Re: [Pdns-users] named view migration

2022-08-03 Thread frank+pdns--- via Pdns-users
Hi, That's certainly possible, you could also use LUA records directly in PowerDNS to decide what the reply would be. This would prevent the duplication. Frank > On 3 Aug 2022, at 10:10, lovi wrote: > > Hello, > > Thanks for this answer. > I might haven't well explained : > 1 - I have a

Re: [Pdns-users] named view migration

2022-08-02 Thread frank+pdns--- via Pdns-users
Hi Lovi, While you're correct that PowerDNS doesn't have views, you can simulate views using dnsdist (see https://www.frank.be/implementing-bind-views-with-powerdns/) Frank > On 2 Aug 2022, at 14:46, lovi via Pdns-users > wrote: > > Hello, > > I'm running a bind/named ns master, with view

Re: [Pdns-users] PowerDNS Authoritative 4.6.2, how to log served responses (i.e. NOERROR, NXDOMAIN, SERVFAIL, etc)?

2022-06-14 Thread frank+pdns--- via Pdns-users
Hi Dmitriy, https://doc.powerdns.com/authoritative/settings.html#log-dns-queries states that it logs "all incoming DNS queries", not the results. If you want to log the results, you'll need to either increase the loglevel,

Re: [Pdns-users] pdns-recursur 4.4: host unknown after some time with no clear reason

2022-06-08 Thread frank+pdns--- via Pdns-users
Jan, Best of luck with your optimisations. If the network-slow are very slow, then this could explain the issue you see. Frank > On 7 Jun 2022, at 15:34, Jan Huijsmans via Pdns-users > wrote: > > Hi Frank, > > On Wed, 1 Jun 2022 12:48:01 +0200 > "frank+p...@tembo.be" wrote: > >> Hi

Re: [Pdns-users] pdns-recursur 4.4: host unknown after some time with no clear reason

2022-06-01 Thread frank+pdns--- via Pdns-users
Hi Jan, I completely understand NDAs and myself (and numerous other PowerDNS Certified Consultants on this list) are happy to sign them, as part of a professional engagement. Please reach out to me off-list to discuss your options. However, this also means that on this list, we can't help you

Re: [Pdns-users] How to make Authoritative work?

2022-01-18 Thread frank+pdns--- via Pdns-users
Hi, The interesting parts are: - your full pdns config file (please mask passwords, but nothing besides that) - entry for that domain in the domains table - SOA / NS records in the records table for that domain - output of `pdnsutil check-zone` on that domain. That should give us a good

Re: [Pdns-users] How to make Authoritative work?

2022-01-17 Thread frank+pdns--- via Pdns-users
Hi, Please see my earlier reply (https://mailman.powerdns.com/pipermail/pdns-users/2022-January/027513.html) > Hi, > > Could you please paste the full configuration (pdns.conf) and the entries in > the database? > > In particular, the things to look at would be: type of domain set, backend

Re: [Pdns-users] How to make Authoritative work?

2022-01-09 Thread frank+pdns--- via Pdns-users
Hi, Could you please paste the full configuration (pdns.conf) and the entries in the database? In particular, the things to look at would be: type of domain set, backend config, ... On top of that, can you run `pdnsutil check-zone` on the zone and paste the output? Frank > On 9 Jan 2022,

Re: [Pdns-users] BIND-mode vs. Hybrid BIND-mode

2021-12-03 Thread frank+pdns--- via Pdns-users
Hi Michael, In BIND mode, a special-purpose sqlite3 database is used to store all dnssec related data. That sqlite3 database follows a specific schema, and is not used as a "regular" backend. You'd only one backend (the BIND backend). In Hybrid-BIND mode, you'd need at least a "regular"

Re: [Pdns-users] How to configure TSIG with BIND backend

2021-11-17 Thread frank+pdns--- via Pdns-users
Please enable, validate and test dnssec for your backend. Then use the pdnsutil command to add the tsig keys. If that doesn't work, please share full and unedited config, so people can have a look and replicate. Frank Frank Louwers PowerDNS Certified Consultant @ Kiwazo.be

