Re: [Pdns-users] PowerDNS Recursor does not provide correct answer to Postfix
Hi,

Sounds like a strange problem. Just to make sure it's set up correctly: could you check that Postfix is talking to PowerDNS Recursor? Because Postfix has a separate resolv.conf (which gets updated when starting Postfix):

/var/spool/postfix/etc/resolv.conf

On Thu, Aug 18, 2016 at 02:20:25PM +, Michael wrote:
> Hi all,
>
> I have been using the pdns_recursor package on my Ubuntu 14.04 for quite
> some time to resolve host names locally. That worked fine for the
> entire system.
>
> Last week I updated to Ubuntu 16.04. So I have a new Postfix version
> (3.1.0) as well as a new pdns_recursor version (4.0.0-alpha2).
>
> Since this update Postfix does not receive correct answers for a
> particular query anymore. Concretely, queries for A entries of
> Office365 mail servers.
>
> For example if Postfix asks for the A entry of
> nxp-com.mail.protection.outlook.com, pdns_recursor returns to
> Postfix that there does not exist an A record.
> However, if I manually do this query with dig, I do get a correct
> answer. Please see the logs at the end of the mail.
>
> Besides the queries of Office365 mail servers, the rest is working
> fine. I have no idea how to track down that issue. Is there any
> setting in pdns_recursor I have to change?
>
> Thanks,
> Michael
>
>
> Postfix log
> ==========
> Aug 15 18:21:07 mx0 postfix/qmgr[2715]: 39EF2A40EA2:
> from=, size=865, nrcpt=1 (queue active)
> Aug 15 18:21:08 mx0 postfix/smtp[2907]: warning: no MX host for
> nxp.com has a valid address record
> Aug 15 18:21:08 mx0 postfix/smtp[2907]: 39EF2A40EA2:
> to= , relay=none, delay=1492, delays=1492/0.12/0.81/0,
> dsn=4.4.3, status=deferred (Host or domain name not found. Name
> service error for name=nxp-com.mail.protection.outlook.com type=A:
> Host not found, try again)
> ==========
>
> pdns_recursor log after Postfix query
> ==========
> Aug 15 18:21:07 mx0 pdns_recursor[2512]: 1 [16/1] question for
> 'nxp.com.|MX' from 127.0.0.1
> Aug 15 18:21:08 mx0 pdns_recursor[2512]: 1 [16/2] answer to question
> 'nxp.com.|MX': 1 answers, 0 additional, took 2 packets, 147.186 ms,
> 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
> Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] question for
> 'nxp-com.mail.protection.outlook.com.|A' from 127.0.0.1
> Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] answer to question
> 'nxp-com.mail.protection.outlook.com.|A': 0 answers, 1 additional,
> took 9 packets, 595.218 ms, 3 throttled, 0 timeouts, 0 tcp
> connections, rcode=2
> ==========
>
> pdns_log after dig query
> ==========
> Aug 15 17:52:20 mx0 pdns_recursor[2520]: 2 [53/1] question for
> 'nxp-com.mail.protection.outlook.com.|A' from 127.0.0.1
> Aug 15 17:52:21 mx0 pdns_recursor[2520]: 2 [53/1] answer to question
> 'nxp-com.mail.protection.outlook.com.|A': 2 answers, 1 additional,
> took 2 packets, 111.056 ms, 0 throttled, 0 timeouts, 0 tcp
> connections, rcode=0
> ==========
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
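The trace lines Michael quoted are the most useful evidence in this thread: the same A question gets rcode=2 (SERVFAIL) with "3 throttled" when Postfix asks, and rcode=0 with two answers when dig asks. The following is an added example, not code from the thread or from the PowerDNS project, that parses "answer to question" lines from a pdns_recursor trace log and lists questions that received both a good and a failed answer. The sample log is constructed from the lines in the mail (re-joined onto single lines); all function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample built from the trace lines quoted in the mail above, with
# each wrapped log line joined back into one line. The first answers come from
# the recursor instance serving Postfix (pid 2512); the last one was logged
# while the same host was tested with dig (pid 2520).
SAMPLE_LOG = """\
Aug 15 18:21:07 mx0 pdns_recursor[2512]: 1 [16/1] question for 'nxp.com.|MX' from 127.0.0.1
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 1 [16/2] answer to question 'nxp.com.|MX': 1 answers, 0 additional, took 2 packets, 147.186 ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] question for 'nxp-com.mail.protection.outlook.com.|A' from 127.0.0.1
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] answer to question 'nxp-com.mail.protection.outlook.com.|A': 0 answers, 1 additional, took 9 packets, 595.218 ms, 3 throttled, 0 timeouts, 0 tcp connections, rcode=2
Aug 15 17:52:21 mx0 pdns_recursor[2520]: 2 [53/1] answer to question 'nxp-com.mail.protection.outlook.com.|A': 2 answers, 1 additional, took 2 packets, 111.056 ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
"""

PID_RE = re.compile(r"pdns_recursor\[(\d+)\]")
ANSWER_RE = re.compile(
    r"answer to question '(?P<qname>[^|']+)\|(?P<qtype>[A-Z0-9]+)': "
    r"(?P<answers>\d+) answers, (?P<additional>\d+) additional, "
    r"took (?P<packets>\d+) packets, (?P<ms>[\d.]+) ms, "
    r"(?P<throttled>\d+) throttled, (?P<timeouts>\d+) timeouts, "
    r"(?P<tcp>\d+) tcp connections, rcode=(?P<rcode>\d+)"
)

# DNS RCODE values (RFC 1035 / RFC 2136) as they appear in the trace lines.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


@dataclass
class AnswerRecord:
    pid: int
    qname: str
    qtype: str
    answers: int
    additional: int
    packets: int
    ms: float
    throttled: int
    timeouts: int
    rcode: int

    @property
    def rcode_name(self) -> str:
        return RCODE_NAMES.get(self.rcode, f"RCODE{self.rcode}")


def parse_answers(text: str) -> list:
    """Turn every 'answer to question' trace line into an AnswerRecord."""
    records = []
    for line in text.splitlines():
        m = ANSWER_RE.search(line)
        if not m:
            continue  # 'question for' lines and unrelated output are skipped
        pid = PID_RE.search(line)
        records.append(AnswerRecord(
            pid=int(pid.group(1)) if pid else 0,
            qname=m["qname"], qtype=m["qtype"],
            answers=int(m["answers"]), additional=int(m["additional"]),
            packets=int(m["packets"]), ms=float(m["ms"]),
            throttled=int(m["throttled"]), timeouts=int(m["timeouts"]),
            rcode=int(m["rcode"]),
        ))
    return records


def failed_answers(records: list) -> list:
    """Answers the recursor could not resolve (any rcode other than NOERROR)."""
    return [r for r in records if r.rcode != 0]


def inconsistent_questions(records: list) -> list:
    """(qname, qtype) pairs that received both a NOERROR and a failed answer.

    This is the symptom in the thread: the same A query succeeds for dig but
    fails for Postfix, so it is worth listing before changing any setting.
    """
    seen = {}
    for r in records:
        seen.setdefault((r.qname, r.qtype), set()).add(r.rcode)
    return sorted(q for q, codes in seen.items() if 0 in codes and len(codes) > 1)


if __name__ == "__main__":
    recs = parse_answers(SAMPLE_LOG)
    for r in failed_answers(recs):
        print(f"pid {r.pid}: {r.qname} {r.qtype} -> {r.rcode_name}, "
              f"{r.answers} answers, {r.throttled} throttled, {r.packets} packets, {r.ms} ms")
    print("inconsistent:", inconsistent_questions(recs))
```

Run it against a real trace (pdns_recursor started with --trace=yes, or the syslog lines) by replacing SAMPLE_LOG with the file contents; a question that shows up in inconsistent_questions() while Postfix still fails is a hint that the two clients may not be reaching the same resolver, which is what Leen's resolv.conf question is about.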
Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?
On Fri, May 20, 2016 at 08:10:23AM +0200, Bit World Computing - Michael Mertel wrote:
> Hi Leen,
>
> thanks for clearing this up. My approach was a bit too naive but my recursor
> is now returning what's expected.
>
> The +dnssec parameter is the essential trick, and depending on dnssec=off or
> =process in my recursor.conf the recursor is returning the correct
> information.
>
> Thanks for your feedback.
>

I forgot to mention: when you query a recursor, the recursor can also indicate that the response is DNSSEC-validated; you need to look at the AD bit. See the dig output here:

https://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation

You will need the AD bit if you have an application which depends on that, but it can't really be trusted unless it's running on the same machine, aka localhost.

But it is also an indicator from the recursor that it did the DNSSEC validation, so it's useful if you want to know what the recursor is doing.

> —Michael
>
>
>
> > On 19.05.2016 at 17:36, Leen Besselink <l...@consolejunkie.net> wrote:
> >
> > On Thu, May 19, 2016 at 03:00:12PM +0200, Bit World Computing - Michael
> > Mertel wrote:
> >> Hi,
> >>
> >
> > Hi,
> >
> >> I am currently trying to get a better understanding of DNSSEC. But even if
> >> I enable dnssec=process in my recursor.conf, I cannot get any DNSSEC
> >> related answer from it. What am I doing wrong here, I am somewhat lost?
> >>
> >> —
> >> --- direct query
> >> dig @ns1.denic.de ANY www.denic.de
> >> ;; ANSWER SECTION:
> >> www.denic.de. 3600 IN A 81.91.170.12
> >> www.denic.de. 3600 IN RRSIG A 8 3 3600
> >> 2016060209 2016051909 26155 denic.de.
> >> rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG
> >> lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO
> >> ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG
> >> AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp
> >> ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS
> >>
> >> ;; AUTHORITY SECTION:
> >> denic.de. 3600 IN NS ns2.denic.de.
> >> denic.de. 3600 IN NS ns3.denic.de.
> >> denic.de. 3600 IN NS ns1.denic.de.
> >>
> >> ;; ADDITIONAL SECTION:
> >> ns1.denic.de. 3600 IN A 81.91.170.1
> >> ns1.denic.de. 3600 IN 2a02:568:121:6:2::2
> >> ns2.denic.de. 3600 IN A 78.104.145.26
> >> ns3.denic.de. 3600 IN A 81.91.173.19
> >
> >
> > DENIC can return whatever they want with an ANY-query, but that doesn't
> > mean it's DNSSEC.
> >
> >>
> >> —
> >> — query through dnsdist —
> >> dig @192.168.1.5 ANY www.denic.de
> >>
> >> ;; ANSWER SECTION:
> >> www.denic.de. 2083 IN A 81.91.170.12
> >> www.denic.de. 2083 IN RRSIG A 8 3 3600
> >> 2016060109 2016051809 26155 denic.de.
> >> CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2
> >> oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8
> >> n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm
> >> YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z
> >> RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa
> >>
> >> —
> >> — query through recursor (no forwarders, dnssec=process) —
> >> dig -p 5153 @192.168.1.5 ANY www.denic.de
> >>
> >> ;; ANSWER SECTION:
> >> www.denic.de. 2724 IN A 81.91.170.12
> >>
> >> —
> >>
> >> Thanks in advance.
> >>
> >
> > This would be the usual way to check DNSSEC. Without:
> >
> > $ dig @d.ns.nic.cz labs.nic.cz A
> >
> > ; <<>> DiG 9.8.1-P1 <<>> @d.ns.nic.cz labs.nic.cz A
> > ; (2 servers found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60824
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
> > ;; WARNING: recursion requested but not available
> >
> > ;; QUESTION SECTION:
> > ;labs.nic.cz. IN A
> >
> > ;; ANSWER SECTION:
> > labs.nic.cz.
Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?
On Thu, May 19, 2016 at 03:00:12PM +0200, Bit World Computing - Michael Mertel wrote:
> Hi,

Hi,

> I am currently trying to get a better understanding of DNSSEC. But even if I
> enable dnssec=process in my recursor.conf, I cannot get any DNSSEC related
> answer from it. What am I doing wrong here, I am somewhat lost?
>
> —
> --- direct query
> dig @ns1.denic.de ANY www.denic.de
> ;; ANSWER SECTION:
> www.denic.de. 3600 IN A 81.91.170.12
> www.denic.de. 3600 IN RRSIG A 8 3 3600 2016060209
> 2016051909 26155 denic.de.
> rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG
> lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO
> ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG
> AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp
> ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS
>
> ;; AUTHORITY SECTION:
> denic.de. 3600 IN NS ns2.denic.de.
> denic.de. 3600 IN NS ns3.denic.de.
> denic.de. 3600 IN NS ns1.denic.de.
>
> ;; ADDITIONAL SECTION:
> ns1.denic.de. 3600 IN A 81.91.170.1
> ns1.denic.de. 3600 IN 2a02:568:121:6:2::2
> ns2.denic.de. 3600 IN A 78.104.145.26
> ns3.denic.de. 3600 IN A 81.91.173.19

DENIC can return whatever they want with an ANY-query, but that doesn't mean it's DNSSEC.

>
> —
> — query through dnsdist —
> dig @192.168.1.5 ANY www.denic.de
>
> ;; ANSWER SECTION:
> www.denic.de. 2083 IN A 81.91.170.12
> www.denic.de. 2083 IN RRSIG A 8 3 3600 2016060109
> 2016051809 26155 denic.de.
> CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2
> oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8
> n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm
> YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z
> RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa
>
> —
> — query through recursor (no forwarders, dnssec=process) —
> dig -p 5153 @192.168.1.5 ANY www.denic.de
>
> ;; ANSWER SECTION:
> www.denic.de. 2724 IN A 81.91.170.12
>
> —
>
> Thanks in advance.
>

This would be the usual way to check DNSSEC.

Without:

$ dig @d.ns.nic.cz labs.nic.cz A

; <<>> DiG 9.8.1-P1 <<>> @d.ns.nic.cz labs.nic.cz A
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60824
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;labs.nic.cz. IN A

;; ANSWER SECTION:
labs.nic.cz. 1800 IN A 217.31.205.52

;; AUTHORITY SECTION:
nic.cz. 1800 IN NS a.ns.nic.cz.
nic.cz. 1800 IN NS b.ns.nic.cz.
nic.cz. 1800 IN NS d.ns.nic.cz.

;; ADDITIONAL SECTION:
a.ns.nic.cz. 1800 IN A 194.0.12.1
a.ns.nic.cz. 1800 IN 2001:678:f::1
b.ns.nic.cz. 1800 IN A 194.0.13.1
b.ns.nic.cz. 1800 IN 2001:678:10::1
d.ns.nic.cz. 1800 IN A 193.29.206.1
d.ns.nic.cz. 1800 IN 2001:678:1::1

With DNSSEC:

$ dig +dnssec @d.ns.nic.cz labs.nic.cz A

; <<>> DiG 9.8.1-P1 <<>> +dnssec @d.ns.nic.cz labs.nic.cz A
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54051
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 10
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;labs.nic.cz. IN A

;; ANSWER SECTION:
labs.nic.cz. 1800 IN A 217.31.205.52
labs.nic.cz. 1800 IN RRSIG A 5 3 1800 20160531125753 20160518035002 37152 nic.cz.
0xzEtxkFeiOrdU2dqdKWmltIQEHn28Rv3bZKepOFmr3EUDcQDiGtWoV4
CRUdrcKAoP9Gjq31qqHjYd7xvKJo54jb9IMI42X6PTHe+Mm/dgyYgoQw
wdMjd+i/oEGF9MH/6BYbviaStGK5ocAsbB49pbvJW1Fh+e8rcTiHt9tt
wlU=

;; AUTHORITY SECTION:
nic.cz. 1800 IN NS a.ns.nic.cz.
nic.cz. 1800 IN NS b.ns.nic.cz.
nic.cz. 1800 IN NS d.ns.nic.cz.
nic.cz. 1800 IN RRSIG NS 5 2 1800 20160531192914 20160518035002 37152 nic.cz.
eddprYYJBlc+xmv1WAuOLJ8zek0G4dtXlOSx3cNp4KFwscwsKBKD07k7
jScwCdvHZsnD2tOjDtJ0cPyMl/JffL9s4lXp5nqh7rtrTPPHMzqER3Zy
MsY+/Nl0MJV3Z15wRzgSvnG/EjXxHLJ+vRIShWceXXhdFCt+5vR2wwng
evk=

;; ADDITIONAL SECTION:
a.ns.nic.cz. 1800 IN A 194.0.12.1
a.ns.nic.cz. 1800 IN 2001:678:f::1
b.ns.nic.cz. 1800
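Two things in this thread are easy to get wrong at the wire level: "+dnssec" only adds an EDNS OPT record with the DO bit to the query (without it, no server will include RRSIGs), and the AD bit in a response only means something when it comes from a validating recursor, which is Leen's point in the follow-up. The example below is added here and is not code from the thread or from PowerDNS; it builds the query that dig +dnssec sends, checks the DO bit, and classifies responses from their header flags using only the standard library. All function names, the constructed sample headers and the "trustworthy only from localhost" rule are this example's own assumptions.

```python
import struct

TYPE_A, TYPE_OPT = 1, 41
# Header flag bits (RFC 1035; AD and CD from RFC 4035).
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020, 0x0010
# DNSSEC OK: top bit of the 16-bit flags field that lives in the OPT RR's TTL (RFC 3225).
EDNS_DO = 0x8000
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname: str, qtype: int = TYPE_A, qid: int = 0x1234,
                dnssec_ok: bool = True, udp_size: int = 1232) -> bytes:
    """Build the wire query 'dig +dnssec' sends: RD set and, when dnssec_ok,
    an OPT pseudo-RR in the additional section carrying DO=1."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    if dnssec_ok:
        # OPT RR: root owner (0x00), TYPE 41, CLASS = requestor's UDP payload
        # size, TTL = extended-rcode(8) | version(8) | flags(16), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return msg


def query_has_do(query: bytes) -> bool:
    """True when the query's trailing OPT RR has DO set. Assumes the OPT RR is
    the only additional record, which is what build_query emits."""
    if struct.unpack("!H", query[10:12])[0] == 0:
        return False
    opt = query[-11:]
    rtype, _size, ttl, _rdlen = struct.unpack("!HHIH", opt[1:])
    return opt[0] == 0 and rtype == TYPE_OPT and bool(ttl & EDNS_DO)


def parse_header(message: bytes) -> dict:
    """Decode the 12-byte DNS header into named flags and section counts."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": qid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
        "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
        "rcode": RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def interpret(message: bytes) -> str:
    """Classify a response the way the thread does: only a recursor's AD bit
    means 'validated'; an authoritative answer (aa set) never carries AD."""
    h = parse_header(message)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == "SERVFAIL":
        return "servfail"
    if h["aa"]:
        return "authoritative-unvalidated"
    return "validated" if h["ad"] else "unvalidated"


def ad_bit_trustworthy(message: bytes, resolver_ip: str) -> bool:
    """Leen's caveat: AD is only worth acting on when the validating recursor
    is on the same host, because the bit travels unprotected over the wire."""
    return parse_header(message)["ad"] and resolver_ip in ("127.0.0.1", "::1")


def _response(flags: int) -> bytes:
    # Constructed 12-byte headers; the body is irrelevant for flag inspection.
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)


SAMPLE_VALIDATED = _response(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)  # "flags: qr rd ra ad"
SAMPLE_AUTHORITATIVE = _response(FLAG_QR | FLAG_AA | FLAG_RD)         # "flags: qr aa rd" as in the post
SAMPLE_SERVFAIL = _response(FLAG_QR | FLAG_RD | FLAG_RA | 2)          # rcode=2

if __name__ == "__main__":
    q = build_query("www.denic.de")
    print(len(q), "byte query, DO set:", query_has_do(q))
    for label, resp in (("recursor", SAMPLE_VALIDATED), ("auth", SAMPLE_AUTHORITATIVE), ("fail", SAMPLE_SERVFAIL)):
        print(label, interpret(resp), "trust AD from 192.168.1.5:", ad_bit_trustworthy(resp, "192.168.1.5"))
```

To use it against a live server, send build_query() over a UDP socket to port 53 and pass the reply to interpret(); the "udp: 1232" in the OPT record matches the EDNS buffer size shown in the dig output above.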
Re: [Pdns-users] Fwd: Power DNS recursor entered failed state
On Mon, Dec 07, 2015 at 11:23:31AM +, Federico Olivieri wrote:
> Hi Guys,
>
> Not 100% sure if it is a PDNS problem but yesterday I upgraded it (by
> mistake!) via the apt-get command and now I'm running
> version 0.0.410g1cfe8b4
>
> Since the upgrade the memory allocation seems not uniform compared to before
>
> Also, it seems that it stops running after a while and I need to restart the
> process manually
>
> That is the error from syslog
>
> Dec 07 10:54:45 T1000 kernel: pdns_recursor[30724]: segfault at 0 ip
> 7ff1c8464a94 sp 7ff1bcac4830 error 4 in
> pdns_recursor[7ff1c82ae000+276000]
> Dec 07 10:54:45 T1000 systemd[1]: pdns-recursor.service: main process
> exited, code=killed, status=11/SEGV
> Dec 07 10:54:45 T1000 systemd[1]: Unit pdns-recursor.service entered failed
> state.
>
> Also, you can see the server on Metronome with the name of t1000-gtel
>
> Any suggestion? Any quick way to roll back the PDNS version installed?
>

Sounds like you are using Debian or Ubuntu or a similar flavor. Here is how you do that with apt-get/dpkg:

If you look in /var/log/apt/ you can see what the previous version was that was installed:

Preparing to replace pdns-recursor old-version (using .../pdns-recursor-new-version.deb) ...

Probably best to use apt-get to install the old version:

apt-get install pdns-recursor=version-number

If that doesn't work: you can look in /var/cache/apt/archives/, you might find the old version. Depending on the dependencies, you might be able to just install the old version with:

dpkg -i /var/cache/apt/archives/pdns-recursor-something.deb

> Thank You
>
> P.S.
>
> I re-sent the e-mail without the image attached because it was too big
>
> Federico
Re: [Pdns-users] PDNS 3.x with PDNS 2.9.x Database Schema
On Wed, Jul 22, 2015 at 02:10:34PM +0200, Jan-Piet Mens wrote:
> (no need to take this off-list)
>
> > the only problem is that I am doing MySQL master/slave database replication.
> > upgrading the schema on the slave(s) will break the replication process
> > unfortunately.
>
> You spoke of PowerDNS master and slaves from which I gathered AXFR.
>
> -JP

If I remember correctly you should be able to upgrade the database schema of all PowerDNS servers without any problems:

Q: Can 2.9.x versions read the 3.0 DNSSEC database schema?
A: Yes, every database can be altered to the new schema without impact on 2.9. The new fields and tables are ignored.

https://doc.powerdns.com/md/authoritative/upgrading/#database-schema
Re: [Pdns-users] DNSSEC trouble
Hi Peter,

Just had a quick look at the docs. What version are you running? Did you see this?:

When using slaves that AXFR your signed zones, be sure that your slaves actually support serving DNSSEC. Some servers will gladly AXFR a signed zone, but not perform DNSSEC processing on it. This goes for PowerDNS 2.9.x

http://wiki.powerdns.com/trac/wiki/LargeScaleDNSSECBCP

Have a good day,
Leen.
Re: [Pdns-users] DNSSEC trouble
On Wed, May 20, 2015 at 12:26:50PM +0200, Leen Besselink wrote:
> On Wed, May 20, 2015 at 12:16:02PM +0200, Peter Thomassen wrote:
> > Dear experts,
> >
> > I'm sorry to bug you again, but I am still stuck with deploying DNSSEC for desec.io, and I'd like to ask for your help once more.
> >
> > I have a hidden primary which does the signing in live mode (MySQL backend), and two public nameservers ns1.desec.io and ns2.desec.io which receive the zones via AXFR (bind backend). All are using PowerDNS 3.3 from Ubuntu 14.04.
> >
> > After communicating my DS records to the .io registry, the DNSSEC debugger http://dnssec-debugger.verisignlabs.com/desec.io tells me that everything is fine, except that desec.io does not have RRSIG records, and my resolver says SERVFAIL. Screenshot: https://www.a4a.de/_temp/DNSSEC.png (I removed the DS records again from the .io zone.)
> >
> > However,
> >
> > dig RRSIG desec.io @ns1.desec.io
> > dig RRSIG desec.io @ns2.desec.io
> >
> > gives the RRSIG records. Why does the debugger not find them?
>
> Hi,
>
> Wouldn't consider myself an expert, but RRSIG isn't normally something you query for; these are the signatures which get added to a DNSSEC-signed response.
>
> Judging by the image it looks like the DNSSEC debugger does 3 queries:
>
> dig @ns1.desec.io +dnssec +norec desec.io DS
> # that worked and did include the RRSIG records
>
> # these failed:
> dig @ns1.desec.io +dnssec +norec desec.io DNSKEY
> dig @ns1.desec.io +dnssec +norec desec.io A
>
> Here is a working example with an RRSIG for the DNSKEY query:
>
> $ dig +dnssec +norec @194.171.17.10 nl. DNSKEY
>
> ; <<>> DiG 9.8.1-P1 <<>> +dnssec +norec @194.171.17.10 nl. DNSKEY
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9281
> ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;nl. IN DNSKEY
>
> ;; ANSWER SECTION:
> nl. 7200 IN DNSKEY 256 3 8
> AwEAActQKGjyxDvKZrmtecDqXu5i7hDRnkBH71kukkBWMqi7GlRVnwng
> tXGLg41p8cBP+HsLLDxr125ukadG0peYLfjx5gBj0CE6VMguwqRtn7MP
> MIym5outGSRm2uTcO7mxp1ZykusE1GnavVFDUhgoipGaXQ/q0w3Lpyij
> NE9GZmyH
> nl. 7200 IN DNSKEY 257 3 8
> AwEAAbgqMqYHpmZrqQd3zFNOzYv2lw8bWBnrtK9TjlwK/ZBYMwKGR6TN
> bmMuwdjebpIE2vFxTHGLQfb2PmUJpazAGkG0fUaqrjuIU99Qbe5hwLYX
> qyGe2Mm+ZNRsomBxhluR/ky/XX4V1TjTqeXYH4gkzEs7I6og5IE0tKyh
> hpU38XHtuFVj7uunIAWGn5g9tZ0ZNnv8CkwLE5hLmRf+AoNTd483ZBX4
> FUT32KbF6XV3ikctXbsMe2GqGlIf0gMqJQbNvYf1NuNMbxauh9YavEQ0
> yaavI1hz5eLMJRruq4wDTyRnMJHupxY69oZZ9IbIsEf0FurtaA7fXrAx
> qcfEfARr4b0=
> nl. 7200 IN RRSIG DNSKEY 8 1 7200 20150526002957 20150511201503 21362 nl.
> lXOt9uoPC+0NdnY2GiPVvCSwK2XeJVfMu1r8d84k47Au2sYc3rExtCGQ
> JT7Smx6heHQ8kWPPLJ58FTd0oht5yG/0E6Voe2qNh5xKp8htoseTEysv
> hejOXEevpWkxfkc3JFu7qHzYqNYAEIwKNXIWMhxmVarhwACKkKIelZXy
> 6o/hD2JspOHCzZO6uK5X1pRQyBFnRt2PgZ6oMWCi4h7/mMNQRAAqcR1V
> hFmBnYEPQuk3Twiq6geHdP3aq0FxvHnUqHXczVPz2BAf6bV4sl2XRjxP
> EEtmSRRAkkT8YTNOlKytU8V5bnjAMqeh3nkIHvugdJzDwrkODhrIsLKo
> 3ywe/A==
>
> ;; Query time: 7 msec
> ;; SERVER: 194.171.17.10#53(194.171.17.10)
> ;; WHEN: Wed May 20 12:25:14 2015
> ;; MSG SIZE rcvd: 745
>
> Hope that helps.
>
> As I mentioned, I'm no expert so I forgot to add:
> The DS is signed by the parent, so that is why the DS-query did work.
>
> As we can see, no RRSIG-record on your domain, my guess would be the transferred domain isn't properly signed before it's transferred:
>
> $ dig +dnssec +norec @ns1.desec.io desec.io DNSKEY
>
> ; <<>> DiG 9.8.1-P1 <<>> +dnssec +norec @ns1.desec.io desec.io DNSKEY
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41947
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 2800
> ;; QUESTION SECTION:
> ;desec.io. IN DNSKEY
>
> ;; ANSWER SECTION:
> desec.io. 3600 IN DNSKEY 257 3 8
> AwEAAcw5QLr0IjC0wKbGoBPQv4qmeqHy9mvL5qGQTuaG5TSrNqEAR6b/
> qvxDx6my4JmEmjUPA1JeEI9YfTUieMr2UZflu7aIbZFLw0vqiYrywCGr
> CHXLalOrEOmrvAxLvq4vHtuTlH7JIszzYBSes8g1vle6KG7xXiP3U5Ll
> 96Qiu6bZ31rlMQSPB20xbqJJh6psNSrQs41QvdcXAej+K2Hl1Wd8kPri
> ec4AgiBEh8sk5Pp8W9ROLQ7PcbqqttFaW2m7N/Wy4qcFU13roWKDEAst
> bxH5CHPoBfZSbIwK4KM6BK/uDHpSPIbiOvOCW+lvu9TAiZPc0oysY6as
> lO7jXv16Gws=
> desec.io. 3600 IN DNSKEY 256 3 8
> AwEAAday3UX323uVzQqtOMQ7EHQYfD5Ofv4akjQGN2zY5AgB/2jmdR/+
> 1PvXFqzKCAGJv4wjABEBNWLLFm7ew1hHMDZEKVL17aml0EBKI6Dsz6Mx
> t6n7ScvLtHaFRKaxT4i2JxiuVhKdQR9XGMiWAPQKrRM5SLG0P+2F+TLK
> l3D0L/cD
>
> ;; Query time: 85 msec
> ;; SERVER: 54.88.76.245#53(54.88.76.245)
> ;; WHEN: Wed May 20 12:30:26 2015
> ;; MSG SIZE rcvd: 461
>
> I would try the same query on the hidden master first.

Thanks a lot for your help,
Peter

--
OpenPGP Key: 0x3EF22D2F
Re: [Pdns-users] DNSSEC trouble
On Wed, May 20, 2015 at 01:34:59PM +0200, Peter Thomassen wrote:
> Hi Leen,
>
> On 05/20/2015 12:32 PM, Leen Besselink wrote:
> > # these failed:
> > dig @ns1.desec.io +dnssec +norec desec.io DNSKEY
> > dig @ns1.desec.io +dnssec +norec desec.io A
> >
> > Here is a working example with an RRSIG for the DNSKEY query:
> > [...]
> > As we can see, no RRSIG-record on your domain, my guess would be the transferred domain isn't properly signed before it's transferred:
> >
> > $ dig +dnssec +norec @ns1.desec.io desec.io DNSKEY
> > [...]
> > I would try the same query on the hidden master first.
>
> I did try that, and when I query the hidden master, in fact I do get the RRSIG records for free. Why is that not the case for the slaves?
>
> I made the hidden master available at desec.io temporarily -- so, compare
>
> dig +dnssec +norec @desec.io desec.io A
> dig +dnssec +norec @ns1.desec.io desec.io A
>
> This really confuses me.

Does your slave have DNSSEC enabled in the config? Looks like the BIND zone file backend needs:

bind-dnssec-db

https://doc.powerdns.com/md/authoritative/backend-bind/

And maybe you need to do an extra step?:

PowerDNS needs to know if a zone should receive DNSSEC processing. To configure, run pdnssec set-presigned zone.

https://doc.powerdns.com/md/authoritative/dnssec/#from-existing-dnssec-non-powerdns-setups-pre-signed

> Best,
> Peter
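The check Leen applies in this thread and the previous one is simple to state: send the DNSKEY or A query with +dnssec +norec to each server and see whether the answer section carries an RRSIG covering the queried type; the hidden master did, the bind-backend slaves did not. The following added example (not from the thread and not PowerDNS code) does that inspection on raw DNS wire messages, including RFC 1035 name compression, so it can be pointed at a real reply captured from a socket. The response builder, the placeholder RRSIG rdata and the 192.0.2.1 address are constructed for the demonstration; all function names are this example's own.

```python
import struct

TYPE_A, TYPE_RRSIG, TYPE_DNSKEY = 1, 46, 48
TYPE_NAMES = {TYPE_A: "A", TYPE_RRSIG: "RRSIG", TYPE_DNSKEY: "DNSKEY"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(msg: bytes, off: int):
    """Decode the name at msg[off], following compression pointers (RFC 1035 4.1.4).
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # two-byte pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def answer_rrs(msg: bytes) -> list:
    """Return (owner, type, rdata) for every RR in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    rrs = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((owner, rtype, msg[off:off + rdlen]))
        off += rdlen
    return rrs


def check_signed_answer(msg: bytes, qtype: int) -> dict:
    """Report whether the answer holds data of the queried type and an RRSIG
    whose 'type covered' field (first two bytes of RRSIG rdata) names it."""
    rrs = answer_rrs(msg)
    has_data = any(t == qtype for _, t, _ in rrs)
    signed = any(t == TYPE_RRSIG and struct.unpack("!H", rd[:2])[0] == qtype
                 for _, t, rd in rrs)
    return {"has_data": has_data, "signed": signed,
            "types": [TYPE_NAMES.get(t, str(t)) for _, t, _ in rrs]}


# --- constructed sample responses (not captured from the servers in the thread) ---

def build_response(qname: str, qtype: int, answers: list) -> bytes:
    """Minimal wire response: header with qr+aa, the question, then answer RRs
    whose owner is a compression pointer to the question name at offset 12."""
    msg = struct.pack("!HHHHHH", 0x2a2a, 0x8400, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg


def fake_rrsig_rdata(type_covered: int, signer: str) -> bytes:
    """RRSIG rdata layout (RFC 4034 3.1) with placeholder timing/key-tag values
    and an obviously fake signature; only 'type covered' matters to the check."""
    fixed = struct.pack("!HBBIIIH", type_covered, 8, 2, 3600, 0, 0, 12345)
    return fixed + encode_name(signer) + b"\x00" * 16


A_RDATA = bytes([192, 0, 2, 1])   # constructed documentation-range address
SIGNED = build_response("desec.io", TYPE_A,
                        [(TYPE_A, A_RDATA), (TYPE_RRSIG, fake_rrsig_rdata(TYPE_A, "desec.io"))])
UNSIGNED = build_response("desec.io", TYPE_A, [(TYPE_A, A_RDATA)])   # what the slaves returned

if __name__ == "__main__":
    for label, resp in (("hidden master", SIGNED), ("slave", UNSIGNED)):
        print(label, check_signed_answer(resp, TYPE_A))
```

A reply where has_data is true but signed is false is exactly the slave symptom above: the zone arrived by AXFR, but the server answering is not doing DNSSEC processing for it.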
Re: [Pdns-users] Security of DNSSEC signing (was: New to PowerDNS)
On Fri, Jun 27, 2014 at 01:26:07AM +0200, Michael Ströder wrote:
> k...@rice.edu wrote:
> > On Thu, Jun 26, 2014 at 10:21:06PM +0100, Jorge Bastos wrote:
> > > For the DNSSEC part, is there a way to create the DNSSEC information just by SQL?
> > > If not, the solution is to run pdnssec secure-zone ZONE in a loop on a cron script, am I right?
> >
> > I do not know about a SQL only solution for MySQL DNSSEC signing, but I know that there is a sample schema for Oracle that includes the needed triggers and functions and that I have a basically complete version of the same for PostgreSQL that I will be submitting to the PDNS folks once we have it vetted for production.
>
> Hmm, am I the only one who is concerned about the security of the signing process?
>
> Please don't get me wrong. But people are advocating DANE nowadays and aim to completely replace X.509 certs with that. So security of the signed RRs is crucial just like issuing X.509 certs.
>
> And yes, I know that it's hard to achieve a higher level of operational security.
>
> Ciao, Michael.

Hi Michael,

DNSSEC allows a domain owner to be as secure or insecure as they want to be.

You can do online or offline signing. Or do part of the signing online and part of it offline, because DNSSEC allows the use of a Zone Signing Key and a Key Signing Key for your domain.

Or you can choose to not use DNSSEC at all.

Online signing is similar to most VPN and SSL/TLS deployments, like HTTPS/POP3S/IMAPS.

Offline signing allows you to put the key in a 24/7 guarded safe.

Most Certificate Authorities do online signing too. Just look at OCSP. Probably they only use that for their sub-CAs (that is the certificate of the intermediate you need when you deploy for HTTPS, etc.).

Does that now make you less or more concerned?

Have a good weekend,
Leen.
Re: [Pdns-users] Recursor
On Wed, Apr 23, 2014 at 01:49:17PM +0200, Johan Kooijman wrote:
> Hi all,
>
> I'm seeing something I cannot explain. I've set up my pdns daemon to send requests for recursion to Google DNS for now. But when I execute a host lookup, I'm seeing this:
>
> [13:35:42 jkooijman /home/jkooijman]$ host cnn.com IP
> Using domain server:
> Name: hostname
> Address: IP#53
> Aliases:
>
> cnn.com.jkit.nl mail is handled by 10 mail.jkit.nl.
>
> Now.. jkit.nl is a domain in the DNS database itself, but I don't really understand why pdns adds it to my query.

It's probably based on your /etc/resolv.conf

One tip: do not test with nslookup or host, they are trying to be smart.

Try testing with dig, it does what you ask it to do and nothing more:

dig @server-ip cnn.com

(the default query is for 'A')

> My config:
>
> setuid=pdns
> setgid=pdns
> launch=gmysql
> gmysql-host=localhost
> gmysql-user=username
> gmysql-password=password
> gmysql-dbname=dns
> disable-axfr=no
> allow-axfr-ips=127.0.0.1/32 more IP's
> allow-recursion=127.0.0.1/32 more IP's
> recursor=8.8.8.8
> local-address=IP
> loglevel=2
>
> Am I missing something here?
>
> --
> Met vriendelijke groeten / With kind regards,
>
> Johan Kooijman
Re: [Pdns-users] Insert foreign DNSKEY?
On Wed, Mar 05, 2014 at 03:43:02PM +0100, Gilles Massen wrote:
> Hello,
>
> This feels a bit like an FAQ, but I wasn't able to dig it out, so: how can I insert a 'foreign' DNSKEY record in a zone? I don't have the key material, but I want it signed by the pdns-managed keys (it is for a secure DNS operator change).
>
> What I tried is an insert into records, type=DNSKEY and content=257 3 8 public key, but that seems to be happily ignored. Any clues?

Hi Gilles,

The latest version of PowerDNS Authoritative Server is 3.3.1. That version has an option called direct-dnskey. Which might have been available in an earlier version, but that code was still experimental.

It is mentioned in the documentation here:

http://doc.powerdns.com/html/dnssec-transfers.html

Hope that helps.

> best,
> Gilles

Have a good day,
Leen.

> --
> Fondation RESTENA - DNS-LU
> 6, rue Coudenhove-Kalergi
> L-1359 Luxembourg
> tel: (+352) 424409
> fax: (+352) 422473
Re: [Pdns-users] PDNS on ispconfig 3
On Wed, Feb 26, 2014 at 09:27:42AM +0100, Steffan Noord wrote:
> I'm not sure if this was sent to the list, I didn't receive the e-mail myself.

It did reach the list, no worries.

> -----Original Message-----
> From: Steffan Noord [mailto:steffanno...@gmail.com]
> Sent: Tuesday, 25 February 2014 9:08
> To: pdns-users@mailman.powerdns.com
> Subject: PDNS on ispconfig 3
>
> Hello list,
>
> Is it possible to use powerdns with the ispconfig 3 interface? On their site it says yes but I can only find very old threads about it.
>
> Is there a howto somewhere? I already use pdns but want to start using ispconfig.
>
> Thanks
>
> Steffan
Re: [Pdns-users] Installing PDNS Server on Raspberry Pi (wheezy)
On Fri, Aug 16, 2013 at 02:31:56PM +0200, abang wrote:
> Hi Gerald,
>
> it works on my Pi. So there must be a config failure on your side. Please try
>
> /usr/sbin/pdns_recursor --daemon=no --trace=yes
>
> on the command line and try again with dig and post us the error messages if present.

I would try running dig on the Pi:

dig @127.0.0.1 facebook.com A

to see if it's the IP/subnet check.

> On 16.08.2013 14:20, Gerald wrote:
> > Hi Marc,
> >
> > I have done as written in the citation below and the compilation worked, printing a lot of messages like this:
> >
> > Warning: swp{b} use is deprecated for this architecture
> >
> > The program is running, but not delivering an address:
> >
> > pechoc@bmeson-a:~$ dig facebook.com A @192.168.10.233
> >
> > ; <<>> DiG 9.8.1-P1 <<>> facebook.com A @192.168.10.233
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4233
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;facebook.com. IN A
> >
> > ;; Query time: 8 msec
> > ;; SERVER: 192.168.10.233#53(192.168.10.233)
> > ;; WHEN: Fri Aug 16 14:13:11 2013
> > ;; MSG SIZE rcvd: 30
> >
> > I have a Raspberry Pi Type B with Debian Wheezy.
> >
> > kind regards
> > Gerald
> >
> > On 2013-08-16 13:58, Marc Haber wrote:
> > > pdns-users is an English language mailing list.
> > >
> > > On Fri, Aug 16, 2013 at 10:09:44AM +0200, abang wrote:
> > > > but I need one for Debian on Raspberry Pi.
> > > > I don't know where you can get a ready-made binary for armv6l. But you could try compiling it yourself.
> > > >
> > > > apt-get install libboost-dev
> > > > wget http://downloads.powerdns.com/releases/pdns-recursor-3.5.2.tar.bz2
> > > > tar -xjf pdns-recursor-3.5.2.tar.bz2
> > > > cd pdns-recursor-3.5.2
> > > > ./configure
> > > > make all
> > > >
> > > > I'm trying it too right now. It does take what feels like forever on the Pi, though ;-)
> > >
> > > The PowerDNS recursor cannot be compiled on arm architectures. It needs a feature called swapcontext which is not available on arm. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579194
> > >
> > > Greetings
> > > Marc
Re: [Pdns-users] [Pdns-dev] PowerDNS Authoritative Server 3.3 Release Candidate 1 available
Hi,

> * commit 496073b: Since 3.0, pdnssec secure-zone has always generated 3 keys: one KSK and two ZSK, with one ZSK active. For most, if not almost all, users, this inactive ZSK is never used. We now no longer generate this useless ZSK. The resulting smaller DNSKEY RRset improves interoperability with certain validators. Closes ticket 824.

Peter,

I assume this means it's still in the database and in the pdnssec output, but PowerDNS won't send it to DNS clients?

Have a great day,
Leen.
Re: [Pdns-users] publish SPF and TXT records?
On Thu, Sep 06, 2012 at 02:35:13PM +, Marc van de Geijn wrote:
> Thanks, Arsen, for this information.
>
> Are there any statistics on the number of mailservers/... requesting SPF records instead of TXT records? I know some of the software on our mailservers doesn't even try SPF.
>
> isc.org and ietf.org do publish both, but they seem to be the exception. hotmail.com, gmail.com, sendmail.com and many others only have TXT and no SPF.
>
> -----Original Message-----
> From: Arsen STASIC [mailto:arsen.sta...@univie.ac.at]
> Sent: Thursday, 6 September 2012 16:15
> To: Marc van de Geijn
> CC: Peter van Dijk; pdns-users Users
> Subject: Re: [Pdns-users] publish SPF and TXT records?
>
> * Marc van de Geijn m...@bhosted.nl [2012-09-05 16:14 (+)]:
> > According to RFCs the DNS server should publish both SPF and TXT.
> > We now create the SPF, but not the TXT version of the same SPF.
>
> Hi Marc,
>
> Just take into consideration the ongoing IETF discussion about obsoleting the SPF RR.
>
>   12.1. The SPF DNS Record Type
>
>   Per [RFC4408], the IANA assigned the Resource Record Type and Qtype from the DNS Parameters Registry for the SPF RR type with code 99. The format of this type is identical to the TXT RR [RFC1035]. The character content of the record is encoded as [US-ASCII]. Use of this record type is obsolete for SPF Version 1. IANA is requested to add an annotation to the SPF RRTYPE saying (OBSOLETE - use TXT) in the DNS Parameters registry. [NOTE TO RFC EDITOR: (to be changed to ... has added ... upon publication)]
>
> This is taken from the latest draft:
> https://tools.ietf.org/wg/spfbis/draft-ietf-spfbis-4408bis/draft-ietf-spfbis-4408bis-06-from-05.wdiff.html
>
> just my 2ct
> -arsen
Re: [Pdns-users] suspend domains
On Fri, Aug 03, 2012 at 04:44:00PM -0300, Mitsue Acosta Murakami wrote:
> Hello,
>
> I am using powerdns 2.9.22-8 with MySQL backend on Debian Squeeze and I need to disable domains from pdns without deleting them. I followed these instructions:
>
> http://osdir.com/ml/network.dns.powerdns.user/2006-06/msg00144.html
>
> I added a field status to the domains table but it doesn't work. Does anyone know where I can find instructions to do this configuration?
>
> Any help will be highly appreciated.

The one you linked to (this is more readable):

http://osdir.com/ml/network.dns.powerdns.user/2006-06/msg00138.html

is actually the way to do it.

Did you add the same status-column as described: char (1)?

I think you need to add it to the domains and records tables.

Did you set an 'A' in each status-column?

Did you change the queries as described on the mailing list?

> --
> Mitsue
Re: [Pdns-users] configuring ALSO-NOTIFY support using the domain metadata table
On 08/18/2011 05:22 PM, Bauer, Steven J. wrote:
> > -----Original Message-----
> > From: bert hubert [mailto:bert.hub...@netherlabs.nl]
> > Sent: Thursday, August 18, 2011 9:11 AM
> > To: Bauer, Steven J.
> > Cc: pdns-users@mailman.powerdns.com
> > Subject: Re: [Pdns-users] configuring ALSO-NOTIFY support using the domain metadata table
> >
> > On Thu, Aug 18, 2011 at 08:53:11AM -0600, Bauer, Steven J. wrote:
> > > After looking through the source it appears that dnssec queries have to be enabled to get data out of the domainMetadata table. In the code file
> >
> > Hi Steven,
> >
> > This is indeed correct. If the 'gmysql-dnssec' (or gpsql- or gsqlite3-) flag is not specified, PowerDNS can't assume the domainmetadata table is there.
> >
> > The '-dnssec' flag really means 'the database has been set up for dnssec support', not 'everything is dnssec'.
>
> With this flag though it implies more functionality changes in the software, doesn't it? Things like using the auth columns, or am I misunderstanding the discussions that have happened over the past few weeks on the list?

DNSSEC is enabled on a per-domain basis based on the domainmetadata table. So if you don't enable it on any domains, everything else should stay the same. It should not look at the auth columns.

> Steve
>
> > Bert
> >
> > --
> > PowerDNS Website: http://www.powerdns.com/
> > PowerDNS Community Website: http://wiki.powerdns.com/
Re: [Pdns-users] DNSSEC rectify-zone setuid and setgid
On 08/05/2011 06:31 AM, kim Doff wrote:

Hello,

Hi,

Could you help me?

Well, I can try and give you some information and pointers.

1. DNSSEC Master/Slave are working faultlessly. I have PowerDNS v3, PowerAdmin 2.1.5 and MySQL Database Replication With SSL Encryption. Here is my question. When I modify zone domain.com through PowerAdmin by adding a subdomain like test.domain.com, Master/Slave are updated (SOA serial is updated) but Master/Slave do not bind test.domain.com. I have to rectify zone domain.com in Master to bind test.domain.com in Master/Slave:

# pdnssec rectify-zone domain.com

Is there a way to do it automatically through PowerDNS?

First you'll have to know where all the documentation is:
http://powerdnssec.org/
http://wiki.powerdns.com/trac/wiki/PDNSSEC
http://doc.powerdns.com/powerdnssec-auth.html
http://wiki.powerdns.com/trac/wiki/PDNSSEC/details
http://wiki.powerdns.com/trac/wiki/PDNSSEC/backends

Next you should know that if you choose how PowerDNS should do the live-signing for the domain. If you choose one that does not need an ordered zone, like for example NSEC3-narrow, you can just add the right auth=TRUE to the database and it will 'just work'. Because that is all that rectify-zone does for un-ordered zones. (zone-transfers will not be signed by the way with NSEC3-narrow, if I remember correctly, if you need them you might not want to choose that)

2. When I enable setuid=pdns and setgid=pdns in pdns.conf, Master/Slave are down.

Have you tried running pdns_server with --daemon=no --guardian=no --config=/your-config ? I think this should not detach from the console. If you also add something like strace -f -F then you can also see what it is doing. There must be something that the pdns-user or -group does not have rights to that it needs.

Why?

Thanks,
Kim
Re: [Pdns-users] PowerDNS in an ISP environment
On 08/16/2011 09:42 PM, Erik Weber wrote:

On Tue, Aug 16, 2011 at 8:29 PM, Anthony Eden anthonye...@gmail.com wrote:

On Tue, Aug 16, 2011 at 8:23 PM, Posner, Sebastian s.pos...@telekom.de wrote:

Erik Weber wrote: Some other things to consider why running PDNS is better: [...] Just shooting in with a feature that I just came to remember. 6) Fancy records. 3.0 doesn't support fancy records any more.

I, for one, am sad about this.

We're still running PowerDNS 2.x and haven't faced this change yet. Shouldn't it be a matter of extending the records table with a column with the URL information, and just insert the record as a normal A record? Your management software and the forwarding software would have to confront the URL field, but to PowerDNS it should look like a normal record.

I've never seen the need for the use of any 'special' record for redirects. I prefer simple, hopefully future proof, solutions.

We used a separate table from the start in the same database as PowerDNS uses* so the management software does not need 2 databases and can join some tables if needed. We just have the management software insert the A-record for the redirect normally.

We also allow for redirects in the table which don't have a domain in our DNS. Sometimes it is easier to point an external domain at your own redirect than to convince another provider to do the redirect. It keeps our DNS clean.

PowerDNS doesn't mind if there is an extra table (I think it doesn't mind extra columns as you mentioned above either).

Hope that helps,
Leen.

* Or actually the management software works on the master database, PowerDNS and redirect use slave databases.
Re: [Pdns-users] Pipe-backend: ABI-v3, TXT, and DNSSEC
On 08/08/2011 11:34 PM, Leen Besselink wrote:

On 08/08/2011 06:57 PM, Jan-Piet Mens wrote:

Hello,

I was curious as to whether PowerDNS would sign records produced by the PIPE back-end, particularly since the release notes indicate it may be possible ([3] also says partial support). I set up a small test with PowerDNS 3.0.1 [1] and the example backend-v3.pl [2]. I encountered the following issues:

I tried that too. I did rename mine test.net and used gsqlite3 because I already had that setup.

0. Configuration `powerdns.conf` contains only:

daemon=no
launch=gmysql,pipe
gmysql-dnssec
gmysql-dbname=pdns
gmysql-host=127.0.0.1
gmysql-port=3306
gmysql-user=pdns
gmysql-password=secret
cache-ttl=0
query-cache-ttl=0
log-dns-details=yes
loglevel=4
pipe-command=/etc/powerdns/backend-v3.pl
pipebackend-abi-version=3

1. A query of type ANY produces a SERVFAIL with the sample back-end. The console logs:

Exception building answer packet (Parsing record content: Data field in DNS should start with quote (") at position 3 of ' hallo allemaal!') sending out servfail

Changing quotes to single quotes, or removing them altogether doesn't improve: I can't get PowerDNS to reply with a TXT RR.

Seems that part works for me if I remove all quotes:

print DATA $bits $auth $qname $qclass TXT 3600 -1 hallo allemaal!\n;

Although it does add a space at the start:

$ dig +short +norec +dnssec @127.0.0.1 test.net txt
TXT 8 2 3600 2011081800 2011080400 63826 test.net. fD8xqLMN9vcBK1Y0CwAJrgr9CfFQRwdc3j9OVijHXjvU5TdMDZ4s4y0g JcmUCREUFAdbmasrKmthPEzGvtrD/K41zWSdjwArMDzehmozrCswU8Vq oGJ4K2n/2FEUUA1bpS0pbU+KLMW2I0EevhdPNojzgSyD78ztAOjcTH5o s6g=
 hallo allemaal!

2. I created a zone in gmysql called example.com, type=NATIVE and signed it with `pdnssec secure-zone example.com`. (Records table for the zone is empty)

Yes, it won't work without a records-table.

3. I query the PIPE backend `dig @127.0.0.1 example.com any' and get expected results including 3 DNSKEY RR

4. I query the PIPE backend `dig @127.0.0.1 +dnssec example.com any' and powerdns aborts with the following message on the console:

Default beforeAndAfterAbsolute called!
Got a signal 6, attempting to print trace ...

A bug or two, surely? :-)

It does work for +dnssec for webserver.$domain A or $domain SOA. Which is really encouraging. But it crashes as stated above if it just doesn't find things and needs to do DNSSEC. I was using NSEC and asking for also crashes the whole thing.

A normal request to the pipe-backend looks like:

24718 Received: Q test.net IN SOA -1 127.0.0.1 127.0.0.1 127.0.0.1/32
24718 Sent SOA records
24718 End of data

But a request just before a crash says:

�/32 Received: Q test.net IN SOA -1 0.0.0.0 0.0.0.0 8
24724 Sent SOA records
24724 End of data

Which suggests to me something in the PowerDNS-code isn't able to handle it when there is no result from any backend in combination with DNSSEC.

I forgot to add: It also seems to ask the wrong question ? Or at least use the wrong 'realRemote' and maybe that breaks the protocol ? I didn't immediately find the cause for it.

Additionally, I note that the documentation for the PIPE backend [3] has no mention of ABI version 3, nor does it describe the bits and auth returned by the example pipe backend. Could somebody explain what the `bits' are?

Thanks regards, -JP

[1]: http://downloads.powerdns.com/releases/rpm/pdns-static-3.0-1.i386.rpm
[2]: http://wiki.powerdns.com/trac/browser/trunk/pdns/modules/pipebackend/backend-v3.pl?rev=2239
[3]: http://doc.powerdns.com/backends-detail.html#pipebackend
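The pipe-backend exchange discussed in this thread, as an added example that is not code from the thread, from backend-v3.pl or from PowerDNS: a small Python ABI-v3 responder that answers the HELO handshake and Q lines with tab-separated DATA lines in the layout the posts show (bits, auth, qname, qclass, qtype, ttl, id, content), keeps the quotes on the TXT content, and rejects a malformed Q line such as the garbled one quoted above (subnet field '8') instead of guessing. The test.net records are constructed; the 0 written into the bits field is a placeholder, since what bits means is exactly the open question in the thread.

```python
"""Minimal PowerDNS pipe-backend responder (ABI version 3), added example.

Handshake and line layouts as visible in the thread (tab-separated):
    HELO  <abi-version>                                   -> OK  <banner>
    Q     qname qclass qtype id remote-ip local-ip subnet -> DATA lines, then END
    DATA  bits auth qname qclass qtype ttl id content
Anything the backend cannot parse is answered with FAIL rather than a guess,
because every field on the Q line comes from the network via PowerDNS.
"""
import ipaddress
import re
import sys

ABI_VERSION = 3
BANNER = "python pipe backend example"
ZONE = "test.net"           # constructed zone, matches the one in the thread

# Constructed sample data: (name, type, ttl, content). TXT content carries
# its own double quotes, which is what the "should start with quote" error
# in the thread is complaining about when they are missing.
RECORDS = [
    ("test.net", "SOA", 3600,
     "ns1.test.net hostmaster.test.net 2011081800 10800 3600 604800 3600"),
    ("test.net", "NS", 3600, "ns1.test.net"),
    ("test.net", "TXT", 3600, '"hallo allemaal!"'),
    ("webserver.test.net", "A", 3600, "10.0.0.238"),
]

# One DNS label: letters, digits, '_' and '-', no leading/trailing '-'.
_LABEL_RE = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")


def valid_qname(name: str) -> bool:
    """Reject anything that is not a syntactically sane DNS name."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def _valid_network_fields(remote: str, local: str, subnet: str) -> bool:
    """remote/local must be IP addresses, subnet must be addr/prefix."""
    try:
        ipaddress.ip_address(remote)
        ipaddress.ip_address(local)
        ipaddress.ip_network(subnet, strict=False)
    except ValueError:
        return False
    return "/" in subnet


def handle_line(line: str, state: dict) -> list:
    """Turn one line received from PowerDNS into the list of reply lines."""
    fields = line.rstrip("\n").split("\t")
    if not state.get("helo_done"):
        # Nothing but a matching HELO is acceptable before the handshake.
        if fields == ["HELO", str(ABI_VERSION)]:
            state["helo_done"] = True
            return ["OK\t" + BANNER]
        return ["FAIL"]
    if fields[0] != "Q" or len(fields) != 8:
        return ["FAIL"]
    _, qname, qclass, qtype, qid, remote, local, subnet = fields
    if qclass != "IN" or not valid_qname(qname):
        return ["FAIL"]
    if not _valid_network_fields(remote, local, subnet):
        return ["FAIL"]        # e.g. the corrupted "... 0.0.0.0 0.0.0.0 8" line
    name = qname.rstrip(".").lower()
    if name != ZONE and not name.endswith("." + ZONE):
        return ["END"]         # not our zone: empty answer, no data invented
    bits = 0                   # placeholder; meaning of 'bits' is the thread's question
    auth = 1                   # we are authoritative for everything we return
    out = []
    for rname, rtype, ttl, content in RECORDS:
        if rname == name and qtype in ("ANY", rtype):
            out.append("\t".join(["DATA", str(bits), str(auth), qname, "IN",
                                  rtype, str(ttl), qid, content]))
    out.append("END")
    return out


def main() -> None:
    """Stand-alone use: PowerDNS talks to us over stdin/stdout."""
    state = {}
    for line in sys.stdin:
        for reply in handle_line(line, state):
            sys.stdout.write(reply + "\n")
        sys.stdout.flush()       # PowerDNS waits for END; never buffer it


if __name__ == "__main__":
    main()
```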
Re: [Pdns-users] powerdns recursor and dns prefix
On 06/17/2011 09:30 PM, Konstantine Karosanidze wrote:

Hello,

Hi,

I run powerdns recursor (v 3.3, from freebsd ports) as an ISP recursive dns (almost default config, I just use nxdomain lua script for not found domain to be redirected to search page). It's been working fine for a while but a couple days ago I noticed that some clients have problem with resolving. Problem is following: all my clients get dns prefix from dhcp, let's say: domain.com and i see some requests to dns like: google.com.domain.com that does not resolve and it's correct that it does not resolve. I understand that it happens because windows machine adds prefix to requested domain, but is there any possibility to overcome this problem?

It isn't just Windows machines, just see the 'search'-option in resolv.conf(5) on any Unix-like system.

If possible I wouldn't try to redirect the nxdomain, it breaks many things, especially domains which are down for a short while. I would like to ask you don't do that.

But if you really think you must and want to fix it then I would change the lua script to understand that domain.com should not be redirected.

I would probably also keep the ttl as low as possible to make the problems you create go away as fast as possible, as low as I think the recursors can handle (as it will obviously get a lot more queries) with a margin of course.

Have a nice weekend,
Leen.
Re: [Pdns-users] Updating Wiki/Posting Bugs
I tried no space a number of times and it didn't work but just tried again and... It works.. Arghhh. Thanks

My guess is, this works really well against spammers too. ;-)
Re: [Pdns-users] Updating Wiki/Posting Bugs
On 06/17/2011 02:28 AM, Craig Whitmore wrote:

The username/password given (anon/No Spam) doesn't seem to work on http://wiki.powerdns.com/trac

It says: no space in between

Thanks
Re: [Pdns-users] svn access to pdns backends
On 05/26/2011 09:12 AM, Nick Milas wrote:

Hi,

Hi Nick,

Can anyone please tell me how I can have svn access to pdns backends source tree?

When I look at the http://wiki.powerdns.com/trac/ it says exactly the same thing you did. I used:

svn co svn://svn.powerdns.com/pdns/trunk/pdns pdns

So I did the same thing. And I got revision 2199 just like it says here: http://wiki.powerdns.com/trac/log/trunk/pdns

as indicated here: http://wiki.powerdns.com/trac/wiki/HACKING but in there I only see gmysql and bind backends. I am mainly interested in LDAP and mongodb backends.

I see the directories and files in pdns/modules/ (not pdns/pdns/backends !!)

(Trying to probably become a hacker, now in my late days. ;-) )

Thanks,
Nick

Hope that helps.

Have a nice day,
Leen.
Re: [Pdns-users] Small site backend recommendations
On 05/21/2011 06:27 AM, Charles Sprickman wrote:

On Thu, 12 May 2011, k...@rice.edu wrote:

On Thu, May 12, 2011 at 03:37:24AM -0400, Charles Sprickman wrote:

Hello,

We've been using the PDNS recursor for some time now and have been quite happy with it. It replaced dnscache and has proven to perform much better. We're now looking at moving away from tinydns, mainly to get IPv6 support without patching and to get started with DNSSEC. I don't see us with more than a few thousand zones anytime soon, and we aren't looking at anything above 1000 qps (across three servers) anytime soon.

I'm not sure I completely understand the PowerDNS philosophy quite yet, but it looks like BCP is to run a db server on each name server (postgres or mysql). This feels a little too heavyweight for us. What might be some interesting options? Would something like one master with a real db backend (in our case PostgreSQL) and then two slaves running SQLite work well? Is there anything lighter than SQLite that we could stick on the slaves? Is the SQLite backend well-supported?

Any pointers greatly appreciated. We are committed to a database-backed DNS server (we currently have a script that dumps db data to a tinydns data file), and there do not seem to be that many actively-developed options out there...

Thanks,
Charles

Hi Charles,

The advantages to having a db for each server is redundancy. A single server can easily serve 10X your expected load on a single box. In addition using db replication to move the updates around provides for a much more real-time process across all of your systems.

I do understand the general concept, but going from scp'ing a tiny .cdb file around to running a full-blown PostgreSQL instance on each nameserver just feels a little bit too heavy for us. SQLite is certainly a little simpler and less resource-intensive. I've been running through the docs again, and I'm finding there's a bit of a lack of best common practices sort of information.

So what I'd really like to get some feedback on is whether the following should work properly, especially given the (comparatively) small number of queries we'll be serving:

-One server as master/supermaster that is backed with gpgsql backend that will be where all records are added/deleted/changed. This may also be a hidden master at some point as we change our general provisioning setup.

-Two servers as slaves using the gsqlite3 backend.

If I've understood the documentation correctly this should (at least in theory) work. We add a zone on the supermaster and the slaves, even though they are running a different backend, will be notified of the new zone and fetch it via axfr. Changes in existing zones are also fetched via axfr.

My only concerns after looking at the docs are whether the gsqlite3 backend is thoroughly tested and whether using traditional master/slave and axfr will lead to any issues with the servers being out of sync with each other (since it seems most pdns installations are larger and have gone with a full-blown db w/replication for each server).

I find it is usually better to test for ourselves how it works in our setup than rely on others. ;-)

Personally I've never seen the gpgsql open a lot of connections which is where the overhead might be in PostgreSQL (in PowerDNS 3 it is more on purpose though).

PowerDNS has 2 caches if I understand it correctly. One where the queries are cached and one where packets are cached, both for a short time. So many clients asking the same question will never go to the database more than once.

With your intended setup as long as you test everything and make sure the SOA-serial is updated when changes are made and a notify is sent to the slaves that should be fine.

DNSSEC adds key material to the mix and would also need to change those keys every few weeks or months (depends on your preference) and you have to make sure the serial gets updated again as well.

Thanks,
Charles

Cheers,
Ken
Re: [Pdns-users] CNAME pointing to URL forwarding record
On 03/31/2011 09:18 AM, Anthony Eden wrote:

On Wed, Mar 30, 2011 at 2:28 PM, Stefan Schmidt zaph...@zaphods.net wrote:

Hi Anthony,

On Wed, Mar 30, 2011 at 10:22 AM, Anthony Eden anthonye...@gmail.com wrote:

When I point a CNAME record to a URL forwarding record PowerDNS returns a SERVFAIL for the CNAME query when I go through a resolver. If I dig directly against the authoritative server it works just fine. Any suggestions on how I can fix this, other than just replacing the CNAME with another URL

Actually, if you use dig and pay really close attention you should see your request www.wemakednssimple.com

But it returns wemakednssimple.com. without the www. Which is wrong.

A recursor will recognise this and just ignore that part of the answer (there is nothing else in the answer so you get nothing).

I don't know what the cause is, but this is the result and why it doesn't work.

forwarding record?

Please tell us what you dig for and which server - presumably yours - you are asking. As there is no such thing as a URL forwarding record in DNS in general, is it safe to assume that you mean a URL fancy record type such as in http://doc.powerdns.com/fancy-records.html ?

Working: dig @ns1.dnsimple.com www.wemakednssimple.com

Not working: dig @8.8.8.8 www.wemakednssimple.com

And yes, by URL forwarding record I mean the URL fancy record type as described in the PowerDNS documentation.

Any help would be appreciated. Thanks.

Sincerely,
Anthony Eden

-- http://anthonyeden.com | twitter: @aeden | skype: anthonyeden
Re: [Pdns-users] CNAME pointing to URL forwarding record
On 03/31/2011 11:42 AM, Anthony Eden wrote:

On Thu, Mar 31, 2011 at 11:32 AM, Leen Besselink l...@consolejunkie.net wrote:

On 03/31/2011 09:18 AM, Anthony Eden wrote:

On Wed, Mar 30, 2011 at 2:28 PM, Stefan Schmidt zaph...@zaphods.net wrote:

Hi Anthony,

On Wed, Mar 30, 2011 at 10:22 AM, Anthony Eden anthonye...@gmail.com wrote:

When I point a CNAME record to a URL forwarding record PowerDNS returns a SERVFAIL for the CNAME query when I go through a resolver. If I dig directly against the authoritative server it works just fine. Any suggestions on how I can fix this, other than just replacing the CNAME with another URL

Actually, if you use dig and pay really close attention you should see your request www.wemakednssimple.com

But it returns wemakednssimple.com. without the www. Which is wrong.

A recursor will recognise this and just ignore that part of the answer (there is nothing else in the answer so you get nothing).

I don't know what the cause is, but this is the result and why it doesn't work.

I wonder if setting skip-cname to yes would solve the problem and if so, what are the implications of doing so?

I wouldn't know. Seems to be a bug/issue the way it is.

I suggest you try it on a test-machine or something like that and try to fix it there.

Maybe just change the settings of 1 server out of the 4 and drop packets from other IP-addresses other than your recursor for a few seconds, so they don't cache something which is wrong.

Sincerely,
Anthony Eden

-- http://anthonyeden.com | twitter: @aeden | skype: anthonyeden
Re: [Pdns-users] pdns error sendto
On 02/25/2011 07:46 AM, Liong Kok Foo wrote:

Hi,

I have double checked and I did configure the firewall port 53 tcp/udp. Could it be possible there are other ports that need to be opened? I am using APF firewall. If anyone is also using that, please share your configuration. If it's not firewall, where else can I look? What other logs?

Sorry for the late reply.

It is not the firewall on some network device. It is the firewall (like iptables, ipf or pf) on the machine running the PowerDNS server.

Thanks.

Hope that helps, if you haven't solved it already

Liong Kok Foo

On 2/21/2011 5:31 PM, Marc Haber wrote:

On Mon, Feb 21, 2011 at 02:07:00PM +0800, Liong Kok Foo wrote:

Sorry for my noobness, but could you explain on what you mean by local packet filter? Do you mean firewall? If yes, then what port do I look? FYI, I have open port 53 tcp/udp for outgoing and incoming.

That should be enough, if it was done right.

Greetings
Marc
Re: [Pdns-users] New PowerDNS Authoritative Server snapshot with DNSSEC + Release Notes
-database instead. As I've never created a sqlite3-database for powerdns before yesterday I create one without dnssec first. So I run zone2sql without the DNSSEC. I disabled/change the settings:

#gsqlite3-dnssec
#bind-config
launch=gsqlite3

Look at the .dump, it looks fine. Run a dig and spot another problem:

;; ANSWER SECTION:
www.test.net. 3600 IN CNAME web.test.net.

Just the CNAME, no A-record. This seems wrong, I think it is an ordering problem. So I add the dnssec-schema and enable:

gsqlite3-dnssec

Again and run:

pdnssec rectify-zone test.net

Now it worked:

;; ANSWER SECTION:
www.test.net. 3600 IN CNAME web.test.net.
web.test.net. 3600 IN A 10.0.0.238

But still signing does not work:

$ pdnssec secure-zone test.net
This should not happen, still no key!

And I go to bed because it is late. :-/

This morning I tried running the bind and sqlite3 again but changed:

launch=bind,gsqlite3

That did not help. Then I figured out the problem, I forgot to add to the domains-table.

So I have 2 suggestions:

1. add the insert into domain line to zone2sql

2. the documentation should be changed from:

$ echo 'insert into domains (name, type) values ('powerdnssec.org', 'NATIVE') | sqlite3 ./powerdns.sqlite3

to:

$ echo "insert into domains (name, type) values ('powerdnssec.org', 'NATIVE')" | sqlite3 ./powerdns.sqlite3

So I retested, but the problem with the CNAME and sqlite3 remained when running without a DNSSEC-schema and gsqlite3-dnssec-setting. After ordering and signing and ordering the DNSSEC the CNAME problems all went away and when I run dig with +trusted-key= and everything worked. It also worked with or without the bind backend.

Have a nice day,
Leen Besselink.
Re: [Pdns-users] PowerDNSSEC Progress: ready for a first look
On 01/06/2011 08:00 PM, bert hubert wrote:

On Thu, Jan 06, 2011 at 11:55:24AM -0500, Mathew Hennessy wrote:

Excellent! BTW, can PowerDNSSEC operate in the following way as one would expect: PowerDNS supermaster which has DNSSEC RRs but doesn't do DNSSEC (aka traditional PowerDNS) providing data to PowerDNS slaves. If you use the new code with a compatible backend on the slaves (such as gsqlite3), and your whois servers only point to those slaves, will it work?

Almost! If you did that up till just now, you would have had to run 'pdnssec rectify-zone' on your slaves after each AXFR. However, thank you for raising this idea, this sounds like a very valid use case.

It has just been implemented in changeset http://wiki.powerdns.com/trac/changeset/1819

I tested it against an ancient server, and now I have a fully operational DNSSEC zone! It works fully automatic on retrieving a zone for which we have local keying material.

In this way, PowerDNSSEC can now be used to 'dnssec-ify' existing data, a bit like 'phreebird'. http://freshmeat.net/projects/phreebird

Bert

Hi Bert,

Thank you for all your work so far, it is probably a lot of work.

I was thinking what about the opposite ? A (possibly hidden) supermaster which does all the DNSSEC signing and the superslaves which only do zone-transfers and no online DNSSEC-signing but do understand enough of the protocol to be able to serve it.

I guess during the zone-transfer it would update any parts of the zone that are not yet (correctly) DNSSEC-signed ?

Would that also work ? Technically/DNSSEC-wise I would expect it to work but maybe you don't have the right configuration options yet. Also judging from the current documentation it currently is not a mode of operations.

I ask this because I have a feeling not everyone wants their private key material in several physical locations or do not yet want to be hindered by the DNSSEC-performance of the current release for their public authoritative servers.

Most of these requirements are already handled by the SQL-replication mode of operation. I have a hunch at least someone out there currently runs a supermaster/superslave operation and would like to only add DNSSEC to the supermaster and only upgrade (if needed) the slaves.

__

I really like how PowerDNSSEC and Phreebird are trying to lower the administrative/operational burden. But there is one part I'm missing: a way to hook up an EPP-client for sending the DS-record to the parent-zone.

Because when you setup the DS-record(s) at the parent-zone, you'll eventually need to update it and the point it is time when it needs to be updated is kind of dictated by the software/crypto-algorithm.

So far the only effort I've seen is some experimental/beta code created by the OpenDNSSEC-people.

Any thoughts on that yet ? Or is it just too early at this point ? Are there too many TLD's that do not have the needed EPP-extensions at this time ? Or are there too many different authentication schemes ? Probably worse, I guess for some people they have registrars in between. And some currently have EPP, but probably not many have DNSSEC yet.

Anyway, when is the new DS known to PowerDNSSEC (and in the database) so communication with all parties that are involved can be initiated and how can it be recognised. Would it be enough to run some script every day for example ?

I hope this is going to be a good year for everyone,
Leen Besselink.

Thanks,
= Matt

On Jan 6, 2011, at 10:13, bert hubert wrote:

Dear PowerDNS Community,

With the help of many of you, we've now brought 'PowerDNSSEC' to the point where it might make sense for you to trial it on test domains. We expect to move some of our own important domains over to PowerDNSSEC early next week. PowerDNS.COM underlies the commercial DNS hosting service 'Express', and may have to wait a bit longer.

To test, head over to http://www.powerdnssec.org (which of course is powered by PowerDNSSEC).

More information is on http://wiki.powerdns.com/trac/wiki/PDNSSEC - including how to get started, and how to get help.

In brief, PowerDNSSEC will allow you to continue operating as normal in many cases, with only slight changes to your installation. There is no need to run signing tools, nor is there a need to rotate keys or run scripts.

Particularly, if you run with Generic MySQL, Generic PostgreSQL or Generic SQLite3, you should have an easy time. A small schema update is required, plus an invocation of 'pdnssec secure-zone domain-name pdnssec rectify-zone domain-name' per domain you want to secure. And that should be it.

Supported are:
* NSEC
* NSEC3 in ordered mode (pre-hashed records)
* NSEC3 in narrow mode (unmodified records)
* Zone transfers (for NSEC)
* Import of 'standard' private keys from BIND/NSD
* Export of 'standard' private keys
* RSASHA1
* Pure PostgreSQL, SQLite3 MySQL operations
* Hybrid BIND
Re: [Pdns-users] Recursor / pdns installation help
Hello Patrick,

Each of my dns servers runs pdns and each has a slave copy of the master pdns mysql database and in turn each server looks up the dns locally via mysql. This has been working great for 2 years. The problem each server is running pdns which has a DOS vulnerability. which is why I am upgrading to implement recursor.

n...@mydomain.com - on server 1
n...@mydomain.com - on server 2
n...@mydomain.com - on server 3
n...@mydomain.com - on server 4

Sounds like you are trying to solve this problem the wrong way.

A recursor can not act as an authoritative server for a domain, when serving domains, you need an authoritative server like pdns (for example: bind may combine the 2 functions into one server, but it can also by default not be authoritative for domains it does not have the data for).

If you are worried about mysql being too slow to handle a DOS attack, you should eliminate the database on (some of) the public servers

1. you should use something like the bind-zone file backend (files on disk, instead of database) on those servers, that should be the fastest

2. those servers would be slave servers, the server with the database is the master server

I thought I could recommend superslave operation where new domains are automatically recognised and added, but it seems like that is not supported on the file backend.

Bert: it looks like the option exists in the code, but it is not in the documentation on http://doc.powerdns.com/ ?:

supermaster-config: Location of (part of) named.conf where pdns can write zone-statements to
supermasters: List of IP-addresses of supermasters
supermaster-destdir: Destination directory for newly added slave zones

PS with superslaves, domains are not deleted, you should create a script for that.
Re: [Pdns-users] Recursor / pdns installation help
On 12/21/2010 03:03 AM, Patrick Coffin wrote: Hi, This is the first time posting to this board. If I am posting to the wrong list, sorry, and please advise where I should post this request for assistance. We are setting up a new installation of pdns and recursor. We have been running pdns for a couple years without issue. I am attempting to implement recursor and pdns to avoid a potential DOS attack and pass security compliance, which under the current version I am running will not pass. Currently we have 3 servers running pdns 2.9.22 in a Centos 5.5 environment. Each with their own mysql slave db. Al l works great except for the DOS issue. I setup a new testing server with pdns 2.9.21 and recursor 3.3 also a Centos 5.5 box and I now pass security compliance, but am not getting the expected responses on DNS queries. I setup recursor to respond on port 53 and pdns to respond on 5300. recursor.conf entries # forward-zones= forward-zones=x.x.x.x:5300 Hi, I'm not quiet sure what you are trying to do, but I think forward-zones needs 1 or more domainnames: http://doc.powerdns.com/built-in-recursor.html#RECURSOR-SETTINGS If it is just a few (or just the important) domains, that would work. If it is an ever changing 1000's. Then this is not what you are looking for. If security is your concern, it is normally not recommended to mix your recursor with your authoritive nameserver on the same IP-address anyway. So I suggest you don't. But if you really want to, you can have pdns check the database first before trying to resolve the request recursively, in that case you swap them around (pdns on port 53 and pdns-recursor on port 5300) and use these setting: recursor= allow-recursion= http://doc.powerdns.com/all-settings.html Hope that helps. Have a nice day, Leen. local-port=53 pdns.conf entries local-address=x.x.x.x local-port=5300 If I query on a domain using dig I get the following error. 
dig mytestdomain.com http://mytestdomain.com @ns5 -- ; DiG 9.6.0-APPLE-P2 mytestdomain.com http://mytestdomain.com @ns5 ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 18559 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ; mytestdomain.com http://mytestdomain.com.INA ;; Query time: 6 msec ;; SERVER: 209.3.87.44#53(209.3.87.44) ;; WHEN: Mon Dec 20 17:55:34 2010 ;; MSG SIZE rcvd: 28 -- logs output - Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com http://mytestdomain.com.: Resolved 'mytestdomain.com.' NS ns5.mydomain. to: xx.xx.xx.xx Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com http://mytestdomain.com.: Trying IP xx.xx.xx.xx:53, asking 'mytestdomain.com.|A' Dec 20 17:43:25 xx pdns_recursor[9187]: 0 question answered from packet cache from xx.xx.xx.xx Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com http://mytestdomain.com.: Got 0 answers from ns5.mydomain.net. (xx.xx.xx.xx), rcode=0, in 3ms Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com http://mytestdomain.com.: determining status after receiving this packet Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com http://mytestdomain.com.: status=noerror, other types may exist, but we are done Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com http://mytestdomain.com.: Starting additional processing Dec 20 17:43:25 xx pdns_recursor[9187]: [3] mytestdomain.com http://mytestdomain.com.: Done with additional processing Dec 20 17:43:25 xx pdns_recursor[9187]: 0 [3] answer to question 'mytestdomain.com.|A': 0 answers, 0 additional, took 6 packets, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0 Dec 20 17:43:59 xx pdns_recursor[9187]: 1 question answered from packet cache from xx.xx.xx.xx It looks as if it is trying the local dns server on 53, but it is not getting a reply. Also I do not see any queries hitting the database. 
> If any additional information is needed, LMK. Any help would be appreciated.
>
> Thanks,
> Patrick

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Recursor / pdns installation help
On 12/21/2010 09:09 PM, Patrick Coffin wrote:
> Leen,
>
> Thanks for the reply. We are hosting 1000's of dns records so entering them in the forwards is not an option. I will take your advice to split the pdns and recursor to separate servers. Should I expect that if I move the pdns to a separate server that the lookups will work correctly with the information I have given? I would move pdns back to port 53 and keep it connected to mysql for lookups. I would like it to be set up so that recursor queries the pdns server and database if we are authoritative for the domain. Otherwise recursor should look to the authoritative server for the answer.

If the pdns server is authoritative for the domain, every recursor in the world will look at your pdns server when it wants to ask about that domain. Because the root and TLD will point them to your pdns server. Thus so will your own recursor.

I suggest you set up a few domains in your recursor to point to your pdns for the domains. The few domains you use internally (don't forget your reverse DNS blocks). Just in case you lose connectivity to the outside world and the external root/TLD servers can't be reached.

> Is there another resource that I can reference for this setup? I believe I am just missing one or two pieces to get it working properly.

Well, I hope the above makes sense to you. At least if that is the setup you want then it should not need any other configuration than what I mentioned above.

> I appreciate the help!
>
> Thanks,
> Patrick
Re: [Pdns-users] pdns and Windows DNS integration
On 08/21/2010 08:30 PM, Vishal Uderani wrote:
> Hey,

Hi Vishal,

> I've managed to get a standalone installation of pdns Authoritative server up and running with a mysql backend and poweradmin interface. However, I haven't found a single mention of a pdns installation integrating with a Windows DNS Server. Let me elaborate further:
>
> We have a bunch of devs who would like to create/modify/delete records and zones in our internal DNS server (Active Directory Integrated) without them having to access the server itself, so giving them an interface that does the above made sense. My pdns installation is on Linux. I came across the pdns-ldap backend but that's somehow not worked out for me. After compiling with --with-modules=ldap and making sure my pdns.conf pointed to the correct basedn, I was unable to pull down any of the zones from my Win DNS to my db (assuming that's what it does).
>
> I would really appreciate it if anyone could provide me any info or send me along the correct track here. Awaiting your prompt response.

No, that is not what it does. The LDAP backend, like the MySQL backend, does not copy anything (unless it's a slave server, in which case PowerDNS copies data); it is a database where zones exist, which is queried when a client asks for a record.

I don't know if you can use these 2 backends at the same time.

Normally the easiest way to deal with separate (authoritative) nameservers is to use separate zones. So one nameserver has a zone: company.tld and another nameserver has a sub-zone: other.company.tld

You set up the company.tld to point other.company.tld to the other nameserver(s) by creating an NS record with the IP address of the other nameserver. That way a 'resolving nameserver' will know it should query another authoritative nameserver for the other zone and there is no need to copy anything.
> --
> Regards,
> Vishal Uderani
Re: [Pdns-users] PTRs and SQL queries,, autoserial?
On 07/29/2010 11:47 PM, Jared Watkins wrote:
> I'm new to pdns... and I've read the docs and seen how PTR records are supposed to be set up, but I can't get reverse lookups to work... nor can I see from the default sql queries how they would ever be found. So I assume I'm missing something. =]
>
> I'm also not clear on whether the generic mysql backend supports auto serials (conflicting info in the docs) or how that is to be implemented.
>
> When I attempt a reverse lookup for an internal test IP I see the following queries get run against the mysql server:
>
> select content,ttl,prio,type,domain_id,name from records where name='192.168.103.32'
> select content,ttl,prio,type,domain_id,name from records where name='*.168.103.32'
> select content,ttl,prio,type,domain_id,name from records where name='*.103.32'
> select content,ttl,prio,type,domain_id,name from records where name='*.32'
>
> I fail to see how this will ever match the format of the PTR recs I've seen suggested as name,type,content:
>
> 32.103.168.92.in-addr.arpa PTR testserver.test.net
>
> I do have a reverse domain defined in the domains table... but I don't see that it ever gets queried.

Hi,

euh..., Jared, maybe I'm wrong, but do you know how to do a reverse lookup?

This is normally what you would do:

dig @serverip -x 192.168.103.32

(I think Mac OS X, which you seem to be using judging by your e-mail client, has the 'dig' command)

It will send a PTR query for:

32.103.168.92.in-addr.arpa

which should result in a database query for:

select content,ttl,prio,type,domain_id,name from records where name='32.103.168.92.in-addr.arpa'

Hope that helps.

Have a good day,
Leen.

> What's going sideways here?
>
> Thanks,
> Jared
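The difference between the two query chains in this thread, as an added example that is not part of the thread: `ptr_name` builds the owner name `dig -x` asks for, `backend_lookup_names` reproduces the exact-then-wildcard sequence shown in Jared's log, and an in-memory SQLite stand-in for the gmysql `records` table (sample rows constructed here) shows why the bare IP never matches while the in-addr.arpa name does.

```python
# Added example (not from the thread): how a reverse lookup becomes the
# record names the generic SQL backend tries, run against an in-memory
# SQLite copy of the records table filled with constructed sample rows.
import ipaddress
import sqlite3


def ptr_name(ip: str) -> str:
    """Owner name that 'dig -x' queries for an address (in-addr.arpa or ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def backend_lookup_names(qname: str) -> list:
    """Lookup sequence seen in the thread: the exact name first, then a
    wildcard for each enclosing parent, stopping before the bare root."""
    labels = qname.rstrip(".").split(".")
    names = [".".join(labels)]
    for i in range(1, len(labels)):
        names.append("*." + ".".join(labels[i:]))
    return names


def demo_records() -> sqlite3.Connection:
    """Constructed sample data in the gmysql 'records' layout (SQLite stand-in)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (domain_id INTEGER, name TEXT, type TEXT,"
                 " content TEXT, ttl INTEGER, prio INTEGER)")
    conn.executemany("INSERT INTO records VALUES (?,?,?,?,?,?)", [
        (1, "103.168.192.in-addr.arpa", "SOA",
         "ns1.test.net hostmaster.test.net 2010072901 10800 3600 604800 3600", 3600, 0),
        (1, "32.103.168.192.in-addr.arpa", "PTR", "testserver.test.net", 3600, 0),
        # a wildcard PTR for the rest of the /24, to show the second step of the chain
        (1, "*.103.168.192.in-addr.arpa", "PTR", "dhcp-pool.test.net", 3600, 0),
    ])
    conn.commit()
    return conn


def lookup_chain(conn: sqlite3.Connection, qname: str, rtype: str):
    """Run the backend's query sequence; return (matched owner, content) or None."""
    sql = "select content,ttl,prio,type,domain_id,name from records where name=?"
    for name in backend_lookup_names(qname):
        for content, _ttl, _prio, typ, _dom, owner in conn.execute(sql, (name,)):
            if typ == rtype:
                return owner, content
    return None


if __name__ == "__main__":
    conn = demo_records()
    ip = "192.168.103.32"
    print(backend_lookup_names(ip))                 # what querying the bare IP tries
    print(lookup_chain(conn, ip, "PTR"))            # None: no owner is ever an IP
    print(lookup_chain(conn, ptr_name(ip), "PTR"))  # the dig -x name matches
    print(lookup_chain(conn, ptr_name("192.168.103.77"), "PTR"))  # wildcard step
```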
Re: [Pdns-users] PowerDNSSEC
On 06/24/2010 03:08 PM, Michael Braunoeder wrote:
> Hi,

Hi,

> I'm currently evaluating the PowerDNSSEC implementation and found 2 issues:

As no person who is more knowledgeable answered your question, I thought I would answer with what I know.

> -) Is it possible to disable the signing-on-demand feature? I want the powerdns to act as slave to a hidden master which does the signing of the domain, and the powerdns should just serve the signed zone (without any resigning and without access to the keys).

Disabling the 'signing-on-demand' feature has been discussed on this mailing list before; the answer was: it will be optional in a future version.

> -) I tried the PostgreSQL backend, but I always received the following error message:
>
> TCP server is unable to launch backends - will try again when questions come in: Undefined but needed argument: 'gpgsql-dnssec'.
>
> What is the format of the missing 'gpgsql-dnssec' parameter I have to add?

I like your choice of database, but I don't have any information on the current state of this or any other backend in combination with DNSSEC, other than I've used the 'bind-backend' (text file). I do know that every database backend needs to implement some basic extra functions before it can work with DNSSEC. That information can be found here:
http://wiki.powerdns.com/trac/wiki/PDNSSEC/backends

As linked from:
http://wiki.powerdns.com/trac/wiki/PDNSSEC

But I did see on that page it says:

Things to be aware of
Only BIND and Generic MySQL (gmysql) backend right now

It's also the same page that mentions:

Next
The completely live auto-signing nature of PowerDNSSEC is not what everyone wants. Other DNSSEC modes will be added soon.

> Best,
> Michael
Re: [Pdns-users] PDNS Recursor and reverse lookup
On 06/16/2010 10:34 AM, Uroš Gruber wrote:
> Hi,

Hello Uroš,

> here is the result from one of the IPs
>
> [r...@host1 ~]# dig @91.185.194.202 118.167.130.182

I think you might have a mistake there. The proper command with dig would be (-x is for reverse address lookup):

dig @91.185.194.202 -x 118.167.130.182

> ; <<>> DiG 9.4.3-P2 <<>> @91.185.194.202 118.167.130.182
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7121
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;118.167.130.182.               IN      A

As you can see above it does an A-record query, not a PTR-record (reverse address) query.

> ;; AUTHORITY SECTION:
> .                       10774   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2010061600 1800 900 604800 86400
>
> ;; Query time: 0 msec
> ;; SERVER: 91.185.194.202#53(91.185.194.202)
> ;; WHEN: Wed Jun 16 10:31:49 2010
> ;; MSG SIZE  rcvd: 108
>
> [r...@host1 ~]# dig @91.185.194.206 118.167.130.182
>
> ; <<>> DiG 9.4.3-P2 <<>> @91.185.194.206 118.167.130.182
> ; (1 server found)
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
>
> [r...@host1 ~]# host 118.167.130.182 91.185.194.202
> Using domain server:
> Name: 91.185.194.202
> Address: 91.185.194.202#53
> Aliases:
>
> 182.130.167.118.in-addr.arpa domain name pointer 118-167-130-182.dynamic.hinet.net.
>
> [r...@host1 ~]# host 118.167.130.182 91.185.194.206
> ;; connection timed out; no servers could be reached

I'm really surprised this does not work. I've never seen that happen. Normally PowerDNS works just fine with that.

Did you make any 'forward-zones' settings?

I would look at these settings first:

allow-from
Comma separated netmasks (both IPv4 and IPv6) that are allowed to use the server. The default allows access only from RFC 1918 private IP addresses, like 10.0.0.0/8. Due to the aggressive nature of the internet these days, it is highly recommended to not open up the recursor for the entire internet. Questions from IP addresses not listed here are ignored and do not get an answer.

allow-from-file
Like allow-from, except reading from file. Overrides the 'allow-from' setting. To use this feature, supply one netmask per line, with optional comments preceded by a #. Available since 3.1.5.

As it seems you didn't get any answer at all. Maybe you could send us the output of the following command:

grep -v '^#' recursor.conf | grep -v '^$'

That way we can see what settings you've used.

> One thing I didn't quite understand is that bind has a root.hint file but powerdns does not. Could this be a problem?

There is a default root.hint built in; you can specify 'your own' with the 'hint-file' option.

> regards

Hope this helps,
Leen.

> Uros
>
> On Wed, Jun 16, 2010 at 10:14 AM, bert.hub...@netherlabs.nl wrote:
>> Can you show your exact dig command line and the result from powerdns and bind? This is all supposed to work :)
>>
>> Sent from my phone.
>>
>> - Reply message -
>> From: Uroš Gruber uros.gru...@gmail.com
>> Date: Wed, Jun 16, 2010 10:01
>> Subject: [Pdns-users] PDNS Recursor and reverse lookup
>> To: pdns-users@mailman.powerdns.com
>>
>> Hi,
>>
>> I've set up pdns_recursor and everything works as expected except one thing. dig-ing reverse lookups returns nothing. With bind I have no such problems. I've tested a bunch of IPs and I didn't get any answers. Is this normal and pdns_recursor does not support this, or is there a secret setting I need to enable? I'm using the latest PDNS_recursor on FreeBSD and I only set local-ip in config.
>>
>> regards
>> Uros
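The allow-from behaviour Leen points at, as an added example that is not part of the thread: it parses a recursor.conf the way the `grep` pipeline above strips it, applies the allow-from-file override, and reports whether a given client address would be answered or silently ignored (the "connection timed out" symptom). The config texts, file contents, and the 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed; the default netmask list is an assumption that follows the thread's description, not the recursor's exact built-in value.

```python
# Added example (not from the thread): reproduce the recursor's allow-from
# decision for a client address from a recursor.conf text, including the
# allow-from-file override. Everything below is constructed sample data.
import ipaddress

# Assumption: loopback plus the RFC 1918 ranges, as the thread describes the
# default; consult your recursor version's documentation for the exact list.
ASSUMED_DEFAULT_ALLOW_FROM = [
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128",
]


def parse_recursor_conf(text: str) -> dict:
    """key=value settings; full-line '#' comments and blank lines are skipped,
    exactly what `grep -v '^#' recursor.conf | grep -v '^$'` leaves behind."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_allow_from_file(text: str) -> list:
    """allow-from-file format: one netmask per line, optional '#' comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(line)
    return nets


def effective_allow_from(settings: dict, files: dict) -> list:
    """Netmasks the recursor will answer; allow-from-file overrides allow-from.
    `files` maps a path to its contents (stand-in for reading the disk)."""
    if settings.get("allow-from-file"):
        nets = parse_allow_from_file(files[settings["allow-from-file"]])
    elif settings.get("allow-from"):
        nets = [n.strip() for n in settings["allow-from"].split(",") if n.strip()]
    else:
        nets = ASSUMED_DEFAULT_ALLOW_FROM
    return [ipaddress.ip_network(n, strict=False) for n in nets]


def is_allowed(client_ip: str, networks: list) -> bool:
    """False means the query is dropped without a reply: the client times out."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def decide(conf_text: str, files: dict, client_ip: str) -> bool:
    return is_allowed(client_ip, effective_allow_from(parse_recursor_conf(conf_text), files))


# Constructed: a config that only sets the listen address, like the poster's,
# and a fixed one that lists the office network in an allow-from file.
MINIMAL_CONF = "# recursor.conf\nlocal-address=91.185.194.202\n\n"
FIXED_CONF = "local-address=91.185.194.202\nallow-from-file=/etc/powerdns/allow-from\n"
FIXED_FILES = {
    "/etc/powerdns/allow-from": "127.0.0.0/8\n198.51.100.0/24  # office network\n",
}

if __name__ == "__main__":
    print(decide(MINIMAL_CONF, {}, "198.51.100.7"))         # False: ignored
    print(decide(FIXED_CONF, FIXED_FILES, "198.51.100.7"))  # True: answered
```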
Re: [Pdns-users] Possible tcp listener issue
On 03/25/2010 05:54 PM, Laurent Papier wrote:
> On Thu, 25 Mar 2010 15:51:29 + Simon Bedford sbedf...@plus.net wrote:
>> Guys,
>>
>> We have upgraded our customer caching name servers to pdns recursor 3.2 (which is working very well). This has now been running for 4 days but in the last 24 hours we have seen the tcp listener stop answering queries on 2 separate servers. Our monitoring servers flag this up for us and restarting the recursor fixes it. Now I know tcp isn't used that much but I was wondering if anyone else has experienced this. Due to the size of the logs we would generate we have the quiet option set to yes in the config so only get basic logging (which showed nothing out of the ordinary).
>
> Hi,
>
> I have also upgraded to pdns recursor 3.2 yesterday. And today, I have a strange problem on some of my systems. It seems to be related to tcp DNS as the only thing that stopped working is using tcp dns queries. The rest of the system worked fine. I have restarted pdns recursor and it fixes the problem. I will do further testing if the problem happens again.

Hello Simon and Laurent,

Now I don't know anything about this issue specifically, but it's customary to provide some extra information when reporting bugs: what OS and OS version are you using, for example? Did you download a Linux distribution binary? What kernel version are you using? Or did you build from an updated BSD ports? Did you do your own build? If so, what compiler did you use? And so on. Some information would be better than no information. :-)

Just so you know.

Have a nice day,
Leen.
Re: [Pdns-users] lazy-recursion
(First of all: I'm not a PowerDNS developer, so I might be wrong)

On 03/04/2010 10:01 AM, Liong Kok Foo wrote:
> Hmm... I read the docs on recursion again (which I already read a few times) and somehow this time I got it. I added google's dns server 8.8.8.8 into the recursor and now external recursion works.
>
> There must be a reason why this is off by default. Potential security issues?

Because it's easier to detect mistakes if you keep it separate. It's just good practice to separate your recursor and authoritative server; people should just learn to do that.

Performance might be another reason.

Also you remove a dependency: what if your recursor doesn't answer for something, then the authoritative server doesn't answer quickly either (does it do CNAME lookups recursively?).

What if something is wrong with your authoritative server? If you have your authoritative server in your /etc/resolv.conf as your recursor, you don't get any recursive queries resolved either.

> If this method works, why is there need for pdns's own recursor server?

1. Because people/companies don't want to depend on others (in your case Google).
2. Because by some accounts, it's the fastest open source recursor available. It's also pretty secure.

> Thanks.
>
> On 3/4/2010 4:38 PM, none wrote:
>> Basically it checks local data first before recursing to an external nameserver, and you should turn this off.
>>
>> About turning lazy-recursion off: it doesn't lower the amount of log entries, actually it doesn't have any effect at all.
>>
>> You can read the docs here http://doc.powerdns.com/recursion.html
Re: [Pdns-users] Using root-referral
On 01/29/2010 03:30 PM, Joyce LAMBERT wrote:
> I'm using the option send-root-referral=lean (or yes) in my powerdns authoritative server.

First the important question: why do you want to send a root-referral?

send-root-referral | --send-root-referral=yes | --send-root-referral=no | --send-root-referral=lean
If set, PowerDNS will send out old-fashioned root-referrals when queried for domains for which it is not authoritative. Wastes some bandwidth but may solve incoming query floods if domains are delegated to you for which you are not authoritative, but which are queried by broken recursors. Available since 2.9.19. Since 2.9.21, it is possible to specify 'lean' root referrals, which waste less bandwidth.

You usually don't need it.

> This server isn't recursive.
>
> When my server needs to reply with a CNAME where we are not authoritative for the destination, the server adds root servers in the authority section, and IP addresses in the additional section.
>
> Often this reply can't fit in a UDP packet and needs a TCP reply.
>
> When I analyse traffic with tcpdump and wireshark I can find [Malformed Packet: DNS]
>
> For most resolvers, this is not a problem, and communication continues in TCP. But it looks like some other resolvers (or firewalls) stop on this Malformed Packet and resolution can't finish. But only with PowerDNS authoritative server. With others, this type of resolver can switch to TCP.
>
> One solution is to reduce the number of root servers we send in the authority and additional section to limit the packet size. This can't be done in the configuration file and needs a patch to the source files.
>
> Do you know this problem, and is there any other solution?
Re: [Pdns-users] new server, can't make it authoritative for some reason
root wrote:
> Hello all,

Hi,

> how can I achieve this? what do I need to set up/configure?

If you read question 3 in the FAQ:
http://doc.powerdns.com/pdns-users-faq.html

You might find you don't need it.

Hope that helps.

Have a nice day,
Leen.
Re: [Pdns-users] PowerDNS DNSSEC!
On Thu, Jul 16, 2009 at 03:08:33AM +1000, Duane at e164 dot org wrote:
> Stephane Bortzmeyer wrote:

Hi Duane and Stephane,

>> On Wed, Jul 15, 2009 at 02:59:58AM +1000, Duane at e164 dot org du...@e164.org wrote a message of 62 lines which said:
>>> On the other hand do you know of any exciting development with DNScurve?
>>
>> What's the relationship? DNSSEC secures the data, DNScurve the channel (like TLS, IPsec, TSIG, etc). So, DNScurve is not a replacement for DNSSEC; for instance, it does not protect against a rogue resolver (or secondary name server).
>
> DNSSEC doesn't provide privacy. DNScurve is supposed to provide both verification and privacy, but since there is no implementation there has been little discussion on it, which is unfortunate. Just like there are a lot of reasons for privacy of web sessions, the powers that be don't want to offer users the same privacy for their DNS requests. Reasons for not wanting to offer privacy included acknowledging that various governments would oppose it, and DNSSEC specifically has no potential for privacy in the specs. That said, since DNSSEC does involve crypto for signing, the same tech could in theory be used for privacy, and that annoys/scares whatever govt agencies, and is one potential reason why any sort of DNS crypto has taken this long to get to this point.

My guess is, that would be the US government?

I know the other governments also had something else to complain about: the signing of the root and the agency that is allowed to do so. Because alternative roots are not (easily) possible with DNSSEC, I presume. I guess you could only make a signed copy or an unsigned alt. root.

> --
> Best regards,
> Duane
Re: [Pdns-users] Multiple IP?
SoloUnAltroNick wrote:
> Hi,
> on my server I have 2 network interfaces. With the default option:
>
> local-address=0.0.0.0
>
> Server doesn't respond. And in the documentation, it's written that this value so configured makes PDNS listen on all interfaces. If I set it with my 2 IPs (so all interfaces) it works.
>
> Any idea? Thank you

Hi SoloUnAltroNick,

It actually says for the authoritative nameserver:

local-address=...
Local IP address to which we bind. You can specify multiple addresses separated by commas or whitespace. It is highly advised to bind to specific interfaces and not use the default 'bind to any'. This causes big problems if you have multiple IP addresses. Unix does not provide a way of figuring out what IP address a packet was sent to when binding to any.

http://docs.powerdns.com/all-settings.html

So my guess is the default IP address (default gateway) works, but the other one doesn't if you use 0.0.0.0.

If you are using the recursor, I guess the same thing applies and maybe the documentation should be enhanced.

Hope that answers your question
Re: [Pdns-users] PDNS Recursor compile errors on g++ 4.4.0
Roger Libiez wrote:
> pdns_recursor.cc: In function void startDoResolve(void*):
> pdns_recursor.cc:669: error: reference to exception is ambiguous
> /usr/include/boost/exception/exception.hpp:177: error: candidates are: class boost::exception
> /usr/lib/gcc/x86_64-redhat-linux/4.4.0/../../../../include/c++/4.4.0/exception:60: error: class std::exception
> pdns_recursor.cc:669: error: expected type-specifier before exception
> pdns_recursor.cc:669: error: expected ) before token
> pdns_recursor.cc:669: error: expected { before token
> pdns_recursor.cc:669: error: e was not declared in this scope
> pdns_recursor.cc:669: error: expected ; before ) token
> pdns_recursor.cc:672: error: expected primary-expression before catch
> pdns_recursor.cc:672: error: expected ; before catch
>
> The above is displayed when attempting to compile on a server where g++ 4.4.0 is the only available compiler. Downgrading the compiler is not an option.
>
> What's the correct fix for these? There are quite a few of them in various different spots in that module.

Hi Roger,

What version of PowerDNS-recursor and what version of Boost are you using?

I'm no expert, but I wouldn't be surprised if a newer Boost library solved the problem. At least that's what my gut instinct told me; a quick Google search was much more useful.

I think you might need to add:

#include <cstdio>

to misc.hh

http://cvs.fedora.redhat.com/viewvc/devel/pdns-recursor/pdns-recursor-gcc44.patch?revision=1.1&view=markup

Hope that helps.

Have a nice day,
Leen Besselink.
Re: [Pdns-users] Difficulty changing nameservers on domain registar's site
On Thu, Jul 02, 2009 at 06:15:44PM +0300, Jani Karlsson wrote:
> Hi,
>
> Your problem is with the SOA DNS record: the given nameservers return different SOA entries. So either your SOA serial, data or TTL differs between servers. Or it's just that the other server doesn't respond to the SOA request, which is making the SOA check fail, even though the problem is not with the SOA but in that the nameserver isn't responding (common GoDaddy error): it blames the SOA as missing or faulty when actually the problem is that the nameserver isn't responding.
>
> I hope this clears things up a bit.

Hi SashaB,

If you want to look up the SOA record of a domain, you could use the 'dig' command:

dig @nameserver domain.tld SOA

But if those are not the same, maybe the domain zone is not a copy of the zone on the other nameserver, which is asking for trouble if it's not just a version difference.

> Cheers,
> Jani Karlsson
>
> SashaB wrote:
>> Ken,
>>
>> I'm not sure what you mean. For example, so we didn't have to enter different NS for 50 domains, I registered a domain name specifically for use with NS (that is their sole purpose) and I've set up NS for multiple website domain names that are identical--kinda like a webhosting company does? There are four NS on two different servers at two datacenters in different parts of a region (for which I haven't mirrored or set up round-robin yet, though I intend to do so--and research shows I can on pdns). Actually, two of the NS point to the same IP address as does the one in question and several other NS point to that IP, too. All serve different content--blogs, websites, web interfaces for pdns, web guis for various applications, webmail servers--just fine. This works, in part, because the actual content is served, in most cases, though not all, from entirely different IP addresses from the NS IP addresses (and the virtual host settings on apache reflect that).
>>
>> Yet, we have no problem reaching any of that content, even where the NS IP addresses are shared with content-serving hostnames rather than dedicated only to doing NS resolution like other IP addresses. Again, domain resolution isn't only about the nameservers--it's about the hosts and host.conf files, as well as whatever backends we use, too. (There are some other factors, like resolvers, but you get my point.) So, as I explained, my mail/webmail NS are on different IP addresses under its domain name from the content the webmail server and mail server 'serves'. All DNS records for the domain are contained on its master server, including both NS, which point back to those IP addresses. The secondary NS has its own master record on the server where it's located and contains only its IP address, since pdns doesn't use pointer records, relying instead on its native ability to resolve properly configured DNS. Since I've created an A record for those IP addresses from which actual content is served in the DNS records on our registrar's site (and have properly configured the vhosts in apache), when we enter either our webmail server IP address or its hostname, my webmail server software admin page loads--just like it should. When I load up the gui interface for our mailserver under either the hostname, which is something like mailservertype.maildomain.eu, it loads perfectly. This stuff's fairly idiot proof because apache, mysql and pdns all let you know when you've misconfigured stuff by not working right--or at all.
>>
>> Therefore, I don't know how your answer relates to my problem and it doesn't address the issue of the registrar not being able to reach the secondary NS, which is on an entirely different server and has a separate IP address. This doesn't appear, as you suggested when I posted my last question about how PDNS works differently from BIND and again in this post, as my lack of understanding DNS. I'm new to PDNS, not to DNS.
>>
>> I couldn't have set this system up if I didn't have DNS understanding, and the registrar for my other domain names seems to have no problem adding our changed NS to their system, so our NS configuration isn't the problem.
>>
>> If anyone else has any suggestions--especially those in the EU where this seems to be an issue--at least when I bing(.com) it, I would greatly appreciate your help.
>>
>> Sasha
>>
>> On Thu, Jul 2, 2009 at 9:40 AM, Kenneth Marshall k...@rice.edu wrote:
>>> On Thu, Jul 02, 2009 at 09:15:03AM -0400, SashaB wrote:
>>>> Hello all,
>>>>
>>>> This is a long post with a lot of info since I thought you should know as much as possible about these NS before (a) having to ask the obvious questions and (b) so you can offer suggestions. Here's the situation. I have set up the NS for our domains (on four servers) and nearly all resolving properly to the domains to which they point. (For those few that are not, I have figured out
Re: [Pdns-users] Bindings
Doug Hall wrote:
> Is it possible to bind the Powerdns service to two IP addresses on the same box?? I have two nics...

Hi,

On my machine I have:

/etc/powerdns/recursor.conf
local-address=127.0.0.1, XXX.XXX.XXX.XXX

It looks like /etc/powerdns/pdns.conf has the same kind of setting:

local-address=...
Local IP address to which we bind. You can specify multiple addresses separated by commas or whitespace. It is highly advised to bind to specific interfaces and not use the default 'bind to any'. This causes big problems if you have multiple IP addresses. Unix does not provide a way of figuring out what IP address a packet was sent to when binding to any.

http://docs.powerdns.com/all-settings.html

Have a nice day,
Leen.

> Doug Hall
> IT Operations Manager
> Committed 2 Communications Ltd
Re: [Pdns-users] Question on setting up PDNS
Nicholas Orr wrote:
> You'd need to set up a sub-domain and have your primary domain give out NS for where the sub-domain is hosted. I remember doing this ages ago with Windows Server DNS, was pretty straight forward.
>
> hmmm. Sorry I'm not much more help :/

Anyway, it's called '(DNS) delegation', now you have something you can look up in a book or search engine, whatever.

Hope that helps.

> 2009/3/18 npere...@videotron.ca
>> Hello,
>>
>> I am trying to set up PDNS for enum NAPTR...
>>
>> I have a domain, example.com, which is taken care of by our current DNS. I need to add a pointer for e164.example.com to send the request to a specific server, which is the one running the PDNS, yet the query I am doing is not being sent to the PDNS and I don't know what I'm doing wrong...
>>
>> My query via nslookup is:
>>
>> nslookup 0.0.1.e164.example.com
>>
>> Fails, no response. If on the PDNS (linux) server I do a dig, it works fine.
>>
>> dig 0.0.1.e164.example.com
>>
>> What should my Primary DNS have to send the query they get to the specific server IP of PDNS?
>>
>> Regards,
>> Nelson Pereira
>> http://www.npereira.com
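The delegation Nicholas and Leen describe here, and the company.tld / other.company.tld split in the Windows DNS thread above, as an added example that is not part of either thread: a small model of the parent zone shows what it must hold (an NS record at the cut whose content is a nameserver name, plus a glue A record carrying that server's address) and how it decides between answering from its own data and handing out a referral for `0.0.1.e164.example.com`. `enum_name` also builds the reversed-digit ENUM name from an E.164 number. All record data and the 192.0.2.x / 198.51.100.x addresses are constructed.

```python
# Added example (not from the threads): a model of the parent zone in a
# DNS delegation, with a constructed example.com zone that delegates
# e164.example.com to the box running PowerDNS for ENUM lookups.
from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner, type, rdata), names without trailing dot


def enum_name(e164_number: str, apex: str) -> str:
    """ENUM owner name: the E.164 digits reversed, one label each, under apex."""
    digits = [c for c in e164_number if c.isdigit()]
    return ".".join(reversed(digits)) + "." + apex.strip(".")


class Zone:
    def __init__(self, apex: str, records: List[Record]):
        self.apex = apex.strip(".").lower()
        self.records = [(o.strip(".").lower(), t.upper(), r) for o, t, r in records]

    def rrset(self, owner: str, rtype: str) -> List[str]:
        return [r for o, t, r in self.records if o == owner and t == rtype]

    def has_name(self, owner: str) -> bool:
        return any(o == owner for o, _, _ in self.records)

    def respond(self, qname: str, qtype: str) -> dict:
        """What the parent answers: REFUSED outside its zone, a referral (NS
        plus glue) at or below a zone cut, otherwise its own data."""
        name = qname.strip(".").lower()
        if name != self.apex and not name.endswith("." + self.apex):
            return {"rcode": "REFUSED"}
        labels = name.split(".")
        depth = len(labels) - len(self.apex.split("."))
        # Walk from the label just below the apex down to the query name, so
        # the highest delegation wins: the parent knows nothing below a cut.
        for i in range(depth - 1, -1, -1):
            cut = ".".join(labels[i:])
            ns = self.rrset(cut, "NS")
            if ns:
                glue = {n: self.rrset(n.strip(".").lower(), "A") for n in ns}
                return {"rcode": "NOERROR", "referral": cut, "ns": ns, "glue": glue}
        answer = self.rrset(name, qtype.upper())
        if not answer and not self.has_name(name):
            return {"rcode": "NXDOMAIN"}
        return {"rcode": "NOERROR", "answer": answer}


# Constructed parent zone: its own data plus the delegation of e164.example.com.
PARENT = Zone("example.com", [
    ("example.com", "SOA",
     "ns1.example.com hostmaster.example.com 2009031801 3600 900 604800 300"),
    ("example.com", "NS", "ns1.example.com"),
    ("ns1.example.com", "A", "192.0.2.1"),
    ("www.example.com", "A", "192.0.2.10"),
    # the delegation: NS at the cut names the PowerDNS box, glue gives its address
    ("e164.example.com", "NS", "enum1.example.com"),
    ("enum1.example.com", "A", "198.51.100.53"),
])

if __name__ == "__main__":
    q = enum_name("+100", "e164.example.com")
    print(q)                                  # 0.0.1.e164.example.com
    print(PARENT.respond(q, "NAPTR"))         # referral to enum1.example.com
    print(PARENT.respond("www.example.com", "A"))
```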
Re: [Pdns-users] STL error
Johan Kooijman wrote: Hi, Thank you for your reply. Hmm, I'm no expert, but looking at the error and code, I would say your TCP connection to the PowerDNS died. My guess too. TCP is different from the normal UDP packets used by DNS. If this is a new installation, you are possibly setting it up in an environment where you might not need a firewall on that server; could you disable it and test it again? It looks like PowerDNS is not able to push any packets out to your dig client. If I were to guess, I would say PowerDNS is not receiving the TCP ACK packets. That's the strange thing: there is no firewall running on this machine. I tried adding the listen-address option in pdns.conf, no luck. I did a tcpdump on its interface when I did the dig, result is here: http://pastebin.com/m746248ae The last line is a reset packet from client to server, I wouldn't expect to see a reset packet. I tried a working installation as a test and I didn't see a reset packet. I don't know why the client side does this, but it's not the usual way. Also I noticed there were no packets with F (for finished), so that would mean the server wasn't done sending. Maybe first try from localhost on the PowerDNS server? Any other suggestions? Met vriendelijke groet / With kind regards, Johan Kooijman JK IT - Communication at the speed of life jkooij...@jkit.nl http://www.jkit.nl Tel.: +31 (0)76 - 71 10 271 Fax: +31 (0)76 - 20 11 179 Mob: +31 (0)6 - 43 44 45 27
Re: [Pdns-users] STL error
Johan Kooijman wrote: The last line is a reset packet from client to server, I wouldn't expect to see a reset packet. I tried a working installation as a test and I didn't see a reset packet. I don't know why the client side does this, but it's not the usual way. Also I noticed there were no packets with F (for finished), so that would mean the server wasn't done sending. Maybe first try from localhost on the PowerDNS server? Unfortunately.. same result. Now that is interesting. Can I suggest creating a pcap file and looking at it with Wireshark?

ifconfig lo | grep MTU
tcpdump -s $MTU -w $PATH/lo.tcp.domain.pcap -npti lo tcp port domain

I don't really know what could be the cause, but my guess is PowerDNS is sending something dig doesn't understand?
[Pdns-users] [ignore] mailinglist test-message
I'm sorry, I'm having some odd problems with changing addresses; this is a test message, please ignore. Have a good weekend! :-)
Re: [Pdns-users] Handling packet flood from one client.
Ton van Rosmalen wrote: Leen Besselink schreef: On Tue, Jan 27, 2009 at 10:00:18AM -0800, Augie Schwer wrote: Obviously; but that's being reactive; I was looking for something more proactive. --Augie I've not tested it, but I understand the u32 option is available on Debian/Linux for example: http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/ That might do what you want. How about rate limiting using iptables? You'd have to determine some sort of general usage rule or manually add IP addresses to the list that's limited.

I didn't know iptables had an easy way to do this per source address. But I've looked around and possibly the iptables 'recent' module would be able to do so: http://www.debian-administration.org/articles/187 OpenBSD's PF would probably be able to though: http://www.openbsd.org/faq/pf/filter.html#stateopts I just had a list of IP addresses and only return a small packet for the rest, but I'm definitely still considering changing it, because there are a few new ones every few days. Although someone on the NANOG mailing list I read sends an update each time, I must say, that's convenient too. :-) I don't particularly like rate-limiting something as important as DNS for where I work. PS You were probably not aware of it but please don't send HTML-only e-mails to mailing lists; some people don't like it. Thunderbird does support it I think. Regards, Ton
Re: [Pdns-users] Handling packet flood from one client.
On Wed, Jan 28, 2009 at 11:07:53AM -0800, Augie Schwer wrote: We discussed this on #powerdns a bit as it came up on the dns-operations list; the conclusion was that dropping the request was worse because it opened up spoofing attacks. Thanks for the suggestion though. --Augie

Yes, that is the other problem. It's also a reason why I only drop queries from those few IPs at work. There is obviously another problem with that, which Paul Vixie already mentioned on the NANOG mailing list, which is if the targeted IPs are actually resolvers, they wouldn't be able to query our nameservers. Although it's not really all that bad: first of all, the connection of that IP address is probably flooded, because of all the answers going to that IP address. If that didn't happen and it really was a recursor, I think it would be really easy to move the outgoing address to another IP address, because the people running that recursor very well know there are people helping them by blocking those questions. All in all I think blocking just a few addresses isn't all that bad. Better is nagging your transit provider about it, because the source network should do proper filtering. That's something I started doing today, because it has been going on for weeks now (it started in December somewhere). Someone should have noticed that traffic leaving some of these networks and fixed it. If not, they should at least be notified. Well, that was my reasoning. :-)
Re: [Pdns-users] Handling packet flood from one client.
On Tue, Jan 27, 2009 at 10:00:18AM -0800, Augie Schwer wrote: Obviously; but that's being reactive; I was looking for something more proactive. --Augie

I've not tested it, but I understand the u32 option is available on Debian/Linux for example: http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/ That might do what you want.

2009/1/27 Jeroen Wunnink jer...@easyhosting.nl: Just firewall the IP? Augie Schwer wrote: Does anyone have other solutions? -- Met vriendelijke groet, Jeroen Wunnink, EasyHosting B.V. Systeembeheerder systeembeh...@easyhosting.nl telefoon: +31 (035) 6285455 Postbus 48 fax: +31 (035) 6838242 3755 ZG Eemnes http://www.easyhosting.nl http://www.easycolocate.nl -- Augie Schwer - au...@schwer.us - http://schwer.us Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
Re: [Pdns-users] DDos Reflector
Christof Meerwald wrote: Hi, since about Friday late evening I am seeing lots of pdns errors in my syslog like: Not authoritative for '', sending servfail to 76.9.31.42 (recursion was desired) Over in comp.protocols.dns.bind there is already some discussion about these DNS requests (which apparently use a spoofed source IP address). Is there anything a DNS server/PowerDNS can do to avoid being used as a DDoS reflector, like rate-limiting SERVFAILs per IP address? What's the general opinion?

The idea of the DoS attack is to try and get the authoritative or public recursive nameserver to send a larger amount of packets or size than the original request. PowerDNS (at least the installations I checked) doesn't do that, it just sends a ServFail of pretty much the same size. Other than dropping the packet with a firewall rule as I have (that IP address specifically; I actually will remove it after it has stopped!) I don't think there is a lot you could do. Maybe someone could implement some kind of rules in PowerDNS to, again, not answer this query specifically. But well, that would just be wrong and make a DNS cache poisoning attack at some recursor more effective. Only other thing I can think about is that maybe a rate limiter could be kinda useful. As I've mentioned in other fora, people should just filter their egress traffic from spoofed addresses; that would get rid of the whole problem. Christof
Re: [Pdns-users] DDos Reflector
Leen Besselink wrote: Christof Meerwald wrote: Hi, since about Friday late evening I am seeing lots of pdns errors in my syslog like: Not authoritative for '', sending servfail to 76.9.31.42 (recursion was desired) Over in comp.protocols.dns.bind there is already some discussion about these DNS requests (which apparently use a spoofed source IP address). Is there anything a DNS server/PowerDNS can do to avoid being used as a DDoS reflector, like rate-limiting SERVFAILs per IP address? What's the general opinion? The idea of the DoS attack is to try and get the authoritative or public recursive nameserver to send a larger amount of packets or size than the original request. PowerDNS (at least the installations I checked) doesn't do that, it just sends a ServFail of pretty much the same size. Other than dropping the packet with a firewall rule as I have (that IP address specifically; I actually will remove it after it has stopped!) I don't think there is a lot you could do. Maybe someone could implement some kind of rules in PowerDNS to, again, not answer this query specifically. But well, that would just be wrong and make a DNS cache poisoning attack at some recursor more effective. Only other thing I can think about is that maybe a rate limiter could be kinda useful. As I've mentioned in other fora, people should just filter their egress traffic from spoofed addresses; that would get rid of the whole problem.

Maybe there is a way to find the bad guys, because I did notice one thing: the TTL is pretty much always the same and they are all arriving from the same transit provider. So that means it's probably just a very small number of bad guys, fairly close together. The TTL I have here is 56 or 57:

# tcpdump -c 10 -vvntpi XXX host 76.9.31.42
tcpdump: listening on XXX, link-type XXX
76.9.31.42.39499 > XXX.XXX.XX.XXX.53: [udp sum ok] 47478+ NS? . (17) (ttl 57, id 28226, len 45)
76.9.31.42.35973 > XXX.XXX.XX.XXX.53: [udp sum ok] 31418+ NS? . (17) (ttl 56, id 40252, len 45)
76.9.31.42.10658 > XXX.XXX.XX.XXX.53: [udp sum ok] 47176+ NS? . (17) (ttl 56, id 23872, len 45)
76.9.31.42.41104 > XXX.XXX.XX.XXX.53: [udp sum ok] 20777+ NS? . (17) (ttl 57, id 6198, len 45)
76.9.31.42.25856 > XXX.XXX.XX.XXX.53: [udp sum ok] 12812+ NS? . (17) (ttl 57, id 32978, len 45)
76.9.31.42.61992 > XXX.XXX.XX.XXX.53: [udp sum ok] 8502+ NS? . (17) (ttl 56, id 7053, len 45)
76.9.31.42.28488 > XXX.XXX.XX.XXX.53: [udp sum ok] 64677+ NS? . (17) (ttl 56, id 38187, len 45)
76.9.31.42.32527 > XXX.XXX.XX.XXX.53: [udp sum ok] 49277+ NS? . (17) (ttl 56, id 59157, len 45)
76.9.31.42.25435 > XXX.XXX.XX.XXX.53: [udp sum ok] 719+ NS? . (17) (ttl 56, id 27208, len 45)
76.9.31.42.3991 > XXX.XXX.XX.XXX.53: [udp sum ok] 14463+ NS? . (17) (ttl 57, id 12013, len 45)

The transit provider in my case is AboveNet. If people with a higher TTL would give some information on where they think it's arriving from, maybe we would be able to pinpoint them. Christof
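A defender-side reading of the two flood threads above, as an added example that is not part of the list archive or of PowerDNS: it parses tcpdump -vvn lines in the format quoted in the message, groups 'NS? .' queries per source address, and reports sources whose IP TTL stays nearly constant, the signal the poster used to argue for a single spoofing origin a fixed number of hops away. The sample lines, addresses and function names are all constructed for this illustration.

```python
"""Added illustration (not code from PowerDNS or the list posters): parse
tcpdump -vvn lines like those quoted in the thread and flag sources whose
repeated 'NS? .' queries arrive with a nearly constant IP TTL. Sample lines
are constructed; addresses come from the documentation ranges."""
import re
from collections import defaultdict
from typing import List, NamedTuple, Optional, Tuple

# One tcpdump -vvn UDP DNS query line. The '+' after the transaction id is how
# tcpdump marks the RD (recursion desired) bit on the query.
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):\s+\[udp sum ok\]\s+"
    r"(?P<txid>\d+)(?P<rd>\+?)\s+(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)\s+"
    r"\((?P<qlen>\d+)\)\s+\(ttl (?P<ttl>\d+), id (?P<ipid>\d+), len (?P<len>\d+)\)$"
)


class Query(NamedTuple):
    src: str
    sport: int
    qtype: str
    qname: str
    rd: bool
    ttl: int


class Finding(NamedTuple):
    src: str
    count: int
    ttls: Tuple[int, ...]


def parse_line(line: str) -> Optional[Query]:
    """Return a Query for a well-formed capture line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Query(m["src"], int(m["sport"]), m["qtype"], m["qname"],
                 m["rd"] == "+", int(m["ttl"]))


def parse_lines(lines: List[str]) -> List[Query]:
    return [q for q in map(parse_line, lines) if q is not None]


def find_reflector_sources(queries: List[Query], min_count: int = 5,
                           max_ttl_spread: int = 1) -> List[Finding]:
    """Sources that sent at least min_count root-NS queries whose IP TTLs span
    at most max_ttl_spread. A flood spoofed from one place travels one path, so
    the TTL barely moves; a real population of resolvers spreads out. Findings
    are candidates for a temporary per-address filter or a report to the transit
    provider, as the thread suggests, not for an automatic block."""
    per_src = defaultdict(list)
    for q in queries:
        if q.qtype == "NS" and q.qname == ".":
            per_src[q.src].append(q.ttl)
    findings = [
        Finding(src, len(ttls), tuple(sorted(set(ttls))))
        for src, ttls in per_src.items()
        if len(ttls) >= min_count and max(ttls) - min(ttls) <= max_ttl_spread
    ]
    return sorted(findings, key=lambda f: -f.count)


# Constructed sample capture: five root-NS queries from one address with TTL
# 56/57, ordinary traffic from a second resolver, and one junk line.
SAMPLE_LINES = [
    "198.51.100.7.39499 > 192.0.2.53.53: [udp sum ok] 47478+ NS? . (17) (ttl 57, id 28226, len 45)",
    "198.51.100.7.35973 > 192.0.2.53.53: [udp sum ok] 31418+ NS? . (17) (ttl 56, id 40252, len 45)",
    "198.51.100.7.10658 > 192.0.2.53.53: [udp sum ok] 47176+ NS? . (17) (ttl 56, id 23872, len 45)",
    "198.51.100.7.41104 > 192.0.2.53.53: [udp sum ok] 20777+ NS? . (17) (ttl 57, id 6198, len 45)",
    "198.51.100.7.25856 > 192.0.2.53.53: [udp sum ok] 12812+ NS? . (17) (ttl 57, id 32978, len 45)",
    "203.0.113.9.51234 > 192.0.2.53.53: [udp sum ok] 1234 A? www.example.com. (33) (ttl 120, id 17, len 61)",
    "203.0.113.9.51235 > 192.0.2.53.53: [udp sum ok] 1235+ NS? . (17) (ttl 119, id 18, len 45)",
    "this line is not a tcpdump record",
]


if __name__ == "__main__":
    for f in find_reflector_sources(parse_lines(SAMPLE_LINES)):
        print(f"{f.src}: {f.count} root NS queries, ttl values {f.ttls}")
```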
Re: [Pdns-users] Error While loading shared libraries: libpq.so.5: Cannot open shared object
On Sun, Nov 16, 2008 at 11:50:53AM +0700, BORIN HY/WiCAM wrote: Dear All, Hi you, I just downloaded the latest release of the PowerDNS rpm and installed it on my Fedora Core 9. When I try to start PowerDNS, I get the following error. $ /etc/init.d/pdns start Starting PowerDNS authoritative nameserver: /usr/sbin/pdns_server: error while loading shared libraries: libpq.so.5: cannot open shared object file: No such file or directory Please advise what I should do in order to fix this problem.

I know pretty much nothing about any other distribution except for Debian (based), but libpq.so.5 is a PostgreSQL client library. This is what I have on my Ubuntu desktop machine:

[EMAIL PROTECTED]:~$ dpkg -S libpq.so.5
libpq5: /usr/lib/libpq.so.5
libpq5: /usr/lib/libpq.so.5.1
[EMAIL PROTECTED]:~$ dpkg -s libpq5
Package: libpq5
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 872
Maintainer: Martin Pitt [EMAIL PROTECTED]
Architecture: i386
Source: postgresql-8.3
Version: 8.3.4-2.2
Depends: libc6 (>= 2.4), libcomerr2 (>= 1.01), libkrb53 (>= 1.6.dfsg.2), libldap-2.4-2 (>= 2.4.7), libssl0.9.8 (>= 0.9.8f-5)
Description: PostgreSQL C client library
 libpq is a C library that enables user programs to communicate with the PostgreSQL database server. The server can be on another machine and accessed through TCP/IP. This version of libpq is compatible with servers from PostgreSQL 8.2 or later.
 .
 This package contains the run-time library, needed by packages using libpq.
 .
 PostgreSQL is an object-relational SQL database management system.
Original-Maintainer: Martin Pitt [EMAIL PROTECTED]

I hope this helps. If you know what package you needed to install to get it to work, post it here so it's saved in the archives and people don't need to ask about it again. Have a nice day, Leen Besselink. Thanks, regards, Borin
Re: [Pdns-users] PDNS-Recursor Not Providing DNS Lookups?
On Fri, Aug 22, 2008 at 01:40:05PM -0500, Kenneth Marshall wrote: On Fri, Aug 22, 2008 at 07:42:31PM +0200, bert hubert wrote: On Fri, Aug 22, 2008 at 12:30:36PM -0400, Steve Chapman wrote: I'm working in an environment that uses split DNS (some parentcompany.com servers we want resolved from corporate DNS servers, others from Internet DNS servers). I've installed the pdns-recursor RPM (3.1.7-1) on my RHEL 5 bind DNS server and configured the recursor, all defaults except: Very good! If I run an nslookup Server2.parentcompany.com <IP of corporate DNS server>, I get a valid IP address, and then if I subsequently re-run the nslookup against the PDNS Recursor, it provides the answer from then on. Why isn't it providing the answer initially? Any ideas would be helpful.

The reason is that PowerDNS is expecting you to forward queries to an authoritative server. It appears you are forwarding them to a server that is not authoritative for Server2.parentcompany.com, but is in itself a caching resolver. PowerDNS is sending so called 'non-recursion desired' questions to your internal nameserver, and this internal server is therefore not recursing for your questions. Once you've triggered the internal server to look the question up, it keeps the answer in the cache. The second time PowerDNS asks, no recursion is needed, since the answer is there already. I'm not sure what to do now - it might be good for PowerDNS to set the 'rd' bit in forwarded queries. Any ideas?

I vote for setting the 'rd' bit in the forwarded queries. That certainly best fits the behavior that I was expecting to see. Maybe add a separate option like this?: forward-zones-with-rdbit= ? recurse-forward-zones= ? Regards, Ken
Re: Can pdns-recursor forward . ? / Re: [Pdns-users] Where can I download Windows binaries?
On Tue, Jul 29, 2008 at 12:53:04PM +0200, bert hubert wrote: On Tue, Jul 29, 2008 at 12:49:24PM +0200, Leen Besselink wrote: I have another reason I might want a windows binary. In this case for PowerDNS-recursor. You can compile the powerdns recursor on windows if you are reasonably windows savvy. It takes me around two days to get it working usually. But I really hope someone else will do this, and I'd love to help! And Windows XP doesn't support DNS over IPv6; installing a local forwarding IPv6-enabled PowerDNS-recursor might be a solution to that? Can I forward .? I've never tried it. It might, unsure. Bit of an odd construction :-)

I tried setting forwarding for ., just to see what happens, but to be honest it's not a good idea. First of all it does want to send the right questions, but they are flagged as no-recurse (RD bit not set). Which is obviously not appropriate and did not work in my setup. Bert -- http://www.PowerDNS.com Open source, database driven DNS Software http://netherlabs.nl Open and Closed source services
Re: [Pdns-users] pdns-recursor performance
On Tue, Aug 05, 2008 at 12:30:25AM -0700, Brad Dameron wrote: And you will see your response times drop from 1-2 seconds to milliseconds. I did a lot of testing of this and pdns-recursor is definitely the best out there. Brad

Hi Brad, Did you also test Unbound ( www.unbound.net )? They say they are faster; they are a fairly new player in this field (version 1.0.0 released May 20, 2008). I can't find the graph. The graph I've seen shows PowerDNS and bind pretty close together. Which I found a bit strange. Even if they are faster, at least they are keeping the title in the Netherlands (PowerDNS and NLNetlabs are both Dutch organisations). :-) I've not used/tested it.
Re: [Pdns-users] pdns-recursor performance
On Tue, Aug 05, 2008 at 10:29:14AM +0200, Leen Besselink wrote: On Tue, Aug 05, 2008 at 12:30:25AM -0700, Brad Dameron wrote: And you will see your response times drop from 1-2 seconds to milliseconds. I did a lot of testing of this and pdns-recursor is definitely the best out there. Brad Hi Brad, Did you also test Unbound ( www.unbound.net )? They say they are faster; they are a fairly new player in this field (version 1.0.0 released May 20, 2008). I can't find the graph. The graph I've seen shows PowerDNS and bind pretty close together. Which I found a bit strange.

I did find the graphs: http://www.unbound.net/documentation/ripe56_unbound_02.pdf

Even if they are faster, at least they are keeping the title in the Netherlands (PowerDNS and NLNetlabs are both Dutch organisations). :-) I've not used/tested it.
Can pdns-recursor forward . ? / Re: [Pdns-users] Where can I download Windows binaries?
I have another reason I might want a windows binary. In this case for PowerDNS-recursor. When I'm going to deploy IPv6, I would really like to have an IPv6-only network behind the (currently NAT) firewall. And Windows XP doesn't support DNS over IPv6; installing a local forwarding IPv6-enabled PowerDNS-recursor might be a solution to that? Can I forward .? I've never tried it. Hmm, maybe there is an easier way to do this?

On Tue, Jul 29, 2008 at 12:24:36PM +0200, Rick Jansen wrote: I think there would be a lot more interest from Windows Server users if recent download packages were available. And Windows users, I think, are often more commercial users, with money. Money to make PowerDNS better. So instead of: Wait for interest -> create package Isn't this better: create packages -> see an increase in interest -> increase in support contracts? Kind regards, Rick Jansen
Re: Can pdns-recursor forward . ? / Re: [Pdns-users] Where can I download Windows binaries?
On Tue, Jul 29, 2008 at 12:53:04PM +0200, bert hubert wrote: On Tue, Jul 29, 2008 at 12:49:24PM +0200, Leen Besselink wrote: I have another reason I might want a windows binary. In this case for PowerDNS-recursor. You can compile the powerdns recursor on windows if you are reasonably windows savvy. It takes me around two days to get it working usually. But I really hope someone else will do this, and I'd love to help!

Is it Visual Studio or something like cygwin you use to compile it? I have VS6 at work, possibly newer as well. There is a fairly-free edition as I understand it; I guess it should be made to work on that (if VS is used). But as with most people, my problem is not so much with will-power, but with time.

And Windows XP doesn't support DNS over IPv6; installing a local forwarding IPv6-enabled PowerDNS-recursor might be a solution to that? Can I forward .? I've never tried it. It might, unsure. Bit of an odd construction :-)

Yes, I agree. If it doesn't work, it's probably because at startup it updates the nameservers for . But maybe adding one extra check could solve that. I'm not saying bind is a good example, but bind does support this mode of operation. Who said adding features was a bad idea (if it doesn't complicate the code)? ;-) Bert -- http://www.PowerDNS.com Open source, database driven DNS Software http://netherlabs.nl Open and Closed source services
[Pdns-users] Re: Can pdns-recursor forward . ? / Re: Where can I download Windows binaries?
On Tue, Jul 29, 2008 at 11:25:58PM +0200, Christof Meerwald wrote: On Tue, 29 Jul 2008 23:13:07 +0200, Leen Besselink wrote: Wouldn't simple UDP forwarding be sufficient in this case? (but you would still need to find a program to do the UDP forwarding) Yes, I guess that is possible. You'd lose source port randomisation, all the rage these days, and caching. I guess it depends how the UDP forwarder is implemented - there is no reason why the forwarder wouldn't be able to use similarly randomised source ports (but you would lose caching, of course).

I agree, but I've never seen one. Christof -- http://cmeerw.org sip:cmeerw at cmeerw.org mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org
Re: [Pdns-users] coordinated patch
On Wed, Jul 09, 2008 at 08:26:47AM +0200, bert hubert wrote: On Wed, Jul 09, 2008 at 07:47:45AM +0200, Leen Besselink wrote: So now the question becomes did anyone inform Bert and/or PowerDNS too? I knew about this stuff from the very beginning (February I think), even before CERT was involved. I was even supposed to go to the famous meeting at microsoft, but the imminent birth of my son Maurits made me decide not to. When CERT started to coordinate, nobody told me since there was nothing to coordinate - PowerDNS was not vulnerable. After a while a PowerDNS user asked CERT to keep me in the loop anyhow, and I was able to add some small details to the advisory. Like a link to http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience !

From your blog I knew you were writing that draft, but it had only sunk in that it's the same thing later this morning. It was a bit late last night. And I see now that the draft has been publicly announced on the namedroppers list a little over a week ago also. Your blog entry about the draft is from 01/12/2007; that means before Dan Kaminsky found the problem? In his podcast he talks about a year. If so it means you probably had a chuckle at the DNS Crypto lunch as well. [0] I'm still wondering what happened there. [0] http://blog.netherlabs.nl/articles/2007/02/21/dns-crypto-power-lunch Bert -- http://www.PowerDNS.com Open source, database driven DNS Software http://netherlabs.nl Open and Closed source services
Re: [Pdns-users] Re: PowerDNS interview on Dutch national radio tonight
On Wed, Jul 09, 2008 at 09:03:57AM +0200, Stephane Bortzmeyer wrote: On Tue, Jul 08, 2008 at 06:13:04PM +0200, Stephane Bortzmeyer [EMAIL PROTECTED] wrote a message of 13 lines which said: Microsoft will be releasing more details tonight, Apparently done: http://www.microsoft.com/technet/security/Bulletin/MS08-020.mspx As mentioned off-line, this is an old one, the new one is: http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx For BIND: http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php

Seems I never got this thread from Wirehub, euh Easynet; otherwise I would have worded my e-mail(s) differently, and I missed the radio program. Thank god for podcasts. ;-)
[Pdns-users] coordinated patch
This sounds pretty scary; it seems to concern recursors and resolver libraries. The way to solve it is to use port randomization, which shouldn't be a big surprise to the PowerDNS-using community.

Massive, Coordinated Patch To the DNS Released [0] tkrabec alerts us to a CERT advisory announcing a massive [1], multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC [2]). Here is the executive overview (PDF [3]) to the CERT advisory; text reproduced at the link above. There's a podcast [4] interview with Dan Kaminsky too. His site has a DNS checker tool [5] on the top page. The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediately reveal the vulnerability and reverse engineering isn't directly possible.

So now the question becomes did anyone inform Bert and/or PowerDNS too? I did find in the DOC [2]: Name: PowerDNS Status: Not Vulnerable Date Notified: 2008-05-13 11:35:05 Statement: PowerDNS Vendor Statement - Since version 3.0, released in April 2006, the PowerDNS Recursor resolving nameserver has implemented measures that protect against the vulnerability described in CVE-2008-1447. Source ports are randomized, and 'near misses', indicating a spoofing attempt in progress, are detected, and the query is dropped.

I guess no patching for us (for our DNS servers at least)? Thank you Bert (and DJB)! ;-)

[0] http://it.slashdot.org/it/08/07/08/195225.shtml
[1] http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/
[2] http://securosis.com/publications/CERT%20Advisory.doc
[3] http://securosis.com/publications/DNS-Executive-Overview.pdf
[4] http://media.libsyn.com/media/mckeay/nsp-070808-ep111.mp3
[5] http://www.doxpara.com/