5c5a5e94d7459760c315248a344ec63c1f273c52f3 ; ( SHA256 digest )
> DS = egogo.eu. IN DS 14759 13 4 559f28bb6bf445611ddfc34d1c590f784c9472a6ff1a2adae36225c0f597343ce318990ed86531d49bfdad0e35fef6b0 ; ( SHA-384 digest )
> 
> 
> $ pdnsutil list-zone egogo.eu
> $ORIGIN .
> *.egogo.eu              900   IN  A      54.36.54.239
> autodiscover.egogo.eu   900   IN  CNAME  autodiscover.outlook.com.
> autodiscover2.egogo.eu  900   IN  CNAME  egogo.nl.
> egogo.eu                900   IN  A      54.36.54.239
> egogo.eu                900   IN  MX     10 mail.egogo.eu.
> egogo.eu                3600  IN  NS     ns1.mijn.host.
> egogo.eu                3600  IN  NS     ns2.mijn.host.
> egogo.eu                3600  IN  NS     ns3.mijn.host.
> egogo.eu                3600  IN  SOA    ns1.mijn.host hostmaster.egogo.eu 1650634625 10800 3600 604800 3600
> 
> 
> Klaus Darilion via Pdns-users wrote on 2022-04-22 18:59:
> > And how do you fill records into the mysql db? Can you show the
> > relevant rows of the records and domains table?
> > regards
> > Klaus
> >
> >> -Original Message-
> >> From: Pdns-users  On Behalf Of Marijn via Pdns-users
> >> Sent: Friday, 22 April 2022 18:54
> >> To: pdns-users@mailman.powerdns.com
> >> Subject: Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN
> >>
> >> I have pdnsutil 4.5.4 running with MySQL backend and native MySQL
> >> replication.
> >>
> >> In pdns.conf I have the following value. Maybe the @ doesn't work?
> >>
> >> default-soa-content=ns1.mijn.host hostmaster.@ 0 10800 3600 604800
> >> 3600
> >>
> >> Klaus Darilion wrote on 2022-04-22 18:06:
> >> > I do not see any difference of the two cases. But in any case,
> >> > returning an answer AND nxdomain is just broken.
> >> >
> >> >
> >> > # dig @ns1.mijn.host. autodiscover.egogo.eu
> >> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62514
> >> > ...
> >> > ;; QUESTION SECTION:
> >> > ;autodiscover.egogo.eu. IN  A
> >> >
> >> > ;; ANSWER SECTION:
> >> > autodiscover.egogo.eu.  900 IN  CNAME
> >> > autodiscover.outlook.com.
> >> >
> >> > ;; AUTHORITY SECTION:
> >> > .   3600  IN  SOA ns1.mijn.host. hostmaster. 1643556361 10800 3600 604800 3600
> >> >
> >> > this is a very broken setup. SOA reports "." = root zone.
> >> >
> >> > which pdns version/backend/ zone setup are you using?
> >> >
> >> > regards
> >> > Klaus
> >> >
> >> >> -Original Message-
> >> >> From: Pdns-users  On Behalf Of Marijn via Pdns-users
> >> >> Sent: Fr

Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN

2022-04-22 Thread Klaus Darilion via Pdns-users
And how do you fill records into the mysql db? Can you show the relevant rows 
of the records and domains table?
regards
Klaus

> -Original Message-
> From: Pdns-users  On Behalf Of Marijn via Pdns-users
> Sent: Friday, 22 April 2022 18:54
> To: pdns-users@mailman.powerdns.com
> Subject: Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN
> 
> I have pdnsutil 4.5.4 running with MySQL backend and native MySQL
> replication.
> 
> In pdns.conf I have the following value. Maybe the @ doesn't work?
> 
> default-soa-content=ns1.mijn.host hostmaster.@ 0 10800 3600 604800 3600
> 
> Klaus Darilion wrote on 2022-04-22 18:06:
> > I do not see any difference of the two cases. But in any case,
> > returning an answer AND nxdomain is just broken.
> >
> >
> > # dig @ns1.mijn.host. autodiscover.egogo.eu
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62514
> > ...
> > ;; QUESTION SECTION:
> > ;autodiscover.egogo.eu. IN  A
> >
> > ;; ANSWER SECTION:
> > autodiscover.egogo.eu.  900 IN  CNAME
> > autodiscover.outlook.com.
> >
> > ;; AUTHORITY SECTION:
> > .   3600  IN  SOA ns1.mijn.host. hostmaster. 1643556361 10800 3600 604800 3600
> >
> > this is a very broken setup. SOA reports "." = root zone.
> >
> > which pdns version/backend/ zone setup are you using?
> >
> > regards
> > Klaus
> >
> >> -Original Message-
> >> From: Pdns-users  On Behalf Of Marijn via Pdns-users
> >> Sent: Friday, 22 April 2022 16:39
> >> To: pdns-users@mailman.powerdns.com
> >> Subject: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN
> >>
> >> I have PowerDNS 4.5.1 running.
> >>
> >> DNSSEC is working on the domain:
> >> https://dnssec-analyzer.verisignlabs.com/egogo.eu
> >>
> >> ---
> >>
> >> But when I have DNSSEC active and I create a CNAME record, which
> >> doesn't
> >> have DNSSEC, I get a NXDOMAIN error.
> >>
> >> ```
> >> $ dig CNAME autodiscover.egogo.eu +short
> >> autodiscover.outlook.com.
> >> ```
> >>
> >> Here you can see the error
> >> https://dnssec-analyzer.verisignlabs.com/autodiscover.egogo.eu
> >>
> >> - Zone egogo.eu (83.96.241.95) returns NXDOMAIN for
> >> autodiscover.egogo.eu
> >> - No NSEC records in response
> >>
> >> ---
> >>
> >> When I create a CNAME record to a domain with DNSSEC, it's working.
> >> ```
> >> $ dig CNAME autodiscover2.egogo.eu +short
> >> egogo.nl.
> >> ```
> >> https://dnssec-analyzer.verisignlabs.com/autodiscover2.egogo.eu
> >> - No errors
> >>
> >> ---
> >>
> >> Why is DNSSEC not working with CNAME record
> autodiscover.outlook.com?
> >> Or could there be something wrong in my configuration?


Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN

2022-04-22 Thread Klaus Darilion via Pdns-users
I do not see any difference of the two cases. But in any case, returning an 
answer AND nxdomain is just broken.


# dig @ns1.mijn.host. autodiscover.egogo.eu
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62514
...
;; QUESTION SECTION:
;autodiscover.egogo.eu. IN  A

;; ANSWER SECTION:
autodiscover.egogo.eu.  900 IN  CNAME   autodiscover.outlook.com.

;; AUTHORITY SECTION:
.   3600  IN  SOA ns1.mijn.host. hostmaster. 1643556361 10800 3600 604800 3600

this is a very broken setup. SOA reports "." = root zone. 

which pdns version/backend/ zone setup are you using?

regards
Klaus

> -Original Message-
> From: Pdns-users  On Behalf Of Marijn via Pdns-users
> Sent: Friday, 22 April 2022 16:39
> To: pdns-users@mailman.powerdns.com
> Subject: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN
> 
> I have PowerDNS 4.5.1 running.
> 
> DNSSEC is working on the domain:
> https://dnssec-analyzer.verisignlabs.com/egogo.eu
> 
> ---
> 
> But when I have DNSSEC active and I create a CNAME record, which doesn't
> have DNSSEC, I get a NXDOMAIN error.
> 
> ```
> $ dig CNAME autodiscover.egogo.eu +short
> autodiscover.outlook.com.
> ```
> 
> Here you can see the error
> https://dnssec-analyzer.verisignlabs.com/autodiscover.egogo.eu
> 
> - Zone egogo.eu (83.96.241.95) returns NXDOMAIN for
> autodiscover.egogo.eu
> - No NSEC records in response
> 
> ---
> 
> When I create a CNAME record to a domain with DNSSEC, it's working.
> ```
> $ dig CNAME autodiscover2.egogo.eu +short
> egogo.nl.
> ```
> https://dnssec-analyzer.verisignlabs.com/autodiscover2.egogo.eu
> - No errors
> 
> ---
> 
> Why is DNSSEC not working with CNAME record autodiscover.outlook.com?
> Or could there be something wrong in my configuration?
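
A consistency check for the kind of answer shown in this thread, added here as an example (it is not PowerDNS code): it parses the dig output Klaus quoted and flags the two things he points out, an NXDOMAIN rcode next to a non-empty ANSWER section and an AUTHORITY SOA owned by "." instead of the zone apex. The expected zone apex is an assumption the caller passes in, and the second, clean sample is constructed for comparison.

```python
"""Consistency check for an authoritative DNS response, run over the dig
output quoted in this thread.

Added example, not PowerDNS code. It flags the two things Klaus points
out: an NXDOMAIN rcode next to a non-empty ANSWER section, and an
AUTHORITY SOA whose owner is not the zone the server should be
authoritative for (here "." instead of "egogo.eu."). The parser only
understands the dig text layout shown on the page; the expected zone
apex is an assumption the caller passes in.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the response quoted in the thread, with dig's
# shortened header block ("...") left out and whitespace normalised.
BROKEN_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62514
;; QUESTION SECTION:
;autodiscover.egogo.eu.   IN  A

;; ANSWER SECTION:
autodiscover.egogo.eu.  900  IN  CNAME  autodiscover.outlook.com.

;; AUTHORITY SECTION:
.   3600  IN  SOA  ns1.mijn.host. hostmaster. 1643556361 10800 3600 604800 3600
"""

# Constructed sample of a correct negative answer from the same zone:
# empty ANSWER section, SOA owned by the zone apex.
CLEAN_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; QUESTION SECTION:
;nonexistent.egogo.eu.   IN  A

;; AUTHORITY SECTION:
egogo.eu.   3600  IN  SOA  ns1.mijn.host. hostmaster.egogo.eu. 1650634625 10800 3600 604800 3600
"""


@dataclass
class Response:
    rcode: str = ""
    qname: str = ""
    answer: list = field(default_factory=list)     # (owner, rtype, rdata)
    authority: list = field(default_factory=list)  # (owner, rtype, rdata)


def parse_dig(text: str) -> Response:
    """Parse the sections of dig's text output into a Response."""
    resp = Response()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            match = re.search(r"status:\s*([A-Z]+)", line)
            resp.rcode = match.group(1) if match else ""
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line.split()[1]  # QUESTION, ANSWER, AUTHORITY, ...
        elif section == "QUESTION" and line.startswith(";"):
            resp.qname = line[1:].split()[0]
        elif section in ("ANSWER", "AUTHORITY") and not line.startswith(";"):
            owner, _ttl, _cls, rtype, *rdata = line.split()
            getattr(resp, section.lower()).append((owner, rtype, " ".join(rdata)))
    return resp


def check_response(resp: Response, expected_zone: str) -> list:
    """Return findings; an empty list means the answer is self-consistent."""
    findings = []
    if resp.rcode == "NXDOMAIN" and resp.answer:
        findings.append(f"NXDOMAIN for {resp.qname} but ANSWER holds "
                        f"{len(resp.answer)} record(s): a name cannot both exist and not exist")
    soa_owners = [owner for owner, rtype, _ in resp.authority if rtype == "SOA"]
    if resp.rcode == "NXDOMAIN" and not soa_owners:
        findings.append("NXDOMAIN without an SOA in AUTHORITY: resolvers cannot negative-cache it")
    for owner in soa_owners:
        if owner.lower() != expected_zone.lower():
            findings.append(f"AUTHORITY SOA is owned by {owner!r}, not by the zone apex "
                            f"{expected_zone!r}: the server claims authority for the wrong zone")
    return findings


def audit(text: str, expected_zone: str) -> list:
    """Parse and check captured dig output in one step."""
    return check_response(parse_dig(text), expected_zone)


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_RESPONSE), ("clean", CLEAN_NXDOMAIN)):
        problems = audit(sample, "egogo.eu.")
        print(f"{label}: {len(problems)} finding(s)")
        for problem in problems:
            print("  -", problem)
```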


[Pdns-users] How do I build Debian/Ubuntu packages?

2022-04-05 Thread Klaus Darilion via Pdns-users
Hi! The last time I built PDNS myself was 4.0. I just wanted to build packages for 
master, but found out that the build-auth-debian script has gone.

What is the new way to build Debian packages?

Thanks
Klaus




Re: [Pdns-users] RRSIG validity period

2022-03-30 Thread Klaus Darilion via Pdns-users
PowerDNS signature validity is always 3 weeks. Start is the second last 
Thursday 00:00 UTC, end is the next but one Thursday 00:00.


Start                                        End
Thursday    Thursday    Today    Thursday    Thursday
00:00       00:00                00:00       00:00


Signatures are calculated "on the fly" for every response sent out. To have 
more or less "static" signatures the above algorithm is used. Thursday 00:00 is 
the beginning of the Linux epoch. Hence, every "epoch-week" the signature 
lifetimes are changed.

regards
Klaus


From: Pdns-users  On Behalf Of Alexander Varejão via Pdns-users
Sent: Tuesday, 29 March 2022 22:33
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] RRSIG validity period

Hi Dears,

Well, as I said before, I'm new to PowerDNS and I have some doubts about how it 
works.

In my tests I'm using three virtual machines:
- One authoritative with mysql backend
- Two secondaries with sqlite3 backend

I'm confused about the validity period of RRSIGs, could someone help me with it?

So, my primary Server has the following configuration:

/etc/powerdns/pdns.conf

---
allow-axfr-ips=ONE SECONDARY IP HERE,OTHER SECONDARY IP HERE
disable-axfr=no
master=yes
include-dir=/etc/powerdns/pdns.d
launch=
security-poll-suffix=
setgid=pdns
setuid=pdns
---

/etc/powerdns/pdns.d/pdns.local.gmysql.conf

---
# MySQL Configuration
#
# Launch gmysql backend
launch+=gmysql

# gmysql parameters
gmysql-host="PRIMARY IP"
gmysql-port=3306
gmysql-dbname=powerdns
gmysql-user=powerdns
gmysql-password=PASSWORD HERE
gmysql-dnssec=yes
# gmysql-socket=
---

And my secondary servers have the following configuration

/etc/powerdns/pdns.conf

---
slave=yes
slave-cycle-interval=60
include-dir=/etc/powerdns/pdns.d
launch=
security-poll-suffix=
setgid=pdns
setuid=pdns
---

/etc/powerdns/pdns.d/pdns.local.gsqlite.conf

---
# SQLITE3 Configuration
#
# Launch gmysql backend
launch+=gsqlite3

# gsqlite3 parameters

gsqlite3-database=/var/lib/pdns/powerdns.db
setuid=pdns
setgid=pdns
gsqlite3-dnssec=yes
---

I created a fake zone "strangeword.com" and signed it. 
On my primary server I ran the following commands

 pdnsutil secure-zone strangeworld.net

 pdnsutil increase-serial strangeworld.net

 pdns_control notify strangeworld.net

And running 'pdnsutil show-zone' it seems ok to me

 pdnsutil show-zone strangeworld.net

 Mar 29 20:03:57 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 
removed
 This is a Native zone
 Metadata items: None
 Zone has NSEC semantics
 keys:
 ID = 3 (CSK), flags = 257, tag = 14784, algo = 13, bits = 256  Active Published  ( ECDSAP256SHA256 )
 CSK DNSKEY = strangeworld.net. IN DNSKEY 257 3 13 SnJ1JrZ7wiJ8tQKxEWMlAHfVk6lB90bx8G1J8/t+hQ5iPcdssqRj7YJ7IaXVysyaOCPjQZcNZSCIxSMqqQUFEA== ; ( ECDSAP256SHA256 )
 DS = strangeworld.net. IN DS 14784 13 1 64cbfe2b545ed890a4c2b22a22c4ba76e2b211be ; ( SHA1 digest )
 DS = strangeworld.net. IN DS 14784 13 2 edf9017ee79e36e0ecf144e63ddb8202b00e6fda58f94244a6def11f63ebcfa7 ; ( SHA256 digest )
 DS = strangeworld.net. IN DS 14784 13 4 60e7511e17f9841e4bdfc263140d9b800df09b08380f33797fe1213323a71666df5d630bb63eb2ce8532eadf86f52e59 ; ( SHA-384 digest )

A few weeks later I created new fake zones and running 'pdnsutil show-zone' it 
seems ok to me too.

 pdnsutil show-zone anotherlife.net

 Mar 29 20:06:23 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 
removed
 This is a Native zone
 Metadata items: None
 Zone has NSEC semantics
 keys:
 ID = 15 (CSK), flags = 257, tag = 54620, algo = 13, bits = 256  Active Published  ( ECDSAP256SHA256 )
 CSK DNSKEY = anotherlife.net. IN DNSKEY 257 3 13 fo66pKO4AgAWhkJ7nAo89ASFTlIedody5Hq/RvG9ntjEIKLRxg/DlTYcD0ZzzR5U5fC0YjQKq2jJK3xtlRp2tA== ; ( ECDSAP256SHA256 )
 DS = anotherlife.net. IN DS 54620 13 1 34a8867caea8853a71567e03cf639dea0e1b7d49 ; ( SHA1 digest )
 DS = anotherlife.net. IN DS 54620 13 2 5b7f150a199a6d29c64a0a27822a99bc1caa6d051ac62a42ccb022aad919058b ; ( SHA256 digest )
 DS = anotherlife.net. IN DS 54620 13 4 03d435af34a1508735234b54a1125aaea7e35d16570e44a2d0ab41255d02d8649d64e750ef6deaac4a698426f8f3ccef ; ( SHA-384 digest )

However, when I test my zones with 'dig command' I 
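
A small model of the three-week validity window Klaus describes above, added here as an example (it is not PowerDNS source). It also covers the INCREMENT-WEEKS choice from the INCEPTION-INCREMENT thread earlier on this page, modelled on its documented definition (stored serial plus the number of weeks since the epoch), which is an assumption beyond what that thread itself states; the function names and the sample timestamps are constructed.

```python
"""Model of the three-week RRSIG validity window and of the INCREMENT-WEEKS
SOA-EDIT value. Added example, not PowerDNS source.

Assumptions, taken from the thread: week boundaries are counted from the
Unix epoch (Thursday, 1 January 1970, 00:00 UTC), so every "epoch-week"
starts on a Thursday; inception is one week before the current epoch-week
start and expiration two weeks after it. INCREMENT-WEEKS is modelled as the
stored serial plus the number of whole epoch-weeks since 1970 (its
documented definition, an assumption beyond what the thread states).
"""
from datetime import datetime, timezone

WEEK = 7 * 86400  # seconds in one epoch-week


def utc_ts(year: int, month: int, day: int, hour: int = 0) -> int:
    """Unix timestamp for a UTC date; used to build the constructed samples."""
    return int(datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp())


def fmt(ts: int) -> str:
    """Render a timestamp the way dig prints RRSIG times (YYYYMMDDHHMMSS)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y%m%d%H%M%S")


def start_of_epoch_week(ts: int) -> int:
    """Most recent Thursday 00:00 UTC at or before ts."""
    return ts - ts % WEEK


def rrsig_window(signed_at: int) -> tuple:
    """(inception, expiration) for a signature produced at signed_at.

    The window is tied to the epoch-week, not to the moment of signing,
    which is what makes the on-the-fly signatures "more or less static":
    every response signed within one epoch-week carries the same times.
    """
    start = start_of_epoch_week(signed_at)
    return start - WEEK, start + 2 * WEEK


def signature_is_valid(signed_at: int, checked_at: int) -> bool:
    """Would a validator accept, at checked_at, a signature made at signed_at?

    RFC 4035 makes both ends inclusive: inception <= now <= expiration.
    """
    inception, expiration = rrsig_window(signed_at)
    return inception <= checked_at <= expiration


def increment_weeks_serial(stored_serial: int, now: int) -> int:
    """SOA-EDIT=INCREMENT-WEEKS: stored serial + epoch-weeks elapsed.

    The addend grows by one every Thursday, so the served serial rises each
    epoch-week no matter how the zone editor formats the stored serial
    (YYYYMMDDSS, a plain counter, ...). That is why it "always works", at
    the price of a serial that no longer looks like a date.
    """
    return stored_serial + start_of_epoch_week(now) // WEEK


if __name__ == "__main__":
    # Constructed sample: noon UTC on 30 May 2022, a Monday.
    signed = utc_ts(2022, 5, 30, 12)
    inception, expiration = rrsig_window(signed)
    print("inception ", fmt(inception))   # Thursday 19 May 2022
    print("expiration", fmt(expiration))  # Thursday 9 June 2022
    print("serial    ", increment_weeks_serial(2022053001, signed))
```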

Re: [Pdns-users] Negative cache upon zone creation

2022-02-24 Thread Klaus Darilion via Pdns-users
IIRC you are right. But there were several updates to the zone cache after 
release. If you use 4.5 make sure to use the latest 4.5.x version.
regards
Klaus

-Original Message-
From: Lucas Rolff 
Sent: Thursday, 24 February 2022 16:58
To: Klaus Darilion 
Cc: Andrea Biscuola ; Pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] Negative cache upon zone creation

zone-cache-refresh-interval should only be changed if updating the backend 
directly right? If using the API, this setting shouldn’t matter - as far as I 
know, the API will invalidate the zone-cache.

> On 24 Feb 2022, at 23:30, Klaus Darilion via Pdns-users 
>  wrote:
> 
> Have you really disabled all caches? Also 
> https://doc.powerdns.com/authoritative/settings.html#zone-cache-refresh-interval
>  ?
> regards
> Klaus
> 
> -Original Message-
> From: Pdns-users  On Behalf Of Andrea Biscuola via Pdns-users
> Sent: Thursday, 24 February 2022 15:12
> To: pdns-users@mailman.powerdns.com
> Subject: [Pdns-users] Negative cache upon zone creation
> 
> Hello.
> 
> In our PowerDNS setup, all of the PowerDNS authoritative server caches are 
> turned off, apart from the max-packet-cache-entries setting that is set to the 
> default, as the same service is given by a series of DNSDist daemons running 
> on top of the PowerDNS ones.
> 
> However, querying one of the PowerDNS servers directly for a zone that does 
> not exist extends the negative response way after we created the zone. This 
> affects some automated systems, where the DNS servers are automatically 
> changed at the registrar, causing the registrar verification process to fail.
> 
> So, to recap:
> 
> 1 - We query PowerDNS (NOT DNSDist) for a non-existing zone.
> 2 - Correctly, PowerDNS responds that the zone does not exist.
> 3 - In the meantime we create the zone.
> 4 - PowerDNS continues to respond with a negative response after the zone is 
> created.
> 5 - PowerDNS gives us the proper response, only after we stop querying it for 
> some time.
> 
> Are we missing something? Or is it expected to work just like that? Then we 
> could accommodate our software for that.
> 
> Thank you.
> 
> Andrea
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Negative cache upon zone creation

2022-02-24 Thread Klaus Darilion via Pdns-users
Have you really disabled all caches? Also 
https://doc.powerdns.com/authoritative/settings.html#zone-cache-refresh-interval
 ?
regards
Klaus

-Original Message-
From: Pdns-users  On behalf of Andrea 
Biscuola via Pdns-users
Sent: Thursday, 24 February 2022 15:12
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] Negative cache upon zone creation

Hello.

In our PowerDNS setup, all of the PowerDNS authoritative server caches are 
turned off, apart from the max-packet-cache-entries setting, which is set to the 
default, as the same service is given by a series of DNSDist daemons running on 
top of the PowerDNS ones.

However, querying one of the PowerDNS servers directly for a zone that does not 
exist extends the negative response way after we created the zone. This 
affects some automated systems, where the DNS servers are automatically changed 
at the registrar, causing the registrar verification process to fail.

So, to recap:

1 - We query PowerDNS (NOT DNSDist) for a non-existing zone.
2 - Correctly, PowerDNS responds that the zone does not exist.
3 - In the meantime we create the zone.
4 - PowerDNS continues to respond with a negative response after the zone is 
created.
5 - PowerDNS gives us the proper response, only after we stop querying it for 
some time.

Are we missing something? Or is it expected to work just like that? Then we 
could accommodate our software for that.

Thank you.

Andrea
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] powerdns frequently crashes and restarts

2022-02-18 Thread Klaus Darilion via Pdns-users
So, when a zone gets updated, PowerDNS checks if it has to notify slaves and 
send NOTIFYs to the slaves. Once this is done, it updates the notified_serial 
in the domains table. This UPDATE, for whatever reason, causes a deadlock.

Maybe you can work around that problem. You mentioned that you use DB 
replication. So, if all the slaves get their zones via DB replication and NOT 
via NOTIFY/AXFR, then you can disable the NOTIFYs and "UPDATE 
notified_serial" query by setting master=no in pdns.conf.

So, if Powerdns need not send NOTIFYs, then set master=no.

regards
Klaus

From: Pdns-users  On behalf of Klaus 
Darilion via Pdns-users
Sent: Friday, 18 February 2022 09:58
To: Riccardo Brunetti ; 
Pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] powerdns frequently crashes and restarts

Look in the mysql-server log. Maybe it mentions which other transaction causes 
the deadlock. That may help to find the cause.

Is this problem something new? I.e. did it start after a PDNS or MySQL upgrade?

regards
Klaus


From: Pdns-users  On behalf of Riccardo Brunetti via Pdns-users
Sent: Friday, 18 February 2022 09:55
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] powerdns frequently crashes and restarts

Hello.
We are having quite frequent crashes of our pdns server with the following 
syslog messages:

Feb 17 13:39:33 .x.xxx. pdns_server[26672]: Exiting because 
communicator thread died with error: GSQLBackend unable to refresh domain_id 
X: Could not execute mysql statement: update domains set notified_serial=? 
where id=?: Deadlock found when trying to get lock; try restarting transaction
Feb 17 13:39:34 .x.xxx. systemd[1]: pdns.service: main process 
exited, code=exited, status=1/FAILURE
Feb 17 13:39:34 .x.xxx. systemd[1]: Unit pdns.service entered 
failed state.
Feb 17 13:39:34 .x.xxx. systemd[1]: pdns.service failed.
Feb 17 13:39:35 .x.xxx. systemd[1]: pdns.service holdoff time over, 
scheduling restart.
Feb 17 13:39:35 .x.xxx. systemd[1]: Stopped PowerDNS Authoritative 
Server.
Feb 17 13:39:35 .x.xxx. systemd[1]: Starting PowerDNS Authoritative 
Server...
Feb 17 13:39:35 .x.xxx. pdns_server[25899]: Loading 
'/usr/lib64/pdns/libgmysqlbackend.so'
Feb 17 13:39:35 .x.xxx. pdns_server[25899]: This is a standalone 
pdns

I don't know if this can be related, but just before those crashes we see 
messages like:

Feb 17 13:39:32 .x.xxx. pdns_server[26672]: Request to queue 
notification for domain y.yy was processed, but no valid nameserver or 
ALSO-NOTIFYs found. Not notifying!

Just to mention briefly our setup: we are running:
PowerDNS Authoritative Server 4.5.2 (C)

in a percona mysql cluster with three nodes, each node having its own mysql 
and pdns server (in order to have redundancy of database and APIs).

This cluster acts as a "backend master" for the real authoritative slaves, 
placed elsewhere, replicating the db.

Can you help us to understand why we have those crashes?

Thanks
Riccardo
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] powerdns frequently crashes and restarts

2022-02-18 Thread Klaus Darilion via Pdns-users
Look in the mysql-server log. Maybe it mentions which other transaction causes 
the deadlock. That may help to find the cause.

Is this problem something new? I.e. did it start after a PDNS or MySQL upgrade?

regards
Klaus


From: Pdns-users  On behalf of 
Riccardo Brunetti via Pdns-users
Sent: Friday, 18 February 2022 09:55
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] powerdns frequently crashes and restarts

Hello.
We are having quite frequent crashes of our pdns server with the following 
syslog messages:

Feb 17 13:39:33 .x.xxx. pdns_server[26672]: Exiting because 
communicator thread died with error: GSQLBackend unable to refresh domain_id 
X: Could not execute mysql statement: update domains set notified_serial=? 
where id=?: Deadlock found when trying to get lock; try restarting transaction
Feb 17 13:39:34 .x.xxx. systemd[1]: pdns.service: main process 
exited, code=exited, status=1/FAILURE
Feb 17 13:39:34 .x.xxx. systemd[1]: Unit pdns.service entered 
failed state.
Feb 17 13:39:34 .x.xxx. systemd[1]: pdns.service failed.
Feb 17 13:39:35 .x.xxx. systemd[1]: pdns.service holdoff time over, 
scheduling restart.
Feb 17 13:39:35 .x.xxx. systemd[1]: Stopped PowerDNS Authoritative 
Server.
Feb 17 13:39:35 .x.xxx. systemd[1]: Starting PowerDNS Authoritative 
Server...
Feb 17 13:39:35 .x.xxx. pdns_server[25899]: Loading 
'/usr/lib64/pdns/libgmysqlbackend.so'
Feb 17 13:39:35 .x.xxx. pdns_server[25899]: This is a standalone 
pdns

I don't know if this can be related, but just before those crashes we see 
messages like:

Feb 17 13:39:32 .x.xxx. pdns_server[26672]: Request to queue 
notification for domain y.yy was processed, but no valid nameserver or 
ALSO-NOTIFYs found. Not notifying!

Just to mention briefly our setup: we are running:
PowerDNS Authoritative Server 4.5.2 (C)

in a percona mysql cluster with three nodes, each node having its own mysql 
and pdns server (in order to have redundancy of database and APIs).

This cluster acts as a "backend master" for the real authoritative slaves, 
placed elsewhere, replicating the db.

Can you help us to understand why we have those crashes?

Thanks
Riccardo
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] TSIG-Keys for TSIG-ALLOW-AXFR

2022-02-16 Thread Klaus Darilion via Pdns-users
No.
This is a known issue.
https://doc.powerdns.com/authoritative/settings.html#send-signed-notify

regards
Klaus


From: Pdns-users  On behalf of Stefan 
Becker via Pdns-users
Sent: Tuesday, 15 February 2022 14:36
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] TSIG-Keys for TSIG-ALLOW-AXFR

Hi there,

Is it possible to use several different TSIG keys for a zone to communicate 
with different external secondary name servers? Or can there only be one domain 
metadata entry for TSIG-ALLOW-AXFR per zone?

Best regards
Stefan

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Serial increase not reflecte in database

2022-01-20 Thread Klaus Darilion via Pdns-users
> This would normally be fine, but the change seems to occur only in the
> service itself and is not reflected in the SOA record stored in the
> database.

SOA-EDIT does not influence/manipulate the serial in the DB.
SOA-EDIT is used to fake the serial (on outgoing NOTIFYs and responses which 
contain a SOA RR) compared to the value stored in the DB.

So whenever a serial is used, the SOA-EDIT algorithm is used to construct a 
"faked" serial depending on the DB serial and the datetime.

regards
Klaus
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


[Pdns-users] How to stop automatic respawning

2021-10-06 Thread Klaus Darilion via Pdns-users
Hi! During random subdomain attacks we often hit the max-queue-length:

pdns_server-customer1[51284]: 5001 questions waiting for database/backend 
attention. Limit is 5000, respawning

This happens constantly (+50K q/s). Of course we try to filter with 
dnsdist/iptables/... but until our detection and dynamic filtering kicks in, 
the attacks fully hit PDNS and cause constant respawning. I think this 
respawning causes additional load, backend DOWN/UP in dnsdist, outages during 
"Service hold-off time over".

When the queue is full, instead of respawning, I would like PowerDNS to:
- just stop reading from incoming sockets (Linux input buffer will overflow and 
packets will be dropped), or
- read packets from incoming sockets and discard them, or
- just flush the queue, or
- any other ideas?

Are there any options to avoid respawning but keep the queue-length at a sane 
value?

Thanks
Klaus
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] DNSSEC Algorithm Rollover Documentation

2021-05-04 Thread Klaus Darilion via Pdns-users
Hi Daniel!

> -Original Message-
> From: Daniel Stirnimann 
> Sent: Monday, 3 May 2021 11:27
> To: Klaus Darilion ; Pdns-
> us...@mailman.powerdns.com
> Subject: Re: [Pdns-users] DNSSEC Algorithm Rollover Documentation
> 
> Hello Klaus,
> 
> The DNSSEC Operational Practices (RFC 6781) documents this in chapter
> 4.1.4 Algorithm Rollovers:
> https://tools.ietf.org/html/rfc6781#section-4.1.4
> 
> The document mentions both a conservative and a liberal approach. 

Thanks - the description of the conservative approach makes clear why the 
"published" column in PDNS was introduced: I guess active=1 and publish=0 means 
that RRSIG will be produced but the key itself is not published as DNSKEY.

regards
Klaus
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] DNSSEC Algorithm Rollover Documentation

2021-05-04 Thread Klaus Darilion via Pdns-users
Hi Daniel!

Thanks for the info.

> -Original Message-
> From: Daniel Stirnimann 
> Sent: Monday, 3 May 2021 11:27
> To: Klaus Darilion ; Pdns-
> us...@mailman.powerdns.com
> Subject: Re: [Pdns-users] DNSSEC Algorithm Rollover Documentation
> 
> Hello Klaus,
> 
> The DNSSEC Operational Practices (RFC 6781) documents this in chapter
> 4.1.4 Algorithm Rollovers:
> https://tools.ietf.org/html/rfc6781#section-4.1.4
> 
> The document mentions both a conservative and a liberal approach. You
> can follow the liberal approach as by now all software handle this case
> correctly.

The question is - are all ISPs using the new software versions that support the 
liberal approach?

> It has even been done by TLDs.

That's a good indicator.

> Tony Finch has also documented how to do an algorithm rollover,
> https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html

I am not sure - Is this the conservative or liberal approach? I would think 
this is not conservative as the new DNSKEYs are published together with the new 
RRSIGs.

Further, in the liberal approach, is it necessary that the KSK and ZSK algorithm 
rollovers be done at the same time, or is it allowed to just introduce 
a KSK with the new algorithm and still use the old ZSK?

thanks
Klaus


___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


[Pdns-users] Does the Bind Backend support journaling/IXFR?

2021-05-04 Thread Klaus Darilion via Pdns-users
Hi all!

Does the Bind backend support journaling and incoming/outgoing IXFR (similar 
to Bind)?

Thanks
Klaus
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


[Pdns-users] DNSSEC Algorithm Rollover Documentation

2021-05-03 Thread Klaus Darilion via Pdns-users
Hi all!

Is there somewhere documentation for an algorithm rollover?

The cryptokeys table recently received the "published" column to "Implement 
published and unpublished dnskeys to allow algorith rollovers.":
https://github.com/PowerDNS/pdns/commit/3391829938b4544a59c93c4734532ce2fdc311bf#diff-de175d2b28860458f7c4a143ab82aa94b44e5ac11fc51008fb4ac9b414130f91

But I do not find any documentation when to "publish" or "unpublish" a key 
during an algorithm rollover. In my case the key handling is completely 
outside of PDNS.

Thanks
Klaus
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] retaining cache

2020-05-27 Thread Klaus Darilion via Pdns-users
So you want probably Bind's stale-answer-enable=yes?

Klaus


Sent via BlackBerry Work (www.blackberry.com)

From: Mike via Pdns-users 
Sent: 27.05.2020 22:33
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] retaining cache

Hi,

I already know I'm going to get in trouble with the dns protocol
police, and probably shoot myself in the foot at the same time, however

I know of a large service provider that has foolishly put both
authoritative name servers for their domain on the same subnet, and
which has occasional routing propagation issues which make it impossible
to reach their domain servers from some portions of the net but not
others. The services themselves, such as their MX host, continues to be
accessible, but the nameservers that tell you where the MX host is, are
occasionally not. I was thinking one possible valid approach, could
simply be a secondary cache where pdns will move records that reach
normal cache expiration. This secondary cache then attempts to
re-validate records with the auth servers, and if it gets NXDOMAIN or
updated data, flush or update the cache per normal. But, pdns would
continue answering queries out of this secondary cache (with a low ttl),
as long as it has not received any other authoritative data, at which
point when it does, the entry could go back into primary cache (or remove).

I don't think the size of this secondary cache would grow out of
control because we're really just tracking records that we cannot get
answers about either way from their primary auth servers. I don't see
where this would break anything either since, again, deletion from the
cache would be due to NXDOMAIN from an auth server, either the domain
auth or the root.

Anyone want to (gently) shoot me down?


Mike-



___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] PowerDNS Authoritative 4.3.0

2020-04-09 Thread Klaus Darilion via Pdns-users
> A notable new feature in 4.3 is support for hiding DNSSEC keys, which makes
> it possible to do algorithm rollovers. This feature was contributed by Robin
> Geuze of TransIP, thanks!

Can someone please provide a link to a bug report/pull request/or similar?

I want to understand why algorithm rollovers are a problem with PDNS < 4.3 and 
how the hiding solves the problem.

Thanks
Klaus
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] PowerDNS Authoritative 4.2.2 Released

2020-04-09 Thread Klaus Darilion via Pdns-users


> -Original Message-
> From: Pdns-users  On behalf
> of Erik Winkels via Pdns-users
> Sent: Thursday, 9 April 2020 12:45
> To: pdns-annou...@mailman.powerdns.com; pdns-
> d...@mailman.powerdns.com; pdns-users@mailman.powerdns.com
> Subject: [Pdns-users] PowerDNS Authoritative 4.2.2 Released
> 
> Hi,
> 
> (via: https://blog.powerdns.com/2020/04/09/powerdns-authoritative-
> server-4-2-2-released/ )
> 
> This release fixes issues in the IXFR receive code, improves cache
> management, and corrects a few other small things. If you use IXFR, please
> read the upgrade notes carefully.

The upgrade note states: "...You could accomplish that by deleting all records 
in the zone with an SQL query and waiting for a fresh transfer,..."

It shocks me that you suggest a solution which causes interruptions of DNS 
service for that zone until the zone is retransferred. Your second workaround 
"..or (1) disabling IXFR (2) forcing a fresh transfer using pdns_control 
retrieve example.com (3) enabling IXFR again.." is much better and only a bit 
more work.

regards
Klaus
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Clarification on which TSIG key signs notifications

2020-04-01 Thread Klaus Darilion via Pdns-users
There is an issue on github about this. You are correct, pdns just uses the 
first tsig key returned by the backend. The workaround was a config option to 
disable signed notifications.

Klaus


Sent via BlackBerry Work (www.blackberry.com)

From: Matthew Monaco via Pdns-users 
Sent: 01.04.2020 23:53
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] Clarification on which TSIG key signs notifications

Relevant doc:

https://doc.powerdns.com/authoritative/tsig.html#provisioning-signed-notification-and-axfr-requests

After reading this, and trial and error, I'm not sure how I can control the 
TSIG key that the master uses to sign notifications.

I have 1 master and 2 slaves and a tsig key named after each. I am trying to 
configure things such that the master allows AXFRs to each of the slave TSIGs 
but uses its own named TSIG for signing notifications. On the slaves then, I'm 
trying to configure things such that notifications are allowed by the master 
TSIG and AXFR requests are signed by their own named TSIG key.

It seems to me like the master is just using the first TSIG-ALLOW-AXFR key to 
sign notifications.

Is there any value to this setup? I wanted to be able to rotate the slaves' 
keys separately. However, the only thing that I can get to work is my 
historical setup of a single shared TSIG key for all master/slave notifications 
and zone transfers.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Hidden Master, Dynamic IPv4, IPv6 Privacy

2020-03-27 Thread Klaus Darilion via Pdns-users
DNS Master/Slave was not designed for dynamic IP addresses. As a workaround you 
could use some overlay which provides a static IP (OpenVPN, stunnel, ssh 
tunnels, ...)

Regards
Klaus



Sent via BlackBerry Work (www.blackberry.com)

From: Matthew Monaco via Pdns-users 
Sent: 27.03.2020 17:24
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] Hidden Master, Dynamic IPv4, IPv6 Privacy

Hello!

What is PDNS protecting me from by requiring that the slave keeps a list of 
master IPs in the `domains` table? I think what I would like is for notifies to 
be allowed from any address, to rely on TSIG to protect AXFRs, and to use the 
SOA NS record for polling -- of course I'm wrong, I just don't know why yet :)

I have what I assume is a not too uncommon setup. I keep my master at home 
because 1) I only have a dynamic IPv4 address and 2) I want to keep my DNSSEC 
root close. The slaves are at more-stable cloud providers with static IPv4 and 
IPv6 and are the ones listed with my registrar. All instances are using the 
sqlite backend and are recent (4.2.1). So the outbound address from my master 
is:

 - From a dynamic IPv4 address
 - From a IPv6 prefix which should be stable but does change sometimes in 
practice
 - And/or from an IPv6 privacy-extension address with a limited lifetime.

Right now my workaround is to disable IPv6 privacy on the master, hope that my 
IPv4 and IPv6 prefixes change at different times, and run a script on the 
slaves to `change-slave-zone-master` based on the NS records for the master 
that are on the slave. Not part of the workaround is that I run a script near 
the master which uses rfc2136 to keep the master's A/ records up to date.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Hhow to safely import a DNSSEC signed zone

2020-02-22 Thread Klaus Darilion via Pdns-users
Answering myself after reading the code: The trick is to do below steps 
NOT in a single transaction but one step after the other, considering the 
respective cache TTLs.


PowerDNS prioritizes presigned zones over self signing. Hence, the correct 
order is:


UPDATE domains SET type='MASTER' where id=XXX;

INSERT INTO cryptokeys  (import the currently used ZSK+KSK);
sleep(dnssec-key-cache-ttl)

DELETE FROM domainmetadata WHERE domain_id=XXX AND kind='PRESIGNED';
sleep(domain-metadata-cache-ttl)

DELETE FROM records WHERE domain_id=xxx AND type IN 
('TYPE65534','DNSKEY', 'RRSIG');


Eventually tweak the domainmetadata, i.e. for serial bumping. Also make 
sure that there are no zone changes while doing above process.


regards
Klaus




On 13.02.2020 at 12:59, Klaus Darilion via Pdns-users wrote:

Hello!

I have thousands of DNSSEC presigned-signed zones which I slave with 
PowerDNS (type='SLAVE'). I want to move all these zones to PowerDNS as 
type='MASTER'.


Basically this should be very simple:

For each zone:
BEGIN;
UPDATE domains SET type='MASTER' where id=XXX;

INSERT INTO cryptokeys  (import the currently used ZSK+KSK)

DELETE FROM records WHERE domain_id=xxx AND type IN ('TYPE65534', 
'DNSKEY', 'RRSIG');


DELETE FROM domainmetadata WHERE domain_id=XXX AND kind='PRESIGNED';
COMMIT;

I think that should be pretty safe. But I am concerned about the 
dnssec-key-cache and the domain-metadata-cache.


I think to be on the safe side I would need to flush those caches with 
the COMMIT;. Of course I could disable the caches at all, but I do not 
want to do this permanently because the switch from SLAVE to MASTER is 
customer triggered.


So, do you have any hints on how to safely import the keys without any 
bogus answers of PowerDNS due to metadata and key caching?


Thanks
Klaus


___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


[Pdns-users] Hhow to safely import a DNSSEC signed zone

2020-02-13 Thread Klaus Darilion via Pdns-users
Hello!

I have thousands of DNSSEC presigned-signed zones which I slave with PowerDNS 
(type='SLAVE'). I want to move all these zones to PowerDNS as type='MASTER'.

Basically this should be very simple:

For each zone:
BEGIN;
UPDATE domains SET type='MASTER' where id=XXX;

INSERT INTO cryptokeys  (import the currently used ZSK+KSK)

DELETE FROM records WHERE domain_id=xxx AND type IN ('TYPE65534', 'DNSKEY', 
'RRSIG');

DELETE FROM domainmetadata WHERE domain_id=XXX AND kind='PRESIGNED';
COMMIT;

I think that should be pretty safe. But I am concerned about the 
dnssec-key-cache and the domain-metadata-cache.

I think to be on the safe side I would need to flush those caches with the 
COMMIT;. Of course I could disable the caches at all, but I do not want to do 
this permanently because the switch from SLAVE to MASTER is customer triggered.

So, do you have any hints on how to safely import the keys without any bogus 
answers of PowerDNS due to metadata and key caching?

Thanks
Klaus
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
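The staged procedure from the follow-up reply above (import the keys, wait out dnssec-key-cache-ttl, drop PRESIGNED, wait out domain-metadata-cache-ttl, only then delete the transferred DNSKEY/RRSIG/TYPE65534 records), contrasted with the single BEGIN/COMMIT block in this original question, as an added example that is not part of the mailing list thread and not PowerDNS code. It runs the three stages against an in-memory SQLite database built from a constructed, simplified subset of the PowerDNS generic SQL tables (not the real gsqlite3/gmysql schema); the zone data, the key contents and the TTL values 30 and 60 are constructed placeholders, and the sleep function is injectable so the ordering can be checked without actually waiting.

```python
import sqlite3
import time
from typing import Callable, Dict, List, Tuple

# Constructed, simplified subset of the PowerDNS generic SQL tables. It is NOT
# the official gsqlite3/gmysql schema; only the columns the migration touches
# are modelled.
SCHEMA = """
CREATE TABLE domains (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL, type TEXT NOT NULL);
CREATE TABLE records (
    id INTEGER PRIMARY KEY, domain_id INTEGER, name TEXT, type TEXT, content TEXT);
CREATE TABLE domainmetadata (
    id INTEGER PRIMARY KEY, domain_id INTEGER, kind TEXT, content TEXT);
CREATE TABLE cryptokeys (
    id INTEGER PRIMARY KEY, domain_id INTEGER, flags INTEGER,
    active INTEGER, published INTEGER, content TEXT);
"""


def seed_presigned_slave(conn: sqlite3.Connection, domain_id: int) -> None:
    """Constructed sample: a pre-signed zone slaved via AXFR, as in the post."""
    conn.execute("INSERT INTO domains (id, name, type) VALUES (?, 'example.com', 'SLAVE')",
                 (domain_id,))
    rows = [
        ("SOA", "ns1.example.com hostmaster.example.com 2020021301 3600 900 1209600 300"),
        ("NS", "ns1.example.com"),
        ("A", "192.0.2.10"),
        ("DNSKEY", "257 3 13 PLACEHOLDER-KSK-PUBLIC"),
        ("DNSKEY", "256 3 13 PLACEHOLDER-ZSK-PUBLIC"),
        ("RRSIG", "PLACEHOLDER-SIGNATURE-OVER-A"),
        ("TYPE65534", "PLACEHOLDER-PRIVATE-TYPE"),
    ]
    conn.executemany(
        "INSERT INTO records (domain_id, name, type, content) VALUES (?, 'example.com', ?, ?)",
        [(domain_id, rtype, content) for rtype, content in rows])
    conn.execute(
        "INSERT INTO domainmetadata (domain_id, kind, content) VALUES (?, 'PRESIGNED', '1')",
        (domain_id,))
    conn.commit()


def zone_state(conn: sqlite3.Connection, domain_id: int) -> Dict[str, object]:
    """Snapshot of what PowerDNS would read from the backend for this zone."""
    zone_type = conn.execute("SELECT type FROM domains WHERE id=?", (domain_id,)).fetchone()[0]
    presigned = conn.execute(
        "SELECT COUNT(*) FROM domainmetadata WHERE domain_id=? AND kind='PRESIGNED'",
        (domain_id,)).fetchone()[0] > 0
    active_keys = conn.execute(
        "SELECT COUNT(*) FROM cryptokeys WHERE domain_id=? AND active=1",
        (domain_id,)).fetchone()[0]
    record_types = sorted({row[0] for row in conn.execute(
        "SELECT type FROM records WHERE domain_id=?", (domain_id,))})
    return {"type": zone_type, "presigned": presigned,
            "active_keys": active_keys, "record_types": record_types}


def migrate_presigned_to_master(conn: sqlite3.Connection, domain_id: int,
                                keys: List[Tuple[int, str]], key_cache_ttl: float,
                                metadata_cache_ttl: float,
                                sleep: Callable[[float], None] = time.sleep
                                ) -> List[Tuple[str, Dict[str, object]]]:
    """Three separately committed stages, each followed by a wait for the
    PowerDNS cache that may still hold the previous view of the zone."""
    steps: List[Tuple[str, Dict[str, object]]] = []

    # Stage 1: make the zone a MASTER and import the keys that currently sign
    # it. The zone is still PRESIGNED, so PowerDNS keeps serving the stored
    # DNSKEY/RRSIG records instead of signing with the new keys.
    conn.execute("UPDATE domains SET type='MASTER' WHERE id=?", (domain_id,))
    conn.executemany(
        "INSERT INTO cryptokeys (domain_id, flags, active, published, content) VALUES (?, ?, 1, 1, ?)",
        [(domain_id, flags, content) for flags, content in keys])
    conn.commit()
    steps.append(("keys imported", zone_state(conn, domain_id)))
    # Wait until every pdns_server has dropped its cached (still empty) key set.
    sleep(key_cache_ttl)

    # Stage 2: drop PRESIGNED. Once the metadata cache has expired, PowerDNS
    # signs the zone itself with the keys imported in stage 1.
    conn.execute("DELETE FROM domainmetadata WHERE domain_id=? AND kind='PRESIGNED'",
                 (domain_id,))
    conn.commit()
    steps.append(("presigned flag removed", zone_state(conn, domain_id)))
    sleep(metadata_cache_ttl)

    # Stage 3: only now remove the transferred DNSSEC records; nothing consults
    # them any more, so deleting them cannot produce unsigned answers.
    conn.execute(
        "DELETE FROM records WHERE domain_id=? AND type IN ('TYPE65534', 'DNSKEY', 'RRSIG')",
        (domain_id,))
    conn.commit()
    steps.append(("presigned records removed", zone_state(conn, domain_id)))
    return steps


def demo(sleep: Callable[[float], None] = time.sleep) -> List[Tuple[str, Dict[str, object]]]:
    """Run the migration against the constructed sample zone."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    seed_presigned_slave(conn, 1)
    # Key material is a placeholder; DNSKEY flags 257 = KSK, 256 = ZSK.
    keys = [(257, "PLACEHOLDER-KSK-PRIVATE"), (256, "PLACEHOLDER-ZSK-PRIVATE")]
    # 30 and 60 are assumed values: use dnssec-key-cache-ttl and
    # domain-metadata-cache-ttl from your own pdns.conf.
    return migrate_presigned_to_master(conn, 1, keys, 30, 60, sleep)


if __name__ == "__main__":
    for label, state in demo():
        print(f"{label}: {state}")
```

Each stage is its own commit, which is the opposite of the BEGIN/COMMIT block in the question: a single transaction makes all four changes visible at once, but every pdns_server process still answers from its key and metadata caches until their TTLs expire, and during that window a zone whose PRESIGNED records are already gone can be answered without signatures. If several pdns_server instances read the same database, each has its own caches, so the two waits have to cover all of them, and, as the reply says, the zone must not be changed while the migration is running.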