On Fri, 30 Jul 2021 16:32:06 +0200, Peter van Dijk via Pdns-users wrote:
> Hello Christof,
>
> On Tue, 2021-07-27 at 19:21 +0200, Christof Meerwald via Pdns-users
> wrote:
>> After adding a zone with
>>
>> pdns bind-add-zone example.com /etc/dns/example.com.dns
On Fri, 30 Jul 2021 15:48:40 +0200, Peter van Dijk via Pdns-users wrote:
> Hello Christof,
>
> On Wed, 2021-07-28 at 22:49 +0200, Christof Meerwald via Pdns-users
> wrote:
>> it seems to be impossible to return a "TXT" record that only contains
>> digits from the
Hi,
it seems to be impossible to return a "TXT" record that only contains
digits from the lua backend (something like "1234").
Any attempt results in "boost::bad_get: failed value get using
boost::get".
I guess this is a side-effect of how lua_isnumber is specified:
"Returns 1 if the value at
Hi,
just upgraded to PowerDNS 4.5.1 today and noticed that zones from the
bind backend stopped working (getting REFUSED response).
Essentially, I am using
bind-config=/etc/named.conf
which contains the list of zones to load on start up.
When adding "zone-cache-refresh-interval=0" to the
On Tue, 20 Sep 2016 19:26:01 +0200, Yves Goergen wrote:
> Thanks for the info. Strange that Ubuntu has decided to do such nonsense
> for a stable distribution. Good to check what you'll get before you get it.
The PowerDNS packages you see in Ubuntu are in "universe" which means
they are
On Mon, 29 Aug 2016 17:22:38 +0300, Aki Tuomi wrote:
> On Mon, Aug 29, 2016 at 01:18:05PM +0200, Christof Meerwald wrote:
>> so the intention is to allow AXFRs from a set of static IPs and
>> additionally from any IP with a valid TSIG signature.
[...]
> What is the point of u
Hi,
so the intention is to allow AXFRs from a set of static IPs and
additionally from any IP with a valid TSIG signature.
This seemed to work quite fine with 3.x when setting TSIG-ALLOW-AXFR
on the master for the domains affected (and no TSIG setting on the
slave as the slave would have a static
Hi,
is the "delegation-only" option still supposed to be working with
recursor 4.0.x? I have just built 4.0.1 and had problems with
resolving any .com or .net domains until I found that I still had
"delegation-only" set for .com and .net in the configuration file.
Is this option broken in 4.0.1?
Hi,
On Wed, 17 Dec 2014 03:54:24 -0300, Ciro Iriarte wrote:
[...]
You need eigen3-devel, gcc-c++, git and boost-devel. At least that's
where I'm stuck:
[root@admin metronome-master]# make
fatal: Not a git repository (or any of the parent directories): .git
g++ -Wall -O3 -ggdb -I. -I
Hi,
I just noticed that IXFRs appear to be broken when using EDIT-SOA in
3.4.0 - it looks like rfc1982LessThan(serial, sd.serial) compares
the un-edited SOA from the zone and therefore doesn't send any data
back to the client.
Another thing I noticed is that in bind-hybrid mode the
On Thu, Oct 16, 2014 at 10:42:34AM +0200, Christof Meerwald wrote:
Another thing I noticed is that in bind-hybrid mode the
ALLOW-AXFR-FROM for a zone handled by the bind backend doesn't appear
to be read from the database (because I think it only tries to get
that information from the bind
On Sun, 01 Dec 2013 18:46:10 +0100, Beagle wrote:
I'd like to try and use PowerDNS for the first time in my life, on a
BeagleBone Black [1], which has an ARM CPU:
[...]
Please advise.. is downloading/compiling the/from source the best way to
go for me on this platform?
There is a package in
On Wed, 25 Sep 2013 10:49:39 +0200, Fredrik Roubert wrote:
My ISP is running a slave DNS service, using PowerDNS 3.0 as this is the
version included in Ubuntu 12.04 LTS. I've already read this post, about
DNSSEC in 3.0 being explicitly deprecated:
Hi,
just noticed something strange when trying to resolve powerdns.com via
Google DNS, e.g.
$ dig +dnssec -t ns powerdns.com @8.8.8.8
; DiG 9.8.1-P1 +dnssec -t ns powerdns.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13535
;; flags: qr rd
On Mon, 20 Aug 2012 21:31:44 +0200, Peter van Dijk wrote:
On Aug 20, 2012, at 21:02 , Rickard Dahlstrand wrote:
In file included from dnsreplay.cc:44:
dnspcap.hh:15:26: error: net/if_ether.h: No such file or directory
*** Error code 1
As for dnsreplay, I would suggest:
1. checking whether
On Sun, 8 Jul 2012 21:21:59 +0300, Aki Tuomi wrote:
On Sun, Jul 08, 2012 at 09:08:45PM +0300, Aki Tuomi wrote:
On Sun, Jul 08, 2012 at 07:03:08PM +0200, Peter van Dijk wrote:
Aki Tuomi recently submitted a patch that presumably removes that
limitation - at least for any combination of gsql
On Sat, 7 Jul 2012 19:36:10 +0200, bert hubert wrote:
On Fri, Jul 06, 2012 at 11:21:26AM +0200, Peter Gervai wrote:
I welcome this message but reminds me of mentioning that if there's a
gathered wisdom about common pitfalls and usual possible improvements
it may be useful to share these as
On Thu, 3 May 2012 09:07:42 +0200, Peter van Dijk wrote:
[...]
