Re: [Pdns-users] Any status on DNSSEC in Recursor?
Hello Charles,

On 20 Feb 2015, at 20:08 , Charles Sprickman sp...@bway.net wrote:

> Sounds good. I’m itching to tell our users they’re a bit “safer”, and I have about zero interest in learning a third DNS server (unbound). The old blog post noted that you’d be leveraging another server for the key verification, is that still the case or will everything happen within pdns recursor?

For various reasons, yes, it makes sense to do validation in another server/daemon/process. However, you should still expect something that’s as simple as ‘verify-dnssec=yes’ in recursor.conf. We hope :)

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
Why not let the process run in parallel and then pick the one which is returned first to the client?

Regards

2015-02-23 18:28 GMT+08:00 Peter van Dijk peter.van.d...@powerdns.com:

> Hello,
>
> On 23 Feb 2015, at 6:09 , Hongyi Zhao hongyi.z...@gmail.com wrote:
>
>> forward-zones
>> Comma separated list of ’zonename=IP’ pairs. Queries for zones listed here will be forwarded to the IP address listed. Since version 3.1.5, multiple IP addresses can be specified. Additionally, port numbers other than 53 can be configured. Sample syntax:
>>
>> forward-zones=example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;198.51.100.10:530
>>
>> I just want to know the mechanism when we use multiple IPs to query a zone. I mean, is this process sequential or parallel? When we use multiple IPs for resolving a specific domain name, which answer given by the forwarders should be picked up by PowerDNS Recursor and then returned to the user's client program?
>
> It’s best to assume the process is random. For any given query, the resulting data can come from any of the IPs, and there is no guarantee from which one. So, in general, make sure your backend IPs agree on the data!
>
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

--
Hongyi Zhao hongyi.z...@gmail.com
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences
GnuPG DSA: 0xD108493
Re: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
Considering that the backend/forwarder IPs are always NOT owned by the authoritative servers of the querier, it will be difficult to ensure all of them are online all the time. So, if we can let the process run in parallel and then pick the one which is returned first to the client, at least the query efficiency will be raised to some extent, IMO.

Regards

2015-02-23 18:49 GMT+08:00 Hongyi Zhao hongyi.z...@gmail.com:

> Why not let the process run in parallel and then pick the one which is returned first to the client?
>
> Regards
>
> 2015-02-23 18:28 GMT+08:00 Peter van Dijk peter.van.d...@powerdns.com:
>
>> It’s best to assume the process is random. For any given query, the resulting data can come from any of the IPs, and there is no guarantee from which one. So, in general, make sure your backend IPs agree on the data!

--
Hongyi Zhao hongyi.z...@gmail.com
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences
GnuPG DSA: 0xD108493
Re: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
Hello,

On 23 Feb 2015, at 11:49 , Hongyi Zhao hongyi.z...@gmail.com wrote:

> Why not let the process run in parallel and then pick the one which is returned first to the client?

In general (without forward-rules), we do something better - we try the servers and remember which one was faster. That way you get the performance benefits without unnecessarily overloading the other servers. I’m not entirely sure we do this for forward rules.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
Re: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
Which forward rules do you mean by saying "without forward-rules"? Can these forward rules all be set or controlled using the config file of pdns_recursor? Why can't these rules be handled in combination by the internal optimizing algorithms for determining the maybe-best servers?

Regards

2015-02-23 19:20 GMT+08:00 Peter van Dijk peter.van.d...@powerdns.com:

> In general (without forward-rules), we do something better - we try the servers and remember which one was faster. That way you get the performance benefits without unnecessarily overloading the other servers. I’m not entirely sure we do this for forward rules.
>
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

--
Hongyi Zhao hongyi.z...@gmail.com
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences
GnuPG DSA: 0xD108493
[Pdns-users] PowerDNS development plans: 4.x DNSSEC, C++ 2011!
In this post, we’d like to share our current plans for .. PowerDNS 4.x! We shared this first with the PowerDNS-development community, and after we gathered feedback, we’re now announcing it more broadly.

The tl;dr: For the next few months we will be spring cleaning git master, and stable code and releases can be found in the auth-3.4 and rec-3.7 branches. We'll also be moving to C++ 2011. Please read on for the whole story.

First some background. PowerDNS is a 15 year old software project, and over these 1.5 decades, we have built up some ‘technical debt’ (http://en.wikipedia.org/wiki/Technical_debt), and it is time for a spring cleaning in our code. Meanwhile, we are broadening what our code does, to include for example smart, DNS-native, load balancing and further denial of service mitigation. And of course, the major work of bringing carrier-grade DNSSEC to the recursor. Finally, we’ve fallen in love with C++ 2011, and we would like to start taking advantage of this now 4 year old revision of C++.

All this means some important changes. For one, where it used to be the case that our git ‘master’ was usually fit to run in production (and people actually did this), for the coming few months please consider our master branch a ‘heavy development zone’. While we’ll try to keep things working, it might break for hours or even days at a time. Even though there will be somewhat of a wild-west aspect to development, major changes will be implemented as pull requests from separate branches that can be studied by the community.

Meanwhile, PowerDNS 3.x development and maintenance will continue on separate release branches. The latest 3.x releases will remain actively supported until 4.x is more powerful, more stable, and can be compiled on Debian Stable (more about this later). Active support means more than passive maintenance; if there are pressing things that need to happen, they will happen. But the focus for new things will shift to 4.x. (As an example, we are currently gathering the patches for auth-3.4.3, see https://twitter.com/powerdns/status/569872447757025280 )

Things we will be addressing during our spring cleaning include:

* We treat DNS names as ASCII strings, which we escape and unescape repeatedly. DNS names are not ASCII strings, and we keep finding issues related to us treating them like strings.
* The PowerDNS Authoritative Server distributes queries to multiple backends inefficiently
* The PowerDNS Recursor cache is both slower and less memory efficient than it could be
* DNSSEC in the PowerDNS Recursor
* Move our own atomic, locking and semaphore infrastructure to C++ 2011 native
* The Lua APIs use an ASCII based interface for domain names and IP addresses, and this could be faster

One thing we are probably not going to do is change the database format, by the way.

The somewhat bad news about the spring cleaning is that we’ll come out of it as a C++ 2011 project, which means that to compile PowerDNS, you’ll need GCC 4.8 (released in March 2013). GCC 4.8 is not currently the default in Debian stable or RHEL/CentOS 6, but it is available. It is the default in RHEL7 and in what will become the next Debian stable. It also ships in Ubuntu 14. We will also be targeting clang 3.5. We have chosen C++ 2011 for a variety of reasons, many of which are described in an earlier blogpost (http://bert-hubert.blogspot.nl/2015/01/on-c2011-quality-of-implementation.html).

NOTE: PowerDNS 4.x products WILL run on older distribution releases of course! However, on older distros, compiling with the system default compiler may not work.

To clarify, the 4.x branch will not fundamentally alter PowerDNS. This should not be compared to BIND 9 to BIND 10, for example (or even 8 to 9). Fundamentally we think the PowerDNS design is sound, it just needs a decent spring cleaning. This will come in especially handy when deploying our DNSSEC validation.

So how long will it take until 4.x is production ready? We’ll let you know once we get there, but we are hoping to finish the cleanup in several months, after which we expect further work to iron out remaining issues. In any case, 3.x will remain supported until gcc 4.8 is widely available on currently shipping distributions.

Thanks, and please again let us know your thoughts about this proposed plan. Although this is what we intend to do, we can change our mind if there are good reasons to do so!

PowerDNS
Re: [Pdns-users] PowerDNS development plans: 4.x DNSSEC, C++ 2011!
This is exciting news, Bert! Some follow-up questions/comments:

- Will 3.x development end on the 3.4 track, or is there still a plan for 3.5? If 3.4 is it, what's the plan for features (such as ALIAS) that were scheduled for 3.5? Are they delayed to 4.0 (if so, sad face)?

- Currently, PowerDNS Authoritative and PowerDNS Recursor share a repository (https://github.com/PowerDNS/pdns). This can make things especially confusing, since there are recursor development branches, authoritative development branches, recursor version branches, authoritative version branches, recursor release tags, and authoritative release tags all within the same repository. During all this work being done on master, can the opportunity be taken to move shared code into X repository and then have a repo for Recursor and a separate repo for Authoritative? It seems like it would be a much cleaner arrangement.

Good luck in this new challenge!

Nick

On Mon, Feb 23, 2015 at 8:58 AM, bert hubert bert.hub...@powerdns.com wrote:

> In this post, we’d like to share our current plans for .. PowerDNS 4.x! We shared this first with the PowerDNS-development community, and after we gathered feedback, we’re now announcing it more broadly.
Re: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
Hello,

On 23 Feb 2015, at 6:09 , Hongyi Zhao hongyi.z...@gmail.com wrote:

> forward-zones
> Comma separated list of ’zonename=IP’ pairs. Queries for zones listed here will be forwarded to the IP address listed. Since version 3.1.5, multiple IP addresses can be specified. Additionally, port numbers other than 53 can be configured. Sample syntax:
>
> forward-zones=example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;198.51.100.10:530
>
> I just want to know the mechanism when we use multiple IPs to query a zone. I mean, is this process sequential or parallel? When we use multiple IPs for resolving a specific domain name, which answer given by the forwarders should be picked up by PowerDNS Recursor and then returned to the user's client program?

It’s best to assume the process is random. For any given query, the resulting data can come from any of the IPs, and there is no guarantee from which one. So, in general, make sure your backend IPs agree on the data!

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
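As an added example (not PowerDNS code and not part of this thread), the following Python script parses a forward-zones value in the syntax quoted above and performs the check Peter recommends: it sends the same query to every forwarder listed for a zone and groups the forwarders by the answer set they return, so a forwarder that is out of sync, stale, or serving poisoned data for that zone shows up as a disagreement rather than being silently served to some fraction of clients. The wire-format handling is a minimal stdlib-only implementation written for this example; it assumes IPv4 forwarders, ASCII hostnames and A records, and the responses used to exercise it are constructed inline rather than captured from a real server.

```python
"""Added example, not PowerDNS code: check that every forwarder configured for a
zone returns the same data.  Stdlib only; IPv4 forwarders and A records only."""
import random
import socket
import struct


def parse_forward_zones(value):
    """Parse 'zone=ip[:port];ip[:port],zone=...' (the syntax quoted in the
    thread) into {zone: [(ip, port), ...]}.  Port defaults to 53.
    Assumption: IPv4 addresses only."""
    zones = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        zone, sep, servers = entry.partition("=")
        if not sep or not servers.strip():
            raise ValueError("no forwarders given for %r" % entry)
        targets = []
        for server in servers.split(";"):
            host, _, port = server.strip().partition(":")
            targets.append((host, int(port) if port else 53))
        zones[zone.strip().lower().rstrip(".")] = targets
    return zones


def build_query(qname, qtype=1):
    """Build a recursive query; returns (transaction id, wire bytes).
    Assumption: qname is a plain ASCII hostname without escaped labels."""
    qid = random.randrange(0, 1 << 16)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return qid, header + name + struct.pack("!HH", qtype, 1)


def _skip_name(data, off):
    """Advance past a (possibly compressed) name without decoding it."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_answers(resp, qid):
    """Return the answer section as a frozenset of (type, rdata).  TTLs are
    deliberately left out: they legitimately differ between caches."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x0200:
        raise ValueError("truncated response, retry over TCP")
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip qtype and qclass
    rrs = set()
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        # Only A rdata is normalised; other types are compared as raw hex, which
        # will spuriously differ if a server used name compression inside rdata.
        rrs.add((rtype, socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()))
    return frozenset(rrs)


def query_forwarder(ip, port, qname, timeout=2.0):
    """Send one UDP query to a forwarder and return its normalised answers."""
    qid, packet = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (ip, port))
        resp, _ = s.recvfrom(4096)
    return parse_answers(resp, qid)


def disagreements(results):
    """Group forwarders by the answer set they returned.  An empty dict means
    all forwarders agree; otherwise each key is one distinct answer set."""
    groups = {}
    for forwarder, answers in results.items():
        groups.setdefault(answers, []).append(forwarder)
    return groups if len(groups) > 1 else {}


if __name__ == "__main__":
    # Hypothetical config; the forwarders are documentation addresses, not real servers.
    config = "example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;198.51.100.10:530"
    for zone, forwarders in parse_forward_zones(config).items():
        results = {}
        for ip, port in forwarders:
            try:
                results[(ip, port)] = query_forwarder(ip, port, "www." + zone)
            except (OSError, ValueError) as exc:
                print("%s: %s:%d failed: %s" % (zone, ip, port, exc))
        for answers, who in disagreements(results).items():
            print("%s: %s returned %s" % (zone, who, sorted(answers)))
```

Run it from cron against the zones you forward; an unreachable forwarder is reported separately from a disagreeing one, because the first degrades availability while the second means clients are already getting different answers depending on which forwarder the recursor happened to pick.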
Re: [Pdns-users] Multiple Entries in the Content field of NAPTR records.
Hello Jonathan,

On 20 Feb 2015, at 18:28 , Jonathan Hunter hunter...@hotmail.com wrote:

> Is it possible when implementing NAPTR records in the records table to add multiple entries within the content field of a record? I'm just trying to reduce the number of entries in the database, so wondered if I could have more than one content entry, and if so how do you split them up?
>
> So for example I have:
>
> select * from records;
> +----+-----------+---------------------------+-------+-------------------------------------------------+-----+------+-------------+
> | id | domain_id | name                      | type  | content                                         | ttl | prio | change_date |
> +----+-----------+---------------------------+-------+-------------------------------------------------+-----+------+-------------+
> | 27 |         1 | *.0.3.7.7.4.4.e164.sip.mn | NAPTR | 2 10 U E2U+sip !^(.*)$!sip:\\1@195.219.240.46!. | 120 | NULL |        NULL |
> | 26 |         1 | *.0.3.7.7.4.4.e164.sip.mn | NAPTR | 2 10 U E2U+sip !^(.*)$!sip:\\1@195.219.240.50!. | 120 | NULL |        NULL |
> +----+-----------+---------------------------+-------+-------------------------------------------------+-----+------+-------------+
>
> Can I add both 2 10 U E2U+sip !^(.*)$!sip:\\1@195.219.240.46!. and 2 10 U E2U+sip !^(.*)$!sip:\\1@195.219.240.50!. into the content of id 27 without breaking a query?

No, this will not work. One database row is one DNS record, there are no exceptions to this. What problem are you trying to solve by combining the records?

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
[Pdns-users] DNS names and strings (was: PowerDNS development plans: 4.x DNSSEC, C++ 2011!)
bert hubert wrote:

> In this post, we’d like to share our current plans for .. PowerDNS 4.x!

Glad to read all your plans.

> * We treat DNS names as ASCII strings, which we escape and unescape repeatedly. DNS names are not ascii strings, and we keep finding issues related to us treating them like strings.

Unfortunately the term string is used in many different ways. Could you please elaborate on what that means exactly? E.g. will this affect the way NON-ASCII DNS names are stored in backend files?

Ciao, Michael.
Re: [Pdns-users] Reply-To Change?
On Mon, Feb 23, 2015 at 12:48:49PM -0600, Nicholas Williams wrote:

> This frequently trips me up a lot, and I end up replying directly to people and not sending to the list. I don't see any good reason for not having a list reply-to. Also, IIRC, the list software PowerDNS is using supports having a list reply-to.

Oddly enough, the lists we are on do it 'our' way. We rather have it err to your reply being more private than you intended than being more public than you intended.

> Can we get this change implemented?

Probably not - this has been the setting for 15 years, we've not heard more complaints.

Sorry!

Bert
Re: [Pdns-users] DNS names and strings (was: PowerDNS development plans: 4.x DNSSEC, C++ 2011!)
On Mon, Feb 23, 2015 at 12:44:54PM -0600, Nicholas Williams wrote:

> I'm also very interested in finding out more about the change around ASCII names.

I can recommend our ever growing set of test cases: https://github.com/ahupowerdns/pdns/blob/dnsname/pdns/test-dnsname_cc.cc

DNS, surprisingly, is 8-bit clean. You can put any stream of octets in DNS (up to a certain length). However, this is not how we print it. http://www.ietf.org/rfc/rfc4343.txt has some words on this.

> Unfortunately the term string is used in many different ways. Could you please elaborate on what that means exactly? E.g. will this affect the way NON-ASCII DNS names are stored in backend files?

No, it is not intended to make any changes, except for where we got it wrong. We internally have loads of places where we convert to and from (un)escaped versions, add dots, remove dots etc. We get it wrong in some places now.

Bert
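To make the "names are octets, not strings" point concrete, here is an added Python example; it is not PowerDNS code and not the test file Bert links above, just an illustration written for this page. It keeps a DNS name as a list of raw octet labels and does escaping exactly once, at the presentation-format boundary, which is what a string-based representation that escapes and unescapes repeatedly gets wrong: a label containing a literal dot, a backslash or a zero byte survives wire and text round-trips intact, equality folds only ASCII letters as RFC 4343 specifies, and compression pointers in the wire form are required to point backwards so that a pointer loop or forward reference in a hostile packet is rejected instead of spinning the parser. All names used in the comments are illustrative.

```python
"""Added example, not PowerDNS code: a DNS name kept as a sequence of octet
labels rather than as an escaped text string.  Case folding and escaping follow
RFC 4343; wire parsing follows RFC 1035 including compression pointers."""


class DNSName:
    def __init__(self, labels):
        self.labels = [bytes(label) for label in labels]
        for label in self.labels:
            if not 1 <= len(label) <= 63:
                raise ValueError("label length must be 1..63 octets")
        if len(self.to_wire()) > 255:
            raise ValueError("name longer than 255 octets")

    # --- wire format (RFC 1035 section 3.1 and 4.1.4) ---
    def to_wire(self):
        return b"".join(bytes([len(l)]) + l for l in self.labels) + b"\x00"

    @classmethod
    def from_wire(cls, data, offset=0):
        """Decode a name starting at offset; returns (name, offset after name).
        Pointers must point strictly backwards, so pointer loops and forward
        references (both seen in malformed packets) are a hard error."""
        labels, end, jumped = [], None, False
        while True:
            if offset >= len(data):
                raise ValueError("truncated name")
            length = data[offset]
            if length & 0xC0 == 0xC0:
                if offset + 1 >= len(data):
                    raise ValueError("truncated pointer")
                target = ((length & 0x3F) << 8) | data[offset + 1]
                if target >= offset:
                    raise ValueError("compression pointer does not point backwards")
                if not jumped:
                    end = offset + 2  # the name in the packet ends after the first pointer
                jumped, offset = True, target
                continue
            if length & 0xC0:
                raise ValueError("reserved label type")
            offset += 1
            if length == 0:
                return cls(labels), (end if jumped else offset)
            label = data[offset:offset + length]
            if len(label) != length:
                raise ValueError("truncated label")
            labels.append(label)
            offset += length

    # --- presentation format (RFC 1035 section 5.1, RFC 4343 section 2.1) ---
    @classmethod
    def from_text(cls, text):
        if text in ("", "."):
            return cls([])
        labels, current, i = [], bytearray(), 0
        while i < len(text):
            ch = text[i]
            if ch == "\\":
                digits = text[i + 1:i + 4]
                if len(digits) == 3 and digits.isdigit():
                    value = int(digits)
                    if value > 255:
                        raise ValueError("\\DDD escape out of range")
                    current.append(value)
                    i += 4
                elif i + 1 < len(text):
                    current.append(ord(text[i + 1]))  # covers \. and \\ and any other escaped char
                    i += 2
                else:
                    raise ValueError("dangling backslash")
            elif ch == ".":
                labels.append(bytes(current))  # an empty label here is rejected by __init__
                current = bytearray()
                i += 1
            elif ord(ch) < 128:
                current.append(ord(ch))
                i += 1
            else:
                raise ValueError("non-ASCII text must be written as \\DDD escapes")
        if current:
            labels.append(bytes(current))
        return cls(labels)

    def to_text(self):
        """Escape so the text form is unambiguous: '.' and backslash inside a
        label get a backslash, anything outside printable ASCII becomes \\DDD."""
        out = []
        for label in self.labels:
            piece = []
            for b in label:
                if b in (0x2E, 0x5C):
                    piece.append("\\" + chr(b))
                elif 0x21 <= b <= 0x7E:
                    piece.append(chr(b))
                else:
                    piece.append("\\%03d" % b)
            out.append("".join(piece))
        return ".".join(out) + "."

    # --- comparison: case-insensitive on ASCII letters only (RFC 4343 section 3) ---
    def canonical(self):
        return tuple(label.lower() for label in self.labels)  # bytes.lower() folds A-Z only

    def __eq__(self, other):
        return isinstance(other, DNSName) and self.canonical() == other.canonical()

    def __hash__(self):
        return hash(self.canonical())

    def __repr__(self):
        return "DNSName(%r)" % self.to_text()
```

The two places where string-based code typically breaks are both visible here: `DNSName.from_text(r"a\.b.example.")` yields the two labels `a.b` and `example`, and `to_text()` puts the backslash back, whereas splitting on "." after unescaping would turn it into three labels; and `from_wire` takes an offset and returns one, so names embedded in rdata or behind compression pointers are decoded without ever building an intermediate escaped string.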