Re: [Pdns-users] How to configure TSIG with BIND backend

2021-11-17 Thread frank+pdns--- via Pdns-users
Hi Michael, First up: tsig, DNSSEC etc way easier with a "database" backend (even a lightweight one) so you might want to reconsider your backend choice. The reason I am asking for the pdns.conf is twofold: First up, there's this message: > Unable to AXFR zone ‘zonename' from remote

Re: [Pdns-users] How to configure TSIG with BIND backend

2021-11-15 Thread frank+pdns--- via Pdns-users
Hi Michael, Your pdns.conf files seem to be missing and could be very relevant. Frank > On 15 Nov 2021, at 14:39, Fox, Michael E. > wrote: > > You want me to post the TSIG keys? > > Also, the DNS servers themselves are in a lab, behind a firewall. But I >

Re: [Pdns-users] How to configure TSIG with BIND backend

2021-11-15 Thread frank+pdns--- via Pdns-users
Hi Michael, Can you provide full (unedited) config files please? A lot of info is missing to be able to help you fix this problem. Please see https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

Re: [Pdns-users] recursor: Possible bug in accepting / rejecting additional answers?

2021-08-30 Thread frank+pdns--- via Pdns-users
Hi Paul, This is a design choice by PowerDNS, which is defendable: the domain is misconfigured and the RFCs don't clearly which option to take in such a case. Unfortunately, Google and Unbound took a different option, so when the customer verifies against 8.8.8.8, it will just work. Also

Re: [Pdns-users] PowerDNS admin Configuration

2021-07-20 Thread frank+pdns--- via Pdns-users
Hi Adivya, This is the PowerDNS users mailing lists, for users of the PowerDNS open source products (PowerDNS Auth, PowerDNS Recursor and dnsdist). The PowerDNS Admin product you're referring to, is not a PowerDNS product (despite the name) and I guess most people on this list don't use it. I

Re: [Pdns-users] DNSSEC UDP problems

2021-03-09 Thread frank+pdns--- via Pdns-users
Hi Steffan, Well, it clearly responds to a request for an A record... Can you tell us a bit more about this zone? What does "pdnsutil check-zone crazyforprint.nl" say? In general, it's a very bad idea to use CNAME records at the apex of a domain. Frank > On 9 Mar

Re: [Pdns-users] DNSSEC UDP problems

2021-03-09 Thread frank+pdns--- via Pdns-users
Hi Steffan, Sometimes the dnsviz.net debugger is quite complete but can be overwhelming at first. The Verisign Analyser can be easier to perform basic checks. https://dnssec-analyzer.verisignlabs.com/crazyforprint.nl. In this case, it seems the zone is not properly signed, but DS records are

Re: [Pdns-users] Powerdns server is not passing Authority parameter

2021-01-19 Thread frank+pdns--- via Pdns-users
Hi, Could you share the configuration of the PDNS Auth server please? Frank Louwers Certified PowerDNS Consultant @ Kiwazo.be > On 19 Jan 2021, at 10:08, Dedan Irungu via Pdns-users > mailto:pdns-users@mailman.powerdns.com>> > wrote: > > I have made the changes request as

Re: [Pdns-users] SOA Record Mismatch Server - NSLOOKUP

2020-12-15 Thread frank+pdns--- via Pdns-users
Hi Kevin, Indeed, there's a SOA version mismatch between ns.inta.gob.ni and ns{1,2}.enatrelpba.gob.ni for this domain. Has the 2020121016 ever existed on ns.inta.gob.ni? Could you show us the logs of both masters and servers when they did the AXFR? Kind Regards, Frank Louwers Certified

Re: [Pdns-users] Reg. PDNS recursor Ver 4.1.16

2020-12-09 Thread frank+pdns--- via Pdns-users
Hi Kiran, There's no obvious answer based on the info you gave us. How is the server configured? Anything special? Who is using your resolver? Assuming it's a "plain and simple" resolver with good Internet connectivity, I would start to investigate which queries are slow, and why you have so

Re: [Pdns-users] Wrong A-Record is retuned for CNAME that can not be resolved to A

