Re: [Pdns-users] Hidden supermasters
On 06/08/2010, at 3:54 PM, Ton van Rosmalen wrote:

> No, this is not a restriction. In our setup we've added the ip address in the supermasters-table like this:
>
> +-------------+------------------------------------------+----------+
> | ip          | nameserver                               | account  |
> +-------------+------------------------------------------+----------+
> | xx.xx.xx.xx | name of primary server in public NS list | internal |
> +-------------+------------------------------------------+----------+

Ah, OK, nice. Is it intentional that that works?

cheers,
Richard

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Hidden supermasters
On 06 Aug 2010 wk 31, at 09:56, Richard McLean wrote:

> On 06/08/2010, at 3:54 PM, Ton van Rosmalen wrote:
>
>> No, this is not a restriction. In our setup we've added the ip address in the supermasters-table like this:
>>
>> +-------------+------------------------------------------+----------+
>> | ip          | nameserver                               | account  |
>> +-------------+------------------------------------------+----------+
>> | xx.xx.xx.xx | name of primary server in public NS list | internal |
>> +-------------+------------------------------------------+----------+
>
> Ah, OK, nice. Is it intentional that that works?

I hope so, because we rely on it :)

We have quite a few customers that have a VPS or dedicated server with us, run some sort of control panel on it (plesk, da, cpanel, ...) and do their dns config in the control panel. We have them all configured as hidden masters so the customer can use our distributed and stable ns'es automatically.

Regards,
Frank Louwers
Openminds bvba
Re: [Pdns-users] Hidden supermasters
Hi Richard,

On Fri, 2010-08-06 at 15:27 +1000, Richard McLean wrote:

> I have wondered about this. We'd love to implement a hidden supermaster type setup, using AXFR, which auto-updates the 4 main name servers, but is *not* in the list of name servers for a domain and is not publicly available. Is the restriction above able to be worked around or turned off?

I've managed to work around this by adding a config line like:

gsql-supermaster-query=select account from supermasters where ip='%s'

In this setup, only IP addresses need to be listed in the supermasters table and the other checks are bypassed. This might need some careful checks if the database schema / the expected returned field list etc. changes at some point in the future.

--
-Michael Fincham
System Administrator, Unleash
www.unleash.co.nz
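The supermaster acceptance rule that the three messages above circle around (Ton's table row pairing the hidden master's IP with a public NS name, Richard's question, and Michael's query override that drops the nameserver condition) can be modelled in a few lines. The following is an added illustration written for this archive page, not PowerDNS code and not code posted by any participant. It assumes the default lookup requires both the notifying IP and a nameserver name that appears in the zone's NS set (as the documentation quoted later in this thread describes), and that Michael's override removes only the nameserver condition; all hostnames and addresses are constructed.

```python
"""Model of a PowerDNS slave deciding whether to accept a supermaster NOTIFY.

Added illustration for the pdns-users thread, not PowerDNS code. Assumptions:
the default check needs a supermasters row matching the notifier's IP AND a
nameserver name taken from the zone's NS set; the gsql-supermaster-query
override from the thread ("select account from supermasters where ip='%s'")
reduces that to an IP-only match and changes nothing else.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class SupermasterRow:
    ip: str
    nameserver: str
    account: str


# Constructed sample of a supermasters table: the hidden master's address is
# paired with one of the *public* NS names, the way Ton described it.
SUPERMASTERS = [
    SupermasterRow("192.0.2.10", "ns1.example.net", "internal"),
]


def _canon(name: str) -> str:
    """Compare DNS names case-insensitively and ignoring a trailing dot."""
    return name.rstrip(".").lower()


def supermaster_query(rows, ip, nameserver, ip_only=False):
    """Mirror of the SQL lookup PowerDNS runs per NS name.

    Default: WHERE ip=%s AND nameserver=%s.  Override: WHERE ip=%s only.
    Returns the account column or None when no row matches.
    """
    for row in rows:
        if row.ip != ip:
            continue
        if ip_only or _canon(row.nameserver) == _canon(nameserver):
            return row.account
    return None


def supermaster_accepts(rows, notify_source_ip, ns_set, ip_only=False):
    """Return the account to provision the zone under, or None to refuse.

    The slave fetches the zone's NS set from the notifying server and accepts
    on the first NS name for which the supermaster query returns a row.
    """
    ip_address(notify_source_ip)  # reject a malformed address before lookup
    for ns in ns_set:
        account = supermaster_query(rows, notify_source_ip, ns, ip_only)
        if account is not None:
            return account
    return None


def evaluate_scenarios():
    """Run the cases discussed in the thread; returns name -> account/None."""
    public_ns = ["ns1.example.net.", "ns2.example.net."]  # hidden master absent
    self_named = [SupermasterRow("192.0.2.10", "hidden.example.net", "internal")]
    return {
        # Ton's setup: hidden IP + a public NS name -> accepted by the default check
        "hidden_master_named_public_ns":
            supermaster_accepts(SUPERMASTERS, "192.0.2.10", public_ns),
        # Row names the hidden host itself, which is not in the NS set -> refused
        "hidden_master_named_itself":
            supermaster_accepts(self_named, "192.0.2.10", public_ns),
        # Michael's override: the nameserver column is never consulted
        "ip_only_override":
            supermaster_accepts(self_named, "192.0.2.10", public_ns, ip_only=True),
        # An address with no row is refused in both modes
        "unknown_ip_default":
            supermaster_accepts(SUPERMASTERS, "198.51.100.7", public_ns),
        "unknown_ip_override":
            supermaster_accepts(SUPERMASTERS, "198.51.100.7", public_ns, ip_only=True),
    }


if __name__ == "__main__":
    for case, outcome in evaluate_scenarios().items():
        print(f"{case}: {'accept as ' + outcome if outcome else 'refuse'}")
```

The difference between the two approaches is what the slave trusts: with Ton's row the announcing address must also be able to show a delegated NS name in the zone it announces, whereas with the IP-only override the source address alone decides, so the supermasters table then has to contain exactly the hosts that are allowed to create zones on the slave and nothing more.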
Re: [Pdns-users] Manual AXFR works, automatic does not (txt-version)
Hi,

I forgot to CC the list, here you find my latest answer to Stefan. It still seems the configuration is OK, but that the PowerDNS master does not start to notify my slaves on startup of new domains.

Domain: X.63.215.95.in-addr.arpa

I'm quite sure those settings are correct. I present the dig here:

; <<>> DiG 9.6-ESV-R1 <<>> @ns1.sologigabit.com ns 63.215.95.in-addr.arpa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41825
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;63.215.95.in-addr.arpa.        IN      NS

;; ANSWER SECTION:
63.215.95.in-addr.arpa. 86400   IN      NS      ns1.sologigabit.com.
63.215.95.in-addr.arpa. 86400   IN      NS      ns2.sologigabit.com.

;; Query time: 1 msec
;; SERVER: 95.215.63.212#53(95.215.63.212)
;; WHEN: Thu Aug 5 17:53:58 2010
;; MSG SIZE  rcvd: 91

Regards,
Pierre

With kind regards / Met vriendelijke groet,

Pierre van den Oord
LikeFiction
Kleyn Proffijtlaan 49
2343 DB Oegstgeest
The Netherlands
T +31 (0)85 7850699 (Mo-Fr 10-17, GMT +1)
T +31 (0)6 12469791 (Mobile)
M i...@likefiction.com
W www.LikeFiction.com

--- Please include the original message when you reply! ---

Op 5-8-2010 17:49, Stefan Schmidt schreef:
> On Thu, Aug 05, 2010 at 05:17:03PM +0200, LikeFiction wrote:
>> Hi Stefan,
>
> Hey erm LikeFiction, ;)
>
> I also need to know the domain name which you configured on your master server. But you can just check it yourself: the name of the nameserver that corresponds to the IP of your master nameserver in the supermasters table needs to be one of the names of nameservers you specified as nameservers for the domain on the master server. Hence a dig @masterip ns domain.tld should give you the same name you specified in the supermasters table in one of the NS records.
>
> Stefan
>
>> Thanks for your reply. The IP addresses are correct in my post, you can dig them both. The nameservers are ns1.solo**gigabit.com and ns2.solo**gigabit.com, please remove the **. The NS records of the domains do include the ns2 server. Also, manual notification is working fine. I don't know why powerDNS, on a fresh start, does not try to AXFR zones to the slave. Do I have to wait for TTL value? I would not expect that.
>>
>> I hope you can dig the nameserver, you will find it lists all domains correctly. See for example this /24 subnet for PTR records:
>>
>> webserver:/var/www/sologigabit.com/web/poweradmin# dig -x 95.215.63.213
>> webserver:/var/www/sologigabit.com/web/poweradmin# dig -x 95.215.63.213 @ns1.sologigabit.com
>>
>> ; <<>> DiG 9.6-ESV-R1 <<>> -x 95.215.63.213 @ns1.solo**gigabit.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12733
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;213.63.215.95.in-addr.arpa.    IN      PTR
>>
>> ;; ANSWER SECTION:
>> 213.63.215.95.in-addr.arpa. 86400 IN    PTR     customerpanel.es.
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 95.215.63.212#53(95.215.63.212)
>> ;; WHEN: Thu Aug 5 17:14:52 2010
>> ;; MSG SIZE  rcvd: 74
>>
>> On NS2, no record is coming back, as the domain is not transferred by PowerDNS.
>>
>> With kind regards / Met vriendelijke groet,
>> Pierre van den Oord
>>
>> Op 5-8-2010 16:55, Stefan Schmidt schreef:
>>> On Thu, Aug 05, 2010 at 03:55:24PM +0200, LikeFiction wrote:
>>>> and one row on supermasters table on slave:
>>>> ip: 95.215.63.212
>>>> nameserver: ns2..com (refers to slave itself)
>>>
>>> Please read section 13.2.1. of http://doc.powerdns.com/slave.html#SUPERMASTER very slowly and carefully. I would suspect that your problem is in the third bullet point:
>>>
>>>> The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table
>>>
>>> Yes, it should work right after restart of the master server. I would not go so far as to say that it usually does work right after configuration as many people struggle with exactly that point. ;)
>>>
>>> As always with DNS, not giving out the actual domain name prevents us from looking at the actual data and hinting you at possible typos or delegation problems.
>>>
>>> Stefan
Re: [Pdns-users] Manual AXFR works, automatic does not (txt-version)
Hi,

LikeFiction schreef:
> Hi,
>
> I forgot to CC the list, here you find my latest answer to Stefan. It still seems the configuration is OK, but that the PowerDNS master does not start to notify my slaves on startup of new domains.
>
> <snip>

In my experience new domains added to the master need a 'pdns_control notify domain' to start the notification to the slave(s). At least our systems always do this after adding a new domain.

Regards,
Ton
Re: [Pdns-users] Manual AXFR works, automatic does not (txt-version)
Good to have found someone with the same problem. Indeed a notify works, but this is not what I want. I could automate it with a cronjob script, but I think it might just be some bug in PowerDNS.

With kind regards / Met vriendelijke groet,
Pierre van den Oord

Op 6-8-2010 15:17, Ton van Rosmalen schreef:
> Hi,
>
> LikeFiction schreef:
>> Hi,
>>
>> I forgot to CC the list, here you find my latest answer to Stefan. It still seems the configuration is OK, but that the PowerDNS master does not start to notify my slaves on startup of new domains.
>>
>> <snip>
>
> In my experience new domains added to the master need a 'pdns_control notify domain' to start the notification to the slave(s). At least our systems always do this after adding a new domain.
>
> Regards,
> Ton
Re: [Pdns-users] Manual AXFR works, automatic does not (txt-version)
On Aug 6, 2010, at 15:21 , LikeFiction wrote:
> Good to have found someone with the same problem. Indeed a notify works, but this is not what I want. I could automate it with a cronjob script, but I think it might just be some bug in PowerDNS.

Really that shouldn't be necessary. Can you show us what's in your database? I mean the entries in the domains, records and supermasters tables corresponding to the zone, and if it's too big just the apex from the records table.

Stefan
Re: [Pdns-users] Manual AXFR works, automatic does not (txt-version)
On Aug 6, 2010, at 15:52 , LikeFiction wrote:
> Stefan: As there is no sensitive information inside the tables, I have opened up http://ns1.sologigabit.com/phpmyadmin with user help and password help. You can browse all PDNS tables easily that way. For the mailing list archive, I also present the data for one domain here:

While I can not find anything that looks obviously wrong to me, you might try the following:

- setting domains.notified_serial to 0 or 1.
- providing a full set of ttls in the SOA record such as
  ns1.sologigabit.com. info.sologigabit.com. 2010080500 10800 3600 604800 3600

Also what does your daemon.log - or wherever pdns logs to - say about this?

Stefan
Re: [Pdns-users] Manual AXFR works, automatic does not (txt-version)
> While I can not find anything that looks obviously wrong to me, you might try the following:
>
> - setting domains.notified_serial to 0 or 1.
> - providing a full set of ttls in the SOA record such as
>   ns1.sologigabit.com. info.sologigabit.com. 2010080500 10800 3600 604800 3600

After stopping Pdns, setting notified serial to 0, and starting powerdns in monitor mode, I immediately see an AXFR for this domain come up, and it gets transferred indeed.

Other solution I found: lower the first digit of the SOA field, then start Powerdns. I changed it from 2010080500 to 1010080500. Now also a transfer took place.

Adding the 10800 3600 604800 3600 expire values does not seem to do anything (except after also lowering the first number). Or do I have to wait (long) for that? That would not be right, if it was the case.

However, why does PowerDNS notify my slave if I lower either the first SOA number, or set the notified serial to 0?

Daemon.log shows:

Aug 6 16:37:21 webserver pdns[29052]: Listening on controlsocket in '/var/run/pdns.controlsocket'
Aug 6 16:37:21 webserver pdns[29054]: Guardian is launching an instance
Aug 6 16:37:21 webserver pdns[29054]: This is module gmysqlbackend.so reporting
Aug 6 16:37:21 webserver pdns[29054]: This is a guarded instance of pdns
Aug 6 16:37:21 webserver pdns[29054]: UDP server bound to 95.215.63.212:53
Aug 6 16:37:21 webserver pdns[29054]: TCP server bound to 95.215.63.212:53
Aug 6 16:37:21 webserver pdns[29054]: PowerDNS 2.9.21.2 (C) 2001-2008 PowerDNS.COM BV (Nov 25 2008, 22:40:57, gcc 4.3.2) starting up
Aug 6 16:37:21 webserver pdns[29054]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according t$
Aug 6 16:37:21 webserver pdns[29054]: Creating backend connection for TCP
Aug 6 16:37:21 webserver pdns[29054]: Master/slave communicator launching
Aug 6 16:37:21 webserver pdns[29054]: gmysql Connection succesful
Aug 6 16:37:21 webserver pdns[29054]: All slave domains are fresh
Aug 6 16:37:21 webserver pdns[29054]: gmysql Connection succesful
Aug 6 16:37:21 webserver pdns[29054]: About to create 3 backend threads for UDP
Aug 6 16:37:21 webserver pdns[29054]: gmysql Connection succesful
Aug 6 16:37:21 webserver pdns[29054]: No master domains need notifications
Aug 6 16:37:21 webserver pdns[29054]: gmysql Connection succesful
Aug 6 16:37:21 webserver pdns[29054]: gmysql Connection succesful

With kind regards / Met vriendelijke groet,
Pierre van den Oord
Re: [Pdns-users] Manual AXFR works, automatic does not (txt-version)
On Aug 6, 2010, at 17:00 , LikeFiction wrote:
> Ok, I think I found the problem. It's quite simple too. My zones are not changing very often. So, after my re-setup of NS2, and restart master-powerdns, the notified-serial and the first digit serial of SOA were the same. If notified-serial is smaller than SOA, only then PowerDNS will do an AXFR. So, indeed, after setting up a new/extra nameserver, to start the transfer, one should just run SQL:
>
> UPDATE domains set notified_serial=0
>
> and make sure that every SOA record is NOT 0. Then, PowerDNS will start notifying slaves.

I got put off by thinking you were provisioning a new zone and thus assuming that notified-serial would be set to 0 or NULL by default. Alright then. Case solved. ;)

> I think it might be a good idea for future versions of PowerDNS, to force updating all slaves when PowerDNS is started.

At first I thought this was a good feature request, but on second thought this might not be what people with huge numbers of zones would want. Upon restart they would have to deal with increased load in both master and slaves due to them checking their database for out-of-date zones, hence I'm doubtful if Bert would implement it this way. Also iirc there is a slow-start mechanism in place to prevent exactly this behaviour.

Stefan
Re: [Pdns-users] Manual AXFR works, automatic does not (txt-version)
Need to add one thing:

> I got put off by thinking you were provisioning a new zone and thus assuming that notified-serial would be set to 0 or NULL by default.

You were in fact for a part correct. By using Poweradmin (some time ago), I created a new zone. Poweradmin however makes a SOA with a default value of 0, if I remember correctly. I'm not sure if everyone uses a NULL field as notified_serial, but if this notified_serial is 0 (or maybe if PowerDNS thinks that NULL == 0), then the new zone (without any records) will not be updated until records are added.

I also read that PowerDNS is not automatically changing the SOA record to a yymmddxx value since some version. So, in this case it could be that, for a domain where PowerAdmin did not raise the SOA field 0, the domain is not transferred to the slave. And PowerAdmin is correct, because in the documentation of PowerDNS (some thread on Poweradmin refers to that) it is stated that PowerDNS automatically sets the correct SOA.

Bottom line: this bug should be fixed some day, but is not likely to occur often.

With kind regards / Met vriendelijke groet,
Pierre van den Oord
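The master-side bookkeeping that produced "No master domains need notifications" in the log above, and the two observations from the last few messages (resetting notified_serial to 0 makes the zone due again; a zone whose SOA serial is 0 with notified_serial 0 or NULL is never announced), can be replayed with a small model. This is an added illustration for the archive, not PowerDNS code and not code posted by any participant. It assumes a MASTER zone is queued for NOTIFY whenever domains.notified_serial differs from the serial in its SOA rdata (a mismatch in either direction, which also fits the earlier report that lowering the serial triggered a transfer), that a NULL notified_serial counts as 0, and that the master stores the announced serial after a notify round; zone and server names are constructed.

```python
"""Replay of the notified_serial vs. SOA-serial check from the pdns-users thread.

Added illustration, not PowerDNS code. Assumptions: a MASTER zone is due for
NOTIFY when notified_serial != SOA serial (either direction); NULL
notified_serial is treated as 0; after notifying, the master records the
serial it announced in notified_serial.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Domain:
    name: str
    type: str            # MASTER / SLAVE / NATIVE as in the domains table
    soa_content: str     # rdata of the apex SOA record
    notified_serial: Optional[int] = None   # None models SQL NULL


def parse_soa_serial(content: str) -> int:
    """SOA rdata is: mname rname serial refresh retry expire minimum."""
    fields = content.split()
    if len(fields) < 3:
        raise ValueError(f"SOA rdata too short: {content!r}")
    return int(fields[2])


def domains_needing_notify(domains: List[Domain]) -> List[Tuple[str, int, int]]:
    """The master's 'updated masters' scan: (name, notified, current) per due zone."""
    due = []
    for d in domains:
        if d.type.upper() != "MASTER":
            continue                       # only MASTER zones send NOTIFY
        current = parse_soa_serial(d.soa_content)
        notified = d.notified_serial or 0  # NULL -> 0 (assumption)
        if notified != current:
            due.append((d.name, notified, current))
    return due


def record_notified(domains: List[Domain], name: str, serial: int) -> None:
    """After a NOTIFY round the master stores the serial it announced."""
    for d in domains:
        if d.name == name:
            d.notified_serial = serial


def reset_notified_serials(domains: List[Domain]) -> None:
    """The thread's fix after adding a slave: UPDATE domains SET notified_serial=0."""
    for d in domains:
        d.notified_serial = 0


def walk_through():
    """Replay the thread's situations; returns the due-list after each step."""
    soa = "ns1.example.net. hostmaster.example.net. 2010080500 10800 3600 604800 3600"
    zones = [
        # reverse zone that was already notified before the slave was rebuilt
        Domain("2.0.192.in-addr.arpa", "MASTER", soa, notified_serial=2010080500),
        # zone created by a panel with serial 0 and NULL notified_serial
        Domain("fresh.example", "MASTER",
               "ns1.example.net. hostmaster.example.net. 0 10800 3600 604800 3600"),
        # a SLAVE zone is never a notification source
        Domain("secondary.example", "SLAVE", soa),
    ]
    steps = {}
    steps["after_restart"] = domains_needing_notify(zones)       # serials match: nothing due
    reset_notified_serials(zones)
    steps["after_reset"] = domains_needing_notify(zones)         # reverse zone due; serial-0 zone is not
    for name, _notified, current in steps["after_reset"]:
        record_notified(zones, name, current)
    steps["after_notify_round"] = domains_needing_notify(zones)  # quiet again
    zones[0].soa_content = soa.replace("2010080500", "2010080501")  # admin bumps the serial
    steps["after_serial_bump"] = domains_needing_notify(zones)
    return steps


if __name__ == "__main__":
    for step, due in walk_through().items():
        print(f"{step}: {due or 'no master domains need notifications'}")
```

The serial-0 zone never becomes due under this model no matter how often notified_serial is reset, which is the case the message above describes; the practical check on a master that stays silent after a restart is therefore to compare domains.notified_serial against the serial actually stored in each zone's SOA record rather than to look for a missing NOTIFY in the logs.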