[Pdns-users] Goodbye DNS, Goodbye PowerDNS!

2020-11-27 Thread bert hubert via Pdns-users
Goodbye DNS, Goodbye PowerDNS!

Please read the whole post on 
https://blog.powerdns.com/2020/11/27/goodbye-dns-goodbye-powerdns/
which also has clickable links.

But the gist is:

After over 20 years of DNS and PowerDNS, I am moving on.  Separate from this
page, I am releasing a series of three huge posts on the history of
PowerDNS, so I won’t dwell too much on that here.

This is not an easy story to write.  I don’t like to grandstand, but when
the founder of a project decides to leave after two decades, people do
expect some form of an explanation.

It is also customary to describe such an exit in upbeat terms, sometimes to
the point that you wonder that if things were so great, why is this person
leaving?

But the reality is, I got bored and wanted to do new things.  PowerDNS and
the wonderful people who I met along the way have taught me so much –
software development, operations, marketing, sales, business development,
community building, writing internet standards & much more.  It has been a
wonderful ride.

But now it appears DNS and I are somewhat at the end of our relationship
(even though I will remain a minor PowerDNS shareholder).  Formally I leave
on December 31st.

Helping build PowerDNS to what it is today – a flourishing department of
Open-Xchange, able to fund itself by delivering its software to paying
users, while maintaining good relations with the open source community, has
been an incredible honour.

As I leave the company, management and software development have long been
in the hands of people I am proud to call my successors.  They are doing a
better job than I ever did – the only claim I have on the current success is
that I helped recruit this next generation.  I don’t think there is much
more to aspire to when you create a company than leaving it behind in good
shape.

... please do read on at 
https://blog.powerdns.com/2020/11/27/goodbye-dns-goodbye-powerdns/

Bert
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] pdns query wrong SOA records with ipv6 and miss the right domain this way

2020-10-06 Thread bert hubert via Pdns-users
On Tue, Oct 06, 2020 at 08:29:49PM +0200, Oliver Dzombic via Pdns-users wrote:
> SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records
> WHERE disabled=0 and type='SOA' and
> name='7.3.c.f.9.0.2.0.0.0.0.0.3.1.0.0.8.d.2.1.0.0.a.2.ip6.arpa'

Can you run that query on your database and tell us what it reports?

Thanks!

Bert


Re: [Pdns-users] Issues with PowerDNS Authoritative Server on CentOS7

2020-08-17 Thread bert hubert via Pdns-users
On Mon, Aug 17, 2020 at 09:33:17PM +, Fabio Perez via Pdns-users wrote:
> Hello,
> My name is Fabio.
> I installed 2 VMs each running PowerDNS as Authoritative servers, but for 
> whatever reason I cannot make this to work.
> When I set other VMs with the nameserver of my DNS, none of my query get 
> resolved.
> I need assistance with this.  How can I troubleshoot this?
> What information do I need to provide?

Hi Fabio,

If you tell us the IP address of your server we could send it questions and
see if it responds.

Alternatively, please show us your configuration (including network setup,
firewalls etc) and how you determined none of your queries are getting
resolved.

Also please include the full startup log of PowerDNS, which will show on
which IP addresses it listens.

There is nothing specific about Centos7 and your problem is likely network
related, or perhaps powerdns is not even running.

Bert



Re: [Pdns-users] Recursor and LUA scripting: I don't understand why preresolve answering a CNAME won't cascade to other records

2020-05-31 Thread bert hubert via Pdns-users
On Sun, May 31, 2020 at 12:08:36PM +0200, Oscar Koeroo via Pdns-users wrote:

> I’m using the following LUA script to intercept, but I don’t understand
> the results.  Why doesn’t the dig get the CNAME to go to the A record I
> have in my domain.local zone?  I expected dig to try to get the CNAME
> value of qr.domain.net and the CNAME value of that result, which seems to
> halt there.

Hi Oscar!

So firstly, a resolver is expected to provide a complete answer. If it
supplies only a CNAME, a client can assume there is nothing more. A
stub-resolver won't itself recurse.

> The expected result I was looking for was:

The good news is, we thought of this scenario, and we have this:

"CNAME chain resolution

It may be useful to return a CNAME record for Lua, and then have the
PowerDNS Recursor continue resolving that CNAME.  This can be achieved by
setting dq.followupFunction to followCNAMERecords and dq.followupDomain to
“www.powerdns.com”.  PowerDNS will do the rest.  "

https://doc.powerdns.com/recursor/lua-scripting/hooks.html#cname-chain-resolution

Good luck!

Bert


Re: [Pdns-users] SERVFAIL on all requests

2020-05-25 Thread bert hubert via Pdns-users
On Mon, May 25, 2020 at 04:46:15PM -0400, Dave Burkholder via Pdns-users wrote:
> I did wonder too if there's an issue of reaching root servers, or firewall
> modifying responses, so I did try installing unbound on the same machine,
> and it's working fine.  unbound on port 3053 always works, but pdns on
> port 2053 always FAIL.

Your network is faulty:

May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  com: Trying IP 
202.12.27.33:53, asking 'com|A' 
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  com: Got 0 answers 
from m.root-servers.net (202.12.27.33), rcode=0 (No Error), aa=0, in 6ms

If it happens to work for unbound, well, good luck there.  But as long as
someone is intercepting your traffic to the root servers and modifying it,
all bets are off.

May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  reddit.com: Trying IP 
192.58.128.30:53, asking 'reddit.com|A' 
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  reddit.com: Got 4 
answers from j.root-servers.net (192.58.128.30), rcode=0 (No Error), aa=0, in 
62ms 
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  Removing record 
'reddit.com|A|151.101.1.140' in the answer section without the AA bit set 
received from . 
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  Removing record 
'reddit.com|A|151.101.193.140' in the answer section without the AA bit set 
received from . 
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  Removing record 
'reddit.com|A|151.101.65.140' in the answer section without the AA bit set 
received from . 
May 25 16:14:04 system.cdc.lan pdns_recursor[8655]: [1]  Removing record 
'reddit.com|A|151.101.129.140' in the answer section without the AA bit set 
received from .

This is also a clear indication someone is intercepting and breaking your
traffic to root servers. The real J-root will not answer with IP addresses
for reddit.com.

Bert


> 
> Regards,
> 
> Dave
> 
> On 5/25/20 4:04 PM, bert hubert wrote:
> >On Mon, May 25, 2020 at 03:57:22PM -0400, Dave Burkholder via Pdns-users 
> >wrote:
> >>When I enable trace, I get lines like:
> >>
> >>May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2]  bing.com: Got 3 
> >>answers from b.root-servers.net (199.9.14.201), rcode=0 (No Error), aa=0, in 
> >>6ms
> >>May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2]  Removing record 
> >>'bing.com|A|204.79.197.200' in the answer section without the AA bit set 
> >>received from .
> >>May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2]  Removing record 
> >>'bing.com|A|13.107.21.200' in the answer section without the AA bit set 
> >>received from .
> >Could you please send a complete output of trace? It appears someone is
> >intercepting and changing your DNS responses.
> >
> >Thanks!
> >
> > Bert
> >



Re: [Pdns-users] SERVFAIL on all requests

2020-05-25 Thread bert hubert via Pdns-users
On Mon, May 25, 2020 at 03:57:22PM -0400, Dave Burkholder via Pdns-users wrote:
> When I enable trace, I get lines like:
> 
> May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2]  bing.com: Got 3 
> answers from b.root-servers.net (199.9.14.201), rcode=0 (No Error), aa=0, in 
> 6ms
> May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2]  Removing record 
> 'bing.com|A|204.79.197.200' in the answer section without the AA bit set 
> received from .
> May 25 15:36:44 system.cdc.lan pdns_recursor[16801]: [2]  Removing record 
> 'bing.com|A|13.107.21.200' in the answer section without the AA bit set 
> received from .

Could you please send a complete output of trace? It appears someone is
intercepting and changing your DNS responses.

Thanks!

Bert
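
Added example (not part of the original posts, and not PowerDNS code): a small Python filter for the symptom discussed in the two SERVFAIL replies above, address records in the answer section of a response attributed to the root, which the recursor strips for lacking the AA bit. The sample lines are constructed in the trace format quoted above; reading the trailing "received from ." as the root zone is an assumption, and since the log format is not guaranteed the patterns may need adjusting per release.

```python
import re

# A syslog record starts with "Mon DD HH:MM:SS "; any other line is a wrapped tail.
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")

# "<qname>: Got N answers from <server> (<ip>), rcode=R (...), aa=A, in Tms"
GOT = re.compile(
    r"\[(?P<thread>\d+)\]\s+(?P<qname>\S+): Got (?P<count>\d+) answers from "
    r"(?P<server>\S+) \((?P<ip>[0-9A-Fa-f.:]+)\), rcode=(?P<rcode>\d+) "
    r"\([^)]*\), aa=(?P<aa>[01])"
)

# "Removing record 'name|type|content' in the answer section without the AA
#  bit set received from <zone>"
REMOVED = re.compile(
    r"\[(?P<thread>\d+)\]\s+Removing record "
    r"'(?P<name>[^|']+)\|(?P<rtype>[^|']+)\|(?P<content>[^']*)' "
    r"in the answer section without the AA bit set received from (?P<zone>\S+)"
)


def unwrap(text):
    """Rejoin syslog records that a mail client wrapped and/or '>'-quoted."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()
        if not line:
            continue
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def find_stripped_root_answers(text):
    """Return one finding per (qname, server ip) where answer-section records
    attributed to the root zone "." were dropped for lacking the AA bit."""
    last_got = {}   # trace thread id -> fields of the latest "Got N answers" line
    findings = {}   # (qname, server ip) -> finding dict, in first-seen order
    for record in unwrap(text):
        m = GOT.search(record)
        if m:
            last_got[m["thread"]] = m.groupdict()
            continue
        m = REMOVED.search(record)
        if not m or m["zone"] != ".":
            continue  # only responses the recursor attributes to the root
        got = last_got.get(m["thread"])
        if got and got["qname"].rstrip(".") == m["name"].rstrip("."):
            server, ip = got["server"], got["ip"]
        else:
            server = ip = None  # excerpt lacks the matching response line
        finding = findings.setdefault(
            (m["name"], ip),
            {"qname": m["name"], "server": server, "ip": ip, "stripped": []},
        )
        finding["stripped"].append((m["rtype"], m["content"]))
    return list(findings.values())


# Constructed sample (not a real capture): wrapped like the excerpts above,
# with one '>'-quoted record whose stripped answer did not come from the root.
SAMPLE_TRACE = """\
May 25 16:14:04 resolver.example pdns_recursor[8655]: [1]  www.example.org: Got 2
answers from j.root-servers.net (192.58.128.30), rcode=0 (No Error), aa=0, in
62ms
May 25 16:14:04 resolver.example pdns_recursor[8655]: [1]  Removing record
'www.example.org|A|192.0.2.10' in the answer section without the AA bit set
received from .
May 25 16:14:04 resolver.example pdns_recursor[8655]: [1]  Removing record
'www.example.org|A|192.0.2.11' in the answer section without the AA bit set
received from .
> May 25 16:14:05 resolver.example pdns_recursor[8655]: [2]  Removing record
> 'mail.example.org|A|192.0.2.25' in the answer section without the AA bit set
> received from example.org.
"""

if __name__ == "__main__":
    for f in find_stripped_root_answers(SAMPLE_TRACE):
        records = ", ".join(f"{t} {c}" for t, c in f["stripped"])
        print(f"{f['qname']}: answer records attributed to the root via "
              f"{f['server']} ({f['ip']}) were stripped: {records}")
```

A finding here is a prompt to inspect the network path to the root servers (middleboxes, forced DNS redirection), not proof of a specific cause.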



Re: [Pdns-users] why CAP_CHOWN?

2020-05-16 Thread bert hubert via Pdns-users
On Sat, May 16, 2020 at 08:42:21PM +0200, Michael Ströder via Pdns-users wrote:
> But I wonder why CAP_CHOWN is set in CapabilityBoundingSet= and
> AmbientCapabilities= and I could not find a reason in the git history of
> that file.

Hi Michael,

We chown the UNIX domain control socket to the 'setgid' and 'setuid'
setting.

This is likely why we need CAP_CHOWN.

Good luck!

Bert


Re: [Pdns-users] SERVFAIL on backend failure - is this possible?

2020-02-25 Thread bert hubert via Pdns-users
On Wed, Feb 26, 2020 at 12:35:21AM +0200, Vytenis A via Pdns-users wrote:
> While trying to implement authoritative DNS server using "remote"
> backend, I've stumbled into an issue when HTTP backend is unreachable
> - PowerDNS is returning NXDOMAIN.

Can you reproduce this for us so we can check? It is not supposed to ever
happen. Please also let us know which version of PowerDNS you are using.

> What I would like to achieve is return SERVFAIL in case my HTTP
> endpoint is unavailable. Is this possible? Maybe Lua fallback backend
> could assist here?

This is what should be happening. 

Bert



Re: [Pdns-users] Journal Log Format for Recursor

2019-12-28 Thread bert hubert
Hello Chris,

On Sat, Dec 28, 2019 at 10:57:36PM +1100, Chris Jones wrote:
> Can someone please advise what the format of the following logs are that
> are going to journald.

Yes, but please know this format is not in any way guaranteed. In other
words, it might change from release to release. If you want to do any kind
of statistics, I urge you to look into our protobuf export which has many of
these same metrics.

> Request:
> "MESSAGE" : "3 [129/1] question for '
> brave-sync.s3.dualstack.us-west-2.amazonaws.com|A' from (client IP):9051"

3 means it was handled by operating system thread 3 within the recursor. The
numbers in square brackets have changed a bit I think, I remember the first
number being our internal query id, which increases all the time. 

> Response:
> "MESSAGE" : "3 [129/1] answer to question '
> brave-sync.s3.dualstack.us-west-2.amazonaws.com|A': 2 answers, 0
> additional, took 2 packets, 14.091 netw ms, 14.503 tot ms, 0 throttled, 0
> timeouts, 0 tcp connections, rcode=0"

> - what netw ms means

Wall clock time spent waiting on network responses.

> - what tot ms means

Wall clock time totally spent on this query. totms - netwms is a measure of
how much CPU time was spent internally.

Bert



Re: [Pdns-users] PowerDNS Recursor / dnsdist: EDNS Client Subnet

2019-11-24 Thread bert hubert
On Sun, Nov 24, 2019 at 11:50:00AM +0100, Bjoern Franke via Pdns-users wrote:
> E.g. if I use DoT with my mobile phone and come from 89.15.232.0/21 (o2
> Germany in Hamburg), usually the traffic to Akamai is routed to Akamai in
> Hamburg if I use o2's DNS, OpenDNS or 8.8.8.8. Using my dnsdist in
> Nuremberg, Akamai traffic is routed to Frankfurt.
> 
> I enabled "useClientSubnet=true" for dnsdist and several EDNS Client options
> in PowerDNS Recursor (ecs-add-for, edns-subnet-whitelist,
> use-incoming-edns-subnet) but nothing changes.

This is because Akamai will ignore your EDNS Client Subnet information.  It
will only honour ECS if you have an agreement with them, sadly. 

Bert


Re: [Pdns-users] Forward client request

2019-11-12 Thread bert hubert
On Tue, Nov 12, 2019 at 11:05:30AM +, mendisobal via Pdns-users wrote:
> How i can forward recursive DNS requests based on source address of the 
> client. To do this need to have ability to return address of the next NS from 
> preresolve function (instead of NS-records).
> Is there any example on lua?

Hi "Mendisobal",

For this kind of forwarding we recommend using dnsdist. It is also freely
available. The PowerDNS Recursor itself has a very hard time doing stuff
like this.

Good luck!

Bert


Re: [Pdns-users] PowerDNS authoritative server UDP port?

2019-10-30 Thread bert hubert
On Tue, Oct 29, 2019 at 08:33:29PM -0600, Aaron D. Gifford wrote:
> root pdns_serve 40055 16 udp4   192.168.50.12:19413  *:*
> ...
> 
> Why is it listening on UDP port 19413?  I thought I'd disabled various
> subsystems that might want to listen on a TCP or UDP port.

This is likely the DNS proxy, which you might see announcing itself if you
check the startup logs. This is used if PowerDNS needs to resolve ALIAS
records.

dnsproxy.cc:  g_log

Re: [Pdns-users] Port pdns authoritative server and recursor

2019-10-07 Thread bert hubert
On Mon, Oct 07, 2019 at 06:07:28PM +, Kjell Inge Meisal wrote:
> What is the required procedure to port pdns authoritative server to a new 
> server?
> G400

Hello,

PowerDNS is a generic piece of UNIX software, and as such is moved much like
all other software.

In general we would recommend installing a fresh PowerDNS and migrating the
data.

https://doc.powerdns.com/authoritative/migration.html has some guidelines
for that.

Good luck!

Bert


Re: [Pdns-users] Can I filter AAAA DNS requests for Netflix?

2019-10-07 Thread bert hubert
Hello everyone,

I used to use this script:

--[[ 
Sometimes, domains break when IPv6 is used. A common example is
Netflix via an IPv6 tunnel, which Netflix interprets as a proxying 
attempt.

This function strips IPv6 from one or more subdomains. It can be called
with a single domain, like "netflix.com", or with a domain set, which
is more efficient and scales very well.

This file is meant for including, so you can call it from your 
preresolve.
Alternatively, uncomment the activation code below and you can load it
directly into your resolver with 
'lua-dns-script=strip-ipv6-from-domains.lua'.
]]--

function preventIPv6ForDomains(dq, domain)
    local ds=newDS()
    if(type(domain) == "string") then
        ds:add{domain}
    else
        ds=domain
    end
    -- only AAAA (IPv6 address) queries are affected
    if(dq.qtype ~= pdns.AAAA) then return false end
    if(ds:check(dq.qname)) then
        dq.rcode = 0    -- answer NOERROR with no records
        return true
    end
    return false
end

-- To activate, uncomment the block below:

netflix=newDS()
netflix:add{"netflix.com"}

function preresolve(dq)
    return preventIPv6ForDomains(dq, "netflix.com")
end

Perhaps useful.

Bert


On Mon, Oct 07, 2019 at 02:23:07AM -0400, Aleksandr Rogozin via Pdns-users 
wrote:
> Hi Nick,
> 
> Since your request was to filter based on specific domains for qtype AAAA
> with custom response, I suggest looking into Response Policy Zone (RPZ) or
> LUA script.
> 
> Best Regards,
> Aleksandr
> 
> On Sat, Oct 5, 2019 at 23:10 Nicholas Williams <
> nicho...@nicholaswilliams.net> wrote:
> 
> > I’ve got a conundrum that has kind of come to a head for me. It may be
> > 2019, but Comcast is still too incompetent to provide me with
> > properly-working IPv6, so I’ve resorted to using a Hurricane Electric
> > tunnel for IPv6 access. However, Netflix blocks all Hurricane Electric and
> > similar tunnels under the assumption that you’re trying to scam their
> > location identification and access content that you don’t have geographic
> > access to and, worse, the Netflix apps prefer IPv6 over IPv4 when it’s
> > available, so Hurricane Electric users are kinda screwed.
> >
> > In the past, I’ve dealt with this by adding a black hole route for
> > Netflix’s IPv6 prefix. However, I’m now having to block THREE /48 prefixes
> > in order to keep Netflix working, and from what I can tell that means I’m
> > now blocking most of AWS’s entire CDN, so I’m losing out on IPv6 on a bunch
> > of sites.
> >
> > This solution is really like using a sledgehammer to install a picture
> > frame hanger (and having to replace the picture frame hanger every few
> > months). A better solution is to prevent Netflix from doing AAAA lookups
> > (or somehow filter them and respond with only A results). I’m already using
> > PowerDNS Recursor for my DNS. Is there a way I can configure PowerDNS
> > Recursor so that certain domains (like Netflix) respond with only A results
> > and never return AAAA results, so that I can remove my blackhole routes?
> >
> > Thanks,
> >
> > Nick
> >


Re: [Pdns-users] Only REFUSED responses after upgrade.

2019-05-28 Thread bert hubert
On Tue, May 28, 2019 at 03:06:33PM -0400, Chris wrote:
> This DNS server has been running on Debian 7 Wheezy for years without issue.
> Debian 7.11 packaged PowerDNS 2.9.22.

Since 2.9.22 PowerDNS has changed a lot. Run pdnsutil check-zone on your
zones. You are likely missing SOA records, or have defective ones, which
makes modern PowerDNS conclude the whole zone isn't there, leading to a
'Refused'.

Good luck!

Bert


Re: [Pdns-users] DNSSEC same key for all

2019-05-20 Thread bert hubert
On Mon, May 20, 2019 at 10:56:33AM +0200, Bart Mortelmans wrote:
> If you're using MySQL backend, then I guess you could turn the cryptokeys
> table into a view that would return the same key for every domain name. But
> in general I think that would be bad practice and creating a new KEYSET for
> every domain name at the registry would be preferable.

So as a general note, running PowerDNS on MySQL views has uncovered
performance problems, memory leaks and bugs - most likely within MySQL.

So before attempting MySQL views for PowerDNS operations, please test really
well & know that if you report problems, the first thing we'll do is ask if
you can reproduce them using our unmodified schema.

We've not heard of problems when using PostgreSQL views. I just found out
that sqlite also has views, and we've also not heard problems about those.
But I'm unsure if anyone is doing that.

Bert


[Pdns-users] PowerDNS & Open Source

2019-05-07 Thread bert hubert
Hi everyone,

First, apologies for boring you with a non-technical post. But I still think
it is important.

More than three years ago we announced that PowerDNS would be shipping non
open source software, also known as the PowerDNS Platform. We hoped that you
would understand. 
https://blog.powerdns.com/2016/02/23/an-important-update-on-new-powerdns-products/
I know that some of you must have worried this would lead to neglect of our
open source offerings.

Since that time, all our products have grown and improved, with dnsdist as a
specific example - it now powers vast amounts of nameservers, protecting
them against denial of service attacks & replacing costly hardware load
balancers.

In this new post, "How PowerDNS is Open Source & a successful business, or,
why are we talking about 5G?"
https://blog.powerdns.com/2019/05/07/how-powerdns-is-open-source-a-successful-business-or-why-are-we-talking-about-5g/
we explain what we are doing these days, and why we are suddenly writing
stuff about things like 5G DNS or 'DNS over HTTPs for telcos'.

One reason why you might care is that if you love open source, you may be
aware that it is not always easy to get large companies to actually run open
source. Expensive vendors however somehow are able to convince senior
management to run their stuff - even if it is worse.

One thing we have been able to do over the past few years is to also become
good at that game. We have very good people now that are able to convince
companies to run our software. This is why we talk about "5G DNS" - everyone
does, so we do so as well, but we've tried hard to tell a story that
actually makes sense, https://www.powerdns.com/5g.html - if you offer low
latency network access, please also make sure your nameserver is fast. 

Meanwhile, what I think many of you feared, we have also managed not to turn
into a horrible corporate company you can no longer talk to. We're still
there on our IRC channel and not going anywhere.

So again, apologies for perhaps boring you with this commercial stuff, but I
do think it is important for everyone to know what we have been up to, and
how we have been able to get our open source software deployed so much more
widely.

Bert



Re: [Pdns-users] Azure?

2019-04-30 Thread bert hubert
On Mon, Apr 29, 2019 at 10:24:11PM +, Ryan Finnesey wrote:
> Is there anyone within the group that has deployed Power DNS on Azure?  I
> am looking for some general feedback.  I am looking at using Power DNS for
> a registry and was hoping to host within Azure.

In addition to what Pieter said, it works well on Azure, but if you are running
a registry, we'd strongly recommend not putting all your nameservers in a
single AS or a single cloud.

While rare, Azure and AWS outages have been known to happen. The knock-on
effect for a registry, even if a niche one, is large.

Note that Microsoft also splits out its own DNS over different ASes.

Good luck!

Bert


Re: [Pdns-users] Recursor reply SRVFAIL from the first NS server and does not try other NS servers

2019-04-08 Thread bert hubert
On Mon, Apr 08, 2019 at 10:53:24AM +, Mohamad F. Barham wrote:
> I have pdns-recursor running on the campus, and I have issue with NS servers :

Hi Mohamad,

Before we can investigate, which exact version of the PowerDNS Recursor are
you running? Do you run with any Lua scripts?

Bert



Re: [Pdns-users] Remote Backend SOA Response

2019-02-23 Thread bert hubert
On Sat, Feb 23, 2019 at 08:12:40PM +1100, Chris Jones wrote:
> Thanks Bert, but I don’t understand how my backend is doing too much work?
> How does PowerDNS know what the zone is if my backend doesn’t figure it out?

Chris, please carefully read the blog post. It is in there.

"The PacketHandler can send many kinds of questions depending on the nature
of your zone.  For example, it may ask about SOA records, even for zones you
do not host in your backend.  This is because when a question comes in for
‘www.something.com’, PowerDNS must go hunt for a backend with relevant
data."

Bert


Re: [Pdns-users] Remote Backend SOA Response

2019-02-23 Thread bert hubert
On Sat, Feb 23, 2019 at 03:49:28PM +1100, Chris Jones wrote:
> Hi there,
> 
> I am in the process of writing a custom backend with PowerDNS 4.1.5 and I
> have a question on the expected response for SOA records.

Hi Chris Jones 44,

It looks like your backend is doing too much work.  In
https://blog.powerdns.com/2015/06/23/what-is-a-powerdns-backend-and-how-do-i-make-it-send-an-nxdomain/
we clarify what is expected of a backend - just answer questions. PowerDNS
will find out what zones exists and what don't (by asking your backend
several questions).

Good luck!

Bert


Re: [Pdns-users] PowerDNS Recursion / Forward-Zone (Strange issue)

2019-02-15 Thread bert hubert
Hi Devin,

First thing of note, you forward using
'forward-zones=*.domain.com=10.13.13.13:53'.

This is never going to work, you should remove "*.".

Can you see if that helps?

Bert


> Dear Users, I am running the latest version of PowerDNS Recursion
> software, and I had an outage this morning in Production and experienced
> some strangeness that I couldn’t explain, was hoping someone might have an
> explanation of what happened.  So the recursion configuration had a single
> domain that was listed in the forward-zones section like this:
> forward-zones=*.domain.com=10.13.13.31:53 A user added some records to the
> Authoritative domain and the Authoritative domain when queried would
> return the result, however the Recursion was returning (no records) for
> the newly added records.  As far as I know the record never was requested
> before it was added to DNS, so it shouldn’t have been cached in the
> negative response which seems to be for a day cached by default.  It was
> resolving older records just not the new ones.  I then restarted the
> powerdns recursion daemon, and all of a sudden it stopped answering for
> all forward requests for the zone “domain.com” in my example here.  After
> some time it started resolving all domains and the new records, but I had
> to in a hurry change back to our old Bind system because it caused an
> outage.  I’m a bit worried why it completely stopped responding for a
> period of time for all records, then now appears to be happy.  I am not
> sure if it has something to do with the Caching between the Authoritative
> server and the Recursion, but something happened.  Any help would be
> greatly appreciated.  Devin Acosta



Re: [Pdns-users] PowerDNS recursor -ECS

2019-02-10 Thread bert hubert
On Sat, Feb 09, 2019 at 10:15:21PM -0500, Rami Al-Dalky wrote:
> I have a question. Is there any cases where the recursor will send a DNS
> query with loopback IP in the client-subnet?

Yes.

https://doc.powerdns.com/recursor/settings.html?highlight=ecs#ecs-scope-zero-address
explains this behaviour. The preceding settings are also relevant to read.

I admit this is confusing, but it is what the RFC requires.

Bert


Re: [Pdns-users] Graphing as a service: Disappearing CPU graphs

2019-01-24 Thread bert hubert
On Wed, Jan 23, 2019 at 02:58:51PM +0100, sth...@nethelp.no wrote:
> - The User CPU% and System CPU% graphs sometimes disappear, after
> days/weeks of uptime. The *space* for the graphs (with legends for
> User CPU% blue and System CPU% red, on the right hand side) is still
> present but the graphs themselves are not shown.

Hi Steinar,

We've been corresponding a bit with you behind the scenes and "this should
not be happening". 

Your recursor reports spending the following amount of milliseconds on user
CPU time:

time_t  milliseconds
1547818832  301274008.418503
1547822864  301784302.665002
1547826896  302310096.107672
1547830928  302844638.859146
1547834960  303381189.070208
1547838992  303924399.662413
1547843024  304477529.572919
1547847056  305025750.193424
1547851088  305544141.140036
1547855120  306001630.092938
1547859152  306153010.535298
1547863184  306141696.00
1547867216  306141696.00
1547871248  306141696.00
1547875280  306141696.00
1547879312  306141696.00
1547883344  306141696.00
1547887376  306141696.00

Note that the number just stops increasing beyond 1547863184. The number
306141696 does not appear to be magical in any kind of way.

We retrieve that number using the getrusage call which has seen some bugs on
FreeBSD. But this seems an odd bug. The ".00" is a bit suspicious
though.

So sadly, we are out of clue.

Bert



Re: [Pdns-users] oracle backend / DNS flag day

2019-01-21 Thread bert hubert
On Mon, Jan 21, 2019 at 02:14:47PM +, Leo Vandewoestijne wrote:
> I'm trying to upgrade a powerdns (auth) server that is using the oracle 
> backend,
> which seems not compiling anymore since 4.1.0
> This was reported at:

Hi Leo,

Providing free Oracle support is very expensive for us in terms of licensing
and time to setting up a working environment.

We therefore only fix bugs in the Oracle backend from supported
(commercial) customers.

The GitHub issue you cite has 'help-needed' attached to it, which reflects
that we are not going to fix the problem.

> In resume: I need pre-4.1.x to have oracle working but post-4.0.x to have 
> EDNS compliance.

If you are willing to attempt to fix the errors, we'd welcome your pull
requests. If you have specific questions, also please ask them and maybe we
can see what the problem is.

Bert


Re: [Pdns-users] pdns-recursor: expected log entries on sendto ENOBUFS error + qname minimization

2019-01-20 Thread bert hubert
On Sun, Jan 20, 2019 at 02:35:00PM +, nusenu wrote:
> Hi,

Hello "Nusenu".

> I've been pondering with 
> "sendto failed: No buffer space available"
> errors using unbound [0].
> 
> To see how pdns-recursor behaves on the same box
> I switched from unbound to pdns-recursor
> and don't get any similar log warnings.

"  if(sendmsg(dc->d_socket, , 0) < 0 && g_logCommonErrors) 
g_log support to recursor. Is my understanding correct that this
> feature is not a priority and will unlikely be added anytime soon 
> (next 6 months)?

We're working on it.  As it stands, qname minimization requires workarounds
to make it viable.  (Re-)standardization is also still going on.  But it
will happen eventually.

Bert




Re: [Pdns-users] CNAME not advertised on A/AAAA request

2019-01-17 Thread bert hubert
On Thu, Jan 17, 2019 at 02:15:25PM +0100, Kevin Olbrich wrote:
> I don't know what I am doing wrong here:

So far I don't know either. 

> Jan 17 14:04:28 dnsmaster01.srvfarm.net pdns_server[19643]: Exception
> building answer packet for cgn01.example.com/A (Parsing record content
> (try 'pdnsutil check-zone'): unable to parse IP address) sending out
> servfail
> Jan 17 14:04:28 dnsmaster01.srvfarm.net pdns_server[19643]: Exception
> building answer packet for cgn01.example.com/ (Parsing record
> content (try 'pdnsutil check-zone'): unable to parse IP address)
> sending out servfail

This does argue there is something wrong in your database.

Can you check that first?

Bert


Re: [Pdns-users] What signal to tell PDNS to shut down?

2019-01-13 Thread bert hubert
On Sun, Jan 13, 2019 at 08:32:33PM +, Brian Candler wrote:
> >sends a `SIGTERM` to PID 1, waits some amount of time, and then sends
> >SIGKILL to force it to stop. It’s having to resort to SIGKILL, because
> >`pdns_server` doesn’t respond to `SIGTERM`. What is the correct signal to
> >tell PDNS to shut down?

> The problem is not with pdns, it's with docker: strange things happen if you
> run the application as pid 1. For an explanation see: 
> https://hackernoon.com/my-process-became-pid-1-and-now-signals-behave-strangely-b05c52cc551c

In addition, you could ask powerdns to stop using pdns_control. 

Bert


[Pdns-users] A small PowerDNS Update

2018-12-30 Thread bert hubert
Hi everyone,

From an article I just posted: 

"This is a more personal post than I usually write, and it was prompted by
several people asking what I had been up to lately.  It turns out that it is
somewhat of a story.  It is a long story too.

Since the beginning of 2018 day to day management of PowerDNS is now truly
in the hands of professionals.  I’m very proud to report that PowerDNS has
not only survived the transition to Open-Xchange but is actually thriving &
has achieved sufficient revenues & talented staff that we’ve solved the
famous open source “what if Bert gets hit by a bus“ problem.

Mind you, I’m still around, but now with a broader remit, and I get to spend
less time personally signing contracts and opining on office arrangements."

Far more on what I/we've been up to can be found here:

https://ds9a.nl/articles/posts/what-i-did-in-2018/

I wish you a happy new year, and let's make 2019 a good one for all of us,
the Internet & PowerDNS!

Bert


Re: [Pdns-users] configure: error: Did not find the mysql library dir in /usr/lib/mysql

2018-12-19 Thread bert hubert
On Wed, Dec 19, 2018 at 05:20:31PM -0600, Cliff Hayes wrote:
> I am trying to install authoritative server 4.0.6 on Fedora 28 and am
> getting:

Hi Jeff,

Did you install the development libraries for MySQL as well? To compile, we
need more than the client library as used by applications.

> configure: error: Did not find the mysql library dir in /usr/lib/mysql

Can you check? If that doesn't work, can you copy/paste some of the
./configure output and configure.log parts that relate to MySQL?

Thanks!

Bert


Re: [Pdns-users] PDNS and Isilon Smartconnect Delegation

2018-12-17 Thread bert hubert
On Mon, Dec 17, 2018 at 10:51:17AM -0500, Ian Easter wrote:
> Isilon round robin issue ended up being related to network configuration
> for the guest machines.  Once I cleared that up, the PDNS Recursor Forward
> Zone configuration worked without a hitch.

Thank you so much for reporting back on the resolution of this issue,
most appreciated!

Bert


Re: [Pdns-users] Spoof MX records

2018-12-15 Thread bert hubert
On Sat, Dec 15, 2018 at 09:42:21AM +0100, Bit World Computing - Michael Mertel wrote:
> Hi Aleksandr,
> 
> I'm somewhat lost, I'm able to set a rule to have the Lua function called 
> for MX requests, but how do I return a response? Spoof is just for 
> A-records, but not for MX.
> addLuaAction(QTypeRule(dnsdist.MX), luarule)

Hi Michael,

As far as I know, dnsdist can't generate MX records, so you'll have to do
this in the PowerDNS Recursor. Sorry!

In the Recursor it is not very hard to do though, use postResolve to
override all MX records you see in responses.

This makes sure you don't invent MX records for domains that don't have
them.

Also be aware that if there is no MX record for a domain, a mail server
might decide to send email directly to the A record.

Good luck!

Bert


Re: [Pdns-users] PDNS and Isilon Smartconnect Delegation

2018-12-13 Thread bert hubert
On Thu, Dec 13, 2018 at 02:17:23PM -0500, Ian Easter wrote:
> Recently switched from BIND9.7.3 to PowerDNS and working through some
> adjustments.
> 
> We previously followed the guidelines for DNS based on the documentation:
> https://www.emc.com/collateral/hardware/white-papers/h8316-wp-smartconnect.pdf
> and everything worked without issue.

Hi Ian,

We happen to have a quorum of people with Isilon expertise present on our
IRC channel right now. Could you drop by? 
https://www.powerdns.com/opensource.html
has a link to a web client.

Thanks!


Re: [Pdns-users] Unable to resolve domain when using DO and not AD

2018-12-12 Thread bert hubert
On Wed, Dec 12, 2018 at 05:59:20PM +0100, Luca Lesinigo wrote:
> Right now I am refraining to disclose the domain because I don’t know if
> this behavior could disclose a software/version/configuration with some
> kind of known vulnerability.

Sadly, that is where we stop reading about your problem.

Please see 
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

Sorry!

Bert



Re: [Pdns-users] How to understand cause of rejected notify

2018-12-01 Thread bert hubert
On Sat, Dec 01, 2018 at 08:37:16PM +, MRob wrote:
> As I have had no luck to understand why supermaster only create entry in
> Received NOTIFY for example.com from 1.1.1.1:2101 for which we are not
> authoritative (Refused)
> 
> Received unsuccessful notification report for 'example.com' from 2.2.2.2:53,
> error: Query Refused

Hi "MRob",

We can do nothing with example.com and 1.1.1.1. Please see 
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

All supermaster problems I know of can be resolved by checking the
checklist:

https://doc.powerdns.com/authoritative/modes-of-operation.html?highlight=supermaster#supermaster-automatic-provisioning-of-slaves

If that doesn't work, please share real domain names & IP addresses and a
pcap of a notification that does not lead to a zonetransfer.

Bert


Re: [Pdns-users] recursor: no reverse lookups

2018-11-18 Thread bert hubert
On Sun, Nov 18, 2018 at 04:10:52PM +0100, bert hubert wrote:
> On Sun, Nov 18, 2018 at 03:00:53PM +, Sig Pam wrote:
> > [root@hallo ~]# nslookup - 192.168.94.66
> > 
> > > set port=53
> > 
> > > 192.168.94.66

Ok, I see it now, try adding: serve-rfc1918=off
What you are seeing is that the powerdns recursor is answering your
192.168.in-addr.arpa queries itself.

Bert


Re: [Pdns-users] recursor: no reverse lookups

2018-11-18 Thread bert hubert
On Sun, Nov 18, 2018 at 03:00:53PM +, Sig Pam wrote:
> [root@hallo ~]# nslookup - 192.168.94.66
> 
> > set port=53
> 
> > 192.168.94.66

Hi Sig,

Before delving deeper into this, can you try:

dig -x 192.168.94.66 @yourips ?

We never know what nslookup sends out, so it is hard to debug through that.

Bert


Re: [Pdns-users] Two sqlite backends, only one getting queried

2018-10-17 Thread bert hubert
On Wed, Oct 17, 2018 at 01:52:19PM +0200, LordEidi wrote:
> PowerDNS starts and runs without an error. But when queried I only get
> answers to records which are in the first sqlite DB. The content of the
> second DB is completely ignored. No error in the logs. There is also no zone
> info when using the cli tool to check the status of pdns.

Can you show your configuration, without editing?

Additionally, check if you have a . SOA in your first database. Once
PowerDNS finds an applicable SOA in a database, it will not study secondary
ones.

> Any hints what's the problem? Is the Debian package somewhat old and this is
> a known bug which was fixed in a newer PowerDNS version? Or is there some
> trick when using multiple sqlite backends?

We have done some work to make it better. https://repo.powerdns.com has
packages you can use to test.

In general, it will work as long as there is no overlap in zones between the
two backends.

Bert
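
The shadowing rule described in this reply (an applicable SOA in an earlier backend stops the search), turned into a pre-flight check over several backends. This is an added example, not part of the original post and not PowerDNS code; the simplified `records` table, the backend labels and the zone names are constructed, and treating a root SOA stored as `.` as the root zone is an assumption.

```python
import sqlite3

# Constructed SOA content; only the owner name matters for this check.
SOA = "ns1.example.net. hostmaster.example.net. 1 10800 3600 604800 3600"


def make_backend(zone_names):
    """Build an in-memory stand-in for one sqlite backend (constructed data).

    Assumption: a simplified `records` table with name/type/content columns.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (name TEXT, type TEXT, content TEXT)")
    db.executemany("INSERT INTO records VALUES (?, 'SOA', ?)",
                   [(name, SOA) for name in zone_names])
    return db


def normalize(name):
    """Lower-case and drop the trailing dot; the root zone becomes ''."""
    return name.strip().lower().rstrip(".")


def soa_owners(db):
    """Return the sorted, normalized owner names of all SOA records."""
    rows = db.execute("SELECT name FROM records WHERE type = 'SOA'")
    return sorted({normalize(row[0]) for row in rows})


def covers(zone, name):
    """True if `zone` equals `name` or is an ancestor of it."""
    return zone == "" or name == zone or name.endswith("." + zone)


def find_shadowed(backends):
    """backends: list of (label, db) in the order they are launched.

    Returns (later_label, zone, earlier_label, covering_zone) for every zone
    that an earlier backend already claims with an equal or ancestor SOA.
    """
    findings, earlier = [], []
    for label, db in backends:
        zones = soa_owners(db)
        for zone in zones:
            for e_label, e_zone in earlier:
                if covers(e_zone, zone):
                    findings.append((label, zone or ".", e_label, e_zone or "."))
        # Zones inside one backend never shadow each other in this check.
        earlier.extend((label, zone) for zone in zones)
    return findings


def sample_backends():
    """Two constructed backends: the first carries a root SOA."""
    first = make_backend([".", "Example.ORG."])
    second = make_backend(["example.com", "lab.example.org"])
    return [("first.sqlite", first), ("second.sqlite", second)]


if __name__ == "__main__":
    for later, zone, early, cover in find_shadowed(sample_backends()):
        print(f"{later}: zone {zone} is shadowed by SOA {cover} in {early}")
```

An empty result means no earlier backend holds an SOA at or above any zone of a later backend.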


Re: [Pdns-users] recursor 4.0.4 and SERVFAIL

2018-09-08 Thread bert hubert
Dear mr "Bits of Info G" (is it ok if I call you that? you do realise it is
somewhat rude to show up with an obvious fake name?)

Can you share your trace-regex setting please?  How did you set it, with
rec_control?  Can you also check your loglevel, these traces are logged at
Warning level.

Bert

On Fri, Sep 07, 2018 at 06:10:54PM -0600, bitsofinfo wrote:
> Hi,
> 
> Running pdns-recursor 4.0.4
> 
> In the web interface UI we see many "Servfail Domain" entries listed
> with counts
> 
> For some of these names/domains we have set trace-regex from the command
> line.
> 
> The issue is that we can find nothing in the logs showing any SERVFAIL
> errors, but only successful cache hits and lookups yet this number
> increments.
> 
> How can we get to the bottom of this or see the reasons and debug
> information that is generating these SERVFAILs?
> 
> thanks
> 


Re: [Pdns-users] PowerDNS resource usage

2018-07-27 Thread bert hubert
On Thu, Jul 26, 2018 at 03:51:32PM -0600, George wrote:
> I am going to host DNS for 2000+ domains on one PowerDNS master server and
> 3 slaves. They all will run mysql server as backend. Can you please tell me
> how many server resources(CPU, RAM) would be good for such a setup and what
> if any suggestions there are for optimizing the setup?

For most real life scenarios, a Raspberry Pi would fit your needs with 2000
"typical" domain names.

The biggest determinant in performance is if your database can fit
everything in RAM and is happy with the amount of records. Below a few
million records, "this always works".

People often get very disappointing results with databases hosted far away
on overprovisioned cheap virtual servers, try not to do that.

Good luck!

Bert


Re: [Pdns-users] Override NXDOMAIN with A reply

2018-07-25 Thread bert hubert
On Wed, Jul 25, 2018 at 10:41:09AM +0200, Kevin Olbrich wrote:
> I set up two dnsdist instances against an internal authoritative DNS.
> To better support our users, I would like to install an intranet site which
> explains why a website is not available (most likely typo).

Hi Kevin - we have a dedicated dnsdist list, but I think we can spare one
reply here.

> Is it possible to override NXDOMAIN with an A reply?

You could achieve this easily with a wildcard record on your auth server,
perhaps that is easier?

If that is not possible, you could try something like:

https://dnsdist.org/rules-actions.html?highlight=responseaction#addResponseAction

addResponseAction(RCodeRule(dnsdist.NXDOMAIN), SpoofAction("1.2.3.4", "::1"))

I have not tried this and it may not work - SpoofAction might in fact only
work when it receives queries. Can you try and let us know? (on the dnsdist
list).

Thanks!

Bert


Re: [Pdns-users] Powerdns life cycle

2018-07-25 Thread bert hubert
On Wed, Jul 25, 2018 at 08:39:11AM +, Diego Bellini wrote:
> I have tried to have  a look at the website 
> www.powerdns.com but I couldn't find the information 
> I needed
> More or less last year I installed powerdns authoritative server 4.05
> I was wondering till when it will receive security patches

Details on our 'end of life' policy can be found here:

https://doc.powerdns.com/authoritative/appendices/EOL.html

For now it says:

"PowerDNS Authoritative Server 4.0 will only receive correctness, stability and 
security updates.

PowerDNS Authoritative Server 3.x and 2.x are end of life, and will not receive 
any updates, not even security
fixes."

We are unable to provide any guarantees how long we'll take care of 4.0,
unless you are a commercially supported user when we make binding promises
to you.

Bert



Re: [Pdns-users] Performance issues

2018-07-24 Thread bert hubert
On Tue, Jul 24, 2018 at 02:22:08PM +0200, Martijn Reening wrote:
> We are running PowerDNS 4.1.3 and have tested against MySQL 5.1.73 and
> PostgreSQL 10.4. It runs on CentOS 6.9, tested with both kernel versions
> `2.6.32-696.20.1.el6.x86_64` and `4.15.13-x86_64-linode106`.
Thanks!

>1.32192 millisecond/lookup
>Retrieved 31554 records, did 1 queries which should have no match
>Packet cache reports: 0 hits (should be 0) and 0 misses

You do around 441 DNS queries/second. A single database connection would
therefore not be able to support your needs (given DNSSEC).

Can you enable graphs as described on 
https://blog.powerdns.com/2014/12/11/powerdns-graphing-as-a-service/
? This will allow us to see what is going on.

>99.43% of questions answered within 32.00 msec (3.52%)
>99.52% of questions answered within 64.00 msec (0.09%)
>99.65% of questions answered within 256.00 msec (0.12%)
>99.86% of questions answered within 1024.00 msec (0.21%)

So when it works, it is great, it appears.

dnsgram may also have written a file for you with dropped queries, can you
check if anything shows up there?

Bert


Re: [Pdns-users] Performance issues

2018-07-24 Thread bert hubert
On Tue, Jul 24, 2018 at 01:54:53PM +0200, Martijn Reening wrote:
> We have run out of ideas where to look and what to tune. Perhaps anyone
> here could help us further?

Could you tell us what database you run, what version of PowerDNS, what the
output is of 'pdnsutil bench-db', what operating system? Thanks.

Also, can you start running a tcpdump and feeding it through dnsscope and
dnsgram?

Also some sample domain names we can query would be nice, maybe we can see a
pattern.

Thanks.


Bert


Re: [Pdns-users] PDNS Authoritative Server DDOS Protection

2018-07-17 Thread bert hubert
On Tue, Jul 17, 2018 at 03:24:22PM +0430, Hamed Haghshenas wrote:
> Could you please let me know how handle these large DDOS attacks?

Hi Hamed,

Please take a look at 
https://dnsdist.org/guides/dynblocks.html#dynblockrulesgroup

This is specifically meant for the case of many different IP addresses
attacking you.

Good luck!



Re: [Pdns-users] Notify Error

2018-07-17 Thread bert hubert
On Mon, Jul 16, 2018 at 03:50:16PM -0700, shaolin wrote:
> I've recently set up a new pdns master server and I am trying to notify to
> a third party.
> 
> I am queueing up a test notify and it queues fine but results in this error
> 
> Jul  2 16:12:49  pdns[55361]: Received unsuccessful notification
> report for '' from :53, error: Not Implemented

This is a report from your slave server that it has not implemented
notifications.

> Is it something not implemented on my side or the receiver?

Receiver.

Bert


Re: [Pdns-users] PDNS Authoritative Server DDOS Protection

2018-07-07 Thread bert hubert
On Sat, Jul 07, 2018 at 03:49:16PM +0430, Hamed Haghshenas wrote:
> I'm using PDNS Authoritative Server 4.1.3, today I see my server not
> response and error or timeout on resolves .

Hi Hamed,

What you can best do is install dnsdist and put it in front of your
authoritative servers.

Try this dnsdist.conf, assuming your auth server will listen on 127.0.0.1
and your current auth server IP is 1.2.3.4:

newServer("127.0.0.1")
setLocal("1.2.3.4")
addAction(MaxQPSIPRule(10), DropAction())

This restricts each individual IP address to 10 queries per second. I also
recommend you setup the internal webserver which will give you a good feel
for what is going on, https://dnsdist.org/guides/webserver.html

If you don't want to drop, you can also shift traffic to TCP which stops
most attacks:

addAction(AndRule({TCPRule(false), MaxQPSIPRule(10)}), TCAction())

If this is not enough, you could use the EBPF kernel based limits as
described in https://dnsdist.org/advanced/ebpf.html

This allows you to filter like 20gbit/s of unwanted traffic if need be, but
it does require a recent kernel.

Good luck!

> When check the server see to many DNS requests from some IPs from Brazil
> like DDOS attack. To fix errors and timeouts, I block the attacker subnet in
> my firewall .
>
> Now could you please let me know how protect my server from DOS and DDOS
> attacks ?
>
> Best Regards,
>
> Hamed Haghshenas



Re: [Pdns-users] PDNS inconsistent behavior for SOA record

2018-06-05 Thread bert hubert
On Tue, Jun 05, 2018 at 08:57:32AM -0700, Anthony fajri wrote:
> Hi Expert,
> we are using PDNS for our 3GPP DNS Server.
> we are using PDNS 2.9.22.6 on Centos 5.

Hello Anthony,

We do support 2.9.22 in any way anymore. Please attempt to reproduce your
problem with Authoritative Server 4.1 and we can look into your problem.

Bert


Re: [Pdns-users] (no subject)

2018-05-17 Thread bert hubert
On Thu, May 17, 2018 at 05:34:42AM +, Mohamad F. Barham wrote:
> > I have installed pdns-recursor on a centos machine, I'm trying to resolve
> > ramallah-gis.ps , some times it can get the  A record and most of the time 
> > returns
> > ServFAIL .

Hi - I can't reproduce this problem here. Which version of PowerDNS are you
on?

while true; do rec_control wipe-cache ramallah-gis.ps ; dig -t any ramallah-gis.ps @127.0.0.1 -p 5300; done

This is always able to resolve ramallah-gis.ps for me.

Can you show your trace log if you are on a supported version (4.1), then we
can take a far better look.

Thanks!

Bert


Re: [Pdns-users] SOA record not resolved for my domains

2018-04-29 Thread bert hubert
On Sun, Apr 29, 2018 at 02:50:59PM +0430, Hamed Haghshenas wrote:
> I found the problem, it’s related to use wrong Schema, I update my
> database tables with Default Schema get from
> https://doc.powerdns.com/authoritative/backends/generic-mysql.html and fix
> the problem .

Thank you!

It is always appreciated when people report back what the problem was & this
helps people finding these posts via search engines too.

Bert


Re: [Pdns-users] SOA record not resolved for my domains

2018-04-26 Thread bert hubert
On Thu, Apr 26, 2018 at 10:42:00AM +0430, Hamed Haghshenas wrote:
> My domain is web45.ir and the nameservers are ns1.web45.ir and ns2.web45.ir

Ok, these do answer correctly, except for the SOA. Can you run pdnsutil
check-zone web45.ir?

It seems something is specifically wrong with the SOA record.

Bert


Re: [Pdns-users] rec_control dump-cache not dumping to file

2018-04-24 Thread bert hubert
On Tue, Apr 24, 2018 at 07:37:11PM +, Eric Raymond wrote:
> I have found this to be not working in 4.1.X releases, and haven't tried in
> any other branch.
> Perhaps I am misunderstanding the command, but it appears to do nothing
> 
> # rec_control dump-cache /tmp/cache-dump
> dumped 1970 records

Thank you for your detailed reporting! You are likely running into a systemd
feature called private tmp. Your dump is somewhere in /var/run, which is the
private tmp directory for the recursor process.

https://www.freedesktop.org/software/systemd/man/systemd.exec.html has
details.

Good luck!

Bert


[Pdns-users] Announcing: Lua records, GSLB

2018-04-24 Thread bert hubert
Hi everyone,

Yesterday we merged the new "LUA Records", and they have now appeared in the
master builds you can apt-get or yum from https://repo.powerdns.com (or find
the tarballs, https://builder.powerdns.com )

Here is the first part of the blogpost:

"While PowerDNS ships with a powerful geographical backend (geoip), there
 was a demand for more broader solutions that include uptime monitoring,
 which in addition could run from existing zones.

 After several trials, we have settled on “LUA” resource records, which look 
like this:

 @   IN   LUA   A   "ifportup(443, {'52.48.64.3', '45.55.10.200'})"

 When inserted in a zone with LUA records enabled, any lookups for your
 domain name will now return one of the listed IP addresses that listens on
 port 443.  If one is down, only the other gets returned.  If both are down,
 both get returned.

 But if both are up, wouldn’t it be great if we could return the ‘best’ IP 
address for that client? Say no more:

 @IN   LUA A ( "ifportup(443, {'52.48.64.3', '45.55.10.200'}, "
  "{selector='closest'})  ")"


https://blog.powerdns.com/2017/12/15/powerdns-authoritative-lua-records/ has
this and more details.  Documentation is on
https://doc.powerdns.com/authoritative/lua-records.html

This feature is already in production in some big places, so the API is
stable. However, if you find things you need that are missing, or have
problems, now is the time to let us know!

Bert


Re: [Pdns-users] GLSB with Health Check Mechanism

2018-04-24 Thread bert hubert
On Tue, Apr 24, 2018 at 02:22:04PM +0430, Hamed Haghshenas wrote:
> Hello Dears,

Hi! 

> Now I want add health check, for Example, before redirect 185.131.128.0/18
> requests to I.J.K.L check the health of I.J.K.L
> 
> With ping, http or . and if is OK redirect to I.J.K.L else redirect to
> default A.B.C.D .


If you want to do that, I recommend that you take a look at 
https://blog.powerdns.com/2017/12/15/powerdns-authoritative-lua-records/

We merged this into PowerDNS yesterday and it does exactly what you want.

Good luck!

Bert


Re: [Pdns-users] How to make Policy.NODATA response in policy zone?

2018-04-16 Thread bert hubert
On Mon, Apr 16, 2018 at 11:48:43AM +, MRob wrote:
> RPZ docs are here
> https://doc.powerdns.com/recursor/lua-config/rpz.html
> 
> With no information how to make the policy responses in the zone file. I had

If you read the very first line of that link, it tells you this is an
implementation of "RPZ, an open standard developed by Paul Vixie (ISC and
Farsight) and Vernon Schryver (Rhyolite), to modify DNS responses based on a
policy loaded via a zonefile"

Perhaps read up about RPZ? And stop blaming us? This would point you at 
https://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt

> to spend plenty of time wandering around your docs until I find this
> examples:

A full refund is available. Or contribute some better documentation?

(this is the final reply)

Bert


Re: [Pdns-users] How to make Policy.NODATA response in policy zone?

2018-04-16 Thread bert hubert
On Mon, Apr 16, 2018 at 11:33:17AM +, MRob wrote:
> I can make NXDOMAIN applied policy for a domain in policy zone with this:
> example.com CNAME .
> 
> But how to cause NODATA response?

Hello "MRob",

We recommend that you read the documentation we wrote for you on 
https://doc.powerdns.com/recursor/lua-scripting/index.html

It is pretty nice. 

You have made us explain a lot of stuff already, so now please head to the
documentation and figure it out yourself as we do not have the bandwidth to
hold your hand.

Bert


Re: [Pdns-users] DDNS with ClientSubnet(EDNS) not working

2018-03-18 Thread bert hubert
Dear mr "SpamSpamsdasda",

Please email this list again when you've at least made a token effort to
take us seriously.

I do not appreciate it when people require anonymous help and blatantly
disregard that there are real human beings here trying to help, but you do
not even give them the courtesy of making up a credible fake name.

Bert


Re: [Pdns-users] PowerDNS recursor stripping AA bit from forwarded responses

2018-02-22 Thread bert hubert
On Thu, Feb 22, 2018 at 03:32:31PM -0800, Julian Mehnle wrote:
> If I set it up this way, all the responses coming back to the recursor are
> having their AA bits stripped (set to 0) (presumably by this code
> 
> when forwarded back to the client.  Is this intentional?  Would it make
> sense to leave the AA bit alone when forwarding back authoritative
> responses?  If not, why not?

Julian,

Resolvers rarely if ever send out AA=1 answers. If you literally want to
forward packets, dnsdist may be a better choice. 

Is the current behaviour causing you problems? If so can you tell us about
those problems?

Thanks.

Bert


Re: [Pdns-users] Recursor ask zones first to authoritative server

2018-02-20 Thread bert hubert
On Tue, Feb 20, 2018 at 11:19:39AM +0100, Davide Panarese wrote:
> i have a lot of local zones into my Authoritative server that are not
> published on the internet and it’s a big deal to specify all of them to
> recursor.conf  (forward-zone parameter), because we add local domains
> every days.

You can load the forwarded zones from an external file (forward-zones-file). 
You can reload that list with rec_control reload-zones, without restarting
the nameserver.  I really suggest you do that.

All other solutions are painful.

> What i would have is that Recursor/DNSdist ask before to Authoritative
> server to check if there is the asked domain and, if not, ask to internet
> dns root servers.

And what if a packet is dropped? Ask the rootservers anyhow? The best way
really is to provision that list of zones.

Bert


[Pdns-users] New (in PowerDNS): ipcipher

2018-02-18 Thread bert hubert
Hi everyone,

tl;dr - today (Sunday) at 17:40 CET / 08:40 PST you can watch me present
about 'ipcipher', a method for encrypting IP addresses to enhance user
privacy, at the NDSS DNS Privacy Workshop through:
https://www.ndss-symposium.org/dns-privacy-workshop-programme/
We'd love to hear your thoughts.

Longer story:

PowerDNS has long included the 'dnswasher' tool which strips customer IP
addresses from PCAP files. The idea is that this allows operators to send us
traces we can analyse, without us seeing actual IP addresses.

A problem with 'dnswasher' however was that translating back to original IP
addresses was very hard. So let's say we did find what (stub) resolver was
causing problems, it was quite a puzzle for the owner of the data to find
out who that actually was.

In May 2017, we wrote about a solution for this problem here
https://medium.com/@bert.hubert/on-ip-address-encryption-security-analysis-with-respect-for-privacy-dabe1201b476
In short, this detailed how one can encrypt and decrypt IP addresses.

Later we found out there was more involved into how to do this correctly. We
also learned that the new EU GDPR privacy regulations specifically recommend
'pseudonymizing' user data this way before analysis. 

A subsequent specific customer request spurred the writing of the 'ipcipher'
specification which allows for interoperable encryption of IP addresses.
This specification can be found on https://powerdns.org/ipcipher/

This code has also been added to 'dnswasher', which can now be run like
this:

$ dnswasher -p "supersecret2018" in.pcap encrypted.pcap
$ dnswasher -d -p "supersecret2018" encrypted.pcap decrypted.pcap

This will reconstruct 'decrypted.pcap' which is identical to 'in.pcap'. 

I will present about 'ipcipher' today (Sunday) at 08:40 PST / 17:40 CET to
the NDSS DNS Privacy Workshop Programme, you can view this live on:
https://www.ndss-symposium.org/dns-privacy-workshop-programme/

Your comments are more than welcome!

Bert
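
What reversible, passphrase-keyed IP address encryption looks like for IPv4 log data, as an added example that is not part of the original post and not PowerDNS code. It implements the 4-byte ipcrypt cipher; that ipcipher uses it with these PBKDF2 parameters (SHA-1, salt `ipcipheripcipher`, 50000 iterations) is an assumption to check against the specification linked above, and the log lines and function names are constructed.

```python
import hashlib
import ipaddress
import re


def derive_key(passphrase):
    """Passphrase -> 16-byte key (assumed ipcipher parameters, see lead-in)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               b"ipcipheripcipher", 50000, 16)


def _rotl(b, r):
    """Rotate an 8-bit value left by r bits."""
    return ((b << r) & 0xFF) | (b >> (8 - r))


def _fwd(s):
    """One forward round of the ipcrypt permutation on four bytes."""
    b0, b1, b2, b3 = s
    b0 = (b0 + b1) & 0xFF
    b2 = (b2 + b3) & 0xFF
    b1 = _rotl(b1, 2) ^ b0
    b3 = _rotl(b3, 5) ^ b2
    b0 = (_rotl(b0, 4) + b3) & 0xFF
    b2 = (b2 + b1) & 0xFF
    b1 = _rotl(b1, 3) ^ b2
    b3 = _rotl(b3, 7) ^ b0
    b2 = _rotl(b2, 4)
    return [b0, b1, b2, b3]


def _bwd(s):
    """Exact inverse of _fwd: the same steps undone in reverse order."""
    b0, b1, b2, b3 = s
    b2 = _rotl(b2, 4)
    b1 = _rotl(b1 ^ b2, 5)
    b3 = _rotl(b3 ^ b0, 1)
    b0 = _rotl((b0 - b3) & 0xFF, 4)
    b2 = (b2 - b1) & 0xFF
    b1 = _rotl(b1 ^ b0, 6)
    b3 = _rotl(b3 ^ b2, 3)
    b0 = (b0 - b1) & 0xFF
    b2 = (b2 - b3) & 0xFF
    return [b0, b1, b2, b3]


def _xor(state, k):
    return [s ^ b for s, b in zip(state, k)]


def encrypt_ipv4(key, ip):
    """Map one IPv4 address to another; a permutation of the address space."""
    if len(key) != 16:
        raise ValueError("key must be 16 bytes")
    state = _xor(list(ipaddress.IPv4Address(ip).packed), key[0:4])
    for i in (4, 8, 12):
        state = _xor(_fwd(state), key[i:i + 4])
    return str(ipaddress.IPv4Address(bytes(state)))


def decrypt_ipv4(key, ip):
    """Recover the original address from its pseudonym with the same key."""
    if len(key) != 16:
        raise ValueError("key must be 16 bytes")
    state = list(ipaddress.IPv4Address(ip).packed)
    for i in (12, 8, 4):
        state = _bwd(_xor(state, key[i:i + 4]))
    return str(ipaddress.IPv4Address(bytes(_xor(state, key[0:4]))))


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def transform_lines(lines, key, func=encrypt_ipv4):
    """Apply func to every valid IPv4 address found in the given lines."""
    def swap(match):
        try:
            return func(key, match.group(0))
        except ipaddress.AddressValueError:
            return match.group(0)  # not an address (e.g. 999.1.1.1): keep
    return [_IPV4.sub(swap, line) for line in lines]


# Constructed query-log lines; the addresses are documentation ranges.
SAMPLE_LOG = [
    "2018-02-18T08:40:01Z query from 192.0.2.10 for www.example.com A",
    "2018-02-18T08:40:02Z query from 198.51.100.7 for example.org MX",
    "2018-02-18T08:40:03Z query from 192.0.2.10 for www.example.com AAAA",
]

if __name__ == "__main__":
    key = derive_key("supersecret2018")
    washed = transform_lines(SAMPLE_LOG, key)
    print("\n".join(washed))
    print("\n".join(transform_lines(washed, key, decrypt_ipv4)))
```

The same client keeps the same pseudonym across lines, so per-client analysis still works on the washed data, while only the holder of the passphrase can map a pseudonym back.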


Re: [Pdns-users] Delegation of subdomain

2018-02-07 Thread bert hubert
Hi Jakob,

We no longer support the 'recursor=' setting because it is very tricky.

You may want to read 
https://doc.powerdns.com/authoritative/guides/recursion.html
which offers help on how to achieve your goals in other ways.

Good luck!

Bert

On Wed, Feb 07, 2018 at 11:54:13AM +0100, Jakob Lenfers wrote:
> Hi,
> 
> I'm trying to delegate a subdomain to another DNS server, in my case a
> samba4 AD. My pdns runs as authoritative server on  0.0.0.0:53, the
> recursor runs on 127.0.0.1:5300 and is included via
> 'recursor=127.0.0.1:5300' in pdns' config.
> 
> I have the following entries set:
> | bss.example.com. 3600 IN  NS  barva.example.com.
> | barva.example.com. 3600 IN A  10.20.30.40
> 
> And in the recursor config I've set:
> "forward-zones=bss.example.com=10.20.30.40"
> 
> But only when I query the recursor directly (example below), I'm getting
> the expected answer. When I query the master on :53, I only get a
> pointer to the new authoritative NS.
> 
> | # dig -t SRV _gc._tcp.bss.example.com @localhost
> |
> | ; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t SRV _gc._tcp.bss.example.com
> @localhost
> | ;; global options: +cmd
> | ;; Got answer:
> | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49362
> | ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
> | ;; WARNING: recursion requested but not available
> |
> | ;; OPT PSEUDOSECTION:
> | ; EDNS: version: 0, flags:; udp: 1680
> | ;; QUESTION SECTION:
> | ;_gc._tcp.bss.example.com.IN SRV
> |
> | ;; AUTHORITY SECTION:
> | bss.example.com. 3600 IN  NS  barva.example.com.
> |
> | ;; ADDITIONAL SECTION:
> | barva.example.com. 3600 IN A  10.20.30.40
> 
> 
> | # dig -p 5300 -t SRV _gc._tcp.bss.example.com @localhost
> | ; <<>> DiG 9.10.3-P4-Ubuntu <<>> -p 5300 -t SRV _gc._tcp.bss.example.com @localhost
> | ;; global options: +cmd
> | ;; Got answer:
> | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43772
> | ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> |
> | ;; OPT PSEUDOSECTION:
> | ; EDNS: version: 0, flags:; udp: 4096
> | ;; QUESTION SECTION:
> | ;_gc._tcp.bss.example.com.IN SRV
> |
> | ;; ANSWER SECTION:
> | _gc._tcp.bss.example.com. 26 IN SRV 0 100 3268 barva.bss.example.com.
> 
> Any ideas how to solve this?
> 
> Thanks in advance,
> Jakob


Re: [Pdns-users] RE ignoring non-query opcode 6

2018-02-07 Thread bert hubert
On Tue, Feb 06, 2018 at 07:37:16PM -0800, Jake Hansen wrote:
> Hello kind gents,

Hello Jake!  We have women here too, by the way!  I think so, at least.

> Someone turned me on to pdns_recursor and I'm trying to deploy it.  I have
> a pair of A-10 Load balancers front ending and now the logs are spamming
> 
> Ignoring non-query opcode 6 from xx.xx.xx.xx on server socket!

I checked, we indeed log this unconditionally, which is a bit sad.

> I was googling around and found that sometime ago, a patch was added to
> drop non zero opcodes.  I suspect that the opcodes are some sort of keep
> alive check by the load balancers.  Should I be worried about this?

Well, I think you should be worried that your A-10 is somehow sending
nonsense DNS packets to check liveness. Opcode 6 is not defined. 
https://www.iana.org/assignments/dns-parameters/dns-parameters.xml#dns-parameters-5

We'll make sure you can mute this warning with 'log-common-errors=no' in the
future.

For now, if this warning upsets you, you may want to ponder either putting
dnsdist in front of your recursor to filter out opcode=6 queries, or (and
this is likely better), replace the whole A-10 load balancer with dnsdist.

Sorry we can't be more helpful, I checked, no one knows why the A-10 is
sending queries with this opcode, or how you can stop it. Might want to ask
A-10.

Bert

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
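The opcode check discussed in the message above, as an added example that is not part of the original post and is not PowerDNS code: it reads the 4-bit opcode from the DNS header and tallies non-query packets per source, which is how you would confirm from a capture that the noise comes from the load balancer's health checks. The packets, source addresses and verdict names are constructed for illustration.

```python
import struct
from collections import Counter

# Fixed 12-byte DNS header: id, flags, qdcount, ancount, nscount, arcount.
HEADER = struct.Struct("!HHHHHH")


def parse_header(packet: bytes):
    """Return the header fields needed for triage, or None if truncated."""
    if len(packet) < HEADER.size:
        return None
    msg_id, flags, qdcount, _an, _ns, _ar = HEADER.unpack_from(packet)
    return {
        "id": msg_id,
        "qr": (flags >> 15) & 0x1,      # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 4-bit field; 0 is a standard QUERY
        "rd": (flags >> 8) & 0x1,
        "qdcount": qdcount,
    }


def classify(packet: bytes) -> str:
    """Verdicts are this example's own labels, not recursor output."""
    hdr = parse_header(packet)
    if hdr is None:
        return "drop-short"
    if hdr["qr"]:
        return "drop-response"
    if hdr["opcode"] != 0:
        return "ignore-opcode"
    return "process"


def make_packet(msg_id=0x1234, opcode=0, qr=0, rd=1, qname=b""):
    """Build a constructed test packet; a question is added only if qname is set."""
    flags = (qr << 15) | (opcode << 11) | (rd << 8)
    question = b""
    if qname:
        labels = b"".join(bytes([len(l)]) + l for l in qname.split(b"."))
        question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # type A, class IN
    return HEADER.pack(msg_id, flags, 1 if qname else 0, 0, 0, 0) + question


def summarise(samples):
    """Count packets per (source, verdict, opcode)."""
    tally = Counter()
    for src, packet in samples:
        hdr = parse_header(packet)
        opcode = hdr["opcode"] if hdr else None
        tally[(src, classify(packet), opcode)] += 1
    return tally


# Constructed capture: (source address, UDP payload). Documentation-range IPs.
SAMPLES = [
    ("192.0.2.10", make_packet(msg_id=1, opcode=6, rd=0)),   # health check
    ("198.51.100.7", make_packet(msg_id=2, qname=b"example.com")),
    ("192.0.2.10", make_packet(msg_id=3, opcode=6, rd=0)),
    ("203.0.113.5", b"\x00\x01\x02"),                         # truncated
    ("192.0.2.10", make_packet(msg_id=4, opcode=6, rd=0)),
]

if __name__ == "__main__":
    for (src, verdict, opcode), n in sorted(summarise(SAMPLES).items(), key=str):
        print(f"{src:15} {verdict:14} opcode={opcode} count={n}")
```

A single source producing every non-zero-opcode packet at a steady interval points at a health checker rather than hostile traffic.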


[Pdns-users] PowerDNS at FOSDEM this weekend!

2018-02-02 Thread bert hubert
Hi everyone,

PowerDNS is present in force at FOSDEM tomorrow and Sunday!

Peter van Dijk, Pieter Lexis, Andrea Tosatto and me of the PowerDNS company
are there, plus certified consultants Chris Hofstaedtler & Kees Monshouwer.
We've also heard from many other users they will be attending.

On Sunday you can find us in the DNS Room, 
https://fosdem.org/2018/schedule/track/dns/
where you can enjoy presentations from CZ.NIC, ISC, NLNetLabs, AFNIC, DENIC
& others.

As a reminder, FOSDEM is a free event and there is no need to register, so
you can still decide to come to Brussels! See https://fosdem.org/ for
details.

We hope to see you there!

Bert



Re: [Pdns-users] Intermittent recursion failure due to timeout

2018-01-23 Thread bert hubert
Hi Brian,

On Tue, Jan 23, 2018 at 02:00:58PM -0700, Brian T wrote:
> My recursor config has 'network-timeout' set to 5500ms (instead of the
> default 1500ms), so I can understand the "timeout resolving after
> 5535.35msec" message, but I was surprised by the timestamps of the messages
> all being the same.  Are these messages flushed to syslog all at once or is
> the timeout really happening immediately?

This is exactly why we note the 'observed' time passed in the log line. 
When running with trace=servfail, we indeed buffer the log with one single
timestamp.

> leading up to the timeout that look suspicious?  This has been happening
> about 10-15 times per day and started happening on Jan 18th.  I see similar
> timeouts to 3 other sites, but this one most frequently.

91.189.95.68 is the host causing timeouts.  It answers very reliably for me
from here, but it is close to me (London).  It may be that this address
isn't very well served to you somehow.

> Lastly, is there any way to retry here?  I'd rather lower the network
> timeout and attempt a retry if possible.

"Jan 23 05:47:55 n422 pdns_recursor[8739]: [414333] nova.clouds.archive.ubuntu.com: Cache consultations done, have 1 NS to contact"

Usually domains have at least two nameservers.  That generates two attempts,
which should really be enough.

For domains with only a single nameserver with a single IP address, we might
indeed consider trying twice. But there is no way to make that happen right
now from the configuration.

For now, I think you are mostly observing a somewhat unreliably hosted
domain name. 

Bert


[Pdns-users] PowerDNS is looking for a contractor for work in the UK

2018-01-12 Thread bert hubert
Hi everyone,

PowerDNS is urgently looking for a contractor!

This is not a direct PowerDNS vacancy, but it does involve working with the
PowerDNS team.  A large scale PowerDNS user based in the UK (England, but
not in London) is looking for a contractor to help with a major DNS rollout
project.  PowerDNS is helping recruit that contractor from its network.  We
will also help on-board the candidate to the project.

This project is expected to run for 6 to 9 months.  Frequent and regular
on-site presence is required, but work can partially be performed remotely. 
Daily rate is attractive and competitive.

We are looking for someone with:

 * Legal ability to work as a contractor in the UK (England, but not London)
 * Experience with several, but not necessarily all, of the following:
   * Linux large scale administration
   * DNS, possibly PowerDNS
   * Databases (PostgreSQL, Redis)
   * Ansible
   * Grafana
   * Migrations
   * Contracting

There is a preference for candidates with a visible open source history
(contribution to projects in the form of patches, good tickets, answering
questions). If we know you already from the PowerDNS community this is of
course extra wonderful.

If you feel you might be a fit, or if you wonder if you might be a fit,
please contact us on powerdns.care...@powerdns.com. When in doubt please
feel free to contact us!

The contracting position is also described at: 
https://www.powerdns.com/careers.html#contractor

Bert


[Pdns-users] Meltdown impact on PowerDNS/dnsdist

2018-01-06 Thread bert hubert
Hi everybody,

We have done some very tentative measurements on the Linux Meltdown
workaround & impact on DNS performance.

Based on very early measurements we see around a 10% impact in queries per
second for a UDP heavy workload. 

In addition, one large-scale user of PowerDNS Authoritative Server on
PostgreSQL suspects the performance problems they see coincided with the
rollout of Meltdown workarounds, but we're still investigating.

Finally, we did a writeup of what Meltdown and specifically Spectre actually
are, which you can find on https://ds9a.nl/articles/posts/spectre-meltdown/

We will keep you posted as we learn more!

Bert


[Pdns-users] PowerDNS End-of-Year post

2017-12-29 Thread bert hubert
HTML version with clickable links:
https://blog.powerdns.com/2017/12/29/powerdns-end-of-year-post-thank-you/

Greetings!

2017 has been a great year for PowerDNS and Open-Xchange.  In this post, we
want to thank everyone that contributed, and highlight some specific things
we are happy about.

 * HackerOne bug bounty program

After some initial problems with over-reporting of non-issues, our
experience with HackerOne is awesome right now.  We are very happy we have a
clean process for receiving and rewarding security bugs.  Various PowerDNS
security releases this year have originated as HackerOne reports.

 * Our community

PowerDNS continues to be a vibrant community.  Our IRC channel has around
240 members, our mailing lists have 1225 subscribers.  Even though we are
now tougher in enforcing our ‘support, out in the open‘ policies, we
continue to see many user queries being resolved every day, often leading to
improvements in PowerDNS.

As in earlier years, 2017 has seen huge contributions from the community,
not only in terms of small patches or constructive bug reports, but also in
the revamping of whole subsystems.  Specifically Kees Monshouwer was so
important for Authoritative Server 4.1 that we would not have been able to
do it without him.  We hope to continue as a healthy community in 2018!

 * Facebook bug bounty program

PowerDNS is an active participant in keeping the internet secure.  As part
of our work we found a potential security problem in an important Facebook
product which we reported to their bug bounty program.  The bug was
fixed quickly, and led to an award of $1500, with the option to turn that
into a $3000 charitable donation.  We have done so and supported Doctors
without Borders in their work.

 * Our Open Source DNS friends

The DNS community is tight, and it has to be: all our software has to
interoperate.  New standards are developed cooperatively and problems are
discussed together.  We love the friendly competition that we have with our
friends of CZNIC (Knot, Knot Resolver), ISC (BIND), NLNetLabs (NSD, Unbound,
libraries) and others.

To a huge extent, DNS is exclusively Open Source software, sometimes
repackaged and rebadged by commercial companies that close down that Open
Source software again.

PowerDNS is proud to be part of the open DNS community, and we are grateful
for the smooth & fun cooperation we experienced in 2017!

 * Open-Xchange

Since 2015, PowerDNS has been part of Open-Xchange, previously mostly known
for the OX AppSuite email platform.  The famous Dovecot IMAP project also
joined Open-Xchange in 2015.  The goal of these mergers was to allow us to
focus on technology, while getting the legal, sales and marketing support to
get our software out there.

In 2017 we have truly started to harvest the fruits of the merger, by
simultaneously delivering important software releases as well as satisfying
the needs of some very large new deployments.

We are very happy that PowerDNS not only survived the merger, but is now an
important part of Open-Xchange, where we contribute to the mission of
keeping the internet open.

 * Our users

Even without or before contributing code, operators can improve PowerDNS
through great bug reports.  We specifically want to thank Quad9 (a
collaboration of Packet Clearing House, IBM and the Global Cyber Alliance)
for taking a year long journey with us with dnsdist and Recursor “straight
from GitHub”.  Deployments sharing their experiences and problems with the
PowerDNS community are vital to creating quality reliable software.  Thanks!

 * Mattermost, the Open Source private Slack Alternative

As PowerDNS grows, we could no longer rely solely on IRC as our
communication channel with developers, users and customers.  Instead of
moving to a third party cloud service that admits to datamining
communications, we are very happy to host our own Mattermost instance.  And
because of PowerDNS user & contributor @42Wim, we can continue our IRC habit
with matterircd.

 * 4.1 evolution, dnsdist

In 2016 we released the 4.0 versions of the PowerDNS Authoritative Server
and Recursor.  As you may recall, the 4.0 releases represented a giant
cleanup from the decade old frameworks found in 3.x.  The 4.0 versions were
a step ahead in functionality and sometimes performance, but the true gains
of the new fresher codebase have now been realized in the 4.1 releases.

4.1 represents a big overhaul in caching (both Recursor and Authoritative)
and DNSSEC processing (mostly Recursor).  Both of these overhauls have been
tested over the year by large PowerDNS deployments, and the huge amount of
feedback has delivered a near flawless “battle tested” 4.1 release.

Specifically xs4all and two huge European incumbent operators have been
instrumental in maturing dnsdist and our 4.1-era DNSSEC and EDNS Client
Subnet implementations.

 * On to 2018!

In 2018 we hope to continue to improve our software and the state of the
internet.  See you there!

Re: [Pdns-users] Could not retrieve security status update / spamhaus.org unable to query

2017-12-29 Thread bert hubert
On Fri, Dec 29, 2017 at 12:02:13AM +0100, Sophie Loewenthal wrote:
> Hi everyone,

good morning!

> I had this message in my logs in a new installation with a new VPS provider, 
> and wonder if this is them or pdns_resolver blocking,
> Dec 28 22:42:11 mx10 pdns_recursor[7093]: Could not retrieve security status 
> update for '4.0.4-1+deb9u3.Debian' on 
> 'recursor-4.0.4-1_deb9u3.Debian.security-status.secpoll.powerdns.com', RCODE 
> = Non-Existent domain

This is a mistake by us, and we'll rectify it. We should list this version
as safe or not, apologies.

> Also, I noticed that spamhaus.org was not resolving, which was quite strange. 
> All other queries to RNSBLs work e.g spamcop.
> Dec 28 21:04:38 10 pdns_recursor[2667]: [1225] 
> 102.77.50.178.xbl.spamhaus.org: timeout resolving after 2503.31msec
> Dec 28 21:04:38 10 pdns_recursor[2667]: [1225] 
> 102.77.50.178.xbl.spamhaus.org: Trying IP 178.209.52.139:53, asking 
> '102.77.50.178.xbl.spamhaus.org|'
> Dec 28 21:04:38 10 pdns_recursor[2667]: 1 [1225/2] answer to question 
> '102.77.50.178.xbl.spamhaus.org|': 0 answers, 0 additional, took 4 
> packets, 7515.07 ms, 2 throttled, 3 timeouts, 0 tcp connections, rcode=2

This is likely exactly what it says, that 178.209.52.139 is not listening to
you. Spamhaus is known to limit queries if they exceed a certain rate.

It looks like you deleted some log lines so we can't really tell what is
going on.

Bert


Re: [Pdns-users] [Pdns-announce] PowerDNS Lua/GSLB records: we need your feedback

2017-12-18 Thread bert hubert
On Fri, Dec 15, 2017 at 04:43:20PM +0100, Marco Davids (Private) wrote:
> >  We are happy to share a new development with you, one that we hinted
> >  at over a year ago: Lua resource records.
> 
> Great stuff!

Thanks!

> > In this post, we ask for your help: did
> > we get the feature right?  Are we missing important things?
> 
> I was wondering; would it be useful if LUA was able to influence the TTL
> of the DNS-answer? I believe that is not possible at the moment?

It is not possible now. The TTL is retrieved from the zonefile. Since there
is typically not that much room in a zonefile, we like to use the parts that
are there already.

If someone has a usecase, it could be done of course.

> Maybe this also applies to other parts of the synthesized LUA reply.
> Fiddling with RCODE comes to mind:

One of the reasons the LUA record type is rather simple is because it does
not change the existence of a record. This makes sure NXDOMAIN, NOERROR,
NSEC(3) bitmaps operate correctly. So you can't make a LUA record vanish.

So for full flexibility, we do offer the Lua backend: 
https://doc.powerdns.com/authoritative/

This has more power, but it also involves more typing.

Bert



[Pdns-users] PowerDNS Lua/GSLB records: we need your feedback

2017-12-15 Thread bert hubert
Hi everyone,

I just posted information about our new Lua records on
https://blog.powerdns.com/2017/12/15/powerdns-authoritative-lua-records/ and
we really need your feedback to get this right, as we plan to release this
feature in January.

These Lua records power our 'powerdns.org' information records like
whoami-ecs.lua.powerdns.org, whoami.ipv4.powerdns.org,
whoami.ipv6.powerdns.log and perhaps the most fun, 'dig -t loc
latlon.lua.powerdns.org'.

From the post:

 We are happy to share a new development with you, one that we hinted at over
 a year ago: Lua resource records.  In this post, we ask for your help: did
 we get the feature right?  Are we missing important things?  The goal is to
 release Lua records in January 2018, but we can only make that with your
 testing and feedback!  At the end of this post you will find exact
 instructions how to test the new LUA records.

 While PowerDNS ships with a powerful geographical backend (geoip), there was
 a demand for broader solutions that include uptime monitoring, which in
 addition could run from existing zones.

 After several trials, we have settled on “LUA” resource records, which
 look like this:

 @   IN   LUA   A   "ifportup(443, {'52.48.64.3', '45.55.10.200'})"
 
 When inserted in a zone with LUA records enabled, any lookups for your
 domain name will now return one of the listed IP addresses that listens on
 port 443.  If one is down, only the other gets returned.  If both are down,
 both get returned.

 But if both are up, wouldn’t it be great if we could return the ‘best’ IP
 address for that client? Say no more:

 @   IN   LUA   A   ( "ifportup(443, {'52.48.64.3', '45.55.10.200'}, "
                      "{selector='closest'})" )

Please head to 
https://blog.powerdns.com/2017/12/15/powerdns-authoritative-lua-records/
to learn more, and please let us know your thoughts!

Bert

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
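The selection behaviour the post describes for `ifportup`, modelled as an added Python example that is not part of the original post and is not PowerDNS code: live addresses are returned, and when every address is down the full list is returned rather than an empty answer. The function names, the health-state dictionaries and the timeline are assumptions made for illustration; the `selector='closest'` option is not modelled.

```python
import random
import socket


def tcp_port_up(addr, port, timeout=1.0):
    """Real TCP connect probe; True if the port accepts a connection."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_all(port, addrs, probe=tcp_port_up):
    """Build a health-state map {address: bool} using the given probe."""
    return {a: probe(a, port) for a in addrs}


def ifportup_candidates(addrs, up):
    """Addresses eligible for the answer under the described rules."""
    alive = [a for a in addrs if up.get(a, False)]
    # Fail open: with nothing alive, fall back to the complete list so the
    # name still resolves instead of returning an empty answer.
    return alive if alive else list(addrs)


def ifportup_answer(addrs, up, rng=random):
    """Pick one eligible address, as a lookup for the name would."""
    return rng.choice(ifportup_candidates(addrs, up))


def replay(addrs, timeline):
    """Candidate set at each step of a sequence of health states."""
    return [ifportup_candidates(addrs, up) for up in timeline]


ADDRS = ["52.48.64.3", "45.55.10.200"]  # addresses from the record in the post

# Constructed health states: both up, first one down, both down.
TIMELINE = [
    {"52.48.64.3": True, "45.55.10.200": True},
    {"52.48.64.3": False, "45.55.10.200": True},
    {"52.48.64.3": False, "45.55.10.200": False},
]

if __name__ == "__main__":
    for up, cands in zip(TIMELINE, replay(ADDRS, TIMELINE)):
        print(up, "->", cands)
```

Because the all-down case still answers with every address, DNS responses alone will not reveal a total outage; alert on the health state itself.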


Re: [Pdns-users] Powerdns ver 4

2017-12-14 Thread bert hubert
On Thu, Dec 14, 2017 at 11:43:48PM +, Donald Jayawardena wrote:
> Can someone please show me where we can download powerdns version 4 from? 
> Currently Centos 7 has only version 3.4.11.

Try https://repo.powerdns.com, it has repositories for Centos 7.

Bert


Re: [Pdns-users] Speeding up the slave request

2017-12-14 Thread bert hubert
On Thu, Dec 14, 2017 at 08:02:36AM -0700, bloat list wrote:
> Hi,
> 
> Where else can I get help if not this list?

Well, "bloat list", or may I call you bloat?

We often provide help, but we do prioritise between people trying hard to
hide who they are and people that do not take this precaution.

> The slave finally updated itself but I see these in the master logs.
> (I have to hide the domain name since I don't have permission to post it in 
> public)

You may want to read 
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

Bert


Re: [Pdns-users] pdnsutil secure-zone algorithm 5 or 8

2017-11-30 Thread bert hubert
On Thu, Nov 30, 2017 at 08:28:10PM +0100, Daniel Eriksson wrote:
> Hi all!
> 
> pdnsutil secure-zone is creating algorithm 13.
> 
> How can I do to make it to create algorithm 5 or 8 instead?

Daniel,

Can I please ask you to read the documentation. We spent a lot of time
writing it. You send us messages off list too where we point you to sections
in the documentation.

So here as a final gift, 
https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

and

https://doc.powerdns.com/authoritative/settings.html?highlight=default#default-ksk-algorithm

Bert


Re: [Pdns-users] Run powerdns with pre-signed dnssec zones

2017-11-30 Thread bert hubert
On Thu, Nov 30, 2017 at 02:43:40PM +0100, Daniel Eriksson wrote:
> How can I run powerdns with pre-signed dnssec zones, without the need to
> sign every single zone v4.0?

You don't need to sign all zones. In fact, you must tell PowerDNS which ones
to sign. It will not autosign all of them.

> Do I need axfr transfer to slaves, or can I use my current mysql
> replication?

If they run more or less the same version of PowerDNS, you can just
replicate.

> I can't find any info on this or what to change in the config.

https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html may be
useful.

Good luck!

Bert


Re: [Pdns-users] Bind config file includes

2017-11-15 Thread bert hubert
On Wed, Nov 15, 2017 at 11:31:09AM -0800, Tim Traver wrote:
> When I try and start pdns, I get the following error in the logs :
> 
> Nov 15 11:25:06 pdns_server: Unable to open './reverse/1.conf': No such file 
> or directory

Hi Tim,

It may be that we use different methods to determine relative directories
than the actual BIND does. There is an item in named.conf where you can set
a 'directory', perhaps you can tweak that one to see if that fixes it for
you. I know we honour that directive.

Please let us know!

Bert


Re: [Pdns-users] Are stub zones supported by PowerDNS recursor?

2017-10-19 Thread bert hubert
On Thu, Oct 19, 2017 at 11:39:00AM +0200, Marco Pizzoli wrote:
> Hi all,
> I am new to PowerDNS and to this mailing list as well.

Welcome!

> I am looking for stub zone support in PowerDNS but failing to see it
> referenced  in the documentation.

Some of the things that stub zones can do, we can do as well. So you can
define custom NS records for a zone, for example, or you can override an
entire zone from a zone file.

To forward a whole zone, use forward-zones, forward-zones-file or
forward-zones-recurse. This is the equivalent of setting custom NS records
in a stub zone.

To override specific domains, use auth-zones.

If you have a need not covered by this, please let us know. 

Bert

> 
> In comparison, they are expressly documented in unbound[1], so I guess
> they are not supported in PowerDNS.
> 
> Please correct me if I am wrong and in case please provide the
> documentation link.
> 
> Thank you in advance for your help
> Marco
> 
> [1] https://www.unbound.net/documentation/unbound.conf.html



Re: [Pdns-users] Statistics

2017-09-24 Thread bert hubert
On Sun, Sep 24, 2017 at 03:12:49PM -0300, Thiago Farina wrote:
> Hi,
> 
> I would like to know how many queries pdns has answered so far.
> 
> How can I get this information?

By reading the fine documentation, for example 
https://doc.powerdns.com/authoritative/performance.html?highlight=metrics#metricnames
or https://doc.powerdns.com/recursor/metrics.html?highlight=metrics
or https://dnsdist.org/reference/config.html?highlight=stats#dumpStats

Bert


Re: [Pdns-users] Performance drop after upgrade from auth 3.4.11 to 4.0.4

2017-09-19 Thread bert hubert
On Tue, Sep 19, 2017 at 08:46:18PM +0200, Klaus Darilion wrote:
> Hi!
> 
> Setup: PowerDNS with gpgsql backend, several 100.000 zones (type=NATIVE)
> on a 4 CPU VM with 8GB Ram

Klaus,

Can you redo your measurements against 4.1rc1? We fixed a lot in there.
Would be interesting to know if 4.1 is already better.

Thanks!

> Any ideas where there is a drop in q/s when doing A queries? Where can I
> debug to find the issue? Any changed default settings in 4.0.4? I know
> Master should be faster than 4.0.4, but I would like to use a stable
> version.

It is unlikely we will work on fixing the 4.0 performance if 4.1 fixes it
already.

Bert


Re: [Pdns-users] Couple of (maybe) oddities . . .

2017-09-01 Thread bert hubert
On Fri, Sep 01, 2017 at 01:13:32PM +, Rob Dawson wrote:
> First Oddity - For each inbound call, the active SBC sends a query to both
> servers simultaneously.  I can see the queries hitting port 53 via
> tcpdump, the odd thing is that only one server will send a reply i.e.  if
> server A replies, server B does not and vice versa.  This is causing the
> SBC some concern and it is alarming that an ENUM server is out of service.

Please double check the queries are arriving on both servers. What we have
seen in production is mediocre firewalls getting confused keeping track of
multiple identical questions.

> Second Oddity –
> Whichever server replies, appears to be sending 3 responses. See below:
> 
> 22:40:00.778687 IP X.X.X.X.blackjack > BS-VM-M75-1.domain:  13136+ NAPTR? 
> 0.0.0.2.7.7.5.1.0.3.e164.arpa. (47)
> 22:40:00.779173 IP BS-VM-M75-1.domain > X.X.X.X.blackjack:  13136* 1/0/0 (107)
> 22:40:00.779177 IP BS-VM-M75-1.domain > X.X.X.X.blackjack:  13136* 1/0/0 (107)
> 22:40:00.779178 IP BS-VM-M75-1.domain > X.X.X.X.blackjack:  13136* 1/0/0 (107)

Again, measure on server A and B directly if you haven't yet. This behaviour
again correlates with a bad firewall if you are measuring on the SBC side.

Bert


Re: [Pdns-users] CAA records again

2017-08-14 Thread bert hubert
On Mon, Aug 14, 2017 at 03:41:45PM -0400, Curtis Maurand wrote:
> Yesterday, I had caa records working.  At least the server was returning
> something.  In my work to get dnssec working, I've managed to break CAA
> support somehow.  Now, even though the record exists, the server does not
> return a response.

Please at all times state which exact version of PowerDNS you are running.

Can you also show the output of pdnsutil check-zone xyonet.com ?

Thanks!

Bert



Re: [Pdns-users] PowerDNS Job opening: Solution Engineer

2017-08-09 Thread bert hubert
One thing I forgot to mention: if you want to know more about this vacancy,
or would like to work for us in general, please contact either me off-list
or powerdns.care...@powerdns.com

Thanks!

Bert

On Wed, Aug 09, 2017 at 01:37:36PM +0200, bert hubert wrote:
> Hi everyone,
> 
> PowerDNS is again looking for great people! With the increasing number of
> rollouts going on, we are looking for a "Solution Engineer". As you are the
> biggest PowerDNS experts we know of, we hope some of you would be interested
> in working with us:
> 
> In brief, the Solution Engineer vacancy:
> 
> * What you would be doing
> 
> Daily activities alternate between working on customer issues and actual
> Professional Services for customer implementations (both on-site and
> off-site).  As Solution Engineer (with a focus on PowerDNS) you will work
> closely with the PowerDNS development team, as well as with other parts of
> Open-Xchange and Dovecot development, sales, and Product Management teams
> from within a European Services team.
> 
> * Your personal chance
> 
> We think Support & Implementation is a great step into a promising career. 
> We are specifically looking for employees willing to learn quickly while
> delivering great support and service.  Keeping an eye towards growing within
> the Global Services department or into different roles in the larger
> Open-Xchange organisation.  In other words, this position is a great
> opportunity for your personal development.  There will be a close and
> intimate cooperation between PowerDNS and OX Professional Services regarding
> the  support, implementation and development roles.
> 
> Full details are on:
> 
> http://tinyurl.com/powerdns-job-1
> 
> Please also keep an eye on https://www.powerdns.com/careers.html !
> 
> Thanks.
> 
>   Bert


[Pdns-users] PowerDNS Job opening: Solution Engineer

2017-08-09 Thread bert hubert
Hi everyone,

PowerDNS is again looking for great people! With the increasing number of
rollouts going on, we are looking for a "Solution Engineer". As you are the
biggest PowerDNS experts we know of, we hope some of you would be interested
in working with us:

In brief, the Solution Engineer vacancy:

* What you would be doing

Daily activities alternate between working on customer issues and actual
Professional Services for customer implementations (both on-site and
off-site).  As Solution Engineer (with a focus on PowerDNS) you will work
closely with the PowerDNS development team, as well as with other parts of
Open-Xchange and Dovecot development, sales, and Product Management teams
from within a European Services team.

* Your personal chance

We think Support & Implementation is a great step into a promising career. 
We are specifically looking for employees willing to learn quickly while
delivering great support and service.  Keeping an eye towards growing within
the Global Services department or into different roles in the larger
Open-Xchange organisation.  In other words, this position is a great
opportunity for your personal development.  There will be a close and
intimate cooperation between PowerDNS and OX Professional Services regarding
the  support, implementation and development roles.

Full details are on:

http://tinyurl.com/powerdns-job-1

Please also keep an eye on https://www.powerdns.com/careers.html !

Thanks.

Bert


Re: [Pdns-users] pdns recursor edns-client-subnet caching problems

2017-08-02 Thread bert hubert
On Wed, Aug 02, 2017 at 05:52:26AM +, Shawn Zhou wrote:
> Hi,
> I am trying out pdns recursor 4.0.6 on Ubuntu Xenial and cache lookup for 
> same record with and without client subnet give me the same result which is 
> not expected. I expect [3] to return a different value as the cache should 
> have different value based on client subnet. I wonder if that's bug with 
> edns-client-subnet implementation with pdns or I miss something in the 
> configuration file.
> Also, I noticed dig doesn't show "CLIENT-SUBNET: 52.57.28.138/32/16" when I 
> dig against pdns but I get that when I dig it against the authoritative 
> directly. see [4].

Hi Shawn,

We did a lot of work on EDNS Client Subnet in 4.1, for which a trial release
can be found in 
https://blog.powerdns.com/2017/07/18/powerdns-recursor-4-1-0-alpha1-released/

Before we analyse your issue too deeply, can you check what 4.1 does in your
case?

Have you set use-incoming-edns-subnet?

Good luck!

Bert


Re: [Pdns-users] recursive server failing

2017-07-29 Thread bert hubert
On Sat, Jul 29, 2017 at 12:19:11AM -0400, Charles Sprickman wrote:
> Here’s a few things I’ve tried:
> 
> - Verify with DNSVIZ: http://dnsviz.net/d/dot.nyc.gov/dnssec/
> - Update PowerDNS to powerdns-recursor-4.0.6
> - Remove “scrub” rules from pf configuration
> - Change pf rules to be stateless
> - Look for denied traffic by running tcpdump against pflog device while 
> performing query
> - Checked record by querying BIND on same host
> - Checked record elsewhere (successful)

Thank you for specifying this in so much detail, very appreciated.

> 
> Any ideas where to start with this?  Anyone else seeing the same issue with 
> this record?

We have not heard of this. What we recommend is to enable 'trace' or if that
is too much, 'trace-regex' for dot.nyc.gov. This will give a ton of detail
on what is going on.

We can then find out the problem for you, or perhaps you see it already.

Good luck and let us know!

Bert


[Pdns-users] PowerDNS/Open-Xchange conferences & events

2017-07-24 Thread bert hubert
Hi everyone,

As we are working on the 4.1 & 1.2 releases, please know you can also meet
us in real life!  We are just back from IETF in Prague, here is a list of
other places where we will be present:

 * August 4th-8th: SHA 2017, Zeewolde, The Netherlands
The famous 4-yearly Dutch hacker conference. Almost sold out. I will present
on DNA (not DNS!) on Saturday:
https://sha2017.org/blog/talk-highlight-dna-the-code-of-life-human-body-as-an-electric-io-system
https://program.sha2017.org/events/31.html

 * September 8th, Amsterdam, The Netherlands: NLNOG Day 2017
NLNOG is always fun and educational, and sponsored by PowerDNS too.

 * September 12, Sheffield, UK: UKNOF38
Will feature a discussion on DNS-based internet filtering in the UK, both
filtering on request and government mandated. We'll be sure to chime in with
our technical findings.

 * October 12-13, Brussels: OX Summit in Bruxelles
We kindly invite you to join us with Delegates from Hosting, Telco, Mobile
and Cable carriers for the 9th annual OX Summit to exchange the business
intelligence and technology standards changing the Internet.

We will delve deep into the technology, products and business advantages
that OX ecosystem partners are experiencing.  During both industry and
product sessions, Open-Xchange leaders and Delegates will expose the
opportunities transforming our industry and mutual success.

For full agenda and free registration, please visit

https://www.open-xchange.com/summit/ox17-bruxelles/

Hope to meet you there!

Bert & Team


[Pdns-users] PowerDNS Presentations at RIPE and DNS-OARC

2017-05-16 Thread bert hubert
Hi everyone,

Over the last week, PowerDNS attended RIPE in Budapest, ICANN & DNS-OARC in
Madrid.  Peter, Pieter and I presented on various subjects, some of which
may interest you.  

Here are links to the presentations (video and slides):

RIPE: Pieter Lexis on dnsdist: 
Video: https://ripe74.ripe.net/archives/video/162/ 
Slides: https://ripe74.ripe.net/presentations/122-PLexis-dnsdist-lightning.pdf

DNS-OARC: Peter van Dijk on his standard for a new DNS feature called ANAME
(which was part of the 'Whitehouse' blog post a few months ago,
http://rrsoft.co/2016/07/09/making-dnssec-work-for-an-aws-hosted-saas/):
Video: https://youtu.be/hr_ziislx74?t=30623
Slides: 
https://indico.dns-oarc.net/event/26/session/8/contribution/34/material/slides/0.pdf
 

DNS-OARC: Pieter Lexis reflecting on two years of dnsdist:
Video: https://youtu.be/hr_ziislx74?t=31253
Slides: 
https://indico.dns-oarc.net/event/26/session/8/contribution/35/material/slides/0.pdf

DNS-OARC: Bert on HyperLogLog inspired three-minute scan of DNSSEC
delegations worldwide,
Video: https://www.youtube.com/watch?v=w3TmWk8iAbA=youtu.be=10180 
Slides: 
https://indico.dns-oarc.net/event/26/session/2/contribution/6/material/slides/0.pdf
 

If you enjoy DNS, all other DNS-OARC presentations can be found through
https://indico.dns-oarc.net/event/26/

Good luck!


Re: [Pdns-users] SRV records - wow, hounded for payment already?

2017-03-05 Thread bert hubert
> I'll either go back to BIND if I will continuously be told such things
> when asking for basic help or I'll find one of our devs who knows the
> product.  I just wanted to get some hands on time with it first.

Please go to BIND. I'm sure you'll find volunteers there willing to help you
based on censored and incomplete data.

Good luck! 

Bert
PowerDNS


Re: [Pdns-users] The world can't see me... yet

2017-03-04 Thread bert hubert
On Fri, Mar 03, 2017 at 05:55:21PM -0700, NoBloat wrote:
> Nothing is getting in or out. The world is not seeing the dns server/s, the 
> dns servers aren't seeing each other. 
> What am I missing here?

"NoBloat",

Please specify your real IP addresses and domain names so we can try.

https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

Bert



[Pdns-users] PowerDNS Recursor 4.1 plans

2017-02-23 Thread bert hubert
Hi everyone,

In this message, we ask you to look at our intended PowerDNS Recursor 4.1
development plan.  The 4.0 release train has been very successful and
reliable for a major '.0' release and is seeing wide production use,
including DNSSEC validation for millions of clients.

However, we have found some things that need improving for the 4.1 release. 
This is the focus for 4.1: general improvement of quality, rounding out of
features, and adding a few specific new features.

We ask you to take a REAL good look at what we intend to do. It is entirely
possible that you are running into issues and challenges you are sure we
know about already, when we in fact don't.  So if the PowerDNS Recursor is
somehow not making you happy, and what ails you is not in the list below, we
would LOVE to hear from you!

We are aiming for a June release of Recursor 4.1, but depending on
developments this might be earlier or later, and possibly not with all
features communicated below. This email is not a roadmap you can rely on. 
If you need to rely on certain features appearing by a certain time, please
head to https://www.powerdns.com/contactform.html - for commercially
supported customers we regularly commit to dates & features. 

Already addressed since last 4.0 release, so no need to ask for this:

https://github.com/PowerDNS/pdns/issues/

#4988 - Add `use-incoming-edns-subnet` to process and pass along ECS
#4990 - Native SNMP support for Recursor
#5058 - Faster RPZ updates
#4873 - Ed25519 algorithm support
#4972 - 2017 root KSK added
#4924 - EDNS Client Subnet tuning & length configuration

All issues scheduled for 4.1 can be viewed on the rec-4.1.0 milestone on
GitHub https://github.com/PowerDNS/pdns/milestone/7

Important highlights:

Improvements:
#5077 - DNSSEC validation is in need of a refactor (ongoing)
#4000 - And other tickets: more love & performance for RPZ

New features:
#5079 - EDNS Client Subnet port number
#5076 - RPZ persistency
#440  - DNS prefetching
#4662 - Continue serving expired cache data if all auths are down 

If you want to help, please check out the full milestone listing
https://github.com/PowerDNS/pdns/milestone/7 and see if (your) older issues
might have been addressed by now.

Also, if you have an opinion on certain fixes, features or improvements,
please add them to the GitHub issues so we learn about your concerns!

Thanks!


Re: [Pdns-users] pdns_recursors trusts addtional section where it better shouldn't

2017-02-17 Thread bert hubert
On Fri, Feb 17, 2017 at 02:33:37PM +0100, Peter van Dijk wrote:
> >Call me confused, but it happened every day this week.
> 
> Because OVH put those records in the .net zone. OVH did this. OVH needs to
> fix this. There is no ‘security issue’, there is no ‘CVE needed’. There is
> just OVH that needs to fix these records.

And to really finalise this discussion, PowerDNS could of course utilize a
split cache to segregate glue from actual data.  This would however likely
again break other things, and we'd be doing that to benefit operators
putting wrong data in DNS.

In this case, the .NET servers told us about data in .NET and we believed
the .NET servers. That data was put in the .NET zone by OVH and as a result
OVH email delivery stopped working. 

Way back when in January 1980, Jon Postel wrote in RFC791:

"In general, an implementation should be conservative in its sending
 behavior, and liberal in its receiving behavior."

This sentence has guided a lot of resolver development where BIND, Unbound,
Knot resolver and PowerDNS etc accept a Lot of broken stuff in the interest
of keeping the internet working. 

Less frequently quoted is the second part of that paragraph from RFC 791:

"That is, it should be careful to send well-formed datagrams, but should
 accept any datagram that it can interpret (e.g., not object to technical
 errors where the meaning is still clear)."

This looks decidedly worse. This does not look like decent design. In the
OVH case, I'm not even sure that "the meaning is still clear" if you publish
two different IP addresses for a name. Which is right?

In 2015, Martin Thomson wrote an Internet Draft "The Harmful
Consequences of Postel's Maxim".  In this draft, he argues that the
'robustness principle' actually causes protocol decay:

"An implementation that reacts to variations in the manner advised by
 Postel sets up a feedback cycle:

   o  Over time, implementations progressively add new code to constrain
  how data is transmitted, or to permit variations what is received.

   o  Errors in implementations, or confusion about semantics can
  thereby be masked.

   o  As a result, errors can become entrenched, forcing other
  implementations to be tolerant of those errors."

[https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00]

What you are doing in your emails is asking us to take further steps in
this protocol decay, to benefit the people sending wrong data.

And for now, we have better things to do. 

Bert
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
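
The split-cache trade-off mentioned in the message above, as an added example (not PowerDNS code): a cache that tags every record set with where it came from, using a simplified subset of the RFC 2181 section 5.4.1 ranking, so referral glue can be used to reach nameservers while being withheld from client answers. The host name and addresses are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Trust(IntEnum):
    """Simplified subset of the RFC 2181 section 5.4.1 ranking, lowest first."""
    ADDITIONAL = 1   # additional section of a non-referral reply
    GLUE = 2         # addresses accompanying a referral from the parent zone
    AUTH_ANSWER = 3  # answer section of a reply with the AA bit set


@dataclass(frozen=True)
class Entry:
    addresses: frozenset
    trust: Trust
    source: str


class RankedCache:
    def __init__(self):
        self._store = {}
        self.conflicts = []  # (key, cached, offered) whenever two sources disagree

    @staticmethod
    def _key(name, qtype):
        return (name.lower().rstrip("."), qtype.upper())

    def offer(self, name, qtype, addresses, trust, source):
        """Store a record set unless something more credible is already cached."""
        key = self._key(name, qtype)
        new = Entry(frozenset(addresses), trust, source)
        old = self._store.get(key)
        if old is not None and old.addresses != new.addresses:
            self.conflicts.append((key, old, new))
        if old is not None and old.trust > new.trust:
            return False
        self._store[key] = new
        return True

    def lookup(self, name, qtype, min_trust=Trust.ADDITIONAL):
        entry = self._store.get(self._key(name, qtype))
        if entry is None or entry.trust < min_trust:
            return None
        return entry

    def for_delegation(self, name, qtype="A"):
        """Any cached address is good enough to go and ask a nameserver."""
        return self.lookup(name, qtype, Trust.ADDITIONAL)

    def for_client(self, name, qtype="A"):
        """Only data the zone's own servers vouched for is returned to clients."""
        return self.lookup(name, qtype, Trust.AUTH_ANSWER)


def demo():
    cache = RankedCache()
    host = "mx1.mail.example.net."  # constructed name
    # 1. A referral from the parent zone carries an address that is out of date.
    cache.offer(host, "A", {"192.0.2.10"}, Trust.GLUE, "parent referral")
    shared = cache.for_delegation(host)    # an unsegregated cache would serve this
    split_before = cache.for_client(host)  # segregated: miss, must ask the child zone
    # 2. The zone's own servers answer with the current address.
    cache.offer(host, "A", {"198.51.100.25"}, Trust.AUTH_ANSWER, "child zone, AA=1")
    # 3. A later referral must not downgrade what is cached.
    downgraded = cache.offer(host, "A", {"192.0.2.10"}, Trust.GLUE, "parent referral")
    return {
        "shared": sorted(shared.addresses),
        "split_before": split_before,
        "split_after": sorted(cache.for_client(host).addresses),
        "downgraded": downgraded,
        "conflicts": len(cache.conflicts),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `conflicts` list is the useful part for an operator: every entry is a name for which the parent zone and the zone's own servers publish different addresses.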


Re: [Pdns-users] pdns_recursors trusts addtional section where it better shouldn't

2017-02-17 Thread bert hubert
On Fri, Feb 17, 2017 at 10:49:08AM +0100, Thomas Mieslinger wrote:
> ovh changed its MX A records and now my employers Mail relays can't send
> email to ovh.

Have you attempted to talk to OVH about their misconfiguration?

I ask this because the DNS Resolver community keeps getting asked to solve
problems which are not ours. But it is easier to ask us to change.

We (BIND, Unbound) keep running into broken F5 configurations for example,
and yes, we can fix those with some special casing. But people always ask us
because we are easier to talk to than the operators of the F5 machines.

And so the code in resolvers becomes ever more a set of exceptions and
workarounds. And please know, every workaround breaks something else. 

So please ask OVH to fix their stuff. 

> Many many domains are wrongly delegated with wrong glue records in the tld
> zone. 

Let us not encourage broken things to work well. Some pain is quite
motivational to clean this up.

> I understand that this must have a performance impact but having the choice
> between 1000s of customer calls a day "I can't send emails to ovh and it is
> your fault" and buying some more recursor boxes, I clearly want more
> recursor boxes and less disappointed customers.

The disappointed customers may want to ask OVH why it is publishing the
wrong IP addresses?

Bert


[Pdns-users] PowerDNS Jobs, 4.1.x planning, research

2017-02-07 Thread bert hubert
Hi everyone,

In this post, we want to mention a few things: PowerDNS Jobs, 4.1 plans &
some DNSSEC research.

First, PowerDNS is growing rapidly as more and more large scale service
providers displace closed DNS systems by PowerDNS, especially for security
enhanced DNS and "parental control". More on this can be found here
https://www.open-xchange.com/portfolio/ox-powerdns/ and here
https://www.powerdns.com/platform.html

We therefore have two job openings currently. Full details are on
https://www.powerdns.com/careers.html , brief descriptions:

* Solution Engineer
Daily activities alternate between working on customer issues and actual
Professional Services for customer implementations (both on-site and
off-site).  As Solution Engineer (with a focus on PowerDNS) you will work
closely with the PowerDNS development team, as well as with other parts of
Open-Xchange and Dovecot development, sales, and Product Management teams
from within a European Services team.

We think Support & Implementation is a great step into a promising career.
We are specifically looking for employees willing to learn quickly while
delivering great support and service, while keeping an eye towards growing
within the Global Services department or into different roles in the larger
Open-Xchange organisation.

* Versatile frontend developer with moderate middleware skills
We are looking for people with any or more of the following skills:

 - Modern web development (key words are AngularJS, JSON, RESTful, D3.js,
   Backbone and other frameworks that aren't TOO hip)
 - Django
 - Ability to enhance middleware in Python
 - Ability to propose changes to core C++ code and make small additions
 - Automated UI testing

For more information, please head to https://www.powerdns.com/careers.html

* 4.1 plans

We have started the process of 4.1 release planning. We have identified a
number of areas that need to be addressed, but your input is most welcome.
The 4.0 roadmap process was rather successful, but only because users
vocally reminded us of what was missing.

So please let us know: what are we simply not talking about that you think
is vital for PowerDNS. If we are not doing something, it is probably because
we don't know that you need it! So please let us know whatever you are
missing on powerdns-id...@powerdns.com.

* DNSSEC research
We wrote some perhaps interesting stuff on DNSSEC here:
https://ds9a.nl/hypernsec3/

With this technique, we've been able to measure the DNSSEC penetration on
all top level domains (including co.uk and com.br). The list is here:
https://powerdns.org/dnssec-stats/

All in all we have found there are around 7.4 million signed DNSSEC domains.
Given what we know of the zones involved (.se, .nl, .de, .be), it looks like
the majority of these are signed and mostly served by PowerDNS. 



[Pdns-users] PowerDNS Year 2016 in review

2016-12-27 Thread bert hubert
Hi everyone,

We just posted "PowerDNS: 2016 in review" in our blog, 
https://blog.powerdns.com/2016/12/27/powerdns-2016-in-review/

Text version, which lacks clickable links, is below. But for best results, try 
the blog!

As 2016 draws to a close, we’d like to share a few words on what has been
achieved over the past year, our second year within Open-Xchange.  This post
will cover both our technical and commercial efforts, including the PowerDNS
Platform which provides per-subscriber malware filtering & parental control. 
And, we are hiring!

At the end of 2015, we released ‘Technology Preview Releases’ of PowerDNS
Authoritative Server 4, PowerDNS Recursor 4 and dnsdist 1.0.  This was done
to somewhat keep our promise of releasing those versions in 2015, but fell
short of what we had hoped to achieve.

Now at the end of 2016 the news is a lot better. The actual 4.0 and 1.0
(dnsdist) releases have happened and are being deployed far faster than we’d
been hoping for.  This is probably due to some of the exciting new features:

* RPZ for security & DNS filtering purposes (including IXFR)
* dnsdist for reliability, flexibility and DoS protection
* pdnsutil edit-zone for a pretty awesome way to edit DNS zones
* DNSSEC validation in Recursor
* Vastly more powerful Lua engines
* ALIAS record type that now powers many of the .GOV search engines DNSSEC 
(including the White House!)

A notable DNSSEC deployment is over at our friends of xs4all who not only
sign all their customer domains with the PowerDNS Authoritative Server, but
recently have also turned on validation on their PowerDNS Recursors for
their large userbase.

4.0 and dnsdist were both part of a ‘spring cleaning’ exercise. It is good
to realize how rare it is for a software project to go through such an
exercise.  4.0 and dnsdist are based on a much cleaned up and improved
codebase.

We are also very grateful for our community that stepped up to contribute to
4.x in the form of code, great bug reports, design ideas, documentation and
actual bug fixes.  Our meagre offering of ‘PowerDNS Crew’ mugs is the least
we could do!

Some stats that bear out the community involvement: In 2016, our Github
repository was forked over a 100 times, yielding almost a 1000 Pull Requests
most of which were merged, for a total of over 2500 new commits.  These
commits closed 1300 issue tickets.

As you may recall, since 2015 PowerDNS is part of OX, together with our
cousins from Dovecot.  When we announced the merger, some voiced fear about
what this would mean for PowerDNS.  We can now safely say that the state of
the PowerDNS source in 2016 is way stronger than it was in 2015.

Besides finishing the spring cleaning of our open source products, 2016 also
saw the release of the PowerDNS Platform which, unusually for us, is not
fully open source.  We explained this in our blog post as follows:

"Putting it more strongly: we have learned that many organizations simply no
 longer have the time or desire to assemble all the technologies themselves
 around our Open Source products.

 We will therefore be marketing the additional functionalities we have been
 delivering to our customers as a product tentatively called the “PowerDNS
 Platform”

 The “PowerDNS Platform” as we ship it consists of our core unmodified Open
 Source products, plus loads of other open source technologies, combined with
 a management shell that is not an Open Source product that we’ll in fact
 sell."

The PowerDNS Platform is described here. Feedback on the move to supply the
Platform has been good, both from our commercial users and from the PowerDNS
development and wider DNS community, for which we are grateful.

Now at the end of 2016 we can report that the PowerDNS Platform has been
selected to provide a malware & parental control enabled DNS solution for
over 10 million Internet subscribers in Europe.  We will be displacing a
fully closed solution, which is a win for an open internet.

In addition, this commercial progress provides a healthy & sustainable basis
on which to continue to develop the PowerDNS nameservers and dnsdist.

POWERDNS.ORG

We have regained control over powerdns.org. As outlined in our blogpost:

"Recently we decided it was time to get the .org back anyhow and after
negotiating for a few days we finally paid up, and shortly after that we
were back in control of powerdns.org, at a cost of $1000."

This personally left me with a bad aftertaste since effectively we have paid a 
chain of people that specialise in taking over domains for ransom purposes.

To compensate for all this, we’ve decided to donate €1000 to the Doctors 
without Borders charity."

MUGS

We have shipped close to 500 PowerDNS Release mugs to contributors, friends
and conference visitors.  If you missed out on our giveaway, you can order
PowerDNS mugs online from our friends over at Mugbug, who have been an
absolute joy to work with.

ROOT-SERVER SPEEDUP

We also had a good time working with the fine people of 

Re: [Pdns-users] PDNS 4 0 0-alpha2 Hit and Miss

2016-12-19 Thread bert hubert
On Mon, Dec 19, 2016 at 12:11:58PM -, Palm Internet wrote:
> Hi Guys
> 
> Ubuntu server 16.04 64 bit 
> 
> I have tried to locate version 4.0.0 but Ubuntu keeps installing the alpha
> version

Then this is the bug we should solve. We can't do any support on
4.0.0-alpha2.

> Any ideas please. I am trying to upgrade my systems but cannot put them live
> until they work correctly

Do the instructions on https://repo.powerdns.com/ work for you? See if you
can install the actual 4.0.x release.

Thanks!

Bert


Re: [Pdns-users] Authority not refreshing stale mysql connections?

2016-11-24 Thread bert hubert
On Thu, Nov 24, 2016 at 01:19:03PM -0800, MRob wrote:
> I'm sorry I left that out. I installed using apt-get on Ubuntu. Package is
> called:
> pdns-server 4.0.0~alpha2-3build1

Thanks!

> Since you have heard reports of this before, do you know if the problem only
> happens on lightly used systems? In other words, if I move it to production
> where queries happen on a regular basis, will the DB connection not go
> stale?

Yes, this does not happen on busier servers. Secondly, alpha2 was known
to suffer from this. You could try a package from https://repo.powerdns.com
for your Ubuntu and it probably will solve the issue for quiet servers as
well.

Bert


Re: [Pdns-users] Authority not refreshing stale mysql connections?

2016-11-24 Thread bert hubert
MRob,

It is tremendously helpful if you let us know which version of PowerDNS you
are running and on which platform. 

We are aware of some versions of PowerDNS having this issue but we need to
know what you are running.

Thanks.

Bert

On Thu, Nov 24, 2016 at 12:46:42PM -0800, MRob wrote:
> I have a mysql-backed authority set up locally serving the internal LAN
> domain on a test platform (very lightly used at the moment). It appears that
> after some time (hours), the DB connection goes stale and queries return
> with dig reporting status SERVFAIL. If I wait (not sure how long, but I
> think more than 5 minutes, if not a lot longer), the queries will start
> working normally again (status NOERROR).
> 
> It appears I can cause the same problem prematurely by restarting the mysql
> service, which is what leads me to believe PDNS is not refreshing stale
> database connections right away (though eventually it does).
> 
> Restarting the authority of course fixes the problem, but I'm looking for a
> better solution.
> 
> Help?


[Pdns-users] smart failover: Lua record experiments

2016-11-01 Thread bert hubert
Hi everyone,

Recently it has been noted that some DNS hosters have rolled out proprietary
features which are pretty nice - DNS based failover for example. 

Given the big DNS outages a few weeks ago, it appears there is a case to
standardise such DNS based failover so domain owners are able to migrate
away from a DNS provider that is under attack.

To this end, we've been playing around with dynamic records that enable
smart and easy load balancing straight from your database.

To clarify, this is extremely experimental as we figure out how this should
work and what the syntax should look like. If we've settled on this we can
attempt to get these features standardised.

In short, in the current testing version, you can do:

time IN  LUA TXT "return os.date('%c')"

Which when queried will return the current date and time. This also works
from our SQL databases, and also supports DNSSEC by the way.

Or, more usefully:

www IN  LUA A   "return ifurlup('http://www.lua.org/about.html', {'148.251.24.173', '52.48.64.3'})"

Which will return one of the two IP addresses (as normal A records) if the
given URL loads correctly from them.

Or with some Amazon Route53 like load balancing features:

www4 IN  LUA A   (
 " return ifurlup('http://www.ds9a.nl/status', "
 " {'148.251.24.173','52.48.64.3'}, "
 " {stringmatch='UP', follow='true', interval='10s'})"
)

This will attempt to retrieve that URL from both IP addresses, and declare
them up if the URL returns the word 'UP' somewhere.

For some more background, please see
https://gist.github.com/ahupowerdns/1e8bfbba95a277a4fac09cb3654eb2ac 

At this stage, your thoughts are very welcome on how we should develop this.
Especially if you think you could be rolling this out to your users in some
way let us know your ideas.

Discussion is also going on our IRC channel which can be found through
https://www.powerdns.com/opensource.html

Thanks!




Re: [Pdns-users] Recursor v3 to v4

2016-10-10 Thread bert hubert
On Thu, Oct 06, 2016 at 04:50:09PM -0300, Ciro Iriarte wrote:
> Hi!, are there any guidelines to migrate a v3 recursor to v4?, I'm
> particularly interested in any LUA scripting changes...

Hi Ciro,

We haven't written a specific porting guide. However, you'll probably find
that 50% of your 3.x-era script will disappear after reading
https://doc.powerdns.com/md/recursor/scripting/

A lot of tedious domain processing has now gone 'native', which should make
things a lot simpler.

Good luck!

Bert

> 
> Regards,
> 
> -- 
> Ciro Iriarte
> http://iriarte.it
> --


[Pdns-users] Several small PowerDNS things: NFV version, OX Summit, Mugs

2016-10-10 Thread bert hubert
Hi everybody,

We try not to spam you too much, so a few combined updates: 1) Mugs,
2) OX Summit, 3) Thoughts on NFV.

1) To clarify the recent mug update, this was for the people that applied
for the PowerDNS 4.0.0 Release Giveaway.  If you did not apply, or do not
qualify, but still want a mug, you can order one here:

http://www.mugbug.co.uk/mug/power-dns-mug/5305/ (8 pounds, excluding
shipping. We do not make any money on this. Mugbug is an excellent company
though).

Or check here
https://blog.powerdns.com/2016/07/11/welcome-to-powerdns-4-0-0/ if you
qualify for a free mug, and apply for one as described in the post. We'll
probably be ending the free mug offer quite soon.

2)  This week is the OX Summit (PowerDNS is part of Open-Xchange, together
with Dovecot).  The summit is in Frankfurt on Thursday and Friday and you
can still register (for free!) here:
http://www.cvent.com/events/oxs16-frankfurt/event-summary-99a3ababacd24dea9fe68a07720ba283.aspx

Find out more here:
http://summit.open-xchange.com/oxs16-frankfurt.html

The PowerDNS session is Friday, where we will speak about how to do malware
filtering as an opt-in or opt-out on a per-dynamic-ip-address-user-basis.

We'll also demo the whole setup.

On Thursday there are also drinks, so feel free to register and drop by!

3) We are speccing up the PowerDNS 'NFV' product, Network Function
Virtualization. If your organization cares about NFV and you have
expectations of what a PowerDNS NFV product should look like, please contact
us on powerdns.id...@powerdns.com. This is about orchestration,
virtualization, containerization, auto-scaling, and IP address delivery
('SDN'). We'd love to hear about your requirements & hopes.

Thanks!


[Pdns-users] Mug vouchers have been sent

2016-10-06 Thread bert hubert
Hi everybody,

Yesterday you should have received your PowerDNS 4.0.0 Release Mug vouchers.

If you haven't, please complain to powerdns-4.0-contribut...@powerdns.com !

Apologies for the delays, but the mugs are pretty nice. Please show them off
:-)

Bert