2019-09-26 Thread frank+pdns--- via Pdns-users
Hi Kevin, > ===>% === > C:\Users\kolbrich>nslookup -q=CNAME > _91867ab3c77f152ba4ab0cceeabb3666.expose.graf-borstar.de > . 8.8.8.8 > Server: dns.google > Address: 8.8.8.8 > > Nicht

Re: [Pdns-users] Limit Returned Results from a SRV Query

2019-09-05 Thread frank+pdns--- via Pdns-users
Hi Shawn, You might be able to overrule the default Queries (see https://docs.powerdns.com/authoritative/backends/generic-sql.html ). Another option might be to use LUA records:

Re: [Pdns-users] Zone Transfers

2019-08-05 Thread frank+pdns--- via Pdns-users
Hi Curtis, > Supermaster doesn't look to be part of the RFC, so why can't it send > deletions? It's already doing it for individual records. Well no. Supermaster isn’t part of “the” (let’s not get started about the dns-camel here) RFC, but it’s not changing anything either: Supermaster is a

Re: [Pdns-users] Zone Transfers

2019-08-05 Thread frank+pdns--- via Pdns-users
> > powerdns >/tmp/pdns.dump.sql > > > > mysql -u root -p powerdns > mysql -u root -p powerdns > /usr/bin/pdnsutil rectify-all-zones > > > > > > pdns.sql contains. > > > > USE powerdns; > > UPDATE domains SET type = 'SLAVE'; > &

Re: [Pdns-users] Zone Transfers

2019-08-05 Thread frank+pdns--- via Pdns-users
Hi Thomas, A zone transfer will only include the contents of that particular zone, so I am a bit confused by your question. Could you rephrase it? (Or give an example how you would configure this in a another nameserver?) Frank Frank Louwers PowerDNS Certified Consultant @ Kiwazo.be

Re: [Pdns-users] bind backend and dnssec database

2019-07-12 Thread frank+pdns--- via Pdns-users
> On 11 Jul 2019, at 16:57, Philip Vanmontfort > wrote: > > goodday, > > we change the zone's regularly, but the zone's are generated with puppet. > > If we use a predefined key on all servers wouldn't we get into trouble with > key rollovers? for example rollover

Re: [Pdns-users] bind backend and dnssec database

2019-07-10 Thread frank+pdns--- via Pdns-users
Philip, Do you make changes to your zones? If you don’t need to change the zone contents and your puppet is meant as a way to easily reinstall/add servers, it might make more sense to adapt your puppet manifests to: - load the zonefile - use pdnsutil (or the API) to add dnssec signing

Re: [Pdns-users] Broken link for Lua example script in PowerDNS documentation

2019-06-11 Thread frank+pdns--- via Pdns-users
Hi Steinar, Somebody just pointed out that the link you provided, is for the old 4.0 branch of the documentation, not the current 4.1 or the upcoming 4.2 releases. The corresponding version of that lua script for the 4.0 branch would be

Re: [Pdns-users] Master/Slaves in docker containers

2019-05-31 Thread frank+pdns--- via Pdns-users
Hi Christian, Did you take your tcpdump inside the container or outside? > On 29 May 2019, at 18:42, Christian Tardif > wrote: > > TCPDUMP for a dig: (request was dig @192.168.213.12 SOA int.servinfo.stba > > 16:33:52.289317 In f8:32:e4:8a:b7:b5

Re: [Pdns-users] Master/Slaves in docker containers

2019-05-29 Thread frank+pdns--- via Pdns-users
Hi Christian, > pdns master is running on host 192.168.213.11, and container ip is 172.17.0.4 > > pdns slave is running on host 192.168.213.12, and container ip is 172.17.0.3 > > both containers have gateway set to 172.17.0.1, and hosts have gateway set to > 192.168.213.1 > > Both

Re: [Pdns-users] Master/Slaves in docker containers

2019-05-29 Thread frank+pdns--- via Pdns-users
> On 29 May 2019, at 06:24, Christian Tardif > wrote: > > Hi, > > I'm trying to get this to work: > > I have one master pdns in a docker container with bridge networking on 1 > server, plus a slave pdns, also in a docker container with bridge networking > on another server. On the master,