Fixing this involves touching all DNSSEC-supporting modules and changing some
interfaces.
Therefore, we cannot do this for the 3.1 release.
3.1 will be released with a big warning about this specific setup; we intend
to do a
Hi,
[ moving to pdns-users mailing list ]
On Wed, May 02, 2012 at 08:53:48PM +0200, Christof Meerwald wrote:
After migrating the DNSSEC keys to a separate db for the bind backend,
it now works fine with 3.1-rc3.
Actually, no - that doesn't fully work either.
After removing the key material
On Wed, 2 May 2012 21:23:21 +0200, Christof Meerwald wrote:
BTW, I can't remove the gsqlite3 backend as I am using that for slave
zones - only the primary zones are using the bind backend.
I am currently using:
launch=gsqlite3,bind
Swapping the order to bind,gsqlite3 would make DNSSEC work
On Fri, 28 Oct 2011 18:15:28 +0200, Thomas Mieslinger wrote:
are IPv6 Addresses allowed in the domain tables master column? It could
be interesting to allow hidden primaries to be v6 only, so that they do
not consume a v4 address.
Yes, works fine (with PDNS 3.0).
Christof
--
On Thu, 22 Sep 2011 07:36:42 +0300, Aki Tuomi wrote:
Please see http://wiki.powerdns.com/trac/ticket/333
for wiping the packet cache.
But as far as I can see that patch will only wipe a single (random)
packet cache (and not the packet cache for each thread)?
Christof
--
http://cmeerw.org
On Thu, 22 Sep 2011 09:20:46 +0300, Aki Tuomi wrote:
But as far as I can see that patch will only wipe a single (random)
packet cache (and not the packet cache for each thread)?
Well, actually it wipes a name from packet cache. Not just random cache.
Sorry, I think I misread the patch - I
On Sat, 11 Jun 2011 19:00:55 +0200, Christof Meerwald wrote:
I have updated my patch (http://wiki.powerdns.com/trac/ticket/369) to
also look at the NSEC3 records for the opt-out flag - this should at
least work with a PowerDNS master, but will not work if the flags do
differ
Hi,
guess I have found another bug - this time related to signing of the
SOA record when using SOA-EDIT.
In packethandler.cc the SOA record is first signed and then edited
according to the SOA-EDIT policy - this order needs to be changed to
ensure that the correct SOA record is signed.
On Fri, 10 Jun 2011 23:12:36 +0200, Christof Meerwald wrote:
On Thu, 09 Jun 2011 11:54:53 +1200, Craig Whitmore wrote:
Is there any way to make presigned-zones on slaves the default?
It shouldn't be too difficult to detect a DNSSEC zone during the zone
transfer and set the presigned flag
On Sat, 11 Jun 2011 22:11:57 +1200, Craig Whitmore wrote:
[...]
And testing if everything worked out.. Except it sets the options
differently than if I typed pdnssec set-nsec3 spam.co.nz I have no idea
what the difference is but it still passes the dig tests I do...
I have to say that I am a
On Sat, 11 Jun 2011 15:16:14 +0200, Christof Meerwald wrote:
On Sat, 11 Jun 2011 22:11:57 +1200, Craig Whitmore wrote:
[...]
And testing if everything worked out.. Except it sets the options
differently than if I typed pdnssec set-nsec3 spam.co.nz I have no idea
what the difference
On Sat, 11 Jun 2011 22:11:57 +1200, Craig Whitmore wrote:
Ok.. Can similar be done with TSIGS . As domains are not transferred
securely without TSIG (as far as I know) I have to enter the TSIG stuff in
after it has transferred which kind of defeats the purpose of unattended
slaves .
But you
On Sun, 12 Jun 2011 10:23:15 +1200, Craig Whitmore wrote:
But you should be able to add the TSIG stuff just after creating the
domain entry (and before it gets transferred) - you might even be able
to use a database trigger to do it...
Yes on the master and that's fine.. What about the slave? I
On Thu, 09 Jun 2011 11:54:53 +1200, Craig Whitmore wrote:
Is there any way to make presigned-zones on slaves the default?
It shouldn't be too difficult to detect a DNSSEC zone during the zone
transfer and set the presigned flag (and the NSEC3PARAM) for the
zone...
Christof
--
On Wed, 8 Jun 2011 23:28:11 +0200, Christof Meerwald wrote:
It looks like when using TSIG PowerDNS doesn't return any RRSIG
records for a SOA request. This then results in the RRSIG mismatch
message.
Ok, I have done some debugging now and this is why:
PowerDNS expects the OPT RR
On Wed, 08 Jun 2011 18:21:14 +1200, Craig Whitmore wrote:
[...]
