[Pdns-users] PDNS + MySQL results not un-escaped?

2010-01-05 Thread Michael
Hello all,

First time poster, long time SysAdmin :-) intending to convert from Bind.

I have just noticed that PDNS with GMySQL back end does not seem to un-escape 
result records.

Popular MySQL web based admin programs always escape entered data, and 
certainly I can't think of any rationale not to.

However when I go and look on my slave server (running Bind) I see that some 
TXT slave records are escaped rendering them invalid.

I have searched the MySQL site and I can't find a function to unescape the 
data within the query, so as far as I can see it isn't just a simple matter 
of rewriting the queries.

Has someone else found this and if so what did they do about it?

Is this an oversight within the module or do I need to fix something?

Thanks,

Michael
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] PDNS + MySQL results not un-escaped?

2010-01-06 Thread Michael
On Wed, 06 Jan 2010 21:56:08 you wrote:
> Hi Michael
>
> > When I enter a DKIM or Domain Keys record, which requires use of ';', the
> > records on the secondary name server have this character escaped with
> > '\', as to be expected.
> >
> > As this character has a special meaning in MySQL I would think the simple
> > answer would be to unescape it prior to returning the RR.
>
> This is a common misunderstanding of web developers that escaping in MySQL
> is done by adding backslashes. Instead, escaping is done by calling
> mysql_real_escape(), which prepares the string to be safe when storing it
> to the database but when fetching the string again, it will be the same as
> before calling mysql_real_escape(). Therefore, if a web application adds
> backslashes it corrupts the record and this has to be considered as bug of
> the web application.

Ok, so is there any downside to adding an unescape to the code and could this 
be done by the programmers?

I didn't write the web based SQL admin... I use the proper MySQL function in 
my own code, but I am not rewriting the web based admin...


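The contrast Leen describes, as an added example that is not code from the thread or from PowerDNS: the same DKIM TXT record is stored once through a hypothetical app_escape() routine (escaping before a driver that quotes again, the behaviour reported for the web admin) and once through plain parameter binding, followed by an audit query for rows that still carry backslashes. sqlite3 stands in for the gmysql records table; the column names follow the generic SQL schema by assumption.

```python
import sqlite3

# Constructed DKIM-style TXT content: the ';' separators are the characters
# the thread reports arriving backslash-escaped on the secondary.
DKIM_TXT = "v=DKIM1; k=rsa; p=EXAMPLEPUBLICKEY"


def app_escape(value: str) -> str:
    """Hypothetical 'escape before insert' routine of a web admin tool: it
    backslashes quotes, backslashes and (as reported in the thread) ';'."""
    return "".join(("\\" + ch) if ch in "\\'\";" else ch for ch in value)


def new_records_db() -> sqlite3.Connection:
    """In-memory stand-in for the gmysql 'records' table (assumption: the
    column names match the PowerDNS generic SQL schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER, "
        "name TEXT, type TEXT, content TEXT, ttl INTEGER)"
    )
    return conn


INSERT = "INSERT INTO records (domain_id, name, type, content, ttl) VALUES (?, ?, ?, ?, ?)"


def insert_pre_escaped(conn: sqlite3.Connection, name: str, content: str) -> None:
    """Wrong: the application escapes the value and then hands it to a driver
    that quotes it again, so the backslashes are stored as data."""
    conn.execute(INSERT, (1, name, "TXT", app_escape(content), 3600))


def insert_bound(conn: sqlite3.Connection, name: str, content: str) -> None:
    """Right: bind the raw value; the driver quotes it on the wire and a later
    SELECT returns exactly what was given."""
    conn.execute(INSERT, (1, name, "TXT", content, 3600))


def stored_content(conn: sqlite3.Connection, name: str):
    row = conn.execute("SELECT content FROM records WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def find_backslashed_txt(conn: sqlite3.Connection):
    """Audit query: TXT rows whose content still carries a backslash, which
    the authoritative server would serve verbatim (and a BIND secondary would
    then show as escaped). In SQLite the literal '\\' is a single backslash;
    MySQL would need '\\\\' because backslash is its escape character."""
    return conn.execute(
        "SELECT name, content FROM records WHERE type = 'TXT' AND instr(content, '\\') > 0"
    ).fetchall()


def demo():
    """Store the same DKIM record both ways and audit the result."""
    conn = new_records_db()
    insert_pre_escaped(conn, "dkim._domainkey.bad.example", DKIM_TXT)
    insert_bound(conn, "dkim._domainkey.good.example", DKIM_TXT)
    flagged = [name for name, _ in find_backslashed_txt(conn)]
    return (stored_content(conn, "dkim._domainkey.bad.example"),
            stored_content(conn, "dkim._domainkey.good.example"),
            flagged)


if __name__ == "__main__":
    bad, good, flagged = demo()
    print("pre-escaped :", bad)
    print("bound       :", good)
    print("flagged rows:", flagged)
```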


[Pdns-users] Power DNS 2.9.22 compile error while running 'make' command

2010-05-26 Thread Michael
On Slackware 13.0 while running Make:

I have successfully configured, compiled (and happily running) this on 2 other 
Slackware machines - one running 12.0 and the other 13.0, and I really am not 
sure what the difference between them is.

In all instances Boost 1.41 is used and configure is run as follows:
CXXFLAGS=-I/root/boost_1_41_0 \
./configure \
--sysconfdir=/usr/local/etc \
--localstatedir=/var/run \
--with-mysql=/usr/local/mysql \
--with-mysql-lib=/usr/local/lib/mysql \
--with-mysql-includes=/usr/local/include/mysql

On the problematic machine configure runs fine, but when I run Make I get the 
following error:

if 
g++ -DHAVE_CONFIG_H -I. -I. -I../../.. -I../.. -pthread   -D_GNU_SOURCE 
-I/root/boost_1_41_0 -Wall -O2 -MT 
rcpgenerator.o -MD -MP -MF .deps/rcpgenerator.Tpo -c -o rcpgenerator.o 
`test -f '../../rcpgenerator.cc' || echo './'`../../rcpgenerator.cc; \
then mv -f .deps/rcpgenerator.Tpo .deps/rcpgenerator.Po; else 
rm -f .deps/rcpgenerator.Tpo; exit 1; fi
../../rcpgenerator.cc: In member function 'void 
RecordTextReader::xfrTime(uint32_t)':
../../rcpgenerator.cc:75: error: 'sscanf' was not declared in this scope
../../rcpgenerator.cc: In member function 'void 
RecordTextWriter::xfrTime(const uint32_t)':
../../rcpgenerator.cc:363: error: 'snprintf' was not declared in this scope
../../rcpgenerator.cc: In member function 'void 
RecordTextWriter::xfrHexBlob(const std::string)':
../../rcpgenerator.cc:415: error: 'snprintf' was not declared in this scope
make[4]: *** [rcpgenerator.o] Error 1
make[4]: Leaving directory `/root/pdns-2.9.22/pdns/backends/bind'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/pdns-2.9.22/pdns/backends'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/pdns-2.9.22/pdns'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/pdns-2.9.22'
make: *** [all] Error 2


Re: [Pdns-users] Power DNS 2.9.22 compile error while running 'make' command

2010-06-01 Thread Michael
On Thu, 27 May 2010 06:05:58 you wrote:
> On Thu, May 27, 2010 at 12:41:09AM +1200, Michael wrote:
> > On Slackware 13.0 while running Make:
> >
> > I have successfully configured, compiled (and happily running) this on 2
> > other Slackware machines - one running 12.0 and the other 13.0, and I
> > really am not sure what the difference between them is.
>
> Michael,
>
> The difference is the gcc version. More recent versions have changed their
> 'include' hierarchy.
>
> Try adding #include <stdio.h> to the list of other includes in the file
> rcpgenerator.cc.
>
> The upcoming pdns 3.0 has these fixes for newer gcc's included already.

I have tried this and it's now spitting the following error:

../dnsparser.cc; \
then mv -f .deps/dnsparser.Tpo .deps/dnsparser.Po; else 
rm -f .deps/dnsparser.Tpo; exit 1; fi
../../dnsparser.cc: In member function 'virtual std::string 
UnknownRecordContent::getZoneRepresentation() const':
../../dnsparser.cc:46: error: 'snprintf' was not declared in this scope
../../dnsparser.cc: In member function 'virtual void 
UnknownRecordContent::toPacket(DNSPacketWriter)':
../../dnsparser.cc:67: error: 'sscanf' was not declared in this scope
make[4]: *** [dnsparser.o] Error 1
make[4]: Leaving directory `/root/pdns-2.9.22/pdns/backends/bind'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/pdns-2.9.22/pdns/backends'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/pdns-2.9.22/pdns'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/pdns-2.9.22'
make: *** [all] Error 2
r...@hostname:~/pdns-2.9.22#  


[Pdns-users] FIXED - Power DNS 2.9.22 compile error while running 'make' command

2010-06-02 Thread Michael
On Thu, 27 May 2010 04:59:59 David Hawthorne wrote:
> I ran into this on ubuntu as well, with all the dependencies properly
> installed tyvm.
>
> ../../rcpgenerator.cc: In member function ‘void
> RecordTextReader::xfrTime(uint32_t)’: ../../rcpgenerator.cc:75: error:
> ‘sscanf’ was not declared in this scope ../../rcpgenerator.cc: In member
> function ‘void RecordTextWriter::xfrTime(const uint32_t)’:
> ../../rcpgenerator.cc:363: error: ‘snprintf’ was not declared in this scope
> ../../rcpgenerator.cc: In member function ‘void
> RecordTextWriter::xfrHexBlob(const std::string)’:
> ../../rcpgenerator.cc:415: error: ‘snprintf’ was not declared in this scope
>
> It requires #include <cstdio> to fix.
>
> Same with:
>
> ../../dnsparser.cc: In member function ‘virtual std::string
> UnknownRecordContent::getZoneRepresentation() const’:
> ../../dnsparser.cc:46: error: ‘snprintf’ was not declared in this scope
> ../../dnsparser.cc: In member function ‘virtual void
> UnknownRecordContent::toPacket(DNSPacketWriter)’: ../../dnsparser.cc:67:
> error: ‘sscanf’ was not declared in this scope
>
> Just requires #include <cstdio> to fix.  I put it in dnsparser.hh.

This information was what I needed - thanks :-)


[Pdns-users] MySQL docs bug?

2010-06-02 Thread Michael
The following does not work:

CONSTRAINT `records_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `domains`
(`id`) ON DELETE CASCADE
http://docs.powerdns.com/generic-mypgsql-backends.html


[Pdns-users] PowerDNS Recursor does not provide correct answer to Postfix

2016-08-18 Thread Michael

Hi all,

I have been using pdns_recursor package on my Ubuntu 14.04 quite some  
time to resolve host names locally. That worked fine for the entire  
system.


Last week I updated to Ubuntu 16.04. So I have a new Postfix version  
(3.1.0) as well as a new pdns_recursor version (4.0.0-alpha2).


Since this update Postfix does not receive correct answers for a  
particular query anymore. Concretely, queries for A entries of  
Office365 mail servers.


For example, if Postfix asks for the A entry of  
nxp-com.mail.protection.outlook.com, pdns_recursor returns to Postfix  
that there does not exist an A record.
However, if I manually do this query with dig, I do get a correct  
answer. Please see the logs at the end of the mail.


Besides the queries of Office365 mail servers, the rest is working  
fine. I have no idea how to track down that issue. Is there any  
setting in pdns_recursor I have to change?


Thanks,
Michael


Postfix log
===========
Aug 15 18:21:07 mx0 postfix/qmgr[2715]: 39EF2A40EA2: from=<m...@michi.su>, size=865, nrcpt=1 (queue active)
Aug 15 18:21:08 mx0 postfix/smtp[2907]: warning: no MX host for nxp.com has a valid address record
Aug 15 18:21:08 mx0 postfix/smtp[2907]: 39EF2A40EA2: to=<t...@nxp.com>, relay=none, delay=1492, delays=1492/0.12/0.81/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=nxp-com.mail.protection.outlook.com type=A: Host not found, try again)
===========

pdns_recursor log after Postfix query
===========
Aug 15 18:21:07 mx0 pdns_recursor[2512]: 1 [16/1] question for 'nxp.com.|MX' from 127.0.0.1
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 1 [16/2] answer to question 'nxp.com.|MX': 1 answers, 0 additional, took 2 packets, 147.186 ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] question for 'nxp-com.mail.protection.outlook.com.|A' from 127.0.0.1
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] answer to question 'nxp-com.mail.protection.outlook.com.|A': 0 answers, 1 additional, took 9 packets, 595.218 ms, 3 throttled, 0 timeouts, 0 tcp connections, rcode=2
===========

pdns_recursor log after dig query
===========
Aug 15 17:52:20 mx0 pdns_recursor[2520]: 2 [53/1] question for 'nxp-com.mail.protection.outlook.com.|A' from 127.0.0.1
Aug 15 17:52:21 mx0 pdns_recursor[2520]: 2 [53/1] answer to question 'nxp-com.mail.protection.outlook.com.|A': 2 answers, 1 additional, took 2 packets, 111.056 ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
===========

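A small parser for the pdns_recursor "answer to question" lines quoted above, added here as an example (it is not code from the thread or from PowerDNS): it extracts rcode, answer count and throttling per lookup, flags the answers a mail server would see as failures, and reports names that received different rcodes on different lookups, which is the Postfix-versus-dig split visible in the logs. The sample log is constructed in the shape of the lines above; the RCODE names are the standard DNS ones.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the pdns_recursor lines quoted above:
# the Postfix-triggered lookup (rcode=2, three throttled packets) and the
# later dig-triggered lookup of the same name (rcode=0).
SAMPLE_LOG = """\
Aug 15 18:21:07 mx0 pdns_recursor[2512]: 1 [16/1] question for 'nxp.com.|MX' from 127.0.0.1
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 1 [16/2] answer to question 'nxp.com.|MX': 1 answers, 0 additional, took 2 packets, 147.186 ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] question for 'nxp-com.mail.protection.outlook.com.|A' from 127.0.0.1
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] answer to question 'nxp-com.mail.protection.outlook.com.|A': 0 answers, 1 additional, took 9 packets, 595.218 ms, 3 throttled, 0 timeouts, 0 tcp connections, rcode=2
Aug 15 17:52:21 mx0 pdns_recursor[2520]: 2 [53/1] answer to question 'nxp-com.mail.protection.outlook.com.|A': 2 answers, 1 additional, took 2 packets, 111.056 ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
"""

ANSWER_RE = re.compile(
    r"pdns_recursor\[(?P<pid>\d+)\]: \d+ \[\d+/\d+\] answer to question "
    r"'(?P<qname>[^'|]+)\|(?P<qtype>[A-Z0-9]+)': (?P<answers>\d+) answers, "
    r"(?P<additional>\d+) additional, took (?P<packets>\d+) packets, "
    r"(?P<ms>[0-9.]+) ms, (?P<throttled>\d+) throttled, (?P<timeouts>\d+) timeouts, "
    r"(?P<tcp>\d+) tcp connections, rcode=(?P<rcode>\d+)"
)

# Standard DNS RCODE names for the values that show up in recursor logs.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def rcode_name(code: int) -> str:
    return RCODE_NAMES.get(code, f"RCODE{code}")


def parse_answer(line: str):
    """Return the fields of an 'answer to question' line, or None for any
    other line (question lines, unrelated daemons)."""
    m = ANSWER_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "answers", "additional", "packets", "throttled",
                "timeouts", "tcp", "rcode"):
        rec[key] = int(rec[key])
    rec["ms"] = float(rec["ms"])
    return rec


def find_failures(log_text: str):
    """Answers a mail server would treat as a failed lookup: a non-zero
    rcode, or a lookup that needed throttled or timed-out upstream packets."""
    failures = []
    for line in log_text.splitlines():
        rec = parse_answer(line)
        if rec and (rec["rcode"] != 0 or rec["throttled"] or rec["timeouts"]):
            rec["rcode_name"] = rcode_name(rec["rcode"])
            failures.append(rec)
    return failures


def inconsistent_answers(log_text: str):
    """(qname, qtype) pairs that got more than one distinct rcode: the
    pattern in the thread, SERVFAIL for Postfix and NOERROR for dig."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_answer(line)
        if rec:
            seen[(rec["qname"], rec["qtype"])].add(rec["rcode"])
    return {key: codes for key, codes in seen.items() if len(codes) > 1}


if __name__ == "__main__":
    for f in find_failures(SAMPLE_LOG):
        print(f"{f['qname']} {f['qtype']}: {f['rcode_name']}, "
              f"{f['throttled']} throttled, {f['packets']} packets, {f['ms']} ms")
    print(inconsistent_answers(SAMPLE_LOG))
```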


Re: [Pdns-users] PowerDNS Recursor does not provide correct answer to Postfix

2016-08-18 Thread Michael

Hi,

thanks for the answer.

Since I can see the query from Postfix in the logs of PDNS_recursor, I  
assume Postfix is communicating with the recursor correctly.


Here is the content of /var/spool/postfix/etc/resolv.conf

root@mx0:~# cat /var/spool/postfix/etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

Thanks,
Michael

Quoting Leen Besselink <l...@consolejunkie.net>:


Hi,

Sounds like a strange problem.

Just to make sure it's set up correctly.

Could you check that Postfix is talking to PowerDNS Recursor?  
Because Postfix has a separate resolv.conf (which gets updated when  
starting Postfix):


/var/spool/postfix/etc/resolv.conf

On Thu, Aug 18, 2016 at 02:20:25PM +, Michael wrote:






Re: [Pdns-users] PowerDNS Recursor does not provide correct answer to Postfix

2016-08-18 Thread Michael

Quoting Pieter Lexis <pieter.le...@powerdns.com>:


Hi Michael,

On Thu, 18 Aug 2016 14:20:25 +
Michael <m...@michi.su> wrote:


Last week I updated to Ubuntu 16.04. So I have a new Postfix version
(3.1.0) as well as a new pdns_recursor version (4.0.0-alpha2).

Since this update Postfix does not receive correct answers for a
particular query anymore. Concretely, queries for A entries of
Office365 mail servers.

For example, if Postfix asks for the A entry of
nxp-com.mail.protection.outlook.com, pdns_recursor returns to Postfix
that there does not exist an A record.
However, if I manually do this query with dig, I do get a correct
answer. Please see the logs at the end of the mail.

Besides the queries of Office365 mail servers, the rest is working
fine. I have no idea how to track down that issue. Is there any
setting in pdns_recursor I have to change?


Postfix might be asking for DNSSEC, which is finicky in the alpha  
version Ubuntu pulled in. Can you install 4.0.1 from our  
repositories[1] and try again? 4.0.1 has about 5 months more  
development time in it.


Thanks a lot!
Updating to 4.0.1 solved the problem for me.

Regards,
Michael



Re: [Pdns-users] Re: How Do SPF records work in PDNS? (beginner)

2006-11-18 Thread Michael Loftis



--On November 18, 2006 11:27:26 AM -0800 Richard Vernooij 
[EMAIL PROTECTED] wrote:

I thought PRT record is the same? or do i misunderstand. Can you please
explain the difference? and what must i do in my case?

I am going to assume you mean PTR record.  PTR's really only occur in 
.in-addr.arpa zones.  They are for reverse DNS which is not SPF.  Many 
sites do require *VALID* reverse DNS nowadays though, which is very 
different from SPF (which I'll get to in a moment).  A *VALID* rDNS 
consists of a PTR in your provider's .in-addr.arpa zone, as well as a 
matching A record that it points to (PTR means PoinTeR).

SPF is simply a specially formatted TXT record associated with the sending 
domain which states which A, MX, or IP's can send mail on behalf of that 
domain.  If you've got people denying mail because of no SPF record well 
you don't want to send mail to them anyway.  SPF is seriously broken in the 
face of *many* everyday applications, including mailing lists, and remote 
dialup users.

Now if you *have* an SPF record (which again is *NOT* a type of DNS record 
at all, it's a TXT record) and that SPF record is *wrong* I can see some 
net.kook's denying mail based on that.

In my case several people do not get any mail, because their spamfilter
blocks mail from our domains on our servers, due to Reverse or SPF
settings. This is all i can understand, from the error messages.

In my Power admin is no such thing as a SPF TYPE.  only PRT / TXT etc..

I hope it is clear enough for you guys?

Please let me know.

thanks,

Richard.

Richard Vernooij wrote:

I seem to have a problem that many messages from a webserver, or
emailserver do not arrive on certain places.

Now i found that it could be the reason, that i do not have SPF records
for reverse DNS.

SPF has _nothing_ to do with reverse DNS.

Now when i check
http://www.dnsreport.com/tools/dnsreport.ch?domain=domainname.com (after
a day with the real domain)

I still have a warning about not having a spf record.

Well, then your domain does not have an SPF record.

Did you add a record of type SPF to your domain's zone?

--
Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds.
-- Samuel Butler


[Pdns-users] PowerDNS Master/Slave

2007-02-09 Thread Michael Holm

Hi..
I'm trying to set up a PowerDNS server, one acting as master and the other 
one acting as slave... I'm running Debian on both computers..


The problem is that.. when I add a domain in the database on my master 
(10.1.1.248), then I expect my slave (10.1.1.249) to get a notify about 
that.. and add it right away.. but nothing happens..
When I make a lookup on the master everything works fine.. but when I 
ask the slave.. I get no return.


I hope that someone can give me some help.. or some hints of what I 
possibly can do wrong.


My configuration, database and log are below:

master config:
allow-axfr-ips=10.1.1.249
config-dir=/etc/powerdns
daemon=yes
disable-axfr=yes
guardian=yes
launch=gmysql
lazy-recursion=yes
local-address=10.1.1.248
local-port=53
master=yes
module-dir=/usr/lib/powerdns
recursor=MY ISP
setgid=pdns
setuid=pdns
socket-dir=/var/run
version-string=powerdns
include=/etc/powerdns/pdns.d

mysql> select * from domains;
+----+----------+-----------+--------+------------+--------+-----------------+---------+---------+---------------------+
| id | fkuserid | name      | master | last_check | type   | notified_serial | account | reverse | cdatetime           |
+----+----------+-----------+--------+------------+--------+-----------------+---------+---------+---------------------+
|  1 |        1 | sarge.lan | NULL   |       NULL | NATIVE |            NULL | NULL    |       0 | 2007-02-09 14:26:33 |
+----+----------+-----------+--------+------------+--------+-----------------+---------+---------+---------------------+

mysql> select * from records where domain_id=3;
+----+-----------+---------------+------+------------------------------------------+-------+------+-------------+---------------------+----------+
| id | domain_id | name          | type | content                                  | ttl   | prio | change_date | cdatetime           | editable |
+----+-----------+---------------+------+------------------------------------------+-------+------+-------------+---------------------+----------+
| 11 |         1 | sarge.lan     | SOA  | sarge.lan [EMAIL PROTECTED] 2007020902 | 86400 | NULL |        NULL | 2007-02-09 14:26:33 |        0 |
| 12 |         1 | sarge.lan     | NS   | ns1.example.com                          | 86400 | NULL |        NULL | 2007-02-09 14:26:33 |        0 |
| 13 |         1 | sarge.lan     | NS   | ns2.example.com                          | 86400 | NULL |        NULL | 2007-02-09 14:26:33 |        0 |
| 14 |         1 | sarge.lan     | A    | 10.1.1.248                               | 86400 | NULL |        NULL | 2007-02-09 14:26:33 |        1 |
| 15 |         1 | ns1.sarge.lan | A    | 10.1.1.248                               | 86400 | NULL |        NULL | 2007-02-09 14:26:52 |        1 |
| 16 |         1 | ns2.sarge.lan | A    | 10.1.1.249                               | 86400 | NULL |        NULL | 2007-02-09 14:37:02 |        1 |
+----+-----------+---------------+------+------------------------------------------+-------+------+-------------+---------------------+----------+


and the slave:

first the configuration file:
config-dir=/etc/powerdns
daemon=yes
disable-axfr=yes
guardian=yes
launch=gmysql
lazy-recursion=yes
local-address=10.1.1.249
local-port=53
module-dir=/usr/lib/powerdns
recursor=62.199.234.11
setgid=pdns
setuid=pdns
slave=yes
socket-dir=/var/run
version-string=powerdns
include=/etc/powerdns/pdns.d


mysql> select * from supermasters;
+----+------------+------------+---------+---------------------+
| id | ip         | nameserver | account | cdatetime           |
+----+------------+------------+---------+---------------------+
|  1 | 10.1.1.248 | sarge.lan  | NULL    | 2007-02-09 14:20:31 |
+----+------------+------------+---------+---------------------+
1 row in set (0.00 sec)

[EMAIL PROTECTED]:~$ host -a sarge.lan
Trying sarge.lan
Host sarge.lan not found: 3(NXDOMAIN)
Received 102 bytes from 10.1.1.249#53 in 3 ms
[EMAIL PROTECTED]:~$ cat /etc/resolv.conf
nameserver 10.1.1.249
nameserver 10.1.1.248

[EMAIL PROTECTED]:~$ host -a sarge.lan
Trying sarge.lan
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5201
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sarge.lan.                     IN      ANY

;; ANSWER SECTION:
sarge.lan.              86400   IN      SOA     sarge.lan. user.sarge.lan. 2007020902 10800 3600 604800 3600
sarge.lan.              86400   IN      NS      ns2.example.com.
sarge.lan.              86400   IN      NS      ns1.example.com.
sarge.lan.              86400   IN      A       10.1.1.248

Received 140 bytes from 10.1.1.248#53 in 123 ms
[EMAIL PROTECTED]:~$ cat /etc/resolv.conf
nameserver 10.1.1.248
nameserver 10.1.1.249

--
mvh
Michael Holm

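An added replication sanity check, not code from the thread or from PowerDNS, fed with the master and slave configs and the table rows shown in the post above (reduced to the keys it looks at). It applies three PowerDNS rules: only zones of type MASTER are notified to slaves, disable-axfr=yes on the master refuses every zone transfer regardless of allow-axfr-ips, and supermaster provisioning only creates a zone when the notifying IP and one of the zone's NS names together match a supermasters row. Function names and finding codes are my own, and the allow-axfr-ips comparison is exact-match only (no CIDR handling).

```python
# Constructed from the master and slave configs and the table rows shown in
# the post; only the keys the check looks at are kept.
MASTER_CONF = """\
allow-axfr-ips=10.1.1.249
disable-axfr=yes
launch=gmysql
local-address=10.1.1.248
master=yes
"""

SLAVE_CONF = """\
disable-axfr=yes
launch=gmysql
local-address=10.1.1.249
slave=yes
"""

DOMAINS = [{"name": "sarge.lan", "type": "NATIVE"}]              # master's domains table
ZONE_NS = {"sarge.lan": ["ns1.example.com", "ns2.example.com"]}  # NS rows in records
SUPERMASTERS = [{"ip": "10.1.1.248", "nameserver": "sarge.lan"}]  # slave's supermasters


def parse_conf(text: str) -> dict:
    """Parse pdns.conf style key=value lines (comments and blanks ignored)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_yes(conf: dict, key: str) -> bool:
    """PowerDNS boolean setting (assumption: yes/on/true/1 all mean 'on')."""
    return conf.get(key, "no").lower() in ("yes", "on", "true", "1")


def check_replication(master_conf, slave_conf, domains, zone_ns, supermasters):
    """Return 'CODE: explanation' strings for settings that stop the master
    from notifying, the slave from transferring, or supermaster
    auto-provisioning from creating the zone."""
    m, s = parse_conf(master_conf), parse_conf(slave_conf)
    findings = []
    master_ip, slave_ip = m.get("local-address"), s.get("local-address")

    if not is_yes(m, "master"):
        findings.append("MASTER_OFF: master=yes is needed before NOTIFYs are sent")
    if is_yes(m, "disable-axfr"):
        findings.append("AXFR_DISABLED: disable-axfr=yes on the master refuses every "
                        "zone transfer, whatever allow-axfr-ips says")
    allowed = [a.strip() for a in m.get("allow-axfr-ips", "").split(",") if a.strip()]
    if slave_ip and allowed and slave_ip not in allowed:  # exact match only, no CIDR
        findings.append(f"AXFR_ACL: slave {slave_ip} is not in allow-axfr-ips {allowed}")
    if not is_yes(s, "slave"):
        findings.append("SLAVE_OFF: slave=yes is needed before NOTIFYs are acted on")

    sm_by_ip = {row["ip"]: row["nameserver"].rstrip(".").lower() for row in supermasters}
    if master_ip not in sm_by_ip:
        findings.append(f"SUPERMASTER_IP: master {master_ip} is not in the slave's "
                        "supermasters table")

    for dom in domains:
        if dom["type"].upper() != "MASTER":
            findings.append(f"ZONE_TYPE: {dom['name']} is type {dom['type']}; only MASTER "
                            "zones are notified to slaves")
        ns_names = [n.rstrip(".").lower() for n in zone_ns.get(dom["name"], [])]
        expected = sm_by_ip.get(master_ip)
        if expected and expected not in ns_names:
            findings.append(f"SUPERMASTER_NS: supermasters.nameserver '{expected}' for "
                            f"{master_ip} is not one of the NS records of {dom['name']} "
                            f"({', '.join(ns_names) or 'none'}), so the slave will not "
                            "auto-create the zone")
    return findings


def finding_codes(findings):
    """Just the CODE part of each finding, handy for tests and dashboards."""
    return [f.split(":", 1)[0] for f in findings]


if __name__ == "__main__":
    for finding in check_replication(MASTER_CONF, SLAVE_CONF, DOMAINS, ZONE_NS, SUPERMASTERS):
        print(finding)
```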


[Pdns-users] Differing (incorrect) behavior in 2.9.21 for AAAA records versus 2.9.20...

2007-08-11 Thread Michael Loftis
In the presence of a *.domain.com CNAME, 2.9.21, when asked for a more 
specific A record responds appropriately with the A record when an A record 
exists, and NOERROR/no answer for an MX or whatever.  However, when asked 
for an AAAA record, it will respond with the splat/*.domain.com CNAME 
instead.  An example of this is barracuda.neit.edu, ns1.modwest.com is 
running 2.9.20, and ns2.modwest.com is running 2.9.21, ns2 responds 
incorrectly directing traffic to the wrong place.


Any idea when I can see a fix for this behavior?

--
Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds.
-- Samuel Butler


[Pdns-users] SQLite as slave backend

2009-04-22 Thread Michael Svendsen
Hi list

I have searched and searched, but haven't been able to find a solution,
nor been able to investigate it myself.

I have PowerDNS running on master server with MySQL as backend - works like
a charm.

Now I want to set up a slave server with SQLite backend (no access to MySQL
on that server).

Everything is configured correctly, but on the slave site I get this error when
my master server is sending NOTIFY:

Received NOTIFY for example.com from 123.123.123.123 for which we are not
authoritative
gsqlite3: connection to '/etc/pdns/pdns.db' succesful
Backend error: Database error trying to insert new slave 'example.com':
Error while retrieving SQLite query results

Any clues? What should I look for?

Thanks in advance

Regards,

Michael



[Pdns-users] installing powerdns - recurse against root servers

2009-07-21 Thread Michael Holm

Hi,

Now I have been studying the installation for hours.. and still I haven't 
found a way to make a simple setup..


I would like to install pdns-recursor, and have it recurse up against 
the root servers.. but, I just cannot find out how to configure this.


I have a running PowerDNS service, where I have entered my ISP as 
recursor.. but they seem rather unreliable.. so I hope someone can 
help me.. and yes I have read the documentation.. and googled for hours, 
but.. I just can't make the right config :/


Best regards,

--
mvh
Michael Holm



[Pdns-users] Master/Slave replication

2009-08-13 Thread Michael Snyder
I'm a newb, but found PowerDNS and Poweradmin very nice. I'm having a problem 
with my Master not updating my slave. I'm on Ubuntu 9.04 pdns was installed via 
apt, pa was installed via tar, latest version available on the site.

Any help would be graciously accepted.

Michael


[Pdns-users] PowerDNS and DNSSEC

2010-01-25 Thread Michael FROMENT
Hi all,

I've tested DNS packet size with my pdns-recursor and it seems that I cannot
get packet sizes over 512 bytes.
:~# dig +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
Tested at 2010-01-25 14:29:42 UTC
92.103.108.34 lacks EDNS, defaults to 512
92.103.108.34 DNS reply size limit is at least 490

It seems that the DNSSEC version of pdns is in development but what is the
planning for this release?

What is the impact on pdns-recursor with the migration of the G root server
with the dnssec protocol?

Kind regards

Michael


[Pdns-users] EDNS support + default buffer size

2010-03-17 Thread Michael Fincham
Hi all,

I've just tested the PowerDNS Recursor 3.2 with its out of the box
configuration against the tests outlined at
https://www.dns-oarc.net/oarc/services/replysizetest

It seems that EDNS is disabled by default, which is confirmed by the
comment attached to changeset #1430
(http://wiki.powerdns.com/trac/changeset/1430)

Looking at the source it seems in 3.2 an option disable-edns=no was
added which turns EDNS support on. A cursory test here shows that adding
this to the stock config does cause the dns-oarc reply size test to
report a reply size of 1200 vs 512 when EDNS is off.

What is the status of EDNS support? Is it safe to rely on in production
environments? What specifically does the "nothing but trouble" comment
on the changeset refer to?

Also, the buffer size of 1200 appears to be hard coded. Is there any
particular reason for this value? I'm guessing it has to do with
avoiding fragmentation, but it'd be nice to know for sure.

Thanks,
-- 
-Michael Fincham
System Administrator, Unleash
www.unleash.co.nz
Phone: 0800 750 250



Re: [Pdns-users] Possible tcp listener issue

2010-03-29 Thread Michael Presson
Hi,

Simon is off at the moment, the details of our installation are:

Debian Etch (2.6.24-etchnhalf.1-686-bigmem) and Lenny
(2.6.26-2-686-bigmem).  We have used the supplied binary version of 3.2
and are seeing the TCP listener fail every few days (but not at regular
intervals).

If you need any further information please let me know.

Michael


 
> Now I don't know anything about this issue specifically, but it's customary
> to provide some extra information when reporting bugs, what OS and
> OS version are you using for example ?
>
> Did you download a Linux-distribution binary ? What kernel version are
> you using ?
>
> Or did you build from an updated BSD-ports. Did you do your own build ?
> If so, what compiler did you use ? And so on.
>
> Some information would be better than no information. :-)
>
> Just so you know.
>
> Have a nice day,
>  Leen.


-- 
| Michael Presson  Broadband Solutions for |
| Network and Systems LeadHome  Business@ |
| Plusnet PLC www.plus.net |
| Registered in England no:3279013 |
| Registered Office:Internet House, 2 Tenter Street, Sheffield, S1 4BY |
+--- Plusnet - ISPA Best Consumer ISP 2008 +


[Pdns-users] PowerDNSSEC

2010-06-25 Thread Michael Braunoeder

Hi,

I'm currently evaluating the PowerDNSSEC implementation and found 2 issues:

-) Is it possible to disable the signing-on-demand feature? I want the 
powerdns to act as slave to a hidden master which does the signing of 
the domain, and the powerdns should just serve the signed zone (without 
any re-signing and without access to the keys).


-) I tried the PostgreSQL backend, but I always received the following 
error message:  TCP server is unable to launch backends - will try 
again when questions come in: Undefined but needed argument: 
'gpgsql-dnssec'. What is the format of the missing 
'gpgsql-dnssec' parameter I have to add?


Best,
Michael


Re: [Pdns-users] Hidden supermasters

2010-08-06 Thread Michael Fincham
Hi Richard,

On Fri, 2010-08-06 at 15:27 +1000, Richard McLean wrote:
> I have wondered about this. We'd love to implement a hidden supermaster type
> setup, using AXFR, which auto-updates the 4 main name servers, but is *not*
> in the list of name servers for a domain and is not publicly available. Is
> the restriction above able to be worked around or turned off?

I've managed to work around this by adding a config line like:

gsql-supermaster-query=select account from supermasters where ip='%s'

In this setup, only IP addresses need to be listed in the supermasters
table and the other checks are bypassed.

This might need some careful checks if the database schema / the
expected returned field list etc changes at some point in the future.

-- 
-Michael Fincham
System Administrator, Unleash
www.unleash.co.nz



Re: [Pdns-users] Multiple IPs per host name / round robin

2011-02-24 Thread Michael Loftis
The recursive resolver is what clients talk to locally.  AKA a
caching resolver, it's not part of your authoritative infrastructure
at all.  In fact, if you're using your authoritative nameservers as
caching resolvers, you should stop.  For most people the recursive
resolver is provided by their ISP unless they elect to run their own
(like I do) or to use an external one (like OpenDNS or Google's DNS).
What makes them recursive is that they answer queries that aren't
necessarily in their cache or known from zone files by recursing up
the tree until it finds an answer it knows (either from root hints or
previous cached lookups) then works its way back down the tree to
the answer.

On Thu, Feb 24, 2011 at 10:25 AM, PLists jkli...@ifm-services.com wrote:
 Here's your DNS noob question for the day. (I'm not a real sysadmin. I only 
 pretend to be when backed into a corner.)

 I've been running PowerDNS (with a MySQL backend) successfully and happily 
 for a couple of years now. It's really basic stuff, one A record per host 
 name.

 Now I'm in a situation where I need to serve up two possible IP addresses for 
 a certain host name. From my treks through Google, I'm assuming the following:

 1) I simply enter multiple A records into the database, one for each IP.
 2) PowerDNS does not randomize these. [informational]
 3) Recursors are supposed to do this. [informational]

 So all I need to do, really, is enter in the multiple A records.


 What I'm confused about is the role of the recursor. Is it already installed 
 as part of PowerDNS? If not, do I need to install the recursor on my name 
 servers? Does it take over port 53? From reading about recursors, the answer 
 is, No, I think. But I'm not completely sure when one would run a recursor.

 Thanks for making something so simple and reliable. :)





[Pdns-users] pdns generates records when presigned=1 is set

2011-08-09 Thread Michael Braunoeder

Hi,

I noticed a strange DNSSEC behaviour with pdns 3.0 (and the PostgreSQL backend):

I have loaded a zone into the db, the zone is unsigned but the 
domainmetadata presigned is set to 1.


Everything works fine, except if I ask for a non-available record (with the
dnssec-ok flag set in the query); then I receive 2 additional NSEC records:


Without DNSSEC-OK Query flag:

;; QUESTION SECTION:
;.unsigned.at.  IN  A

;; AUTHORITY SECTION:
unsigned.at.      3600  IN  SOA   ns2.at43.at. office.enum.at. 2 1200 3600 604800 600


With DNSSEC-OK Query flag:

;; QUESTION SECTION:
;.unsigned.at.  IN  A

;; AUTHORITY SECTION:
unsigned.at.      3600  IN  SOA   ns2.at43.at. office.enum.at. 2 1200 3600 604800 600
www.unsigned.at.  3600  IN  NSEC  www.unsigned.at. A RRSIG NSEC
unsigned.at.      3600  IN  NSEC  www.unsigned.at. A NS SOA MX RRSIG NSEC DNSKEY


I know this setup (PRESIGNED=1 and an unsigned domain) is an 
undocumented setup, but I think it would be a good feature if PRESIGNED=1 
disabled all automatic record generation and pdns served only the 
records it has configured in its backend. Then it would be possible, if I 
have a lot of slave zones mixed between DNSSEC-signed and 
unsigned, to configure all zones the same way (like in Bind).


Do you have any comments on this?

Best,
Michael



Re: [Pdns-users] PowerDNS in an ISP environment

2011-08-16 Thread Michael Loftis
On Tue, Aug 16, 2011 at 1:38 AM, Chris Russell
chris.russ...@knowledgeit.co.uk wrote:
 Hi All,



 Quick question – is anyone on the list using PDNS in an ISP environment,
 especially for auth services ?

Up until a couple years ago I worked as Sr. SA/Ops Manager at Modwest,
we used PowerDNS then, and they still do today.  Something like 10k or
15k domains at the time, no idea how many today honestly.  As with
many, the draw was a database backend.  There wasn't much else out
there at the time, and certainly nothing stable like PowerDNS.  With
10k+ domains BIND would take a very LONG time to start/restart or even
check for updates.  There were also the headaches involved in
maintaining slave and master zone configs too.  Authoritative DNS
only.  There's a cluster of BIND servers for resolver functionality.
The actual NS records point at load balanced clusters of DNS servers.
To the outside it looks like there are only a handful of
geographically diverse nameservers, in reality there's multiple
PowerDNS servers behind each IP.  Makes doing upgrades REALLY easy,
you just pull one out of the load balancer, upgrade it.  Then you can
do all the testing you want (one thing I did was to play back DNS
queries and observe/systematically check the responses, without
letting any actual traffic out) -- if it doesn't work out you can then
use whatever process you have to roll that machine back and put it
back into the cluster, or, more deeply investigate the failure.  This
was a situation though where there was a very well proven and trusted
load balancer infrastructure in place already so it absolutely made
sense to deploy externally facing DNS services behind this same setup.
 It definitely requires thought to do it that way (chicken-and-egg
scenarios come to mind, you can not have your load balancers depend on
DNS if you're going to run DNS behind them!!!) but it is reliable when
done right.

There have definitely been a few pains here and there.  Some of them
were caused by the fact that wildcard records are used.  Some of the
issues I had were caused by MySQL's sometimes flaky replication,
monitoring them was an absolute must, making sure that they were all
in sync and up to date was also absolutely required.  The benefits far
outweighed the costs at that scale for certain.


[Pdns-users] Additional NSEC3-Record in Response - DNSSEC Validation fails

2011-08-22 Thread Michael Braunoeder

Hi,

I did some more DNSSEC testing and found another bug:

My setup looks like this:

Bind acting as master server, serving a presigned zone.
PDNS 3.0 acting as slave server, PRESIGNED=1 and NSEC3PARAM set in the 
domainmetadata table.


When querying for an undefined record, PDNS adds an additional 
NSEC3 record to the response and validation of the response fails.


Response from Bind:

;; QUESTION SECTION:
;notfound.nsec3test.at. IN  A

;; AUTHORITY SECTION:
nsec3test.at.   600 IN  SOA ns2.at43.at. mib.nic.at. 
3 1200 3600 604800 600
nsec3test.at.   600 IN  RRSIG   SOA 7 2 600 
20110921115504 20110822115504 54530 nsec3test.at. 
CAljGUcw6e2pHiajLF+T0uCNfBrrtF2ZleDKrPe8gWiBOSmrhGPDGRVQ 
NUF5CX07AkBvG1pfoe5IKB4sIri0Un9C7MGznKNgc/1xBnmWBFCYzILS 
8SkFzyyNalYYpvNnhO7q+MpE6kciv3soZbZJ+fl8Y2xibvvvYswO+vPy 0l4=
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN NSEC3 1 1 10 - 
NCH5FA1SAKRN1LLO8EKOK28S80L05EQE NS SOA RRSIG DNSKEY NSEC3PARAM
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN RRSIG NSEC3 7 3 
600 20110921115504 20110822115504 54530 nsec3test.at. 
Z5lAmFDBRLYO2J/l2o1CwYfcuuvSixR26B5GIPTDaNvxRdHkVIJEHctQ 
Hc+4xie3POEed4eZBuYF2mqCCaF0GC5d0D5Y8sJui7Vu3oGxmwWO49vm 
e0WnNL4WiXWUzd0hOEobK/XJn6ObHLscbR5SmupdIdpA5DaJZ1w1VPQp faw=



The same query against the PDNS:

;; QUESTION SECTION:
;notfound.nsec3test.at. IN  A

;; AUTHORITY SECTION:
nsec3test.at.   600 IN  SOA ns2.at43.at. mib.nic.at. 
3 86400 3600 604800 600
nsec3test.at.   600 IN  RRSIG   SOA 7 2 600 
20110921115504 20110822115504 54530 nsec3test.at. 
CAljGUcw6e2pHiajLF+T0uCNfBrrtF2ZleDKrPe8gWiBOSmrhGPDGRVQ 
NUF5CX07AkBvG1pfoe5IKB4sIri0Un9C7MGznKNgc/1xBnmWBFCYzILS 
8SkFzyyNalYYpvNnhO7q+MpE6kciv3soZbZJ+fl8Y2xibvvvYswO+vPy 0l4=
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 0 IN NSEC3 1 1 10 - 
66R3IIGV513QGD458A2S11T0MH3E6IET NS SOA RRSIG DNSKEY NSEC3PARAM
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 600 IN RRSIG NSEC3 7 3 
600 20110921115504 20110822115504 54530 nsec3test.at. 
Z5lAmFDBRLYO2J/l2o1CwYfcuuvSixR26B5GIPTDaNvxRdHkVIJEHctQ 
Hc+4xie3POEed4eZBuYF2mqCCaF0GC5d0D5Y8sJui7Vu3oGxmwWO49vm 
e0WnNL4WiXWUzd0hOEobK/XJn6ObHLscbR5SmupdIdpA5DaJZ1w1VPQp faw=
76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 - 
NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG



The last line is the additional NSEC3-Record.

Can you please have a look?

Thanks in advance and Best,
Michael
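The two reports above (NSEC records generated for an unsigned zone with presigned=1, and an extra, unsigned NSEC3 record with a TTL that disagrees with its RRSIG) can both be caught by the same sanity check on the AUTHORITY section of a negative answer. The following is an added example, not code from the thread or from PowerDNS; it parses dig-style output, and the two samples are constructed from the records shown in the reports with the base64 signature data replaced by short placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: the AUTHORITY section PowerDNS returned in the NSEC3
# report, with the base64 signature data replaced by short placeholders.
PDNS_NSEC3_AUTHORITY = """
;; AUTHORITY SECTION:
nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 86400 3600 604800 600
nsec3test.at. 600 IN RRSIG SOA 7 2 600 20110921115504 20110822115504 54530 nsec3test.at. c2lnMQ==
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 0 IN NSEC3 1 1 10 - 66R3IIGV513QGD458A2S11T0MH3E6IET NS SOA RRSIG DNSKEY NSEC3PARAM
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 600 IN RRSIG NSEC3 7 3 600 20110921115504 20110822115504 54530 nsec3test.at. c2lnMg==
76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG
"""

# Constructed sample: the unsigned zone served with presigned=1 (first report).
PRESIGNED_UNSIGNED_AUTHORITY = """
;; AUTHORITY SECTION:
unsigned.at. 3600 IN SOA ns2.at43.at. office.enum.at. 2 1200 3600 604800 600
www.unsigned.at. 3600 IN NSEC www.unsigned.at. A RRSIG NSEC
unsigned.at. 3600 IN NSEC www.unsigned.at. A NS SOA MX RRSIG NSEC DNSKEY
"""

RR_LINE = re.compile(r"^\S+\.\s+\d+\s+IN\s+\S+")


def parse_rrs(text):
    """Turn dig presentation output into (owner, ttl, type, rdata) tuples.

    ';' lines are comments.  A line that does not start with
    '<owner>. <ttl> IN <type>' continues the previous record, which is how
    dig wraps long SOA and RRSIG rdata."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if RR_LINE.match(line):
            lines.append(line)
        elif lines:
            lines[-1] += " " + line
    parsed = []
    for line in lines:
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        # owner names compare case-insensitively (PowerDNS lower-cases them)
        parsed.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return parsed


def check_authority(text):
    """Return findings as (code, owner, type) tuples.

    'ttl-mismatch': an RRSIG's TTL differs from the RRset it covers
                    (RFC 4034 section 3 requires them to be equal).
    'orphan-rrsig': an RRSIG covers a type that is not in the answer.
    'unsigned':     an NSEC/NSEC3 RRset with no RRSIG covering it, which
                    a validator cannot use as proof of non-existence."""
    rrsets = defaultdict(list)  # (owner, type) -> [(ttl, rdata), ...]
    for owner, ttl, rtype, rdata in parse_rrs(text):
        rrsets[(owner, rtype)].append((ttl, rdata))

    findings, covered = [], set()
    for (owner, rtype), recs in rrsets.items():
        if rtype != "RRSIG":
            continue
        for ttl, rdata in recs:
            type_covered = rdata.split()[0].upper()
            covered.add((owner, type_covered))
            target = rrsets.get((owner, type_covered))
            if target is None:
                findings.append(("orphan-rrsig", owner, type_covered))
            elif {t for t, _ in target} != {ttl}:
                findings.append(("ttl-mismatch", owner, type_covered))
    for (owner, rtype) in rrsets:
        if rtype in ("NSEC", "NSEC3") and (owner, rtype) not in covered:
            findings.append(("unsigned", owner, rtype))
    return findings


if __name__ == "__main__":
    for label, sample in (("presigned unsigned zone", PRESIGNED_UNSIGNED_AUTHORITY),
                          ("pdns nsec3 slave", PDNS_NSEC3_AUTHORITY)):
        print(label)
        for finding in check_authority(sample):
            print("  ", *finding)
```

Run against a live answer by pasting the AUTHORITY section of `dig +dnssec` output into `check_authority`; an empty result means every NSEC/NSEC3 RRset is signed and TTL-consistent.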




Re: [Pdns-users] Bad cache TTL with pdns-resursor

2011-12-29 Thread Michael FROMENT

Hi bert,

Thanks for the answer, I've understood the strange TTL response when the 
answer comes from the packet cache.

Now here is a little more strange problem

;; QUESTION SECTION:
;s4.noelshack.com.  IN  A
;; ANSWER SECTION:
s4.noelshack.com.   3600    IN  CNAME   noelshack.com.
noelshack.com.      3600    IN  A       91.121.63.175

;; QUESTION SECTION:
;s4.noelshack.com.  IN  NS
;; ANSWER SECTION:
s4.noelshack.com.   2175    IN  CNAME   noelshack.com.
noelshack.com.      85974   IN  NS      ns1.afraid.org.
noelshack.com.      85974   IN  NS      ns4.afraid.org.
noelshack.com.      85974   IN  NS      ns2.afraid.org.
noelshack.com.      85974   IN  NS      ns3.afraid.org.

;; QUESTION SECTION:
;noelshack.com. IN  SOA
;; ANSWER SECTION:
noelshack.com.      3535    IN  SOA     ns1.afraid.org. dnsadmin.afraid.org. 1110170003 86400 7200 2419200 3600





The zone noelshack.com. was moved more than a week ago to 
ns-01.odysseeinteractive.com

The correct answer from another pdns_recursor :
#
;; QUESTION SECTION:
;noelshack.com. IN  SOA
;; ANSWER SECTION:
noelshack.com.      86281   IN  SOA     ns-01.odysseeinteractive.com. noc.odysseeinteractive.com. 2011122801 86400 7200 604800 86400

#

The TTL on this zone never goes to 0 and moreover after 1 hour (the 
packet cache duration) it is sometimes increased.
We have around 100 servers and half are affected by this problem... The 
only solution I've found is to wipe the cache for this DNS entry.
There is no reason for this to persist after 1 week, as the TTL on the SOA is only 
86400...


Any ideas?

Kind regards

Michael

On 12/29/2011 04:20 PM, bert hubert wrote:

Hi Michael,

The SOA will indeed probably not go to zero because it will have been
renewed in that time. PowerDNS Recursor 3.3 and later take care to decrement
the TTL when serving contents from the packet cache.

So when you don't see it going down in 3.2, that is correct, and maybe a bit
strange, but not a bug.

Bert


On Thu, Dec 29, 2011 at 10:08:53AM +0100, Michael FROMENT wrote:

Hi,

I have some strange cached TTL on my pdns-recursor ( version 3.2-4 under
debian ).
When I query my recursor the TTL doesn't decrease by 1 second. Moreover the
TTL never goes to 0 so the zone never expire in cache.
As an example:

root@BBK2NS:~# dig soa google.com @89.2.0.1
;; ANSWER SECTION:
google.com. 569 IN  SOA ns1.google.com.
dns-admin.google.com. 1472387 7200 1800 1209600 300

;; Query time: 0 msec
;; SERVER: 89.2.0.1#53(89.2.0.1)
;; WHEN: Thu Dec 29 10:02:46 2011
;; MSG SIZE  rcvd: 78

root@BBK2NS:~# dig soa google.com @89.2.0.1
;; ANSWER SECTION:
google.com. 40  IN  SOA ns1.google.com.
dns-admin.google.com. 1472388 7200 1800 1209600 300

;; Query time: 0 msec
;; SERVER: 89.2.0.1#53(89.2.0.1)
;; WHEN: Thu Dec 29 10:02:47 2011
;; MSG SIZE  rcvd: 78

root@BBK2NS:~# dig soa google.com @89.2.0.1
;; ANSWER SECTION:
google.com. 562 IN  SOA ns1.google.com.
dns-admin.google.com. 1472388 7200 1800 1209600 300

;; Query time: 0 msec
;; SERVER: 89.2.0.1#53(89.2.0.1)
;; WHEN: Thu Dec 29 10:04:08 2011
;; MSG SIZE  rcvd: 78

Is this a known bug on the recursor?

Kind Regards

Michael




Re: [Pdns-users] Bad cache TTL with pdns-resursor

2011-12-29 Thread Michael FROMENT

Hi David,

Thanks for the bug related link and the solution...
We will upgrade our recursor asap.
Nice to meet you on another mailing list... as you can see we were on 
the problem


Regards

Michael

On 12/29/2011 05:08 PM, GAVARRET, David wrote:

On Thu, Dec 29, 2011, Michael FROMENT wrote:

Hi bert,

Thanks for the answer, I've understood the strange TTL response when the
answer comes from the packet cache.
Now here is a little more strange problem

The zone noelshack.com. was moved more than a week ago to
ns-01.odysseeinteractive.com

Hello Michael,
(I was just reading the frnog related topic ;) )
this is a problem we already encountered here, due to a bug in version 3.2 of the 
recursor:
http://wiki.powerdns.com/trac/changeset/1548

The cache continues using old NS information about the domain (as 
the old authoritative servers still answer for it), and so the migration of the 
domain to new authoritative servers is not seen by PowerDNS Recursor.

You should consider upgrading your version of the recursor, and if so, going 
directly to version 3.4-pre, because we also encountered another irritating bug 
in version 3.3: when an authoritative server wrongly announces itself as 
authoritative for another domain :) (especially domains hosted on ns20.ovh.net, 
which answers as authoritative for google.com ;) ).


Kind regards,




Re: [Pdns-users] Authrotative and recursive on same ip creates an open recursive server

2012-03-29 Thread Michael Loftis
The recursor only ever talks to the authoritative resolver in this
scenario, so the authoritative resolver needs further configuration to
properly restrict who is being allowed to use it recursively.
recursor.conf only affects the recursor itself.  You need to set, in
pdns.conf, allow-recursion to restrict appropriately.

Also, it's usually not a good idea to have your recursors and
authoritative nameservers on the same IPs; the authoritative should
really just be serving authoritative data and never recursing.  This
helps prevent accidental (and malicious) cache poisoning of your
authoritative nameserver.

On Thu, Mar 29, 2012 at 2:27 PM, Miguel Miranda
miguel.miran...@gmail.com wrote:
 Hello to all, I'm migrating several of my DNS servers from bind to powerdns. I
 was trying the recursor only and it restricted who can use my server to the
 nets listed in allow-from-file; when I configure the authoritative and
 recursor using recursor=127.0.0.1, everybody can use my server for
 recursion. Am I missing something, or is bypassing allow-from-file the normal
 operation in this scenario?
 regards





-- 

Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds.
-- Samuel Butler
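A small linter for the situation Miguel ran into, added here as an example and not part of the thread or of PowerDNS: it reads an authoritative pdns.conf of that era and reports a recursor= setting that is not paired with a restrictive allow-recursion=. The key names are the two named in the reply; the sample configurations are constructed.

```python
import ipaddress

# Constructed: what the original poster described, recursion handed to a
# local recursor but nothing said about who may ask for it.
WEAK_CONF = """
launch=gmysql
recursor=127.0.0.1
"""

# Constructed: the same setup with recursion limited to the local networks.
HARDENED_CONF = """
launch=gmysql
recursor=127.0.0.1
allow-recursion=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16
"""


def parse_conf(text):
    """Parse pdns.conf key=value lines; '#' starts a comment, later keys win."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def open_prefixes(netmask_list):
    """Return the entries of a comma-separated netmask list that cover the
    whole address space (0.0.0.0/0 or ::/0).  Entries that do not parse are
    returned as well, so a typo cannot silently pass the check."""
    bad = []
    for item in netmask_list.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            if ipaddress.ip_network(item, strict=False).prefixlen == 0:
                bad.append(item)
        except ValueError:
            bad.append(item)
    return bad


def check_recursion(text):
    """Return a list of findings for an authoritative pdns.conf; an empty
    list means recursion is either off or restricted to explicit networks."""
    conf = parse_conf(text)
    if "recursor" not in conf:
        return []  # recursion disabled: the server only answers from its backend
    allow = conf.get("allow-recursion")
    if allow is None:
        # The recursor's own allow-from does not help here: forwarded queries
        # reach the recursor from the authoritative server, not from the client.
        return ["recursor= is set but allow-recursion= is not; "
                "every client of the authoritative server may recurse"]
    bad = open_prefixes(allow)
    if bad:
        return [f"allow-recursion contains {', '.join(bad)}, which admits everyone"]
    return []


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_recursion(conf) or "ok")
```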


Re: [Pdns-users] problems with glue records

2013-02-10 Thread Michael Loftis
It's the CNAME - think of it like a symbolic link on a file system. It points 
all access towards the given place. For your domain to work at all you'll need 
to remove the yeetta.net CNAME.

Sent from my iPhone

On Feb 10, 2013, at 7:28, Florus Both flo...@yeetta.com wrote:

 Hi, maybe someone can shed a light on this. I have a domain (yeetta.net) and 
 I have 3 pdns servers ns1..ns3.yeetta.net.
 My domain provider said that they have created the glue records. I can change 
 ns on for example yeetta.com to ns1..ns3.yeetta.net. But I can make the 
 ns1..ns3.yeetta.net change work for yeetta.net.
 Floruss-MacBook-Air:~ fb$ host -t ns yeetta.net 8.8.4.4
 Using domain server:
 Name: 8.8.4.4
 Address: 8.8.4.4#53
 Aliases: 
 
 yeetta.net is an alias for sloth.dc2.dk.
 
 Floruss-MacBook-Air:~ fb$ host -t ns yeetta.com 8.8.4.4
 Using domain server:
 Name: 8.8.4.4
 Address: 8.8.4.4#53
 Aliases: 
 
 yeetta.com name server ns2.yeetta.net.
 yeetta.com name server ns3.yeetta.net.
 yeetta.com name server ns1.yeetta.net.
 
 Floruss-MacBook-Air:~ fb$ host -t soa yeetta.net 8.8.4.4
 Using domain server:
 Name: 8.8.4.4
 Address: 8.8.4.4#53
 Aliases: 
 
 yeetta.net is an alias for sloth.dc2.dk.
 
 Floruss-MacBook-Air:~ fb$ host -t soa yeetta.net
 yeetta.net has SOA record ns1.yeetta.net. hostmaster.yeetta.net. 2013020916 86400 86400 604800 300
 
 Floruss-MacBook-Air:~ fb$ whois yeetta.net | grep -i server
 Whois Server Version 2.0
    Whois Server: whois.joker.com
    Name Server: NS1.YEETTA.NET
    Name Server: NS2.YEETTA.NET
    Name Server: NS3.YEETTA.NET
 nserver:  ns1.yeetta.net 188.40.130.134 2a01:4f8:101:2446::10
 nserver:  ns2.yeetta.net 213.133.100.34 2a01:4f8:a0:92a1::10
 nserver:  ns3.yeetta.net 199.233.228.66 2607:fc50:1:d00::10
 
 # data on master pdns:
 
 mysql> select * from records where domain_id=(select id from domains where name='yeetta.net') order by type;
 
 +-----+-----------+-------------------+-------+-----------------------+-------+------+-------------+-----------+------+
 | id  | domain_id | name              | type  | content               | ttl   | prio | change_date | ordername | auth |
 +-----+-----------+-------------------+-------+-----------------------+-------+------+-------------+-----------+------+
 |  78 |        14 | ns1.yeetta.net    | A     | 188.40.130.134        |   300 |    0 |  1358881107 | ns1       |    1 |
 |  79 |        14 | ns2.yeetta.net    | A     | 213.133.100.34        |   300 |    0 |  1358881107 | ns2       |    1 |
 |  85 |        14 | sloth.yeetta.net  | A     | 213.133.100.45        |   300 |    0 |  1359117905 | sloth     |    1 |
 | 104 |        14 | ns3.yeetta.net    | A     | 199.233.228.66        |   300 |    0 |  1358938795 | ns3       |    1 |
 | 110 |        14 | fiji.yeetta.net   | A     | 78.47.100.74          |   300 |    0 |  1358938752 | fiji      |    1 |
 | 111 |        14 | guam.yeetta.net   | A     | 78.47.120.205         |   300 |    0 |  1358938772 | guam      |    1 |
 | 181 |        14 | palau.yeetta.net  | A     | 82.145.35.117         |   600 |    0 |  1359364715 | palau     |    1 |
 | 105 |        14 | ns3.yeetta.net    | AAAA  | 2607:fc50:1:d00::10   |   300 |    0 |  1358932084 | ns3       |    1 |
 | 106 |        14 | ns2.yeetta.net    | AAAA  | 2a01:4f8:a0:92a1::10  |   300 |    0 |  1358933489 | ns2       |    1 |
 | 148 |        14 | ns1.yeetta.net    | AAAA  | 2a01:4f8:101:2446::10 |   600 |    0 |  1359105247 | ns1       |    1 |
 |  74 |        14 | mail.yeetta.net   | CNAME | yeetta.net            |   300 |    0 |  1358881048 | mail      |    1 |
 |  86 |        14 | dnsapi.yeetta.net | CNAME | sloth.yeetta.net      | 86400 |    0 |  1358881368 | dnsapi    |    1 |
 | 228 |        14 | yeetta.net        | CNAME | sloth.dc2.dk          |   600 |    0 |  1360346937 |           |    1 |
 | 235 |        14 | www.yeetta.net    | CNAME | sloth.dc2.dk          |   600 |    0 |  1360349998 | www       |    1 |
 |  80 |        14 | yeetta.net        | 
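Added example, not code from the thread or from PowerDNS: a check over rows pulled from the records table that reports the CNAME problem Michael describes (a CNAME at the apex, or beside other data at the same name, which RFC 1034 section 3.6.2 forbids), plus in-zone NS targets that have no address record, the "glue" half of the subject. The rows are constructed after the table in the post, with a TXT row and a missing address for ns2 added so that each rule has something to report.

```python
# Constructed rows (name, type, content), modelled on the records table in
# the post; the TXT row and the absence of an address row for ns2 are added
# here so that each check below has something to report.
SAMPLE_ROWS = [
    ("yeetta.net", "SOA", "ns1.yeetta.net. hostmaster.yeetta.net. 2013020916 86400 86400 604800 300"),
    ("yeetta.net", "NS", "ns1.yeetta.net"),
    ("yeetta.net", "NS", "ns2.yeetta.net"),      # constructed: no A/AAAA for ns2 below
    ("yeetta.net", "CNAME", "sloth.dc2.dk"),     # the apex CNAME from the post
    ("www.yeetta.net", "CNAME", "sloth.dc2.dk"),
    ("www.yeetta.net", "TXT", "v=spf1 -all"),    # constructed: CNAME beside other data
    ("mail.yeetta.net", "CNAME", "yeetta.net"),
    ("dnsapi.yeetta.net", "CNAME", "sloth.yeetta.net"),
    ("sloth.yeetta.net", "A", "213.133.100.45"),
    ("ns1.yeetta.net", "A", "188.40.130.134"),
    ("ns1.yeetta.net", "AAAA", "2a01:4f8:101:2446::10"),
]


def _norm(name):
    """Lower-case a name and drop a trailing dot so 'a.b.' and 'A.B' match."""
    return name.lower().rstrip(".")


def cname_conflicts(zone, rows):
    """Return [(name, code)] for every name that breaks the CNAME rule.

    'apex-cname':            a CNAME at the zone apex; never valid, because
                             the apex must own SOA and NS records.
    'cname-with-other-data': a CNAME beside A, TXT, MX, ... at the same name."""
    types_by_name = {}
    for name, rtype, _content in rows:
        types_by_name.setdefault(_norm(name), set()).add(rtype.upper())
    apex = _norm(zone)
    problems = []
    for name, types in sorted(types_by_name.items()):
        if "CNAME" not in types:
            continue
        if name == apex:
            problems.append((name, "apex-cname"))
        elif types - {"CNAME"}:
            problems.append((name, "cname-with-other-data"))
    return problems


def missing_ns_addresses(zone, rows):
    """Return in-zone NS targets of the apex that have no A/AAAA record in
    the zone; the parent's glue has to match addresses the zone itself serves."""
    apex = _norm(zone)
    have_address = {_norm(n) for n, t, _ in rows if t.upper() in ("A", "AAAA")}
    missing = set()
    for name, rtype, content in rows:
        if rtype.upper() != "NS" or _norm(name) != apex:
            continue
        target = _norm(content)
        in_zone = target == apex or target.endswith("." + apex)
        if in_zone and target not in have_address:
            missing.add(target)
    return sorted(missing)


if __name__ == "__main__":
    for name, code in cname_conflicts("yeetta.net", SAMPLE_ROWS):
        print(f"{name}: {code}")
    for target in missing_ns_addresses("yeetta.net", SAMPLE_ROWS):
        print(f"{target}: NS target without A/AAAA")
```

The same rows can be fetched with the SELECT shown in the post and passed in as (name, type, content) tuples before a zone goes live.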

[Pdns-users] pdns-recursor: Block domains

2013-04-26 Thread Michael Ströder
Hi!

What's the simplest and hopefully efficient way to block domains from being
resolved by pdns-recursor?

I'd just like NXDOMAIN to be returned for all RRs in unwanted domains.

Ciao, Michael.





Re: [Pdns-users] pdns-recursor: Block domains

2013-04-27 Thread Michael Ströder
Peter van Dijk wrote:
 On Apr 26, 2013, at 18:57 , Michael Ströder wrote:
 
 What's the simplest and hopefully efficient way to block domains from being
 resolved by pdns-recursor?

 I'd just like NXDOMAIN to be returned for all RRs in unwanted domains.
 
 Like JP said, Lua is a very good option. The other option is using 
 local-zones or forward-zones.

Hmm, in case of forward-zones I'd need an additional DNS server generating the
NXDOMAIN. So I will try with pseudo local-zones.

Ciao, Michael.





Re: [Pdns-users] turn off all type of caching in pdns-recursor

2013-06-19 Thread Michael Ströder
Posner, Sebastian wrote:
 CMIIW, but I understand Alex doesn't want to monitor _his_ authoritative
 nameservers' performance/availability, but that of the resolver his
 upstream provides him with, and/or get a general heatmap of the state 
 of DNS on teh intartubes.
 Whilst for monitoring _your_ zones' availability, this approach is a
 good idea, it is not feasible for domains you do not control^^

Well, this entirely depends on your recursor configuration and the domains you
control.

Ciao, Michael.





Re: [Pdns-users] turn off all type of caching in pdns-recursor

2013-06-19 Thread Michael Ströder
Michael Ströder wrote:
 Posner, Sebastian wrote:
 CMIIW, but I understand Alex doesn't want to monitor _his_ authoritative
 nameservers' performance/availability, but that of the resolver his
 upstream provides him with, and/or get a general heatmap of the state 
 of DNS on teh intartubes.
 Whilst for monitoring _your_ zones' availability, this approach is a
 good idea, it is not feasible for domains you do not control^^
 
 Well, this entirely depends on your recursor configuration and the domains you
 control.

Sorry, I've misread your comment. Please ignore mine.

Ciao, Michael.






Re: [Pdns-users] 1 sec delay before DNS-answer at pdns-recursor

2013-06-23 Thread Michael Loftis
What about giving the full dig output too?  My bet is you're actually
experiencing some sort of huge delay starting up dig or resolving
localhost, use @127.0.0.1 instead and see if the time goes away.
Does your /etc/hosts contain 'localhost'?  Have you modified your
nsswitch.conf? (Assuming standard *nix like system)

On Sun, Jun 23, 2013 at 3:58 AM, Shamus Smith smithsha...@yahoo.de wrote:
 Hello Bert,

  Any ideas why it takes so long?

 Rerun with --trace enabled and check what is happening. With some study,
 it should be clear what it is waiting for.

 did that already before, but still did not found anything helpful there.
 Below is a new trace.
 btw, I am using 3.5.1 (package pdns-recursor-3.5.1-1.el6.x86_64).

 Thanks,
  Shamus

 - /etc/init.d/pdns-recursor start
 Jun 23 12:30:12 server pdns_recursor[11064]: PowerDNS recursor 3.5.1 (C)
 2001-2013 PowerDNS.COM BV (May  3 2013, 20:04:33, gcc 4.4.7 20120313 (Red
 Hat 4.4.7-3)) starting up
 Jun 23 12:30:12 server pdns_recursor[11064]: PowerDNS comes with ABSOLUTELY
 NO WARRANTY. This is free software, and you are welcome to redistribute it
 according to the terms of the GPL version 2.
 Jun 23 12:30:12 server pdns_recursor[11064]: Operating in 64 bits mode
 Jun 23 12:30:12 server pdns_recursor[11064]: Reading random entropy from
 '/dev/urandom'
 Jun 23 12:30:12 server pdns_recursor[11064]: Only allowing queries from:
 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16,
 172.16.0.0/12, ::1/128, fe80::/10
 Jun 23 12:30:12 server pdns_recursor[11064]: Will not send queries to:
 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16,
 172.16.0.0/12, ::1/128, fe80::/10, 0.0.0.0, ::
 Jun 23 12:30:12 server pdns_recursor[11064]: NOT using IPv6 for outgoing
 queries - set 'query-local-address6=::' to enable
 Jun 23 12:30:12 server pdns_recursor[11064]: Redirecting queries for zone
 '.' to: 8.8.8.8:53
 Jun 23 12:30:12 server pdns_recursor[11064]: Inserting rfc 1918 private
 space zones
 Jun 23 12:30:12 server pdns_recursor[11064]: Not decreasing socket buffer
 size from 229376 to 20
 Jun 23 12:30:12 server pdns_recursor[11064]: Listening for UDP queries on
 127.0.0.1:53
 Jun 23 12:30:12 server pdns_recursor[11064]: Enabled TCP data-ready filter
 for (slight) DoS protection
 Jun 23 12:30:12 server pdns_recursor[11064]: Listening for TCP queries on
 127.0.0.1:53
 Jun 23 12:30:12 server pdns_recursor[11064]: Calling daemonize, going to
 background
 Jun 23 12:30:12 server pdns_recursor[11065]: Set effective group id to 497
 Jun 23 12:30:12 server pdns_recursor[11065]: Set effective user id to 497
 Jun 23 12:30:12 server pdns_recursor[11065]: Launching 2 threads
 Jun 23 12:30:12 server pdns_recursor[11065]: Done priming cache with root
 hints
 Jun 23 12:30:12 server pdns_recursor[11065]: Done priming cache with root
 hints
 Jun 23 12:30:12 server pdns_recursor[11065]: Enabled 'epoll' multiplexer
 Jun 23 12:30:12 server pdns_recursor[11065]: .: No cache hit for '.|NS',
 trying to find an appropriate NS record
 Jun 23 12:30:12 server pdns_recursor[11065]: .: No cache hit for '.|NS',
 trying to find an appropriate NS record
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Cache consultations done,
 have 1 NS to contact
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Cache consultations done,
 have 1 NS to contact
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Nameservers:
 -8.8.8.8:53(0.00ms)
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Trying to resolve NS
 '-8.8.8.8:53' (1/1)
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Domain has hardcoded
 nameserver(s)
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Resolved '.' NS -8.8.8.8:53
 to: 8.8.8.8
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Nameservers:
 -8.8.8.8:53(0.00ms)
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Trying to resolve NS
 '-8.8.8.8:53' (1/1)
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Domain has hardcoded
 nameserver(s)
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Resolved '.' NS -8.8.8.8:53
 to: 8.8.8.8
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Trying IP 8.8.8.8:53, asking
 '.|NS'
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Trying IP 8.8.8.8:53, asking
 '.|NS'
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Got 13 answers from
 -8.8.8.8:53 (8.8.8.8), rcode=0, aa=0, in 6ms
 Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer
 '.|NS|d.root-servers.net.' from '.' nameservers? YES!
 Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer
 '.|NS|l.root-servers.net.' from '.' nameservers? YES!
 Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer
 '.|NS|c.root-servers.net.' from '.' nameservers? YES!
 Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer
 '.|NS|g.root-servers.net.' from '.' nameservers? YES!
 Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer
 '.|NS|h.root-servers.net.' from '.' nameservers? YES!
 Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer
 

Re: [Pdns-users] 1 sec delay before DNS-answer at pdns-recursor

2013-06-23 Thread Michael Loftis
On Sunday, June 23, 2013, Shamus Smith wrote:

 Thanks for your answer. The full dig output was in the first posting.
 I have not modified nsswitch.conf and /etc/hosts contains only this:


No, only the +short is in any of your responses; when I say full output I
mean without +short - there's a hint of timing information in the full dig
output.  We have the time it took for the entire command to execute but we
don't have the actual RTT of the DNS query.  It'll indicate the query time,
as well as whom it sent the query to, i.e. what @localhost was resolved to
prior to dig starting its own query - which I think it uses gethostent or
one of the other get* calls for.




 127.0.0.1   localhost localhost.localdomain localhost4
 localhost4.localdomain4
 ::1 localhost localhost.localdomain localhost6
 localhost6.localdomain6

 And you were right! When using dig www.google.com @127.0.0.1 it takes
 just
 0.021 seconds. But I still do not have a clue why, do you?


My *guess* or hunch is that your internal OS stack gethostent, getaddrinfo,
etc, is failing/falling over somehow or in some form.  It shouldn't be
talking to anything in resolv.conf but if it is, then the later response
about correctly having the RD bit set or not because of the configuration
could explain the different behavior with dnsmasq.  Normally it should be
consulting your local files first, finding an answer, and immediately
returning.  But if there's something funny going on it might not be.  Other
issues can occur if you have LDAP user databases/etc, or even if you've got
some heavy swapping/paging going on it'll take a while to start up any
command that isn't already fully in cache/RAM.  All that is why I asked for
the timing information from dig, which it runs *after* any of that could
get in the way.



 When using another recursor (Dnsmasq) there is no time difference when
 using
 @localhost or @127.0.0.1.

 Thanks,
 Shamus

I don't think anything other than /etc/hosts should get involved but your
stall pretty clearly appears to be happening during the resolution of the
@localhost and not the round trip to the world and through the pdns
recursor.





Re: [Pdns-users] 1 sec delay before DNS-answer at pdns-recursor

2013-06-23 Thread Michael Loftis
On Sun, Jun 23, 2013 at 5:40 PM, Michael Loftis mlof...@wgops.com wrote:



 I don't think anything other than /etc/hosts should get involved but your
 stall pretty clearly appears to be happening during the resolution of the
 @localhost and not the round trip to the world and through the pdns
 recursor.

Which is to say I don't think that pdns-recursor is at fault for your
slow dig resolution time...your OS stack I believe is failing
elsewhere.


--

Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds.
-- Samuel Butler



Re: [Pdns-users] 1 sec delay before DNS-answer at pdns-recursor

2013-06-25 Thread Michael Loftis
On Tuesday, June 25, 2013, Shamus Smith wrote:

 Hello all,

 thanks for all your answers, but I'm still stuck. Below is the full output
 for dig for pdns and dnsmasq.
 The query time is 2 ms for the first uncached request and 0 ms for pdns
 and dnsmasq. However, the
 whole execution of the dig command takes over 1 second for pdns and below
 30 ms for dnsmasq. The
 same for nslookup.

 For the second request trace just shows: 1 question answered from packet
 cache from 127.0.0.1
 But it still takes more than 1 second.

 - /etc/pdns-recursor/recursor.conf (default-config from package plus own
 forward-zone, removed comments)
 forward-zones=.=8.8.8.8
 setgid=pdns-recursor
 setuid=pdns-recursor

 - /etc/dnsmasq.conf (default-config from package, removed comments)
 bogus-priv
 cache-size=1500
 domain-needed
 no-hosts

 - /etc/hosts
 127.0.0.1   localhost localhost.localdomain localhost4
 localhost4.localdomain4
 ::1 localhost localhost.localdomain localhost6
 localhost6.localdomain6

 /etc/nsswitch.conf was not modified and there is absolutely no load on the
 machine.
 I do not have a LDAP user database, this is just a minimum install of
 CentOS 6.5.

 Any ideas?



Someone else mentioned using forward-zones-recurse instead. Try that.
There's obviously an issue between your OS resolver and pdns-recursor. That
may well be the cause.




 Thanks,
 Shamus








Re: [Pdns-users] Can the zone data be edited from passing mysql queries?

2013-07-23 Thread Michael Loftis
PowerDNS is database driven. Read the docs, or even just the features.

On Monday, July 22, 2013, Manish Rane wrote:

 Hi Folks,

 Wondering if I can edit/change the static zone file as a result of a certain
 bash script. Since the backend is MySQL, can we really pass a MySQL statement
 by which I can update the zone file?

 Well, I am trying to write a script which will monitor the server on
 certain ports and if it fails to connect to the server it will delete or
 add the entry from the zone file so that traffic will be routed to another
 server, possible? I am thinking of the same possibility with BIND but let me know
 if this can be possible with pdns

 OR is anyone aware of such a solution available in open source?





Re: [Pdns-users] Power Dns Server As A Domain Name Registry(Parent Name Server)

2013-07-23 Thread Michael Loftis
You're making several mistakes in setting up your delegation.  First
you've included an SOA in your PowerDNS records.  Start Of Authority
is exactly that.  The etc zone needs to have only NS records and (if
necessary) A glue records inside of the delegating server. The PDNS
server is being given a record that indicates *IT* has authority for
the forum.etc zone.  Secondly you delegate to ns1.forum.etc but
forum.etc has ns1. as its listed delegate, which would be a
zone/record that would not exist.  Either add glue, or change that to
correctly read ns1 or ns1.forum.etc. (note the trailing dot, VERY
important)  The PDNS server may also need an SOA for etc as well as
depending on the resolver/resolver lib being used you might even need
to have delegation in your PDNS for . (the root).





On Tue, Jul 23, 2013 at 5:19 PM, Önem Özgülgen onemozgul...@gmail.com wrote:
 Hello,

 IP address of the PowerDNS server with MySQL backend (both authoritative and
 recursive):

 188.132.241.151

 IP address of the Bind9 server:

 188.132.250.197

 Here's the MySQL dump of domains table;

 mysql> select * from domains;
 +----+------+--------+------------+--------+-----------------+---------+
 | id | name | master | last_check | type   | notified_serial | account |
 +----+------+--------+------------+--------+-----------------+---------+
 |  5 | etc  | yes    |          1 | master |               1 | vixen   |
 +----+------+--------+------------+--------+-----------------+---------+
 1 row in set (0.00 sec)


 Here's the MySQL dump of records table;

 mysql> select * from records;
 +----+-----------+---------------+------+-----------------+------+------+-------------+
 | id | domain_id | name          | type | content         | ttl  | prio | change_date |
 +----+-----------+---------------+------+-----------------+------+------+-------------+
 | 41 |         5 | forum.etc     | NS   | ns1.forum.etc   |    1 |    1 |           1 |
 | 43 |         5 | ns1.forum.etc | A    | 188.132.250.197 |    1 |    1 |           1 |
 | 39 |         5 | forum.etc     | SOA  | 45325325325     |    1 |    1 |           1 |
 +----+-----------+---------------+------+-----------------+------+------+-------------+
 3 rows in set (0.00 sec)


 Here's the records file input for the master zone of forum.etc created in
 Bind9 Server;

 $ttl 38400
 forum.etc.   IN  SOA  ns1. info.forum.etc. (
                       1374623190
                       10800
                       3600
                       604800
                       38400 )
 forum.etc.   IN  NS   ns1.
 ns1          IN  A    188.132.250.197
 www          IN  A    94.101.88.30


 After I've changed my PC's DNS server IP to the PowerDNS server, here's the
 nslookup output for both forum.etc and ns1.forum.etc:

 C:\Users\vixen>nslookup forum.etc
 Server:  static-151-241-132-188.sadecehosting.net
 Address: 188.132.241.151

 Name:    forum.etc

 C:\Users\vixen>nslookup ns1.forum.etc
 Server:  static-151-241-132-188.sadecehosting.net
 Address: 188.132.241.151

 Name:    ns1.forum.etc
 Address: 188.132.250.197

 On the web browser of my PC, when I type http://ns1.forum.etc I'm getting
 the Apache test page of the Bind9 server and it's ok.

 But, if i type http://www.forum.etc it can't connect to the ip address which
 i've added in zone records of Bind9 Server.

 If you need anything more, please let me know.

 Thanks.












Re: [Pdns-users] Installation of PDNS Server on Raspberry Pi (wheezy)

2013-08-16 Thread Michael Ströder
Marc Haber wrote:
 pdns-users is an english language mailing list.
 
 On Fri, Aug 16, 2013 at 10:09:44AM +0200, abang wrote:
  but I need one for Debian on Raspberry Pi.
  I don't know where you can get a ready-made binary for armv6l. But
  you could try compiling it yourself.

 apt-get install libboost-dev
 wget http://downloads.powerdns.com/releases/pdns-recursor-3.5.2.tar.bz2
 tar -xjf pdns-recursor-3.5.2.tar.bz2
 cd pdns-recursor-3.5.2
 ./configure
 make all

  I'm trying it right now as well. It feels like it takes forever on the Pi, though ;-)
 
 The PowerDNS recursor cannot be compiled on arm architectures. It
 needs a feature called swapcontext which is not available on arm. See
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579194

Frankly I have no idea what swapcontext is but FWIW I'm running package
pdns-recursor-3.3-5.1.armv5tel found in the openSUSE snapshot build for
Raspberry Pi.

Ciao, Michael.





Re: [Pdns-users] PowerDNS 3.0: Can't deal with multi-part NSEC mappings yet

2013-09-25 Thread Michael Ströder
Fredrik Roubert wrote:
 My ISP is running a slave DNS service, using PowerDNS 3.0 as this is the
 version included in Ubuntu 12.04 LTS. I've already read this post, about
 DNSSEC in 3.0 being explicitly "deprecated":
 
 http://mailman.powerdns.com/pipermail/pdns-users/2012-July/009099.html
 
 But seeing that my ISP's position of "we'll use what's default in the
 LTS" is kind of reasonable,

IMO it's nonsense to rely on a distribution package in case the upstream
developers strongly discourage a release for a certain usage. You should
really discuss this with your ISP even if you manage to work-around the
current problem.

Ciao, Michael.





Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)

2013-12-13 Thread Michael Loftis
So there is no A record for labisilon.lab.example.com in the pdns01 name
server? (What's the dig output when you request the A record for the
delegated domain?)
Michael,

You are correct - my typo - it is labisilon (not simply isilon).

When I do “dig @pdns01 NS labisilon.lab.example.com” I get the following:

$ dig @psl-pdns01 ns pslisilon.lab.securustech.net

; <<>> DiG 9.8.3-P1 <<>> @psl-pdns01 ns pslisilon.lab.securustech.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53684
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;labisilon.lab.example.com. IN NS

;; AUTHORITY SECTION:
labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.

;; ADDITIONAL SECTION:
lab-isilon.lab.example.com. 900 IN A x.x.x.x

;; Query time: 59 msec

I don’t believe the records are overlapping according to this output but
please correct me if I’m wrong on this.

-- 
Drew Decker
Sent with Airmail

On December 13, 2013 at 12:35:02 AM, Michael Loftis
(mlof...@wgops.com)
wrote:

Is the delegated zone isilon or labisilon? I think you need to check the A,
and NS records as you've mixed them up even in the email there. I would
delegate a completely different sub domain than I would name the A record
just to avoid such confusion, it sounds like you've got an NS and A records
for the same name, which is why you're getting the static A record from
powerdns.

In your typed example you are using labisilon as the sub domain and
lab-isilon as the A record and NS delegation...  What does dig NS
labisilon.lab.example.com @1.2.3.4 give you? (Replace 1.2.3.4 with the pdns
auth server ip address) you should get back two records, one NS type
pointing to lab-isilon and one A type giving the address to send UDP/TCP
queries to.

Sounds like that's where the problem is still. Your delegation shouldn't
have any overlapping A records labisilon should be just an NS which
points to lab-isilon, otherwise you get the behavior you described. Which
is a broken delegation.
On Dec 12, 2013 9:54 PM, Drew Decker drewrocksh...@gmail.com wrote:

  Michael,

  I think  you only read a few posts on this thread, so I’ll give you some
 details of what had/has been done up to this point, as I read your entire
 email and from what you are saying, I’ve already done (which is why I’m
 reaching out to the community) - correct me if I’m wrong.

  I have a single zone: lab.example.com

  The Isilon needs a delegated zone for it to use, so we simply chose
  isilon.lab.example.com

  From a PowerDNS perspective, lab.example.com lives on a single server
  pdns01 and the database server runs on its own dedicated hardware
  pdnsdb01.

  A single zone was created - lab.example.com

  We added the following DNS records to PowerDNS (in the lab.example.com
  zone):

 labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.
 lab-isilon.lab.example.com. 900 IN A x.x.x.x

 Once we added this, it still does not work; when we ping 
 labisilon.lab.example.com, it returns the IP from lab-isilon.lab.example.com, 
 which would be as expected, but since the “x.x.x.x” IP is a SmartConnect IP 
 on the Isilon, it actually takes that IP gives a random IP (depends on how 
 the Isilon is configured) back to the client.  So, in our case, we basically 
 round-robin it, so each new request to the isilon should give us a new IP, 
 until we get to the end, and then we start over.

 I just need to know if I’m missing something here, and if not, maybe it is an 
 issue with the Isilon, in this case.  I just want to make sure that I’m 
 setting up DNS delegation correctly in PowerDNS, or if I’m missing something 
 PowerDNS specific.

  Thanks for your continued input.

 --
 Drew Decker


 On December 12, 2013 at 9:32:33 PM, Michael Loftis 
 (mlof...@wgops.com)
 wrote:

  The most common and obvious example of glue is when you have a TLD
 such as GOV, COM, or EDU delegate your domain, your NS records usually
 exist within your domain so glue must exist higher up, exact same
 principle applies at every level where a delegation occurs. Say
 isil.lab.example.com is served by the isilon. This is the delegated
 subdomain. lab.example.com is served by other nameservers. The A
 record you're using could be ns1.isil.lab.example.com, and so must
 exist in both the isil.lab.example.com domain, AND the lab.example.com
 domain, in two separate nameservers.

 You must have on BOTH the lab.example.com and the isil.lab.example.com
 domains and nameservers A records for out of zone nameservers in
 subdomains are called glue. Nothing magical. Everyone has some in
 COM, GOV, EDU, ORG, etc. If you take a look at google.com, you'll see
 ns1 through ns4.google.com -- those four A records exist in the COM
 zone

Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)

2013-12-13 Thread Michael Loftis
No you definitely do not want to add an A record for
labisilon.lab.domain.com to the powerdns server, that would cause it
to always serve the A record.  From the response information I take it
the powerdns server isn't your recursive resolver (IE it's not what's
in the /etc/resolv.conf or equivalent for your platform) - but from
the output you've shown me the first half of the delegation is fine.
The second half of the delegation must also exist or BIND in
particular won't count it as valid (though the validation is lazy so
you'll sometimes get an answer, but most of the time not) -- and the
second half is the matching NS record on the isilon, and the SOA
(though the SOA is less important) -- you'll want to do the same dig
@x.x.x.x NS labisilon.lab.domain.com and dig @x.x.x.x A
labisilon.lab.domain.com - this is all part of diagnosing what
actually *is* happening with this delegation. If the NS records aren't
being returned from the isilon or the A or SOA isn't I can't really
help you out there if those aren't there as I've never used the
smartconnect product though there's a small chance I can get some
information since we used their storage boxes at my present day job
years back before I started (We literally have a couple racks worth of
them sitting around after being decommissioned).


... reading a bit in...is securustech.net the actual domain?  It has
wild cards which would be causing all manner of hell for you, if the A
record you're getting back is the same as I'm seeing from the outside
- 69.43.161.163 - then that would explain your problems.  Your
recursive resolver is getting the wildcard answers from your outside
nameservers.

On Fri, Dec 13, 2013 at 8:23 AM, Drew Decker drewrocksh...@gmail.com wrote:
 Same output -

 dig @psl-pdns01 A pslisilon.lab.securustech.net

 ; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24930
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

 ;; QUESTION SECTION:
 ;labisilon.lab.domain.com. IN A

 ;; AUTHORITY SECTION:
 labisilon.lab.domain.com 900 IN NS lab-isilon.lab.domain.com.

 ;; ADDITIONAL SECTION:
 lab-isilon.lab.domain.com. 900 IN A x.x.x.x

 ;; Query time: 2 msec

 Do I need to specifically add an “A” record of labisilon.lab.domain.com -
 x.x.x.x?
 --
 Drew Decker
 Sent with Airmail

 On December 13, 2013 at 10:18:10 AM, Michael Loftis (mlof...@wgops.com)
 wrote:

 labisilon.lab.example.com



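The delegation checks Michael walks through in the "Parent Name Server" thread (no SOA for the child in the parent, NS targets that actually resolve, trailing dots) and in this thread (no A record overlapping the delegated name, glue, matching NS sets on the child side) can be run offline against the record sets themselves. The following is an added example, not code from the list or from PowerDNS; the record data is constructed from the two threads, with x.x.x.x replaced by the documentation address 192.0.2.10 and the Isilon's own SOA/NS assumed, since the thread never showed them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as zone-file text: owner name, type, content."""
    name: str
    rtype: str
    content: str


def fqdn(name: str) -> str:
    """Normalise a name to absolute, lower-case, trailing-dot form."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)


def check_delegation(parent_zone, child_zone, parent_rrs, child_rrs):
    """Return a list of problems with the cut between parent and child.

    An empty list means the delegation looks consistent. NS contents are
    taken literally, so a bare "ns1." stays "ns1." (the trailing-dot mistake).
    """
    parent_zone, child_zone = fqdn(parent_zone), fqdn(child_zone)
    problems = []

    # 1. The parent may hold only NS (and DS) at the delegated name. An SOA
    #    there means the parent thinks it is authoritative; A data there
    #    overlaps the delegation and gets served instead of a referral.
    at_cut = [r for r in parent_rrs if fqdn(r.name) == child_zone]
    parent_ns = {fqdn(r.content) for r in at_cut if r.rtype == "NS"}
    if not parent_ns:
        problems.append(f"parent has no NS records for {child_zone}")
    for r in at_cut:
        if r.rtype == "SOA":
            problems.append(f"parent carries an SOA for {child_zone}: it claims authority itself")
        elif r.rtype not in ("NS", "DS"):
            problems.append(f"parent has {r.rtype} data at {child_zone}, overlapping the delegation")

    # 2. The child apex must carry its own SOA and the same NS set.
    apex = [r for r in child_rrs if fqdn(r.name) == child_zone]
    child_ns = {fqdn(r.content) for r in apex if r.rtype == "NS"}
    if not any(r.rtype == "SOA" for r in apex):
        problems.append(f"child zone {child_zone} has no SOA at its apex")
    if not child_ns:
        problems.append(f"child zone {child_zone} has no NS records at its apex")
    elif child_ns != parent_ns:
        problems.append(f"NS sets differ: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")

    # 3. Every nameserver named on either side needs an address. If it lives
    #    inside the child zone, the parent must carry that address as glue.
    def has_addr(rrs, name):
        return any(fqdn(r.name) == name and r.rtype in ("A", "AAAA") for r in rrs)

    for ns in sorted(parent_ns | child_ns):
        if in_zone(ns, child_zone):
            if not has_addr(parent_rrs, ns):
                problems.append(f"NS target {ns} is inside {child_zone} but has no glue in the parent")
        elif not has_addr(parent_rrs + child_rrs, ns):
            problems.append(f"NS target {ns} has no A/AAAA record in the supplied data")
    return problems


# Constructed from the "Parent Name Server" thread: the parent "etc" holds an
# SOA for forum.etc, and the BIND child zone names its server as the bare "ns1.".
PARENT_ETC = [
    RR("forum.etc", "NS", "ns1.forum.etc"),
    RR("ns1.forum.etc", "A", "188.132.250.197"),
    RR("forum.etc", "SOA", "ns1.forum.etc. info.forum.etc. 1 10800 3600 604800 38400"),
]
CHILD_FORUM_ETC = [
    RR("forum.etc", "SOA", "ns1. info.forum.etc. 1374623190 10800 3600 604800 38400"),
    RR("forum.etc", "NS", "ns1."),
    RR("ns1.forum.etc", "A", "188.132.250.197"),
    RR("www.forum.etc", "A", "94.101.88.30"),
]

# Constructed from the Isilon thread: x.x.x.x becomes 192.0.2.10, and the
# child (SmartConnect) side's SOA and NS are assumed.
PARENT_LAB = [
    RR("labisilon.lab.example.com", "NS", "lab-isilon.lab.example.com"),
    RR("lab-isilon.lab.example.com", "A", "192.0.2.10"),
]
CHILD_LABISILON = [
    RR("labisilon.lab.example.com", "SOA",
       "lab-isilon.lab.example.com. hostmaster.lab.example.com. 1 3600 900 604800 300"),
    RR("labisilon.lab.example.com", "NS", "lab-isilon.lab.example.com"),
]


def report():
    """Run the cases discussed on the list and return their problem lists."""
    lab = ("lab.example.com", "labisilon.lab.example.com")
    extra_a = [RR("labisilon.lab.example.com", "A", "192.0.2.10")]  # the overlap
    return {
        "forum.etc": check_delegation("etc", "forum.etc", PARENT_ETC, CHILD_FORUM_ETC),
        "labisilon": check_delegation(*lab, PARENT_LAB, CHILD_LABISILON),
        "labisilon+A": check_delegation(*lab, PARENT_LAB + extra_a, CHILD_LABISILON),
    }


if __name__ == "__main__":
    for case, problems in report().items():
        print(f"{case}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```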


Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)

2013-12-13 Thread Michael Loftis
Ah...You actually *may* have hit a bug.  What version of powerdns and
what backend?  There's an issue on github, number 49, fixed in commit
number 549 according to the bug where PDNS was behaving similar to
this...if you dig for things *under* that subdomain eg
test.labisilon.lab.domain.com you get the correct response (NS and A
records w/ no AA bit indicating you must chase the delegation) -- but
when querying for the delegated domain, it returns the SOA and an AA
bit w/ NXDOMAIN indicating no such record.
https://github.com/PowerDNS/pdns/issues/49

Might actually be that bug you're seeing!  Sorry for the run around if
so, I didn't even know the bug existed until now.

This of course assumes correct records and all...which is why I had
you run all those digs...

On Fri, Dec 13, 2013 at 10:22 AM, Drew Decker drewrocksh...@gmail.com wrote:
 Michael,

 the PowerDNS server IS the main recursor resolver and the IP of the PowerDNS
 server is actually in /etc/resolv.conf for all of the platform servers.  We
 no longer have any BIND servers in our infrastructure.

 Here are the dig outputs:

 $ dig @pdns01 NS labisilon.lab.domain.com

 ; <<>> DiG 9.8.3-P1 <<>> @pdns01 NS labisilon.lab.domain.com
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9680
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

 ;; QUESTION SECTION:
 ;labisilon.lab.domain.com. IN NS

 ;; AUTHORITY SECTION:
 lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com.
 2013073047 86400 7200 604800 3600

 ;; Query time: 1 msec

 [~]
 ddecker$ dig @pdns01 A labisilon.lab.domain.com

 ; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1337
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

 ;; QUESTION SECTION:
 ;labisilon.lab.domain.com. IN A

 ;; AUTHORITY SECTION:
 lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com.
 2013073047 86400 7200 604800 3600

 ;; Query time: 0 msec


 --
 Drew Decker
 Sent with Airmail

 On December 13, 2013 at 12:08:35 PM, Michael Loftis (mlof...@wgops.com)
 wrote:

 No you definitely do not want to add an A record for
 labisilon.lab.domain.com to the powerdns server, that would cause it
 to always serve the A record. From the response information I take it
 the powerdns server isn't your recursive resolver (IE it's not what's
 in the /etc/resolv.conf or equivalent for your platform) - but from
 the output you've shown me the first half of the delegation is fine.
 The second half of the delegation must also exist or BIND in
 particular won't count it as valid (though the validation is lazy so
 you'll sometimes get an answer, but most of the time not) -- and the
 second half is the matching NS record on the isilon, and the SOA
 (though the SOA is less important) -- you'll want to do the same dig
 @x.x.x.x NS labisilon.lab.domain.com and dig @x.x.x.x A
 labisilon.lab.domain.com - this is all part of diagnosing what
 actually *is* happening with this delegation. If the NS records aren't
 being returned from the isilon or the A or SOA isn't I can't really
 help you out there if those aren't there as I've never used the
 smartconnect product though there's a small chance I can get some
 information since we used their storage boxes at my present day job
 years back before I started (We literally have a couple racks worth of
 them sitting around after being decommissioned).


 ... reading a bit in...is securustech.net the actual domain? It has
 wild cards which would be causing all manner of hell for you, if the A
 record you're getting back is the same as I'm seeing from the outside
 - 69.43.161.163 - then that would explain your problems. Your
 recursive resolver is getting the wildcard answers from your outside
 nameservers.

 On Fri, Dec 13, 2013 at 8:23 AM, Drew Decker drewrocksh...@gmail.com
 wrote:
 Same output -

 dig @psl-pdns01 A pslisilon.lab.securustech.net

 ; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24930
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

 ;; QUESTION SECTION:
 ;labisilon.lab.domain.com. IN A

 ;; AUTHORITY SECTION:
 labisilon.lab.domain.com 900 IN NS lab-isilon.lab.domain.com.

 ;; ADDITIONAL SECTION:
 lab-isilon.lab.domain.com. 900 IN A x.x.x.x

 ;; Query time: 2 msec

 Do I need to specifically add an “A” record of labisilon.lab.domain.com -
 x.x.x.x?
 --
 Drew Decker
 Sent with Airmail

 On December 13, 2013 at 10:18:10 AM, Michael Loftis (mlof...@wgops.com)
 wrote:

 labisilon.lab.example.com






Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)

2013-12-16 Thread Michael Loftis
I can't replicate with 3.0.1 so I don't think it's in any current code.
Barring a regression of course. Idk what he is running but it is possible
that it's old and affected. Can't be sure since I can't investigate directly.
On Dec 15, 2013 11:40 PM, Peter van Dijk peter.van.d...@netherlabs.nl
wrote:

 Hello folks,

 I have not followed this thread (I saw it was full of helpful people
 already!), but I would just like to point out that that bug is actually 8
 years old -- our github migration could not copy the timestamps reliably.
 The fix was in version 2.9.20, released March 2006.

 That said, if anybody does think a bug has been found in a recent
 PowerDNS, we're happy to look into it!

 Kind regards,
 --
 Peter van Dijk
 Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

 On Dec 13, 2013, at 23:54 , Michael Loftis wrote:

  Ah...You actually *may* have hit a bug.  What version of powerdns and
  what backend?  There's an issue on github, number 49, fixed in commit
  number 549 according to the bug where PDNS was behaving similar to
  this...if you dig for things *under* that subdomain eg
  test.labisilon.lab.domain.com you get the correct response (NS and A
  records w/ no AA bit indicating you must chase the delegation) -- but
  when querying for the delegated domain, it returns the SOA and an AA
  bit w/ NXDOMAIN indicating no such record.
  https://github.com/PowerDNS/pdns/issues/49







[Pdns-users] RaspPi Syslog Error

2014-02-28 Thread Michael Schaffer
Hi All

I have a version up and running on my RaspPi and it works fine.
However in the syslog I have the following error and wonder if you can
provide some direction.  The download site offers no insight:

Feb 27 22:55:12 raspbmc pdns[1152]: Recursive query for remote
192.168.15.160:3127 with internal id 8 was not answered by
backend within timeout, reusing id

Feb 27 22:55:12 raspbmc pdns[1152]: Unable to send a packet to our
recursing backend: Invalid argument

My allow-recursion line looks like this:
allow-recursion=127.0.0.1,192.168.15.0/24,192.168.15.155
recursor=8.8.8.8



[Pdns-users] Security of DNSSEC signing (was: New to PowerDNS)

2014-06-26 Thread Michael Ströder
k...@rice.edu wrote:
 On Thu, Jun 26, 2014 at 10:21:06PM +0100, Jorge Bastos wrote:
 For the DNSSEC part, is there a way to create the DNSSEC information just by 
 SQL ?

 If not, the solution is to run pdnssec secure-zone ZONE in a loop on a 
 cron script, am I right?
 
 I do not know about a SQL only solution for MySQL DNSSEC signing, but I
 know that there is a sample schema for Oracle that includes the needed
 triggers and functions and that I have a basically complete version of
 the same for PostgreSQL that I will be submitting to the PDNS folks once
 we have it vetted for production.

Hmm, am I the only one who is concerned about the security of the signing 
process?

Please don't get me wrong. But people are advocating DANE nowadays and aim to
completely replace X.509 certs with that. So security of the signed RRs is
crucial just like issuing X.509 certs. And yes, I know that it's hard to
achieve a higher level of operational security.

Ciao, Michael.






Re: [Pdns-users] Recursion issue--SERVFAIL then NOERROR totally at random

2014-09-09 Thread Michael Loftis
On Tue, Sep 9, 2014 at 9:55 AM, Brian Menges bmen...@gogrid.com wrote:
 I’d say it’s on Toyota’s end:



Same here gslb-ns1.toyota-na.com not responding (Comcast, Seattle, WA)



[Pdns-users] RFE LDAP backend: Filter template

2014-10-18 Thread Michael Ströder
Hi!

I know that the LDAP backend is not very high on the list of powerdns
development. But I'd like to propose a small enhancement which would make some
unusual LDAP-related setups easier.

Simple new config item 'ldap-filter-template':

Default:
ldap-filter-template = '(associatedDomain={0})'

Which could be replaced when using DHCP server with LDAP backend by:

ldap-filter-template = '((objectClass=)(dhcpAssignedHostName={0}))'

Even nicer would be a configurable filter map.
The {} syntax is inspired by Python's string formatting syntax and is only used as
an example.

Of course I can use the pipe-backend to implement whatever is needed for LDAP
integration.

Ciao, Michael.



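One thing a filter template like the proposed `ldap-filter-template` needs that the sketch above does not mention: the query name substituted for `{0}` comes from whoever sent the DNS query, so it has to be escaped as an LDAP assertion value (RFC 4515) before substitution, or a crafted name changes the filter's structure. The following is an added example, not PowerDNS code; the `dhcpHost` objectClass in the DHCP template is assumed, since the message's example lost that value in transit.

```python
# RFC 4515 assertion-value escaping: these five characters must become \XX.
RFC4515_SPECIALS = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join(RFC4515_SPECIALS.get(ch, ch) for ch in value)


def normalise_qname(qname: str) -> str:
    """Drop the trailing dot; letter case is left to the attribute's matching rule."""
    return qname.rstrip(".")


def render_filter(template: str, qname: str) -> str:
    """Substitute the escaped query name for every {0} in the template (safe)."""
    return template.replace("{0}", escape_filter_value(normalise_qname(qname)))


def naive_render(template: str, qname: str) -> str:
    """The unsafe variant: the query name is pasted into the filter verbatim."""
    return template.replace("{0}", normalise_qname(qname))


# The default from the proposal, and a DHCP-style template; the objectClass
# value dhcpHost is an assumption for illustration.
DEFAULT_TEMPLATE = "(associatedDomain={0})"
DHCP_TEMPLATE = "(&(objectClass=dhcpHost)(dhcpAssignedHostName={0}))"


def demo():
    """Render an ordinary name and a name carrying filter metacharacters."""
    ordinary = "host1.example.com."
    # Constructed: a qname whose characters would widen a pasted-in filter.
    hostile = "*)(objectClass=*"
    return {
        "default": render_filter(DEFAULT_TEMPLATE, ordinary),
        "dhcp": render_filter(DHCP_TEMPLATE, ordinary),
        "safe": render_filter(DEFAULT_TEMPLATE, hostile),
        "unsafe": naive_render(DEFAULT_TEMPLATE, hostile),
    }


if __name__ == "__main__":
    for label, rendered in demo().items():
        print(f"{label:8s} {rendered}")
```

In the "safe" rendering the metacharacters survive only as `\2a`, `\29` and `\28`, so the filter still asserts on a single `associatedDomain` value; the "unsafe" rendering has become two filter components.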


[Pdns-users] DNSSEC with LDAP backend

2015-01-16 Thread Michael Ströder
Hi!

Would it be possible to set up an authoritative PowerDNS server with DNSSEC
support using the LDAP backend?

Do I have to extend some DNSSEC-related RRs in the list ldap_attrany in file
modules/ldapbackend/ldapbackend.hh ? As it seems to me the attribute name is
derived from qtype name string and not from content of ldap_attrany if qtype
is set.

Ciao, Michael.






Re: [Pdns-users] DNSSEC with LDAP backend

2015-01-17 Thread Michael Ströder
Jan-Piet Mens wrote:
 Would it be possible to set up an authoritative PowerDNS server with DNSSEC
 support using the LDAP backend?
 
 The LDAP back-end doesn't support DNSSEC.

I'm aware that the LDAP back-end is not fully supported.

Let me be more precise:

I don't need auto-signing or support by other PowerDNS tools.

I'd implement generating DNSSEC-related RRs with my own custom scripts writing
LDAP entries.

All I need is that powerdns delivers the RRs needed for DNSSEC read from LDAP
entries. Is that possible?

Ciao, Michael.






Re: [Pdns-users] Currently using distro packages, want to update

2015-02-12 Thread Michael Ströder
Nick Williams wrote:
 I try to always use software packages from my distro package managers 
 (OpenSUSE zypper and CentOS yum) when I can, because it's easier and it 
 resolves all my dependencies for me.
 
 But my distro

Which is your distro? Vendor and exact version number?

For openSUSE I'm trying to keep up with powerdns releases and my submissions
most times end up here pretty soon:

https://build.opensuse.org/package/show/server:dns/pdns
(currently pdns-3.4.2)

https://build.opensuse.org/package/show/server:dns/pdns-recursor
(currently pdns-recursor-3.6.2, 3.7.1 is in my home project but not built yet)

Sooner or later this will be passed downstream in openSUSE Factory for the
next openSUSE release.

You can see here which platforms are enabled for default builds:
https://build.opensuse.org/project/repositories/server:dns

There you will also find the direct download links to zypper repo for your
openSUSE version.  In my OBS home project I'm also building openSUSE
Factory_ARM for running the packages on Raspberry Pi.

Ciao, Michael.





Re: [Pdns-users] Why was content length increased?

2015-02-19 Thread Michael Loftis
DNSSEC and DKIM.

On Thursday, February 19, 2015, Nick Williams nicho...@nicholaswilliams.net
wrote:

 I'm upgrading to authoritative 3.4 and noticed that the records.content
 column has been increased from 255 characters to 64000 characters. Because
 my table is UTF-8, I get the following error:

 mysql> ALTER TABLE records MODIFY content VARCHAR(64000);
 ERROR 1074 (42000): Column length too big for column 'content' (max =
 21845); use BLOB or TEXT instead

 I know I can use latin1, but I tend to avoid any non-Unicode character
 sets completely, and would prefer to stick with UTF-8. Given that:

 - What changed that required the increase from 255 to 64,000 characters?
 - Is there any reason that I couldn't just use VARCHAR(21845)?
 - Are there any performance implications to using TEXT instead of
 VARCHAR(64000)?

 Thanks,

 Nick





Re: [Pdns-users] Configure private subdomain

2015-03-28 Thread Michael Ströder

Nikolaos Milas wrote:

If you managed to set up this demo (Split-DNS with powerdns and LDAP-Backend)
for the Linux-Tage, could you please post this work here or a link to a page
where it is available?


Basically it boils down to this ACL:

access to
  dn.subtree="cn=pdns,ou=services,ou=infra-dir"
  filter="(objectClass=dNSDomain2)"
by set="user/memberOf & this/seeAlso" read
by * none

Attribute 'seeAlso' contains DN(s) of group entries of service accounts of 
powerdns instances.


Could not extensively test it though due to time constraints.

And a nicer schema for not (ab)using attribute 'seeAlso' would be better.

Ciao, Michael.





Re: [Pdns-users] Slave DNSKeys

2015-03-02 Thread Michael Ströder
Peter van Dijk wrote:
 (2) it looks like your RRSIGs and KSK DNSKEY on the slave are truncated; we
 recommend increasing the size of the ‘content’ column in the records table
 (see our upgrade notes https://doc.powerdns.com/md/authoritative/upgrading/
 )

(Sigh!) I really wonder why the LDAP backend is not improved to support
DNSSEC. It's so much easier to set up an LDAP server with multi-master and
two-tier replication than a MySQL server. And attributes are of variable
length by default.

Ciao, Michael.





Re: [Pdns-users] Configure private subdomain

2015-03-04 Thread Michael Ströder
Nikolaos Milas wrote:
 On 3/3/2015 2:44 PM, Nikolaos Milas wrote:
 
 Ideally, we would like pdns to be configured to reply to requests *for
 particular names* (under a specific subdomain, say internal.example.com) by
 only providing  records (if available, otherwise no results) and hide A
 records.

 This way we could specify (for names under a specific domain), A records
 which will contain a Private IP Address, so as to  not be visible to the
 Internet but only locally.
 
 Corrections/Clarifications:
 
 Ideally, we would like pdns to be configured to reply to requests *for
 particular names* (under a specific subdomain, say internal.example.com) by
 only providing  records (if available, otherwise no results) and hide A
 records to all requests, except to those from our own networks (as would be
 configured), to which full replies would be provided.
 
 This way we could specify (for names under a specific domain), A records
 which will contain a Private IP Address, so as to  not be visible to the
 Internet but only locally (to our own networks, which would be specified
 explicitly).

This sounds a bit like a special case for split horizon DNS.

I promised to configure a demo using powerdns with LDAP backend for this based
on OpenLDAP ACLs and several powerdns instances using different LDAP identities.

Feel free to come here and ask whether I managed to get it working in time:
https://chemnitzer.linux-tage.de/2015/en/programm/beitrag/134

Ciao, Michael.






[Pdns-users] DNS names and strings (was: PowerDNS development plans: 4.x DNSSEC, C++ 2011!)

2015-02-23 Thread Michael Ströder
bert hubert wrote:
> In this post, we’d like to share our current plans for .. PowerDNS 4.x!

Glad to read all your plans.

> * We treat DNS names as ASCII strings, which we escape and unescape
>   repeatedly.  DNS names are not ASCII strings, and we keep finding
>   issues related to us treating them like strings.

Unfortunately the term string is used in many different ways.
Could you please elaborate on what that means exactly?
E.g. will this affect the way NON-ASCII DNS names are stored in backend files?

Ciao, Michael.





Re: [Pdns-users] ANY+Reflection Attacks?

2015-02-25 Thread Michael Ströder
Ciro Iriarte wrote:
> 2015-02-24 17:49 GMT-03:00 Ciro Iriarte cyru...@gmail.com:
>
>> Hi!, I'm seeing a lot of messages of type Timeout from remote TCP client
>> 10.XXX.XXX.XXX, it seems to be an attack given we have any-to-tcp = yes.
>>
>> Is this usual? Is there any way to identify the attackers? The service is
>> working fine and we have in our roadmap constant packet capture for data
>> mining but I find this behaviour new/interesting today :)
>>
>> Any comments?
>>
>> Regards,
>
> Well, never mind. After all, those are legitimate clients and there seems
> to be a firewall with connection tracking issues. What's unexpected to me
> is having TCP requests, I was expecting only UDP traffic from end users.

DNSSEC used?

Ciao, Michael.





[Pdns-users] DNSSEC, pdns-recursor and libunbound

2015-04-24 Thread Michael Ströder

Hi!

We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs
retrieved through a pdns-recursor (also tested 3.7.2).

It seems that

1. libunbound does not explicitly retrieve the RRSIG RRs and

2. pdns-recursor does not return them when not explicitly requested (qtype ANY).
   (Explicitly requesting RRSIG works.)

=> validation in libunbound fails

Did anybody else try such a setup before? Did it work?

Most people doing DNSSEC validation simply use bind9 or unbound for recursing
and as validating resolver but for now that's likely not an option in this
infrastructure.

Any hint is appreciated. Thanks in advance.

Ciao, Michael.




Re: [Pdns-users] DNSSEC, pdns-recursor and libunbound

2015-04-25 Thread Michael Ströder

l...@consolejunkie.net wrote:
> On 2015-04-24 21:35, Michael Ströder wrote:
>> Michael Ströder wrote:
>>> We're currently testing DNSSEC validation with libunbound 1.5.3 with all
>>> the RRs retrieved through a pdns-recursor (also tested 3.7.2).
>>>
>>> It seems that
>>>
>>> 1. libunbound does not explicitly retrieve the RRSIG RRs and
>>>
>>> 2. pdns-recursor does not return them when not explicitly requested (qtype ANY).
>>>    (Explicitly requesting RRSIG works.)
>>>
>>> => validation in libunbound fails
>>
>> Did further testing with python-unbound (thin wrapper module on top
>> of libunbound) with simple script almost equal to this:
>>
>> http://www.unbound.net/documentation/pyunbound/examples/example4.html
>>
>> Looking at PCAP dumps with Wireshark the requests sent by libunbound
>> contain the DO bit:
>>
>> 1...    = DO bit: Accepts DNSSEC security RRs
>>
>> It seems to me that unbound and Google's 8.8.8.8 therefore return
>> RRSIG RRs while pdns-recursor does not.
>>
>> I have to admit that looking at [1] rather confuses me. ;-)
>>
>> Sniffing the out-going requests sent by pdns-recursor the DO bit is
>> missing. Obviously the DNS servers then do not respond with RRSIG RRs.
>>
>> Ciao, Michael.
>>
>> [1] http://tools.ietf.org/html/rfc4035#section-3.2.1
>
> It's too bad nobody replied to you yet.

Given my last posting was late in the evening your response is pretty quick. :-)

> Let me tell how it is:
>
> The DO-bit in the request to the recursor means: please include DNSSEC
> information.

Yes.

> Then if the recursor you are requesting it from does validation and it fails
> it will return an error similar to domain not found.

Actually I'm using python-unbound (mainly libunbound) for the validation but
would like to use the existing pdns-recursor for simply retrieving the RRs.

But since the DO bit is not forwarded it does not get the RRSIG RRs back and
returns the result with validation status bogus.

> http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/
>
> If I understand correctly the PowerDNS developers have put in some of the time
> to add DNSSEC to their recursor but it isn't done yet.

Already saw this blog article before. I'm looking forward to pdns-recursor 4.x
because I like its logging more than that of other recursors.

> In the past I've requested from the PowerDNS developers, would it be possible
> to at least include the DNSSEC-information so Unbound can do the validation.
>
> I told them you can leave the validation out of PowerDNS-recursor, I care less
> about that.
>
> The answer I got was:
>
> The validation is in comparison the easy part, changing the recursor to return
> the DNSSEC-information is more work.

Hmm, but if explicitly requested in the query pdns-recursor does actually
retrieve the RRSIG RRs.

Wouldn't it be possible to also send the DO bit in the out-going query if the
incoming query had it set?

Ciao, Michael.
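As an added example for the DO-bit discussion in this thread (my code, not the poster's, PowerDNS's or unbound's): a small Python checker that parses a raw DNS message, such as one extracted from the PCAPs mentioned above, and reports whether its EDNS0 OPT record carries the DO bit. It also builds queries with DO set, with DO clear, and with no EDNS at all, so the checker can be exercised offline; all packets and names are constructed for the example.

```python
"""Check whether a DNS message carries the EDNS0 DO bit (RFC 3225, RFC 6891).

Added example, not code from the list thread or from PowerDNS/unbound. The
DO bit lives in the OPT pseudo-RR of the additional section: the top bit of
the 16-bit flags half of the OPT record's "TTL" field. Queries are built here
with and without it so the checker can be run offline; packets pulled from
a PCAP can be fed to has_do_bit() the same way.
"""
import struct

TYPE_OPT = 41        # EDNS0 OPT pseudo-RR type
CLASS_IN = 1
QTYPE_A = 1
DO_FLAG = 0x8000     # DO bit within the OPT TTL field (ext-rcode | version | flags)


def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, do_bit: bool, edns: bool = True,
                txid: int = 0x1234) -> bytes:
    """Build a query; with edns=True an OPT RR is appended, DO set only if do_bit."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD set
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if not edns:
        return header + question
    ttl_field = DO_FLAG if do_bit else 0
    # OPT RR: root owner name, type 41, CLASS = UDP payload size, empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl_field, 0)
    return header + question + opt


def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def has_do_bit(pkt: bytes) -> bool:
    """Parse a DNS message; True iff it has an OPT RR with the DO bit set.

    A message without any OPT RR (no EDNS0 at all) yields False.
    """
    if len(pkt) < 12:
        raise ValueError("truncated header")
    _txid, _flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4                 # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return bool(ttl & DO_FLAG)
    return False


if __name__ == "__main__":
    for do in (True, False):
        pkt = build_query("example.com.", QTYPE_A, do)
        print(f"query built with DO={do}: has_do_bit -> {has_do_bit(pkt)}")
    print("no EDNS at all:", has_do_bit(build_query("example.com.", QTYPE_A, True, edns=False)))
```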






Re: [Pdns-users] DNSSEC, pdns-recursor and libunbound

2015-04-24 Thread Michael Ströder

Michael Ströder wrote:
> We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs
> retrieved through a pdns-recursor (also tested 3.7.2).
>
> It seems that
>
> 1. libunbound does not explicitly retrieve the RRSIG RRs and
>
> 2. pdns-recursor does not return them when not explicitly requested (qtype ANY).
>    (Explicitly requesting RRSIG works.)
>
> => validation in libunbound fails

Did further testing with python-unbound (thin wrapper module on top of
libunbound) with simple script almost equal to this:

http://www.unbound.net/documentation/pyunbound/examples/example4.html

Looking at PCAP dumps with Wireshark the requests sent by libunbound contain
the DO bit:

1...    = DO bit: Accepts DNSSEC security RRs

It seems to me that unbound and Google's 8.8.8.8 therefore return RRSIG RRs
while pdns-recursor does not.

I have to admit that looking at [1] rather confuses me. ;-)

Sniffing the out-going requests sent by pdns-recursor the DO bit is missing.
Obviously the DNS servers then do not respond with RRSIG RRs.

Ciao, Michael.

[1] http://tools.ietf.org/html/rfc4035#section-3.2.1





[Pdns-users] LargeScaleDNSSECBCP / versions

2015-04-16 Thread Michael Ströder

Hi!

It seems this wiki page mentions rather old pdns versions:

http://wiki.powerdns.com/trac/wiki/LargeScaleDNSSECBCP

Are there more recent insights to consider regarding versions?
Especially when thinking about a pdns upgrade 3.3.x -> 3.4.1 for DNSSEC?

Ciao, Michael.

--
Michael Ströder
E-Mail: mich...@stroeder.com
http://www.stroeder.com





Re: [Pdns-users] PDNS to answer as NON-authoritative?

2016-01-03 Thread Michael Loftis
Two people have answered your question and told you what you're missing.
I'm not going to try to guess at whatever misconfiguration or
misunderstanding resulted in you getting (or seemingly getting) recursive
results from bind when you were attempting to disable them. PowerDNS fully
and completely separates all authoritative functionality from recursive
functionality (and any associated caches). This is in contrast to bind
which merges all such functionality.


On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <
luis.daniel.lu...@gmail.com> wrote:

> No because in bind, when you turn off recursive resolution it resolves. I
> can't figure out the missing part to have the same behavior.
> On 3 Jan 2016 2:39 PM, "Michael Loftis" <mlof...@wgops.com> wrote:
>
>> Again not a resolver. Sorry but you're the one misunderstanding. If you
>> want answers for data not present you need a recursive resolver.
>>
>> On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <
>> luis.daniel.lu...@gmail.com> wrote:
>>
>>> Host command does not do that as well. It off on the sample output
>>> On 3 Jan 2016 2:00 PM, "Aki Tuomi" <cmo...@cmouse.fi> wrote:
>>>
>>>> That is because dig is not a resolver.
>>>>
>>>>
>>>>
>>>> ---
>>>> Aki Tuomi
>>>>
>>>>
>>>>  Original message 
>>>> From: Luis Daniel Lucio Quiroz <luis.daniel.lu...@gmail.com>
>>>> Date: 03/01/2016 20:56 (GMT+02:00)
>>>> To: Michael Loftis <mlof...@wgops.com>
>>>> Cc: Aki Tuomi <cmo...@youzen.ext.b2.fi>,
>>>> pdns-users@mailman.powerdns.com
>>>> Subject: Re: [Pdns-users] PDNS to answer as NON-authoritative?
>>>>
>>>> You don't pay attention.
>>>> My question is why the resolver doesn't continue the iterative query.
>>>> It just stops when it gets the ns answer
>>>> On 3 Jan 2016 12:59 PM, "Michael Loftis" <mlof...@wgops.com> wrote:
>>>>
>>>>> Then quit asking it for information it doesn't have. Responding with
>>>>> the root NS set is correct when you're asking for Google.com which it knows
>>>>> nothing about.
>>>>>
>>>>> On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <
>>>>> luis.daniel.lu...@gmail.com> wrote:
>>>>>
>>>>>> Thanks. But that's the way u don't want to use. I know how.
>>>>>>
>>>>>> I need to make it work in non recursive mode.
>>>>>> On 3 Jan 2016 9:29 AM, "Aki Tuomi" <cmo...@youzen.ext.b2.fi> wrote:
>>>>>>
>>>>>>> If you want to use auth as recursor, you need to configure
>>>>>>>
>>>>>>> recursor=
>>>>>>> allow-recursion=
>>>>>>>
>>>>>>> On Sat, Jan 02, 2016 at 09:55:54PM -0800, Michael Loftis wrote:
>>>>>>> > PowerDNS is not the same as PowerDNS Recursor. The former only does
>>>>>>> > authoritative which is your problem here.
>>>>>>> >
>>>>>>> > On Saturday, January 2, 2016, Luis Daniel Lucio Quiroz <
>>>>>>> > luis.daniel.lu...@gmail.com> wrote:
>>>>>>> >
>>>>>>> > > Hello
>>>>>>> > >
>>>>>>> > > What am I missing? I have this:
>>>>>>> > > launch=pipe,bind
>>>>>>> > > pipe-command=/usr/local/libexec/latency.pdns.plugin
>>>>>>> > > pipe-regex=^.*\.(mylocaldomain)\.(net);.*$
>>>>>>> > > bind-config=/etc/named.pdns.conf
>>>>>>> > > bind-check-interval=300
>>>>>>> > > bind-ignore-broken-records=no
>>>>>>> > > send-root-referral=lean
>>>>>>> > > allow-recursion=192.168.7.0/24
>>>>>>> > >
>>>>>>> > > /etc/named.pdns.conf looks like this
>>>>>>> > > zone "mylocaldomain.net" IN {
>>>>>>> > >    type master;
>>>>>>> > >    file "/var/named/data/mylocaldomain.net";

Re: [Pdns-users] PDNS to answer as NON-authoritative?

2016-01-02 Thread Michael Loftis
PowerDNS is not the same as PowerDNS Recursor. The former only does
authoritative which is your problem here.

On Saturday, January 2, 2016, Luis Daniel Lucio Quiroz <
luis.daniel.lu...@gmail.com> wrote:

> Hello
>
> What am I missing? I have this:
> launch=pipe,bind
> pipe-command=/usr/local/libexec/latency.pdns.plugin
> pipe-regex=^.*\.(mylocaldomain)\.(net);.*$
> bind-config=/etc/named.pdns.conf
> bind-check-interval=300
> bind-ignore-broken-records=no
> send-root-referral=lean
> allow-recursion=192.168.7.0/24
>
> /etc/named.pdns.conf looks like this
> zone "mylocaldomain.net" IN {
>    type master;
>    file "/var/named/data/mylocaldomain.net";
> };
>
> zone "root-servers.net" IN {
>    type master;
>    file "/var/named/data/named.ca";
> };
>
>
> when I do a dig, or a host, I get this:
>
> dig google.com @PUBLICIP
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> . @PUBLICIP
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29059
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;.  IN  A
>
> ;; AUTHORITY SECTION:
> .   518400  IN  NS  a.root-servers.net.
> .   518400  IN  NS  b.root-servers.net.
> .   518400  IN  NS  c.root-servers.net.
> .   518400  IN  NS  d.root-servers.net.
> .   518400  IN  NS  e.root-servers.net.
> .   518400  IN  NS  f.root-servers.net.
> .   518400  IN  NS  g.root-servers.net.
> .   518400  IN  NS  h.root-servers.net.
> .   518400  IN  NS  i.root-servers.net.
> .   518400  IN  NS  j.root-servers.net.
> .   518400  IN  NS  k.root-servers.net.
> .   518400  IN  NS  l.root-servers.net.
> .   518400  IN  NS  m.root-servers.net.
>
> ;; ADDITIONAL SECTION:
> a.root-servers.net. 360 IN  A   198.41.0.4
> a.root-servers.net. 360 IN  AAAA    2001:503:ba3e::2:30
> b.root-servers.net. 360 IN  A   192.228.79.201
> c.root-servers.net. 360 IN  A   192.33.4.12
> d.root-servers.net. 360 IN  A   199.7.91.13
> d.root-servers.net. 360 IN  AAAA    2001:500:2d::d
> e.root-servers.net. 360 IN  A   192.203.230.10
> f.root-servers.net. 360 IN  A   192.5.5.241
> f.root-servers.net. 360 IN  AAAA    2001:500:2f::f
> g.root-servers.net. 360 IN  A   192.112.36.4
> h.root-servers.net. 360 IN  A   128.63.2.53
> h.root-servers.net. 360 IN  AAAA    2001:500:1::803f:235
> i.root-servers.net. 360 IN  A   192.36.148.17
>
> ;; Query time: 24 msec
> ;;
> ;; WHEN: Sun Jan  3 05:10:27 2016
> ;; MSG SIZE  rcvd: 484
>
>
> or
>
> host google.com PUBLICIP
> Using domain server:
> Name: PUBLICIP
> Address: PUBLICIP#53
> Aliases:
>
>
> As you see, there is no answer. I only get the root NS servers.
>
> --
> Luis Daniel Lucio Quiroz
> CISSP, CISM, CISA
> Linux, VoIP and much more fun
> www.okay.com.mx
>
> Need LCR? Check out LCR for FusionPBX with FreeSWITCH
> Need Billing? Check out Billing for FusionPBX with FreeSWITCH
>


-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler


Re: [Pdns-users] PDNS to answer as NON-authoritative?

2016-01-03 Thread Michael Loftis
Again not a resolver. Sorry but you're the one misunderstanding. If you
want answers for data not present you need a recursive resolver.

On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <
luis.daniel.lu...@gmail.com> wrote:

> Host command does not do that as well. It off on the sample output
> On 3 Jan 2016 2:00 PM, "Aki Tuomi" <cmo...@cmouse.fi> wrote:
>
>> That is because dig is not a resolver.
>>
>>
>>
>> ---
>> Aki Tuomi
>>
>>
>>  Original message 
>> From: Luis Daniel Lucio Quiroz <luis.daniel.lu...@gmail.com>
>> Date: 03/01/2016 20:56 (GMT+02:00)
>> To: Michael Loftis <mlof...@wgops.com>
>> Cc: Aki Tuomi <cmo...@youzen.ext.b2.fi>, pdns-users@mailman.powerdns.com
>> Subject: Re: [Pdns-users] PDNS to answer as NON-authoritative?
>>
>> You don't pay attention.
>> My question is why the resolver doesn't continue the iterative query.
>> It just stops when it gets the ns answer
>> On 3 Jan 2016 12:59 PM, "Michael Loftis" <mlof...@wgops.com> wrote:
>>
>>> Then quit asking it for information it doesn't have. Responding with the
>>> root NS set is correct when you're asking for Google.com which it knows
>>> nothing about.
>>>
>>> On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <
>>> luis.daniel.lu...@gmail.com> wrote:
>>>
>>>> Thanks. But that's the way u don't want to use. I know how.
>>>>
>>>> I need to make it work in non recursive mode.
>>>> On 3 Jan 2016 9:29 AM, "Aki Tuomi" <cmo...@youzen.ext.b2.fi> wrote:
>>>>
>>>>> If you want to use auth as recursor, you need to configure
>>>>>
>>>>> recursor=
>>>>> allow-recursion=
>>>>>
>>>>> On Sat, Jan 02, 2016 at 09:55:54PM -0800, Michael Loftis wrote:
>>>>> > PowerDNS is not the same as PowerDNS Recursor. The former only does
>>>>> > authoritative which is your problem here.
>>>>> >
>>>>> > On Saturday, January 2, 2016, Luis Daniel Lucio Quiroz <
>>>>> > luis.daniel.lu...@gmail.com> wrote:
>>>>> >
>>>>> > > Hello
>>>>> > >
>>>>> > > What am I missing? I have this:
>>>>> > > launch=pipe,bind
>>>>> > > pipe-command=/usr/local/libexec/latency.pdns.plugin
>>>>> > > pipe-regex=^.*\.(mylocaldomain)\.(net);.*$
>>>>> > > bind-config=/etc/named.pdns.conf
>>>>> > > bind-check-interval=300
>>>>> > > bind-ignore-broken-records=no
>>>>> > > send-root-referral=lean
>>>>> > > allow-recursion=192.168.7.0/24
>>>>> > >
>>>>> > > /etc/named.pdns.conf looks like this
>>>>> > > zone "mylocaldomain.net" IN {
>>>>> > >    type master;
>>>>> > >    file "/var/named/data/mylocaldomain.net";
>>>>> > > };
>>>>> > >
>>>>> > > zone "root-servers.net" IN {
>>>>> > >    type master;
>>>>> > >    file "/var/named/data/named.ca";
>>>>> > > };
>>>>> > >
>>>>> > >
>>>>> > > when I do a dig, or a host, I get this:
>>>>> > >
>>>>> > > dig google.com @PUBLICIP
>>>>> > >
>>>>> > > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> . @PUBLICIP
>>>>> > > ;; global options: +cmd
>>>>> > > ;; Got answer:
>>>>> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29059
>>>>> > > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
>>>>> > > ;; WARNING: recursion requested but not available

Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread Michael Loftis
(inline)

On Wed, Jan 6, 2016 at 11:42 AM, Nicholas Williams wrote:
> I'll look into that other script. Thanks, Bert.
>
>> How about a creating a separate sub-zone with a broken presigned DNSSEC
>
>> You can set presigned for just that single zone using the PRESIGNED domain
>> metadata[1] int your database.
>
> I really like this idea in combination. That documentation that Pieter sent
> me should help me get set up with presigning. But, Leen, how would I set up
> a subzone delegated to the same authoritative server (or can I, even?)? Can
> you point me to that documentation?

B/C the server is the same you don't necessarily need to set up the
delegation in the zone with records table.  You just need to have it
in the domains table.  That said you *can* totally do a full
delegation.  You just insert NS records into the parent zone records
w/ the parent domain_id, and do SOA+NS/whatever you normally do
(synthetic SOA/generated SOA comes to mind) inside the delegated zone
(child) domain_id...there's no magic to delegations.  You'll have like
2x the NS records for a self delegated zone (as the parent zone will
have the same records with the parent/delegating domain_id).


>
> Google really hasn't indexed this documentation very well at all...
>
> Thanks,
>
> Nick


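As an added illustration of the self-delegation the reply above describes (example code, not PowerDNS's own, run against a constructed subset of the generic SQL backend schema): the child zone gets its own domains row, its NS records go into the parent under the parent's domain_id, its SOA and apex NS go under the child's own domain_id, and a PRESIGNED domainmetadata row marks just the child. Table and column names follow pdns, but the schema here is deliberately reduced (no ordername, change_date and so on), and the zone names, NS names and SOA values are made up.

```python
"""Delegating a sub-zone to the same PowerDNS server via the SQL tables.

Added example, not PowerDNS's own code. It loads a reduced, constructed subset
of the generic SQL backend schema (domains, records, domainmetadata) into
in-memory SQLite and performs the layout the post describes: the child gets
its own domains row; the parent zone carries NS records for the child under
the parent's domain_id; the child carries its own SOA and apex NS under the
child's domain_id; and a PRESIGNED domainmetadata row marks only the child.
"""
import sqlite3
from typing import List, Tuple

# Constructed subset of the pdns generic SQL schema (column names as in pdns,
# but far from the full schema).
SCHEMA = """
CREATE TABLE domains (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE, type TEXT NOT NULL);
CREATE TABLE records (
    id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL, name TEXT, type TEXT,
    content TEXT, ttl INTEGER, prio INTEGER DEFAULT 0, auth INTEGER DEFAULT 1);
CREATE TABLE domainmetadata (
    id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL, kind TEXT, content TEXT);
"""

INSERT_RR = ("INSERT INTO records (domain_id, name, type, content, ttl, auth) "
             "VALUES (?, ?, ?, ?, ?, ?)")


def add_zone(conn: sqlite3.Connection, name: str, soa: str,
             ns_names: List[str], ttl: int = 3600) -> int:
    """Create a NATIVE zone with its SOA and apex NS set; return its domain_id."""
    cur = conn.execute("INSERT INTO domains (name, type) VALUES (?, 'NATIVE')", (name,))
    domain_id = cur.lastrowid
    conn.execute(INSERT_RR, (domain_id, name, "SOA", soa, ttl, 1))
    for ns in ns_names:
        conn.execute(INSERT_RR, (domain_id, name, "NS", ns, ttl, 1))
    return domain_id


def delegate_to_self(conn: sqlite3.Connection, parent: str, child: str,
                     ns_names: List[str], soa: str, presigned: bool = True,
                     ttl: int = 3600) -> int:
    """Delegate child from parent on the same server; return the child's domain_id."""
    row = conn.execute("SELECT id FROM domains WHERE name = ?", (parent,)).fetchone()
    if row is None:
        raise ValueError(f"parent zone {parent} not found")
    parent_id = row[0]
    # Delegation NS records belong to the PARENT zone (parent's domain_id).
    # auth=0: the parent is not authoritative for data below the zone cut.
    for ns in ns_names:
        conn.execute(INSERT_RR, (parent_id, child, "NS", ns, ttl, 0))
    # The child zone holds its own SOA and apex NS under its own domain_id,
    # so the same NS names appear twice, once per domain_id.
    child_id = add_zone(conn, child, soa, ns_names, ttl)
    if presigned:
        conn.execute("INSERT INTO domainmetadata (domain_id, kind, content) "
                     "VALUES (?, 'PRESIGNED', '1')", (child_id,))
    conn.commit()
    return child_id


def ns_records_for(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str, int]]:
    """All NS records with this owner name as (domain_id, content, auth)."""
    return conn.execute(
        "SELECT domain_id, content, auth FROM records WHERE name = ? AND type = 'NS' "
        "ORDER BY domain_id, content", (name,)).fetchall()


def presigned_zones(conn: sqlite3.Connection) -> List[str]:
    """Names of zones carrying PRESIGNED domain metadata."""
    return [r[0] for r in conn.execute(
        "SELECT d.name FROM domains d JOIN domainmetadata m ON m.domain_id = d.id "
        "WHERE m.kind = 'PRESIGNED' ORDER BY d.name")]


def build_demo() -> Tuple[sqlite3.Connection, int, int]:
    """Constructed scenario: example.com delegating broken.example.com to itself."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    soa = "ns1.example.com hostmaster.example.com 1 10800 3600 604800 3600"
    nss = ["ns1.example.com", "ns2.example.com"]
    parent_id = add_zone(conn, "example.com", soa, nss)
    child_id = delegate_to_self(conn, "example.com", "broken.example.com", nss, soa)
    return conn, parent_id, child_id


if __name__ == "__main__":
    conn, parent_id, child_id = build_demo()
    for domain_id, content, auth in ns_records_for(conn, "broken.example.com"):
        print(f"domain_id={domain_id} NS {content} auth={auth}")
    print("presigned:", presigned_zones(conn))
```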


Re: [Pdns-users] [Pdns-announce] PowerDNS Authoritative Server 4.0.0 released

2016-07-11 Thread Michael Ströder
Pieter Lexis wrote:
>  * A revived and supported LDAP backend (ldap).

Thanks! :-)

Ciao, Michael.






Re: [Pdns-users] pdns-ldap <-> Rudder-ldap

2016-11-15 Thread Michael Ströder
StanC wrote:
> Is there a method of translating the ldap schema that Rudder uses for
> its node inventory and using this in a pdns ldap backend?

More or less you're asking for the same feature as me:

https://github.com/PowerDNS/pdns/issues/1832

> I had this fantasy that one could connect to Rudder's ldap server from
> pdns and use it directly as a backend, but I cannot imagine that the
> schemas could possibly align

For tight integration with my Æ-DIR I plan to use the remote-backend:

https://doc.powerdns.com/md/authoritative/backend-remote/

http://jpmens.net/2015/11/03/powerdns-with-the-remote-back-end-and-dnssec/

Ciao, Michael.






Re: [Pdns-users] GUI with LDAP backend ?

2017-05-15 Thread Michael Ströder
r0m5 wrote:
> So here is my question : what do you think would be a convenient way to 
> manage zone and
> records using the LDAP backend ? How do you guys proceed ?

For managing DNS zones in a pdns LDAP backend I've added some plugin classes to
my own client: https://web2ldap.de/
Be warned it's still not an ideal DNS UI. But once you get used to it it's IMHO
not much worse than poweradmin. (You can contact me off-list if you have issues
installing/using it.)

Hmm, so far I did not see an intuitive DNS management UI anyway. I guess it's
the generic flexibility of DNS RRs which puts so much burden on the UI.

Ciao, Michael.





Re: [Pdns-users] Question about logging changes

2017-11-28 Thread Michael Ströder
Dirk Bartley wrote:
> You could log the who of who is logged into the database, but if the database
> connection is done from a front end, it would always be the user the front end
> connects to the database as.  But if you have a front end, just manage it by who
> is logged into the Front end.

Depends on the frontend. If it lets the user impersonate a personal
user account on the DB connection you get the real who.

It would be nice if the PowerDNS API would have a config option like
"connect-as-user" to avoid using a hard-coded API password/key. In this
case you could also let the database backend enforce access control even
for API requests.

Ciao, Michael.





Re: [Pdns-users] Question about logging changes

2017-11-28 Thread Michael Ströder
Dirk Bartley wrote:
> I have been asked to look at some options for assisting my employer to
> alter the way our internal dns is served.  One of the features being
> requested is the ability to log the who, what and when of all changes
> to the data that dns is serving.  Of course when I search for change
> logging, I get the change logs of the code.  Would there be a better
> phrase than "change log" to search for.  Is this the kind of feature
> that already exists, or is this the kind of feature that would be
> better accomplished by writing a front end that we would force everyone
> here to use that does the update.  We are considering using LDAP as a
> backend for the dns service.

How do you plan to maintain the data?

E.g. if you're using an LDAP server as backend *and* you're going to
maintain the data via LDAP it boils down more to how to audit write
operations on the LDAP server. And this depends on the features of the
LDAP server you're planning to use. Personally I love the accesslog overlay
(originally implemented for delta-replication) in OpenLDAP because it
automagically gives you a perfect audit trail in a separate database.

Ciao, Michael.





Re: [Pdns-users] Meltdown impact on PowerDNS/dnsdist

2018-01-06 Thread Michael Ströder
bert hubert wrote:
> We have done some very tentative measurements on the Linux Meltdown
> workaround & impact on DNS performance.

Besides the performance impact of the "fixes" doesn't this mean that
people should stop doing DNSSEC signing on-the-fly on the authoritative
server and move DNSSEC signing to isolated systems?

Ciao, Michael.





Re: [Pdns-users] BIND-Zonefiles: @ vs blank

2019-08-08 Thread Michael Loftis
On Thu, Aug 8, 2019 at 07:01 Bjoern Franke wrote:

> Hi,
>
> we have a zonefile which got recently added TXT entries for SPF and DMARC:
>
> _dmarc  IN  TXT "v=DMARC1; p=none; rua=mailto:foo;
> IN  MX  10 mx.domain.tld.
> IN  TXT "v=spf1 include:spf1.domain.tld ?all"
>
> Since then, requests for the MX record were not answered any more,
> adding a @ fixed it.
>
> I'm wondering now why this happens, as in other zonefiles without TXT
> records the blank substitution works.


I've always had the understanding that blank meant "reuse last" so by
adding the _dmarc TXT record ahead of the blank records you inadvertently
moved them to be _dmarc.ZONE

I could certainly be wrong because I haven't looked at the man page for
bind zone files in the last decade.



>
> Kind regards
> Bjoern
>
-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler


Re: [Pdns-users] Log all zone changes

2019-09-27 Thread Michael Ströder
On 9/27/19 8:30 PM, Vitali Quiering via Pdns-users wrote:
> I just started using PowerDNS Authoritative Server recently and got
> to the point where I need all changes logged. Is there an option I
> missed? If there is none: How do you log your changes?
Probably not exactly the answer you're looking for:

I'm using PowerDNS with LDAP backend and write operations to OpenLDAP
server(s) are logged with accesslog overlay. My personal setup is very
small but the components should easily scale up.

Ciao, Michael.





Re: [Pdns-users] Contents of Pdns-users digest

2019-11-13 Thread Michael Chisina
I think  load balancer  is the best option and configure the policy(ies) on
it.

Michael Chisina

On Wed, Nov 13, 2019, 2:00 PM wrote:

> Today's Topics:
>
>1. Re: Forward client request (Thomas Mieslinger)
>
>
> --
>
> Message: 1
> Date: Tue, 12 Nov 2019 15:37:32 +0100
> From: Thomas Mieslinger 
> To: pdns-users@mailman.powerdns.com
> Subject: Re: [Pdns-users] Forward client request
> Message-ID: <78ad5583-6f4e-a150-86c0-eece65eee...@mail.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> If you are familiar with policy based routing or multiple vrfs and
> running multiple pdns_recursor instances you could create two (or more)
> pdns_recursor services and configure the routing to send the dns
> requests to the desired recursor.
>
> On 11/12/19 12:05 PM, mendisobal via Pdns-users wrote:
> > How can I forward recursive DNS requests based on the source address of the
> > client? To do this I need the ability to return the address of the next NS
> > from the preresolve function (instead of NS records).
> > Is there any example in Lua?
> >


Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-07 Thread Michael Ströder
On 1/7/20 3:00 PM, Sharone Bakara wrote:
> On 7 Jan 2020, at 16:55, Remi Gacogne wrote:
>> On 1/7/20 2:41 PM, Sharone wrote:
>>> '/var/run/pdns-recursor': Permission denied"*
>> I'm not sure of what your SNMP setup is, but it looks like the user
>> invoking rec_control does not have the rights to create a new file in
>> /var/run/pdns-recursor. What happens if you invoke the rec_control
>> command directly as the 'pdns' user?
>
> I get the same error as when I run it root.

Whenever "permissions denied" happens while running an action as root
I'd check whether SELinux or AppArmor blocks some access.
=> check your audit log (assuming you're running auditd)

Ciao, Michael.


RE: [Pdns-users] Debugging

2006-08-26 Thread Michael C. Gates
Hi Bert,

I get about 3 different types of crashes. There is no rhyme or reason to
them. I watch the command prompt log to see if it crashes on the same type
of action, and it doesn't. I was hoping setting up the service to restart
after a failure would fix the problem, but it seems that the program is
still running, just not answering. I have been trying to figure out why 1
server works fine, and 2 others don't. There is no rhyme or reason to them
either.

Is there an older build of the windows version that is more stable? I don't
need bells and whistles, just simple A, CNAME, MX, SOA records, etc. And I
don't need primary and slave servers because I simply use replication in my
MS SQL DB so if I update one, they all get updated.

Thanks for your help.

Michael C. Gates

-Original Message-
From: bert hubert [mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 26, 2006 4:53 AM
To: Michael C. Gates
Cc: pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] Debugging


On Fri, Aug 25, 2006 at 07:08:43PM -0400, Michael C. Gates wrote:
> Any way to create a program log so I can figure out why mine is
> crashing every once in a while? If I download the source, can I open
> it in Visual Studio 2005? Or was it written in something else? I know
> C#, but not much of C++. I wouldn't mind figuring it out if it solved
> the crashing problem.

The PowerDNS Recursor compiles in Visual Studio 2005, the authoritative
server doesn't. The currently last released version of the PowerDNS
Authoritative server is known to have many, many bugs.

Can you let us know more about your specific problem?

Thanks.

-- 
http://www.PowerDNS.com  Open source, database driven DNS Software 
http://netherlabs.nl  Open and Closed source services



RE: [Pdns-users] problem with slave domains odbc backend w2000

2006-11-03 Thread Michael C. Gates
What would sponsor mean? I would be glad to depending on what is involved. I
would actually love to have a C# version of this for windows users... But
that is probably a huge task...

Let me know... I didn't get the email about it.

Best regards,

Michael C. Gates
GatesHosting.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of bert hubert
Sent: Friday, November 03, 2006 3:18 AM
To: Adam Bazylczyk
Cc: pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] problem with slave domains odbc backend w2000


On Fri, Nov 03, 2006 at 06:17:44AM +0100, Adam Bazylczyk wrote:
 I am using the ODBC backend on Windows with an MS Access database file.
 Master domains work very well with AXFR, but when I input any slave
 domain in the domains table, every time there is an error and the pdns
 service stops. Can anybody help me? I can't find any idea where the
 problem is. My system is W2000. I have over 500 master domains and can't
 work with slaves now :(

The windows version of PowerDNS is very old and stale. We'd love to ship a
new version, but it is a lot of work. We've asked a few windows users if
they would consider sponsoring a new Windows release, but nobody was
interested.

So I'm afraid we can't really help you with this old version of PowerDNS..

Bert

-- 
http://www.PowerDNS.com  Open source, database driven DNS Software 
http://netherlabs.nl  Open and Closed source services


RE: [Pdns-users] Re: How Do SPF records work in PDNS? ( begionner)

2006-11-19 Thread Michael C. Gates
Make sure your server has a host name. And make sure it is set up correctly.
If your DNS name is mail.gateshosting.com, make sure your server name is
mail, and your suffix is gateshosting.com for a full name of
mail.gateshosting.com. Also just make sure you HAVE a dns record for that
ip, and a rDns record for that ip.
 
Here is a tool I use to check my mail server: www.dnsreport.com - Just check
your domain name, like gateshosting.com and it will actually let you know
if you have any errors in DNS.
 
Also, I see in one of the headers, the ip address is 127.0.0.1. You probably
should have a public ip address. Otherwise some servers will deny your
connection.
 
Hope this helps,
 
Michael C. Gates

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Vernooij
Sent: Sunday, November 19, 2006 3:33 AM
To: pdns-users@mailman.powerdns.com
Subject: Fw: [Pdns-users] Re: How Do SPF records work in PDNS? ( begionner)


Ok. For me it is clear that my problem has to do with reverse DNS, and not
with SPF.
 
Can someone tell me how to setup right configuration for Reverse DNS for the
example i gave? Here is also an emailheader from a mail that is bounced:
 
Received: from dedicated ([127.0.0.1]) by dedicated.domain.com with
Microsoft SMTPSVC(6.0.3790.1830);
  Sat, 18 Nov 2006 09:55:21 +0100
Date: Sat, 18 Nov 2006 09:55:21 +0100
Subject: Order 12564
From: Companyname [EMAIL PROTECTED]
To: Kevin Chin [EMAIL PROTECTED]
MIME-Version: 1.0
X-Mailer: osCommerce Mailer
Content-Type: multipart/alternative;
 boundary==_0546849bb7db32079db89f7fa0271de5
Return-Path: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
X-OriginalArrivalTime: 18 Nov 2006 08:55:21.0578 (UTC)
FILETIME=[4776D4A0:01C70AEF]
 
The message i receive back: 
 
Reporting-MTA: dns;[EMAIL PROTECTED]
Received-From-MTA: dns;dedicated
Arrival-Date: Sat, 18 Nov 2006 09:55:21 +0100
Final-Recipient: rfc822;[EMAIL PROTECTED]
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550 Spam refused:  is a silly name for a mail server
or server has no name.

I also get many messages with other error codes: 
 
Action: failed
Status: 5.4.0  ( most often message ) 
 
Action: failed
Status: 4.4.7

I hope someone can tell me what to do with my DNS settings here, or if it is
not my DNS, please tell me where to look. 
 
Thanks.
 
Richard.
 
 
- Forwarded Message 
From: Alex van den Bogaerdt [EMAIL PROTECTED]
To: pdns-users@mailman.powerdns.com
Sent: Saturday, November 18, 2006 10:40:37 PM
Subject: Re: [Pdns-users] Re: How Do SPF records work in PDNS? ( begionner)


On Sat, Nov 18, 2006 at 12:49:44PM -0700, Michael Loftis wrote:

 Now if you *have* an SPF record (which again is *NOT* a type of DNS record
 at all, it's a TXT record)

Please be aware that there is an official SPF resource record.
http://www.iana.org/assignments/dns-parameters

But do publish TXT records for your SPF rules as well.  The RR is brand
new and isn't used that much yet.  Eventually only the SPF resource record
is going to be used.  This will take time.

Let's not discuss SPF here.  If you want to know why it is the user's
fault and not the SPF record's fault, let's meet on the spf-discuss
mailing list.

Alex





[Pdns-users] Suse Linux and MS SQL

2007-01-04 Thread Michael C. Gates
I have Suse Linux on one box, and MS SQL on another. Is it possible (And how
hard would it be) to install PDNS on the Suse box, and then use MS SQL as
the backend?
 
Thanks,
 
Michael C. Gates
Ph/717.798.8142 Fx/954.252.4193
http://www.gateshosting.com/


RE: [Pdns-users] Suse Linux and MS SQL

2007-01-04 Thread Michael C. Gates
Great, I will try it out. So Suse Linux will work fine for PDNS? The problem
I am having is it is crashing every 15 minutes in windows. I wrote a routine
to restart it every half hour, but it is getting out of hand now. It was
only crashing 3 to 4 times a day, but now it is all the time. It is becoming
a problem, and I definitely do not want to go back to MS DNS.
 
Thanks,
 
Michael C. Gates

-Original Message-
From: Marius Parescius [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 04, 2007 11:06 AM
To: Michael C. Gates
Subject: Re: [Pdns-users] Suse Linux and MS SQL



Hello Michael,

Thursday, January 4, 2007, 5:49:28 PM, you wrote:

 I have Suse Linux on one box, and MS SQL on another. Is it possible (And how
 hard would it be) to install PDNS on the Suse box, and then use MS SQL as
 the backend?

Some time ago we used sybase client drivers to access mssql db and it works.

Best regards,
 Marius Parescius  mailto:[EMAIL PROTECTED]
 Elektronine prekyba
 Paneriu 51,
 Vilnius, Lithuania
 mob: +370 686 77781
 tel: +370 5 2104330
 fax: +370 5 2104329


RE: [Pdns-users] Suse Linux and MS SQL

2007-01-04 Thread Michael C. Gates
I guess there is no type of ODBC driver for Suse Linux? That would be fine
for me. I just can't deal with the windows problems anymore. Obviously, I am
not a Unix/Linux pro...

Best regards,

Michael C. Gates

-Original Message-
From: bert hubert [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 04, 2007 12:54 PM
To: Michael C. Gates
Cc: pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] Suse Linux and MS SQL


On Thu, Jan 04, 2007 at 11:13:50AM -0500, Michael C. Gates wrote:
 Great, I will try it out. So Suse Linux will work fine for PDNS? The 
 problem I am having is it is crashing every 15 minutes in windows. I 
 wrote a routine to restart it every half hour, but it is getting out 
 of hand now. It was

I don't think SQL Server support under Unix/Linux is actually working out of
the box.

It did work in the past but we never released the code, and it has since
become outdated.

It looks like it would take a few days to revive the UNIX based SQL Server
support, but we are very sure it will work great as we've done work with SQL
server from linux before.

Sadly, we don't get a lot of requests for SQL Server based PowerDNS, so it
is not very high on our agenda.

(btw, the windows version has an easier time as it accesses sqlserver
through the generic ODBC backend, but the windows version has other
problems).

Bert

-- 
http://www.PowerDNS.com  Open source, database driven DNS Software 
http://netherlabs.nl  Open and Closed source services



RE: [Pdns-users] Suse Linux and MS SQL

2007-01-04 Thread Michael C. Gates
Well, it would depend on how much it costs, and also compared to sponsoring
a windows version upgrade.

Either one would work. Of course, Suse Linux is a lot cheaper, but I am more
familiar with windows, and already have 20+ windows servers running...

Let me know, I may be interested,

Best regards,

Michael C. Gates

-Original Message-
From: bert hubert [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 04, 2007 1:13 PM
To: Michael C. Gates
Subject: Re: [Pdns-users] Suse Linux and MS SQL


On Thu, Jan 04, 2007 at 01:05:08PM -0500, Michael C. Gates wrote:
 I guess there is no type of ODBC driver for Suse Linux? That would be 
 fine for me. I just can't deal with the windows problems anymore. 
 Obviously, I am not a Unix/Linux pro...

There is a commercial ODBC driver for Unix, but we don't really like it. It
comes with aggressive salespeople.

What we could do is expedite the development of the SQL Server backend, if
you would sponsor this development. Sponsorship allows us to dedicate a
developer to implementing a desired feature, because we can in good
conscience use a developer that is doing billable work. For purely open
source work we always have to justify this.

We like to do public sponsorship, which means you get credited prominently
in the release notes as the sponsor of SQL Server/Sybase support.

In the past, Register.com has been a notable sponsor, they enabled us to add
Oracle support.

Let us know if this would work for you. We also offer free support to go
with the sponsored feature for 6 months, so you can be sure it really works.

Bert


 
-- 
http://www.PowerDNS.com  Open source, database driven DNS Software 
http://netherlabs.nl  Open and Closed source services



RE: [Pdns-users] Suse Linux and MS SQL

2007-01-04 Thread Michael C. Gates
Great, I will power up the server later this week... Oh shoot, it already is
later! I guess I am behind... Well, I will set it up in the next couple of
days, and see where I get.

Thanks for all your help,

Michael C. Gates

-Original Message-
From: Norbert Sendetzky [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 04, 2007 4:52 PM
To: pdns-users@mailman.powerdns.com
Cc: Michael C. Gates
Subject: Re: [Pdns-users] Suse Linux and MS SQL


Hi Michael

 I have Suse Linux on one box, and MS SQL on another. Is it possible 
 (And how hard would it be) to install PDNS on the Suse box, and then 
 use MS SQL as the backend?

You can use the PDNS OpenDBX backend and FreeTDS to connect to your MS SQL 
server. This setup worked very well for another member of this list.

The servers officially supported by the OpenDBX backend are:
- MySQL
- PostgreSQL
- SQLite 2 and 3
- MS SQL Server

Supported but not extensively tested yet:
- Oracle 8i to 10g
- Sybase ASE
- Firebird 2


Norbert
-- 
OpenPGP public key http://www.linuxnetworks.de/norbert.pubkey.asc




RE: [Pdns-users] Supported databases of the OpenDBX backend

2007-01-26 Thread Michael C. Gates
Is this a new version of PDNS, or a program used to connect Linux to
different DB's? Will this combination work with Suse Linux and MS SQL?

Best regards,

Michael C. Gates

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Norbert Sendetzky
Sent: Friday, January 26, 2007 12:00 PM
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] Supported databases of the OpenDBX backend


Hi all

After having released the next stable series of OpenDBX (1.2.x), I would like
to give you an update about the supported and tested databases in combination
with the OpenDBX backend.

These databases are tested and officially supported:
- MySQL
- PostgreSQL
- SQLite 2 and 3
- MS SQL Server
- Sybase ASE
- Oracle

The new Firebird 2.0 database wasn't tested up to now but should also work.

Speed tests done a while ago have shown that the OpenDBX backend not only 
offers more high-end features than the other backends shipped with PowerDNS 
but also higher performance. This is at least true for the gmysql backend 
I've used for comparison as it is probably the backend used most often in 
installations.

Links:
http://wiki.linuxnetworks.de/index.php/OpenDBX
http://wiki.linuxnetworks.de/index.php/PowerDNS_OpenDBX_Backend
http://wiki.linuxnetworks.de/index.php/PowerDNS_OpenDBX_Backend_-_Comparison

Feel free to test PowerDNS with your favorite database now :-)


Norbert
-- 
OpenPGP public key http://www.linuxnetworks.de/norbert.pubkey.asc




[Pdns-users] RRSet

2018-04-23 Thread Michael Van Der Beek
Hi All,

I have a question.
In PDNS Server, there is an option, no-shuffle, which if turned on makes names
with multiple records always return them in order.
For example.
A.test.com  A 192.168.1.1
A.test.com  A 192.168.1.2

If queried for A.test.com it returns in order of records as stored in the DB ( 
I am using mysql).

Now, my question: is it possible to do this on a specific URL basis vs. globally?

In named, there is a rrset-order(A.test.com) in which only A.test.com returns 
in order and the rest of the records return in random order.

How can I achieve something similar to this with pdns-server?

Thanks for your time.

I've researched the mailing list way back, 8+ years ago. There was a discussion
on this, but the links to the solution no longer exist.
Can anyone tell me if there is a new solution?

Regards,

Michael


[Pdns-users] Question about PDNS SOA presentation.

2019-03-05 Thread Michael Van Der Beek
Hi All,

I'm a bit confused about my SOA record.
When I query it.
dig @server1.cyber-mage.com SOA cyber-mage.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> @server1.cyber-mage.com SOA cyber-mage.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5232
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;cyber-mage.com.                IN      SOA

;; ANSWER SECTION:
cyber-mage.com.         86400   IN      SOA     ns1.linode.com. hostmaster.cyber-mage.com. 2019033066 28800 7200 1209600 86400

;; Query time: 219 msec
;; SERVER: 72.14.187.43#53(72.14.187.43)
;; WHEN: Wed Mar 06 14:49:45 +08 2019
;; MSG SIZE  rcvd: 101

But my mysql records are:
MariaDB [powerdns]> select * from records where type="SOA";
+----+-----------+------------------------+------+------------------------------------------------------------------------------+-------+------+-------------+----------+----------------------------------+------+
| id | domain_id | name                   | type | content                                                                      | ttl   | prio | change_date | disabled | ordername                        | auth |
+----+-----------+------------------------+------+------------------------------------------------------------------------------+-------+------+-------------+----------+----------------------------------+------+
|  1 |         1 | cyber-mage.com         | SOA  | ns1.linode.com hostmaster.cyber-mage.com 2019030501 28800 7200 1209600 86400 | 86400 |    0 |        NULL |        0 | rvms80ecrvpfkr7n6a3ksp4tc5f2g9bk |    1 |
| 23 |         2 | 187.14.72.in-addr.arpa | SOA  | ns1.linode.com hostmaster.cyber-mage.com 2019022501 28800 7200 1209600 86400 | 86400 |    0 |        NULL |        0 |                                  |    1 |
+----+-----------+------------------------+------+------------------------------------------------------------------------------+-------+------+-------------+----------+----------------------------------+------+

And
MariaDB [powerdns]> select * from domains;
+----+------------------------+--------+------------+--------+-----------------+---------+
| id | name                   | master | last_check | type   | notified_serial | account |
+----+------------------------+--------+------------+--------+-----------------+---------+
|  1 | cyber-mage.com         | NULL   |       NULL | MASTER |      2019030501 | NULL    |
|  2 | 187.14.72.in-addr.arpa | NULL   |       NULL | MASTER |      2019022501 | NULL    |
+----+------------------------+--------+------------+--------+-----------------+---------+

How come the values are different? What am I doing wrong?


Regards,

Michael


[Pdns-users] Question about PDNS SOA presentation.

2019-03-05 Thread Michael Van Der Beek
Forgot to mention I am running.

rpm -qa | grep pdns
pdns-4.0.6-1pdns.el7.x86_64
dnsdist-1.1.0-1pdns.el7.x86_64
pdns-recursor-4.0.9-1pdns.el7.x86_64
pdns-backend-mysql-4.0.6-1pdns.el7.x86_64

And
MariaDB-server-10.1.38-1.el7.centos.x86_64



[Pdns-users] MariaDB-server-10.1.38-1.el7.centos.x86_64

2019-03-05 Thread Michael Van Der Beek
Oops, wrong thread.



[Pdns-users] PDNS recursor dnssec settings

2019-03-05 Thread Michael Van Der Beek
Forgot to mention I am running.

rpm -qa | grep pdns
pdns-4.0.6-1pdns.el7.x86_64
dnsdist-1.1.0-1pdns.el7.x86_64
pdns-recursor-4.0.9-1pdns.el7.x86_64
pdns-backend-mysql-4.0.6-1pdns.el7.x86_64

And
MariaDB-server-10.1.38-1.el7.centos.x86_64


Thanks

Regards,

Michael


[Pdns-users] Question about PDNS SOA presentation.

2019-03-05 Thread Michael Van Der Beek
Oops, wrong thread.



[Pdns-users] Question about PDNS SOA presentation.

2019-03-06 Thread Michael Van Der Beek
Hi Frank,

Currently not using dnsdist; I just installed it in case I want to try special
splitting of traffic.

Currently:
Pdns Auth (72.14.187.43:53) -> Recursor (127.0.0.1:53)

Yes, I know, I know, eventually I need to change the config so that Auth is
standalone and does not forward recursion traffic to the recursor. Traffic is
not high, so it is not really urgent at the moment.

So currently querying my server is direct to PdnsAuth not going through the 
recursor (which is for recursion traffic).

Eventually, when traffic goes high, will use dnsdist to load balance multiple 
Auths and recursors.
That is why I installed dnsdist as an eventual progression.

Regards,

Michael


[Pdns-users] Question about PDNS SOA presentation.

2019-03-07 Thread Michael Van Der Beek
Hi Frank,

After removing the recursor option in pdns.conf

 dig @72.14.187.43 cyber-mage.com SOA

; <<>> DiG 9.2.4 <<>> @72.14.187.43 cyber-mage.com SOA
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22124
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cyber-mage.com.                IN      SOA

;; ANSWER SECTION:
cyber-mage.com.         86400   IN      SOA     ns1.linode.com. hostmaster.cyber-mage.com. 2019033067 28800 7200 1209600 86400

;; Query time: 200 msec
;; SERVER: 72.14.187.43#53(72.14.187.43)
;; WHEN: Thu Mar  7 16:16:19 2019
;; MSG SIZE  rcvd: 90


It's still wrong.
I read in this mailing list that somebody complained that the pdnsutils
increase-SOA-record command also results in random last 4 digits instead of
increasing them sequentially. But nobody replied to him. His version was 4.1.x.
I presume that in his case the first setup was correct. Maybe it was partially
fixed from 4.0.6 to 4.1.x.


Regards,

Michael


[Pdns-users] Question about PDNS SOA presentation.

2019-03-07 Thread Michael Van Der Beek
Hi Peter,

That's interesting. My pdns.conf did not have a default-soa-edit line.
I also didn't know about that option. I don't have any domain-specific SOA
meta configs in the MySQL database.

Looking into the database I found.

MariaDB [powerdns]> select * from domainmetadata;
+----+-----------+------------+-----------------+
| id | domain_id | kind       | CONTENT         |
+----+-----------+------------+-----------------+
|  1 |         1 | NSEC3PARAM | 1 0 1 ab        |
|  2 |         1 | SOA-EDIT   | INCREMENT-WEEKS |
+----+-----------+------------+-----------------+
2 rows in set (0.00 sec)

I didn't set up those fields; perhaps it happened when I signed the domain. No
matter. Setting the SOA-EDIT to "" I get back the correct values.

Thanks Peter!
Been scratching my head about this for a while.

Regards,

Michael




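
An added example (not code from PowerDNS or from the thread) that reproduces what Michael saw: with SOA-EDIT set to INCREMENT-WEEKS, the serial the server presents is the stored serial plus the number of whole weeks since the Unix epoch, modelled on the documented meaning of that kind. The stored row is the one from the post above, and the two query times are the dig timestamps from the thread converted to UTC. The EPOCH kind is modelled the same way from its documented meaning; other SOA-EDIT kinds are not modelled here.

```python
from datetime import datetime, timezone

SECONDS_PER_WEEK = 7 * 86400
SERIAL_MOD = 1 << 32  # DNS serials are unsigned 32-bit (RFC 1982)

# The SOA content column from the thread (cyber-mage.com, domain_id 1).
STORED_SOA = "ns1.linode.com hostmaster.cyber-mage.com 2019030501 28800 7200 1209600 86400"

# The two dig timestamps from the thread, converted from +08 to UTC.
QUERY_TIMES = [
    datetime(2019, 3, 6, 6, 49, 45, tzinfo=timezone.utc),   # "Wed Mar 06 14:49:45 +08 2019"
    datetime(2019, 3, 7, 8, 16, 19, tzinfo=timezone.utc),   # "Thu Mar  7 16:16:19 2019" (+08)
]


def parse_soa_content(content):
    """Split the PowerDNS SOA 'content' column into its seven fields."""
    mname, rname, serial, refresh, retry, expire, minimum = content.split()
    return {"mname": mname, "rname": rname, "serial": int(serial),
            "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}


def served_serial(stored_serial, soa_edit, now):
    """Serial presented for a zone under the given SOA-EDIT kind at time 'now'
    (a timezone-aware datetime). Models INCREMENT-WEEKS and EPOCH as documented;
    empty/NONE means the stored serial is served unchanged."""
    epoch_seconds = int(now.timestamp())
    kind = (soa_edit or "").upper()
    if kind in ("", "NONE"):
        return stored_serial
    if kind == "INCREMENT-WEEKS":
        return (stored_serial + epoch_seconds // SECONDS_PER_WEEK) % SERIAL_MOD
    if kind == "EPOCH":
        return epoch_seconds % SERIAL_MOD
    raise ValueError("SOA-EDIT kind not modelled here: %r" % soa_edit)


def serial_is_newer(candidate, current):
    """RFC 1982 comparison: True if candidate is 'greater than' current in
    32-bit wrap-around serial arithmetic, i.e. a secondary would transfer."""
    diff = (candidate - current) % SERIAL_MOD
    return 0 < diff < (1 << 31)


if __name__ == "__main__":
    soa = parse_soa_content(STORED_SOA)
    for when in QUERY_TIMES:
        print(when.isoformat(), "stored", soa["serial"],
              "served", served_serial(soa["serial"], "INCREMENT-WEEKS", when))
    last_served = served_serial(soa["serial"], "INCREMENT-WEEKS", QUERY_TIMES[-1])
    print("after clearing SOA-EDIT, secondaries see an update:",
          serial_is_newer(served_serial(soa["serial"], "", QUERY_TIMES[-1]), last_served))
```

Clearing SOA-EDIT, as done above, makes the served serial fall from 2019033067 back to 2019030501. serial_is_newer shows the consequence: a secondary that already holds the higher serial will not transfer again until the stored serial climbs past the last served value, so after removing INCREMENT-WEEKS the stored serial has to be bumped above 2019033067 before secondaries pick up further changes.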


[Pdns-users] Re: pdns-recursor 4.0.0alpha1 crashes at startup

2016-01-30 Thread Bit World Computing - Michael Mertel
Hello Pieter,

thanks for the clarification, the master branch fixed the problem indeed, but 
it crashes very often. 

For some odd reason I’m not able to do a wget from
http://download.powerdns.com: it complains about not being able to resolve the
name, but a 'host download.powerdns.com' returns successfully. I changed my DNS
from the local recursor to 8.8.8.8 in /etc/resolv.conf and the problem with wget
went away.

Meanwhile I returned to 3.7.3, but I will give it another shot later because of 
the DNSSEC functionality.

—Michael




Re: [Pdns-users] pdns-recursor 0.0.759g02abb90-1 (4.0 master) vs. getent?

2016-03-09 Thread Bit World Computing - Michael Mertel
Hi Pieter,

dnssec=off did the trick indeed. Hope you can fix this, because dnssec was the 
reason I went to 4.x in the first place :)

If I can be of any help here, just let me know.

Best regards.
 
> Am 09.03.2016 um 10:05 schrieb Pieter Lexis <pieter.le...@powerdns.com>:
> 
> Hi Michael,
> 
> Please keep replies on the mailinglist (mails reproduced below).
> 
> Judging by your log and some of my testing, I think you uncovered a bug in 
> the DNSSEC implementation. Could you try this with `dnssec=off` in the 
> recursor.conf?
> 
> Best regards,
> 
> Pieter
> 
> On Wed, 9 Mar 2016 07:46:49 +0100
> Bit World Computing - Michael Mertel <michael.mer...@bwc.de> wrote:
> 
>> Hello Pieter,
>> 
>> thanks for helping me out on this.
>> 
>>> Am 08.03.2016 um 18:57 schrieb Pieter Lexis <pieter.le...@powerdns.com>:
>>> 
>>> Hello Michael,
>>> 
>>> On Tue, 8 Mar 2016 16:32:26 +0100
>>> Bit World Computing - Michael Mertel <michael.mer...@bwc.de> wrote:
>>> 
>>>> I was wondering why an apt-get update cannot resolve repo.powerdns.com, 
>>>> but a ping is able to do so. This only happens if /etc/resolv.conf points 
>>>> to my recursor. If I use 8.8.8.8 as nameserver everything works as 
>>>> expected.
>>>> 
>>>> This is somewhat strange, because 8.8.8.8 is the forwarding dns for my 
>>>> local recursor.
>>> 
>>> Do you use the `forward-zones-recurse`[1] or the `forward-zones`[2] option? 
>>> When forwarding to google (8.8.8.8), the `forward-zone-recurse` option is 
>>> needed (i.e. `forward-zones-recurse=.=8.8.8.8` in your recursor.conf). This 
>>> will set the Recursion Desired-bit on the query sent out. Google sends 
>>> SERVFAIL to clients without the RD-bit set.
>>> 
>> I currently use this forward statements in my recursor.conf:
>> 
>> forward-zones-file=/etc/powerdns/forward-zones
>> forward-zones-recurse=.=8.8.8.8
>> 
>> The forward-zones file points to some internal nameservers, all 8.8.8.8 
>> related is done through forward-zones-recurse.
>> 
>> 
>>> If this is the case and you still have these issues, could you enable the 
>>> `trace`[3] option and query your local resolver for repo.powerdns.com and 
>>> email the traces?
>>> 
>> I attached the trace log, hope it includes everything you need. I tried to 
>> keep the noise as low as possible, but some other systems queried the 
>> recursor as well.
>> 
>>>> Maybe it’s how the apt-get tries to resolve the name? The only thing I 
>>>> found was, that getent is not returning the correct results.
>>> 
>>> apt, ping and getent all seem to use the getaddrinfo(3) call.
>>> 
>> I was 100% sure that a ping worked, but it does not work now; 
>> repo.powerdns.com is not resolving anywhere. repo1.powerdns.com is a 
>> different story:
>> 
>> root@dns-1:/var/log# ping repo.powerdns.com
>> ping: unknown host repo.powerdns.com
>> root@dns-1:/var/log# getent hosts repo1.poerdns.com
>> root@dns-1:/var/log# ping repo1.powerdns.com
>> PING repo1.powerdns.com (188.166.116.224) 56(84) bytes of data.
>> 64 bytes from repo1.powerdns.com (188.166.116.224): icmp_seq=1 ttl=58 
>> time=42.9 ms
>> 64 bytes from repo1.powerdns.com (188.166.116.224): icmp_seq=2 ttl=58 
>> time=42.9 ms
> 
> 
> On Wed, 9 Mar 2016 08:28:05 +0100
> Bit World Computing - Michael Mertel <michael.mer...@bwc.de> wrote:
> 
>> Hi Pieter,
>> 
>> sorry I overlooked a typo.
>> 
>> root@dns-1:/var/log# getent  hosts repo.powerdns.com
>> 2a03:b0c0:2:d0::4a4:6001 repo1.powerdns.com repo.powerdns.com
>> root@dns-1:/var/log# getent  hosts repo1.powerdns.com
>> 2a03:b0c0:2:d0::4a4:6001 repo1.powerdns.com
>> 
>> Does this mean my recursor is preferring ipv6 over ipv4? I don’t use ipv6 at 
>> all.
>> 
>> 
> -- 
> Pieter Lexis
> PowerDNS.COM BV -- https://www.powerdns.com



--
IT security solutions from DELL SonicWALL and Sophos, from your certified
partner Bit World Computing.

Michael Mertel
Inhaber / company owner

Bit World Computing e.K.
Wredestraße 18
97082 Wuerzburg
Deutschland / Germany

Fon: +49 (0)931 45335-0
Fax: +49 (0)931 45335-99

E-Mail: michael.mer...@bwc.de
GoogleTalk / Skype: bwc.michael
Web: http://www.bwc.de

Amtsgericht Wuerzburg HRA 4937, Ust-ID DE155288065
Geschäftsführer / company owner: Michael Mertel

BWC ... one bit ahead ... since 1993



Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

2016-05-20 Thread Bit World Computing - Michael Mertel
Hi Leen,

thanks for clearing this up. My approach was a bit too naive, but my recursor is 
now returning what's expected.

The +dnssec parameter is the essential trick, and depending on dnssec=off or 
=process in my recursor.conf the recursor is returning the correct information.

Thanks for your feedback.

—Michael


> Am 19.05.2016 um 17:36 schrieb Leen Besselink <l...@consolejunkie.net>:
> 
> On Thu, May 19, 2016 at 03:00:12PM +0200, Bit World Computing - Michael 
> Mertel wrote:
>> Hi,
>> 
> 
> Hi,
> 
>> I’m currently trying to get a better understanding of DNSSEC. But even if I 
>> enable dnssec=process in my recursor.conf, I cannot get any DNSSEC-related 
>> answer from it. What am I doing wrong here? I’m somewhat lost.
>> 
>> —
>> --- direct query ---
>> dig @ns1.denic.de ANY www.denic.de
>> ;; ANSWER SECTION:
>> www.denic.de.     3600  IN  A      81.91.170.12
>> www.denic.de.     3600  IN  RRSIG  A 8 3 3600 2016060209 2016051909 26155 denic.de.
>>                                    rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG
>>                                    lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO
>>                                    ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG
>>                                    AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp
>>                                    ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS
>> 
>> ;; AUTHORITY SECTION:
>> denic.de.         3600  IN  NS     ns2.denic.de.
>> denic.de.         3600  IN  NS     ns3.denic.de.
>> denic.de.         3600  IN  NS     ns1.denic.de.
>> 
>> ;; ADDITIONAL SECTION:
>> ns1.denic.de.     3600  IN  A      81.91.170.1
>> ns1.denic.de.     3600  IN  AAAA   2a02:568:121:6:2::2
>> ns2.denic.de.     3600  IN  A      78.104.145.26
>> ns3.denic.de.     3600  IN  A      81.91.173.19
> 
> 
> DENIC can return whatever they want with an ANY-query, but that doesn't mean 
> it's DNSSEC.
> 
>> 
>> —
>> — query through dnsdist —
>> dig @192.168.1.5 ANY www.denic.de
>> 
>> ;; ANSWER SECTION:
>> www.denic.de.     2083  IN  A      81.91.170.12
>> www.denic.de.     2083  IN  RRSIG  A 8 3 3600 2016060109 2016051809 26155 denic.de.
>>                                    CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2
>>                                    oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8
>>                                    n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm
>>                                    YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z
>>                                    RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa
>> 
>> —
>> — query through recursor (no forwarders, dnssec=process) —
>> dig -p 5153 @192.168.1.5 ANY www.denic.de
>> 
>> ;; ANSWER SECTION:
>> www.denic.de.     2724  IN  A      81.91.170.12
>> 
>> —
>> 
>> Thanks in advance.
>> 
> 
> This would be the usual way to check DNSSEC. Without:
> 
> $ dig @d.ns.nic.cz labs.nic.cz A
> 
> ; <<>> DiG 9.8.1-P1 <<>> @d.ns.nic.cz labs.nic.cz A
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60824
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;labs.nic.cz.   IN  A
> 
> ;; ANSWER SECTION:
> labs.nic.cz.1800IN  A   217.31.205.52
> 
> ;; AUTHORITY SECTION:
> nic.cz. 1800IN  NS  a.ns.nic.cz.
> nic.cz. 1800IN  NS  b.ns.nic.cz.
> nic.cz. 1800IN  NS  d.ns.nic.cz.
> 
> ;; ADDITIONAL SECTION:
> a.ns.nic.cz.    1800    IN  A      194.0.12.1
> a.ns.nic.cz.    1800    IN  AAAA   2001:678:f::1
> b.ns.nic.cz.    1800    IN  A      194.0.13.1
> b.ns.nic.cz.    1800    IN  AAAA   2001:678:10::1
> d.ns.nic.cz.    1800    IN  A      193.29.206.1
> d.ns.nic.cz.    1800    IN  AAAA   2001:678:1::1
> 
> With DNSSEC:
> 
> $ dig +dnssec @d.ns.nic.cz labs.nic.cz A
> 
> ; <<>> DiG 9.8.1-P1 <<>> +dnssec @d.ns.nic.cz labs.nic.cz A
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54051
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 10
> ;; WARNING: recursio

[Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

2016-05-19 Thread Bit World Computing - Michael Mertel
Hi,

I am currently trying to get a better understanding of DNSSEC. But even if I 
enable dnssec=process in my recursor.conf, I cannot get any DNSSEC related 
answer from it. What am I doing wrong here? I am somewhat lost.

—
--- direct query 
dig @ns1.denic.de ANY www.denic.de
;; ANSWER SECTION:
www.denic.de.   3600IN  A   81.91.170.12
www.denic.de.   3600IN  RRSIG   A 8 3 3600 2016060209 
2016051909 26155 denic.de. 
rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG 
lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO 
ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG 
AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp 
ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS

;; AUTHORITY SECTION:
denic.de.   3600IN  NS  ns2.denic.de.
denic.de.   3600IN  NS  ns3.denic.de.
denic.de.   3600IN  NS  ns1.denic.de.

;; ADDITIONAL SECTION:
ns1.denic.de.   3600    IN  A      81.91.170.1
ns1.denic.de.   3600    IN  AAAA   2a02:568:121:6:2::2
ns2.denic.de.   3600    IN  A      78.104.145.26
ns3.denic.de.   3600    IN  A      81.91.173.19

—
— query through dnsdist —
dig @192.168.1.5 ANY www.denic.de

;; ANSWER SECTION:
www.denic.de.   2083IN  A   81.91.170.12
www.denic.de.   2083IN  RRSIG   A 8 3 3600 2016060109 
2016051809 26155 denic.de. 
CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2 
oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8 
n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm 
YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z 
RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa

—
— query through recursor (no forwarders, dnssec=process) —
dig -p 5153 @192.168.1.5 ANY www.denic.de

;; ANSWER SECTION:
www.denic.de.   2724IN  A   81.91.170.12

—

Thanks in advance.

—Michael
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


[Pdns-users] Spoof MX records

2018-12-13 Thread Bit World Computing - Michael Mertel
Hi,

I am looking for the most efficient way to spoof the answer to an MX query. I 
need to redirect outgoing e-mails (specific domains only) to an SMTP gateway for 
further processing before they leave the local network. I cannot use any kind of 
transport tables at the MTA, so my approach was to use DNS for that.

The number of zones to spoof is currently not defined; it could be dozens if not 
hundreds.

I would usually do this kind of stuff with dnsdist (which I love), but would 
the recursor be a better choice here?

Thanks for any advice.

—Michael



Re: [Pdns-users] Spoof MX records

2018-12-15 Thread Bit World Computing - Michael Mertel
Hi Aleksandr,

I am somewhat lost. I am able to set a rule to have the Lua function called for 
MX requests, but how do I return a response? Spoof is just for A records, but 
not for MX.
addLuaAction(QTypeRule(dnsdist.MX), luarule)

Do I have to generate an answer, and if so, how? Is it possible to use 
dq::addAnswer(), which I have found in the recursor documentation? Is this 
valid for dnsdist too?

Best regards.


> On 14.12.2018 at 17:16, Aleksandr Rogozin wrote:
> 
> Hi Michael,
> 
> You should be able to load the file (if the list of zones is large enough and 
> warrants a file) or initialize array of subzones (if there are few zones you 
> want to test) once, when the process starts and loads the Lua script. Loading 
> the file on every request would definitely become a performance issue.
> 
> Best Regards,
> 
> On Fri, Dec 14, 2018 at 10:50 AM Bit World Computing - Michael Mertel wrote:
> Hi Aleksandr,
> 
> Yes, Lua was the way I'm planning to go. But I just wasn't sure whether to use dnsdist or 
> recursor; it probably does not matter in that case.
> 
> Does the file get loaded for every request with io.open, and could this 
> become a performance issue in your opinion? All DNS requests from a fairly 
> heavily used mail gateway would be sent to this resolver.
> 
> I think I’ll give it a try with dnsdist and see what happens.
> 
> Best regards.
> 
> 
> 
>> On 14.12.2018 at 12:55, Aleksandr Rogozin wrote:
>> 
>> Hi Michael,
>> 
>> I recommend using Lua to intercept the DNS queries. Both dnsdist and 
>> recursor should be able to support it. In Lua you can check for query type 
>> to be MX and load a list of domains from a file using ‘io.open’. Provide 
>> necessary DNS response if the query matches your list of zones. 
>> Additionally, you might want to limit this operation to specific networks 
>> with NetMask or NetMaskGroup.
>> 
>> 
>> On Fri, Dec 14, 2018 at 01:53 Bit World Computing - Michael Mertel wrote:
>> Hi,
>> 
>> I am looking for the most efficient way to spoof the answer to an MX query. I 
>> need to redirect outgoing e-mails (specific domains only) to an SMTP gateway 
>> for further processing before they leave the local network. I cannot use any 
>> kind of transport tables at the MTA, so my approach was to use DNS for that.
>> 
>> The number of zones to spoof is currently not defined; it could be dozens if 
>> not hundreds.
>> 
>> I would usually do this kind of stuff with dnsdist (which I love), but would 
>> the recursor be a better choice here?
>> 
>> Thanks for any advice.
>> 
>> —Michael
>> 
> 
> 


—
IT security and infrastructure solutions tailored to your environment


Befine / bintec elmeg / Deepnet Security / DELL / Hewlett Packard / Microsoft
Mikrotik / NAKIVO / SonicWall / SOPHOS / STARFACE / VMware / ZyXEL
as well as the best of the open-source world (NGiNX, PowerDNS, phpIPAM, Postfix, 
ZABBIX, zimbra)


Michael Mertel
Inhaber / company owner


Bit World Computing e.K.
Wredestr. 18
97082 Wuerzburg
Deutschland / Germany

Fon: +49 (0)931 45335-0
Fax: +49 (0)931 45335-99

E-Mail: michael.mer...@bwc.de
Skype: bwc.michael
Web: http://www.bwc.de

Amtsgericht Wuerzburg HRA 4937, Ust-ID DE155288065
Inhaber / company owner: Michael Mertel


BWC ... one bit ahead ... since 1993



Re: [Pdns-users] Spoof MX records

2018-12-15 Thread Bit World Computing - Michael Mertel

> On 15.12.2018 at 09:50, bert hubert wrote:
> 
> On Sat, Dec 15, 2018 at 09:42:21AM +0100, Bit World Computing - Michael 
> Mertel wrote:
>> Hi Aleksandr,
>> 
>> I am somewhat lost. I am able to set a rule to have the Lua function called 
>> for MX requests, but how do I return a response? Spoof is just for 
>> A records, but not for MX.
>> addLuaAction(QTypeRule(dnsdist.MX), luarule)
> 
> Hi Michael,
> 
> As far as I know, dnsdist can't generate MX records, so you'll have to do
> this in the PowerDNS Recursor. Sorry!
> 
> In the Recursor it is not very hard to do though, use postResolve to
> override all MX records you see in responses.
> 
> This makes sure you don't invent MX records for domains that don't have
> them.
> 
> Also be aware that if there is no MX record for a domain, a mail server
> might decide to send email directly to the A record.
> 
> Good luck!
> 
>   Bert

Thanks Bert you saved my day, will switch over to recursor.

—Michael
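Bert's approach, written out as an added example (not code from the thread or from the PowerDNS project): a Recursor Lua hook that rewrites only MX records already present in a resolved answer, so a domain without MX records still gets none. It also follows Aleksandr's note by building the domain list once at script load rather than per query. The hook is spelled `postresolve` in the recursor; the domain list and the gateway host name are placeholders.

```lua
-- Added example for the PowerDNS Recursor Lua scripting API; not part of
-- the thread. Domain list and gateway name below are placeholders.

-- Built once when the recursor loads the script (not per query).
-- newDS() does suffix matching, so subdomains are covered as well.
local redirectedDomains = newDS()
redirectedDomains:add({"example.com", "example.net"})  -- placeholder list

-- MX content in presentation form: "<preference> <mail exchanger>".
local gatewayMX = "10 smtp-gateway.internal.example."   -- placeholder host

-- postresolve runs after the recursor has a complete answer, so we can
-- inspect what the zone really publishes before touching it.
function postresolve(dq)
  -- Only MX lookups that resolved without error are candidates.
  if dq.qtype ~= pdns.MX or dq.rcode ~= pdns.NOERROR then
    return false
  end
  if not redirectedDomains:check(dq.qname) then
    return false
  end

  local records = dq:getRecords()
  local changed = false
  for k, rec in pairs(records) do
    -- place 1 = answer section. Rewrite existing MX records only; if the
    -- domain publishes no MX, the answer stays empty and nothing is invented
    -- (Bert's point: a sender may then fall back to the A record).
    if rec.type == pdns.MX and rec.place == 1 then
      rec:changeContent(gatewayMX)
      records[k] = rec
      changed = true
    end
  end

  if changed then
    dq:setRecords(records)
    pdnslog("MX for " .. dq.qname:toString() .. " redirected to gateway",
            pdns.loglevels.Info)
  end
  return changed
end
```

Point the recursor at the file with `lua-dns-script` in recursor.conf; with several MX records in one answer, each one is rewritten to the same gateway, so the resulting set collapses to a single effective exchanger.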

