Re: [Pdns-users] How to make Authoritative work?
On 18/01/2022 15:03, jrd-p...@jrd.org wrote:
> Let's get back to my original question: How do I get pdns, with no
> recursor in the picture, to believe that it's authoritative for a zone?

(Presumably by "pdns" you mean "pdns authoritative server")

> When I hit it with a query, I get
>
> root@f3-kong-dyndns /etc/powerdns # dig -p 5300 jrd.org soa @localhost
>
> ; <<>> DiG 9.16.22 <<>> -p 5300 jrd.org soa @localhost
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37408
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available

That looks right to me. flags: aa = authoritative answer set on the reply. What do you expect to be different?

If you want to avoid the "recursion requested but not available" warning, use dig +norec

dig +norec -p 5300 jrd.org. soa @localhost

Note that if the server wasn't authoritative for the requested zone, it would reply to the query with REFUSED.

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
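An added example (not code from the thread or from the PowerDNS project) that does in Python what the dig runs in this thread do: send one SOA query with RD clear, like dig +norec, and classify the reply by its header flags (aa, ra, REFUSED) so the port-53-versus-5300 confusion shows up immediately. It assumes plain UDP, no EDNS, and whatever host and port the caller passes.

```python
"""Send one SOA query (RD clear, like dig +norec) and classify the reply by
its header flags, the check Brian walks the poster through in the thread.
Assumes plain UDP, no EDNS; host/port are whatever the caller passes."""
import socket
import struct

# Header flag bits, RFC 1035 section 4.1.1
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPE_SOA = 6
MSG_ID = 0x1234  # fixed id is fine for a one-shot diagnostic


def build_query(name, qtype=QTYPE_SOA, rd=False):
    """Wire-format query; rd=False avoids the 'recursion requested' warning."""
    header = struct.pack("!HHHHHH", MSG_ID, RD if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Decode the 12-byte header into the fields dig prints on its flags line."""
    msg_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA), "answer": an,
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F))}


def classify(hdr):
    """Map the flag combination onto what each one meant in the thread."""
    if hdr["rcode"] == "REFUSED":
        return "refused: not authoritative for the zone and not recursing"
    if hdr["aa"]:
        return "authoritative answer: aa set, you reached the auth server"
    if hdr["ra"]:
        return "non-authoritative: ra set, you reached a recursor"
    return "non-authoritative: no aa and no ra, answer came via a forwarder"


def probe(name, host="127.0.0.1", port=5300, timeout=2.0):
    """Send one query over UDP and return the parsed header (network call)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (host, port))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != MSG_ID or not hdr["qr"]:
        raise ValueError("reply is not an answer to our query")
    return hdr


# Constructed sample headers matching the two dig outputs quoted in the thread:
# flags qr aa rd (pdns-auth on :5300) and flags qr rd ra (recursor on :53).
AUTH_REPLY = struct.pack("!HHHHHH", 37408, QR | AA | RD, 1, 1, 0, 1)
RECURSOR_REPLY = struct.pack("!HHHHHH", 58908, QR | RD | RA, 1, 1, 0, 1)

if __name__ == "__main__":
    for sample in (AUTH_REPLY, RECURSOR_REPLY):
        print(classify(parse_header(sample)))
```

Run probe("jrd.org", port=5300) against the authoritative listener and probe("jrd.org", port=53) against the recursor to see the two classifications side by side.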
Re: [Pdns-users] How to make Authoritative work?
Ok, fair enough. I get that I'm doing something slightly outside the box, though it didn't seem to me that it was *that* far outside :) I probably am thinking of bind days, bad on me.

Let's get back to my original question: How do I get pdns, with no recursor in the picture, to believe that it's authoritative for a zone?

When I hit it with a query, I get

root@f3-kong-dyndns /etc/powerdns # dig -p 5300 jrd.org soa @localhost

; <<>> DiG 9.16.22 <<>> -p 5300 jrd.org soa @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37408
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;jrd.org.                IN      SOA

;; ANSWER SECTION:
jrd.org.        86400   IN      SOA     f3-kong-dyndns.jrd.org. postmaster.jrd.org. 2022010900 10800 3600 360 86400

;; Query time: 10 msec
;; SERVER: ::1#5300(::1)
;; WHEN: Tue Jan 18 08:54:01 EST 2022
;; MSG SIZE  rcvd: 98

I posted previously the pdns config and the stuff in the DB which pertains to jrd.org. I must be missing something that my pdns is looking for, but it's not clear to me what.

> From: Brian Candler
> Date: Tue, 18 Jan 2022 14:49:50 +
>
> On 18/01/2022 14:38, jrd-p...@jrd.org wrote:
>> . . . but when I query direct to the pdns, it also doesn't say it's authoritative. See previous mail.
>
> Sorry, I missed that mail. Did you send a dig directly to port 5300? I didn't catch that.
>
>> I probably need to go back and re-read the DNS specs. It's been years since I was deep into this, but I don't remember that a recursor always returns non-authoritative, even when wherever it got the answer was authoritative. Did that behaviour change somewhere along in there?
>
> I don't think it's changed, although bind may have performed in an odd way (e.g. returning AA for the first answer from cache, non-AA for subsequent)
>
> Even from the very oldest spec, RFC1035:
>
> AA Authoritative Answer - this bit is valid in responses, and specifies that the responding name server is an authority for the domain name in question section.
>
> A recursor is not an authority for the name.
>
>> Assuming I'm simply mis-remembering how that's supposed to work, what's the recipe for setting up a local (set of) server(s) which:
>> . Returns authoritative for some zones, for which it has local data
>> . Recurses to other servers for other zones
>
> You Really Don't Want To Do That™.
>
> If you think you must (and continue to use powerdns), then you can look at putting dnsdist in front of pdns-auth and pdns-recursor.
>
> But really, really you don't. Just give your cache(s) their own IP addresses, and your authoritative server(s) their own IP addresses. This is how DNS is supposed to work.
>
> The only reason I can think of for not doing that is that you need to share a single public IP address between recursor and authoritative; but then you might as well just put your recursor behind NAT. Either way, it doesn't scale, and pdns is designed for ISP-scale deployments.
Re: [Pdns-users] How to make Authoritative work?
On 18/01/2022 14:38, jrd-p...@jrd.org wrote:
> . . . but when I query direct to the pdns, it also doesn't say it's authoritative. See previous mail.

Sorry, I missed that mail. Did you send a dig directly to port 5300? I didn't catch that.

> I probably need to go back and re-read the DNS specs. It's been years since I was deep into this, but I don't remember that a recursor always returns non-authoritative, even when wherever it got the answer was authoritative. Did that behaviour change somewhere along in there?

I don't think it's changed, although bind may have performed in an odd way (e.g. returning AA for the first answer from cache, non-AA for subsequent)

Even from the very oldest spec, RFC1035:

AA Authoritative Answer - this bit is valid in responses, and specifies that *the responding name server is an authority for the domain name in question section*.

A recursor is not an authority for the name.

> Assuming I'm simply mis-remembering how that's supposed to work, what's the recipe for setting up a local (set of) server(s) which:
> . Returns authoritative for some zones, for which it has local data
> . Recurses to other servers for other zones

You Really Don't Want To Do That™.

If you think you must (and continue to use powerdns), then you can look at putting dnsdist in front of pdns-auth and pdns-recursor.

But really, really you don't. Just give your cache(s) their own IP addresses, and your authoritative server(s) their own IP addresses. This is how DNS is supposed to work.

The only reason I can think of for not doing that is that you need to share a single public IP address between recursor and authoritative; but then you might as well just put your recursor behind NAT. Either way, it doesn't scale, and pdns is designed for ISP-scale deployments.
Re: [Pdns-users] How to make Authoritative work?
. . . but when I query direct to the pdns, it also doesn't say it's authoritative. See previous mail.

I probably need to go back and re-read the DNS specs. It's been years since I was deep into this, but I don't remember that a recursor always returns non-authoritative, even when wherever it got the answer was authoritative. Did that behaviour change somewhere along in there?

Assuming I'm simply mis-remembering how that's supposed to work, what's the recipe for setting up a local (set of) server(s) which:
. Returns authoritative for some zones, for which it has local data
. Recurses to other servers for other zones

And for anything like that to work, I need my local pdns to believe it's authoritative, which it still doesn't seem to. Any pointers to docs describing that configuration appreciated.

> From: Brian Candler
> Date: Tue, 18 Jan 2022 14:25:49 +
>
> On 18/01/2022 13:55, jrd-p...@jrd.org wrote:
>> Oops. Yes. Port 53 has a pdns-recursor listening on it, which is
>> feeding requests to pdns. Want the recursor config too?
>
> No need. You asked why the response didn't have the AA flag set, and the answer is because the response came from a recursor - it's as simple as that.
Re: [Pdns-users] How to make Authoritative work?
On 18/01/2022 13:55, jrd-p...@jrd.org wrote:
> Oops. Yes. Port 53 has a pdns-recursor listening on it, which is
> feeding requests to pdns. Want the recursor config too?

No need. You asked why the response didn't have the AA flag set, and the answer is because the response came from a recursor - it's as simple as that.
Re: [Pdns-users] How to make Authoritative work?
Oops. Yes. Port 53 has a pdns-recursor listening on it, which is feeding requests to pdns. Want the recursor config too?

dig -p 5300 jrd.org soa @localhost

; <<>> DiG 9.16.22 <<>> -p 5300 jrd.org soa @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37408
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;jrd.org.                IN      SOA

;; ANSWER SECTION:
jrd.org.        86400   IN      SOA     f3-kong-dyndns.jrd.org. postmaster.jrd.org. 2022010900 10800 3600 360 86400

;; Query time: 10 msec
;; SERVER: ::1#5300(::1)
;; WHEN: Tue Jan 18 08:54:01 EST 2022
;; MSG SIZE  rcvd: 98

> From: Brian Candler
> Date: Tue, 18 Jan 2022 13:25:11 +
>
> On 18/01/2022 12:19, jrd via Pdns-users wrote:
>> root@f3-kong-dyndns /etc/powerdns # dig jrd.org soa @localhost
>>
>> ; <<>> DiG 9.16.22 <<>> jrd.org soa @localhost
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58908
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> ...
>> ;; Query time: 90 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>
> RD = recursion desired, RA = recursion available.
>
> Are you *sure* it's powerdns authoritative that you're talking to on localhost port 53?!
>
> Ah, digging through your config:
>
>> # local-port=53
>> local-port=5300
>
> Clearly, it isn't. Your dig query is going to something else (unspecified) which is listening on port 53. That'll be why you're not getting AA.
Re: [Pdns-users] How to make Authoritative work?
On 18/01/2022 12:19, jrd via Pdns-users wrote:
> root@f3-kong-dyndns /etc/powerdns # dig jrd.org soa @localhost
>
> ; <<>> DiG 9.16.22 <<>> jrd.org soa @localhost
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58908
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ...
> ;; Query time: 90 msec
> *;; SERVER: 127.0.0.1#53(127.0.0.1)*

RD = recursion desired, RA = recursion available.

Are you *sure* it's powerdns authoritative that you're talking to on localhost port 53?!

Ah, digging through your config:

> # local-port=53
> local-port=5300

Clearly, it isn't. Your dig query is going to something else (unspecified) which is listening on port 53. That'll be why you're not getting AA.
Re: [Pdns-users] How to make Authoritative work?
Incoming data dump:

---
# Autogenerated configuration file template
#
# ignore-unknown-settings  Configuration settings to ignore if they are unknown
#
# ignore-unknown-settings=
#
# 8bit-dns  Allow 8bit dns queries
#
# 8bit-dns=no
#
# allow-axfr-ips  Allow zonetransfers only to these subnets
#
# allow-axfr-ips=127.0.0.0/8,::1
#
# allow-dnsupdate-from  A global setting to allow DNS updates from these IP ranges.
#
# allow-dnsupdate-from=127.0.0.0/8,::1
#
# allow-notify-from  Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.
#
# allow-notify-from=0.0.0.0/0,::/0
allow-notify-from=
#
# allow-unsigned-autoprimary  Allow autoprimaries to create zones without TSIG signed NOTIFY
#
# allow-unsigned-autoprimary=yes
#
# allow-unsigned-notify  Allow unsigned notifications for TSIG secured zones
#
# allow-unsigned-notify=yes
#
# allow-unsigned-supermaster  Allow supermasters to create zones without TSIG signed NOTIFY
#
# allow-unsigned-supermaster=yes
#
# also-notify  When notifying a zone, also notify these nameservers
#
# also-notify=
#
# any-to-tcp  Answer ANY queries with tc=1, shunting to TCP
#
# any-to-tcp=yes
any-to-tcp=yes
#
# api  Enable/disable the REST API (including HTTP listener)
#
# api=no
#
# api-key  Static pre-shared authentication key for access to the REST API
#
# api-key=
#
# autosecondary  Act as an autosecondary (formerly superslave)
#
# autosecondary=no
#
# axfr-fetch-timeout  Maximum time in seconds for inbound AXFR to start or be idle after starting
#
# axfr-fetch-timeout=10
#
# axfr-lower-serial  Also AXFR a zone from a master with a lower serial
#
# axfr-lower-serial=no
#
# cache-ttl  Seconds to store packets in the PacketCache
#
# cache-ttl=20
#
# carbon-instance  If set overwrites the the instance name default
#
# carbon-instance=auth
#
# carbon-interval  Number of seconds between carbon (graphite) updates
#
# carbon-interval=30
#
# carbon-namespace  If set overwrites the first part of the carbon string
#
# carbon-namespace=pdns
#
# carbon-ourname  If set, overrides our reported hostname for carbon stats
#
# carbon-ourname=
#
# carbon-server  If set, send metrics in carbon (graphite) format to this server IP address
#
# carbon-server=
#
# chroot  If set, chroot to this directory for more security
#
# chroot=
#
# config-dir  Location of configuration directory (pdns.conf)
#
# config-dir=/etc/powerdns
#
# config-name  Name of this virtual configuration - will rename the binary image
#
# config-name=
#
# consistent-backends  Assume individual domains are not divided over backends. Send only ANY lookup operations to the backend to reduce the number of lookups
#
# consistent-backends=no
#
# control-console  Debugging switch - don't use
#
# control-console=no
#
# daemon  Operate as a daemon
#
# daemon=no
#
# default-api-rectify  Default API-RECTIFY value for zones
#
# default-api-rectify=yes
#
# default-ksk-algorithm  Default KSK algorithm
#
# default-ksk-algorithm=ecdsa256
#
# default-ksk-size  Default KSK size (0 means default)
#
# default-ksk-size=0
#
# default-publish-cdnskey  Default value for PUBLISH-CDNSKEY
#
# default-publish-cdnskey=
#
# default-publish-cds  Default value for PUBLISH-CDS
#
# default-publish-cds=
#
# default-soa-content  Default SOA content
#
# default-soa-content=a.misconfigured.dns.server.invalid hostmaster.@ 0 10800 3600 604800 3600
#
# default-soa-edit  Default SOA-EDIT value
#
# default-soa-edit=
#
# default-soa-edit-signed  Default SOA-EDIT value for signed zones
#
# default-soa-edit-signed=
#
# default-ttl  Seconds a result is valid if not set otherwise
#
# default-ttl=3600
#
# default-zsk-algorithm  Default
Re: [Pdns-users] How to make Authoritative work?
Hi,

The interesting parts are:
- your full pdns config file (please mask passwords, but nothing besides that)
- entry for that domain in the domains table
- SOA / NS records in the records table for that domain
- output of `pdnsutil check-zone` on that domain.

That should give us a good starting point, we'll see from there...

Cheers!

Frank

> On 17 Jan 2022, at 16:51, jrd-p...@jrd.org wrote:
>
> D'oh, my bad. That must have fallen into my spam trap and I missed it.
>
> Do you want the entire contents of the DB for that zone, or just a subset like the SOA and records talking about that host? Do you want it in sql format or zone format?
>
> What I'm hoping for is a recipe: "pdns looks for a valid SOA naming the local host, and A record for itself, and [fill in the blank]. If those conditions are met, it will conclude that it's authoritative".
>
> I'll collect that stuff up. Thanks!
>
>> From: frank+p...@tembo.be
>> Date: Mon, 17 Jan 2022 14:20:50 +0100
>>
>> Hi,
>>
>> Please see my earlier reply (https://mailman.powerdns.com/pipermail/pdns-users/2022-January/027513.html)
>>
>>> Hi,
>>>
>>> Could you please paste the full configuration (pdns.conf) and the entries in the database?
>>>
>>> In particular, the things to look at would be: type of domain set, backend config, ...
>>>
>>> On top of that, can you run `pdnsutil check-zone` on the zone and paste the output?
>>>
>>> Frank
>>
>> On 17 Jan 2022, at 14:01, jrd via Pdns-users <pdns-users@mailman.powerdns.com> wrote:
>>
>> Bump. Anybody?
>>
>> If it's in the docs and I missed it, please point me in the right direction. TIA . . .
>>
>>> From: jrd-p...@jrd.org
>>> Date: Sun, 9 Jan 2022 17:23:40 -0500
>>>
>>> Hi all. I know this is a bit of a newbie question, but it seems to be stumping me.
>>>
>>> I've just set up a new pdns server. pdns 4.5.1. I populated its DB with a bunch of test records. I gave it an SOA saying it's the authority for my zone. Made sure the hostname and IP address match the local configuration of the machine.
>>>
>>> When I query it with (for instance) dig, it returns all the correct data, for the SOA or any other of my test records, but it doesn't set the AA bit.
>>>
>>> What are the criteria which have to be met, in order for pdns to say "Yep, I'm the authority for this domain" ?
>>>
>>> TIA . . .
>>
>> Frank Louwers
>> PowerDNS Certified Consultant @ Kiwazo.be

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be
Re: [Pdns-users] How to make Authoritative work?
D'oh, my bad. That must have fallen into my spam trap and I missed it.

Do you want the entire contents of the DB for that zone, or just a subset like the SOA and records talking about that host? Do you want it in sql format or zone format?

What I'm hoping for is a recipe: "pdns looks for a valid SOA naming the local host, and A record for itself, and [fill in the blank]. If those conditions are met, it will conclude that it's authoritative".

I'll collect that stuff up. Thanks!

> From: frank+p...@tembo.be
> Date: Mon, 17 Jan 2022 14:20:50 +0100
>
> Hi,
>
> Please see my earlier reply (https://mailman.powerdns.com/pipermail/pdns-users/2022-January/027513.html)
>
>> Hi,
>>
>> Could you please paste the full configuration (pdns.conf) and the entries in the database?
>>
>> In particular, the things to look at would be: type of domain set, backend config, ...
>>
>> On top of that, can you run `pdnsutil check-zone` on the zone and paste the output?
>>
>> Frank
>
> On 17 Jan 2022, at 14:01, jrd via Pdns-users <pdns-users@mailman.powerdns.com> wrote:
>
> Bump. Anybody?
>
> If it's in the docs and I missed it, please point me in the right direction. TIA . . .
>
>> From: jrd-p...@jrd.org
>> Date: Sun, 9 Jan 2022 17:23:40 -0500
>>
>> Hi all. I know this is a bit of a newbie question, but it seems to be stumping me.
>>
>> I've just set up a new pdns server. pdns 4.5.1. I populated its DB with a bunch of test records. I gave it an SOA saying it's the authority for my zone. Made sure the hostname and IP address match the local configuration of the machine.
>>
>> When I query it with (for instance) dig, it returns all the correct data, for the SOA or any other of my test records, but it doesn't set the AA bit.
>>
>> What are the criteria which have to be met, in order for pdns to say "Yep, I'm the authority for this domain" ?
>>
>> TIA . . .
>
> Frank Louwers
> PowerDNS Certified Consultant @ Kiwazo.be
Re: [Pdns-users] How to make Authoritative work?
Hi,

Please see my earlier reply (https://mailman.powerdns.com/pipermail/pdns-users/2022-January/027513.html)

> Hi,
>
> Could you please paste the full configuration (pdns.conf) and the entries in the database?
>
> In particular, the things to look at would be: type of domain set, backend config, ...
>
> On top of that, can you run `pdnsutil check-zone` on the zone and paste the output?
>
> Frank

> On 17 Jan 2022, at 14:01, jrd via Pdns-users wrote:
>
> Bump. Anybody?
>
> If it's in the docs and I missed it, please point me in the right direction. TIA . . .
>
>> From: jrd-p...@jrd.org
>> Date: Sun, 9 Jan 2022 17:23:40 -0500
>>
>> Hi all. I know this is a bit of a newbie question, but it seems to be stumping me.
>>
>> I've just set up a new pdns server. pdns 4.5.1. I populated its DB with a bunch of test records. I gave it an SOA saying it's the authority for my zone. Made sure the hostname and IP address match the local configuration of the machine.
>>
>> When I query it with (for instance) dig, it returns all the correct data, for the SOA or any other of my test records, but it doesn't set the AA bit.
>>
>> What are the criteria which have to be met, in order for pdns to say "Yep, I'm the authority for this domain" ?
>>
>> TIA . . .

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be
Re: [Pdns-users] How to make Authoritative work?
Hi,

Could you please paste the full configuration (pdns.conf) and the entries in the database?

In particular, the things to look at would be: type of domain set, backend config, ...

On top of that, can you run `pdnsutil check-zone` on the zone and paste the output?

Frank

> On 9 Jan 2022, at 23:23, jrd via Pdns-users wrote:
>
> Hi all. I know this is a bit of a newbie question, but it seems to be stumping me.
>
> I've just set up a new pdns server. pdns 4.5.1. I populated its DB with a bunch of test records. I gave it an SOA saying it's the authority for my zone. Made sure the hostname and IP address match the local configuration of the machine.
>
> When I query it with (for instance) dig, it returns all the correct data, for the SOA or any other of my test records, but it doesn't set the AA bit.
>
> What are the criteria which have to be met, in order for pdns to say "Yep, I'm the authority for this domain" ?
>
> TIA . . .

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be