Re: [Pdns-users] configuring ALSO-NOTIFY support using the domain metadata table
On 08/18/2011 05:22 PM, Bauer, Steven J. wrote:

> -----Original Message-----
> From: bert hubert [mailto:bert.hub...@netherlabs.nl]
> Sent: Thursday, August 18, 2011 9:11 AM
> To: Bauer, Steven J.
> Cc: pdns-users@mailman.powerdns.com
> Subject: Re: [Pdns-users] configuring ALSO-NOTIFY support using the domain metadata table
>
> On Thu, Aug 18, 2011 at 08:53:11AM -0600, Bauer, Steven J. wrote:
>
> > After looking through the source it appears that dnssec queries have to be enabled to get data out of the domainMetadata table. In the code file
>
> Hi Steven,
>
> This is indeed correct. If the 'gmysql-dnssec' (or gpsql- or gsqlite3-) flag is not specified, PowerDNS can't assume the domainmetadata table is there. The '-dnssec' flag really means 'the database has been set up for dnssec support', not 'everything is dnssec'.
>
> With this flag, though, it implies more functionality changes in the software, doesn't it? Things like using the auth columns, or am I misunderstanding the discussions that have happened over the past few weeks on the list?

DNSSEC is enabled on a per-domain basis based on the domainmetadata-table. So if you don't enable it on any domains, everything else should stay the same. It should not look at the auth-columns.

> Steve
>
> Bert
> --
> PowerDNS Website: http://www.powerdns.com/
> PowerDNS Community Website: http://wiki.powerdns.com/

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS and multiple backends
Hi,

now we have verified our setup with version 2.9.22 and it starts in 2 seconds. 3.0 takes 30 seconds! Since this is a very long time we think this could be a bug in 3.0 and we filed a ticket: http://wiki.powerdns.com/trac/ticket/383

Winfried

On 19.08.2011 09:33, abang wrote:

> Hi,
>
> I'm trying to set up PowerDNS Authoritative Server 3.0 with three backends:
>
> launch=gmysql,bind,pipe
>
> It seems all works as expected. But every time I reload or start PowerDNS, my syslog shows for each bind zone (we have 791) which is loaded these two lines:
>
> ...gmysql Connection successful
> ...Backend launched with banner: OK Hispool backend firing up
>
> This means mysql connection and pipe backend are starting 791 times! Is this behavior normal?
>
> Winfried
Re: [Pdns-users] PowerDNS and multiple backends
On Fri, Aug 19, 2011 at 09:33:24AM +0200, abang wrote:

> It seems all works as expected. But every time I reload or start PowerDNS, my syslog shows for each bind zone (we have 791) which is loaded these two lines:
>
> This means mysql connection and pipe backend are starting 791 times! Is this behavior normal?

No, and I saw your bug report, thanks! Working on it.

Bert
[Pdns-users] Additional NSEC3-Record in Response - DNSSEC Validation fails
Hi,

I did some more DNSSEC-testing and found another bug:

My setup looks like this: Bind acting as Master server, serving a presigned zone. PDNS 3.0 acting as Slave server, PRESIGNED=1 and NSEC3PARAM is set in Domainmetatable.

When querying for an undefined record, PDNS adds an additional NSEC3-Record into the response and the validation of the response fails.

Response from Bind:

;; QUESTION SECTION:
;notfound.nsec3test.at. IN A

;; AUTHORITY SECTION:
nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 1200 3600 604800 600
nsec3test.at. 600 IN RRSIG SOA 7 2 600 20110921115504 20110822115504 54530 nsec3test.at. CAljGUcw6e2pHiajLF+T0uCNfBrrtF2ZleDKrPe8gWiBOSmrhGPDGRVQ NUF5CX07AkBvG1pfoe5IKB4sIri0Un9C7MGznKNgc/1xBnmWBFCYzILS 8SkFzyyNalYYpvNnhO7q+MpE6kciv3soZbZJ+fl8Y2xibvvvYswO+vPy 0l4=
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE NS SOA RRSIG DNSKEY NSEC3PARAM
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN RRSIG NSEC3 7 3 600 20110921115504 20110822115504 54530 nsec3test.at. Z5lAmFDBRLYO2J/l2o1CwYfcuuvSixR26B5GIPTDaNvxRdHkVIJEHctQ Hc+4xie3POEed4eZBuYF2mqCCaF0GC5d0D5Y8sJui7Vu3oGxmwWO49vm e0WnNL4WiXWUzd0hOEobK/XJn6ObHLscbR5SmupdIdpA5DaJZ1w1VPQp faw=

The same query against the PDNS:

;; QUESTION SECTION:
;notfound.nsec3test.at. IN A

;; AUTHORITY SECTION:
nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 86400 3600 604800 600
nsec3test.at. 600 IN RRSIG SOA 7 2 600 20110921115504 20110822115504 54530 nsec3test.at. CAljGUcw6e2pHiajLF+T0uCNfBrrtF2ZleDKrPe8gWiBOSmrhGPDGRVQ NUF5CX07AkBvG1pfoe5IKB4sIri0Un9C7MGznKNgc/1xBnmWBFCYzILS 8SkFzyyNalYYpvNnhO7q+MpE6kciv3soZbZJ+fl8Y2xibvvvYswO+vPy 0l4=
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 0 IN NSEC3 1 1 10 - 66R3IIGV513QGD458A2S11T0MH3E6IET NS SOA RRSIG DNSKEY NSEC3PARAM
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 600 IN RRSIG NSEC3 7 3 600 20110921115504 20110822115504 54530 nsec3test.at. Z5lAmFDBRLYO2J/l2o1CwYfcuuvSixR26B5GIPTDaNvxRdHkVIJEHctQ Hc+4xie3POEed4eZBuYF2mqCCaF0GC5d0D5Y8sJui7Vu3oGxmwWO49vm e0WnNL4WiXWUzd0hOEobK/XJn6ObHLscbR5SmupdIdpA5DaJZ1w1VPQp faw=
76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG

The last line is the additional NSEC3-Record.

Can you please have a look?

Thanks in advance and Best,
Michael
Re: [Pdns-users] Additional NSEC3-Record in Response - DNSSEC Validation fails
On Mon, Aug 22, 2011 at 03:41:57PM +0200, Michael Braunoeder wrote:

> I did some more DNSSEC-testing and found another bug:

I was starting to worry that too few bugs were being found ;-)

> When querying for an undefined record, PDNS adds an additional NSEC3-Record into the response and the validation of the response fails.

Also, the NSEC3 records don't match. The one PowerDNS includes is different from the one BIND emitted.

> Response from Bind:
>
> ;; AUTHORITY SECTION:
> nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 1200 3600 604800 600
> O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE NS SOA RRSIG DNSKEY NSEC3PARAM
>
> The same query against the PDNS:
>
> ;; AUTHORITY SECTION:
> nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 86400 3600 604800 600
> o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 0 IN NSEC3 1 1 10 - 66R3IIGV513QGD458A2S11T0MH3E6IET NS SOA RRSIG DNSKEY NSEC3PARAM

This one is different from the BIND one.

> 76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG

Note that the TTL of the additional o8ivn one is wrong too.

> Can you please have a look?

As a starting point, could you supply your nsec3test.at zone? That would help me reproduce your exact issue.

Thanks.
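An added example (not part of the original thread and not PowerDNS code): a small Python check that compares the NSEC3 records of the two responses quoted above and reports the discrepancies raised in this thread. The function names `parse` and `audit` are hypothetical, and the RRSIG signature data is replaced by a `<sig>` placeholder.

```python
# Authority-section records quoted in this thread, with RRSIG signature data
# replaced by the placeholder "<sig>" (constructed input for this example).
BIND = """\
nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 1200 3600 604800 600
nsec3test.at. 600 IN RRSIG SOA 7 2 600 20110921115504 20110822115504 54530 nsec3test.at. <sig>
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE NS SOA RRSIG DNSKEY NSEC3PARAM
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN RRSIG NSEC3 7 3 600 20110921115504 20110822115504 54530 nsec3test.at. <sig>
"""
PDNS = """\
nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 86400 3600 604800 600
nsec3test.at. 600 IN RRSIG SOA 7 2 600 20110921115504 20110822115504 54530 nsec3test.at. <sig>
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 0 IN NSEC3 1 1 10 - 66R3IIGV513QGD458A2S11T0MH3E6IET NS SOA RRSIG DNSKEY NSEC3PARAM
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 600 IN RRSIG NSEC3 7 3 600 20110921115504 20110822115504 54530 nsec3test.at. <sig>
76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG
"""

def parse(text):
    """Return NSEC3 records and NSEC3-covering RRSIG original TTLs by owner."""
    nsec3, sigs = {}, {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        owner, ttl, rtype = f[0].lower(), int(f[1]), f[3]
        if rtype == "NSEC3":
            # rdata: algorithm flags iterations salt next-hashed-owner types...
            nsec3[owner] = {"ttl": ttl, "next": f[8].lower(), "types": f[9:]}
        elif rtype == "RRSIG" and f[4] == "NSEC3":
            sigs[owner] = int(f[7])  # RRSIG "original TTL" field
    return nsec3, sigs

def audit(reference, candidate):
    """List NSEC3 inconsistencies in candidate, using reference as baseline."""
    ref, _ = parse(reference)
    cand, sigs = parse(candidate)
    findings = []
    for owner, rec in sorted(cand.items()):
        label = owner.split(".")[0]
        if owner not in sigs:
            findings.append(f"{label}: NSEC3 without RRSIG")
        elif rec["ttl"] != sigs[owner]:
            findings.append(f"{label}: TTL {rec['ttl']} differs from RRSIG original TTL {sigs[owner]}")
        if owner not in ref:
            findings.append(f"{label}: not in reference response")
        elif rec["next"] != ref[owner]["next"]:
            findings.append(f"{label}: next hashed owner differs from reference")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(BIND, PDNS)))
```

Owner names are compared case-insensitively, since BIND prints the hashed owner in upper case and PowerDNS in lower case.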
[Pdns-users] Cannot turn off webserver and bind.version
Is it just me, or does the option 'webserver=no' have no effect at all in the latest stable authoritative version? I am running multiple vhost instances and the port 8081 keeps conflicting. Running pdns_server --webserver=no is also of no use!

Also, the 'version-string=anonymous' doesn't send a servfail, unlike what is mentioned in the docs.