Re: [Pdns-users] Slave DNSKeys
Peter van Dijk wrote:
> (2) it looks like your RRSIGs and KSK DNSKEY on the slave are truncated; we recommend increasing the size of the 'content' column in the records table (see our upgrade notes https://doc.powerdns.com/md/authoritative/upgrading/ )

(Sigh!) I really wonder why the LDAP backend is not improved to support DNSSEC. It's so much easier to set up an LDAP server with multi-master and two-tier replication than a MySQL server. And attributes are of variable length by default.

Ciao, Michael.

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] AXFR Crashes

Hello Mark,

On 28 Feb 2015, at 0:09, Mark Moseley moseleym...@gmail.com wrote:
> It's actually more likely I'm an idiot. I forgot to remove a custom 'gmysql-list-query' query from when I was trying to make pdns 3.4 work with the 2.9.x schema (and gave up -- but forgot to remove the query from the config at the time). Removing it makes AXFRs work just fine.
> Amazing that no matter how long you look for, it never fails that you find the answer right after you post to a public forum :) There's got to be some sort of sysadmin law for that, a la Murphy's Law.

Thank you for owning up on this ;)

Even though this was a misconfiguration, I feel PowerDNS should not die as terribly as it did. Do you think you can file a ticket with reproduction information? Thanks!

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
Re: [Pdns-users] Do I need to run pdnssec something when removing a zone?
Hello Nick,

On 27 Feb 2015, at 19:27, Nick Williams nicho...@nicholaswilliams.net wrote:
> I've recently enabled DNSSEC with the MySQL backend. I'm using the MySQL backend for everything (including storage of zones/records). If I remove a zone completely from the MySQL domains/records tables (all data deleted), do I need to also A) run pdnssec something, B) delete anything else from MySQL, or C) both?

You could (A) use pdnssec to remove the keys, unset nsec3, etc., but it would be tedious yet non-exhaustive. Instead, if you're doing DELETEs in MySQL anyway, clean out domainmetadata and cryptokeys based on the domain_id - and while you're at it, perhaps clean up in the comments table as well.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
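The clean-up Peter describes, written out as an added example (not Peter's code and not part of PowerDNS): one MySQL transaction that removes a zone together with every row that references its domain_id. It assumes the 3.4 gmysql schema, where records, domainmetadata, cryptokeys and comments each carry a domain_id column pointing at domains.id; the zone name is a constructed sample. Removing cryptokeys matters beyond tidiness, since that table holds the zone's private signing keys. The one thing no database statement can do is withdraw the DS record published at the parent; that has to be removed with the registrar or parent operator, or the name stays flagged as signed after the zone is gone.

```sql
-- Added example: delete a zone and all of its DNSSEC-related rows.
-- Assumes the PowerDNS 3.4 gmysql schema (domain_id columns on every table below).
SET @zone = 'example.com';  -- constructed sample zone name

START TRANSACTION;

-- Lock the domains row and capture its id. If the zone does not exist,
-- @id stays NULL and every "domain_id = @id" below matches nothing,
-- so a typo in the zone name deletes no data.
SELECT id INTO @id FROM domains WHERE name = @zone FOR UPDATE;

DELETE FROM records        WHERE domain_id = @id;  -- RRs, incl. stored RRSIG/DNSKEY on slaves
DELETE FROM domainmetadata WHERE domain_id = @id;  -- NSEC3PARAM, PRESIGNED, TSIG/AXFR settings
DELETE FROM cryptokeys     WHERE domain_id = @id;  -- KSK/ZSK private key material
DELETE FROM comments       WHERE domain_id = @id;  -- record comments (3.4 feature)
DELETE FROM domains        WHERE id = @id;

COMMIT;

-- Verification: every count should be 0 for the removed zone.
SELECT 'records'        AS tbl, COUNT(*) AS remaining FROM records        WHERE domain_id = @id
UNION ALL
SELECT 'domainmetadata',        COUNT(*)              FROM domainmetadata WHERE domain_id = @id
UNION ALL
SELECT 'cryptokeys',            COUNT(*)              FROM cryptokeys     WHERE domain_id = @id
UNION ALL
SELECT 'comments',              COUNT(*)              FROM comments       WHERE domain_id = @id
UNION ALL
SELECT 'domains',               COUNT(*)              FROM domains        WHERE id = @id;
```

Run it from the mysql client as the PowerDNS database user; the verification query at the end is the check to keep in a runbook, because a leftover cryptokeys row is invisible to the zone's users but still a live private key on disk.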
Re: [Pdns-users] Slave DNSKeys
Hoi Maurice,

On 27 Feb 2015, at 9:44, Maurice Sienema msien...@unet.nl wrote:
> We are testing with DNSSEC on our PowerDNS setup; everything seems to be working except the slave server isn't using the DNSKEY set from the master. Am I missing the concept and should I register both keys at the parent zone, or is the slave capable of using the key set from the master? See here what is going wrong: http://dnsviz.net/d/uned.nl/dnssec/
> Some details about the setup:
> Both servers running PowerDNS version 3.1 (standard Debian wheezy package)
> Both servers are running gmysql back-end connected to a local database
> NS1 is a supermaster for NS2, zone updates are done by NOTIFY/AXFR

(1) when using DNSSEC, we strongly recommend upgrading PowerDNS to a 3.4.x release. Packages are available at https://www.powerdns.com/downloads.html

(2) it looks like your RRSIGs and KSK DNSKEY on the slave are truncated; we recommend increasing the size of the 'content' column in the records table (see our upgrade notes https://doc.powerdns.com/md/authoritative/upgrading/ )

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
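Peter's point (2), and Michael's follow-up about the same thread earlier on this page, both come down to a records.content column that is narrower than a DNSKEY or RRSIG. The following is an added example (not from the thread and not PowerDNS' own tooling) of how to confirm that diagnosis in MySQL and then widen the column. It assumes the gmysql schema (records with domain_id, name, type, content) and that the old column width was 255 characters, as in the 2.9-era schema; read the actual width from step 1 and substitute it in step 2. The 64000 width in step 3 is the value I recall from the 3.4 upgrade notes; confirm it against the notes linked above before running it.

```sql
-- Added example: detect and repair truncated DNSSEC records on a gmysql slave.
-- Step 1: how wide is records.content right now?
SELECT COLUMN_NAME, DATA_TYPE, CHARACTER_MAXIMUM_LENGTH
  FROM information_schema.COLUMNS
 WHERE TABLE_SCHEMA = DATABASE()
   AND TABLE_NAME   = 'records'
   AND COLUMN_NAME  = 'content';

-- Step 2: DNSSEC records whose stored content exactly fills the column.
-- Base64 key and signature material that stops precisely at the column
-- width is almost certainly cut off rather than coincidentally that long.
-- (255 is the assumed old width; replace it with the value from step 1.)
SELECT d.name AS zone, r.name, r.type, CHAR_LENGTH(r.content) AS len
  FROM records r
  JOIN domains d ON d.id = r.domain_id
 WHERE r.type IN ('DNSKEY', 'RRSIG', 'NSEC3PARAM')
   AND CHAR_LENGTH(r.content) >= 255
 ORDER BY len DESC;

-- Step 3: widen the column so full-length DNSKEY/RRSIG content fits.
ALTER TABLE records MODIFY content VARCHAR(64000) DEFAULT NULL;

-- Step 4: rows that were already truncated cannot be repaired in place.
-- Trigger a fresh zone transfer on the slave so the master's complete
-- records overwrite them, e.g.  pdns_control retrieve uned.nl
-- then re-run step 2 and expect zero rows.
```

Until step 3 is done, any slave that stores signatures (a presigned slave, as here) will silently serve broken RRSIGs, which dnsviz reports as validation failures; the query in step 2 turns that symptom into a concrete row count you can check before and after the fix.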
[Pdns-users] PowerDNS Authoritative Server 3.4.3 released
Hi everybody,

We're pleased to announce the immediate availability of the PowerDNS Authoritative Server version 3.4.3. This release is an iteration over 3.4.2, mainly fixing small issues, correcting wrong behavior in tools and adding work to the experimental API.

One major change is the fact we now send REFUSED AA=0 instead of NOERROR AA=1 for domains that we have no knowledge of. Read the blog[1] for more information.

Tar.gz and packages are available on:
* https://downloads.powerdns.com/releases/
* Soon: https://www.monshouwer.eu/download/3rd_party/pdns/ (RHEL/CentOS, with the usual huge thanks to Kees Monshouwer).

The changelog with clickable links can also be found at the usual spot[2].

Bug fixes:
* pdns_control: exit 1 on unknown command (Ruben Kerkhof)
* evaluate KSK ZSK pairs per algorithm (Kees Monshouwer)
* always set di.notified_serial in getAllDomains (Kees Monshouwer)
* pdns_control: don't open socket in /tmp (Ruben Kerkhof)

New features:
* Limit who can send us AXFR notify queries (Ruben Kerkhof)

Improvements:
* respond REFUSED instead of NOERROR for unknown zone situations
* Check for Lua 5.3 (Ruben Kerkhof)
* Check compiler for relro support instead of linker (Ruben Kerkhof)
* Replace PacketHandler with UeberBackend where possible (Christian Hofstaedtler)
* PacketHandler: Share UeberBackend with DNSSECKeeper (Christian Hofstaedtler)
* fix building with GCC 5

1 - http://blog.powerdns.com/2015/03/02/from-noerror-to-refused/
2 - https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-343
Re: [Pdns-users] PowerDNS Authoritative Server 3.4.3 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everybody,

With this message, I'd like to congratulate our newest employee Pieter for doing a PowerDNS release on his first day of work! Even though the trains failed massively this morning in The Netherlands, it all worked out. Welcome to the team Pieter!

We introduced him in our recent blogpost http://blog.powerdns.com/2015/02/12/new-powerdns-employee-the-importance-of-testing-rcs-skipping-3-7-0-world-hosting-days-2015/

Pieter wrote a paper and software on DANE under our mentorship while at the OS3 program at the University of Amsterdam, and later did an amazing job converting our documentation to the splendor you can now find on http://doc.powerdns.com/

Based on this work, we offered Pieter a job and we're very happy he accepted! Pieter (not to be confused with existing employee Peter) will focus on helping customers, improving our code infrastructure, fixing bugs and working on internet standards relevant for DNS.

Bert

On Mon, Mar 02, 2015 at 04:02:53PM +0100, Pieter Lexis wrote:
> [quoted text of the 3.4.3 release announcement, identical to the message above]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlT0fTgACgkQHF7pkNLnFXXR8QCdH7HJexrDi6du4iOOfpFwMEDk
LhoAoLpBiZJ5yCBsxdO3Be2PJOjAuNgY
=Mh7X
-----END PGP SIGNATURE-----
[Pdns-users] Naming hosts with public IPv6 and Private IPv4 addresses
Hello,

I would like to ask for your experience and advice on the following situation:

When we use a private IPv4 subnet (e.g. 10.10.10.0/24) with NAT (to access the Internet) and at the same time (i.e. on the same LAN or VLAN) we use a public IPv6 address space, what should be the naming policy for hosts with dual stack, i.e. with a private IPv4 address and a public IPv6 address?

Naming using public IPv6 addresses leads to public names (e.g. example.com), while naming using private IPv4 addresses leads to private names (e.g. example.local). What is the best way to reconcile the two?

I feel that hosts should not be meant to have double names (in order to avoid management and DNS havoc). A (single) name should be an easy way to address a host, regardless of whether it is using IPv6 or IPv4; this idea is largely defeated if we need to address/recognize (in the local network) a host using a different name in IPv6 and in IPv4.

Thanks in advance for your advice and thoughts.

Nick