Re: [Pdns-users] pdns user owned domains

2019-05-28 Thread frank+pdns--- via Pdns-users
| > | account | varchar(40) | YES | | NULL|| > +-+--+--+-+-++ > > not showing any domains, any clue ? > > On Tue, May 28, 2019 at 4:02 PM frank+pdns--- via Pdns-users > mailto:pdns-users@mailman.powerdns.com>> > wrote:

Re: [Pdns-users] pdns user owned domains

2019-05-28 Thread frank+pdns--- via Pdns-users
> > In powerdns we can see the users. users are connected to domains. Hi, Could you tell us where and how you can “see” the users? Do you use some kind of web-frontend? > > I have a user ricardo , the user ricardo has a lot of domains connected, but > he says he misses some that he can

Re: [Pdns-users] how to handle a subdomain

2019-05-24 Thread frank+pdns--- via Pdns-users
Hi Hanns, Thanks for the output. >> >> - pdnsutil list-zone bruecko.de > > $ORIGIN . > > list.bruecko.de 3600IN A > 88.198.91.235 > list.bruecko.de 3600IN MX 10 > mail.bruecko.de. >

Re: [Pdns-users] how to handle a subdomain

2019-05-23 Thread frank+pdns--- via Pdns-users
Hi Hanns, Could you show us the output of the following commands: - pdnsutil list-zone bruecko.de - pdnsutil list-zone list.bruecko.de - pdnsutil check-zone bruecko.de Thanks! Frank > On 23 May 2019, at 16:29, ha...@hannsmattes.de wrote: > > Hi, > > after nearly a decade I had to upgrade

Re: [Pdns-users] Postfix as master+slave. How to prevent supermasters from being able to create subzones for NATIVE domains?

2019-05-23 Thread frank+pdns--- via Pdns-users
> On 23 May 2019, at 10:20, sandermo...@telenet.be > wrote: > > Hi Frank, > > Intercepting the NOTIFYs with a script sounds like a good idea but can this > be done with PowerDNS? > Or do you mean writing a custom script that acts a a notify proxy/filter? >

Re: [Pdns-users] Postfix as master+slave. How to prevent supermasters from being able to create subzones for NATIVE domains?

2019-05-23 Thread frank+pdns--- via Pdns-users
Hi Sander, Do you want this for a fixed set of “domain.com” domains or for “any domain that is configured in pdns as a native domain”? If the first, have a look at the LUA-AXFR-SCRIPT functionality. You define a (lua) script that gets executed after the AXFR has been done,

Re: [Pdns-users] pdns-recursor delegate some queries to another recursor

2019-05-21 Thread frank+pdns--- via Pdns-users
hanks a lot for your detailed answer. We thought about iptables too, > but hoped that there is a pdns/dnsdist-only solution. Using iptables > makes that very ugly idea even worse ;-) > > > Have a good one > > -- > > tobi > > > Am 21.05.19 um 10:24 schrieb f

Re: [Pdns-users] pdns-recursor delegate some queries to another recursor

2019-05-21 Thread frank+pdns--- via Pdns-users
Hi Tobi, I managed an MSP for more than 15 years, we moved a lot of email as well, so I feel your pain. However, in all cases (about a hand-full that I can recall over that time) where we had real reachability issues, we routed the other AS using a different network path. In BGP speak: we

Re: [Pdns-users] pdns-recursor delegate some queries to another recursor

2019-05-20 Thread frank+pdns--- via Pdns-users
Hi Tobi, Nico is completely right: it sounds like the wrong solution for your problem. If your provider has issues reaching that destination, then the solution would be to have your provider fix the reachability issue. Note that the second reason you mention (src address rate limiting) won’t

Re: [Pdns-users] pdns-recursor delegate some queries to another recursor

2019-05-20 Thread frank+pdns--- via Pdns-users
> wonder if the following is possible somehow with pdns-recursor. Our main > recursor A sometimes has problems talking to some auth servers. In the > same time another recursor B in our network still can talk to such an > auth server. > > So we wonder if we could somehow send queries for such