Can someone help why the slave is failing…
I think one of the DNSSEC records is being truncated on the slave as
it exceeds 256 bytes - you might need to update the database schema on
the slave to allow for longer records.
I
Hi,
just tried adding some TSIG stuff for AXFRs to my PowerDNS
configuration and now my slave PowerDNS keeps saying (every hour):
Domain cmeerw.priv.at is fresh, but RRSIGS differ, so DNSSEC stale
It looks like when using TSIG PowerDNS doesn't return any RRSIG
records for a SOA request. This
On Thu, 12 May 2011 17:30:36 +0200, fredrik danerklint wrote:
Not yet since it only can handle the minimal (ie: no slave, master or
dnssec) or would you like to have this at this stage with just the bare
minimal ? If so, no problem. I do need some help to be able to understand
what cause it
On Sun, Mar 27, 2011 at 10:38:32PM +0200, bert hubert wrote:
You can set SOA-EDIT to either 'INCEPTION', in which case the SOA serial
number will be replaced by MMDD01 of the currently issued RRSIG
inception, the one that rolls over each Thursday at midnight GMT.
I am not too sure how
On Tue, 22 Mar 2011 21:38:30 +0100, bert hubert wrote:
The big 3.0 release is coming real close, and it is going to be a big one.
For the 'work in progress' release notes, please see
http://doc.powerdns.com/changelog.html#changelog-auth-3-0
Just wanted to check what the status is on having a
On Mon, Feb 07, 2011 at 08:40:56PM +0100, Christof Meerwald wrote:
On Mon, 7 Feb 2011 17:17:52 +0100, bert hubert wrote:
On Mon, Feb 07, 2011 at 02:39:56PM +0100, bert.hub...@netherlabs.nl wrote:
Thanks for reporting, we are on the case! The issue has been confirmed.
This has been fixed
Hi,
I kind of expected this to happen today - the master (ns.cmeerw.net)
with the keying material has now updated the RRSIG records, but the
slave (ns2.cmeerw.net, no keying material) still returns the old RRSIG
records:
; DiG 9.7.1-P2 +dnssec -t soa cmeerw.priv.at @ns.cmeerw.net
;; ANSWER
On Sat, 29 Jan 2011 00:38:12 +0100, Christof Meerwald wrote:
That's really excellent news - I have just migrated my 2 nameservers
to SVN revision 1928 and signed one of the zones (btw, the setup is:
master using bind backend for the zone data and gsqlite3 for the key
data - slave is using
On Sat, 29 Jan 2011 15:42:56 +0100, Christof Meerwald wrote:
[...]
ns.cmeerw.net reads the zone data for cmeerw.priv.at from the bind
backend and has the keying information in the db:
Just noticed - does the order of the backends specified in launch=
make a difference? Just noticed that I had
On Sat, 29 Jan 2011 16:01:47 +0100, Christof Meerwald wrote:
On Sat, 29 Jan 2011 15:42:56 +0100, Christof Meerwald wrote:
[...]
ns.cmeerw.net reads the zone data for cmeerw.priv.at from the bind
backend and has the keying information in the db:
Just noticed - does the order of the backends
On Sat, 29 Jan 2011 16:45:29 +0100, Christof Meerwald wrote:
So I guess with that change it's mostly working now, except that
ns2.cmeerw.net doesn't return a RRSIG record when requesting the DNSKEY:
Hmm, seems to be working now... Not sure what could have changed...
Christof
--
http
On Tue, 1 Jun 2010 16:12:45 -0500, Naked Short-Selling wrote:
I read your post regarding multithreaded epoll_wait behavior on lkml a
couple of months ago:
http://lkml.org/lkml/2010/3/3/441
My understanding is that using EPOLLET would be the right approach - and
particularly for UDP sockets
Hi,
since about Friday late evening I am seeing lots of pdns errors in my syslog
like:
Not authoritative for '', sending servfail to 76.9.31.42 (recursion was
desired)
Over in comp.protocols.dns.bind there is already some discussion about these
DNS requests (which apparently use a spoofed
On Tue, 18 Nov 2008 20:48:31 +0100, bert hubert wrote:
Download from:
http://downloads.powerdns.com/releases/pdns-2.9.22-rc1.tar.gz
http://downloads.powerdns.com/releases/deb/stable/pdns-static_2.9.22-rc1-1_i386.deb
On Tue, 29 Jul 2008 23:13:07 +0200, Leen Besselink wrote:
Wouldn't simple UDP forwarding be sufficient in this case? (but you would
still need to find a program to do the UDP forwarding)
Yes, I guess that is possible. You'd lose source port randomisation,
all the rage these days and caching.
On Thu, 20 Sep 2007 15:28:48 -0700, Stephen Manchester wrote:
Here is the output of pmap. It's showing the problem as a series of
10MB allocations. I chopped out a big section that was completely
redundant.
[...]
8f1cb000 4 - 8f1cb000 000:0 [ anon ]
8f1cc000
48 matches