Re: [Pdns-users] LUA script for primary server

2022-06-09 Thread Djerk Geurts via Pdns-users
> -- nxdomain runs after no result is found.
> function nxdomain(dq)
>   dquery = newDN(dq.qname:toString())
>   pdnslog("nxdomain called for: "..dquery:toString())
>   if dq.qtype == pdns.NAPTR then
>     pdnslog("Search parent wildcard record")
>     if dquery:countLabels() == 12 then
>       dquery:chopOff()
>     end
>     if dquery:countLabels() > 9 then
>       dquery:chopOff()
>     end
>     cname = dquery:toString()
>     pdnslog("Returning CNAME for: "..cname)
>     dq.addAnswer(pdns.CNAME, cname)
>     dq.rcode = 0 -- make it a normal answer
>     dq.followupFunction = "followCNAMERecords"
>     return true
>   end
>   return false
> end

Dumb-ass error, should use a “:”, not a “.”!

dq.addAnswer versus dq:addAnswer
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] LUA script for primary server

2022-06-09 Thread Djerk Geurts via Pdns-users
> What I still need to test is if this script actually works and what will 
> happen if the followupFunction also returns NXDOMAIN: if it hits the Lua 
> script again then nothing else is needed, else I’ll need to add more logic to 
> keep going with a chopOff() until the zone’s ‘root’ wildcard record is found.
>> Otherwise, as you suggested yourself, dnsdist is very powerful.  (You 
>> definitely don't want to use a recursor as your authoritative server though)
>> 
I’ve since tried dnsdist and it can only spoof requests, not answers. So now 
I’m having a go at using a recursor in front of the authoritative server to see 
if I can get things working that way and this seems promising, if it weren’t 
for a weird error message I can’t make any sense of.

> Maybe if I add some examples:
> 
> 1.2.3.4.5.6.e164.arpa. NAPTR “some text with sip call routing info: AAA”
> *.4.5.6.e164.arpa. NAPTR “some different sip call routing info: BBB”
> 
> A query for 9.9.9.4.5.6.e164.arpa. will result in BBB
> A query for 1.2.3.4.5.6.e164.arpa. yields AAA
> A query for 3.3.3.4.5.6.e164.arpa. yields NXDOMAIN
> 
> The above is all according to RFC and expected PowerDNS behaviour.

My pdns-recursor Lua script:

-- nxdomain runs after no result is found.
function nxdomain(dq)
  dquery = newDN(dq.qname:toString())
  pdnslog("nxdomain called for: "..dquery:toString())
  if dq.qtype == pdns.NAPTR then
    pdnslog("Search parent wildcard record")
    if dquery:countLabels() == 12 then
      dquery:chopOff()
    end
    if dquery:countLabels() > 9 then
      dquery:chopOff()
    end
    cname = dquery:toString()
    pdnslog("Returning CNAME for: "..cname)
    dq.addAnswer(pdns.CNAME, cname)
    dq.rcode = 0 -- make it a normal answer
    dq.followupFunction = "followCNAMERecords"
    return true
  end
  return false
end

The issue is the addAnswer line; it takes at least 2 parameters according to:
https://doc.powerdns.com/recursor/lua-scripting/dq.html
:addAnswer(type, content[, ttl, name])

But I keep getting this in the recursor logs; what on earth is the last line 
on about?! I can’t find anything related to this online:

Jun 10 01:19:09 web08.ixbru.ipnexia.com pdns_recursor[1662087]: nxdomain called for: 3.1.1.0.0.5.6.7.8.9.e164.arpa.
Jun 10 01:19:09 web08.ixbru.ipnexia.com pdns_recursor[1662087]: Search parent wildcard record
Jun 10 01:19:09 web08.ixbru.ipnexia.com pdns_recursor[1662087]: Returning CNAME for: 1.0.0.5.6.7.8.9.e164.arpa.
Jun 10 01:19:09 web08.ixbru.ipnexia.com pdns_recursor[1662087]: STL error (3.1.1.0.0.5.6.7.8.9.e164.arpa/NAPTR from 10.*.*.*:46622): [string "chunk"]:27: Unable to convert parameter from number to PN12RecursorLua411DNSQuestionE

Line 27 refers to `dq.addAnswer(pdns.CNAME, cname)`, is this a bug?


Re: [Pdns-users] LUA script for primary server

2022-06-06 Thread Djerk Geurts via Pdns-users
> On 6 Jun 2022, at 12:44, Brian Candler  wrote:
> 
> On 06/06/2022 11:34, Djerk Geurts wrote:
>> Maybe if I add some examples:
>> 
>> 1.2.3.4.5.6.e164.arpa. NAPTR “some text with sip call routing info: AAA”
>> *.4.5.6.e164.arpa. NAPTR “some different sip call routing info: BBB”
>> 
>> A query for 9.9.9.4.5.6.e164.arpa. will result in BBB
>> A query for 1.2.3.4.5.6.e164.arpa. yields AAA
>> A query for 3.3.3.4.5.6.e164.arpa. yields NXDOMAIN
>> 
>> The above is all according to RFC and expected PowerDNS behaviour.
> Yep. Depending on your use case and how many domains you have, it might be 
> possible to implement
> 
> *.e164.arpa. LUA NAPTR "// some LUA code here"
> 
> The query name, including the part matched by the wildcard, should be 
> available in a query variable.
> 
> Or there is the Lua2 backend (in the Ubuntu packages it's in a separate 
> package "pdns-backend-lua2"), or other backends like pipe and remote.
> 
The issue with that is that I would have to create many LUA records, which 
defeats the point as the LUA record wouldn’t match in the same way that the 
‘parent’ wildcard NAPTR record would.

I disregarded the Lua2 backend as I need the zone to reside in a MySQL backend, 
I doubt I can split a zone between MySQL and Lua2. Unless I have Lua2 do the 
SQL queries, but that would make things even more complex.

I’m hoping I can intercept nxdomain responses and rewrite them to a CNAME 
record answer to the client.


Re: [Pdns-users] LUA script for primary server

2022-06-06 Thread Brian Candler via Pdns-users

On 06/06/2022 11:34, Djerk Geurts wrote:

Maybe if I add some examples:

1.2.3.4.5.6.e164.arpa. NAPTR “some text with sip call routing info: AAA”
*.4.5.6.e164.arpa. NAPTR “some different sip call routing info: BBB”

A query for 9.9.9.4.5.6.e164.arpa. will result in BBB
A query for 1.2.3.4.5.6.e164.arpa. yields AAA
A query for 3.3.3.4.5.6.e164.arpa. yields NXDOMAIN

The above is all according to RFC and expected PowerDNS behaviour.


Yep. Depending on your use case and how many domains you have, it might 
be possible to implement


*.e164.arpa. LUA NAPTR "// some LUA code here"

The query name, including the part matched by the wildcard, should be 
available in a query variable.

Or there is the Lua2 backend (in the Ubuntu packages it's in a separate 
package "pdns-backend-lua2"), or other backends like pipe and remote.


Re: [Pdns-users] LUA script for primary server

2022-06-06 Thread Djerk Geurts via Pdns-users
On 6 Jun 2022, at 11:17, Brian Candler  wrote:
> 
> On 06/06/2022 10:52, Djerk Geurts via Pdns-users wrote:
>> Jun 06 11:28:29 host.example.com pdns_server[3559402]: Fatal error: Trying to set unknown setting 'lua-dns-script'
> "lua-dns-script" is not a valid setting for pdns authoritative server. See:
> 
> https://doc.powerdns.com/authoritative/settings.html 
> 
> https://doc.powerdns.com/authoritative/lua-records/index.html 

Thank you, yeah that’s what I’ve found. Just making sure I absolutely hadn’t 
missed something obvious.

> It's not clear what you're trying to do when catching NXDOMAIN responses, but 
> having a wildcard LUA record might achieve it.
> 
We’re using wildcard records for ENUM resolution but have found that adding a 
more specific record next to a wildcard means that the more specific 
‘subdomain’ breaks neighbouring records as they no longer match the wildcard. 
One option is to add child wildcards, but for us this means adding 3 extra 
wildcards for thousands of specific records. So I’m trying to catch these 
NXDOMAIN replies and replace them with a CNAME for a parent record (which 
hopefully will result in a query that is resolved by the wildcard record).

Maybe if I add some examples:

1.2.3.4.5.6.e164.arpa. NAPTR “some text with sip call routing info: AAA”
*.4.5.6.e164.arpa. NAPTR “some different sip call routing info: BBB”

A query for 9.9.9.4.5.6.e164.arpa. will result in BBB
A query for 1.2.3.4.5.6.e164.arpa. yields AAA
A query for 3.3.3.4.5.6.e164.arpa. yields NXDOMAIN

The above is all according to RFC and expected PowerDNS behaviour.

I’m hoping the following Lua will help change the effective behaviour to what 
we need it to be. In our case ENUM records are 12 fields long and the defined 
zones are 9 fields long:

function nxdomain(dq)
  dquery = dq.qname:toString()
  pdnslog("nxdomain called for: "..dq.qname:toString())
  if dq.qtype == pdns.NAPTR then
    pdnslog("Search parent wildcard record")
    if dquery:countLabels() == 12 then
      dquery = dquery:chopOff()
    end
    if dquery:countLabels() > 9 then
      dquery = dquery:chopOff()
    end
    pdnslog("Returning CNAME for: "..dquery)
    dq.AddAnswer(pdns.CNAME, "*."..dquery)
    dq.rcode = 0 -- make it a normal answer
    dq.followupFunction = "followCNAMERecords"
    return true
  end
  return false
end

What I still need to test is if this script actually works and what will happen 
if the followupFunction also returns NXDOMAIN: if it hits the Lua script again 
then nothing else is needed, else I’ll need to add more logic to keep going 
with a chopOff() until the zone’s ‘root’ wildcard record is found.
> Otherwise, as you suggested yourself, dnsdist is very powerful.  (You 
> definitely don't want to use a recursor as your authoritative server though)
> 
Great, I’ll add dnsdist and apply the Lua script there. Thank you!

Thanks,
Djerk
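As an added illustration (not code from this thread or from PowerDNS), the following Python models RFC 4592 wildcard matching for the example zone in the message above and mirrors the hook's chopOff() loop, so each rewritten CNAME target can be checked for what the authoritative server would return; the Zone class, chop_candidates() and the AAA/BBB rdata are constructed for this example.

```python
def labels(name: str) -> tuple:
    """'1.2.3.4.5.6.e164.arpa.' -> ('1', '2', '3', '4', '5', '6', 'e164', 'arpa')"""
    return tuple(l for l in name.lower().rstrip(".").split(".") if l)

def to_name(lbls: tuple) -> str:
    return ".".join(lbls) + "."

class Zone:
    def __init__(self, origin: str, records: dict):
        # records: {"owner.": {"TYPE": "rdata"}} (constructed sample data)
        self.origin = labels(origin)
        self.records = {labels(o): rr for o, rr in records.items()}
        # Every ancestor between an owner name and the apex exists as an
        # empty non-terminal (ENT); that is what shadows a parent wildcard.
        self.names = {self.origin}
        for owner in self.records:
            for i in range(len(owner) - len(self.origin)):
                self.names.add(owner[i:])

    def lookup(self, qname: str, qtype: str) -> tuple:
        """Return (rcode, rdata); rdata None with NOERROR means NODATA."""
        q = labels(qname)
        if q[-len(self.origin):] != self.origin:
            return ("REFUSED", None)           # not our zone
        if q in self.names:                    # exact name exists (maybe an ENT)
            return ("NOERROR", self.records.get(q, {}).get(qtype))
        # Closest encloser = longest existing ancestor; a wildcard only
        # applies when it sits directly below that encloser.
        for i in range(1, len(q)):
            if q[i:] in self.names:
                wildcard = ("*",) + q[i:]
                if wildcard in self.records:
                    return ("NOERROR", self.records[wildcard].get(qtype))
                return ("NXDOMAIN", None)
        return ("NXDOMAIN", None)

def chop_candidates(zone: Zone, qname: str, qtype: str, min_labels: int) -> list:
    """Mirror the hook's chopOff() loop: drop the leftmost label one at a
    time and record what each rewritten CNAME target would get back."""
    q, out = labels(qname), []
    while len(q) > min_labels:
        q = q[1:]
        out.append((to_name(q),) + zone.lookup(to_name(q), qtype))
    return out

# Constructed sample zone; rdata shortened to the AAA/BBB tags from the thread.
ZONE = Zone("e164.arpa.", {
    "1.2.3.4.5.6.e164.arpa.": {"NAPTR": "AAA"},
    "*.4.5.6.e164.arpa.": {"NAPTR": "BBB"},
})
```

The model reproduces the three outcomes listed above and also shows that a rewritten target landing on an empty non-terminal such as 3.4.5.6.e164.arpa. gets NOERROR with no data rather than NXDOMAIN, so a chop-and-retry loop alone does not necessarily reach the parent wildcard.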


Re: [Pdns-users] LUA script for primary server

2022-06-06 Thread Brian Candler via Pdns-users

On 06/06/2022 10:52, Djerk Geurts via Pdns-users wrote:
Jun 06 11:28:29 host.example.com pdns_server[3559402]: Fatal error: Trying to set unknown setting 'lua-dns-script'


"lua-dns-script" is not a valid setting for pdns authoritative server. See:

https://doc.powerdns.com/authoritative/settings.html

https://doc.powerdns.com/authoritative/lua-records/index.html

It's not clear what you're trying to do when catching NXDOMAIN 
responses, but having a wildcard LUA record might achieve it.


Otherwise, as you suggested yourself, dnsdist is very powerful. (You 
definitely don't want to use a recursor as your authoritative server though)