Re: [Pdns-users] DNSSEC same key for all

2019-05-20 Thread frank+pdns--- via Pdns-users
May 2019, at 10:41, azu...@pobox.sk <mailto:azu...@pobox.sk> wrote: > > Hi Frank, > > it's mandatory for .CZ domains, so if you don't sign every domain with the > same key, you need to register a KEYSET for every domain. So this is what i'm > trying to solve. > >

Re: [Pdns-users] DNSSEC same key for all

2019-05-20 Thread frank+pdns--- via Pdns-users
Hi Azur, It’s possible to do so, by manipulating the database directly (see the cryptokeys table). However, let’s take a step back: what problem are you trying to solve? As far as I know, there’s not a single TLD where the use of KEYSETs is mandatory. Some offer it as an extra feature, but I

Re: [Pdns-users] DNSSEC with MySQL backend and replication

2019-05-16 Thread frank+pdns--- via Pdns-users
Hi Alun, > We currently edit records by way of PowerAdmin, which updates the master > database directly and so “PowerDNS Auth A” instance is not actually used or > interacted with, normally. Zone/record updates are replicated to the “edge” > Auth servers (B and C) via MySQL replication. We

Re: [Pdns-users] recursor 4.2.0-beta1 fails to resolve p4.no

2019-05-08 Thread frank+pdns--- via Pdns-users
Hi Brian, They do work if you specify +noedns Frank > On 8 May 2019, at 10:46, Brian Candler wrote: > > On 08/05/2019 09:07, Brian Candler wrote: >> From here (UK), that domain looks a bit broken - see the FORMERR response >> from the authoritative servers. I have tried from two different

Re: [Pdns-users] recursor 4.2.0-beta1 fails to resolve p4.no

2019-05-08 Thread frank+pdns--- via Pdns-users
Hi Pieter, I can confirm it does NOT work on my 4.2.0-beta1 (Debian version from the PDNS repo). Trace logs can be found here: https://gist.github.com/franklouwers/cd310d80fef603394cc2fb77d3098fb5 Kind Regards, Frank > On 8 May 2019, at 09:50, Pieter Lexis wrote: > > Hi Øystein, > > >

Re: [Pdns-users] pdns server api access leads to "Internal Server Error"

2019-05-07 Thread frank+pdns--- via Pdns-users
Hi Tobi, > >> HTTP ISE for "/api/v1/servers/localhost/zones/REDACTED.tld": STL >> Exception: Parsing record content (try 'pdnsutil check-zone'): Data >> field in DNS should start with quote (") at position 0 of 'v=spf1 >> -all' > It seems you’ve hit https://github.com/PowerDNS/pdns/issues/6070

Re: [Pdns-users] pdns server api access leads to "Internal Server Error"

2019-05-07 Thread frank+pdns--- via Pdns-users
Hi Tobi, > > is there a switch to just enable debug for api or has the debug to be > enabled globally? Will try with debug and let the list know my findings :-) Pre 4.2, this has to be done globally. See the “loglevel” parameter: https://docs.powerdns.com/authoritative/settings.html#loglevel

Re: [Pdns-users] pdns server api access leads to "Internal Server Error"

2019-05-07 Thread frank+pdns--- via Pdns-users
Hi Tobi, > > curl -X GET -H 'X-API-Key: MY_API' > http://127.0.0.1:8081/api/v1/servers/localhost/zones/mydomain.tld > > I get a http 500 "Internal Server Error" message. Like said it's the > only query that fails. Any other for example > > > Anyone an idea what goes wrong here? > Can I somehow

Re: [Pdns-users] VPN - Overriding master/slave ip

2019-04-17 Thread frank+pdns--- via Pdns-users
Hi Mike, > Ideally, what I'd want is for the hidden master and the slaves all > to have a vpn between them, with the master and slaves having a shared > private internal ip address range between them. This is easy to do with > OpenVPN. The missing part seems to be the ability to explicitly

Re: [Pdns-users] How to switch between two different "zone" files for the same domain?

2019-04-01 Thread frank+pdns--- via Pdns-users
Hi Lucky, > > The backend is going to determine what can be done and I am not seeing that > below. There are many option depending on how complex the changes are in > that zone in the DR site. If you have a similar IP subnet scheme in a /23 or > /24 with the same 4th octet and the backend

Re: [Pdns-users] How to create new zone on the API?

