[Pdns-users] PowerDNS Recursor 4.0.0 Alpha 2 released

2016-03-09 Thread Pieter Lexis
Hi all,

We're happy to announce the release of the PowerDNS Recursor 4.0.0 Alpha 2.

This release features many low-level performance fixes and restores 
forward-zones functionality.

Changes ([1] has the changelog with clickable links) from 4.0.0-alpha1 are:

#3259, #3280 The PowerDNS Recursor now properly uses GNU autoconf and 
autotools for building and installing
OpenSSL crypto primitives are now used for DNSSEC validation
#3313 Implement the logic we need to generate EDNS MAC fields in dnsdist & 
read them in recursor
#3350 Add lowercase-outgoing feature to Recursor
#3410 Recuweb is now built-in to the daemon
#3230 API: drop JSONP, add web security headers (Christian Hofstaedtler)
#3485 Allow multiple carbon-servers
#3427, #3479, #3472 MTasker modernization (Andrew Nelless)

Bug fixes

#3444, #3442 RPZ IXFR fixes
#3448 Remove edns-subnet-whitelist whitelist pointing to powerdns.com 
(Christian Hofstaedtler)
#3293 make asynchronous UDP Lua queries work again in 4.x
#3365 Apply rcode set in UDPQueryResponse callback (Jan Broers)
#3244 Fix the forward zones in the recursor
#3135 Use 56 bits instead of 64 in EDNS Client Subnet option (Winfried 
Angele)
#3527 Make the recursor counters atomic

Improvements

#3435 Add toStringNoDot and chopOff functions to Lua
#3437 Add pdns.now timeval struct to recursor Lua
#3352 Cache improvements
#3502 Make second argument to pdnslog optional (Thiago Farina)
#3520 Reduce log level of periodic statistics to notice (Jan Broers)

The tarball is available on the download site [2], packages for various 
platforms are available from our repositories[3].

1 - https://doc.powerdns.com/md/changelog/#powerdns-recursor-400-alpha2
2 - https://downloads.powerdns.com/releases/pdns-recursor-4.0.0-alpha2.tar.bz2
3 - https://repo.powerdns.com/

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com


___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] pdns-recursor 0.0.759g02abb90-1 (4.0 master) vs. getent?

2016-03-09 Thread Bit World Computing - Michael Mertel
Hi Pieter,

dnssec=off did the trick indeed. Hope you can fix this, because dnssec was the 
reason I went to 4.x in the first place :)

If I can be of any help here, just let me know.

Best regards.
 
> On 09.03.2016 at 10:05, Pieter Lexis wrote:
> 
> Hi Michael,
> 
> Please keep replies on the mailinglist (mails reproduced below).
> 
> Judging by your log and some of my testing, I think you uncovered a bug in 
> the DNSSEC implementation. Could you try this with `dnssec=off` in the 
> recursor.conf?
> 
> Best regards,
> 
> Pieter
> 
> On Wed, 9 Mar 2016 07:46:49 +0100
> Bit World Computing - Michael Mertel  wrote:
> 
>> Hello Pieter,
>> 
>> thanks for helping me out on this.
>> 
>>> On 08.03.2016 at 18:57, Pieter Lexis wrote:
>>> 
>>> Hello Michael,
>>> 
>>> On Tue, 8 Mar 2016 16:32:26 +0100
>>> Bit World Computing - Michael Mertel  wrote:
>>> 
>>>> I was wondering why an apt-get update cannot resolve repo.powerdns.com, 
>>>> but a ping is able to do so. This only happens if /etc/resolv.conf points 
>>>> to my recursor. If I use 8.8.8.8 as nameserver everything works as 
>>>> expected.
>>>> 
>>>> This is somewhat strange, because 8.8.8.8 is the forwarding dns for my 
>>>> local recursor.
>>> 
>>> Do you use the `forward-zones-recurse`[1] or the `forward-zones`[2] option? 
>>> When forwarding to google (8.8.8.8), the `forward-zone-recurse` option is 
>>> needed (i.e. `forward-zones-recurse=.=8.8.8.8` in your recursor.conf). This 
>>> will set the Recursion Desired-bit on the query sent out. Google sends 
>>> SERVFAIL to clients without the RD-bit set.
>>> 
>> I currently use these forward statements in my recursor.conf:
>> 
>> forward-zones-file=/etc/powerdns/forward-zones
>> forward-zones-recurse=.=8.8.8.8
>> 
>> The forward-zones file points to some internal nameservers, all 8.8.8.8 
>> related is done through forward-zones-recurse.
>> 
>> 
>>> If this is the case and you still have these issues, could you enable the 
>>> `trace`[3] option and query your local resolver for repo.powerdns.com and 
>>> email the traces?
>>> 
>> I attached the trace log, hope it includes everything you need. I tried to 
>> keep the noise as low as possible, but some other systems queried the 
>> recursor as well.
>> 
>>>> Maybe it’s how the apt-get tries to resolve the name? The only thing I 
>>>> found was, that getent is not returning the correct results.
>>> 
>>> apt, ping and getent all seem to use the getaddrinfo(3) call.
>>> 
>> I was 100% sure that a ping worked, but it does not work now, 
>> repo.powerdns.com is not resolving anywhere. repo1.powerdns.com is a 
>> different story:
>> 
>> root@dns-1:/var/log# ping repo.powerdns.com
>> ping: unknown host repo.powerdns.com
>> root@dns-1:/var/log# getent hosts repo1.poerdns.com
>> root@dns-1:/var/log# ping repo1.powerdns.com
>> PING repo1.powerdns.com (188.166.116.224) 56(84) bytes of data.
>> 64 bytes from repo1.powerdns.com (188.166.116.224): icmp_seq=1 ttl=58 
>> time=42.9 ms
>> 64 bytes from repo1.powerdns.com (188.166.116.224): icmp_seq=2 ttl=58 
>> time=42.9 ms
> 
> 
> On Wed, 9 Mar 2016 08:28:05 +0100
> Bit World Computing - Michael Mertel  wrote:
> 
>> Hi Pieter,
>> 
>> sorry I overlooked a typo.
>> 
>> root@dns-1:/var/log# getent  hosts repo.powerdns.com
>> 2a03:b0c0:2:d0::4a4:6001 repo1.powerdns.com repo.powerdns.com
>> root@dns-1:/var/log# getent  hosts repo1.powerdns.com
>> 2a03:b0c0:2:d0::4a4:6001 repo1.powerdns.com
>> 
>> Does this mean my recursor is preferring ipv6 over ipv4. I don’t use ipv6 at 
>> all.
>> 
>> 
> -- 
> Pieter Lexis
> PowerDNS.COM BV -- https://www.powerdns.com



--
IT security solutions from DELL SonicWALL and Sophos from your certified 
partner Bit World Computing.





Michael Mertel
Inhaber / company owner


Bit World Computing e.K.
Wredestraße 18
97082 Wuerzburg
Deutschland / Germany

Fon: +49 (0)931 45335-0
Fax: +49 (0)931 45335-99

E-Mail: michael.mer...@bwc.de 
GoogleTalk / Skype: bwc.michael
Web: http://www.bwc.de 

Amtsgericht Wuerzburg HRA 4937, Ust-ID DE155288065
Geschäftsführer / company owner: Michael Mertel


BWC ... one bit ahead ... since 1993






Re: [Pdns-users] pdns-recursor 0.0.759g02abb90-1 (4.0 master) vs. getent?

2016-03-09 Thread Pieter Lexis
Hi Michael,

Please keep replies on the mailinglist (mails reproduced below).

Judging by your log and some of my testing, I think you uncovered a bug in the 
DNSSEC implementation. Could you try this with `dnssec=off` in the 
recursor.conf?

Best regards,

Pieter

On Wed, 9 Mar 2016 07:46:49 +0100
Bit World Computing - Michael Mertel  wrote:

> Hello Pieter,
> 
> thanks for helping me out on this.
> 
> > On 08.03.2016 at 18:57, Pieter Lexis wrote:
> > 
> > Hello Michael,
> > 
> > On Tue, 8 Mar 2016 16:32:26 +0100
> > Bit World Computing - Michael Mertel  wrote:
> > 
> >> I was wondering why an apt-get update cannot resolve repo.powerdns.com, 
> >> but a ping is able to do so. This only happens if /etc/resolv.conf points 
> >> to my recursor. If I use 8.8.8.8 as nameserver everything works as 
> >> expected.
> >> 
> >> This is somewhat strange, because 8.8.8.8 is the forwarding dns for my 
> >> local recursor.
> > 
> > Do you use the `forward-zones-recurse`[1] or the `forward-zones`[2] option? 
> > When forwarding to google (8.8.8.8), the `forward-zone-recurse` option is 
> > needed (i.e. `forward-zones-recurse=.=8.8.8.8` in your recursor.conf). This 
> > will set the Recursion Desired-bit on the query sent out. Google sends 
> > SERVFAIL to clients without the RD-bit set.
> > 
> I currently use these forward statements in my recursor.conf:
> 
> forward-zones-file=/etc/powerdns/forward-zones
> forward-zones-recurse=.=8.8.8.8
> 
> The forward-zones file points to some internal nameservers, all 8.8.8.8 
> related is done through forward-zones-recurse.
> 
> 
> > If this is the case and you still have these issues, could you enable the 
> > `trace`[3] option and query your local resolver for repo.powerdns.com and 
> > email the traces?
> > 
> I attached the trace log, hope it includes everything you need. I tried to 
> keep the noise as low as possible, but some other systems queried the 
> recursor as well.
> 
> >> Maybe it’s how the apt-get tries to resolve the name? The only thing I 
> >> found was, that getent is not returning the correct results.
> > 
> > apt, ping and getent all seem to use the getaddrinfo(3) call.
> > 
> I was 100% sure that a ping worked, but it does not work now, repo.powerdns.com 
> is not resolving anywhere. repo1.powerdns.com is a different story:
> 
> root@dns-1:/var/log# ping repo.powerdns.com
> ping: unknown host repo.powerdns.com
> root@dns-1:/var/log# getent hosts repo1.poerdns.com
> root@dns-1:/var/log# ping repo1.powerdns.com
> PING repo1.powerdns.com (188.166.116.224) 56(84) bytes of data.
> 64 bytes from repo1.powerdns.com (188.166.116.224): icmp_seq=1 ttl=58 
> time=42.9 ms
> 64 bytes from repo1.powerdns.com (188.166.116.224): icmp_seq=2 ttl=58 
> time=42.9 ms


On Wed, 9 Mar 2016 08:28:05 +0100
Bit World Computing - Michael Mertel  wrote:

> Hi Pieter,
> 
> sorry I overlooked a typo.
> 
> root@dns-1:/var/log# getent  hosts repo.powerdns.com
> 2a03:b0c0:2:d0::4a4:6001 repo1.powerdns.com repo.powerdns.com
> root@dns-1:/var/log# getent  hosts repo1.powerdns.com
> 2a03:b0c0:2:d0::4a4:6001 repo1.powerdns.com
> 
> Does this mean my recursor is preferring ipv6 over ipv4. I don’t use ipv6 at 
> all.
> 
> 
-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
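
The Recursion Desired bit discussed in the message above, shown at the wire level. This is an added example, not part of the thread and not PowerDNS code; it builds the same query with and without RD and decodes the header flags, and the SERVFAIL reply and the transaction ID are constructed sample values.

```python
import struct

RD = 0x0100  # Recursion Desired: bit 8 of the 16-bit flags word (RFC 1035, section 4.1.1)
RA = 0x0080  # Recursion Available (set by the server in responses)
QR = 0x8000  # 0 = query, 1 = response
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, rd, qtype=1, txid=0x1234):
    """Wire-format query for `name`, class IN; qtype 1 is A. txid is a fixed sample value."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(packet):
    """Decode the fixed 12-byte DNS header into the fields relevant here."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "response": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": ancount,
    }


def constructed_servfail(query):
    """Constructed sample reply: echo the query, set QR and RA, copy RD, rcode 2."""
    txid, flags = struct.unpack("!HH", query[:4])
    reply_flags = QR | RA | (flags & RD) | 2
    return struct.pack("!HH", txid, reply_flags) + query[4:]


if __name__ == "__main__":
    for rd in (True, False):
        q = build_query("repo.powerdns.com", rd=rd)
        print("rd=%s flags=0x%s" % (rd, q[2:4].hex()), parse_header(q))
    print(parse_header(constructed_servfail(build_query("repo.powerdns.com", rd=False))))
```

In a packet capture of the recursor's outgoing traffic, the two bytes after the transaction ID are the flags word decoded here.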


Re: [Pdns-users] pdns ddns Performance

2016-03-09 Thread Ruben d'Arco
Thanks for the update! It makes sense. I've logged this as ticket 3528, so 
somebody could have a look at that subzone query behaviour a bit better.


On Tue, Mar 08, 2016 at 09:40:57PM +0100, Thomas Mieslinger wrote:
> Hi,
> 
> maybe you remember my message regarding suboptimal ddns update performance.
> A colleague helped me to identify the list_subzone_query as the performance
> killer.
> 
> The original where clause is
> 
>  disabled=0 and (name='%s' OR name like '%s') and domain_id='%d'
> 
> with
> 
> %.
> 
> as second argument.
> 
> When like is used with a search argument that starts with a wildcard the
> index can not be used.
> 
> Because I know that my records to update have no subzones I short circuit
> query with
> 
> SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE
> disabled=0 and (name='%s' OR 'x'='%s') and domain_id='%d'
> 
> Cheers
> 
> Thomas
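
The index behaviour described in the quoted message, made visible with a query plan. This is an added example, not part of the thread and not PowerDNS code: it uses SQLite's `EXPLAIN QUERY PLAN` as a stand-in for the MySQL backend, a cut-down `records` table with only a name index, and assumes the LIKE pattern is `%.` followed by the record name.

```python
import sqlite3

# Cut-down stand-in for the gsql "records" table (assumption: only an index on name).
SCHEMA = """
CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER, name TEXT,
    type TEXT, content TEXT, ttl INTEGER, prio INTEGER,
    disabled INTEGER DEFAULT 0, auth INTEGER DEFAULT 1);
CREATE INDEX rec_name_index ON records(name);
"""
COLS = "content,ttl,prio,type,domain_id,disabled,name,auth"
# WHERE clause quoted in the thread, with placeholders instead of %s / %d.
SUBZONE = (f"SELECT {COLS} FROM records WHERE disabled=0 "
           "and (name=? OR name like ?) and domain_id=?")
# Exact-match branch on its own, for comparison.
EXACT = f"SELECT {COLS} FROM records WHERE disabled=0 and name=? and domain_id=?"


def make_db():
    """In-memory database with a few constructed sample records and no subzones."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [(1, f"host{i}.example.com", "A", f"192.0.2.{i}", 300, 0) for i in range(1, 6)]
    conn.executemany("INSERT INTO records (domain_id,name,type,content,ttl,prio) "
                     "VALUES (?,?,?,?,?,?)", rows)
    return conn


def plan(conn, sql, params):
    """Detail column of EXPLAIN QUERY PLAN: SCAN = full scan, SEARCH = index lookup."""
    return [row[3] for row in conn.execute("EXPLAIN QUERY PLAN " + sql, params)]


def compare(name, domain_id=1):
    """Plans for both queries, and whether they return the same rows for `name`."""
    conn = make_db()
    sub_args = (name, "%." + name, domain_id)   # assumed pattern: "%." + name
    exact_args = (name, domain_id)
    same = (conn.execute(SUBZONE, sub_args).fetchall()
            == conn.execute(EXACT, exact_args).fetchall())
    return {"subzone_plan": plan(conn, SUBZONE, sub_args),
            "exact_plan": plan(conn, EXACT, exact_args),
            "same_rows": same}


if __name__ == "__main__":
    for key, value in compare("host3.example.com").items():
        print(key, value)
```

On MySQL the equivalent check is `EXPLAIN` on the same statement; query planners differ between engines, so confirm the plan on the backend actually in use.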


Re: [Pdns-users] powerdns authoritative 4.0.0 alpha stops working from time to time

2016-03-09 Thread Chris

Hi,

I too have run into this issue today. I can reproduce it easily.

Running 4.0.0~alpha2-1pdns.jessie with the MySQL backend. I restart the 
MySQL server. After it is done restarting any queries to PowerDNS return 
a SERVFAIL with this line logged first:


Backend reported condition which prevented lookup (GSQLBackend lookup 
query: Could not execute mysql statement: SELECT 
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE 
disabled=0 and type=? and name=?: Lost connection to MySQL server during 
query) sending out servfail


Subsequent queries then log:

Backend reported condition which prevented lookup (GSQLBackend lookup 
query: Attempt to bind more parameters than query has: SELECT 
content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE 
disabled=0 and type=? and name=?) sending out servfail


Restarting PowerDNS fixes it.

Thanks