Re: [Pdns-users] PowerDNS Recursor does not provide correct answer to Postfix

2016-08-18 Thread Leen Besselink
Hi,

Sounds like a strange problem.

Just to make sure it's set up correctly.

Could you check that Postfix is talking to PowerDNS Recursor? Postfix 
has a separate resolv.conf (which gets updated when starting Postfix):

/var/spool/postfix/etc/resolv.conf

On Thu, Aug 18, 2016 at 02:20:25PM +, Michael wrote:
> Hi all,
> 
> I have been using pdns_recursor package on my Ubuntu 14.04 quite
> some time to resolve host names locally. That worked fine for the
> entire system.
> 
> Last week I updated to Ubuntu 16.04. So I have a new Postfix version
> (3.1.0) as well as a new pdns_recursor version (4.0.0-alpha2).
> 
> Since this update Postfix does not receive correct answers for a
> particular query anymore. Concretely, queries for A entries of
> Office365 mail servers.
> 
> For example if Postfix asks for the A entry of
> nxp-com.mail.protection.outlook.com, pdns_recursor returns to
> Postfix that there does not exists a A record.
> However, if I manually do this query with dig, I do get an correct
> answer. Please see the logs at the end of the mail.
> 
> Besides the queries of Office365 mail servers, the rest is working
> fine. I have no idea how to track down that issue? Is there any
> setting in pdns_recursor I have to change?
> 
> Thanks,
> Michael
> 
> 
> Postfix log
> =
> Aug 15 18:21:07 mx0 postfix/qmgr[2715]: 39EF2A40EA2:
> from=, size=865, nrcpt=1 (queue active)
> Aug 15 18:21:08 mx0 postfix/smtp[2907]: warning: no MX host for
> nxp.com has a valid address record
> Aug 15 18:21:08 mx0 postfix/smtp[2907]: 39EF2A40EA2:
> to=, relay=none, delay=1492, delays=1492/0.12/0.81/0,
> dsn=4.4.3, status=deferred (Host or domain name not found. Name
> service error for name=nxp-com.mail.protection.outlook.com type=A:
> Host not found, try again)
> =
> 
> pdns_recursor log after Postfix query
> =
> Aug 15 18:21:07 mx0 pdns_recursor[2512]: 1 [16/1] question for
> 'nxp.com.|MX' from 127.0.0.1
> Aug 15 18:21:08 mx0 pdns_recursor[2512]: 1 [16/2] answer to question
> 'nxp.com.|MX': 1 answers, 0 additional, took 2 packets, 147.186 ms,
> 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
> Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] question for
> 'nxp-com.mail.protection.outlook.com.|A' from 127.0.0.1
> Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] answer to question
> 'nxp-com.mail.protection.outlook.com.|A': 0 answers, 1 additional,
> took 9 packets, 595.218 ms, 3 throttled, 0 timeouts, 0 tcp
> connections, rcode=2
> =
> 
> pdns_log after dig query
> =
> Aug 15 17:52:20 mx0 pdns_recursor[2520]: 2 [53/1] question for
> 'nxp-com.mail.protection.outlook.com.|A' from 127.0.0.1
> Aug 15 17:52:21 mx0 pdns_recursor[2520]: 2 [53/1] answer to question
> 'nxp-com.mail.protection.outlook.com.|A': 2 answers, 1 additional,
> took 2 packets, 111.056 ms, 0 throttled, 0 timeouts, 0 tcp
> connections, rcode=0
> =
> 
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
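A small added Python example (not Postfix or PowerDNS code, and not part of the original post) for the check suggested above: it parses the system resolv.conf and the chroot copy at the path named in the thread and reports where they differ. The sample file contents are constructed for the demonstration.

```python
"""Compare the system resolv.conf with the copy Postfix keeps in its chroot.
The chroot copy (/var/spool/postfix/etc/resolv.conf, as named in the thread) is
refreshed when Postfix starts, so a resolver change made afterwards, such as
pointing nameserver at a local pdns_recursor, is not seen by the chrooted smtp
client until Postfix is restarted.  Added example; not Postfix or PowerDNS code."""
import os

SYSTEM_RESOLV = "/etc/resolv.conf"
CHROOT_RESOLV = "/var/spool/postfix/etc/resolv.conf"


def parse_resolv(text):
    """Return {'nameserver': [...], 'search': [...], 'options': [...]} from
    resolv.conf text; comments (# or ;) and unknown keywords are ignored."""
    conf = {"nameserver": [], "search": [], "options": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            conf["nameserver"].append(values[0])
        elif key in ("search", "domain"):
            conf["search"] = values            # the last search/domain line wins
        elif key == "options":
            conf["options"].extend(values)
    return conf


def compare_resolv(system_text, chroot_text):
    """Differences between the two files that change how names are resolved."""
    sys_conf, chroot_conf = parse_resolv(system_text), parse_resolv(chroot_text)
    return [f"{key}: system={sys_conf[key]} chroot={chroot_conf[key]}"
            for key in ("nameserver", "search", "options")
            if sys_conf[key] != chroot_conf[key]]


def check_postfix_resolver(system_path=SYSTEM_RESOLV, chroot_path=CHROOT_RESOLV):
    """Read both files from disk. A missing chroot copy means the smtp client is
    not chrooted or Postfix never started; report that instead of a mismatch."""
    if not os.path.exists(chroot_path):
        return [f"{chroot_path} missing: smtp client not chrooted or Postfix not started"]
    with open(system_path) as f_sys, open(chroot_path) as f_chroot:
        return compare_resolv(f_sys.read(), f_chroot.read())


# Constructed sample: the system was switched to the local recursor after
# Postfix had already copied the old resolv.conf into its chroot.
SYSTEM_SAMPLE = "# managed by hand\nnameserver 127.0.0.1\nsearch example.test\n"
CHROOT_SAMPLE = "nameserver 192.0.2.53\nnameserver 192.0.2.54\nsearch example.test\n"

if __name__ == "__main__":
    for diff in compare_resolv(SYSTEM_SAMPLE, CHROOT_SAMPLE) or ["chroot copy is current"]:
        print(diff)
```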


Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

2016-05-20 Thread Leen Besselink
On Fri, May 20, 2016 at 08:10:23AM +0200, Bit World Computing - Michael Mertel 
wrote:
> Hi Leen,
> 
> thanks for clearing this up. My approach was a bit too naive but my recursor 
> is now returning what's expected.
> 
> The +dnssec Parameter is the essential trick, and depending on dnssec=off or 
> =process in my recursor.conf the recursor is returning the correct 
> information.
> 
> Thanks for your feedback.
> 

I forgot to mention: when you query a recursor, the recursor can also indicate 
that the response is DNSSEC-validated; you need to look at the AD bit.

See the dig output here:

https://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation

You will need the AD bit if you have an application which depends on that, but 
it can't really be trusted unless it's running on the same machine, aka 
localhost.

But it is also an indicator from the recursor that it did the 
DNSSEC-validation, so it's useful if you want to know what the recursor is 
doing.

> —Michael
> 
> 

Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

2016-05-19 Thread Leen Besselink
On Thu, May 19, 2016 at 03:00:12PM +0200, Bit World Computing - Michael Mertel 
wrote:
> Hi,
> 

Hi,

> I am currently trying to get a better understanding of DNSSEC. But even if I 
> enable dnssec=process in my recursor.conf, I cannot get any DNSSEC related 
> answer from it. What am I doing wrong here? I am somewhat lost.
> 
> —
> --- direct query 
> dig @ns1.denic.de ANY www.denic.de
> ;; ANSWER SECTION:
> www.denic.de. 3600 IN A 81.91.170.12
> www.denic.de. 3600 IN RRSIG A 8 3 3600 2016060209 
> 2016051909 26155 denic.de. 
> rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG 
> lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO 
> ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG 
> AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp 
> ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS
> 
> ;; AUTHORITY SECTION:
> denic.de. 3600 IN NS ns2.denic.de.
> denic.de. 3600 IN NS ns3.denic.de.
> denic.de. 3600 IN NS ns1.denic.de.
> 
> ;; ADDITIONAL SECTION:
> ns1.denic.de. 3600 IN A 81.91.170.1
> ns1.denic.de. 3600 IN AAAA 2a02:568:121:6:2::2
> ns2.denic.de. 3600 IN A 78.104.145.26
> ns3.denic.de. 3600 IN A 81.91.173.19


DENIC can return whatever they want with an ANY-query, but that doesn't mean 
it's DNSSEC.

> 
> —
> — query through dnsdist —
> dig @192.168.1.5 ANY www.denic.de
> 
> ;; ANSWER SECTION:
> www.denic.de. 2083 IN A 81.91.170.12
> www.denic.de. 2083 IN RRSIG A 8 3 3600 2016060109 
> 2016051809 26155 denic.de. 
> CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2 
> oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8 
> n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm 
> YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z 
> RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa
> 
> —
> — query through recursor (no forwarders, dnssec=process) —
> dig -p 5153 @192.168.1.5 ANY www.denic.de
> 
> ;; ANSWER SECTION:
> www.denic.de. 2724 IN A 81.91.170.12
> 
> —
> 
> Thanks in advance.
> 

This would be the usual way to check DNSSEC. Without:

$ dig @d.ns.nic.cz labs.nic.cz A

; <<>> DiG 9.8.1-P1 <<>> @d.ns.nic.cz labs.nic.cz A
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60824
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;labs.nic.cz. IN A

;; ANSWER SECTION:
labs.nic.cz. 1800 IN A 217.31.205.52

;; AUTHORITY SECTION:
nic.cz. 1800 IN NS a.ns.nic.cz.
nic.cz. 1800 IN NS b.ns.nic.cz.
nic.cz. 1800 IN NS d.ns.nic.cz.

;; ADDITIONAL SECTION:
a.ns.nic.cz. 1800 IN A 194.0.12.1
a.ns.nic.cz. 1800 IN AAAA 2001:678:f::1
b.ns.nic.cz. 1800 IN A 194.0.13.1
b.ns.nic.cz. 1800 IN AAAA 2001:678:10::1
d.ns.nic.cz. 1800 IN A 193.29.206.1
d.ns.nic.cz. 1800 IN AAAA 2001:678:1::1

With DNSSEC:

$ dig +dnssec @d.ns.nic.cz labs.nic.cz A

; <<>> DiG 9.8.1-P1 <<>> +dnssec @d.ns.nic.cz labs.nic.cz A
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54051
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 10
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;labs.nic.cz. IN A

;; ANSWER SECTION:
labs.nic.cz. 1800 IN A 217.31.205.52
labs.nic.cz. 1800 IN RRSIG A 5 3 1800 20160531125753 
20160518035002 37152 nic.cz. 
0xzEtxkFeiOrdU2dqdKWmltIQEHn28Rv3bZKepOFmr3EUDcQDiGtWoV4 
CRUdrcKAoP9Gjq31qqHjYd7xvKJo54jb9IMI42X6PTHe+Mm/dgyYgoQw 
wdMjd+i/oEGF9MH/6BYbviaStGK5ocAsbB49pbvJW1Fh+e8rcTiHt9tt wlU=

;; AUTHORITY SECTION:
nic.cz. 1800 IN NS a.ns.nic.cz.
nic.cz. 1800 IN NS b.ns.nic.cz.
nic.cz. 1800 IN NS d.ns.nic.cz.
nic.cz. 1800 IN RRSIG NS 5 2 1800 20160531192914 
20160518035002 37152 nic.cz. 
eddprYYJBlc+xmv1WAuOLJ8zek0G4dtXlOSx3cNp4KFwscwsKBKD07k7 
jScwCdvHZsnD2tOjDtJ0cPyMl/JffL9s4lXp5nqh7rtrTPPHMzqER3Zy 
MsY+/Nl0MJV3Z15wRzgSvnG/EjXxHLJ+vRIShWceXXhdFCt+5vR2wwng evk=

;; ADDITIONAL SECTION:
a.ns.nic.cz. 1800 IN A 194.0.12.1
a.ns.nic.cz. 1800 IN AAAA 2001:678:f::1
b.ns.nic.cz. 1800

Re: [Pdns-users] Fwd: Power DNS recursor entered failed state

2015-12-07 Thread Leen Besselink
On Mon, Dec 07, 2015 at 11:23:31AM +, Federico Olivieri wrote:
> Hi Guys,
> 
> Not 100% sure if it is a PDNS problem, but yesterday I upgraded it (by
> mistake!) via the apt-get command and now I'm running the
> version 0.0.410g1cfe8b4
> 
> Since the upgrade the memory allocation seems not uniform compared to before
> 
> Also, it seems that it stops running after a while and I need to restart the
> process manually
> 
> That is the error from syslog
> 
> Dec 07 10:54:45 T1000 kernel: pdns_recursor[30724]: segfault at 0 ip
> 7ff1c8464a94 sp 7ff1bcac4830 error 4 in
> pdns_recursor[7ff1c82ae000+276000]
> Dec 07 10:54:45 T1000 systemd[1]: pdns-recursor.service: main process
> exited, code=killed, status=11/SEGV
> Dec 07 10:54:45 T1000 systemd[1]: Unit pdns-recursor.service entered failed
> state.
> 
> Also, you can see the server on Metronome with the name of t1000-gtel
> 
> Any suggestion? Any quick way to roll-back the PDNS version installed
> 

Sounds like you are using Debian or Ubuntu or a similar flavor.

Here is how you do that with apt-get/dpkg:

If you look in /var/log/apt/ you can see what the previous version was that was 
installed:

Preparing to replace pdns-recursor old-version (using 
.../pdns-recursor-new-version.deb) ...

Probably best to use apt-get to install the old version:

apt-get install pdns-recursor=version-number

If that doesn't work:

If you look in /var/cache/apt/archives/, you might find the old version.

Depending on the dependencies, you might be able to just install the old version 
with:

dpkg -i /var/cache/apt/archives/pdns-recursor-something.deb

> Thank You
> 
> P.S.
> 
> I re-sent the e-mail without image attached because it was too big
> 
> Federico



Re: [Pdns-users] PDNS 3.x with PDNS 2.9.x Database Schema

2015-07-22 Thread Leen Besselink
On Wed, Jul 22, 2015 at 02:10:34PM +0200, Jan-Piet Mens wrote:
 (no need to take this off-list)
 
  the only problem is that I am doing MySQL master/slave database
  replication. upgrading the schema on the slave(s) will break the
  replication process unfortunately.
 
 You spoke of PowerDNS master and slaves from which I gathered AXFR.
 
 -JP
 

If I remember correctly you should be able to upgrade the database schema of 
all PowerDNS servers without any problems:

Q: Can 2.9.x versions read the 3.0 DNSSEC database schema?

A: Yes, every database can be altered to the new schema without impact on 2.9. 
The new fields and tables are ignored.

https://doc.powerdns.com/md/authoritative/upgrading/#database-schema



Re: [Pdns-users] DNSSEC trouble

2015-05-20 Thread Leen Besselink
Hi Peter,

Just had a quick look at the docs. What version are you running? Did you see 
this?:

When using slaves that AXFR your signed zones, be sure that your slaves 
actually support serving DNSSEC. Some servers will gladly AXFR a signed zone, 
but not perform DNSSEC processing on it. This goes for PowerDNS 2.9.x

http://wiki.powerdns.com/trac/wiki/LargeScaleDNSSECBCP

Have a good day,
Leen.



Re: [Pdns-users] DNSSEC trouble

2015-05-20 Thread Leen Besselink
On Wed, May 20, 2015 at 12:26:50PM +0200, Leen Besselink wrote:
 On Wed, May 20, 2015 at 12:16:02PM +0200, Peter Thomassen wrote:
  Dear experts,
  
  I'm sorry to bug you again, but I am still stuck with deploying DNSSEC
  for desec.io, and I'd like to ask for your help once more.
  
  I have a hidden primary which does the signing in live mode (MySQL
  backend), and two public nameservers ns1.desec.io and ns2.desec.io which
  receive the zones via AXFR (bind backend). All are using PowerDNS 3.3
  from Ubuntu 14.04.
  
  After communicating my DS records to the .io registry, the DNSSEC
  debugger http://dnssec-debugger.verisignlabs.com/desec.io tells me that
  everything is fine, except that desec.io does not have RRSIG records,
  and my resolver says SERVFAIL.
  
  Screenshot: https://www.a4a.de/_temp/DNSSEC.png
  (I removed the DS records again from the .io zone.)
  
  However,
  dig RRSIG desec.io @ns1.desec.io
  dig RRSIG desec.io @ns2.desec.io
  
  gives the RRSIG records. Why does the debugger not find them?
  
 
 Hi,
 
 Wouldn't consider myself an expert, but RRSIG isn't normally something you 
 query for; these are the signatures which get added to a DNSSEC-signed 
 response.
 
 Judging by the image it looks like DNSSEC debugger does 3 queries:
 
 dig @ns1.desec.io +dnssec +norec desec.io DS # that worked and did include 
 the RRSIG records
 
 # these failed:
 dig @ns1.desec.io +dnssec +norec desec.io DNSKEY
 dig @ns1.desec.io +dnssec +norec desec.io A
 
 Here is a working example with an RRSIG for the DNSKEY query:
 
 $ dig +dnssec +norec @194.171.17.10 nl. DNSKEY
 
 ; <<>> DiG 9.8.1-P1 <<>> +dnssec +norec @194.171.17.10 nl. DNSKEY
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9281
 ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
 
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags: do; udp: 4096
 ;; QUESTION SECTION:
 ;nl. IN DNSKEY
 
 ;; ANSWER SECTION:
 nl. 7200 IN DNSKEY 256 3 8 
 AwEAActQKGjyxDvKZrmtecDqXu5i7hDRnkBH71kukkBWMqi7GlRVnwng 
 tXGLg41p8cBP+HsLLDxr125ukadG0peYLfjx5gBj0CE6VMguwqRtn7MP 
 MIym5outGSRm2uTcO7mxp1ZykusE1GnavVFDUhgoipGaXQ/q0w3Lpyij NE9GZmyH
 nl. 7200 IN DNSKEY 257 3 8 
 AwEAAbgqMqYHpmZrqQd3zFNOzYv2lw8bWBnrtK9TjlwK/ZBYMwKGR6TN 
 bmMuwdjebpIE2vFxTHGLQfb2PmUJpazAGkG0fUaqrjuIU99Qbe5hwLYX 
 qyGe2Mm+ZNRsomBxhluR/ky/XX4V1TjTqeXYH4gkzEs7I6og5IE0tKyh 
 hpU38XHtuFVj7uunIAWGn5g9tZ0ZNnv8CkwLE5hLmRf+AoNTd483ZBX4 
 FUT32KbF6XV3ikctXbsMe2GqGlIf0gMqJQbNvYf1NuNMbxauh9YavEQ0 
 yaavI1hz5eLMJRruq4wDTyRnMJHupxY69oZZ9IbIsEf0FurtaA7fXrAx qcfEfARr4b0=
 nl. 7200 IN RRSIG DNSKEY 8 1 7200 
 20150526002957 20150511201503 21362 nl. 
 lXOt9uoPC+0NdnY2GiPVvCSwK2XeJVfMu1r8d84k47Au2sYc3rExtCGQ 
 JT7Smx6heHQ8kWPPLJ58FTd0oht5yG/0E6Voe2qNh5xKp8htoseTEysv 
 hejOXEevpWkxfkc3JFu7qHzYqNYAEIwKNXIWMhxmVarhwACKkKIelZXy 
 6o/hD2JspOHCzZO6uK5X1pRQyBFnRt2PgZ6oMWCi4h7/mMNQRAAqcR1V 
 hFmBnYEPQuk3Twiq6geHdP3aq0FxvHnUqHXczVPz2BAf6bV4sl2XRjxP 
 EEtmSRRAkkT8YTNOlKytU8V5bnjAMqeh3nkIHvugdJzDwrkODhrIsLKo 3ywe/A==
 
 ;; Query time: 7 msec
 ;; SERVER: 194.171.17.10#53(194.171.17.10)
 ;; WHEN: Wed May 20 12:25:14 2015
 ;; MSG SIZE  rcvd: 745
 
 Hope that helps.
 

As I mentioned, I'm no expert so I forgot to add:

The DS is signed by the parent, so that is why the DS-query did work.

As we can see, there is no RRSIG record on your domain; my guess would be that 
the transferred domain isn't properly signed before it's transferred:

$ dig +dnssec +norec @ns1.desec.io desec.io DNSKEY

; <<>> DiG 9.8.1-P1 <<>> +dnssec +norec @ns1.desec.io desec.io DNSKEY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41947
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;desec.io. IN DNSKEY

;; ANSWER SECTION:
desec.io. 3600 IN DNSKEY 257 3 8 
AwEAAcw5QLr0IjC0wKbGoBPQv4qmeqHy9mvL5qGQTuaG5TSrNqEAR6b/ 
qvxDx6my4JmEmjUPA1JeEI9YfTUieMr2UZflu7aIbZFLw0vqiYrywCGr 
CHXLalOrEOmrvAxLvq4vHtuTlH7JIszzYBSes8g1vle6KG7xXiP3U5Ll 
96Qiu6bZ31rlMQSPB20xbqJJh6psNSrQs41QvdcXAej+K2Hl1Wd8kPri 
ec4AgiBEh8sk5Pp8W9ROLQ7PcbqqttFaW2m7N/Wy4qcFU13roWKDEAst 
bxH5CHPoBfZSbIwK4KM6BK/uDHpSPIbiOvOCW+lvu9TAiZPc0oysY6as lO7jXv16Gws=
desec.io. 3600 IN DNSKEY 256 3 8 
AwEAAday3UX323uVzQqtOMQ7EHQYfD5Ofv4akjQGN2zY5AgB/2jmdR/+ 
1PvXFqzKCAGJv4wjABEBNWLLFm7ew1hHMDZEKVL17aml0EBKI6Dsz6Mx 
t6n7ScvLtHaFRKaxT4i2JxiuVhKdQR9XGMiWAPQKrRM5SLG0P+2F+TLK l3D0L/cD

;; Query time: 85 msec
;; SERVER: 54.88.76.245#53(54.88.76.245)
;; WHEN: Wed May 20 12:30:26 2015
;; MSG SIZE  rcvd: 461

I would try the same query on the hidden master first.

  Thanks a lot for your help,
  Peter
  -- 
  OpenPGP Key: 0x3EF22D2F
  
 
 

Re: [Pdns-users] DNSSEC trouble

2015-05-20 Thread Leen Besselink
On Wed, May 20, 2015 at 01:34:59PM +0200, Peter Thomassen wrote:
 Hi Leen,
 
 On 05/20/2015 12:32 PM, Leen Besselink wrote:
  # these failed:
  dig @ns1.desec.io +dnssec +norec desec.io DNSKEY
  dig @ns1.desec.io +dnssec +norec desec.io A
 
  Here is a working example with an RRSIG for the DNSKEY query:
 [...]
  As we can see, no RRSIG-record on your domain, my guess would be the 
  transferred domain isn't properly signed before it's transferred:
  
  $ dig +dnssec +norec @ns1.desec.io desec.io DNSKEY
 [...]
  I would try the same query on the hidden master first.
 
 I did try that, and when I query the hidden master, in fact I do get the
 RRSIG records for free. Why is that not the case for the slaves?
 
 I made the hidden master available at desec.io temporarily -- so, compare
 
 dig +dnssec +norec @desec.io desec.io A
 dig +dnssec +norec @ns1.desec.io desec.io A
 
 This really confuses me.
 

Does your slave have DNSSEC enabled in the config?

Looks like BIND zone file backend needs: bind-dnssec-db:

https://doc.powerdns.com/md/authoritative/backend-bind/

And maybe you need to do an extra step?:

PowerDNS needs to know if a zone should receive DNSSEC processing. To 
configure, run pdnssec set-presigned zone.

https://doc.powerdns.com/md/authoritative/dnssec/#from-existing-dnssec-non-powerdns-setups-pre-signed

 Best,
 Peter

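To make the dig checks from this thread and from the "no DNSSEC answer" thread above reproducible offline, here is an added Python example (not code from PowerDNS, dig or anyone on the list): it builds the query that dig +dnssec sends (an EDNS0 OPT record carrying the DO bit), reads a reply's AA and AD flags, RCODE and RRSIG count, and applies the reasoning used in the thread. The replies it inspects are constructed test data; labs.nic.cz is the name from the dig examples above.

```python
"""DNS wire-format helpers for the checks in this thread: build the query that
dig +dnssec sends (an EDNS0 OPT record carrying the DO bit) and inspect a reply
for its AA/AD flags, RCODE and the RRSIGs in the answer section.
Added example; not PowerDNS or dig code."""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 1, 41, 46, 48
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """'labs.nic.cz.' -> b'\\x04labs\\x03nic\\x02cz\\x00' (uncompressed)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234, dnssec_ok=True, recursion=False):
    """One question plus an OPT record. dnssec_ok sets the DO bit (dig +dnssec);
    recursion=False leaves RD clear, as dig +norec does for authoritative checks."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if recursion else 0, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, UDP payload size in CLASS, flags in TTL
    # (bit 15 of the TTL field is DO), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x8000 if dnssec_ok else 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Offset just past the name at off; a 2-byte compression pointer ends a name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_message(msg):
    """Decode the header and walk every section, recording RR types per section
    and the DO bit of an OPT record if present. Works for queries and replies."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                       # QTYPE + QCLASS
    sections, do_bit = {"answer": [], "authority": [], "additional": []}, False
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == TYPE_OPT:
                do_bit = bool(ttl & 0x8000)
            sections[section].append(rtype)
            off += 10 + rdlen
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ad": bool(flags & 0x0020), "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "do": do_bit, "rrsigs": sections["answer"].count(TYPE_RRSIG),
            "sections": sections}


def dnssec_verdict(reply):
    """The thread's reasoning applied to a parsed reply."""
    if reply["rcode"] != "NOERROR":
        return reply["rcode"]       # e.g. SERVFAIL from a validating recursor
    if reply["ad"]:
        return "validated"          # AD set: trust it only from a recursor on localhost
    if reply["rrsigs"]:
        return "signed"             # RRSIGs present, nothing validated yet
    return "unsigned"               # no RRSIG: zone served unsigned, or DO bit not sent


def make_reply(query, flags, answers):
    """Constructed reply to `query` for offline testing, not real server output.
    answers: list of (owner, type, ttl, rdata); names are left uncompressed."""
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0],
                         0x8000 | flags, 1, len(answers), 0, 0)
    body = b"".join(encode_name(n) + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
                    for n, t, ttl, rd in answers)
    return header + question + body


def demo():
    """Three constructed replies: an authoritative signed answer, the same answer
    without its RRSIG (what the slave in this thread returned), and a SERVFAIL."""
    q = build_query("labs.nic.cz.", TYPE_A)
    a_rr = ("labs.nic.cz.", TYPE_A, 1800, bytes([217, 31, 205, 52]))
    dummy_sig = b"\x00" * 18 + encode_name("nic.cz.") + b"\xab" * 8   # not a real signature
    sig_rr = ("labs.nic.cz.", TYPE_RRSIG, 1800, dummy_sig)
    signed = parse_message(make_reply(q, 0x0400, [a_rr, sig_rr]))       # AA set
    unsigned = parse_message(make_reply(q, 0x0400, [a_rr]))
    servfail = parse_message(make_reply(q, 0x0080 | 2, []))             # RA set, RCODE 2
    return dnssec_verdict(signed), dnssec_verdict(unsigned), dnssec_verdict(servfail)


if __name__ == "__main__":
    print(demo())
```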


Re: [Pdns-users] Security of DNSSEC signing (was: New to PowerDNS)

2014-06-29 Thread Leen Besselink
On Fri, Jun 27, 2014 at 01:26:07AM +0200, Michael Ströder wrote:
 k...@rice.edu wrote:
  On Thu, Jun 26, 2014 at 10:21:06PM +0100, Jorge Bastos wrote:
  For the DNSSEC part, is there a way to create the DNSSEC information just 
  by SQL ?
 
  If not, the solution is to run pdnssec secure-zone ZONE in a loop on a 
  cron script, am I right?
  
  I do not know about a SQL only solution for MySQL DNSSEC signing, but I
  know that there is a sample schema for Oracle that includes the needed
  triggers and functions and that I have a basically complete version of
  the same for PostgreSQL that I will be submitting to the PDNS folks once
  we have it vetted for production.
 
 Hmm, am I the only one who is concerned about the security of the signing 
 process?
 
 Please don't get me wrong. But people are advocating DANE nowadays and aim to
 completely replace X.509 certs with that. So security of the signed RRs is
 crucial just like issuing X.509 certs. And yes, I know that it's hard to
 achieve a higher level of operational security.
 
 Ciao, Michael.
 

Hi Michael,

DNSSEC allows a domain owner to be as secure or insecure as they want to be.

You can do online or offline signing.

Or do part of the signing online and part of it offline, because DNSSEC allows 
the use of a Zone Signing Key and a Key Signing Key for your domain.

Or you can choose to not use DNSSEC at all.

Online signing is similar to most VPN- and SSL/TLS-deployments, like 
HTTPS/POP3S/IMAPS.

Offline signing allows you put the key in a 24/7 guarded safe.

Most Certificate Authorities do online signing too. Just look at OCSP.
Probably they only use that for their sub-CAs (that is the certificate of the 
intermediate you need when you deploy for HTTPS, etc.).

Does that now make you less or more concerned?

Have a good weekend,
Leen.




Re: [Pdns-users] Recursor

2014-04-23 Thread Leen Besselink
On Wed, Apr 23, 2014 at 01:49:17PM +0200, Johan Kooijman wrote:
 Hi all,
 
 I'm seeing  something I cannot explain. I've setup my pdns daemon to send
 requests for recursions to Google DNS for now. But when I execute a host
 lookup, I'm seeing this:
 
 [13:35:42 jkooijman /home/jkooijman]$ host cnn.com IP
 Using domain server:
 Name: hostname
 Address: IP#53
 Aliases:
 
 cnn.com.jkit.nl mail is handled by 10 mail.jkit.nl.
 
 Now.. jkit.nl is a domain in the DNS database itself, but I don't really
 understand why pdns adds it to my query.
 

It's probably based on your /etc/resolv.conf

One tip: do not test with nslookup or host; they try to be smart.

Try testing with dig; it does what you ask it to do and nothing more.

dig @server-ip cnn.com
( the default query is for 'A' )

 My config:
 
 setuid=pdns
 setgid=pdns
 launch=gmysql
 gmysql-host=localhost
 gmysql-user=username
 gmysql-password=password
 gmysql-dbname=dns
 disable-axfr=no
 allow-axfr-ips=127.0.0.1/32 more IP's
 allow-recursion=127.0.0.1/32 more IP's
 recursor=8.8.8.8
 local-address=IP
 loglevel=2
 
 Am I missing something here?
 
 -- 
 Met vriendelijke groeten / With kind regards,
 Johan Kooijman



Re: [Pdns-users] Insert foreign DNSKEY?

2014-03-05 Thread Leen Besselink
On Wed, Mar 05, 2014 at 03:43:02PM +0100, Gilles Massen wrote:
 Hello,
 
 This feels a bit like an FAQ, but I wasn't able to dig it out, so: how
 can I insert a 'foreign' DNSKEY record in a zone? I don't have the key
 material, but I want it signed by the pdns-managed keys (it is for a
 secure DNS operator change).
 
 What I tried is an insert into records, type=DNSKEY and content=257 3 8
 public key, but that seems to be happily ignored.
 
 Any clues?
 

Hi Gilles,

The latest version of the PowerDNS Authoritative Server is 3.3.1.

That version has an option called direct-dnskey, which might have been 
available in an earlier version, but that code was still experimental.

It is mentioned in the documentation here:

http://doc.powerdns.com/html/dnssec-transfers.html

Hope that helps.

 best,
 Gilles
 

Have a good day,
Leen.

 -- 
 Fondation RESTENA - DNS-LU
 6, rue Coudenhove-Kalergi
 L-1359 Luxembourg
 tel: (+352) 424409
 fax: (+352) 422473
 


Re: [Pdns-users] PDNS on ispconfig 3

2014-02-26 Thread Leen Besselink
On Wed, Feb 26, 2014 at 09:27:42AM +0100, Steffan Noord wrote:
 I'm not sure if this was sent to the list; I didn't receive the e-mail myself
 

It did reach the list, no worries.

 -Original message-
 From: Steffan Noord [mailto:steffanno...@gmail.com] 
 Sent: Tuesday 25 February 2014 9:08
 To: pdns-users@mailman.powerdns.com
 Subject: PDNS on ispconfig 3
 
 Hello list,
 
 Is it possible to use powerdns with the ispconfig 3 interface?
 On their site it says yes, but I can only find very old threads about it.
 
 Is there a howto somewhere? 
 I already use pdns but want to start using ispconfig.
 
 Thanks
 
 Steffan
 



Re: [Pdns-users] Installation of PDNS Server on Raspberry Pi (weezy)

2013-08-16 Thread Leen Besselink
On Fri, Aug 16, 2013 at 02:31:56PM +0200, abang wrote:
 Hi Gerald,
 
 it works on my Pi. So there must be a config failure on your side.
 Please try
 
 /usr/sbin/pdns_recursor --daemon=no --trace=yes
 
 on commandline and try again with dig and post us the error messages
 if present.
 

I would try running dig on the Pi:

dig @127.0.0.1 facebook.com A

to see if it's the IP-/subnet-check.

 
 
 Am 16.08.2013 14:20, schrieb Gerald:
 Hi Marc,
 
 
 I have done as written in the citation below and the compilation worked,
 while printing a lot of messages like this:
 Warning: swp{b} use is deprecated for this architecture
 
 The program is running, but not delivering an address:
 
 pechoc@bmeson-a:~$ dig facebook.com A @192.168.10.233
 
 ; <<>> DiG 9.8.1-P1 <<>> facebook.com A @192.168.10.233
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4233
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;facebook.com.   IN  A
 
 ;; Query time: 8 msec
 ;; SERVER: 192.168.10.233#53(192.168.10.233)
 ;; WHEN: Fri Aug 16 14:13:11 2013
 ;; MSG SIZE  rcvd: 30
 
 I have a Raspberry Pi Type B with Debian Wheezy.
 
 kind regards
 Gerald
 
 On 2013-08-16 13:58, Marc Haber wrote:
 pdns-users is an English language mailing list.
 
 On Fri, Aug 16, 2013 at 10:09:44AM +0200, abang wrote:
 but I need one for Debian on Raspberry Pi.
 I don't know where you can get a ready-made binary for armv6l. But
 you could try compiling it yourself.
 
 apt-get install libboost-dev
 wget http://downloads.powerdns.com/releases/pdns-recursor-3.5.2.tar.bz2
 tar -xjf pdns-recursor-3.5.2.tar.bz2
 cd pdns-recursor-3.5.2
 ./configure
 make all
 
 I'm trying it right now as well. It feels like it takes forever on the Pi, though ;-)
 The PowerDNS recursor cannot be compiled on arm architectures. It
 needs a feature called swapcontext which is not available on arm. See
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579194
 
 Greetings
 Marc
 
 
 


Re: [Pdns-users] [Pdns-dev] PowerDNS Authoritative Server 3.3 Release Candidate 1 available

2013-05-28 Thread Leen Besselink
Hi,

 
   * commit 496073b: Since 3.0, pdnssec secure-zone has always generated 3 
 keys:
 one KSK and two ZSK, with one ZSK active. For most, if not almost all,
 users, this inactive ZSK is never used. We now no longer generate this
 useless ZSK. The resulting smaller DNSKEY RRset improves interoperability
 with certain validators. Closes ticket 824.
 

Peter, I assume this means it's still in the database and in the pdnssec 
output, but PowerDNS won't send it to DNS-clients?

Have a great day,
Leen.



Re: [Pdns-users] publish SPF and TXT records?

2012-09-06 Thread Leen Besselink
On Thu, Sep 06, 2012 at 02:35:13PM +, Marc van de Geijn wrote:
 Thanks, Arsen, for this information.
 
 Are there any statistics on the number of mailservers/... requesting SPF 
 records instead of TXT records?
 

I know some of the software on our mailservers doesn't even try SPF.

isc.org and ietf.org do publish both, but they seem to be the exception.

hotmail.com, gmail.com, sendmail.com and many others only have TXT and no SPF.

 -Original message-
 From: Arsen STASIC [mailto:arsen.sta...@univie.ac.at] 
 Sent: Thursday 6 September 2012 16:15
 To: Marc van de Geijn
 CC: Peter van Dijk; pdns-users Users
 Subject: Re: [Pdns-users] publish SPF and TXT records?
 
 * Marc van de Geijn m...@bhosted.nl [2012-09-05 16:14 (+)]:
  According to rfc's the dns server should publish both spf and txt. We now 
  create the spf, but not the txt version of the same spf.
 
 Hi Marc,
 
 Just take into consideration the ongoing IETF discussion about obsoleting SPF 
 RR.
 
 12.1.  The SPF DNS Record Type
 
Per [RFC4408], the IANA assigned the Resource Record Type and Qtype
from the DNS Parameters Registry for the SPF RR type with code 99.
The format of this type is identical to the TXT RR [RFC1035].  The
character content of the record is encoded as [US-ASCII].  Use of
this record type is obsolete for SPF Version 1.
 
IANA is requested to add an annotation to the SPF RRTYPE saying
(OBSOLETE - use TXT) in the DNS Parameters registry.
 
[NOTE TO RFC EDITOR: (to be changed to  ... has added ... upon
publication)]
 
 This is taken from the latest draft:
 https://tools.ietf.org/wg/spfbis/draft-ietf-spfbis-4408bis/draft-ietf-spfbis-4408bis-06-from-05.wdiff.html
 
 just my 2ct
 -arsen


Re: [Pdns-users] suspend domains

2012-08-03 Thread Leen Besselink
On Fri, Aug 03, 2012 at 04:44:00PM -0300, Mitsue Acosta Murakami wrote:
 Hello,


 I am using powerdns 2.9.22-8 with MySQL backend on Debian Squeeze and I  
 need to disable domains from pdns without deleting them. I followed  
 these instructions:

 http://osdir.com/ml/network.dns.powerdns.user/2006-06/msg00144.html

 I added a field status to domains table but it doesn't work.

 Does anyone know where I can find instructions to do this configuration?

 Any help will be highly appreciated.


The one you linked to (this is more readable):

http://osdir.com/ml/network.dns.powerdns.user/2006-06/msg00138.html

Is actually the way to do it.

Did you add the same status-column as described: char (1) ? I think you need to 
add it to the domains and records tables.

Did you set an 'A' in each status-column ?

Did you change the queries as described on the mailing list ?


 -- 
 Mitsue


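
Added example for this thread (not from the list post Leen links to, and not PowerDNS code): the status-column approach rebuilt in an in-memory SQLite database, so you can see what the modified lookup query has to look like before touching a production pdns.conf. The schema is a constructed subset of the generic SQL schema; the lookup query mirrors the shape of the basic-query of the generic SQL backends (lookup by name and type), which is the setting you would override with the extra status condition.

```python
"""Suspend domains with a status column, without deleting them.

Added example, not code from the thread or from PowerDNS. A char(1)
'status' column on both the domains and the records table, 'A' for
active, and lookup queries that carry an extra "and status='A'"
condition, so suspended data is simply never returned.
"""
import sqlite3

# Constructed subset of the generic SQL schema with the status column added.
SCHEMA = """
create table domains (
  id integer primary key, name varchar(255) not null,
  type varchar(6) not null, status char(1) not null default 'A');
create table records (
  id integer primary key, domain_id integer,
  name varchar(255), type varchar(6), content varchar(255),
  ttl integer, status char(1) not null default 'A');
"""

# Constructed sample data: two zones, one of which will be suspended.
SAMPLE = {
    "active.test": ["192.0.2.10"],
    "suspended.test": ["192.0.2.20"],
}

# The lookup as the server would run it, with the status condition added
# on both tables. The '?' placeholders stand where the backend substitutes.
BASIC_QUERY = (
    "select r.content, r.ttl, r.type, r.domain_id, r.name "
    "from records r join domains d on d.id = r.domain_id "
    "where r.type = ? and r.name = ? and r.status = 'A' and d.status = 'A'"
)

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for name, addrs in SAMPLE.items():
        cur = db.execute("insert into domains (name, type) values (?, 'NATIVE')", (name,))
        for addr in addrs:
            db.execute(
                "insert into records (domain_id, name, type, content, ttl) "
                "values (?, ?, 'A', ?, 3600)", (cur.lastrowid, "www." + name, addr))
    return db

def lookup(db, qname, qtype="A"):
    """Contents the filtered lookup returns for qname/qtype."""
    return [row[0] for row in db.execute(BASIC_QUERY, (qtype, qname))]

def set_status(db, zone, status):
    """Flag a zone and all its records; nothing is deleted either way."""
    db.execute("update domains set status = ? where name = ?", (status, zone))
    db.execute(
        "update records set status = ? where domain_id in "
        "(select id from domains where name = ?)", (status, zone))

def demo():
    """Return lookup results before, during and after a suspension."""
    db = build_db()
    before = lookup(db, "www.suspended.test")
    set_status(db, "suspended.test", "S")
    during = lookup(db, "www.suspended.test")
    still_active = lookup(db, "www.active.test")
    set_status(db, "suspended.test", "A")
    after = lookup(db, "www.suspended.test")
    return before, during, still_active, after

if __name__ == "__main__":
    print(demo())
```

The point to carry over to a real setup is that every query the backend uses (not only the basic one) needs the same condition, otherwise a suspended zone still answers through the query you forgot.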


Re: [Pdns-users] configuring ALSO-NOTIFY support using the domain metadata table

2011-08-22 Thread Leen Besselink
On 08/18/2011 05:22 PM, Bauer, Steven J. wrote:
 -Original Message-
 From: bert hubert [mailto:bert.hub...@netherlabs.nl]
 Sent: Thursday, August 18, 2011 9:11 AM
 To: Bauer, Steven J.
 Cc: pdns-users@mailman.powerdns.com
 Subject: Re: [Pdns-users] configuring ALSO-NOTIFY support using the
 domain metadata table

 On Thu, Aug 18, 2011 at 08:53:11AM -0600, Bauer, Steven J. wrote:
 After looking through the source it appears that dnssec queries have
 to be enabled to get data out of the domainMetadata table.  In the
 code file
 Hi Steven,

 This is indeed correct. If the 'gmysql-dnssec' (or gpsql- or gsqlite3-) flag 
 is
 not specified, PowerDNS can't assume the domainmetadata table is there.

 The '-dnssec' flag really means 'the database has been set up for dnssec
 support', not 'everything is dnssec'.
 With this flag though it implies more functionality changes in the software 
 doesn't it?  Things like using the auth columns or am I misunderstanding the 
 discussions that have happened over the past few weeks on the list?


DNSSEC is enabled on a per-domain basis based on the domainmetadata table.

So if you don't enable it on any domains, everything else should stay
the same. It should not look at the auth-columns.

 Steve

  Bert

 --
 PowerDNS Website: http://www.powerdns.com/ PowerDNS Community
 Website: http://wiki.powerdns.com/


Re: [Pdns-users] DNSSEC rectify-zone setuid and setgid

2011-08-21 Thread Leen Besselink
On 08/05/2011 06:31 AM, kim Doff wrote:
 Hello,

Hi,

 Could you help me?


Well, I can try and give you some information and pointers.

 1.

 DNSSEC Master/Slave are working faultlessly.

 I have PowerDNS v3, PowerAdmin 2.1.5 and MySQL Database Replication
 With SSL Encryption. 

 Here is my question.

 When I modify zone domain.com through PowerAdmin
 by adding a subdomain like test.domain.com

 Master/Slave are updated (SOA serial is updated) 
 but Master/Slave do not bind test.domain.com,

 I have to rectify zone domain.com in Master
 to bind test.domain.com in Master/Slave

 # pdnssec rectify-zone domain.com

 Is there a way to do it automatically through PowerDNS?


First you'll have to know where all the documentation is:
http://powerdnssec.org/
http://wiki.powerdns.com/trac/wiki/PDNSSEC
http://doc.powerdns.com/powerdnssec-auth.html
http://wiki.powerdns.com/trac/wiki/PDNSSEC/details
http://wiki.powerdns.com/trac/wiki/PDNSSEC/backends

Next you should know that you choose how PowerDNS should do the
live-signing for the domain.

If you choose one that does not need an ordered zone, like for example
NSEC3-narrow, you can just add the right auth=TRUE to the database and
it will 'just work'.

Because that is all that rectify-zone does for un-ordered zones.

(zone-transfers will not be signed by the way with NSEC3-narrow, if I
remember correctly, if you need them you might not want to choose that)

 2.

 When I enable setuid=pdns and setgid=pdns in pdns.conf,
 Master/Slave are down.


Have you tried running pdns_server with --daemon=no --guardian=no
--config=/your-config ? I think this should not detach from the console.
If you also add something like strace -f -F then you can also see what
it is doing.

There must be something that the pdns-user or -group does not have
rights to that it needs.

 Why?

 Thanks,

 Kim


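
Added example for this thread (not PowerDNS code): what "just add the right auth" amounts to for an unordered (NSEC3 narrow) zone, where rectify-zone has no ordername to fill in and only sets the auth flag. The rule applied here is a simplification of what the server does: records at or below a delegation point (a non-apex name that owns NS records) are not authoritative, except the DS records at the delegation point itself. A management tool that writes auth this way when it inserts records does not need a rectify-zone run afterwards. The zone and the rule are constructed for illustration; check the result against a real rectify-zone before relying on it.

```python
"""Mark records authoritative the way rectify-zone would, for an
unordered (NSEC3 narrow) zone.

Added example, not PowerDNS code. Simplified rule: names at or below a
delegation cut get auth=0 (glue), the DS at the cut stays auth=1, and
everything else in the zone is auth=1. Sample zone is constructed.
"""

def labels(name):
    return name.rstrip(".").split(".")

def is_below_or_at(name, parent):
    """True if 'name' equals 'parent' or is a subdomain of it."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[-len(p):] == p

def delegation_points(zone, records):
    """Names other than the apex that own NS records."""
    return {name for name, rtype, _ in records
            if rtype == "NS" and labels(name) != labels(zone)}

def auth_flags(zone, records):
    """Return a list of (name, type, content, auth) for the given records."""
    cuts = delegation_points(zone, records)
    out = []
    for name, rtype, content in records:
        auth = 1
        for cut in cuts:
            if is_below_or_at(name, cut):
                # DS at the cut stays authoritative; the NS set at the cut
                # and anything below it is glue and is not.
                auth = 1 if (rtype == "DS" and labels(name) == labels(cut)) else 0
                break
        out.append((name, rtype, content, auth))
    return out

# Constructed sample zone: apex, a normal host, a delegated child with glue.
ZONE = "domain.example"
RECORDS = [
    ("domain.example", "SOA", "ns1.domain.example hostmaster.domain.example 2011080501 3600 900 1209600 300"),
    ("domain.example", "NS", "ns1.domain.example"),
    ("ns1.domain.example", "A", "192.0.2.1"),
    ("test.domain.example", "A", "192.0.2.5"),
    ("child.domain.example", "NS", "ns1.child.domain.example"),
    ("child.domain.example", "DS", "12345 8 2 CONSTRUCTED-DIGEST"),
    ("ns1.child.domain.example", "A", "192.0.2.9"),
]

def auth_by_name_type(zone=ZONE, records=RECORDS):
    """Convenience view: (name, type) -> auth."""
    return {(n, t): a for n, t, _, a in auth_flags(zone, records)}

if __name__ == "__main__":
    for name, rtype, _, auth in auth_flags(ZONE, RECORDS):
        print(f"auth={auth} {name} {rtype}")
```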


Re: [Pdns-users] PowerDNS in an ISP environment

2011-08-17 Thread Leen Besselink
On 08/16/2011 09:42 PM, Erik Weber wrote:
 On Tue, Aug 16, 2011 at 8:29 PM, Anthony Eden anthonye...@gmail.com wrote:
 On Tue, Aug 16, 2011 at 8:23 PM, Posner, Sebastian s.pos...@telekom.de
 wrote:
 Erik Weber wrote:
 Some other things to consider why running PDNS is better:
 [...]
 Just shooting in with a feature that I just came to remember.

 6) Fancy records.
 3.0 doesn't support fancy records any more.
 I, for one, am sad about this.
 We're still running PowerDNS 2.x and haven't faced this change yet.
 Shouldn't it be a matter of extending the records table with a column
 with the URL information, and just insert the record as a normal A
 record?

 Your management software and the forwarding software would have to
 confront the URL field, but to PowerDNS it should look like a normal
 record.


I've never seen the need for the use of any 'special' record for
redirects. I prefer simple, hopefully future proof, solutions.

We used a separate table from the start in the same database as PowerDNS
uses* so the management software does not need 2 databases and can join
some tables if needed. We just have the management software insert the
A-record for the redirect normally.

We also allow for redirects in the table which don't have a domain in our
DNS. Sometimes it is easier to point an external domain at your own
redirect than to convince another provider to do the redirect.

It keeps our DNS clean.

PowerDNS doesn't mind if there is an extra table (I think it doesn't
mind extra columns as you mentioned above either).

Hope that helps,
Leen.

* Or actually the management software works on the master database,
PowerDNS and redirect use slave databases.



Re: [Pdns-users] Pipe-backend: ABI-v3, TXT, and DNSSEC

2011-08-08 Thread Leen Besselink
On 08/08/2011 11:34 PM, Leen Besselink wrote:
 On 08/08/2011 06:57 PM, Jan-Piet Mens wrote:
 Hello,

 I was curious as to whether PowerDNS would sign records produced by the
 PIPE back-end, particularly since the release notes indicate it may be
 possible ([3] also says partial support).

 I set up a small test with PowerDNS 3.0.1 [1] and the example
 backend-v3.pl [2]. I encountered the following issues:

 I tried that too. I did rename mine test.net and used gsqlite3 because
 I already had that setup.

 0. Configuration `powerdns.conf` contains only:

 daemon=no
 launch=gmysql,pipe
 gmysql-dnssec
 gmysql-dbname=pdns
 gmysql-host=127.0.0.1
 gmysql-port=3306
 gmysql-user=pdns
 gmysql-password=secret
 cache-ttl=0
 query-cache-ttl=0
 log-dns-details=yes
 loglevel=4
 pipe-command=/etc/powerdns/backend-v3.pl
 pipebackend-abi-version=3

 1. A query of type ANY produces a SERVFAIL with the sample back-end. The
console logs: 
Exception building answer packet (Parsing record content: Data field
in DNS should start with quote () at position 3 of ' hallo
allemaal!') sending out servfail

Changing quotes to single quotes, or removing them altogether doesn't
improve: I can't get PowerDNS to reply with a TXT RR.

 Seems that part works for me if I remove all quotes:

 print "DATA\t$bits\t$auth\t$qname\t$qclass\tTXT\t3600\t-1\thallo allemaal!\n";

 Although it does add a space at the start:

 $ dig +short +norec +dnssec @127.0.0.1 test.net txt
 TXT 8 2 3600 2011081800 2011080400 63826 test.net.
 fD8xqLMN9vcBK1Y0CwAJrgr9CfFQRwdc3j9OVijHXjvU5TdMDZ4s4y0g
 JcmUCREUFAdbmasrKmthPEzGvtrD/K41zWSdjwArMDzehmozrCswU8Vq
 oGJ4K2n/2FEUUA1bpS0pbU+KLMW2I0EevhdPNojzgSyD78ztAOjcTH5o s6g=
  hallo allemaal!

 2. I created a zone in gmysql called example.com, type=NATIVE and
signed it with `pdnssec secure-zone example.com`. (Records table for
the zone is empty)

 Yes, it won't work without a records-table.

 3. I query the PIPE backend `dig @127.0.0.1 example.com any' and get
expected results including 3 DNSKEY RR

 4. I query the PIPE backend `dig @127.0.0.1 +dnssec example.com any' and
powerdns aborts with the following message on the console:

 Default beforeAndAfterAbsolute called!
 Got a signal 6, attempting to print trace
 ...

 A bug or two, surely? :-)

 It does work for +dnssec for webserver.$domain A or $domain SOA

 Which is really encouraging.

 But it crashes as stated above if it just doesn't find things and needs
 to do DNSSEC.

 I was using NSEC and asking for  also crashes the whole thing.

 A normal request to the pipe-backend looks like:

 24718 Received: Q test.net IN SOA -1 127.0.0.1 127.0.0.1 127.0.0.1/32
 24718 Sent SOA records
 24718 End of data

 But a request just before a crash says:

 �/32 Received: Q test.net IN SOA -1 0.0.0.0 0.0.0.0 8
 24724 Sent SOA records
 24724 End of data

 Which suggests to me something in the PowerDNS-code isn't able to handle
 it when
 there is no result from any backend in combination with DNSSEC.


I forgot to add:

It also seems to ask the wrong question ? Or at least use the wrong
'realRemote' and maybe that breaks the protocol ?

I didn't immediately find the cause for it.

 Additionally, I note that the documentation for the PIPE backend [3]
 has no mention of ABI version 3, nor does it describe the bits and auth
 returned by the example pipe backend. Could somebody explain what the
 `bits' are?

 Thanks & regards,

 -JP

 [1]: http://downloads.powerdns.com/releases/rpm/pdns-static-3.0-1.i386.rpm
 [2]: 
 http://wiki.powerdns.com/trac/browser/trunk/pdns/modules/pipebackend/backend-v3.pl?rev=2239
 [3]: http://doc.powerdns.com/backends-detail.html#pipebackend
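
Added example for this thread (not the project's backend-v3.pl): a minimal ABI version 3 pipe backend in Python that parses the Q line exactly as it appears in the log above ('Q', qname, qclass, qtype, id, remote ip, local ip, edns subnet, tab separated) and answers with DATA lines in the field order of the Perl print above ('DATA', bits, auth, qname, qclass, qtype, ttl, id, content) followed by END. Wrapping the TXT rdata in double quotes is an assumption about what the 3.x parser accepts (the thread shows that was not settled); the Q lines and record data used for testing are constructed.

```python
"""Parse and answer PowerDNS pipe-backend ABI version 3 lines.

Added example, not PowerDNS code. Protocol shape taken from the lines
quoted in the thread; TXT quoting is an assumption (see lead-in).
"""
import sys

RECORDS = {  # constructed: (qname, qtype) -> list of (ttl, content)
    ("test.net", "SOA"): [(3600, "ns1.test.net hostmaster.test.net 2011081800 3600 900 1209600 300")],
    ("test.net", "TXT"): [(3600, "hallo allemaal!")],
    ("webserver.test.net", "A"): [(3600, "10.0.0.238")],
}

def parse_q(line):
    """Split an ABI v3 Q line into a dict; raise on a malformed one."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 8 or parts[0] != "Q":
        raise ValueError(f"not an ABI v3 Q line: {line!r}")
    keys = ("kind", "qname", "qclass", "qtype", "id", "remote", "local", "subnet")
    return dict(zip(keys, parts))

def format_content(qtype, content):
    # TXT rdata goes out quoted; other types as-is (assumption, see lead-in).
    return f'"{content}"' if qtype == "TXT" else content

def answer(q):
    """Return the DATA lines for a parsed Q, then END. bits=0, auth=1."""
    out = []
    if q["qtype"] == "ANY":
        wanted = [t for (n, t) in RECORDS if n == q["qname"]]
    else:
        wanted = [q["qtype"]]
    for qtype in wanted:
        for ttl, content in RECORDS.get((q["qname"], qtype), []):
            out.append("\t".join(["DATA", "0", "1", q["qname"], q["qclass"], qtype,
                                  str(ttl), q["id"], format_content(qtype, content)]))
    out.append("END")   # no DATA lines before END means "no such record"
    return out

def serve(inp, out):
    """Minimal loop: HELO handshake for ABI 3, then one answer block per Q line."""
    first = inp.readline()
    if not first.startswith("HELO\t3"):
        out.write("FAIL\n"); out.flush(); return
    out.write("OK\tpython pipe backend\n"); out.flush()
    for line in inp:
        try:
            q = parse_q(line)
        except ValueError:
            out.write("FAIL\n"); out.flush(); continue
        out.write("\n".join(answer(q)) + "\n"); out.flush()

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Pointing pipe-command at this script with pipebackend-abi-version=3 and sending the HELO line by hand on a terminal is the quickest way to see what the server will get back, without a DNS client in the loop.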


Re: [Pdns-users] powerdns recursor and dns prefix

2011-06-19 Thread Leen Besselink
On 06/17/2011 09:30 PM, Konstantine Karosanidze wrote:
 Hello,


Hi,

 I run powerdns recursor (v 3.3, from freebsd ports) as an ISP
 recursive dns (almost default config, I just use nxdomain lua script
 for not found domain to be redirected to search page).

 It's been working fine for a while but couple days ago I noticed that
 some clients have problem with resolving.

 Problem is following: all my clients get dns prefix from dhcp, let's
 say: domain.com

 and i see some requests to dns like: google.com.domain.com
 that does not resolve and it's correct
 that it does not resolve.

 I understand that it happens because windows machine adds prefix to
 requested domain, but is there any possibility to overcome this problem?


It isn't just Windows machines, just see the 'search'-option in
resolv.conf(5) on any Unix-like system.

If possible I wouldn't try to redirect the nxdomain; it breaks many
things, especially domains which are down for a short while. I would
like to ask you not to do that.

But if you really think you must and want to fix it then I would change the
lua script to understand that domain.com should not be redirected.

I would probably also keep the ttl as low as possible to make problems
you create go away as fast as possible, as low as I think the recursors
can handle (as it will obviously get a lot more queries) with a margin
of course.

Have a nice weekend,
Leen.



Re: [Pdns-users] Updating Wiki/Posting Bugs

2011-06-17 Thread Leen Besselink

 I tried no space a number of times and it didn't work but just tried again
 and... It works.. Arghhh. Thanks

My guess is, this works really well against spammers too. ;-)




Re: [Pdns-users] Updating Wiki/Posting Bugs

2011-06-16 Thread Leen Besselink
On 06/17/2011 02:28 AM, Craig Whitmore wrote:
 The username/password given (anon/No Spam) doesn't seem to work
 on http://wiki.powerdns.com/trac


It says: no space in between

 Thanks





Re: [Pdns-users] svn access to pdns backends

2011-05-26 Thread Leen Besselink
On 05/26/2011 09:12 AM, Nick Milas wrote:
 Hi,


Hi Nick,

 Can anyone please tell me how I can have svn access to pdns backends
 source tree?


When I look at the http://wiki.powerdns.com/trac/ it says exactly the
same thing you did.

 I used:
 svn co svn://svn.powerdns.com/pdns/trunk/pdns pdns

So I did the same thing. And I got revision 2199 just like it says here:

http://wiki.powerdns.com/trac/log/trunk/pdns

 as indicated here: http://wiki.powerdns.com/trac/wiki/HACKING but in
 there I only see gmysql and bind backends.

 I am mainly interested in LDAP and mongodb backends.


I see the directories and files in pdns/modules/ (not pdns/pdns/backends !!)

 (Trying to probably become a hacker, now in my late days. ;-) )

 Thanks,
 Nick
Hope that helps.

Have a nice day,
Leen.



Re: [Pdns-users] Small site backend recommendations

2011-05-21 Thread Leen Besselink
On 05/21/2011 06:27 AM, Charles Sprickman wrote:
 On Thu, 12 May 2011, k...@rice.edu wrote:

 On Thu, May 12, 2011 at 03:37:24AM -0400, Charles Sprickman wrote:
 Hello,

 We've been using the PDNS recursor for some time now and have been
 quite
 happy with it.  It replaced dnscache and has proven to perform much
 better.

 We're now looking at moving away from tinydns, mainly to get IPv6
 support without patching and to get started with DNSSEC.  I don't
 see us
 with more than a few thousand zones anytime soon, and we aren't looking
 at anything above 1000 qps (across three servers) anytime soon.

 I'm not sure I completely understand the PowerDNS philosophy quite yet,
 but it looks like BCP is to run a db server on each name server
 (postgres or mysql).  This feels a little too heavyweight for us.  What
 might be some interesting options?  Would something like one master
 with
 a real db backend (in our case PostgreSQL) and then two slaves
 running
 SQLite work well?  Is there anything lighter than SQLite that we
 could
 stick on the slaves?  Is the SQLite backend well-supported?

 Any pointers greatly appreciated.  We are committed to a
 database-backed
 DNS server (we currently have a script that dumps db data to a tinydns
 data file), and there do not seem to be that many actively-developed
 options out there...

 Thanks,

 Charles

 Hi Charles,

 The advantages to having a db for each server is redundancy. A single
 server can easily serve 10X your expected load on a single box. In
 addition
 using db replication to move the updates around provides for a much more
 real-time process across all of your systems.

 I do understand the general concept, but going from scp'ing a tiny
 .cdb file around to running a full-blown PostgreSQL instance on each
 nameserver just feels a little bit too heavy for us.  SQLite is
 certainly a little simpler and less resource-intensive.

 I've been running through the docs again, and I'm finding there's a
 bit of a lack of best common practices sort of information.  So what
 I'd really like to get some feedback on is whether the following
 should work properly, especially given the (comparatively) small
 number of queries we'll be serving:

 -One server as master/supermaster that is backed with gpgsql backend
 that will be where all records are added/deleted/changed.  This may
 also be a hidden master at some point as we change our general
 provisioning setup.
 -Two servers as slaves using the gsqlite3 backend.

 If I've understood the documentation correctly this should (at least
 in theory) work.  We add a zone on the supermaster and the slaves,
 even though they are running a different backend, will be notified of
 the new zone and fetch it via axfr.  Changes in existing zones are
 also fetched via axfr.

 My only concerns after looking at the docs is whether the gsqlite3
 backend is thoroughly tested and whether using traditional
 master/slave and axfr will lead to any issues with the servers being
 out of sync with each other (since it seems most pdns installations
 are larger and have gone with a full-blown db w/replication for each
 server).


I find it is usually better to test for ourselves how it works in our
setup than rely on others. ;-)

Personally I've never seen the gpgsql open a lot of connections which is
where the overhead might be in PostgreSQL (in PowerDNS 3 it is more on
purpose though). PowerDNS has 2 caches if I understand it correctly. One
where the queries are cached and one where packets are cached, both for
a short time. So many clients asking the same question will never go to
the database more than once.

With your intended setup as long as you test everything and make sure
the SOA-serial is updated when changes are made and a notify is sent to
the slaves that should be fine.

DNSSEC adds key material to the mix and you would also need to change those
keys every few weeks or months (depends on your preference) and you have
to make sure the serial gets updated again as well.

 Thanks,

 Charles

 Cheers,
 Ken



Re: [Pdns-users] CNAME pointing to URL forwarding record

2011-03-31 Thread Leen Besselink
On 03/31/2011 09:18 AM, Anthony Eden wrote:


 On Wed, Mar 30, 2011 at 2:28 PM, Stefan Schmidt zaph...@zaphods.net
 wrote:

 Hi Anthony,

 On Wed, Mar 30, 2011 at 10:22 AM, Anthony Eden
 anthonye...@gmail.com wrote:

 When I point a CNAME record to a URL forwarding record
 PowerDNS returns a SERVFAIL for the CNAME query when I go
 through a resolver. If I dig directly against the
 authoritative server it works just fine. Any suggestions on
 how I can fix this, other than just replacing the CNAME with
 another URL


Actually, if you use dig and pay really close attention you should see
you request www.wemakednssimple.com

But it returns wemakednssimple.com. without the www. Which is wrong. A
recursor will recognise this and just ignore that part of the answer
(there is nothing else in the answer so you get nothing).

I don't know what the cause is, but this is the result and why it
doesn't work.

 forwarding record?


 Please tell us what you dig for and which server - presumably
 yours - you are asking.
 As there is no such thing as a URL forwarding record in DNS in
 general, is it safe to assume that you mean a URL fancy record
 type such as in http://doc.powerdns.com/fancy-records.html ?


 Working: dig @ns1.dnsimple.com www.wemakednssimple.com
 Not working: dig @8.8.8.8 www.wemakednssimple.com

 And yes, by URL forwarding record I mean the URL fancy record type as
 described in the PowerDNS documentation.

 Any help would be appreciated. Thanks.

 Sincerely,
 Anthony Eden

 -- 
 http://anthonyeden.com | twitter: @aeden | skype: anthonyeden




Re: [Pdns-users] CNAME pointing to URL forwarding record

2011-03-31 Thread Leen Besselink
On 03/31/2011 11:42 AM, Anthony Eden wrote:


 On Thu, Mar 31, 2011 at 11:32 AM, Leen Besselink
 l...@consolejunkie.net wrote:

 On 03/31/2011 09:18 AM, Anthony Eden wrote:
 
 
  On Wed, Mar 30, 2011 at 2:28 PM, Stefan Schmidt
 zaph...@zaphods.net wrote:
 
  Hi Anthony,
 
  On Wed, Mar 30, 2011 at 10:22 AM, Anthony Eden
  anthonye...@gmail.com wrote:
 
  When I point a CNAME record to a URL forwarding record
  PowerDNS returns a SERVFAIL for the CNAME query when I go
  through a resolver. If I dig directly against the
  authoritative server it works just fine. Any suggestions on
  how I can fix this, other than just replacing the CNAME with
  another URL
 

 Actually, if you use dig and pay really close attention you should see
 you request www.wemakednssimple.com

 But it returns wemakednssimple.com.
 without the www. Which is wrong. A
 recursor will recognise this and just ignore that part of the answer
 (there is nothing else in the answer so you get nothing).

 I don't know what the cause is, but this is the result and why it
 doesn't work.


 I wonder if setting skip-cname to yes would solve the problem and if
 so, what are the implications of doing so?


I wouldn't know. Seems to be a bug/issue the way it is.

I suggest you try it on a test-machine or something like that and try to
fix it there.

Maybe just change the settings of 1 server out of the 4 and drop packets
from IP-addresses other than your recursor for a few seconds, so
they don't cache something which is wrong.

 Sincerely,
 Anthony Eden 

 -- 
 http://anthonyeden.com | twitter: @aeden | skype: anthonyeden





Re: [Pdns-users] pdns error sendto

2011-02-26 Thread Leen Besselink
On 02/25/2011 07:46 AM, Liong Kok Foo wrote:
 Hi,

 I have double checked and I did configure the firewall port 53
 tcp/udp. Could it be possible there are other ports that need to be opened?

 I am using APF firewall. If anyone is also using that, please share
 your configuration.

 If it's not firewall, where else can I look? What other logs?


Sorry for the late reply.

It is not the firewall on some network device.

It is the firewall (like iptables, ipf or pf) on the machine running the
PowerDNS server.

 Thanks.


Hope that helps, if you haven't solved it already

 Liong Kok Foo



 On 2/21/2011 5:31 PM, Marc Haber wrote:
 On Mon, Feb 21, 2011 at 02:07:00PM +0800, Liong Kok Foo wrote:
 Sorry for my noobness, but could you explain on what you mean by local
 packet filter? Do you mean firewall? If yes, then what port do I look?
 FYI, I have open port 53 tcp/udp for outgoing and incoming.
 That should be enough, if it was done right.

 Greetings
 Marc



Re: [Pdns-users] New PowerDNS Authoritative Server snapshot with DNSSEC + Release Notes

2011-01-28 Thread Leen Besselink
-database instead.

As I've never created a sqlite3-database for powerdns before yesterday I
created one without dnssec first.

So I run zone2sql without the DNSSEC.

I disabled/change the settings:

#gsqlite3-dnssec
#bind-config
launch=gsqlite3

Looking at a .dump, it looks fine.

Run a dig and spot another problem:

;; ANSWER SECTION:
www.test.net.   3600IN  CNAME   web.test.net.

Just the CNAME, no A-record.

This seems wrong, I think it is an ordering problem. So I add the
dnssec-schema and enable:

gsqlite3-dnssec

Again and run:

pdnssec rectify-zone test.net

Now it worked:
;; ANSWER SECTION:
www.test.net.   3600IN  CNAME   web.test.net.
web.test.net.   3600IN  A   10.0.0.238

But still signing does not work:

$ pdnssec secure-zone test.net
This should not happen, still no key!

And I go to bed because it is late. :-/

This morning I tried running the bind and sqlite3 again but changed:

launch=bind,gsqlite3

That did not help.

Then I figured out the problem, I forgot to add to the domains-table.

So I have 2 suggestions:

1. add the insert into domain line to zone2sql
2. the documentation should be changed from:

$ echo 'insert into domains (name, type) values ('powerdnssec.org', 'NATIVE') | 
sqlite3 ./powerdns.sqlite3

to:

$ echo "insert into domains (name, type) values ('powerdnssec.org', 'NATIVE')" | sqlite3 ./powerdns.sqlite3


So I retested, but the problem with the CNAME and sqlite3 remained when
running without a DNSSEC-schema and gsqlite3-dnssec-setting.

After ordering and signing and ordering the DNSSEC the CNAME problems
all went away and when I run dig with +trusted-key= everything worked.

It also worked with or without the bind backend.

Have a nice day,
Leen Besselink.

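
Added example for this thread (not from the list or from PowerDNS): the mistake described above, records loaded by zone2sql but no row in the domains table, is easy to detect with one query, a left join from records to domains where the domain side is NULL. The check below builds a constructed gsqlite3-style database in memory, reproduces the mistake, and shows the fix as the same insert the documentation uses. The schema is a constructed subset of the generic SQL schema.

```python
"""Find records whose domain_id points at no row in the domains table.

Added example, not from the thread or PowerDNS. Schema and data constructed.
"""
import sqlite3

SCHEMA = """
create table domains (id integer primary key, name varchar(255) not null, type varchar(6) not null);
create table records (id integer primary key, domain_id integer, name varchar(255),
                      type varchar(6), content varchar(255), ttl integer);
"""

# Records with a domain_id that matches no domains row: secure-zone and
# the zone-level lookups have nothing to work on for them.
ORPHAN_QUERY = """
select distinct r.domain_id from records r
left join domains d on d.id = r.domain_id
where d.id is null
"""

def orphaned_domain_ids(db):
    return [row[0] for row in db.execute(ORPHAN_QUERY)]

def load_zone_without_domain_row(db, domain_id, zone):
    """Mimic what happened: records inserted, domains row forgotten."""
    rows = [
        (zone, "SOA", "ns1.%s hostmaster.%s 2011012801 3600 900 1209600 300" % (zone, zone)),
        ("www." + zone, "CNAME", "web." + zone),
        ("web." + zone, "A", "10.0.0.238"),
    ]
    db.executemany(
        "insert into records (domain_id, name, type, content, ttl) values (?, ?, ?, ?, 3600)",
        [(domain_id, n, t, c) for n, t, c in rows])

def add_domain_row(db, domain_id, zone):
    # The fix: the insert the documentation wants, with an explicit id so it
    # matches the domain_id the records already carry.
    db.execute("insert into domains (id, name, type) values (?, ?, 'NATIVE')", (domain_id, zone))

def demo(zone="test.net"):
    """Return (orphaned domain_ids before the fix, after the fix)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    load_zone_without_domain_row(db, 1, zone)
    before = orphaned_domain_ids(db)
    add_domain_row(db, 1, zone)
    after = orphaned_domain_ids(db)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Running ORPHAN_QUERY against the real database (sqlite3 ./powerdns.sqlite3 and paste it) after any zone2sql import is a cheap way to catch this before secure-zone complains about a missing key.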


Re: [Pdns-users] PowerDNSSEC Progress: ready for a first look

2011-01-07 Thread Leen Besselink
On 01/06/2011 08:00 PM, bert hubert wrote:
 On Thu, Jan 06, 2011 at 11:55:24AM -0500, Mathew Hennessy wrote:
 Excellent!  BTW, can PowerDNSSEC operate in the following way as one would 
 expect:

 PowerDNS supermaster which has DNSSEC RRs but doesn't do DNSSEC (aka
 traditional PowerDNS) providing data to PowerDNS slaves.  If you use the
 new code with a compatible backend on the slaves (such as gsqlite3), and
 your whois servers only point to those slaves, will it work?
 Almost! If you did that up till just now, you would have had to run 'pdnssec
 rectify-zone' on your slaves after each AXFR.

 However, thank you for raising this idea, this sounds like a very valid use
 case.

 It has just been implemented in changeset
 http://wiki.powerdns.com/trac/changeset/1819

 I tested it against an ancient server, and now I have a fully
 operational DNSSEC zone!

 It works fully automatic on retrieving a zone for which we have local keying
 material.

 In this way, PowerDNSSEC can now be used to 'dnssec-ify' existing data, a
 bit like 'phreebird'. http://freshmeat.net/projects/phreebird

   Bert


Hi Bert,

Thank you for all your work so far, it is probably a lot of work.

I was thinking what about the opposite ?

A (possibly hidden) supermaster which does all the DNSSEC signing and
the superslaves which only do
zone-transfers and no online DNSSEC-signing but do understand enough of
the protocol to be able to serve it.

I guess during the zone-transfer it would update any parts of the zone
that are not yet
(correctly) DNSSEC-signed ?

Would that also work ? Technically/DNSSEC-wise I would expect it to work
but maybe you don't have the right
configuration options yet. Also judging from the current documentation
it currently is not a mode of operations.

I ask this because I have a feeling not everyone wants their private key
material in several physical locations or
do not yet want to be hindered by the DNSSEC-performance of the
current release for their public authoritative
servers.

Most of these requirements are already handled by the SQL-replication
mode of operation. I have a hunch at
least someone out there currently runs a supermaster/superslave
operation and would like to only add
DNSSEC to the supermaster and only upgrade (if needed) the slaves.

__

I really like how PowerDNSSEC and Phreebird are trying to lower the
administrative/operational burden.

But there is one part I'm missing: a way to hook up an EPP-client for
sending the DS-record to the parent-zone.

Because when you set up the DS-record(s) at the parent-zone, you'll
eventually need to update it and the point
it is time when it needs to be updated is kind of dictated by the
software/crypto-algorithm.

So far the only effort I've seen is some experimental/beta code
created by the OpenDNSSEC-people.

Any thoughts on that yet ? Or is it just too early at this point ?

Are there too many TLD's that do not have the needed EPP-extensions at
this time ? Or are there too many different
authentication schemes ? Probably worse, I guess for some people they
have registrars in between. And some
currently have EPP, but probably not many have DNSSEC yet.

Anyway, when is the new DS known to PowerDNSSEC (and in the database) so
communication with all parties that
are involved can be initiated and how can it be recognised.

Would it be enough to run some script every day for example ?

I hope this is going to be a good year for everyone,
Leen Besselink.

 Thanks,
 = Matt

 On Jan 6, 2011, at 10:13, bert hubert wrote:

 Dear PowerDNS Community,

 With the help of many of you, we've now brought 'PowerDNSSEC' to the point
 where it might make sense for you to trial it on test domains.  We expect to
 make move some of our own important domains over to PowerDNSSEC early next
 week. PowerDNS.COM underlies the commercial DNS hosting service 'Express',
 and may have to wait a bit longer.

 To test, head over to http://www.powerdnssec.org (which of course is powered
 by PowerDNSSEC). More information is on
 http://wiki.powerdns.com/trac/wiki/PDNSSEC - including how to get started,
 and how to get help.

 In brief, PowerDNSSEC will allow you to continue operating as normal in many
 cases, with only slight changes to your installation. There is no need to
 run signing tools, nor is there a need to rotate keys or run scripts.

 Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic
 SQLite3, you should have an easy time. A small schema update is required,
 plus an invocation of 'pdnssec secure-zone domain-name && pdnssec
 rectify-zone domain-name' per domain you want to secure. And that should be
 it.

 Supported are:
 * NSEC
 * NSEC3 in ordered mode (pre-hashed records)
 * NSEC3 in narrow mode (unmodified records)
 * Zone transfers (for NSEC)
 * Import of 'standard' private keys from BIND/NSD
 * Export of 'standard' private keys
 * RSASHA1
 * Pure PostgreSQL, SQLite3 & MySQL operations
 * Hybrid BIND
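
Added example for the DS question in this thread (not PowerDNSSEC or OpenDNSSEC code): the part of "when is the new DS known and how can it be recognised" that is deterministic. RFC 4034 fixes both the key tag (appendix B, for algorithms other than 1) and the DS digest (SHA-256 over the owner name in wire format followed by the DNSKEY RDATA, for digest type 2), so a daily script, or whatever feeds an EPP client, can compute the DS set from the child's current DNSKEYs and diff it against the DS set the parent serves. The DNSKEY and the stale parent DS used here are constructed (a real public key is hundreds of bytes); the functions are the real computations.

```python
"""Compute the DS a parent should hold from the child's DNSKEY and
compare it with what the parent publishes.

Added example, not PowerDNSSEC code. Key material is constructed.
"""
import hashlib

def name_to_wire(name):
    """Owner name in DNS wire format (length-prefixed labels, root byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """RFC 4034 appendix B key tag (for algorithms other than 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, pubkey):
    """Return (key_tag, algorithm, digest_type, hex_digest) for a SHA-256 DS."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def parent_needs_update(child_ds, parent_ds):
    """Return (missing_at_parent, stale_at_parent): DS tuples to add and remove."""
    child, parent = set(child_ds), set(parent_ds)
    return sorted(child - parent), sorted(parent - child)

# Constructed: a tiny fake KSK (flags 257 = zone key + SEP, protocol 3, RSASHA256).
OWNER = "example.test."
KSK = dict(flags=257, protocol=3, algorithm=8, pubkey=bytes([1, 2, 3, 4]))

def demo():
    """DS for the constructed key, and the diff against a constructed stale parent DS."""
    ds = ds_record(OWNER, **KSK)
    old_ds = (4242, 8, 2, "00" * 32)       # constructed: what the parent still has
    return ds, parent_needs_update([ds], [old_ds])

if __name__ == "__main__":
    ds, (add, remove) = demo()
    print("child DS:", ds)
    print("add at parent:", add)
    print("remove from parent:", remove)
```

A non-empty "add" list is the signal that the parent has to be told about a new DS; a non-empty "remove" list is the old DS you can only withdraw after the new one has been published at the parent for longer than its TTL and the old key is no longer signing.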

Re: [Pdns-users] Recursor / pdns installation help

2010-12-23 Thread Leen Besselink
Hello Patrick,
 Each of my dns servers runs pdns and each has a slave copy of the
 master pdns mysql database and in turn each server looks up the dns
 locally via mysql.  This has been working great for 2 years.

 The problem each server is running pdns which has a DOS vulnerability.
 which is why I am upgrading to implement recursor.
 n...@mydomain.com - on server 1
 n...@mydomain.com - on server 2
 n...@mydomain.com - on server 3
 n...@mydomain.com - on server 4

Sounds like you are trying to solve this problem the wrong way.

A recursor can not act as an authoritative server for a domain; when
serving domains, you need an authoritative server like pdns (for example:
bind may combine the 2 functions into one server, but it can also by
default not be authoritative for domains it does not have the data for).

If you are worried about mysql being too slow to handle a DOS attack, you
should eliminate the database on (some of) the public servers:

1. you should use something like the bind-zone file backend (files on
disk, instead of database) on those servers, that should be the fastest

2. those servers would be slave servers, the server with the database is
the master server

I thought I could recommend superslave operation where new domains are
automatically recognised and added, but it seems like that is not
supported on the file backend.

Bert: it looks like the option exists in the code, but it is not in the
documentation on http://doc.powerdns.com/ ?:

supermaster-config: Location of (part of) named.conf where pdns can
write zone-statements to
supermasters: List of IP-addresses of supermasters
supermaster-destdir: Destination directory for newly added slave zones

PS with superslaves, domains are not deleted, you should create a script
for that.

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Recursor / pdns installation help

2010-12-21 Thread Leen Besselink
On 12/21/2010 03:03 AM, Patrick Coffin wrote:
 Hi,

 This is the first time posting to this board. If I am posting to the
 wrong list, sorry, and please advise where I should post this request
 for assistance.

 We are setting up a new installation of pdns and recursor.

 We have been running pdns for a couple years without issue. I am
 attempting to implement recursor and pdns to avoid a potential DOS
 attack and pass security compliance, which under the current version I
 am running will not pass.

 Currently we have 3 servers running pdns 2.9.22 in a Centos 5.5
 environment. Each with their own mysql slave db. All works great
 except for the DOS issue.

 I setup a new testing server with pdns 2.9.21 and recursor 3.3 also a
 Centos 5.5 box and I now pass security compliance, but am not getting
 the expected responses on DNS queries.

 I setup recursor to respond on port 53 and pdns to respond on 5300.

 recursor.conf entries
 # forward-zones=
 forward-zones=x.x.x.x:5300

Hi,

I'm not quite sure what you are trying to do, but I think forward-zones
needs 1 or more domain names:

http://doc.powerdns.com/built-in-recursor.html#RECURSOR-SETTINGS

If it is just a few (or just the important) domains, that would work. If
it is an ever-changing 1000's, then this is not what you are looking for.

If security is your concern, it is normally not recommended to mix your
recursor with your authoritative nameserver on the same IP-address anyway.
So I suggest you don't.

But if you really want to, you can have pdns check the database first
before trying to resolve the request recursively; in that case you swap
them around (pdns on port 53 and pdns-recursor on port 5300) and use
these settings:

recursor=
allow-recursion=

http://doc.powerdns.com/all-settings.html

Hope that helps.

Have a nice day,
 Leen.

 local-port=53

 pdns.conf entries
 local-address=x.x.x.x
 local-port=5300

 If I query on a domain using dig I get the following error.
 dig mytestdomain.com @ns5

 --
 ; <<>> DiG 9.6.0-APPLE-P2 <<>> mytestdomain.com @ns5
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18559
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

 ;; QUESTION SECTION:
 ;mytestdomain.com.		IN	A

 ;; Query time: 6 msec
 ;; SERVER: 209.3.87.44#53(209.3.87.44)
 ;; WHEN: Mon Dec 20 17:55:34 2010
 ;; MSG SIZE  rcvd: 28
 --

 logs output:
 Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Resolved 'mytestdomain.com.' NS ns5.mydomain. to: xx.xx.xx.xx
 Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Trying IP xx.xx.xx.xx:53, asking 'mytestdomain.com.|A'
 Dec 20 17:43:25 xx pdns_recursor[9187]: 0 question answered from packet cache from xx.xx.xx.xx
 Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Got 0 answers from ns5.mydomain.net. (xx.xx.xx.xx), rcode=0, in 3ms
 Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: determining status after receiving this packet
 Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: status=noerror, other types may exist, but we are done
 Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Starting additional processing
 Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com.: Done with additional processing
 Dec 20 17:43:25 xx pdns_recursor[9187]: 0 [3] answer to question 'mytestdomain.com.|A': 0 answers, 0 additional, took 6 packets, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
 Dec 20 17:43:59 xx pdns_recursor[9187]: 1 question answered from packet cache from xx.xx.xx.xx

 It looks as if it is trying the local dns server on 53, but it is not
 getting a reply.  Also I do not see any queries hitting the database.

 If any additional information is needed, LMK

 Any help would be appreciated.

 Thanks,

 Patrick






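The misconfiguration in the quoted recursor.conf (a forward-zones entry that names a server but no zone) is easy to catch mechanically. The following is an added example, not code from this thread or from PowerDNS: it strips comments and blank lines the way `grep -v '^#' recursor.conf | grep -v '^$'` would, then checks each forward-zones entry against the documented 'zone=address[:port]' shape. The sample config, the zone names and the 192.0.2.10 address are constructed; IPv4 servers only are assumed.

```python
"""Validate the forward-zones setting of a PowerDNS Recursor config.

Added example (not from the thread or from PowerDNS). Assumed entry format,
per the recursor settings documentation the thread links to:
    forward-zones=zone1=ip[:port], zone2=ip[:port], ...
An entry with no 'zone=' part, such as the thread's
'forward-zones=x.x.x.x:5300', forwards nothing and is flagged. IPv4 only.
"""
import ipaddress

# Constructed sample mirroring the thread's setup: the first entry lacks a
# zone name; the other two forward a zone and its reverse block to an
# authoritative server listening on port 5300.
SAMPLE_CONF = """\
# recursor.conf (constructed sample)
local-port=53
# forward-zones=
forward-zones=192.0.2.10:5300, example.com=192.0.2.10:5300, 2.0.192.in-addr.arpa=192.0.2.10:5300
"""


def effective_lines(text):
    """Drop comments and blank lines: grep -v '^#' | grep -v '^$'."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def settings(text):
    """Map setting name -> raw value; a later line overrides an earlier one."""
    out = {}
    for ln in effective_lines(text):
        key, _, value = ln.partition("=")
        out[key.strip()] = value.strip()
    return out


def parse_forward_zones(value):
    """Return (entries, problems): entries are (zone, ip, port) tuples."""
    entries, problems = [], []
    for raw in (e.strip() for e in value.split(",")):
        if not raw:
            continue
        zone, sep, server = raw.partition("=")
        zone = zone.strip().rstrip(".").lower()
        if not sep or not zone:
            problems.append(f"{raw!r}: no zone name before '=' (nothing is forwarded)")
            continue
        host, port = server.strip(), 53
        if ":" in host:
            host, port_text = host.rsplit(":", 1)
            if not port_text.isdigit() or not 0 < int(port_text) < 65536:
                problems.append(f"{raw!r}: bad port {port_text!r}")
                continue
            port = int(port_text)
        try:
            ip = str(ipaddress.IPv4Address(host))
        except ValueError:
            problems.append(f"{raw!r}: {host!r} is not an IPv4 address")
            continue
        entries.append((zone, ip, port))
    return entries, problems


def check_config(text):
    """Parse a config and return its forward-zones entries plus the list of
    problems found (an empty list means the setting is clean)."""
    conf = settings(text)
    if "forward-zones" not in conf:
        return [], ["forward-zones is not set"]
    return parse_forward_zones(conf["forward-zones"])


if __name__ == "__main__":
    entries, problems = check_config(SAMPLE_CONF)
    for zone, ip, port in entries:
        print(f"forward {zone} -> {ip}:{port}")
    for p in problems:
        print("problem:", p)
```

Run against the sample it reports the zone-less entry as a problem and lists the two usable forwards, including the reverse block, which the later reply in this thread recommends forwarding as well.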


Re: [Pdns-users] Recursor / pdns installation help

2010-12-21 Thread Leen Besselink
On 12/21/2010 09:09 PM, Patrick Coffin wrote:
 Leen,

 Thanks for the reply.  We are hosting 1000's of dns records so
 entering them in the forwards is not an option.

 I will take your advice to split the pdns and recursor to separate
 servers.

 Should I expect that if I move the pdns to a separate server that the
 lookups will work correctly with the information I have given?  I
 would move pdns back to port 53 and keep it connected to mysql for
 lookups.

 I would like it to be set up so that recursor queries the pdns server and
 database if we are authoritative for the domain. Otherwise recursor
 should look to the authoritative server for the answer.


If the pdns server is authoritative for the domain, every recursor in the
world will look at your pdns server when it wants to ask about that
domain. Because the root and TLD will point them to your pdns server.

Thus so will your own recursor.

I suggest you set up a few domains in your recursor to point to your
pdns for the domains. The few domains you use internally (don't forget
your reverse DNS blocks).

Just in case you lose connectivity to the outside world and the external
root/TLD-servers can't be reached.

 Is there another resource that I can reference for this setup?  I
 believe I am just missing one or two pieces to get it working properly.


Well, I hope the above makes sense to you. At least if that is the setup
you want then it should not need any other configuration than what I
mentioned above.

 I appreciate the help!

 Thanks,
 Patrick





Re: [Pdns-users] pdns and Windows DNS integration

2010-08-21 Thread Leen Besselink

On 08/21/2010 08:30 PM, Vishal Uderani wrote:


Hey ,



Hi Vishal,


I've managed to get a standalone installation of pdns Authoritative 
server up and running with a mysql backend and poweradmin interface. 
However, I haven't found a single mention of a pdns installation 
integrating with a Windows DNS Server. Let me elaborate further:


We have a bunch of devs who would like to create/modify/delete records 
and zones in our internal DNS server (Active Directory Integrated) 
without them having to access the server itself, so giving them an 
interface that does the above made sense. My pdns installation is on 
Linux. I came across the pdns-ldap backend but that's somehow not 
worked out for me. After compiling with --with-modules=ldap and 
making sure my pdns.conf pointed to the correct basedn, I was unable 
to pull down any of the zones from my Win DNS to my db (assuming 
that's what it does). I would really appreciate it if anyone could 
provide me any info or send me along the correct track here. Awaiting 
your prompt response.




No, that is not what it does.

The LDAP-backend, like the MySQL-backend, does not copy anything 
(unless it's a slave-server, in which case powerdns copies data); it is a 
database where zones exist which are queried when a client asks for a 
record.


I don't know if you can use these 2 backends at the same time.

Normally the easiest way to deal with separate (authoritative) nameservers 
is to use separate zones. So one nameserver has a zone: company.tld and 
another nameserver has a sub-zone: other.company.tld


You set up company.tld to point other.company.tld to the other 
nameserver(s) by creating an NS-record with the IP-address of the other 
nameserver.


That way a 'resolving nameserver' will know it should query another 
authoritative nameserver for the other zone and there is no need to copy 
anything.



--

Regards ,

Vishal Uderani






Re: [Pdns-users] PTRs and SQL queries,, autoserial?

2010-07-30 Thread Leen Besselink

On 07/29/2010 11:47 PM, Jared Watkins wrote:
I’m new to pdns.. and I’ve read the docs and seen how PTR records are 
supposed to be setup but I can’t get reverse lookups to work.. nor can 
I see from the default sql queries how they would ever be found. So I 
assume I’m missing something. =]


I’m also not clear on whether the generic mysql backend supports auto 
serials (conflicting info in the docs) or how that is to be implemented.


When I attempt a reverse lookup for an internal test IP I see the 
following queries get run against the mysql server..


select content,ttl,prio,type,domain_id,name from records where 
name='192.168.103.32'
select content,ttl,prio,type,domain_id,name from records where 
name='*.168.103.32'
select content,ttl,prio,type,domain_id,name from records where 
name='*.103.32'

select content,ttl,prio,type,domain_id,name from records where name='*.32'

I fail to see how this will ever match the format of the PTR recs I’ve 
seen suggested as name,type,content:


32.103.168.92.in-addr.arpa PTR testserver.test.net

I do have a reverse domain defined in the domains table.. but I don’t 
see that it ever gets queried.




Hi,

euh..., Jared, maybe I'm wrong, but do you know how to do a reverse lookup ?

This is normally what you would do:

dig @serverip -x 192.168.103.32

(I think Mac OS X, which you seem to be using judging by your 
e-mail-client, has the 'dig' command)


it will send a PTR-query for: 32.103.168.92.in-addr.arpa

which should result in a database-query for:

select content,ttl,prio,type,domain_id,name from records where 
name='32.103.168.92.in-addr.arpa'


Hope that helps.

Have a good day,
Leen.


What’s going sideways here?

Thanks,
Jared




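What `dig -x` does before it sends anything, and the exact-then-wildcard `name=` sequence visible in the MySQL query log above, are both short enough to show in code. The following is an added example, not code from this thread or from PowerDNS: reverse_name() builds the in-addr.arpa (or ip6.arpa) owner name from an address, lookup_chain() reproduces the lookup order the log shows (a simplified model of the backend's wildcard search), and a constructed in-memory records table stands in for the gmysql `records` table. The zone, the host names and the serial in that table are made up for the example.

```python
"""Reverse lookups: from an IP address to the PTR owner name, and the
exact-then-wildcard name lookups the thread's MySQL query log shows.

Added example, not code from the thread or from PowerDNS. reverse_name()
does what 'dig -x' does before sending the query (RFC 1035 in-addr.arpa /
RFC 3596 ip6.arpa naming). lookup_chain() reproduces the 'name=' sequence
from the thread's log (exact name, then '*.<rest>' for each shorter suffix);
it is a simplified model of the backend's wildcard search. The records table
is a constructed in-memory sample.
"""
import ipaddress


def reverse_name(ip):
    """'192.168.103.32' -> '32.103.168.192.in-addr.arpa'; an IPv6 address
    gives the nibble-reversed ip6.arpa name. ipaddress computes this."""
    return ipaddress.ip_address(ip).reverse_pointer


def lookup_chain(qname):
    """Names tried for a question, in the order of the thread's query log:
    the exact name, then one wildcard per remaining suffix."""
    labels = qname.rstrip(".").split(".")
    chain = [".".join(labels)]
    for i in range(1, len(labels)):
        chain.append("*." + ".".join(labels[i:]))
    return chain


# Constructed sample of a gmysql 'records' table: (name, type, content).
SAMPLE_RECORDS = [
    ("103.168.192.in-addr.arpa", "SOA",
     "ns1.test.net hostmaster.test.net 2010073001 10800 3600 604800 3600"),
    ("103.168.192.in-addr.arpa", "NS", "ns1.test.net"),
    ("32.103.168.192.in-addr.arpa", "PTR", "testserver.test.net"),
    ("*.103.168.192.in-addr.arpa", "PTR", "unassigned.test.net"),
]


def resolve(records, qname, qtype):
    """Walk the lookup chain; return (matched name, [contents]) for the first
    name that has records of the requested type, or (None, []) if none has."""
    for candidate in lookup_chain(qname):
        hits = [content for name, rtype, content in records
                if name == candidate and rtype == qtype]
        if hits:
            return candidate, hits
    return None, []


def resolve_ptr(records, ip):
    """What a PTR question for an address resolves to in the sample table."""
    return resolve(records, reverse_name(ip), "PTR")


if __name__ == "__main__":
    ip = "192.168.103.32"
    print("dig -x", ip, "asks for", reverse_name(ip))
    print("backend tries:", lookup_chain(reverse_name(ip)))
    print("answer:", resolve_ptr(SAMPLE_RECORDS, ip))
    # Asking for the bare IP as a name, as in the thread's log, finds nothing:
    print("bare IP as name:", resolve(SAMPLE_RECORDS, ip, "PTR"))
```

The last line of the demo is the point of the thread: a question for the literal name `192.168.103.32` walks `*.168.103.32`, `*.103.32`, `*.32` and never reaches the in-addr.arpa name where the PTR record lives, so the reverse domain in the `domains` table is never consulted.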


Re: [Pdns-users] PowerDNSSEC

2010-06-25 Thread Leen Besselink

On 06/24/2010 03:08 PM, Michael Braunoeder wrote:

Hi,


Hi,

I'm currently evaluating the PowerDNSSEC implementation and found 2 
issues:




As no person who is more knowledgeable answered your question, I 
thought I would answer with what I know.


-) Is it possible to disable the signing-on-demand feature? I want the 
powerdns to act as slave to a hidden-master which does the signing of 
the domain, and the powerdns should just serve the signed zone 
(without any resigning and without access to the Keys).




Disabling the 'signing-on-demand' feature has been discussed on this 
mailinglist before; the answer was: it will be optional in a future version.


-) I tried the PostgreSQL-Backend, but I always received the 
following error message: TCP server is unable to launch backends - 
will try again when questions come in: Undefined but needed argument: 
'gpgsql-dnssec'. What is the format of the missing 
'gpgsql-dnssec'-Parameter I've to add?




I like your choice of database, but I don't have any information on the 
current state of this or any other backend in combination with DNSSEC, 
other than I've used the 'bind-backend' (text-file). I do know that 
every database backend needs to implement some basic extra functions 
before it can work with DNSSEC.


That information can be found here:

http://wiki.powerdns.com/trac/wiki/PDNSSEC/backends

As linked from: http://wiki.powerdns.com/trac/wiki/PDNSSEC

But I did see on that page it says:

Things to be aware of Only BIND and Generic MySQL (gmysql) backend 
right now


It's also the same page that mentions:

Next

The completely live & auto-signing nature of PowerDNSSEC is not what 
everyone wants. Other DNSSEC modes will be added soon.



Best,
Michael





Re: [Pdns-users] PDNS Recursor and reverse lookup

2010-06-16 Thread Leen Besselink

On 06/16/2010 10:34 AM, Uroš Gruber wrote:

Hi,



Hello Uroš,


here is result from one of IP

[r...@host1 ~]#dig @91.185.194.202 118.167.130.182



I think you might have a mistake there.

The proper command with dig would be (-x is for reverse address lookup):

dig @91.185.194.202 -x 118.167.130.182

; <<>> DiG 9.4.3-P2 <<>> @91.185.194.202 118.167.130.182

; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7121
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;118.167.130.182. IN A



As you can see above it does an A-record query, not a PTR-record 
(reverse address) query.



;; AUTHORITY SECTION:
. 10774 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010061600 1800 900 604800 86400


;; Query time: 0 msec
;; SERVER: 91.185.194.202#53(91.185.194.202)
;; WHEN: Wed Jun 16 10:31:49 2010
;; MSG SIZE  rcvd: 108

[r...@host1 ~]#dig @91.185.194.206 118.167.130.182

; <<>> DiG 9.4.3-P2 <<>> @91.185.194.206 118.167.130.182

; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached
[r...@host1 ~]#host  118.167.130.182 91.185.194.202
Using domain server:
Name: 91.185.194.202
Address: 91.185.194.202#53
Aliases:

182.130.167.118.in-addr.arpa domain name pointer 118-167-130-182.dynamic.hinet.net.

[r...@host1 ~]#host  118.167.130.182 91.185.194.206
;; connection timed out; no servers could be reached



I'm really surprised this does not work. I've never seen that happen.

Normally PowerDNS works just fine with that.

Did you make any 'forward-zones' settings?

I would look at these settings first:

allow-from

Comma separated netmasks (both IPv4 and IPv6) that are allowed to 
use the server. The default allows access only from RFC 1918 private IP 
addresses, like 10.0.0.0/8. Due to the aggressive nature of the internet 
these days, it is highly recommended to not open up the recursor for the 
entire internet. Questions from IP addresses not listed here are ignored 
and do not get an answer.

allow-from-file

Like allow-from, except reading from file. Overrides the 
'allow-from' setting. To use this feature, supply one netmask per line, 
with optional comments preceded by a #. Available since 3.1.5.


As it seems you didn't get any answer at all.

Maybe you could send us the output of the following command:

grep -v '^#' recursor.conf | grep -v '^$'

that way we can see what settings you've used.


One thing I didn't quite understand is that bind have root.hint file 
but powerdns does not. Could this be a problem?




There is a default root.hint built-in; you can specify 'your own' with 
the 'hint-file' option.



regards



Hope this helps,
Leen.


Uros

On Wed, Jun 16, 2010 at 10:14 AM, bert.hub...@netherlabs.nl wrote:


Can you show your exact dig command line and the result from
powerdns and bind?

This is all supposed to work :)

Sent from my phone.

- Reply message -
From: Uroš Gruber uros.gru...@gmail.com
Date: Wed, Jun 16, 2010 10:01
Subject: [Pdns-users] PDNS Recursor and reverse lookup
To: pdns-users@mailman.powerdns.com

Hi,

I've set up pdns_recursor and everything works as expected except
one thing. dig-ing reverse lookups returns nothing. With bind i
have no such problems. I've tested a bunch of IPs and I didn't get
any answers.

Is this normal and pdns_recursor does not support this or there is
a secret setting I need to enable.

I'm using latest PDNS_recursor on FreeBSD and i only set local-ip
in config.

regards

Uros





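The allow-from check Leen points to first is worth being able to run against a config before anything else, because a client outside every netmask gets no answer at all, which from the client side looks exactly like the 'connection timed out' in the quoted transcript. The following is an added example, not code from this thread or from PowerDNS: it applies the allow-from / allow-from-file semantics as the documentation quoted above describes them to a list of client addresses. The RFC 1918 default list is reconstructed from that docs text, and the client addresses and the lab file are constructed.

```python
"""Audit a PowerDNS Recursor 'allow-from' / 'allow-from-file' ACL.

Added example, not code from the thread or from PowerDNS. Semantics are taken
from the documentation quoted in the thread: comma separated IPv4/IPv6
netmasks; questions from addresses outside all of them get no answer at all
(a client sees a timeout); allow-from-file overrides allow-from, with one
netmask per line and '#' comments. The default list and the client
addresses below are constructed for the example.
"""
import ipaddress

# Constructed from the docs text quoted in the thread ("RFC 1918 private IP
# addresses, like 10.0.0.0/8"); not copied from the recursor's source.
RFC1918_DEFAULT = "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"


def parse_netmasks(value):
    """allow-from value -> list of ip_network objects (both IP versions)."""
    return [ipaddress.ip_network(item, strict=False)
            for item in value.replace(",", " ").split()]


def parse_allow_from_file(text):
    """allow-from-file contents: one netmask per line, '#' starts a comment."""
    masks = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            masks.append(line)
    return parse_netmasks(" ".join(masks))


def effective_acl(allow_from, allow_from_file_text=None):
    """allow-from-file, when present, replaces allow-from entirely."""
    if allow_from_file_text is not None:
        return parse_allow_from_file(allow_from_file_text)
    return parse_netmasks(allow_from)


def is_allowed(acl, client_ip):
    """True if the recursor would answer a question from client_ip.
    (ipaddress never matches an IPv4 address against an IPv6 network.)"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in acl)


def audit(acl, clients):
    """Map each client address to 'answered' or 'ignored' (silent drop)."""
    return {c: ("answered" if is_allowed(acl, c) else "ignored") for c in clients}


if __name__ == "__main__":
    acl = effective_acl(RFC1918_DEFAULT)
    # Constructed clients: an internal host and a host on the public internet.
    print(audit(acl, ["192.168.10.5", "203.0.113.7"]))
    # A constructed allow-from-file: note it replaces the default list, so
    # 192.168.10.5 is no longer answered once the file is in use.
    lab = "# lab networks\n10.0.0.0/8\n2001:db8::/32  # IPv6 lab\n"
    print(audit(effective_acl(RFC1918_DEFAULT, lab), ["192.168.10.5", "2001:db8::1"]))
```

The second run shows the override the docs warn about: once allow-from-file is set, only the networks in the file count, so a recursor that previously answered 192.168.0.0/16 clients silently stops doing so if the file omits that block.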


Re: [Pdns-users] Possible tcp listener issue

2010-03-25 Thread Leen Besselink

On 03/25/2010 05:54 PM, Laurent Papier wrote:

On Thu, 25 Mar 2010 15:51:29 +
Simon Bedford sbedf...@plus.net wrote:


Guys,

We have upgraded our customer caching name servers to pdns recursor 3.2
(which is working very well), this has now been running for 4 days but
in the last 24 hours we have seen the tcp listener stop answering
queries on 2 seperate servers.  Our monitoring servers flag this up for
us and restarting the recursor fixes it.

Now I know tcp isn't used that much but I was wondering if anyone else
has experienced this, due to the size of the logs we would generate we
have the quiet option set to yes in the config so only get basic logging
(which showed nothing out of the ordinary).

Hi,
I have also upgraded to pdns recursor 3.2 yesterday. And today, I have a strange
problem on some of my systems. It seems be related to tcp DNS as the only thing
that stopped working is using tcp dns queries. The rest of the system worked
fine.

I have restarted pdns recursor and it fixes the problem.

I will do further testing if the problem happens again.


Hello Simon and Laurent,

Now I don't know anything about this issue specifically, but it's customary
to provide some extra information when reporting bugs, what OS and
OS version are you using for example ?

Did you download a Linux-distribution binary ? What kernel version are
you using ?

Or did you build from an updated BSD-ports. Did you do your own build ?
If so, what compiler did you use ? And so on.

Some information would be better than no information. :-)

Just so you know.

Have a nice day,
Leen.



Re: [Pdns-users] lazy-recursion

2010-03-04 Thread Leen Besselink

(First of all: I'm not a PowerDNS-developer, so I might be wrong)

On 03/04/2010 10:01 AM, Liong Kok Foo wrote:
Hmm...I read the docs on recursion again (which I already read a few 
times) and somehow this time I got it.


I added google's dns server 8.8.8.8 into the recursor and now external 
recursion works.


There must be a reason why this is off by default. Potential security 
issues?




Because it's easier to detect mistakes if you keep it separate.

It's just good practice to separate your recursor and authoritative 
server, people should just learn to do that.


Performance might be another reason. Also you remove a dependency: what 
if your recursor doesn't answer for
something, then the authoritative server doesn't answer quickly either 
(does it do CNAME lookups recursively?).


What if something is wrong with your authoritative server? If you have 
your authoritative server in
your /etc/resolv.conf as your recursor, you don't get any 
recursive queries resolved either.



If this method works, why is there need for pdns's own recursor server?



1. Because people/companies don't want to depend on others (in your case 
Google).
2. Because by some accounts, it's the fastest open source recursor 
available. It's also pretty secure.



Thanks.


On 3/4/2010 4:38 PM, none wrote:

Basically it checks local data first before recursing to external
nameserver, and you should turn this off. About turning lazy-recursion
off doesn't lower amount av log enterys, actually it doesn't have any
effect at all.
You can read the docs here http://doc.powerdns.com/recursion.html




Re: [Pdns-users] Using root-referral

2010-01-29 Thread Leen Besselink

On 01/29/2010 03:30 PM, Joyce LAMBERT wrote:
I am using the option send-root-referral=lean (or yes) in my powerdns 
authoritative server.




First the important question: why do you want to send a root-referral?

send-root-referral | --send-root-referral=yes | --send-root-referral=no 
| --send-root-referral=lean


   If set, PowerDNS will send out old-fashioned root-referrals when
   queried for domains for which it is not authoritative. Wastes some
   bandwidth but may solve incoming query floods if domains are
   delegated to you for which you are not authoritative, but which are
   queried by broken recursors. Available since 2.9.19.

   Since 2.9.21, it is possible to specify 'lean' root referrals, which
   waste less bandwidth.

You usually don't need it.


This server isn't recursive.

When my server needs to reply with a CNAME where we are not authoritative 
for the destination, the server adds the root servers in the authority 
section, and their IP addresses in the additional section.


Often this reply can't fit in a UDP packet and needs a TCP reply.

When I analyse traffic with tcpdump and wireshark I can find
[Malformed Packet: DNS]

For most resolvers, this is not a problem, and communication continues 
in TCP


But it looks like some other resolvers (or firewalls) stop on this 
Malformed Packet and resolution can't finish.
But only with PowerDNS authoritative server. With others, this type of 
resolver can switch to TCP



One solution is to reduce the number of root servers we send in the 
authority and additional sections to limit the packet size.

This can't be done in the configuration file and needs a patch to the source files.

Do you know this problem, and is there any other solution?






Re: [Pdns-users] new server, can't make it authoritative for some reason

2009-07-25 Thread Leen Besselink
root wrote:
 Hello all,
 

Hi,


 how can I achieve this? what do I need to set up/configure?
 

If you read question 3 in the FAQ:
http://doc.powerdns.com/pdns-users-faq.html

You might find you don't need it.

Hope that helps.

Have a nice day,
Leen.



Re: [Pdns-users] PowerDNS DNSSEC!

2009-07-15 Thread Leen Besselink
On Thu, Jul 16, 2009 at 03:08:33AM +1000, Duane at e164 dot org wrote:
 Stephane Bortzmeyer wrote:

Hi Duane and Stephane,

  On Wed, Jul 15, 2009 at 02:59:58AM +1000,
   Duane at e164 dot org du...@e164.org wrote 
   a message of 62 lines which said:
  
  On the other hand do you know of any exciting development with DNScurve?
  
  What's the relationship? DNSSEC secures the data, DNScurve the channel
  (like TLS, IPsec, TSIG, etc). So, DNScurve is not a replacement for
  DNSSEC, for instance, it does not protect against a rogue resolver (or
  secondary name server).
 
 DNSSEC doesn't provide privacy, DNScurve is supposed to provide both
 verification and privacy, but since there is no implementation there has
 been little discussion on it which is unfortunate.
 
 Just like there is a lot of reasons for privacy of web sessions the
 powers that be don't want to offer users the same privacy for their DNS
 requests.
 
 Reasons for not wanting to offer privacy included acknowledging that
 various governments would oppose it and DNSSEC specifically has no
 potential for privacy in the specs.
 
 That said, since DNSSEC does involve crypto for signing, the same tech
 could in theory be used for privacy, and that annoys/scares whatever
 govt agencies and is one potential reason why any sort of DNS crypto has
 taken this long to get to this point.
 

My guess is, that would be the US-government ? I know the other governments
also had something else to complain about, the signing of the root and the
agency that is allowed to do so.

Because alternative roots are not (easily) possible with DNSSEC I presume.

I guess you could only make a signed copy or unsigned alt. root.

 -- 
 
 Best regards,
  Duane
 
 http://www.freeauth.org - Enterprise Two Factor Authentication
 http://www.nodedb.com - Think globally, network locally
 http://www.sydneywireless.com - Telecommunications Freedom
 http://e164.org - Global Communication for the 21st Century
 
 In the long run the pessimist may be proved right,
 but the optimist has a better time on the trip.
 

_
New things are always on the horizon.


Re: [Pdns-users] Multiple IP?

2009-07-11 Thread Leen Besselink
SoloUnAltroNick wrote:
 Hi,
 
 on my server i have 2 network interfaces.
 
 With the default option:
 
 local-address=0.0.0.0
 
 Server doesn't respond. And in the documentation, it's written that this
 value so configured make PDNS listening on all interfaces.
 
 If i set it with my 2 IP (so all interfaces) it works.
 
 Any idea?
 
 Thankyou
 
 

Hi SoloUnAltroNick,

It actually says for the authoritative nameserver:

local-address=...

Local IP address to which we bind. You can specify multiple addresses separated 
by commas or whitespace.

It is highly advised to bind to specific interfaces and not use the default 
'bind to any'. This causes
big problems if you have multiple IP addresses. Unix does not provide a way of 
figuring out what IP
address a packet was sent to when binding to any.

http://docs.powerdns.com/all-settings.html

So my guess is the default IP-address (default gateway) works, but the other one 
doesn't if you use 0.0.0.0.

If you are using the recursor, I guess the same thing applies and maybe the 
documentation should be enhanced.

Hope that answers your question

 
 
 
 



Re: [Pdns-users] PDNS Recursor compile errors on g++ 4.4.0

2009-07-05 Thread Leen Besselink
Roger Libiez wrote:
 pdns_recursor.cc: In function void startDoResolve(void*):
 pdns_recursor.cc:669: error: reference to exception is ambiguous
 /usr/include/boost/exception/exception.hpp:177: error: candidates are:
 class boost::exception
 /usr/lib/gcc/x86_64-redhat-linux/4.4.0/../../../../include/c++/4.4.0/exception:60:
 error: class std::exception
 pdns_recursor.cc:669: error: expected type-specifier before exception
 pdns_recursor.cc:669: error: expected ) before  token
 pdns_recursor.cc:669: error: expected { before  token
 pdns_recursor.cc:669: error: e was not declared in this scope
 pdns_recursor.cc:669: error: expected ; before ) token
 pdns_recursor.cc:672: error: expected primary-expression before catch
 pdns_recursor.cc:672: error: expected ; before catch
 
 The above is displayed when attempting to compile on a server where g++
 4.4.0 is the only available compiler. Downgrading the compiler is not an
 option. What's the correct fix for these? There are quite a few of them
 in various different spots in that module.
 

Hi Roger,

What version of PowerDNS-recursor and what version of Boost are you using ?:

I'm no expert, but I wouldn't be surprised if a newer Boost library solved the 
problem.

Atleast that's what my gut instinct told me, a quick Google search was much 
more useful.

I think you might need to add:

#include <cstdio>

to misc.hh

http://cvs.fedora.redhat.com/viewvc/devel/pdns-recursor/pdns-recursor-gcc44.patch?revision=1.1view=markup

Hope that helps.

Have a nice day,
Leen Besselink.


Re: [Pdns-users] Difficulty changing nameservers on domain registar's site

2009-07-02 Thread Leen Besselink
On Thu, Jul 02, 2009 at 06:15:44PM +0300, Jani Karlsson wrote:
 Hi,
 
 Your problem is with SOA DNS-record:
 The given nameservers return different SOA entries.
 
 So either your SOA serial, data or TTL differs between servers. Or it is 
 just that the other server doesn't respond to SOA requests, which makes the 
 SOA check fail, even though the problem is not with the SOA but with the 
 nameserver not responding (a common GoDaddy error: it blames the SOA as missing 
 or faulty when actually the problem is that the nameserver isn't responding).
 
 I hope this clears things a bit.
 

Hi SashaB,

If you want to lookup the SOA-record of a domain, you could use the 'dig'
command:

dig @nameserver domain.tld SOA

But if those are not the same, maybe the domain-zone is not a copy of the
zone on the other nameserver, which is asking for trouble if it's not just
a version difference.

 Cheers,
 
 Jani Karlsson
 
 
 SashaB wrote:
 Ken,
 
 I'm not sure what you mean. For example, so we didn't have to enter 
 different NS for 50 domains, I registered a domain name specifically for 
 use with NS (that is their sole purpose) and I've set up NS for multiple 
 website domain names that are identical--kinda like a webhosting company 
 does? There are four NS on two different servers at two datacenters in 
 different parts of a region (for which I haven't mirrored or set up 
 round-robin yet, though I intend to do so--and research shows I can on 
 pdns). Actually, two of the NS point to the same IP address as does the 
 one in question and several other NS point to that IP, too. All serve 
 different content--blogs, websites, web interfaces for pdns, web guis for 
 various applications, webmail servers--just fine.
 
 This works, in part, because the actual content is served, in most 
 cases, though not all, from an entirely different IP addresses from the 
 NS IP addresses (and the virtual host settings on apache reflect that). 
 Yet, we have no problem reaching any of that content, even where the NS 
 IP address are shared with content-serving hostnames rather than 
 dedicated only to doing NS resolution like other IP addresses. Again, 
 domain resolution isn't only about the nameservers--it's about the hosts 
 and host.conf files, as well as whatever backends we use, too. (There 
 are some other factors, like resolvers, but you get my point.)
 
 So, as I explained, my mail/webmail NS are on different IP addresses 
 under its domain name from the content the webmail server and mail 
 server 'serves'. All DNS records for the domain are contained on its 
 master server, including both NS, which point back to those IP 
 addresses. The secondary NS has its own master record on the server 
 where it's located and contains only its IP address, since pdns doesn't 
 use pointer records, relying instead on its native ability to resolve 
 properly configured DNS.
 
 Since I've created an A record for those IP addresses from which 
 actual content is served in the DNS records on our registrar's site (and 
 have properly configured the vhosts in apache), when we enter either our 
 webmail server IP address or its hostname, my webmail server software 
 admin page loads--just like it should.
 
 When I load up the gui interface for our mailserver under either the 
 hostname, which is something like mailservertype.maildomain.eu, it 
 loads perfectly. This stuff's fairly idiot proof because apache, mysql 
 and pdns all let you know when you've misconfigured stuff by not working 
 right--or at all.
 
 Therefore, I don't know how your answer relates to my problem and it 
 doesn't address the issue of the registrar not being able to reach the 
 secondary NS, which is on an entirely different server and has a 
 separate IP address. This doesn't appear, as you suggested when I posted 
 my last question about how PDNS works differently from BIND and again in 
 this post, as my lack of understanding DNS. I'm new to PDNS, not to DNS. 
 I couldn't have set this system up if I didn't have DNS understanding 
 and the registrar for my other domain names seems to have no problem 
 adding our changed NS to their system, so, our NS configurations aren't 
 the problem.
 
 If anyone else has any suggestions--especially those in the EU where 
 this seems to be an issue--at least when I bing(.com) it, I would 
 greatly appreciate your help.
 
 Sasha
 
 On Thu, Jul 2, 2009 at 9:40 AM, Kenneth Marshall k...@rice.edu wrote:
 
 On Thu, Jul 02, 2009 at 09:15:03AM -0400, SashaB wrote:
   Hello all,
  
   This is a long post with a lot of info since I thought you should
 know as
   much as possible about these NS before (a) having to ask the obvious
   questions and (b) so you can offer suggestions.
  
   Here's the situation. I have set up the NS for our domains (on
 four servers)
   and nearly all resolving properly to the domains to which they
 point. (For
   those few that are not, I have figured out 
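The check Jani describes above (query each nameserver for the SOA and see whether they agree, and whether a "mismatch" is really a server that never answered) can be scripted. This is an added example, not code from the thread; it works on constructed strings in the format `dig @nameserver domain.tld SOA` prints, for a hypothetical zone example.test, so it runs without network access.

```python
"""Compare the SOA record each authoritative server returns for a zone.

Added example, not from the thread: the inputs are constructed strings in the
format `dig @nameserver domain.tld SOA` prints; no network access is needed.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple


class Soa(NamedTuple):
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa_rdata(rdata: str) -> Soa:
    """Parse SOA RDATA in presentation format: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError(f"malformed SOA rdata: {rdata!r}")
    return Soa(parts[0], parts[1], *(int(p) for p in parts[2:]))


def parse_dig_soa_answer(output: str) -> Optional[Tuple[int, Soa]]:
    """Return (ttl, Soa) from dig output, or None when no SOA answer is present.

    A timeout or SERVFAIL prints no answer line at all; that case must be kept
    apart from "the SOA differs", which is the point made in the thread.
    """
    for line in output.splitlines():
        if line.startswith(";"):          # dig comments and the question section
            continue
        fields = line.split(None, 4)       # owner ttl class type rdata
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "SOA":
            return int(fields[1]), parse_soa_rdata(fields[4])
    return None


def compare_soa(answers: Dict[str, str]) -> List[str]:
    """answers maps nameserver -> dig output. Returns human-readable findings."""
    parsed = {ns: parse_dig_soa_answer(out) for ns, out in answers.items()}
    findings = []
    for ns, got in parsed.items():
        if got is None:
            findings.append(f"{ns}: no SOA answer (timeout or SERVFAIL); "
                            "check reachability before blaming SOA data")
    answered = [(ns, got) for ns, got in parsed.items() if got is not None]
    if len(answered) < 2:
        return findings
    ref_ns, (ref_ttl, ref_soa) = answered[0]     # first responding server is the reference
    for ns, (ttl, soa) in answered[1:]:
        if soa.serial != ref_soa.serial:
            findings.append(f"{ns}: serial {soa.serial} differs from {ref_ns} "
                            f"({ref_soa.serial}); zone transfer is probably stale")
        elif soa != ref_soa:
            findings.append(f"{ns}: SOA fields differ from {ref_ns}: {soa} vs {ref_soa}")
        if ttl != ref_ttl:
            findings.append(f"{ns}: SOA TTL {ttl} differs from {ref_ns} ({ref_ttl})")
    return findings


# Constructed sample outputs (hypothetical zone example.test); the third server
# never answered, which dig reports as a timeout rather than as an SOA record.
SAMPLE_ANSWERS = {
    "ns1.example.test": (
        ";; ANSWER SECTION:\n"
        "example.test.\t\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. "
        "2016081801 7200 900 1209600 300\n"
    ),
    "ns2.example.test": (
        ";; ANSWER SECTION:\n"
        "example.test.\t\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. "
        "2016081700 7200 900 1209600 300\n"
    ),
    "ns3.example.test": ";; connection timed out; no servers could be reached\n",
}


def check_sample() -> List[str]:
    return compare_soa(SAMPLE_ANSWERS)


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```

The first server that answers is taken as the reference; a server that produced no SOA line is reported as unreachable rather than as having a different SOA, which is exactly the distinction a registrar's "SOA mismatch" error tends to blur.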

Re: [Pdns-users] Bindings

2009-06-01 Thread Leen Besselink
Doug Hall wrote:
 Is it possible to bind the Powerdns service to two IP addresses on the
 same box?? I have two nics...
 
  
 

Hi,

On my machine I have:

/etc/powerdns/recursor.conf

local-address=127.0.0.1, XXX.XXX.XXX.XXX

It looks like /etc/powerdns/pdns.conf has the same kind of setting:

local-address=...

Local IP address to which we bind. You can specify multiple addresses 
separated by commas or whitespace. It is highly advised to bind to specific 
interfaces and not use the default 'bind to any'. This causes big problems 
if you have multiple IP addresses. Unix does not provide a way of figuring 
out what IP address a packet was sent to when binding to any.

http://docs.powerdns.com/all-settings.html

Have a nice day,
Leen.

 
  
 
  
 
 
 
 
 

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
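A small audit of the setting discussed above, added here as an example (not code from the thread or from the PowerDNS project): it parses a pdns.conf-style file, splits local-address on commas or whitespace as the quoted documentation says, and flags the 'bind to any' wildcard that the documentation warns against. The config texts are constructed samples; the optional host:port and [v6]:port suffix handling is an assumption about the notation, not something the thread states.

```python
"""Audit the local-address setting in a PowerDNS config file.

Added example, not from the thread or the PowerDNS project: it checks the
point the quoted documentation makes, that the daemon should be bound to
explicit addresses rather than to the 'any' wildcard. The config texts are
constructed samples.
"""
import ipaddress
import re
from typing import Dict, List


def parse_pdns_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' starts a comment; a later key overrides an earlier one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def split_addresses(value: str) -> List[str]:
    """local-address takes several addresses separated by commas or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def strip_port(item: str) -> str:
    """Drop an optional port suffix (assumed host:port / [v6]:port notation)."""
    if item.startswith("[") and "]" in item:
        return item[1:item.index("]")]
    if item.count(":") == 1:            # exactly one colon: IPv4:port, never bare IPv6
        return item.split(":", 1)[0]
    return item


def audit_local_address(conf_text: str) -> List[str]:
    """Return findings; an empty list means every bound address is explicit."""
    settings = parse_pdns_conf(conf_text)
    value = settings.get("local-address")
    if value is None:
        return ["local-address is not set; the daemon falls back to its built-in default "
                "instead of the interfaces you chose"]
    findings = []
    for item in split_addresses(value):
        addr = strip_port(item)
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"{item}: not an IP address")
            continue
        if ip.is_unspecified:           # 0.0.0.0 or ::
            findings.append(f"{item}: wildcard bind; on a multi-homed host the reply "
                            "source address may not match the address queried")
    return findings


# Constructed samples
WEAK_CONF = """\
# binds to every address on the box
local-address=0.0.0.0, ::
local-port=53
"""

GOOD_CONF = """\
# explicit addresses only, comma or space separated
local-address=127.0.0.1, 192.0.2.10 2001:db8::10
local-port=53
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(name, audit_local_address(conf) or "ok")
```

Run it against /etc/powerdns/pdns.conf and /etc/powerdns/recursor.conf; the recursor and the authoritative server both use the same local-address key, so the same audit applies to either file.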


Re: [Pdns-users] Question on setting up PDNS

2009-03-18 Thread Leen Besselink
Nicholas Orr wrote:
 You'd need to setup a sub-domain and have your primary domain give out
 NS for where the sub-domain is hosted.
 
 I remember doing this ages ago with Windows Server DNS, was pretty
 straight forward.
 

hmmm.

 Sorry I'm not much more help :/

Anyway, it's called '(DNS) delegation', now you have something you can look up
in a book or search engine, whatever.

Hope that helps.

 
 2009/3/18 npere...@videotron.ca mailto:npere...@videotron.ca
 
 Hello, I am trying to setup PDNS for enum NAPTR...
  
 I have a domain, example.com, which is taken care of by our current DNS.
  
 I need to add a pointer for e164.example.com to send the request to a
 specific server, which is the one running the PDNS, yet the query I am
 doing is not being sent to the PDNS and I don't know what I'm doing wrong...
  
 My query via nslookup is :
 nslookup 0.0.1.e164.example.com
  
 Fails, no response.
  
 If I am on the PDNS (linux) server and do a dig, it works fine.
 dig 0.0.1.e164.example.com
  
 What should my Primary DNS have to send the query they get to the
 specific server IP of PDNS ?
 
 Regards,
 
 Nelson Pereira
 Http://www.npereira.com
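What "delegation" means in records, for the situation Nelson describes (the parent zone stays on the existing DNS, the e164 subtree goes to the PowerDNS host): an added example, not code from the thread. It builds the NS records the parent must publish plus the glue address that is only required when a nameserver's own name lies inside the delegated zone, shows which zone ends up answering a name, and converts an E.164 number into the reversed-digit ENUM owner name that was being queried. Hostnames and the address 192.0.2.53 are constructed.

```python
"""Delegating a subdomain (here an ENUM tree) from the parent zone to another server.

Added example, not from the thread: it builds the NS and glue records the
parent zone must publish for the delegation the thread describes, shows which
zone ends up answering a query, and converts an E.164 number into the
ENUM-style owner name that was being looked up. Names and addresses are
constructed.
"""
from typing import Dict, List, Optional


def e164_to_enum_name(number: str, suffix: str = "e164.arpa") -> str:
    """ENUM mapping (RFC 6116): keep digits, reverse them, dot-separate, add the suffix."""
    digits = [c for c in number if c.isdigit()]
    if not digits:
        raise ValueError(f"no digits in {number!r}")
    return ".".join(reversed(digits)) + "." + suffix


def in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def delegation_records(parent: str, child: str, nameservers: Dict[str, Optional[str]]) -> List[str]:
    """Records the parent zone needs in order to delegate child.

    nameservers maps NS hostname -> address or None. Glue (an A/AAAA record in the
    parent) is needed only when the NS hostname lies inside the delegated zone;
    otherwise resolvers can find it on their own.
    """
    if not in_zone(child, parent) or child == parent:
        raise ValueError(f"{child} is not below {parent}")
    records = [f"{child}. IN NS {host}." for host in nameservers]
    for host, addr in nameservers.items():
        if in_zone(host, child):
            if addr is None:
                raise ValueError(f"{host} is inside {child}; glue address required")
            rtype = "AAAA" if ":" in addr else "A"
            records.append(f"{host}. IN {rtype} {addr}")
    return records


def authority_for(qname: str, zones: List[str]) -> str:
    """The zone that answers qname is the longest (most specific) enclosing zone."""
    matches = [z for z in zones if in_zone(qname, z)]
    if not matches:
        raise LookupError(f"no zone serves {qname}")
    return max(matches, key=len)


# Constructed scenario: example.com stays on the existing server; e164.example.com
# is handed to the PowerDNS host pdns.example.com plus an in-zone secondary.
PARENT = "example.com"
CHILD = "e164.example.com"
NAMESERVERS = {"pdns.example.com": None, "ns1.e164.example.com": "192.0.2.53"}


def sample_delegation() -> List[str]:
    return delegation_records(PARENT, CHILD, NAMESERVERS)


if __name__ == "__main__":
    print("\n".join(sample_delegation()))
    q = e164_to_enum_name("+1 00", CHILD)
    print(q, "->", authority_for(q, [PARENT, CHILD]))
```

Once the parent publishes those NS records, a query for 0.0.1.e164.example.com sent to the parent's server comes back as a referral to the PowerDNS host instead of a failure; before that, only a query aimed directly at the PowerDNS host (as the dig run on that box did) can succeed.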
 
 


Re: [Pdns-users] STL error

2009-03-08 Thread Leen Besselink
Johan Kooijman wrote:
 Hi,
 
 Thank you for your reply.
 
 Hmm, I'm no expert, but looking at the error and code, I would say,
 your TCP-connection to the PowerDNS died.
 
 My guess too.
 
 TCP is different from the normal UDP-packets used by DNS.

 If this is a new installation, you are possible setting it up in an
 environment where you might not need a firewall on that server,
 could you disable it and test it again ? It looks like PowerDNS
 is not able to push any packets out to your dig-client. If I were
 to guess, I would say PowerDNS is not receiving the TCP-ACK-packets.
 
 That's the strange thing: there is no firewall running on this
 machine. I tried adding the listen-address option in pdns.conf, no
 luck. I did a tcpdump on its interface when I did the dig, result is
 here: http://pastebin.com/m746248ae
 

The last line is a reset packet from client to server, I wouldn't
expect to see a reset packet. I tried a working installation as a
test and I didn't see a reset packet.

I don't know why the client-side does this, but it's not the usual
way.

Also I noticed there were no packets with F (for finished) so that
would mean the server wasn't done sending.

Maybe first try from localhost on the PowerDNS-server ?

 Any other suggestions?
 
 Met vriendelijke groet / With kind regards,
 
 Johan Kooijman
 JK IT - Communication at the speed of life
 
 jkooij...@jkit.nl
 http://www.jkit.nl
 
 Tel.: +31 (0)76 - 71 10 271
 Fax : +31 (0)76 - 20 11 179
 Mob: +31 (0)6 - 43 44 45 27


Re: [Pdns-users] STL error

2009-03-08 Thread Leen Besselink
Johan Kooijman wrote:
 The last line is a reset packet from client to server, I wouldn't
 expect to see a reset packet. I tried a working installation as a
 test and I didn't see a reset packet.

 I don't know why the client-side does this, but it's not the usual
 way.

 Also I noticed there were no packets with F (for finished) so that
 would mean the server wasn't done sending.

 Maybe first try from localhost on the PowerDNS-server ?
 
 Unfortunately.. same result.

Now that is interesting.

Can I suggest creating a pcap-file and looking at with wireshark ?

ifconfig lo | grep MTU

tcpdump -s $MTU -w $PATH/lo.tcp.domain.pcap -npti lo tcp port domain

I don't really know what could be the cause, but my guess is PowerDNS
is sending something dig doesn't understand ?


[Pdns-users] [ignore] mailinglist test-message

2009-02-13 Thread Leen Besselink
I'm sorry, I'm having some odd problems with changing addresses, this is a 
test-message please ignore.

Have a good weekend ! :-)


Re: [Pdns-users] Handling packet flood from one client.

2009-01-28 Thread Leen Besselink

Ton van Rosmalen wrote:

Leen Besselink schreef:

On Tue, Jan 27, 2009 at 10:00:18AM -0800, Augie Schwer wrote:
  

Obviously; but that's being reactive; I was looking for something more
proactive.  --Augie




I've not tested it, but I understand the u32 option is available on 
Debian/Linux for example:

http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/

That might do what you want.

  
How about rate limiting using iptables? You'd have to determine some 
sort of general usage rule or manually add ip addresses to the list that's 
limited.


I didn't know iptables had an easy way to do this per source-address. 
But I've looked around and possibly the recent iptables module 
would be able to do so:


http://www.debian-administration.org/articles/187

OpenBSD's PF would probably be able to though:

http://www.openbsd.org/faq/pf/filter.html#stateopts

I just had a list of IP-addresses and only return a small packet for the 
rest, but I'm definitely still considering changing it, because there are 
a few new ones every few days.


Although someone on the NANOG-mailinglist I read sends an update each 
time, I must say, that's convenient too. :-)


I don't particularly like rate-limiting something as important as DNS for 
where I work.


PS You were probably not aware of it but please don't send HTML-only 
e-mails to mailinglists some people don't like it. Thunderbird does 
support it I think.


Regards,

Ton




Re: [Pdns-users] Handling packet flood from one client.

2009-01-28 Thread Leen Besselink
On Wed, Jan 28, 2009 at 11:07:53AM -0800, Augie Schwer wrote:
 We discussed this on #powerdns a bit as it came up on the
 dns-operations list; the conclusion was that dropping the request was
 worse because it opened up spoofing attacks.  Thanks for the
 suggestion though.  --Augie
 

Yes, that is the other problem. It's also a reason why I only drop
queries from those few IPs at work.

There is obviously another problem with that which Paul Vixie already
mentioned on the NANOG mailinglist, which is if the targeted IPs are
actually resolvers, they wouldn't be able to query our nameservers.

Although it's not really all that bad, first of all, the connection of
that IP-address is probably flooded, because of all the answers going
to that IP-address.

If that didn't happen and it really was a recursor, I think it would
be really easy to move the outgoing address to another IP-address.

Because the people running that recursor know very well there are
people helping them, by blocking those questions.

All in all I think blocking just a few addresses isn't all that bad.

Better is nagging your transit provider about it, because the source
network should do proper filtering.

That's something I started doing today, because it has been going on
for weeks now (it started in December somewhere). Someone should 
have noticed that traffic leaving some of these networks and fixed
it.

If not, they should at least be notified.

Well that was my reasoning. :-)


Re: [Pdns-users] Handling packet flood from one client.

2009-01-27 Thread Leen Besselink
On Tue, Jan 27, 2009 at 10:00:18AM -0800, Augie Schwer wrote:
 Obviously; but that's being reactive; I was looking for something more
 proactive.  --Augie
 

I've not tested it, but I understand the u32 option is available on 
Debian/Linux for example:

http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/

That might do what you want.

 2009/1/27 Jeroen Wunnink jer...@easyhosting.nl:
  Just firewall the IP ?
 
  Augie Schwer wrote:
 
  Does anyone have other solutions?
 
  --
  Met vriendelijke groet,
 
  Jeroen Wunnink,
  EasyHosting B.V. Systeembeheerder
  systeembeh...@easyhosting.nl
 
  telefoon:+31 (035) 6285455  Postbus 48
  fax: +31 (035) 6838242  3755 ZG Eemnes
 
  http://www.easyhosting.nl
  http://www.easycolocate.nl
 
 -- 
 Augie Schwer-au...@schwer.us-http://schwer.us
 Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] DDos Reflector

2009-01-19 Thread Leen Besselink

Christof Meerwald wrote:

Hi,

since about Friday late evening I am seeing lots of pdns errors in my syslog
like:

  Not authoritative for '', sending servfail to 76.9.31.42 (recursion was
  desired)

Over in comp.protocols.dns.bind there is already some discussion about these
DNS requests (which apparently use a spoofed source IP address).

Is there anything a DNS server/PowerDNS can do to avoid being used as a DDoS
reflector, like rate-limiting SERVFAILs per IP address? What's the general
opinion?



The idea of the DOS-attack is to try and get the authoritative or public 
recursive nameserver to send a larger amount of packets or size than the 
original request. PowerDNS (at least the installations I checked) doesn't
do that, it just sends a ServFail of pretty much the same size.

Other than dropping the packet with a firewall-rule as I have (that 
IP-address specifically, I actually will remove it after it has stopped 
!) I don't think there is a lot you could do. Maybe someone could 
implement some kind of rules in PowerDNS to, again, not answer this
query specifically. But well, that would just be wrong and make it
easier to make a DNS cache poisoning attack at some recursor more effective.

Only other thing I can think about is, that maybe a rate limiter
could be kinda useful.

As I've mentioned in other fora, people should just filter their
egress traffic from spoofed addresses, that would get rid of the
whole problem.



Christof





Re: [Pdns-users] DDos Reflector

2009-01-19 Thread Leen Besselink

Maybe there is a way to find the bad guys, because I did notice one
thing, the TTL is pretty much always the same and they are all arriving 
from the same Transit-provider. So that means it's probably just a very 
small number of bad guys, fairly close together.


The TTL I have here is 56 or 57:

# tcpdump -c 10 -vvntpi XXX host 76.9.31.42
tcpdump: listening on XXX, link-type XXX
76.9.31.42.39499 > XXX.XXX.XX.XXX.53: [udp sum ok] 47478+ NS? . (17) (ttl 57, id 28226, len 45)
76.9.31.42.35973 > XXX.XXX.XX.XXX.53: [udp sum ok] 31418+ NS? . (17) (ttl 56, id 40252, len 45)
76.9.31.42.10658 > XXX.XXX.XX.XXX.53: [udp sum ok] 47176+ NS? . (17) (ttl 56, id 23872, len 45)
76.9.31.42.41104 > XXX.XXX.XX.XXX.53: [udp sum ok] 20777+ NS? . (17) (ttl 57, id 6198, len 45)
76.9.31.42.25856 > XXX.XXX.XX.XXX.53: [udp sum ok] 12812+ NS? . (17) (ttl 57, id 32978, len 45)
76.9.31.42.61992 > XXX.XXX.XX.XXX.53: [udp sum ok] 8502+ NS? . (17) (ttl 56, id 7053, len 45)
76.9.31.42.28488 > XXX.XXX.XX.XXX.53: [udp sum ok] 64677+ NS? . (17) (ttl 56, id 38187, len 45)
76.9.31.42.32527 > XXX.XXX.XX.XXX.53: [udp sum ok] 49277+ NS? . (17) (ttl 56, id 59157, len 45)
76.9.31.42.25435 > XXX.XXX.XX.XXX.53: [udp sum ok] 719+ NS? . (17) (ttl 56, id 27208, len 45)
76.9.31.42.3991 > XXX.XXX.XX.XXX.53: [udp sum ok] 14463+ NS? . (17) (ttl 57, id 12013, len 45)


The Transit provider in my case is AboveNet.

If people with a higher TTL would give some information where they think 
it's arriving from maybe we would be able to pinpoint them.

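The by-hand analysis above (group the spoofed-source queries, look at the IP TTL, estimate what the server gives back) as an added example, not code from the thread: it parses lines in the same tcpdump -vvntp layout as the capture quoted above, reports per source address the question asked, the TTL histogram and whether the TTL spread points at a single path, and computes the amplification factor for a given request and response payload size. The sample lines are constructed with documentation addresses (198.51.100.42, 192.0.2.7, 203.0.113.5), not the capture from the thread.

```python
"""Summarise tcpdump output of UDP DNS queries per source address.

Added example, not from the thread: it automates what was done by hand above,
grouping queries by source and IP TTL, and estimates the amplification the
server would give. The lines are constructed in the same format as the
tcpdump -vvntp output quoted in the thread, with documentation addresses.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): \[udp sum ok\] "
    r"(?P<txid>\d+)(?P<rd>\+?) (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<qlen>\d+)\) "
    r"\(ttl (?P<ttl>\d+), id \d+, len (?P<iplen>\d+)\)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one query line; returns None for lines that are not UDP DNS queries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"],
        "txid": int(d["txid"]), "rd": d["rd"] == "+",        # '+' means RD bit set
        "qtype": d["qtype"], "qname": d["qname"],
        "qlen": int(d["qlen"]), "ttl": int(d["ttl"]), "iplen": int(d["iplen"]),
    }


def summarise(lines: List[str]) -> Dict[str, dict]:
    """Per source address: query count, TTL histogram, question histogram, TTL spread."""
    by_src: Dict[str, list] = defaultdict(list)
    for line in lines:
        q = parse_line(line)
        if q:
            by_src[q["src"]].append(q)
    report = {}
    for src, qs in by_src.items():
        ttls = Counter(q["ttl"] for q in qs)
        spread = max(ttls) - min(ttls)
        report[src] = {
            "count": len(qs),
            "ttls": dict(ttls),
            "questions": dict(Counter((q["qtype"], q["qname"]) for q in qs)),
            "ttl_spread": spread,
            # A near-constant TTL means every packet took the same path length,
            # i.e. one origin (or a few close together), as concluded above.
            "single_path": spread <= 1,
        }
    return report


def amplification(query_payload: int, response_payload: int) -> float:
    """Response bytes per request byte: 1.0 when a SERVFAIL just echoes the question."""
    return response_payload / query_payload


# Constructed sample, same layout as the thread's capture; tcpdump's (17) is the
# DNS payload length of a 'NS? .' query (12-byte header + 1 + 4).
SAMPLE_LINES = [
    "198.51.100.42.39499 > 203.0.113.5.53: [udp sum ok] 47478+ NS? . (17) (ttl 57, id 28226, len 45)",
    "198.51.100.42.35973 > 203.0.113.5.53: [udp sum ok] 31418+ NS? . (17) (ttl 56, id 40252, len 45)",
    "198.51.100.42.10658 > 203.0.113.5.53: [udp sum ok] 47176+ NS? . (17) (ttl 56, id 23872, len 45)",
    "198.51.100.42.41104 > 203.0.113.5.53: [udp sum ok] 20777+ NS? . (17) (ttl 57, id 6198, len 45)",
    "192.0.2.7.53211 > 203.0.113.5.53: [udp sum ok] 1234+ A? www.example.test. (34) (ttl 49, id 100, len 62)",
    "tcpdump: listening on eth0, link-type EN10MB (Ethernet)",
]


def sample_report() -> Dict[str, dict]:
    return summarise(SAMPLE_LINES)


if __name__ == "__main__":
    for src, info in sample_report().items():
        print(src, info)
    print("amplification of a bare SERVFAIL:", amplification(17, 17))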





Re: [Pdns-users] Error While loading shared libraries: libpq.so.5: Cannot open shared object

2008-11-16 Thread Leen Besselink
On Sun, Nov 16, 2008 at 11:50:53AM +0700, BORIN HY/WiCAM wrote:
 Dear All,
 

Hi you,

 I just downloaded the latest release of the PowerDNS rpm and installed it on my 
 Fedora Core 9.
 
 When I try to start PowerDNS, I get the following error.
 
 $/etc/init.d/pdns start
 Starting PowerDNS authoritative nameserver: /usr/sbin/pdns_server: error 
 while loading shared libraries: libpq.so.5: cannot open shared object file: 
 No such file or directory
 
 Please advise what I should do in order to fix this problem.
 

I know pretty much nothing about any other distribution except for Debian 
(based), but libpq.so.5 is a PostgreSQL-client library.

This is what I have on my Ubuntu-desktop-machine:

[EMAIL PROTECTED]:~$ dpkg -S libpq.so.5
libpq5: /usr/lib/libpq.so.5
libpq5: /usr/lib/libpq.so.5.1
[EMAIL PROTECTED]:~$ dpkg -s libpq5
Package: libpq5
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 872
Maintainer: Martin Pitt [EMAIL PROTECTED]
Architecture: i386
Source: postgresql-8.3
Version: 8.3.4-2.2
Depends: libc6 (>= 2.4), libcomerr2 (>= 1.01), libkrb53 (>= 1.6.dfsg.2), 
libldap-2.4-2 (>= 2.4.7), libssl0.9.8 (>= 0.9.8f-5)
Description: PostgreSQL C client library
 libpq is a C library that enables user programs to communicate with
 the PostgreSQL database server.  The server can be on another machine
 and accessed through TCP/IP.  This version of libpq is compatible
 with servers from PostgreSQL 8.2 or later.
 .
 This package contains the run-time library, needed by packages using
 libpq.
 .
 PostgreSQL is an object-relational SQL database management system.
Original-Maintainer: Martin Pitt [EMAIL PROTECTED]

I hope this helps.

If you know what package you needed to install to get it to work, post it here so 
it's saved in the archives and people don't need to ask about it again.

Have a nice day,
Leen Besselink.

 Thanks & regards,
 Borin


Re: [Pdns-users] PDNS-Recursor Not Providing DNS Lookups?

2008-08-22 Thread Leen Besselink
On Fri, Aug 22, 2008 at 01:40:05PM -0500, Kenneth Marshall wrote:
 On Fri, Aug 22, 2008 at 07:42:31PM +0200, bert hubert wrote:
  On Fri, Aug 22, 2008 at 12:30:36PM -0400, Steve Chapman wrote:
   I'm working in an environment that uses split DNS (some parentcompany.com
   servers we want resolved from corporate DNS servers, others from Internet
   DNS servers).  I've installed the pdns-recursor RPM (3.1.7-1) on my RHEL 5
   bind DNS server and configured the recursor, all defaults except:
  
  Very good!
  
   If I run an nslookup Server2.parentcompany.com IP of Corporate DNS
   server, I get a valid IP address, and then if I subsequently re-run the
   nslookup against the PDNS Recursor, it provides the answer from then on.
   Why isn't it providing the answer initially?  Any ideas would be helpful.
  
  The reason is that PowerDNS is expecting you to forward queries to an
  authoritative server.
  
  It appears you are forwarding them to a server that is not authoritative for
  Server2.parentcompany.com, but is in itself a caching resolver.
  
  PowerDNS is sending so called 'non-recursion desired' questions to your
  internal nameserver, and this internal server is therefore not recursing for
  your questions.
  
  Once you've triggered the internal server to look the question up, it keeps
  the answer in the cache.
  
  The second time PowerDNS asks, no recursion is needed, since the answer is
  there already.
  
  I'm not sure what to do now - it might be good for PowerDNS to set the 'rd'
  bit in forwarded queries.
  
  Any ideas?
  
 I vote for setting the 'rd' bit in the forwarded queries. That certainly
 best fits the behavior that I was expecting to see.
 
 
Maybe add a separate option like this ?:

forward-zones-with-rdbit= ?
recurse-forward-zones= ?

 Regards,
 Ken
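What the RD bit discussed in this thread looks like on the wire, and why the first lookup failed: an added example, not code from the thread or from PowerDNS. It builds a minimal DNS query with the RD flag set or clear, reads the flags back, and replays Steve's sequence against a toy model of a caching resolver that answers a non-RD query only from its cache. The query name server2.parentcompany.test and the cache model are constructed. (Later versions of the PowerDNS Recursor added a forward-zones-recurse setting for exactly this case, forwarding with RD set.)

```python
"""Build a DNS query with or without the RD (recursion desired) bit and model
why forwarding to a caching resolver failed on the first lookup.

Added example, not from the thread or the PowerDNS code: it shows on the wire
what "RD-bit not set" means and replays the behaviour described above. The
query name and the toy cache are constructed.
"""
import secrets
import struct
from typing import List, Optional, Set

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28}
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Wire format: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: str = "A", rd: bool = True, txid: Optional[int] = None) -> bytes:
    """Header (12 bytes) + one question. txid is random unless fixed for tests."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    flags = FLAG_RD if rd else 0            # QR=0 (query), OPCODE=0 (standard)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_flags(packet: bytes) -> dict:
    txid, flags = struct.unpack("!HH", packet[:4])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F}


def caching_resolver(query: bytes, qname: str, cache: Set[str]) -> str:
    """Toy model of the corporate resolver in the thread.

    With RD set it recurses, caches and answers. Without RD it only answers
    from cache, which is why the second lookup worked but the first did not.
    """
    if parse_flags(query)["rd"]:
        cache.add(qname)
        return "answer"
    return "answer" if qname in cache else "no-data"


def replay_thread() -> List[str]:
    """First non-RD lookup fails, an RD lookup warms the cache, then non-RD works."""
    cache: Set[str] = set()
    name = "server2.parentcompany.test"      # constructed name
    return [
        caching_resolver(build_query(name, rd=False), name, cache),   # recursor's forward
        caching_resolver(build_query(name, rd=True), name, cache),    # nslookup straight at it
        caching_resolver(build_query(name, rd=False), name, cache),   # recursor again
    ]


if __name__ == "__main__":
    print(replay_thread())
```

An authoritative server answers the same non-RD query from its zone data every time, which is why forwarding without RD works against an authoritative target and fails against a caching one.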


Re: Can pdns-recursor forward . ? / Re: [Pdns-users] Where can I download Windows binaries?

2008-08-10 Thread Leen Besselink
On Tue, Jul 29, 2008 at 12:53:04PM +0200, bert hubert wrote:
 On Tue, Jul 29, 2008 at 12:49:24PM +0200, Leen Besselink wrote:
  I have an other reason I might want a windows binary. In this case
  for PowerDNS-recursor.
 
 You can compile the powerdns recursor on windows if you are reasonably
 windows savvy. It takes me around two days to get it working usually.
 
 But I really hope someone else will do this, and I'd love to help!
 
  And Windows XP doesn't support DNS over IPv6, installing a local
  forwarding IPv6-enabled PowerDNS-recursor might be a solution to
  that ? Can I forward . ? I've never tried it.
 
 It might, unsure. Bit of an odd construction :-)
 

I tried setting forwarding for ., just to see what happens, but to be
honest it's not a good idea.

First of all it does want to send the right questions, but they are flagged
as no-recurse (RD-bit not set).

Which is obviously not appropriate and did not work in my setup.

   Bert
 
 -- 
 http://www.PowerDNS.com  Open source, database driven DNS Software 
 http://netherlabs.nl  Open and Closed source services
 


Re: [Pdns-users] pdns-recursor performance

2008-08-05 Thread Leen Besselink
On Tue, Aug 05, 2008 at 12:30:25AM -0700, Brad Dameron wrote:
 And you will see your response times drop from 1-2 seconds to milliseconds. I 
 did a lot of testing of this and pdns-recursor is definitely the best out 
 there.
  
 Brad 
 

Hi Brad,

Did you also test Unbound ( www.unbound.net ) ?

They say they are faster, they are a fairly new player in this field (version 
1.0.0 released May 20, 2008).

I can't find the graph. The graph I've seen shows PowerDNS and bind pretty
close together. Which I found a bit strange.

Even if they are faster, at least they are keeping the title in the Netherlands
(PowerDNS and NLNetlabs are both Dutch organisations). :-)

I've not used/tested it.


Re: [Pdns-users] pdns-recursor performance

2008-08-05 Thread Leen Besselink
On Tue, Aug 05, 2008 at 10:29:14AM +0200, Leen Besselink wrote:
 On Tue, Aug 05, 2008 at 12:30:25AM -0700, Brad Dameron wrote:
  And you will see your response times drop from 1-2 seconds to milliseconds. 
  I did a lot of testing of this and pdns-recursor is definitely the best out 
  there.
   
  Brad 
  
 
 Hi Brad,
 
 Did you also test Unbound ( www.unbound.net ) ?
 
 They say they are faster, they are a fairly new player in this field (version 
 1.0.0 released May 20, 2008).
 
 I can't find the graph. The graph I've seen shows PowerDNS and bind pretty
 close together. Which I found a bit strange.
 

I did find the graphs:

http://www.unbound.net/documentation/ripe56_unbound_02.pdf

 Even if they are faster, at least they are keeping the title in the Netherlands
 (PowerDNS and NLNetlabs are both Dutch organisations). :-)
 
 I've not used/tested it.


Can pdns-recursor forward . ? / Re: [Pdns-users] Where can I download Windows binaries?

2008-07-29 Thread Leen Besselink
I have an other reason I might want a windows binary. In this case
for PowerDNS-recursor.

When I'm going to deploy IPv6, I would really like to have an
IPv6-only network behind the (currently NAT) firewall.

And Windows XP doesn't support DNS over IPv6, installing a local
forwarding IPv6-enabled PowerDNS-recursor might be a solution to
that ? Can I forward . ? I've never tried it.

Hmm, maybe there is an easier way to do this ?

On Tue, Jul 29, 2008 at 12:24:36PM +0200, Rick Jansen wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 I think there would be a lot more interest from Windows Server users, if
 recent download packages would be available. And Windows users, I think,
 are often more commercial users, with money. Money to make PowerDNS better.

 So instead of:

 Wait for interest - create package

 Isn't this better:

 create packages - see an increase in interest - increase in support
 contracts ?

 Kind regards,

 Rick Jansen



Re: Can pdns-recursor forward . ? / Re: [Pdns-users] Where can I download Windows binaries?

2008-07-29 Thread Leen Besselink
On Tue, Jul 29, 2008 at 12:53:04PM +0200, bert hubert wrote:
 On Tue, Jul 29, 2008 at 12:49:24PM +0200, Leen Besselink wrote:
  I have an other reason I might want a windows binary. In this case
  for PowerDNS-recursor.
 
 You can compile the powerdns recursor on windows if you are reasonably
 windows savvy. It takes me around two days to get it working usually.
 
 But I really hope someone else will do this, and I'd love to help!
 

Is it a Visual Studio or something like cygwin you use to compile it ?

I have VS6 at work, possibly newer as well.

There is a fairly-free-edition as I understand it, I guess it should be
made to work on that (if VS is used).

But as with most people, my problem is not so much with will-power, but
with time.

  And Windows XP doesn't support DNS over IPv6, installing a local
  forwarding IPv6-enabled PowerDNS-recursor might a be solution to
  that ? Can I forward . ? I've never tried it.
 
 It might, unsure. Bit of an odd construction :-)
 

Yes, I agree.

If it doesn't work, it's probably because at startup it updates the
nameservers for .

But maybe adding one extra check could solve that.

I'm not saying bind is a good example, but bind does support this
mode of operation.

Who said adding features was a bad idea (if it doesn't complicate
the code) ? ;-)

   Bert
 
 -- 
 http://www.PowerDNS.com  Open source, database driven DNS Software 
 http://netherlabs.nl  Open and Closed source services
 


[Pdns-users] Re: Can pdns-recursor forward . ? / Re: Where can I download Windows binaries?

2008-07-29 Thread Leen Besselink
On Tue, Jul 29, 2008 at 11:25:58PM +0200, Christof Meerwald wrote:
 On Tue, 29 Jul 2008 23:13:07 +0200, Leen Besselink wrote:
  Wouldn't simple UDP forwarding be sufficient in this case? (but you would
  still need to find a program to do the UDP forwarding)
  Yes, I guess that is possible. You'd lose source port randomisation,
  all the rage these days and caching.
 
 I guess it depends how the UDP forwarder is implemented - there is no reason
 why the forwarder wouldn't be able to use similarly randomised source ports
 (but you would lose caching, of course)
 

I agree, but I've never seen one.

 
 Christof
 
 -- 
 
 http://cmeerw.org  sip:cmeerw at cmeerw.org
 mailto:cmeerw at cmeerw.org   xmpp:cmeerw at cmeerw.org
 


Re: [Pdns-users] coordinated patch

2008-07-09 Thread Leen Besselink
On Wed, Jul 09, 2008 at 08:26:47AM +0200, bert hubert wrote:
 On Wed, Jul 09, 2008 at 07:47:45AM +0200, Leen Besselink wrote:
  So now the question becomes did anyone inform Bert and/or PowerDNS too ?
 
 I knew about this stuff from the very beginning (February I think), even
 before CERT was involved. I was even supposed to go to the famous meeting
 at microsoft, but the imminent birth of my son Maurits made me decide not
 to.
 
 When CERT started to coordinate, nobody told me since there was nothing to
 coordinate - PowerDNS was not vulnerable.
 
 After a while a PowerDNS user asked CERT to keep me in the loop anyhow, and
 I was able to add some small details to the advisory.
 
 Like a link to
 http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience !
 

From your blog I knew you were writing that draft, but it had only sunk in
that it's the same thing later this morning. It was a bit late last night.

And I see now that the draft has been publicly announced on the namedroppers
list a little over a week ago also.

Your blog-entry about the draft is from: 01/12/2007, that means before Dan
Kaminsky found the problem? In his podcast he talks about a year.

If so it means you probably had a chuckle at the DNS & Crypto lunch as well. [0]

I'm still wondering what happened there.

[0] http://blog.netherlabs.nl/articles/2007/02/21/dns-crypto-power-lunch

   Bert
 
 -- 
 http://www.PowerDNS.com  Open source, database driven DNS Software 
 http://netherlabs.nl  Open and Closed source services
 


Re: [Pdns-users] Re: PowerDNS interview on Dutch national radio tonight

2008-07-09 Thread Leen Besselink
On Wed, Jul 09, 2008 at 09:03:57AM +0200, Stephane Bortzmeyer wrote:
 On Tue, Jul 08, 2008 at 06:13:04PM +0200,
  Stephane Bortzmeyer [EMAIL PROTECTED] wrote 
  a message of 13 lines which said:
 
   Microsoft will be releasing more details tonight, 
  
  Apparently done:
  
  http://www.microsoft.com/technet/security/Bulletin/MS08-020.mspx
 
 As mentioned off-line, this is an old one, the new one is:
 
 http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
 
 For BIND :
 
 http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php
 

Seems I never got this thread from Wirehub, euh Easynet, otherwise
I would have worded my e-mail('s) differently and I missed the radio
program. Thank god for podcasts. ;-)


[Pdns-users] coordinated patch

2008-07-08 Thread Leen Besselink
This sounds pretty scary, it seems to concern recursors and 
resolver-libraries. The way to solve it is to use port randomization, which 
shouldn't be a big surprise to the PowerDNS-using community.

Massive, Coordinated Patch To the DNS Released [0]

tkrabec alerts us to a CERT advisory announcing a massive [1], multi-vendor DNS 
patch released today. Early this year, researcher Dan Kaminsky discovered a 
basic flaw in the DNS that could allow attackers easily to compromise any name 
server; it also affects clients. Kaminsky has been working in secret with a 
large group of vendors on a coordinated patch. Eighty-one vendors are listed in 
the CERT advisory (DOC [2]). Here is the executive overview (PDF [3]) to the 
CERT advisory - text reproduced at the link above. There's a podcast [4] 
interview with Dan Kaminsky too. His site has a DNS checker tool [5] on the top 
page. The issue is extremely serious, and all name servers should be patched 
as soon as possible. Updates are also being released for a variety of other 
platforms since this is a problem with the DNS protocol itself, not a specific 
implementation. The good news is this is a really strange situation where the 
fix does not immediately reveal the vulnerability and reverse engineering isn't 
directly possible.

So now the question becomes did anyone inform Bert and/or PowerDNS too ?

I did find in the DOC [2]:

Name: PowerDNS
Status: Not Vulnerable
Date Notified: 2008-05-13 11:35:05
Statement:
PowerDNS Vendor Statement
-
Since version 3.0, released in April 2006, the PowerDNS Recursor
resolving nameserver has implemented measures that protect against
the vulnerability described in CVE-2008-1447. Source ports are
randomized, and 'near misses', indicating a spoofing attempt in
progress, are detected, and the query is dropped.
___

I guess no patching for us (for our DNS-servers at least) ?

Thank you Bert (and DJB) ! ;-)

[0] http://it.slashdot.org/it/08/07/08/195225.shtml
[1] http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/
[2] http://securosis.com/publications/CERT%20Advisory.doc
[3] http://securosis.com/publications/DNS-Executive-Overview.pdf
[4] http://media.libsyn.com/media/mckeay/nsp-070808-ep111.mp3
[5] http://www.doxpara.com/

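The two measures that come up in these threads, a forwarder that uses a fresh randomised source port per query (the 2008-07-29 exchange above) and the "near miss" detection from the PowerDNS vendor statement (a reply arriving on the right socket but with the wrong transaction ID or from the wrong peer is dropped), can be shown together in a small DNS-over-UDP forwarder. This is an added example, not code from PowerDNS or from anyone in the thread; the upstream address, the sample query name and the fake upstream used for the loopback demo are constructed for illustration. Source-port randomness here comes from opening a new socket per query and letting the OS pick the ephemeral port, so its quality is whatever the host's ephemeral-port allocation provides.

```python
"""Minimal forgery-resilient DNS/UDP forwarder (added example, not PowerDNS code).

Two defensive properties are demonstrated:
  1. every outbound query leaves from a fresh UDP socket, so the source
     port varies per query instead of being one long-lived, guessable port;
  2. a reply is only accepted if it comes from the upstream we asked, carries
     our transaction ID, is flagged as a response and repeats our question.
     Anything else on that socket is a "near miss" and is dropped.
"""
import secrets
import socket
import struct
import threading
from typing import Optional, Tuple

Peer = Tuple[str, int]


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (A record by default) with a random 16-bit ID."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def txid_of(msg: bytes) -> int:
    return struct.unpack("!H", msg[:2])[0]


def question_of(msg: bytes) -> bytes:
    """Return the question section (name + type + class) that follows the header."""
    i = 12
    while msg[i] != 0:          # walk the length-prefixed labels
        i += msg[i] + 1
    i += 1 + 4                  # root label terminator + QTYPE + QCLASS
    return msg[12:i]


def reply_is_plausible(query: bytes, reply: bytes, expected_peer: Peer, actual_peer: Peer) -> bool:
    """Near-miss check: every one of these must hold or the datagram is dropped."""
    if actual_peer != expected_peer:
        return False                                # wrong source address/port
    if len(reply) < 12 or txid_of(reply) != txid_of(query):
        return False                                # wrong transaction ID
    flags = struct.unpack("!H", reply[2:4])[0]
    if not flags & 0x8000:
        return False                                # QR bit clear: not a response
    try:
        return question_of(reply) == question_of(query)
    except IndexError:
        return False                                # truncated/malformed question


def forward(query: bytes, upstream: Peer, timeout: float = 2.0) -> Optional[bytes]:
    """Send one query from a fresh socket (OS-chosen port) and return the first
    plausible reply; near misses are discarded and waiting continues."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        try:
            while True:
                data, peer = s.recvfrom(4096)
                if reply_is_plausible(query, data, upstream, peer):
                    return data
                # near miss: right socket, wrong ID / peer / question -> drop
        except socket.timeout:
            return None


def _fake_upstream(ready: threading.Event, info: dict) -> None:
    """Constructed upstream for the demo: answers with a wrong-ID reply first
    (what a spoofing attempt looks like to the client), then the genuine one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    info["addr"] = srv.getsockname()
    ready.set()
    q, client = srv.recvfrom(4096)
    bad = struct.pack("!H", (txid_of(q) + 1) & 0xFFFF) + b"\x81\x80" + q[4:]
    srv.sendto(bad, client)
    good = q[:2] + b"\x81\x80" + q[4:]   # same ID, same question, QR set
    srv.sendto(good, client)
    srv.close()


def run_loopback_demo() -> bool:
    """Return True when the forwarder dropped the near miss and kept the real reply."""
    ready, info = threading.Event(), {}
    t = threading.Thread(target=_fake_upstream, args=(ready, info), daemon=True)
    t.start()
    ready.wait()
    q = build_query("example.com")
    reply = forward(q, info["addr"])
    t.join()
    return reply is not None and reply[:2] == q[:2]


if __name__ == "__main__":
    print("near miss dropped, genuine reply accepted:", run_loopback_demo())
```

The forwarder deliberately stays unconnected (`recvfrom` rather than `connect`) so that the peer check is explicit and visible; a connected UDP socket would let the kernel filter foreign sources, but the transaction ID and question comparison would still be needed. Note the trade-off raised in the thread: this forwarder has no cache, so every client query costs one upstream round trip.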