2019-03-15 Thread frank+pdns--- via Pdns-users
Hi Corey, Please note the syntax is incorrect for recent versions of PowerDNS. When defining a zone, the records are passed using either the “zone” or the “rrsets” parameter. See https://docs.powerdns.com/authoritative/http-api/zone.html#objects

Re: [Pdns-users] Pdns-users Digest, Vol 194, Issue 16

2019-03-13 Thread frank+pdns--- via Pdns-users
> On 13 Mar 2019, at 13:11, 姜伯洋 <1513...@163.com > > wrote: > > MariaDB [powerdns]> select * from domains; > ++--+---++---+-+-+ > | id | name | master| last_check | type | notified_serial |

Re: [Pdns-users] Synchronization error from the node

2019-03-13 Thread frank+pdns--- via Pdns-users
Hi, As I asked you yesterday: Could you do a "dig AXFR test.org @10.3.2.15 -p 5300” and also show us the record from the `domains` table on your slave for test.org ? Frank Louwers PowerDNS Consultant > On 13 Mar 2019, at 02:59, 姜伯洋 <1513...@163.com

Re: [Pdns-users] Pdns-users Digest, Vol 194, Issue 13

2019-03-12 Thread frank+pdns--- via Pdns-users
Hi, Ah, your master is running on 5300? Could you do a "dig AXFR test.org @10.3.2.15 -p 5300” and also show us the record from the `domains` table on your slave for test.org ? Frank Louwers PowerDNS Consultant > On 12 Mar 2019, at 13:18, 姜伯洋

Re: [Pdns-users] Impact of DNSSEC with Sub Domain Zones

2019-03-08 Thread frank+pdns--- via Pdns-users
Hi Asanka, > Hi All, > > Just want to give you all an update on how this went as I ran into issues > with this implementation. > > What I did first: > Enabled DNSSEC on primary domain (domain.com ) > Added DS Records to domain registrar. > What worked: All DNS records under

Re: [Pdns-users] Question about PDNS SOA presentation.

2019-03-06 Thread frank+pdns--- via Pdns-users
Hi Michael, > On 7 Mar 2019, at 04:48, Michael Van Der Beek > wrote: > > Hi Frank, > > Currently not using dnsdist.. just installed that in case I want to try > special splitting of traffic. > > Currently > Pdns Auth (72.14.187.43:53) -> Recursor

Re: [Pdns-users] Question about PDNS SOA presentation.

2019-03-06 Thread frank+pdns--- via Pdns-users
Hi Michael, It seems you have pdns-auth, pdns-recursor and dnsdist installed. Could you tell us a bit more about your configuration? What’s listening on port 53, and how is it configured? Regards, Frank Louwers PowerDNS Certified Consultant > On 6 Mar 2019, at 08:06, Michael Van Der Beek

Re: [Pdns-users] What signal to tell PDNS to shut down?

2019-01-13 Thread frank+pdns--- via Pdns-users
Hi Bert and Nick, Docker will issue a SIGTERM, and assumes an app responds to that. It is up to the container to “do what’s needed” upon receiving a SIGTERM. So it’s best practice to make sure SIGTERM does the right thing…. When using Docker, you should expect your container to be started,

Re: [Pdns-users] How to log mysql query details

2018-12-22 Thread frank+pdns--- via Pdns-users
Hi Cliff, The question-marks are not “obfuscation” by PowerDNS, but are what MySQL calls “prepared statements”. If you want to know the exact queries that got executed, I recommend you enable query-logging on the MySQL side. Frank > On 21 Dec 2018, at 19:51, Cliff Hayes wrote: > > I have

Re: [Pdns-users] errno - 128 with mysql

2018-12-21 Thread frank+pdns--- via Pdns-users
Hi Cliff, Besides the question about 4.0 vs 4.1 that Remi brought up, MySQL errno 128 can mean a few things. Could you try to issues those MySQL queries by hand, when connecting with the exact same user/password that PowerDNS uses to connect? Frank Louwers Certified PowerDNS Consultant > On