[Pdns-users] PDNS + MySQL results not un-escaped?
Hello all,

First time poster, long time SysAdmin :-) intending to convert from Bind.

I have just noticed that PDNS with the GMySQL back end does not seem to un-escape result records. Popular MySQL web-based admin programs always escape entered data, and certainly I can't think of any rationale not to. However, when I go and look on my slave server (running Bind) I see that some TXT slave records are escaped, rendering them invalid.

I have searched the MySQL site and I can't find a function to unescape the data within the query, so as far as I can see it isn't just a simple matter of rewriting the queries.

Has someone else found this and if so what did they do about it? Is this an oversight within the module or do I need to fix something?

Thanks,
Michael

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PDNS + MySQL results not un-escaped?
On Wed, 06 Jan 2010 21:56:08 you wrote:

> Hi Michael
>
>> When I enter a DKIM or Domain Keys record, which requires use of ';', the records on the secondary name server have this character escaped with '\', as to be expected. As this character has a special meaning in MySQL I would think the simple answer would be to unescape it prior to returning the RR.
>
> This is a common misunderstanding of web developers that escaping in MySQL is done by adding backslashes. Instead, escaping is done by calling mysql_real_escape(), which prepares the string to be safe when storing it to the database, but when fetching the string again it will be the same as before calling mysql_real_escape(). Therefore, if a web application adds backslashes it corrupts the record and this has to be considered a bug of the web application.

Ok, so is there any downside to adding an unescape to the code and could this be done by the programmers? I didn't write the web based SQL admin... I use the proper MySQL function in my own code, but I am not rewriting the web based admin...
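To make the distinction in the reply concrete, here is an added example (not from the list and not PowerDNS code) that stores a DKIM-style TXT record in a table resembling the gmysql records schema, once as a bound parameter and once after PHP-style addslashes() escaping, then audits and repairs rows whose content kept the backslashes. The record value, the table and the addslashes() imitation are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample: a DKIM-style TXT record as PowerDNS stores it, quotes included.
SAMPLE_TXT = '"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7"'


def addslashes(value):
    """Imitates the PHP addslashes()-style escaping some web admin tools apply before
    an INSERT: a literal backslash is put in front of quotes and backslashes."""
    return re.sub(r"([\\'\"])", r"\\\1", value)


def open_db():
    """In-memory table with the columns of the gmysql 'records' table used here (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER, "
               "name TEXT, type TEXT, content TEXT, ttl INTEGER)")
    return db


def store_record(db, name, rtype, content, pre_escaped=False):
    """Insert one record. With pre_escaped=False the raw value is bound as a parameter:
    the driver handles transport escaping and the stored value equals the input.
    With pre_escaped=True the value is backslash-escaped first AND then bound, which is
    the double-escaping mistake: the backslashes are persisted in the database."""
    value = addslashes(content) if pre_escaped else content
    db.execute("INSERT INTO records (domain_id, name, type, content, ttl) VALUES (1, ?, ?, ?, 3600)",
               (name, rtype, value))
    db.commit()


def fetch_content(db, name, rtype):
    """Return the stored content of one record, exactly as a backend would hand it out."""
    row = db.execute("SELECT content FROM records WHERE name = ? AND type = ?", (name, rtype)).fetchone()
    return row[0] if row else None


PERSISTED_ESCAPE = re.compile(r"\\([\\'\"])")


def find_double_escaped(db):
    """Audit query: TXT rows whose content still carries backslash escapes.
    These are the rows that show up as corrupted TXT records on a secondary."""
    rows = db.execute("SELECT name, content FROM records WHERE type = 'TXT' ORDER BY id")
    return [(name, content) for name, content in rows if PERSISTED_ESCAPE.search(content)]


def repair_double_escaped(db):
    """Strip one layer of backslash escaping from the rows the audit found; returns the count.
    Assumes exactly one layer was added (a record that legitimately contains an escaped
    quote would be altered too, so review the audit list before running this)."""
    fixed = 0
    for name, content in find_double_escaped(db):
        db.execute("UPDATE records SET content = ? WHERE name = ? AND type = 'TXT' AND content = ?",
                   (PERSISTED_ESCAPE.sub(r"\1", content), name, content))
        fixed += 1
    db.commit()
    return fixed


if __name__ == "__main__":
    db = open_db()
    store_record(db, "good._domainkey.example.org", "TXT", SAMPLE_TXT)
    store_record(db, "bad._domainkey.example.org", "TXT", SAMPLE_TXT, pre_escaped=True)
    for name, content in find_double_escaped(db):
        print("double-escaped:", name, content)
    print("repaired", repair_double_escaped(db), "record(s)")
```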
[Pdns-users] Power DNS 2.9.22 compile error while running 'make' command
On Slackware 13.0 while running Make:

I have successfully configured, compiled (and am happily running) this on 2 other Slackware machines - one running 12.0 and the other 13.0, and I really am not sure what the difference between them is. In all instances Boost 1.41 is used and configure is run as follows:

CXXFLAGS=-I/root/boost_1_41_0 \
./configure \
--sysconfdir=/usr/local/etc \
--localstatedir=/var/run \
--with-mysql=/usr/local/mysql \
--with-mysql-lib=/usr/local/lib/mysql \
--with-mysql-includes=/usr/local/include/mysql

On the problematic machine configure runs fine, but when I run Make I get the following error:

if g++ -DHAVE_CONFIG_H -I. -I. -I../../.. -I../.. -pthread -D_GNU_SOURCE -I/root/boost_1_41_0 -Wall -O2 -MT rcpgenerator.o -MD -MP -MF .deps/rcpgenerator.Tpo -c -o rcpgenerator.o `test -f '../../rcpgenerator.cc' || echo './'`../../rcpgenerator.cc; \
then mv -f .deps/rcpgenerator.Tpo .deps/rcpgenerator.Po; else rm -f .deps/rcpgenerator.Tpo; exit 1; fi
../../rcpgenerator.cc: In member function 'void RecordTextReader::xfrTime(uint32_t)':
../../rcpgenerator.cc:75: error: 'sscanf' was not declared in this scope
../../rcpgenerator.cc: In member function 'void RecordTextWriter::xfrTime(const uint32_t)':
../../rcpgenerator.cc:363: error: 'snprintf' was not declared in this scope
../../rcpgenerator.cc: In member function 'void RecordTextWriter::xfrHexBlob(const std::string)':
../../rcpgenerator.cc:415: error: 'snprintf' was not declared in this scope
make[4]: *** [rcpgenerator.o] Error 1
make[4]: Leaving directory `/root/pdns-2.9.22/pdns/backends/bind'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/pdns-2.9.22/pdns/backends'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/pdns-2.9.22/pdns'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/pdns-2.9.22'
make: *** [all] Error 2
Re: [Pdns-users] Power DNS 2.9.22 compile error while running 'make' command
On Thu, 27 May 2010 06:05:58 you wrote:

> On Thu, May 27, 2010 at 12:41:09AM +1200, Michael wrote:
>> On Slackware 13.0 while running Make:
>> I have successfully configured, compiled (and am happily running) this on 2 other Slackware machines - one running 12.0 and the other 13.0, and I really am not sure what the difference between them is.
>
> Michael,
>
> The difference is the gcc version. More recent versions have changed their 'include' hierarchy. Try adding #include <stdio.h> to the list of other includes in the file rcpgenerator.cc. The upcoming pdns 3.0 has these fixes for newer gccs included already.

I have tried this and it's now spitting the following error:

../dnsparser.cc; \
then mv -f .deps/dnsparser.Tpo .deps/dnsparser.Po; else rm -f .deps/dnsparser.Tpo; exit 1; fi
../../dnsparser.cc: In member function 'virtual std::string UnknownRecordContent::getZoneRepresentation() const':
../../dnsparser.cc:46: error: 'snprintf' was not declared in this scope
../../dnsparser.cc: In member function 'virtual void UnknownRecordContent::toPacket(DNSPacketWriter)':
../../dnsparser.cc:67: error: 'sscanf' was not declared in this scope
make[4]: *** [dnsparser.o] Error 1
make[4]: Leaving directory `/root/pdns-2.9.22/pdns/backends/bind'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/pdns-2.9.22/pdns/backends'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/pdns-2.9.22/pdns'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/pdns-2.9.22'
make: *** [all] Error 2
r...@hostname:~/pdns-2.9.22#
[Pdns-users] FIXED - Power DNS 2.9.22 compile error while running 'make' command
On Thu, 27 May 2010 04:59:59 David Hawthorne wrote:

> I ran into this on ubuntu as well, with all the dependencies properly installed tyvm.
>
> ../../rcpgenerator.cc: In member function ‘void RecordTextReader::xfrTime(uint32_t)’:
> ../../rcpgenerator.cc:75: error: ‘sscanf’ was not declared in this scope
> ../../rcpgenerator.cc: In member function ‘void RecordTextWriter::xfrTime(const uint32_t)’:
> ../../rcpgenerator.cc:363: error: ‘snprintf’ was not declared in this scope
> ../../rcpgenerator.cc: In member function ‘void RecordTextWriter::xfrHexBlob(const std::string)’:
> ../../rcpgenerator.cc:415: error: ‘snprintf’ was not declared in this scope
>
> It requires #include <cstdio> to fix.
>
> Same with:
>
> ../../dnsparser.cc: In member function ‘virtual std::string UnknownRecordContent::getZoneRepresentation() const’:
> ../../dnsparser.cc:46: error: ‘snprintf’ was not declared in this scope
> ../../dnsparser.cc: In member function ‘virtual void UnknownRecordContent::toPacket(DNSPacketWriter)’:
> ../../dnsparser.cc:67: error: ‘sscanf’ was not declared in this scope
>
> Just requires #include <cstdio> to fix. I put it in dnsparser.hh.

This information was what I needed - thanks :-)
[Pdns-users] MySQL docs bug?
The following does not work:

CONSTRAINT `records_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `domains` (`id`) ON DELETE CASCADE

http://docs.powerdns.com/generic-mypgsql-backends.html
[Pdns-users] PowerDNS Recursor does not provide correct answer to Postfix
Hi all,

I have been using the pdns_recursor package on my Ubuntu 14.04 for quite some time to resolve host names locally. That worked fine for the entire system. Last week I updated to Ubuntu 16.04. So I have a new Postfix version (3.1.0) as well as a new pdns_recursor version (4.0.0-alpha2). Since this update Postfix does not receive correct answers for a particular query anymore. Concretely, queries for A entries of Office365 mail servers. For example, if Postfix asks for the A entry of nxp-com.mail.protection.outlook.com, pdns_recursor returns to Postfix that there does not exist an A record. However, if I manually do this query with dig, I do get a correct answer. Please see the logs at the end of the mail. Besides the queries of Office365 mail servers, the rest is working fine.

I have no idea how to track down that issue? Is there any setting in pdns_recursor I have to change?

Thanks,
Michael

= Postfix log =
Aug 15 18:21:07 mx0 postfix/qmgr[2715]: 39EF2A40EA2: from=<m...@michi.su>, size=865, nrcpt=1 (queue active)
Aug 15 18:21:08 mx0 postfix/smtp[2907]: warning: no MX host for nxp.com has a valid address record
Aug 15 18:21:08 mx0 postfix/smtp[2907]: 39EF2A40EA2: to=<t...@nxp.com>, relay=none, delay=1492, delays=1492/0.12/0.81/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=nxp-com.mail.protection.outlook.com type=A: Host not found, try again)

= pdns_recursor log after Postfix query =
Aug 15 18:21:07 mx0 pdns_recursor[2512]: 1 [16/1] question for 'nxp.com.|MX' from 127.0.0.1
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 1 [16/2] answer to question 'nxp.com.|MX': 1 answers, 0 additional, took 2 packets, 147.186 ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] question for 'nxp-com.mail.protection.outlook.com.|A' from 127.0.0.1
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] answer to question 'nxp-com.mail.protection.outlook.com.|A': 0 answers, 1 additional, took 9 packets, 595.218 ms, 3 throttled, 0 timeouts, 0 tcp connections, rcode=2

= pdns_log after dig query =
Aug 15 17:52:20 mx0 pdns_recursor[2520]: 2 [53/1] question for 'nxp-com.mail.protection.outlook.com.|A' from 127.0.0.1
Aug 15 17:52:21 mx0 pdns_recursor[2520]: 2 [53/1] answer to question 'nxp-com.mail.protection.outlook.com.|A': 2 answers, 1 additional, took 2 packets, 111.056 ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
Re: [Pdns-users] PowerDNS Recursor does not provide correct answer to Postfix
Hi,

thanks for the answer. Since I can see the query from Postfix in the logs of PDNS_recursor, I assume Postfix is communicating with the recursor correctly. Here is the content of /var/spool/postfix/etc/resolv.conf:

root@mx0:~# cat /var/spool/postfix/etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

Thanks,
Michael

Quoting Leen Besselink <l...@consolejunkie.net>:

> Hi,
>
> Sounds like a strange problem. Just to make sure it's set up correctly. Could you check that Postfix is talking to PowerDNS Recursor? Because Postfix has a separate resolv.conf (which gets updated when starting Postfix): /var/spool/postfix/etc/resolv.conf
>
> On Thu, Aug 18, 2016 at 02:20:25PM +, Michael wrote:
>> [...]
Re: [Pdns-users] PowerDNS Recursor does not provide correct answer to Postfix
Quoting Pieter Lexis <pieter.le...@powerdns.com>:

> Hi Michael,
>
> On Thu, 18 Aug 2016 14:20:25 + Michael <m...@michi.su> wrote:
>> [...]
>
> Postfix might be asking for DNSSEC, which is finicky in the alpha version Ubuntu pulled in. Can you install 4.0.1 from our repositories[1] and try again? 4.0.1 has about 5 months more development time in it.

Thanks a lot! Updating to 4.0.1 solved the problem for me.

Regards,
Michael
Re: [Pdns-users] Re: How Do SPF records work in PDNS? (beginner)
--On November 18, 2006 11:27:26 AM -0800 Richard Vernooij [EMAIL PROTECTED] wrote:

> I thought PRT record is the same? or do I misunderstand. Can you please explain the difference? and what must I do in my case?

I am going to assume you mean PTR record. PTRs really only occur in .in-addr.arpa zones. They are for reverse DNS, which is not SPF. Many sites do require *VALID* reverse DNS nowadays though, which is very different from SPF (which I'll get to in a moment). A *VALID* rDNS consists of a PTR in your provider's .in-addr.arpa zone, as well as a matching A record that it points to (PTR means PoinTeR).

SPF is simply a specially formatted TXT record associated with the sending domain which states which A, MX, or IPs can send mail on behalf of that domain. If you've got people denying mail because of no SPF record, well, you don't want to send mail to them anyway. SPF is seriously broken in the face of *many* everyday applications, including mailing lists and remote dialup users. Now if you *have* an SPF record (which again is *NOT* a type of DNS record at all, it's a TXT record) and that SPF record is *wrong* I can see some net.kooks denying mail based on that.

> In my case several people do not get any mail, because their spamfilter blocks mail from our domains on our servers, due to Reverse or SPF settings. This is all I can understand, from the error messages. In my Power admin is no such thing as a SPF TYPE. only PRT / TXT etc.. I hope it is clear enough for you guys? Please let me know.
>
> thanks, Richard.
>
> Richard Vernooij wrote:
>>> I seem to have a problem that many messages from a webserver, or emailserver do not arrive on certain places. Now I found that it could be the reason, that I do not have SPF records for reverse DNS.
>>
>> SPF has _nothing_ to do with reverse DNS.
>>
>>> Now when I check http://www.dnsreport.com/tools/dnsreport.ch?domain=domainname.com (after a day with the real domain) I still have a warning about not having a spf record.
>>
>> Well, then your domain does not have an SPF record. Did you add a record of type SPF to your domain's zone?

--
Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
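Since the thread turns on SPF being a TXT record with a particular syntax, here is a syntax checker, added for illustration (not from the list and not PowerDNS code), that flags the mistakes which get a domain's mail rejected or its policy silently ignored: a missing v=spf1 prefix, no terminal all, +all, bad ip4/ip6 arguments, terms after all, and more than the ten DNS-lookup terms RFC 7208 allows. The sample records are constructed; it checks syntax only and performs no DNS lookups.

```python
import ipaddress
import re

# Term grammar (RFC 7208, simplified): optional qualifier, mechanism name, optional ':' or '/' argument.
MECHANISM = re.compile(r"^([+\-~?])?(all|include|a|mx|ptr|ip4|ip6|exists)(?:[:/](.+))?$", re.I)
MODIFIER = re.compile(r"^(redirect|exp)=(.+)$", re.I)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup; RFC 7208 caps the total at 10


def check_spf(txt):
    """Syntax-check one SPF TXT record string. Returns a list of problems; empty means it looks sane."""
    problems = []
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1 (it is an ordinary TXT record, not a special type)"]
    lookups = 0
    has_all = False
    has_redirect = False
    for term in terms[1:]:
        if has_all:
            # Evaluation stops at the first matching mechanism, and 'all' always matches.
            problems.append("term %r comes after 'all' and is never evaluated" % term)
            continue
        m = MECHANISM.match(term)
        if m:
            qual, name, arg = m.groups()
            name = name.lower()
            qual = qual or "+"
            if name in LOOKUP_TERMS:
                lookups += 1
            if name == "all":
                has_all = True
                if arg:
                    problems.append("'all' takes no argument")
                if qual == "+":
                    problems.append("'+all' authorises every host on the internet to send as this domain")
            elif name in ("include", "exists") and not arg:
                problems.append("%s needs a domain argument" % name)
            elif name in ("ip4", "ip6"):
                try:
                    net = ipaddress.ip_network(arg or "", strict=False)
                    if net.version != int(name[2]):
                        problems.append("%s argument %r is not an IPv%s address" % (name, arg, name[2]))
                except ValueError:
                    problems.append("%s argument %r is not a valid address or CIDR block" % (name, arg))
            elif name == "ptr":
                problems.append("'ptr' is deprecated (slow and unreliable); use ip4/ip6/a/mx instead")
            continue
        mod = MODIFIER.match(term)
        if mod is None:
            problems.append("unknown term %r" % term)
        elif mod.group(1).lower() == "redirect":
            has_redirect = True   # the redirected-to record supplies the terminal 'all'
            lookups += 1
    if not has_all and not has_redirect:
        problems.append("no terminal 'all' (or redirect=): unlisted senders get a neutral result, not a fail")
    if lookups > 10:
        problems.append("%d DNS-lookup terms; receivers stop evaluating after 10 (permerror)" % lookups)
    return problems


if __name__ == "__main__":
    # Constructed sample records, from sane to broken.
    for record in ("v=spf1 mx a ip4:10.1.1.248 -all",
                   "v=spf1 ip4:10.1.1.248",
                   "v=spf1 +all",
                   "v=spf1 ip4:10.1.1.999 -all mx"):
        print(record, "->", check_spf(record) or "ok")
```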
[Pdns-users] PowerDNS Master/Slave
Hi..

I'm trying to set up a PowerDNS server, one acting as master and the other one acting as slave... I'm running debian on both computers.. the problem is that.. when I add a domain in the database on my master (10.1.1.248), then I expect my slave (10.1.1.249) to get a notify about that.. and add it right away.. but nothing happens.. when I make a lookup on the master everything works fine.. but when I ask the slave.. I get no return. I hope that someone can give me some help.. or some hints of what I possibly can do wrong. My configuration, database and log is below:

master config:

allow-axfr-ips=10.1.1.249
config-dir=/etc/powerdns
daemon=yes
disable-axfr=yes
guardian=yes
launch=gmysql
lazy-recursion=yes
local-address=10.1.1.248
local-port=53
master=yes
module-dir=/usr/lib/powerdns
recursor=MY ISP
setgid=pdns
setuid=pdns
socket-dir=/var/run
version-string=powerdns
include=/etc/powerdns/pdns.d

mysql> select * from domains;
+----+----------+-----------+--------+------------+--------+-----------------+---------+---------+---------------------+
| id | fkuserid | name      | master | last_check | type   | notified_serial | account | reverse | cdatetime           |
+----+----------+-----------+--------+------------+--------+-----------------+---------+---------+---------------------+
|  1 |        1 | sarge.lan | NULL   | NULL       | NATIVE | NULL            | NULL    |       0 | 2007-02-09 14:26:33 |
+----+----------+-----------+--------+------------+--------+-----------------+---------+---------+---------------------+

mysql> select * from records where domain_id=3;
+----+-----------+---------------+------+----------------------------------------+-------+------+-------------+---------------------+----------+
| id | domain_id | name          | type | content                                | ttl   | prio | change_date | cdatetime           | editable |
+----+-----------+---------------+------+----------------------------------------+-------+------+-------------+---------------------+----------+
| 11 |         1 | sarge.lan     | SOA  | sarge.lan [EMAIL PROTECTED] 2007020902 | 86400 | NULL | NULL        | 2007-02-09 14:26:33 |        0 |
| 12 |         1 | sarge.lan     | NS   | ns1.example.com                        | 86400 | NULL | NULL        | 2007-02-09 14:26:33 |        0 |
| 13 |         1 | sarge.lan     | NS   | ns2.example.com                        | 86400 | NULL | NULL        | 2007-02-09 14:26:33 |        0 |
| 14 |         1 | sarge.lan     | A    | 10.1.1.248                             | 86400 | NULL | NULL        | 2007-02-09 14:26:33 |        1 |
| 15 |         1 | ns1.sarge.lan | A    | 10.1.1.248                             | 86400 | NULL | NULL        | 2007-02-09 14:26:52 |        1 |
| 16 |         1 | ns2.sarge.lan | A    | 10.1.1.249                             | 86400 | NULL | NULL        | 2007-02-09 14:37:02 |        1 |
+----+-----------+---------------+------+----------------------------------------+-------+------+-------------+---------------------+----------+

and the slave: first the configuration file:

config-dir=/etc/powerdns
daemon=yes
disable-axfr=yes
guardian=yes
launch=gmysql
lazy-recursion=yes
local-address=10.1.1.249
local-port=53
module-dir=/usr/lib/powerdns
recursor=62.199.234.11
setgid=pdns
setuid=pdns
slave=yes
socket-dir=/var/run
version-string=powerdns
include=/etc/powerdns/pdns.d

mysql> select * from supermasters;
+----+------------+------------+---------+---------------------+
| id | ip         | nameserver | account | cdatetime           |
+----+------------+------------+---------+---------------------+
|  1 | 10.1.1.248 | sarge.lan  | NULL    | 2007-02-09 14:20:31 |
+----+------------+------------+---------+---------------------+
1 row in set (0.00 sec)

[EMAIL PROTECTED]:~$ host -a sarge.lan
Trying sarge.lan
Host sarge.lan not found: 3(NXDOMAIN)
Received 102 bytes from 10.1.1.249#53 in 3 ms
[EMAIL PROTECTED]:~$ cat /etc/resolv.conf
nameserver 10.1.1.249
nameserver 10.1.1.248

[EMAIL PROTECTED]:~$ host -a sarge.lan
Trying sarge.lan
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5201
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sarge.lan.                     IN      ANY

;; ANSWER SECTION:
sarge.lan.              86400   IN      SOA     sarge.lan. user.sarge.lan. 2007020902 10800 3600 604800 3600
sarge.lan.              86400   IN      NS      ns2.example.com.
sarge.lan.              86400   IN      NS      ns1.example.com.
sarge.lan.              86400   IN      A       10.1.1.248

Received 140 bytes from 10.1.1.248#53 in 123 ms
[EMAIL PROTECTED]:~$ cat /etc/resolv.conf
nameserver 10.1.1.248
nameserver 10.1.1.249

--
Kind regards, Michael Holm
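A small consistency check over the two configurations and table rows quoted in the post, added here as an example (not PowerDNS code). It flags settings that, in PowerDNS, stop a master from notifying a slave or serving it AXFR (disable-axfr=yes overriding allow-axfr-ips; a zone of type NATIVE, since only MASTER zones are notified; master=yes missing) and, on the slave side, slave=yes missing or no supermasters row for the master's IP. The config excerpts are copied from the post; the checker's wording and the default allow-axfr-ips value it assumes are mine.

```python
import ipaddress

# Settings copied from the two configs quoted in the post (excerpts, not full files).
MASTER_CONF = """
allow-axfr-ips=10.1.1.249
disable-axfr=yes
launch=gmysql
local-address=10.1.1.248
master=yes
"""
SLAVE_CONF = """
disable-axfr=yes
launch=gmysql
local-address=10.1.1.249
slave=yes
"""
MASTER_DOMAINS = [("sarge.lan", "NATIVE")]   # (name, type) rows from the master's domains table
SLAVE_SUPERMASTERS = ["10.1.1.248"]          # ip column of the slave's supermasters table


def parse_pdns_conf(text):
    """Parse key=value lines of a pdns.conf excerpt; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_yes(conf, key, default="no"):
    """PowerDNS boolean settings accept yes/no style values; default mirrors the shipped default."""
    return conf.get(key, default).lower() in ("yes", "true", "on", "1")


def axfr_allowed(conf, client_ip):
    """True if client_ip matches an entry (address or CIDR block) of allow-axfr-ips.
    When the setting is absent PowerDNS only allows loopback (assumed default used here)."""
    entries = conf.get("allow-axfr-ips", "127.0.0.0/8,::1")
    client = ipaddress.ip_address(client_ip)
    for entry in filter(None, (e.strip() for e in entries.split(","))):
        if client in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def check_master(conf, domains, slave_ip):
    """Findings that stop this server from notifying the slave and serving it AXFR."""
    findings = []
    if not is_yes(conf, "master"):
        findings.append("master=yes is not set: no NOTIFY is ever sent")
    if is_yes(conf, "disable-axfr"):
        findings.append("disable-axfr=yes: outgoing AXFR is off regardless of allow-axfr-ips")
    elif not axfr_allowed(conf, slave_ip):
        findings.append("allow-axfr-ips does not include the slave %s" % slave_ip)
    for name, dtype in domains:
        if dtype.upper() != "MASTER":
            findings.append("%s is type %s: only MASTER zones are notified" % (name, dtype))
    return findings


def check_slave(conf, supermaster_ips, master_ip):
    """Findings that stop this server from accepting NOTIFY and provisioning new zones."""
    findings = []
    if not is_yes(conf, "slave"):
        findings.append("slave=yes is not set: NOTIFY is ignored")
    if master_ip not in supermaster_ips:
        findings.append("%s is not in the supermasters table: unknown zones are not auto-created" % master_ip)
    return findings


if __name__ == "__main__":
    for finding in check_master(parse_pdns_conf(MASTER_CONF), MASTER_DOMAINS, "10.1.1.249"):
        print("master:", finding)
    for finding in check_slave(parse_pdns_conf(SLAVE_CONF), SLAVE_SUPERMASTERS, "10.1.1.248"):
        print("slave:", finding)
```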
[Pdns-users] Differing (incorrect) behavior in 2.9.21 for AAAA records versus 2.9.20...
In the presence of a *.domain.com CNAME, 2.9.21, when asked for a more specific A record, responds appropriately with the A record when an A record exists, and NOERROR/no answer for an MX or whatever. However, when asked for an AAAA record, it will respond with the splat/*.domain.com CNAME instead.

An example of this is barracuda.neit.edu: ns1.modwest.com is running 2.9.20, and ns2.modwest.com is running 2.9.21; ns2 responds incorrectly, directing traffic to the wrong place. Any idea when I can see a fix for this behavior?

--
Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
[Pdns-users] SQLite as slave backend
Hi list

I have searched and searched, but haven't been able to find a solution, nor been able to investigate myself. I have PowerDNS running on a master server with MySQL as backend - works like a charm. Now I want to set up a slave server with SQLite backend (no access to MySQL on that server). Everything is configured correctly, but on the slave side I get this error when my master server is sending NOTIFY:

Received NOTIFY for example.com from 123.123.123.123 for which we are not authoritative
gsqlite3: connection to '/etc/pdns/pdns.db' succesful
Backend error: Database error trying to insert new slave 'example.com': Error while retrieving SQLite query results

Any clues? What should I look for?

Thanks in advance

Regards,
Michael
[Pdns-users] installing powerdns - recurse against root servers
Hi,

Now I have been studying the installation for hours.. and still I haven't found a way to make a simple setup.. I would like to install pdns-recursor, and have it recurse up against the root servers.. but, I just cannot find out how to configure this. I have a running power dns service, where I have entered my ISP as recursor.. but they seem rather unreliable.. so I hope someone can help me.. and yes I have read the documentation.. and googled for hours, but.. I just can't make the right config :/

Best regards,
--
Kind regards, Michael Holm
[Pdns-users] Master/Slave replication
I'm a newb, but found PowerDNS and Poweradmin very nice. I'm having a problem with my Master not updating my slave. I'm on Ubuntu 9.04; pdns was installed via apt, pa was installed via tar, latest version available on the site.

Any help would be graciously accepted.

Michael
[Pdns-users] PowerDNS and DNSSEC
Hi all,

I've tested DNS packet size with my pdns-recursor and it seems that I cannot get packet size over 512 bytes.

:~# dig +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
Tested at 2010-01-25 14:29:42 UTC
92.103.108.34 lacks EDNS, defaults to 512
92.103.108.34 DNS reply size limit is at least 490

It seems that the DNSSEC version of pdns is in development, but what is the planning for this release? What is the impact on pdns-recursor with the migration of the G root server with the DNSSEC protocol?

Kind regards
Michael
[Pdns-users] EDNS support + default buffer size
Hi all,

I've just tested the PowerDNS Recursor 3.2 with its out of the box configuration against the tests outlined at https://www.dns-oarc.net/oarc/services/replysizetest

It seems that EDNS is disabled by default, which is confirmed by the comment attached to changeset #1430 (http://wiki.powerdns.com/trac/changeset/1430). Looking at the source it seems in 3.2 an option disable-edns=no was added which turns EDNS support on. A cursory test here shows that adding this to the stock config does cause the dns-oarc reply size test to report a reply size of 1200 vs 512 when EDNS is off.

What is the status of EDNS support? Is it safe to rely on in production environments? What specifically does the "nothing but trouble" comment on the changeset refer to?

Also, the buffer size of 1200 appears to be hard coded. Is there any particular reason for this value? I'm guessing it has to do with avoiding fragmentation, but it'd be nice to know for sure.

Thanks,
--
-Michael Fincham
System Administrator, Unleash
www.unleash.co.nz
Phone: 0800 750 250
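The two EDNS threads above (the Postfix SERVFAIL that went away with 4.0.1, where the reply to Pieter suggested a DNSSEC-requesting query, and the 512-versus-1200-byte reply-size tests) both hinge on what a client puts in the OPT record. The following added example, not from the list and not PowerDNS code, builds a raw DNS query with or without an EDNS0 OPT record, a chosen UDP buffer size and the DO bit, and parses a reply's rcode plus the buffer size and DO flag the server echoes, so a plain query, an EDNS query and a DO-bit query against the same recursor can be compared side by side. The decoded sample reply is constructed inline; query_server() is the only part that needs network access.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_A, TYPE_OPT = 1, 41
DO_BIT = 0x8000   # DNSSEC OK: top bit of the 16-bit flags inside the OPT record's TTL field


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, edns=True, bufsize=1200, do=False):
    """Build one UDP query. edns=False gives a classic query (512-byte reply limit).
    edns=True appends an OPT pseudo-RR advertising `bufsize`; do=True also sets the
    DO bit, i.e. the query asks for DNSSEC records the way a validating stub does."""
    arcount = 1 if edns else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)     # flags: RD only
    packet = header + encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    if edns:
        # OPT RR: root name, type 41, CLASS field = UDP payload size,
        # TTL field = extended rcode (8) | EDNS version (8) | flags (16), empty RDATA
        packet += b"\x00" + struct.pack(">HHIH", TYPE_OPT, bufsize, DO_BIT if do else 0, 0)
    return packet


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two octets end the name
            return off + 2
        off += 1 + length


def parse_reply(data):
    """Summarise a reply: rcode, answer count, and the EDNS buffer size / DO flag the
    server echoed. edns_bufsize is None when no OPT record came back (no EDNS support)."""
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4        # QTYPE + QCLASS
    edns_size, do = None, False
    for count in (an, ns, ar):
        for _ in range(count):
            off = skip_name(data, off)
            rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                edns_size, do = rclass, bool(ttl & DO_BIT)
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": an,
            "edns_bufsize": edns_size, "do": do}


def query_server(server, name, timeout=3.0, **kwargs):
    """Send build_query(name, **kwargs) to `server`:53 over UDP and parse the reply.
    Needs network access, so the offline demonstration below does not call it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, **kwargs), (server, 53))
        return parse_reply(sock.recv(4096))


# Constructed sample reply: SERVFAIL, no answers, an OPT record echoing 1232 bytes with DO set;
# the same rcode=2 / 0 answers / 1 additional shape as the recursor log line quoted above.
SAMPLE_SERVFAIL = (struct.pack(">HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)   # QR RD RA, rcode 2
                   + encode_name("nxp-com.mail.protection.outlook.com")
                   + struct.pack(">HH", TYPE_A, 1)
                   + b"\x00" + struct.pack(">HHIH", TYPE_OPT, 1232, DO_BIT, 0))

if __name__ == "__main__":
    print(parse_reply(SAMPLE_SERVFAIL))
    # On a live box, compare: query_server("127.0.0.1", name, edns=False),
    # query_server("127.0.0.1", name) and query_server("127.0.0.1", name, do=True).
```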
Re: [Pdns-users] Possible tcp listener issue
Hi,

Simon is off at the moment, the details of our installation are: Debian Etch (2.6.24-etchnhalf.1-686-bigmem) and Lenny (2.6.26-2-686-bigmem). We have used the supplied binary version of 3.2 and are seeing the TCP listener fail every few days (but not at regular intervals). If you need any further information please let me know.

Michael

> Now I don't know anything about this issue specifically, but it's customary to provide some extra information when reporting bugs, what OS and OS version are you using for example? Did you download a Linux-distribution binary? What kernel version are you using? Or did you build from an updated BSD-ports. Did you do your own build? If so, what compiler did you use? And so on. Some information would be better than no information. :-)
>
> Just so you know.
>
> Have a nice day,
> Leen.

--
Michael Presson
Network and Systems Lead
Plusnet PLC - Broadband Solutions for Home Business@ www.plus.net
Registered in England no: 3279013
Registered Office: Internet House, 2 Tenter Street, Sheffield, S1 4BY
Plusnet - ISPA Best Consumer ISP 2008
[Pdns-users] PowerDNSSEC
Hi,

I'm currently evaluating the PowerDNSSEC implementation and found 2 issues:

-) Is it possible to disable the signing-on-demand feature? I want the powerdns to act as slave to a hidden master which does the signing of the domain, and the powerdns should just serve the signed zone (without any resigning and without access to the keys).

-) I tried the PostgreSQL backend, but I always received the following error message:

TCP server is unable to launch backends - will try again when questions come in: Undefined but needed argument: 'gpgsql-dnssec'.

What is the format of the missing 'gpgsql-dnssec' parameter I have to add?

Best,
Michael
Re: [Pdns-users] Hidden supermasters
Hi Richard,

On Fri, 2010-08-06 at 15:27 +1000, Richard McLean wrote:
> I have wondered about this. We'd love to implement a hidden supermaster type setup, using AXFR, which auto-updates the 4 main name servers, but is *not* in the list of name servers for a domain and is not publicly available. Is the restriction above able to be worked around or turned off?

I've managed to work around this by adding a config line like:

gsql-supermaster-query=select account from supermasters where ip='%s'

In this setup, only IP addresses need to be listed in the supermasters table and the other checks are bypassed. This might need some careful checks if the database schema / the expected returned field list etc changes at some point in the future.

--
-Michael Fincham
System Administrator, Unleash
www.unleash.co.nz
Re: [Pdns-users] Multiple IPs per host name / round robin
The recursive resolver is what clients talk to locally. AKA a caching resolver, it's not part of your authoritative infrastructure at all. In fact, if you're using your authoritative nameservers as caching resolvers, you should stop. For most people the recursive resolver is provided by their ISP unless they elect to run their own (like I do) or to use an external one (like OpenDNS or Google's DNS). What makes them recursive is that they answer queries that aren't necessarily in their cache or known from zone files by recursing up the tree until it finds an answer it knows (either from root hints or previous cached lookups), then works its way back down the tree to the answer.

On Thu, Feb 24, 2011 at 10:25 AM, PLists jkli...@ifm-services.com wrote:

> Here's your DNS noob question for the day. (I'm not a real sysadmin. I only pretend to be when backed into a corner.)
>
> I've been running PowerDNS (with a MySQL backend) successfully and happily for a couple of years now. It's really basic stuff, one A record per host name. Now I'm in a situation where I need to serve up two possible IP addresses for a certain host name. From my treks through Google, I'm assuming the following:
>
> 1) I simply enter multiple A records into the database, one for each IP.
> 2) PowerDNS does not randomize these. [informational]
> 3) Recursors are supposed to do this. [informational]
>
> So all I need to do, really, is enter in the multiple A records. What I'm confused about is the role of the recursor. Is it already installed as part of PowerDNS? If not, do I need to install the recursor on my name servers? Does it take over port 53? From reading about recursors, the answer is, No, I think. But I'm not completely sure when one would run a recursor.
>
> Thanks for making something so simple and reliable. :)
[Pdns-users] pdns generates records when presigned=1 is set
Hi,

I noticed a strange dnssec behavior with pdns 3.0 (and postgresql backend): I have loaded a zone into the db, the zone is unsigned but the domainmetadata presigned is set to 1. Everything works fine, except if I ask for a non-available record (with dnssec-ok flag set in the query), then I receive 2 additional NSEC records:

Without DNSSEC-OK Query flag:

;; QUESTION SECTION:
;.unsigned.at.                  IN      A

;; AUTHORITY SECTION:
unsigned.at.            3600    IN      SOA     ns2.at43.at. office.enum.at. 2 1200 3600 604800 600

With DNSSEC-OK Query flag:

;; QUESTION SECTION:
;.unsigned.at.                  IN      A

;; AUTHORITY SECTION:
unsigned.at.            3600    IN      SOA     ns2.at43.at. office.enum.at. 2 1200 3600 604800 600
www.unsigned.at.        3600    IN      NSEC    www.unsigned.at. A RRSIG NSEC
unsigned.at.            3600    IN      NSEC    www.unsigned.at. A NS SOA MX RRSIG NSEC DNSKEY

I know this setup (PRESIGNED=1 and an unsigned domain) is an undocumented setup, but I think it will be a good feature if PRESIGNED=1 disables all automatic record generation and pdns serves only the records it has configured in its backend. So it will be possible, if I have a lot of slave zones, which are mixed between DNSSEC signed and non-signed, to configure all zones the same way (like in Bind).

Do you have any comments on this?

Best,
Michael
Re: [Pdns-users] PowerDNS in an ISP environment
On Tue, Aug 16, 2011 at 1:38 AM, Chris Russell chris.russ...@knowledgeit.co.uk wrote: Hi All, Quick question – is anyone on the list using PDNS in an ISP environment, especially for auth services ? Up until a couple years ago I worked as Sr. SA/Ops Manager at Modwest, we used PowerDNS then, and they still do today. Something like 10k or 15k domains at the time, no idea how many today honestly. As with many the draw was a database backend. There wasn't much else out there at the time, and certainly nothing stable like PowerDNS. With 10k+ domains BIND would take a very LONG time to start/restart or even check for updates. There was also the headaches involved in maintaining slave and master zone configs too. Authoritative DNS only. There's a cluster of BIND servers for resolver functionality. The actual NS records point at load balanced clusters of DNS servers. To the outside it looks like there are only a handful of geographically diverse nameservers, in reality there's multiple PowerDNS servers behind each IP. Makes doing upgrades REALLY easy, you just pull one out of the load balancer, upgrade it. Then you can do all the testing you want (one thing I did was to play back DNS queries and observe/systematically check the responses, without letting any actual traffic out) -- if it doesn't work out you can then use whatever process you have to roll that machine back and put it back into the cluster, or, more deeply investigate the failure. This was a situation though where there was a very well proven and trusted load balancer infrastructure in place already so it absolutely made sense to deploy externally facing DNS services behind this same setup. It definitely requires thought to do it that way (chicken-and-egg scenarios come to mind, you can not have your load balancers depend on DNS if you're going to run DNS behind them!!!) but it is reliable when done right. There have definitely been a few pains here and there. 
Some of them were caused by the fact that wildcard records are used. Some of the issues I had were caused by MySQL's sometimes flaky replication; monitoring them was an absolute must, and making sure that they were all in sync and up to date was also absolutely required. The benefits far outweighed the costs at that scale for certain.
[Pdns-users] Additional NSEC3-Record in Response - DNSSEC Validation fails
Hi, I did some more DNSSEC-testing and found another bug: My setup looks like this: Bind acting as Master server, serving a presigned zone. PDNS 3.0 acting as Slave server, PRESIGNED=1 and NSEC3PARAM is set in Domainmetatable. When querying for an undefined record, PDNS adds an additional NSEC3-Record into the response and the validation of the response fails.

Response from Bind:
;; QUESTION SECTION:
;notfound.nsec3test.at. IN A
;; AUTHORITY SECTION:
nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 1200 3600 604800 600
nsec3test.at. 600 IN RRSIG SOA 7 2 600 20110921115504 20110822115504 54530 nsec3test.at. CAljGUcw6e2pHiajLF+T0uCNfBrrtF2ZleDKrPe8gWiBOSmrhGPDGRVQ NUF5CX07AkBvG1pfoe5IKB4sIri0Un9C7MGznKNgc/1xBnmWBFCYzILS 8SkFzyyNalYYpvNnhO7q+MpE6kciv3soZbZJ+fl8Y2xibvvvYswO+vPy 0l4=
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE NS SOA RRSIG DNSKEY NSEC3PARAM
O8IVN054N94M5JUQ5H7G0I882UAHH62U.nsec3test.at. 600 IN RRSIG NSEC3 7 3 600 20110921115504 20110822115504 54530 nsec3test.at. Z5lAmFDBRLYO2J/l2o1CwYfcuuvSixR26B5GIPTDaNvxRdHkVIJEHctQ Hc+4xie3POEed4eZBuYF2mqCCaF0GC5d0D5Y8sJui7Vu3oGxmwWO49vm e0WnNL4WiXWUzd0hOEobK/XJn6ObHLscbR5SmupdIdpA5DaJZ1w1VPQp faw=

The same query against the PDNS:
;; QUESTION SECTION:
;notfound.nsec3test.at. IN A
;; AUTHORITY SECTION:
nsec3test.at. 600 IN SOA ns2.at43.at. mib.nic.at. 3 86400 3600 604800 600
nsec3test.at. 600 IN RRSIG SOA 7 2 600 20110921115504 20110822115504 54530 nsec3test.at. CAljGUcw6e2pHiajLF+T0uCNfBrrtF2ZleDKrPe8gWiBOSmrhGPDGRVQ NUF5CX07AkBvG1pfoe5IKB4sIri0Un9C7MGznKNgc/1xBnmWBFCYzILS 8SkFzyyNalYYpvNnhO7q+MpE6kciv3soZbZJ+fl8Y2xibvvvYswO+vPy 0l4=
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 0 IN NSEC3 1 1 10 - 66R3IIGV513QGD458A2S11T0MH3E6IET NS SOA RRSIG DNSKEY NSEC3PARAM
o8ivn054n94m5juq5h7g0i882uahh62u.nsec3test.at. 600 IN RRSIG NSEC3 7 3 600 20110921115504 20110822115504 54530 nsec3test.at. Z5lAmFDBRLYO2J/l2o1CwYfcuuvSixR26B5GIPTDaNvxRdHkVIJEHctQ Hc+4xie3POEed4eZBuYF2mqCCaF0GC5d0D5Y8sJui7Vu3oGxmwWO49vm e0WnNL4WiXWUzd0hOEobK/XJn6ObHLscbR5SmupdIdpA5DaJZ1w1VPQp faw=
76nqadco30ibl06a9vmdvu7r31l6r3oi.nsec3test.at. 600 IN NSEC3 1 1 10 - NCH5FA1SAKRN1LLO8EKOK28S80L05EQE RRSIG

The last line is the additional NSEC3-Record. Can you please have a look? Thanks in advance and Best, Michael
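Added example (editor's code, not part of the report above and not PowerDNS or BIND code) showing what a validator does with the NSEC3 records in the two responses: hash a name with the zone's NSEC3 parameters (RFC 5155 section 5: SHA-1, 10 iterations, empty salt, which the presentation form writes as "-"), check which record covers a hashed name, and check that a set of NSEC3 records forms a closed chain. The hash constants are copied from the two responses; note that the PDNS record for o8ivn... carries a different "next hashed owner" (66R3...) than the BIND record it was copied from (NCH5...) while keeping the same RRSIG, and the RRSIG covers the RDATA, so that record cannot verify regardless of the extra 76nqad... record. Assumed: Python 3, standard library only.

```python
"""NSEC3 owner-name hashing (RFC 5155 section 5) and the checks a validator
applies to the NSEC3 records of a negative answer. Added example, not
PowerDNS or BIND code; hash strings below are copied from the thread."""
import hashlib

B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"


def base32hex(data: bytes) -> str:
    """RFC 4648 base32 with the extended-hex alphabet and no padding; a
    20-byte SHA-1 digest encodes to exactly 32 characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire form: length-prefixed labels, root last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: str = "-", iterations: int = 10) -> str:
    """H = SHA-1(name || salt), then `iterations` more rounds of SHA-1(H || salt).
    '-' is the presentation form of an empty salt (NSEC3 '1 1 10 -' above)."""
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    h = hashlib.sha1(wire_name(name) + salt_bytes).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt_bytes).digest()
    return base32hex(h)


def covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target lies strictly between owner and next in hash order.
    The last record of the chain wraps to the first (owner > next there);
    a one-record chain (owner == next) covers everything except itself."""
    o, n, t = owner_hash.upper(), next_hash.upper(), target_hash.upper()
    if o == n:
        return t != o
    if o < n:
        return o < t < n
    return t > o or t < n


def chain_is_closed(records) -> bool:
    """records: iterable of (owner_hash, next_hash). A consistent chain
    visits every owner exactly once and returns to where it started."""
    nexts = {o.upper(): n.upper() for o, n in records}
    if not nexts:
        return False
    start = cur = next(iter(nexts))
    seen = set()
    while cur not in seen:
        seen.add(cur)
        cur = nexts.get(cur)
        if cur is None:          # points at a hash nobody owns: broken link
            return False
    return cur == start and len(seen) == len(nexts)


def rdata_differs(chain_a, chain_b) -> list:
    """Owners present in both answers whose 'next hashed owner' differs.
    Such a record cannot verify under an RRSIG copied from the other server,
    because the signature is computed over the RDATA."""
    a = {o.upper(): n.upper() for o, n in chain_a}
    return [o.upper() for o, n in chain_b if o.upper() in a and a[o.upper()] != n.upper()]


# Owner/next pairs taken from the BIND and PDNS responses above
BIND_CHAIN = [("O8IVN054N94M5JUQ5H7G0I882UAHH62U", "NCH5FA1SAKRN1LLO8EKOK28S80L05EQE")]
PDNS_CHAIN = [("o8ivn054n94m5juq5h7g0i882uahh62u", "66R3IIGV513QGD458A2S11T0MH3E6IET"),
              ("76nqadco30ibl06a9vmdvu7r31l6r3oi", "NCH5FA1SAKRN1LLO8EKOK28S80L05EQE")]

if __name__ == "__main__":
    print("hash of nsec3test.at:", nsec3_hash("nsec3test.at"))
    print("hash of notfound.nsec3test.at:", nsec3_hash("notfound.nsec3test.at"))
    print("RDATA mismatch at:", rdata_differs(BIND_CHAIN, PDNS_CHAIN))
```

Run it and compare the printed hashes with the owner names in the two responses to see which record each server claims covers the query name; rdata_differs() points at the copied-but-modified record that will fail signature verification.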
Re: [Pdns-users] Bad cache TTL with pdns-recursor
Hi bert, Thanks for the answer. I've understood the strange ttl response when the answer comes from the packet cache. Now here is a little more strange problem:

;; QUESTION SECTION:
;s4.noelshack.com. IN A
;; ANSWER SECTION:
s4.noelshack.com. 3600 IN CNAME noelshack.com.
noelshack.com. 3600 IN A 91.121.63.175

;; QUESTION SECTION:
;s4.noelshack.com. IN NS
;; ANSWER SECTION:
s4.noelshack.com. 2175 IN CNAME noelshack.com.
noelshack.com. 85974 IN NS ns1.afraid.org.
noelshack.com. 85974 IN NS ns4.afraid.org.
noelshack.com. 85974 IN NS ns2.afraid.org.
noelshack.com. 85974 IN NS ns3.afraid.org.

;; QUESTION SECTION:
;noelshack.com. IN SOA
;; ANSWER SECTION:
noelshack.com. 3535 IN SOA ns1.afraid.org. dnsadmin.afraid.org. 1110170003 86400 7200 2419200 3600

The zone noelshack.com. has moved since more than a week ago to ns-01.odysseeinteractive.com. The correct answer from another pdns_recursor:

;; QUESTION SECTION:
;noelshack.com. IN SOA
;; ANSWER SECTION:
noelshack.com. 86281 IN SOA ns-01.odysseeinteractive.com. noc.odysseeinteractive.com. 2011122801 86400 7200 604800 86400

The ttl on this zone never goes to 0 and moreover after 1 hour (the packet cache duration) is sometimes increased. We have around 100 servers and half are affected by this problem... The only solution I've found is to wipe the cache for this dns entry. There is no reason to do this since 1 week as the TTL on the soa is only 86400... Any ideas? Kind regards Michael

On 12/29/2011 04:20 PM, bert hubert wrote: Hi Michael, The SOA will indeed probably not go to zero because it will have been renewed in that time. PowerDNS Recursor 3.3 and later take care to decrement the TTL when serving contents from the packet cache. So when you don't see it going down in 3.2, that is correct, and maybe a bit strange, but not a bug. Bert

On Thu, Dec 29, 2011 at 10:08:53AM +0100, Michael FROMENT wrote: Hi, I have some strange cached TTL on my pdns-recursor (version 3.2-4 under debian). When I query my recursor the TTL doesn't decrease by 1 second. Moreover the TTL never goes to 0 so the zone never expires in cache. As an example:

root@BBK2NS:~# dig soa google.com @89.2.0.1
;; ANSWER SECTION:
google.com. 569 IN SOA ns1.google.com. dns-admin.google.com. 1472387 7200 1800 1209600 300
;; Query time: 0 msec
;; SERVER: 89.2.0.1#53(89.2.0.1)
;; WHEN: Thu Dec 29 10:02:46 2011
;; MSG SIZE rcvd: 78

root@BBK2NS:~# dig soa google.com @89.2.0.1
;; ANSWER SECTION:
google.com. 40 IN SOA ns1.google.com. dns-admin.google.com. 1472388 7200 1800 1209600 300
;; Query time: 0 msec
;; SERVER: 89.2.0.1#53(89.2.0.1)
;; WHEN: Thu Dec 29 10:02:47 2011
;; MSG SIZE rcvd: 78

root@BBK2NS:~# dig soa google.com @89.2.0.1
;; ANSWER SECTION:
google.com. 562 IN SOA ns1.google.com. dns-admin.google.com. 1472388 7200 1800 1209600 300
;; Query time: 0 msec
;; SERVER: 89.2.0.1#53(89.2.0.1)
;; WHEN: Thu Dec 29 10:04:08 2011
;; MSG SIZE rcvd: 78

Is this a known bug on the recursor? Kind Regards Michael
Re: [Pdns-users] Bad cache TTL with pdns-recursor
Hi David, Thanks for the bug related link and the solution... We will upgrade our recursor asap. Nice to meet you on another mailing list... as you can see we were on the problem. Regards Michael

On 12/29/2011 05:08 PM, GAVARRET, David wrote: On Thu, Dec 29, 2011, Michael FROMENT wrote: Hi bert, Thanks for the answer. I've understood the strange ttl response when the answer comes from the packet cache. Now here is a little more strange problem. The zone noelshack.com. has moved since more than a week ago to ns-01.odysseeinteractive.com. Hello Michael, (I was just reading the frnog related topic ;) ) this is a problem we already encountered here, due to a bug in version 3.2 of the recursor: http://wiki.powerdns.com/trac/changeset/1548 The cache still continues using old NS information concerning the domain (as the old authoritative servers still answer for it), and so the migration of the domain to new authoritative servers is not seen by PowerDNS Recursor. You should consider upgrading your version of the recursor, and if so, going directly to version 3.4-pre, because we also encountered another irritating bug in version 3.3: when an authoritative server wrongly announces itself as authoritative for another domain :) (especially domains hosted on ns20.ovh.net, that answers itself as authoritative for google.com ;) ). Kind regards,
Re: [Pdns-users] Authoritative and recursive on same ip creates an open recursive server
The recursor only ever talks to the authoritative resolver in this scenario, so the authoritative resolver needs further configuration to properly restrict who is being allowed to use it recursively. recursor.conf only affects the recursor itself. You need to set, in pdns.conf, allow-recursion to restrict appropriately. Also, it's usually not a good idea to have your recursors and authoritative nameservers on the same IPs; the authoritative should really just be serving authoritative data and never recursing. This helps prevent accidental (and malicious) cache poisoning of your authoritative nameserver.

On Thu, Mar 29, 2012 at 2:27 PM, Miguel Miranda miguel.miran...@gmail.com wrote: Hello to all, I'm migrating several of my dns servers from bind to powerdns. I was trying the recursor only and it restricted who can use my server to the nets listed in allow-from-file; when I configure the authoritative and recursor using recursor=127.0.0.1, everybody can use my server for recursion. Am I missing something, or is bypassing allow-from-file the normal operation in this scenario? regards

-- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
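Added example (editor's code, not from the thread and not PowerDNS code) of the check to run after setting allow-recursion: send one query with the RD bit set from an address that is not in your allowed list and read the response header flags. A response with RA set and non-authoritative data in it means the server recursed for a stranger. The classifier works on raw bytes and is exercised on constructed header-only packets; probe() sends a real query over UDP and is the part you would run from outside. Assumed: Python 3, standard library only; the query name www.powerdns.com is only a placeholder for any name you are not authoritative for.

```python
"""Decode DNS response header flags and decide whether a server recursed
for an unauthorised client. Added example, not PowerDNS code."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Minimal wire-format query: 12-byte header plus one question, RD set."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def parse_header(pkt: bytes) -> dict:
    """RFC 1035 section 4.1.1 header: ID, flags, QD/AN/NS/AR counts."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(resp: bytes) -> str:
    """What a client outside allow-recursion learns from the answer to an
    RD=1 query for a name the server is not authoritative for."""
    h = parse_header(resp)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == "REFUSED":
        return "refused"            # recursion correctly restricted
    if h["aa"]:
        return "authoritative"      # server owns the name; no recursion involved
    if h["ra"] and h["rcode"] == "NOERROR" and h["ancount"] > 0:
        return "open-recursive"     # non-authoritative data plus RA: it recursed for us
    return "no-recursion"


def probe(server: str, name: str = "www.powerdns.com", timeout: float = 2.0) -> str:
    """Send one RD=1 UDP query and classify the reply. Run from an address
    that is NOT in allow-recursion / allow-from."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if parse_header(resp)["id"] != parse_header(q)["id"]:
        return "id-mismatch"
    return classify(resp)


# Constructed header-only packets; classify() reads nothing past byte 12
OPEN = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR RD RA, NOERROR, 1 answer
REFUSED = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR RD, RCODE=REFUSED
AUTH = struct.pack(">HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0)     # QR AA RD, answer from own zone

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print([classify(p) for p in (OPEN, REFUSED, AUTH)])
```

With allow-recursion correctly set you should see "refused" from outside the listed networks and "open-recursive" only from inside them.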
Re: [Pdns-users] problems with glue records
It's the CNAME - think of it like a symbolic link on a file system. It points all access towards the given place. For your domain to work at all you'll need to remove the yeetta.net CNAME. Sent from my iPhone

On Feb 10, 2013, at 7:28, Florus Both flo...@yeetta.com wrote: Hi, maybe someone can shed some light on this. I have a domain (yeetta.net) and I have 3 pdns servers ns1..ns3.yeetta.net. My domain provider said that they have created the glue records. I can change ns on for example yeetta.com to ns1..ns3.yeetta.net. But I can make the ns1..ns3.yeetta.net change work for yeetta.net.

Floruss-MacBook-Air:~ fb$ host -t ns yeetta.net 8.8.4.4
Using domain server:
Name: 8.8.4.4
Address: 8.8.4.4#53
Aliases:
yeetta.net is an alias for sloth.dc2.dk.

Floruss-MacBook-Air:~ fb$ host -t ns yeetta.com 8.8.4.4
Using domain server:
Name: 8.8.4.4
Address: 8.8.4.4#53
Aliases:
yeetta.com name server ns2.yeetta.net.
yeetta.com name server ns3.yeetta.net.
yeetta.com name server ns1.yeetta.net.

Floruss-MacBook-Air:~ fb$ host -t soa yeetta.net 8.8.4.4
Using domain server:
Name: 8.8.4.4
Address: 8.8.4.4#53
Aliases:
yeetta.net is an alias for sloth.dc2.dk.

Floruss-MacBook-Air:~ fb$ host -t soa yeetta.net
yeetta.net has SOA record ns1.yeetta.net. hostmaster.yeetta.net. 2013020916 86400 86400 604800 300

Floruss-MacBook-Air:~ fb$ whois yeetta.net | grep -i server
Whois Server Version 2.0
Whois Server: whois.joker.com
Name Server: NS1.YEETTA.NET
Name Server: NS2.YEETTA.NET
Name Server: NS3.YEETTA.NET
nserver: ns1.yeetta.net 188.40.130.134 2a01:4f8:101:2446::10
nserver: ns2.yeetta.net 213.133.100.34 2a01:4f8:a0:92a1::10
nserver: ns3.yeetta.net 199.233.228.66 2607:fc50:1:d00::10

# data on master pdns:
mysql> select * from records where domain_id=(select id from domains where name='yeetta.net') order by type;
| id  | domain_id | name              | type  | content               | ttl   | prio | change_date | ordername | auth |
| 78  | 14        | ns1.yeetta.net    | A     | 188.40.130.134        | 300   | 0    | 1358881107  | ns1       | 1    |
| 79  | 14        | ns2.yeetta.net    | A     | 213.133.100.34        | 300   | 0    | 1358881107  | ns2       | 1    |
| 85  | 14        | sloth.yeetta.net  | A     | 213.133.100.45        | 300   | 0    | 1359117905  | sloth     | 1    |
| 104 | 14        | ns3.yeetta.net    | A     | 199.233.228.66        | 300   | 0    | 1358938795  | ns3       | 1    |
| 110 | 14        | fiji.yeetta.net   | A     | 78.47.100.74          | 300   | 0    | 1358938752  | fiji      | 1    |
| 111 | 14        | guam.yeetta.net   | A     | 78.47.120.205         | 300   | 0    | 1358938772  | guam      | 1    |
| 181 | 14        | palau.yeetta.net  | A     | 82.145.35.117         | 600   | 0    | 1359364715  | palau     | 1    |
| 105 | 14        | ns3.yeetta.net    |       | 2607:fc50:1:d00::10   | 300   | 0    | 1358932084  | ns3       | 1    |
| 106 | 14        | ns2.yeetta.net    |       | 2a01:4f8:a0:92a1::10  | 300   | 0    | 1358933489  | ns2       | 1    |
| 148 | 14        | ns1.yeetta.net    |       | 2a01:4f8:101:2446::10 | 600   | 0    | 1359105247  | ns1       | 1    |
| 74  | 14        | mail.yeetta.net   | CNAME | yeetta.net            | 300   | 0    | 1358881048  | mail      | 1    |
| 86  | 14        | dnsapi.yeetta.net | CNAME | sloth.yeetta.net      | 86400 | 0    | 1358881368  | dnsapi    | 1    |
| 228 | 14        | yeetta.net        | CNAME | sloth.dc2.dk          | 600   | 0    | 1360346937  |           | 1    |
| 235 | 14        | www.yeetta.net    | CNAME | sloth.dc2.dk          | 600   | 0    | 1360349998  | www       | 1    |
| 80  | 14        | yeetta.net        |
[Pdns-users] pdns-recursor: Block domains
Hi! What's the simplest and hopefully efficient way to block domains from being resolved by pdns-recursor? I'd just like NXDOMAIN to be returned for all RRs in unwanted domains. Ciao, Michael.
Re: [Pdns-users] pdns-recursor: Block domains
Peter van Dijk wrote: On Apr 26, 2013, at 18:57 , Michael Ströder wrote: What's the simplest and hopefully efficient way to block domains from being resolved by pdns-recursor? I'd just like NXDOMAIN to be returned for all RRs in unwanted domains. Like JP said, Lua is a very good option. The other option is using local-zones or forward-zones. Hmm, in case of forward-zones I'd need an additional DNS server generating the NXDOMAIN. So I will try with pseudo local-zones. Ciao, Michael.
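Added example (editor's code, not from the thread and not pdns-recursor code; the recursor's Lua hook API is not shown here) of the one piece of logic either approach has to get right: deciding whether a query name falls inside a blocked domain. A plain string suffix test is wrong, because "ads.example" must cover "cdn.ads.example" but not "notads.example"; matching label by label, right to left, gets this right and costs at most one dictionary lookup per label. The blocklist entries are constructed for illustration. Assumed: Python 3, standard library only.

```python
"""Label-wise domain blocklist matching, as a recursor block hook or a
local-zones generator would need it. Added example, not pdns-recursor code."""


def _labels(name: str):
    """Lower-cased labels of an absolute or relative name, root stripped."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


class DomainBlocklist:
    """Names are stored in a tree keyed by label from the right, so looking up
    a query name is a walk of at most len(labels) steps and a blocked domain
    covers its whole subtree without ever matching a longer sibling label."""

    def __init__(self, names=()):
        self.root = {}
        for n in names:
            self.add(n)

    def add(self, name: str) -> None:
        node = self.root
        for label in reversed(_labels(name)):
            node = node.setdefault(label, {})
        node[None] = True  # marker: this name and everything under it is blocked

    def blocked_by(self, qname: str):
        """Return the blocklist entry covering qname, or None."""
        node, matched = self.root, []
        for label in reversed(_labels(qname)):
            if label not in node:
                return None  # left the tree before reaching any marker
            node = node[label]
            matched.append(label)
            if None in node:
                return ".".join(reversed(matched))
        return None

    def __contains__(self, qname: str) -> bool:
        return self.blocked_by(qname) is not None


def answer_for(blocklist: DomainBlocklist, qname: str) -> str:
    """Policy decision a hook would return: NXDOMAIN for blocked names,
    otherwise let the recursor resolve normally."""
    return "NXDOMAIN" if qname in blocklist else "RESOLVE"


# Constructed entries for the example
BLOCKLIST = DomainBlocklist(["ads.example", "tracker.test."])

if __name__ == "__main__":
    for q in ("cdn.ads.example", "notads.example", "example", "TRACKER.test."):
        print(q, "->", answer_for(BLOCKLIST, q))
```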
Re: [Pdns-users] turn off all type of caching in pdns-recursor
Posner, Sebastian wrote: CMIIW, but I understand Alex doesn't want to monitor _his_ authoritative nameservers' performance/availability, but that of the resolver his upstream provides him with, and/or get a general heatmap of the state of DNS on teh intartubes. Whilst for monitoring _your_ zones' availability, this approach is a good idea, it is not feasible for domains you do not control^^ Well, this entirely depends on your recursor configuration and the domains you control. Ciao, Michael.
Re: [Pdns-users] turn off all type of caching in pdns-recursor
Michael Ströder wrote: Posner, Sebastian wrote: CMIIW, but I understand Alex doesn't want to monitor _his_ authoritative nameservers' performance/availability, but that of the resolver his upstream provides him with, and/or get a general heatmap of the state of DNS on teh intartubes. Whilst for monitoring _your_ zones' availability, this approach is a good idea, it is not feasible for domains you do not control^^ Well, this entirely depends on your recursor configuration and the domains you control. Sorry, I've misread your comment. Please ignore mine. Ciao, Michael.
Re: [Pdns-users] 1 sec delay before DNS-answer at pdns-recursor
What about giving the full dig output too? My bet is you're actually experiencing some sort of huge delay starting up dig or resolving localhost; use @127.0.0.1 instead and see if the time goes away. Does your /etc/hosts contain 'localhost'? Have you modified your nsswitch.conf? (Assuming a standard *nix-like system)

On Sun, Jun 23, 2013 at 3:58 AM, Shamus Smith smithsha...@yahoo.de wrote: Hello Bert, Any ideas why it takes so long? Rerun with --trace enabled and check what is happening. With some study, it should be clear what it is waiting for. did that already before, but still did not find anything helpful there. Below is a new trace. btw, I am using 3.5.1 (package pdns-recursor-3.5.1-1.el6.x86_64). Thanks, Shamus

- /etc/init.d/pdns-recursor start
Jun 23 12:30:12 server pdns_recursor[11064]: PowerDNS recursor 3.5.1 (C) 2001-2013 PowerDNS.COM BV (May 3 2013, 20:04:33, gcc 4.4.7 20120313 (Red Hat 4.4.7-3)) starting up
Jun 23 12:30:12 server pdns_recursor[11064]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Jun 23 12:30:12 server pdns_recursor[11064]: Operating in 64 bits mode
Jun 23 12:30:12 server pdns_recursor[11064]: Reading random entropy from '/dev/urandom'
Jun 23 12:30:12 server pdns_recursor[11064]: Only allowing queries from: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
Jun 23 12:30:12 server pdns_recursor[11064]: Will not send queries to: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10, 0.0.0.0, ::
Jun 23 12:30:12 server pdns_recursor[11064]: NOT using IPv6 for outgoing queries - set 'query-local-address6=::' to enable
Jun 23 12:30:12 server pdns_recursor[11064]: Redirecting queries for zone '.' to: 8.8.8.8:53
Jun 23 12:30:12 server pdns_recursor[11064]: Inserting rfc 1918 private space zones
Jun 23 12:30:12 server pdns_recursor[11064]: Not decreasing socket buffer size from 229376 to 20
Jun 23 12:30:12 server pdns_recursor[11064]: Listening for UDP queries on 127.0.0.1:53
Jun 23 12:30:12 server pdns_recursor[11064]: Enabled TCP data-ready filter for (slight) DoS protection
Jun 23 12:30:12 server pdns_recursor[11064]: Listening for TCP queries on 127.0.0.1:53
Jun 23 12:30:12 server pdns_recursor[11064]: Calling daemonize, going to background
Jun 23 12:30:12 server pdns_recursor[11065]: Set effective group id to 497
Jun 23 12:30:12 server pdns_recursor[11065]: Set effective user id to 497
Jun 23 12:30:12 server pdns_recursor[11065]: Launching 2 threads
Jun 23 12:30:12 server pdns_recursor[11065]: Done priming cache with root hints
Jun 23 12:30:12 server pdns_recursor[11065]: Done priming cache with root hints
Jun 23 12:30:12 server pdns_recursor[11065]: Enabled 'epoll' multiplexer
Jun 23 12:30:12 server pdns_recursor[11065]: .: No cache hit for '.|NS', trying to find an appropriate NS record
Jun 23 12:30:12 server pdns_recursor[11065]: .: No cache hit for '.|NS', trying to find an appropriate NS record
Jun 23 12:30:12 server pdns_recursor[11065]: .: Cache consultations done, have 1 NS to contact
Jun 23 12:30:12 server pdns_recursor[11065]: .: Cache consultations done, have 1 NS to contact
Jun 23 12:30:12 server pdns_recursor[11065]: .: Nameservers: -8.8.8.8:53(0.00ms)
Jun 23 12:30:12 server pdns_recursor[11065]: .: Trying to resolve NS '-8.8.8.8:53' (1/1)
Jun 23 12:30:12 server pdns_recursor[11065]: .: Domain has hardcoded nameserver(s)
Jun 23 12:30:12 server pdns_recursor[11065]: .: Resolved '.' NS -8.8.8.8:53 to: 8.8.8.8
Jun 23 12:30:12 server pdns_recursor[11065]: .: Nameservers: -8.8.8.8:53(0.00ms)
Jun 23 12:30:12 server pdns_recursor[11065]: .: Trying to resolve NS '-8.8.8.8:53' (1/1)
Jun 23 12:30:12 server pdns_recursor[11065]: .: Domain has hardcoded nameserver(s)
Jun 23 12:30:12 server pdns_recursor[11065]: .: Resolved '.' NS -8.8.8.8:53 to: 8.8.8.8
Jun 23 12:30:12 server pdns_recursor[11065]: .: Trying IP 8.8.8.8:53, asking '.|NS'
Jun 23 12:30:12 server pdns_recursor[11065]: .: Trying IP 8.8.8.8:53, asking '.|NS'
Jun 23 12:30:12 server pdns_recursor[11065]: .: Got 13 answers from -8.8.8.8:53 (8.8.8.8), rcode=0, aa=0, in 6ms
Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer '.|NS|d.root-servers.net.' from '.' nameservers? YES!
Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer '.|NS|l.root-servers.net.' from '.' nameservers? YES!
Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer '.|NS|c.root-servers.net.' from '.' nameservers? YES!
Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer '.|NS|g.root-servers.net.' from '.' nameservers? YES!
Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer '.|NS|h.root-servers.net.' from '.' nameservers? YES!
Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer
Re: [Pdns-users] 1 sec delay before DNS-answer at pdns-recursor
On Sunday, June 23, 2013, Shamus Smith wrote: Thanks for your answer. The full dig output was in the first posting. I have not modified nsswitch.conf and /etc/hosts contains only this:

No, only the +short is in any of your responses; when I say full output I mean without +short - there's a hint of timing information in the full dig output. We have the time it took for the entire command to execute but we don't have the actual RTT of the DNS query. It'll indicate the query time, as well as whom it sent the query to, i.e. what @localhost was resolved to prior to dig starting its own query - which I think it uses gethostent or one of the other get* calls for.

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

And you were right! When using dig www.google.com @127.0.0.1 it takes just 0.021 seconds. But I still do not have a clue why, do you?

My *guess* or hunch is that your internal OS stack (gethostent, getaddrinfo, etc.) is failing/falling over somehow or in some form. It shouldn't be talking to anything in resolv.conf, but if it is then the later response about correctly having the RD bit set or not because of the configuration could explain the different behavior with dnsmasq. Normally it should be consulting your local files first, finding an answer, and immediately returning. But if there's something funny going on it might not be. Other issues can occur if you have LDAP user databases/etc., or even if you've got some heavy swapping/paging going on; it'll take a while to start up any command that isn't already fully in cache/RAM. All that is why I asked for the timing information from dig, which it runs *after* any of that could get in the way.

When using another recursor (Dnsmasq) there is no time difference when using @localhost or @127.0.0.1. Thanks, Shamus

I don't think anything other than /etc/hosts should get involved but your stall pretty clearly appears to be happening during the resolution of the @localhost and not the round trip to the world and through the pdns recursor.
Re: [Pdns-users] 1 sec delay before DNS-answer at pdns-recursor
On Sun, Jun 23, 2013 at 5:40 PM, Michael Loftis mlof...@wgops.com wrote: I don't think anything other than /etc/hosts should get involved but your stall pretty clearly appears to be happening during the resolution of the @localhost and not the round trip to the world and through the pdns recursor. Which is to say I don't think that pdns-recursor is at fault for your slow dig resolution time...your OS stack I believe is failing elsewhere.
Re: [Pdns-users] 1 sec delay before DNS-answer at pdns-recursor
On Tuesday, June 25, 2013, Shamus Smith wrote: Hello all, thanks for all your answers, but I'm still stuck. Below is the full output for dig for pdns and dnsmasq. The query time is 2 ms for the first uncached request and 0 ms for pdns and dnsmasq. However, the whole execution of the dig command takes over 1 second for pdns and below 30 ms for dnsmasq. The same for nslookup. For the second request trace just shows: 1 question answered from packet cache from 127.0.0.1 But it still takes more than 1 second.

- /etc/pdns-recursor/recursor.conf (default config from package plus own forward-zone, comments removed)
forward-zones=.=8.8.8.8
setgid=pdns-recursor
setuid=pdns-recursor

- /etc/dnsmasq.conf (default config from package, comments removed)
bogus-priv
cache-size=1500
domain-needed
no-hosts

- /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

/etc/nsswitch.conf was not modified and there is absolutely no load on the machine. I do not have a LDAP user database, this is just a minimum install of CentOS 6.5. Any ideas?

Someone else mentioned using forward-zones-recurse instead. Try that. There's obviously an issue between your OS resolver and pdns-recursor. That may well be the cause. Thanks, Shamus
Re: [Pdns-users] Can the zone data be edited from passing mysql queries?
PowerDNS is database driven. Read the docs, or even just the features. On Monday, July 22, 2013, Manish Rane wrote: Hi Folks, Wondering if I can edit/change the static zone file as a result of a certain bash script. Since the backend is Mysql can we really pass a mysql statement by which I can update the zone file? Well, I am trying to write a script which will monitor the server on certain ports and if it fails to connect to the server it will delete or add the entry from the zone file so that traffic will be routed to another server, possible? I am thinking of the same possibility with BIND but let me know if this can be possible with pdns OR does anyone know of such a solution available in open source?
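Added example (editor's code, not from the thread and not PowerDNS code) of the health-check driven record change the question asks about, done directly against the records table. It runs offline on an in-memory SQLite copy of the gmysql column layout shown elsewhere on this list (id, domain_id, name, type, content, ttl, prio, change_date); on a real install the same statements go to MySQL. The zone and addresses are constructed. Two details matter: every change also bumps the SOA serial (in the SOA's content string) so slaves notice it, and the last address of a name is never withdrawn. Parameters are bound rather than interpolated, so record content is never backslash-escaped in the table. Assumed: Python 3, standard library only.

```python
"""Withdraw and restore A records after health checks, PowerDNS-style
records table. Added example, not PowerDNS code; SQLite stands in for MySQL."""
import sqlite3
import time

SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL, type TEXT NOT NULL);
CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL, name TEXT,
                      type TEXT, content TEXT, ttl INTEGER, prio INTEGER, change_date INTEGER);
"""


def make_db() -> sqlite3.Connection:
    """Constructed sample zone: one SOA and two A records for www."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO domains (id, name, type) VALUES (1, 'example.net', 'MASTER')")
    conn.executemany(
        "INSERT INTO records (domain_id, name, type, content, ttl, prio, change_date)"
        " VALUES (1, ?, ?, ?, 300, 0, 0)",
        [("example.net", "SOA",
          "ns1.example.net hostmaster.example.net 2013072201 10800 3600 604800 300"),
         ("www.example.net", "A", "192.0.2.10"),
         ("www.example.net", "A", "192.0.2.11")])
    conn.commit()
    return conn


def addresses(conn, domain_id: int, name: str) -> list:
    rows = conn.execute(
        "SELECT content FROM records WHERE domain_id=? AND name=? AND type='A'",
        (domain_id, name))
    return sorted(r[0] for r in rows)


def serial(conn, domain_id: int) -> int:
    content = conn.execute(
        "SELECT content FROM records WHERE domain_id=? AND type='SOA'", (domain_id,)).fetchone()[0]
    return int(content.split()[2])


def bump_serial(conn, domain_id: int) -> int:
    """Increment the serial (third field of the SOA content) and return it."""
    rid, content = conn.execute(
        "SELECT id, content FROM records WHERE domain_id=? AND type='SOA'", (domain_id,)).fetchone()
    fields = content.split()
    fields[2] = str(int(fields[2]) + 1)
    conn.execute("UPDATE records SET content=?, change_date=? WHERE id=?",
                 (" ".join(fields), int(time.time()), rid))
    return int(fields[2])


def withdraw_address(conn, domain_id: int, name: str, ip: str) -> bool:
    """Remove one A record after a failed check. Returns False and changes
    nothing if the record is absent or it is the last address for the name."""
    with conn:  # one transaction: delete and serial bump land together or not at all
        n = conn.execute(
            "SELECT COUNT(*) FROM records WHERE domain_id=? AND name=? AND type='A'",
            (domain_id, name)).fetchone()[0]
        if n <= 1:
            return False
        cur = conn.execute(
            "DELETE FROM records WHERE domain_id=? AND name=? AND type='A' AND content=?",
            (domain_id, name, ip))
        if cur.rowcount == 0:
            return False
        bump_serial(conn, domain_id)
        return True


def restore_address(conn, domain_id: int, name: str, ip: str, ttl: int = 300) -> bool:
    """Put an address back once the host passes its check again."""
    if ip in addresses(conn, domain_id, name):
        return False
    with conn:
        conn.execute(
            "INSERT INTO records (domain_id, name, type, content, ttl, prio, change_date)"
            " VALUES (?, ?, 'A', ?, ?, 0, ?)", (domain_id, name, ip, ttl, int(time.time())))
        bump_serial(conn, domain_id)
    return True


if __name__ == "__main__":
    db = make_db()
    print(withdraw_address(db, 1, "www.example.net", "192.0.2.10"),
          addresses(db, 1, "www.example.net"), serial(db, 1))
```

Keep the TTL on such records short; a withdrawn address stays in resolver caches for up to the TTL that was served before the change.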
Re: [Pdns-users] Power Dns Server As A Domain Name Registry(Parent Name Server)
You're making several mistakes in setting up your delegation. First you've included an SOA in your PowerDNS records. Start Of Authority is exactly that. The etc zone needs to have only NS records and (if necessary) A glue records inside of the delegating server. The PDNS server is being given a record that indicates *IT* has authority for the forum.etc zone. Secondly you delegate to ns1.forum.etc but forum.etc has ns1. as its listed delegate, which would be a zone/record that would not exist. Either add glue, or change that to correctly read ns1 or ns1.forum.etc. (note the trailing dot, VERY important). The PDNS server may also need an SOA for etc as well; depending on the resolver/resolver lib being used you might even need to have delegation in your PDNS for . (the root).

On Tue, Jul 23, 2013 at 5:19 PM, Önem Özgülgen onemozgul...@gmail.com wrote: Hello, IP address of PowerDNS server with MySQL backend (both authoritative and recursive): 188.132.241.151. IP address of Bind9 server: 188.132.250.197.

Here's the MySQL dump of the domains table:
mysql> select * from domains;
| id | name | master | last_check | type   | notified_serial | account |
| 5  | etc  | yes    | 1          | master | 1               | vixen   |
1 row in set (0.00 sec)

Here's the MySQL dump of the records table:
mysql> select * from records;
| id | domain_id | name          | type | content         | ttl | prio | change_date |
| 41 | 5         | forum.etc     | NS   | ns1.forum.etc   | 1   | 1    | 1           |
| 43 | 5         | ns1.forum.etc | A    | 188.132.250.197 | 1   | 1    | 1           |
| 39 | 5         | forum.etc     | SOA  | 45325325325     | 1   | 1    | 1           |
3 rows in set (0.00 sec)

Here's the records file input for the master zone of forum.etc created in the Bind9 server:
$ttl 38400
forum.etc. IN SOA ns1. info.forum.etc. ( 1374623190 10800 3600 604800 38400 )
forum.etc. IN NS ns1.
ns1 IN A 188.132.250.197
www IN A 94.101.88.30

After I've replaced my pc's dns server ip with the PowerDns server, here's the nslookup dump for both forum.etc and ns1.forum.etc:
C:\Users\vixen>nslookup forum.etc
Server: static-151-241-132-188.sadecehosting.net
Address: 188.132.241.151
Name: forum.etc

C:\Users\vixen>nslookup ns1.forum.etc
Server: static-151-241-132-188.sadecehosting.net
Address: 188.132.241.151
Name: ns1.forum.etc
Address: 188.132.250.197

On the web browser of my pc, when I type http://ns1.forum.etc I'm getting an Apache test page of the Bind9 server and it's ok. But if I type http://www.forum.etc it can't connect to the ip address which I've added in zone records of the Bind9 server. If you need anything more, please let me know. Thanks.
Re: [Pdns-users] Installing PDNS Server on Raspberry Pi (weezy)
Marc Haber wrote: pdns-users is an English language mailing list. On Fri, Aug 16, 2013 at 10:09:44AM +0200, abang wrote: but I need one for Debian on Raspberry Pi. I don't know where you can get a ready-made binary for armv6l. But you could try compiling it yourself.

apt-get install libboost-dev
wget http://downloads.powerdns.com/releases/pdns-recursor-3.5.2.tar.bz2
tar -xjf pdns-recursor-3.5.2.tar.bz2
cd pdns-recursor-3.5.2
./configure
make all

I'm trying it right now too. It feels like it takes forever on the Pi, though ;-)

The PowerDNS recursor cannot be compiled on arm architectures. It needs a feature called swapcontext which is not available on arm. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579194

Frankly I have no idea what swapcontext is, but FWIW I'm running package pdns-recursor-3.3-5.1.armv5tel found in the openSUSE snapshot build for Raspberry Pi.

Ciao, Michael.
Re: [Pdns-users] PowerDNS 3.0: Can't deal with multi-part NSEC mappings yet
Fredrik Roubert wrote: My ISP is running a slave DNS service, using PowerDNS 3.0 as this is the version included in Ubuntu 12.04 LTS. I've already read this post, about DNSSEC in 3.0 being explicitly deprecated: http://mailman.powerdns.com/pipermail/pdns-users/2012-July/009099.html But seeing that my ISP's position of "we'll use what's default in the LTS" is kind of reasonable,

IMO it's nonsense to rely on a distribution package in case the upstream developers strongly discourage a release for a certain usage. You should really discuss this with your ISP even if you manage to work around the current problem.

Ciao, Michael.
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
So there is no A record for labisilon.lab.example.com in the pdns01 name server? (What's the dig output when you request the A record for the delegated domain?)

Michael, You are correct - my typo - it is labisilon (not simply isilon). When I do "dig @pdns01 NS labisilon.lab.example.com" I get the following:

$ dig @psl-pdns01 ns pslisilon.lab.securustech.net
; <<>> DiG 9.8.3-P1 <<>> @psl-pdns01 ns pslisilon.lab.securustech.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53684
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;labisilon.lab.example.com. IN NS
;; AUTHORITY SECTION:
labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.
;; ADDITIONAL SECTION:
lab-isilon.lab.example.com. 900 IN A x.x.x.x
;; Query time: 59 msec

I don't believe the records are overlapping according to this output, but please correct me if I'm wrong on this.

-- Drew Decker Sent with Airmail

On December 13, 2013 at 12:35:02 AM, Michael Loftis (mlof...@wgops.com) wrote: Is the delegated zone isilon or labisilon? I think you need to check the A and NS records as you've mixed them up even in the email there. I would delegate a completely different sub domain than I would name the A record just to avoid such confusion; it sounds like you've got NS and A records for the same name, which is why you're getting the static A record from powerdns. In your typed example you are using labisilon as the sub domain and lab-isilon as the A record and NS delegation... What does dig NS labisilon.lab.example.com @1.2.3.4 give you? (Replace 1.2.3.4 with the pdns auth server ip address.) You should get back two records, one NS type pointing to lab-isilon and one A type giving the address to send UDP/TCP queries to. Sounds like that's where the problem is still. Your delegation shouldn't have any overlapping A records; labisilon should be just an NS which points to lab-isilon, otherwise you get the behavior you described, which is a broken delegation.

On Dec 12, 2013 9:54 PM, Drew Decker drewrocksh...@gmail.com wrote: Michael, I think you only read a few posts on this thread, so I'll give you some details of what had/has been done up to this point, as I read your entire email and from what you are saying, I've already done (which is why I'm reaching out to the community) - correct me if I'm wrong. I have a single zone: *lab.example.com*. The isilon needs a delegated zone for it to use, so we simply chose *isilon.lab.example.com*. From a PowerDNS perspective, *lab.example.com* lives on a single server *pdns01* and the database server runs on its own dedicated hardware *pdnsdb01*. A single zone was created - *lab.example.com*. We added the following DNS records to PowerDNS (in the *lab.example.com* zone):

labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.
lab-isilon.lab.example.com. 900 IN A x.x.x.x

Once we added this, it still does not work; when we ping labisilon.lab.example.com, it returns the IP from lab-isilon.lab.example.com, which would be as expected, but since the "x.x.x.x" IP is a SmartConnect IP on the Isilon, it actually takes that IP and gives a random IP (depends on how the Isilon is configured) back to the client. So, in our case, we basically round-robin it, so each new request to the isilon should give us a new IP, until we get to the end, and then we start over. I just need to know if I'm missing something here, and if not, maybe it is an issue with the Isilon, in this case. I just want to make sure that I'm setting up DNS delegation correctly in PowerDNS, or if I'm missing something PowerDNS specific. Thanks for your continued input.

-- Drew Decker

On December 12, 2013 at 9:32:33 PM, Michael Loftis (mlof...@wgops.com) wrote: The most common and obvious example of glue is when you have a TLD such as GOV, COM, or EDU delegate your domain; your NS records usually exist within your domain so glue must exist higher up. The exact same principle applies at every level where a delegation occurs. Say isil.lab.example.com is served by the isilon. This is the delegated subdomain. lab.example.com is served by other nameservers. The A record you're using could be ns1.isil.lab.example.com, and so must exist in both the isil.lab.example.com domain AND the lab.example.com domain, in two separate nameservers. You must have it on BOTH the lab.example.com and the isil.lab.example.com domains and nameservers. A records for out of zone nameservers in subdomains are called glue. Nothing magical. Everyone has some in COM, GOV, EDU, ORG, etc. If you take a look at google.com, you'll see ns1 through ns4.google.com -- those four A records exist in the COM zone
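The parent-side checks Michael walks through in this thread and in the forum.etc thread above (no SOA for the delegated name in the parent, fully qualified NS targets, glue for in-bailiwick nameservers, no A record at the delegated name itself) can be run mechanically over a parent zone's records. This is an added example in Python, not PowerDNS code; the record tuples and the 192.0.2.x addresses are constructed sample data.

```python
"""Parent-side delegation sanity check (added example, not PowerDNS code).

Records are (owner, type, content) tuples with fully qualified,
dot-terminated names, as they would appear in a zone file.
"""


def _under(name, zone):
    """True if name equals zone or is a subdomain of it (both dot-terminated)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


def check_delegation(parent_zone, child, records):
    """Return a list of findings for the delegation of `child` out of
    `parent_zone`; an empty list means the parent half looks sane."""
    findings = []
    at_child = [r for r in records if r[0].lower() == child.lower()]
    ns_targets = [content for _, rtype, content in at_child if rtype == "NS"]
    if not ns_targets:
        findings.append(f"no NS records for {child} in {parent_zone}")
    for _, rtype, _ in at_child:
        if rtype == "SOA":
            # The parent would claim authority over the zone it hands off.
            findings.append(f"SOA for {child} in parent {parent_zone}")
        elif rtype in ("A", "AAAA"):
            # An address at the delegated name makes the parent answer it
            # itself instead of referring to the child's nameservers.
            findings.append(f"{rtype} record at delegated name {child} overlaps the delegation")
    for target in ns_targets:
        if not target.endswith("."):
            findings.append(f"NS target {target!r} is not fully qualified")
            continue
        labels = [lab for lab in target.split(".") if lab]
        if len(labels) < 2:
            # e.g. "ns1." from a zone file that lost its $ORIGIN suffix
            findings.append(f"NS target {target!r} is a single label; no such host exists")
            continue
        if _under(target, child):
            # In-bailiwick nameserver: the parent must carry glue, otherwise
            # a resolver cannot reach the child zone to look the name up.
            glue = [r for r in records
                    if r[0].lower() == target.lower() and r[1] in ("A", "AAAA")]
            if not glue:
                findings.append(f"in-bailiwick nameserver {target} has no glue in {parent_zone}")
    return findings


# Constructed sample modelled on the "etc" zone in the thread above.
ETC_PARENT = [
    ("forum.etc.", "NS", "ns1.forum.etc."),
    ("ns1.forum.etc.", "A", "192.0.2.10"),
    ("forum.etc.", "SOA", "ns1.forum.etc. info.forum.etc. 1 10800 3600 604800 38400"),
]

# Constructed sample modelled on the Isilon delegation: out-of-bailiwick
# nameserver, so no glue is needed and nothing but NS sits at the child name.
LAB_PARENT = [
    ("labisilon.lab.example.com.", "NS", "lab-isilon.lab.example.com."),
    ("lab-isilon.lab.example.com.", "A", "192.0.2.20"),
]

if __name__ == "__main__":
    for finding in check_delegation("etc.", "forum.etc.", ETC_PARENT):
        print("etc:", finding)
    for finding in check_delegation("etc.", "forum.etc.",
                                    [("forum.etc.", "NS", "ns1.")]):
        print("bind zone:", finding)
    print("isilon:", check_delegation("lab.example.com.",
                                      "labisilon.lab.example.com.", LAB_PARENT))
```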
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
No, you definitely do not want to add an A record for labisilon.lab.domain.com to the powerdns server; that would cause it to always serve the A record. From the response information I take it the powerdns server isn't your recursive resolver (IE it's not what's in the /etc/resolv.conf or equivalent for your platform) - but from the output you've shown me the first half of the delegation is fine. The second half of the delegation must also exist or BIND in particular won't count it as valid (though the validation is lazy so you'll sometimes get an answer, but most of the time not) -- and the second half is the matching NS record on the isilon, and the SOA (though the SOA is less important) -- you'll want to do the same dig @x.x.x.x NS labisilon.lab.domain.com and dig @x.x.x.x A labisilon.lab.domain.com - this is all part of diagnosing what actually *is* happening with this delegation. If the NS records aren't being returned from the isilon, or the A or SOA isn't, I can't really help you out there if those aren't there, as I've never used the smartconnect product, though there's a small chance I can get some information since we used their storage boxes at my present day job years back before I started (we literally have a couple racks worth of them sitting around after being decommissioned). ... reading a bit in... is securustech.net the actual domain? It has wildcards which would be causing all manner of hell for you; if the A record you're getting back is the same as I'm seeing from the outside - 69.43.161.163 - then that would explain your problems. Your recursive resolver is getting the wildcard answers from your outside nameservers.

On Fri, Dec 13, 2013 at 8:23 AM, Drew Decker drewrocksh...@gmail.com wrote: Same output -

$ dig @psl-pdns01 A pslisilon.lab.securustech.net
; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24930
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;labisilon.lab.domain.com. IN A
;; AUTHORITY SECTION:
labisilon.lab.domain.com 900 IN NS lab-isilon.lab.domain.com.
;; ADDITIONAL SECTION:
lab-isilon.lab.domain.com. 900 IN A x.x.x.x
;; Query time: 2 msec

Do I need to specifically add an "A" record of labisilon.lab.domain.com - x.x.x.x?

-- Drew Decker Sent with Airmail

On December 13, 2013 at 10:18:10 AM, Michael Loftis (mlof...@wgops.com) wrote: labisilon.lab.example.com

-- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
Ah... You actually *may* have hit a bug. What version of powerdns and what backend? There's an issue on github, number 49, fixed in commit number 549 according to the bug, where PDNS was behaving similar to this... if you dig for things *under* that subdomain, eg test.labisilon.lab.domain.com, you get the correct response (NS and A records w/ no AA bit, indicating you must chase the delegation) -- but when querying for the delegated domain, it returns the SOA and an AA bit w/ NXDOMAIN indicating no such record. https://github.com/PowerDNS/pdns/issues/49 Might actually be that bug you're seeing! Sorry for the run around if so, I didn't even know the bug existed until now. This of course assumes correct records and all... which is why I had you run all those digs...

On Fri, Dec 13, 2013 at 10:22 AM, Drew Decker drewrocksh...@gmail.com wrote: Michael, the PowerDNS server IS the main recursor resolver and the IP of the PowerDNS server is actually in /etc/resolv.conf for all of the platform servers. We no longer have any BIND servers in our infrastructure. Here are the dig outputs:

$ dig @pdns01 NS labisilon.lab.domain.com
; <<>> DiG 9.8.3-P1 <<>> @pdns01 NS labisilon.lab.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9680
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;labisilon.lab.domain.com. IN NS
;; AUTHORITY SECTION:
lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com. 2013073047 86400 7200 604800 3600
;; Query time: 1 msec

[~] ddecker$ dig @pdns01 A labisilon.lab.domain.com
; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1337
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;labisilon.lab.domain.com. IN A
;; AUTHORITY SECTION:
lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com. 2013073047 86400 7200 604800 3600
;; Query time: 0 msec

-- Drew Decker Sent with Airmail
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
I can't replicate with 3.0.1 so I don't think it's in any current code. Barring a regression of course. Idk what he is running, but it is possible that it's old and affected. Can't be sure since I can't investigate directly.

On Dec 15, 2013 11:40 PM, Peter van Dijk peter.van.d...@netherlabs.nl wrote: Hello folks, I have not followed this thread (I saw it was full of helpful people already!), but I would just like to point out that that bug is actually 8 years old -- our github migration could not copy the timestamps reliably. The fix was in version 2.9.20, released March 2006. That said, if anybody does think a bug has been found in a recent PowerDNS, we're happy to look into it! Kind regards, -- Peter van Dijk Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

On Dec 13, 2013, at 23:54, Michael Loftis wrote: Ah... You actually *may* have hit a bug. What version of powerdns and what backend? There's an issue on github, number 49, fixed in commit number 549 according to the bug, where PDNS was behaving similar to this... if you dig for things *under* that subdomain, eg test.labisilon.lab.domain.com, you get the correct response (NS and A records w/ no AA bit, indicating you must chase the delegation) -- but when querying for the delegated domain, it returns the SOA and an AA bit w/ NXDOMAIN indicating no such record. https://github.com/PowerDNS/pdns/issues/49
[Pdns-users] RaspPi Syslog Error
Hi All, I have a version up and running on my RaspPi and it works fine. However, in the syslog I have the following error and wonder if you can provide some direction. The download site offers no insight:

Feb 27 22:55:12 raspbmc pdns[1152]: Recursive query for remote 192.168.15.160:3127 with internal id 8 was not answered by backend within timeout, reusing id
Feb 27 22:55:12 raspbmc pdns[1152]: Unable to send a packet to our recursing backend: Invalid argument

My allow-recursion line looks like this:

allow-recursion=127.0.0.1,192.168.15.0/24,192.168.15.155
recursor=8.8.8.8
[Pdns-users] Security of DNSSEC signing (was: New to PowerDNS)
k...@rice.edu wrote: On Thu, Jun 26, 2014 at 10:21:06PM +0100, Jorge Bastos wrote: For the DNSSEC part, is there a way to create the DNSSEC information just by SQL? If not, the solution is to run pdnssec secure-zone ZONE in a loop in a cron script, am I right?

I do not know about a SQL-only solution for MySQL DNSSEC signing, but I know that there is a sample schema for Oracle that includes the needed triggers and functions, and that I have a basically complete version of the same for PostgreSQL that I will be submitting to the PDNS folks once we have it vetted for production.

Hmm, am I the only one who is concerned about the security of the signing process? Please don't get me wrong. But people are advocating DANE nowadays and aim to completely replace X.509 certs with that. So security of the signed RRs is crucial, just like issuing X.509 certs. And yes, I know that it's hard to achieve a higher level of operational security.

Ciao, Michael.
Re: [Pdns-users] Recursion issue--SERVFAIL then NOERROR totally at random
On Tue, Sep 9, 2014 at 9:55 AM, Brian Menges bmen...@gogrid.com wrote: I'd say it's on Toyota's end:

Same here, gslb-ns1.toyota-na.com not responding (Comcast, Seattle, WA)
[Pdns-users] RFE LDAP backend: Filter template
HI! I know that the LDAP backend is not very high on the list of powerdns development. But I'd like to propose a small enhancement which would make some unusual LDAP-related setups easier. Simple new config item 'ldap-filter-template':

Default: ldap-filter-template = '(associatedDomain={0})'

Which could be replaced when using a DHCP server with LDAP backend by:

ldap-filter-template = '((objectClass=)(dhcpAssignedHostName={0}))'

Even nicer would be a configurable filter map. The {} syntax is inspired by Python's string formatting syntax and is only used as an example. Of course I can use the pipe-backend to implement whatever is needed for LDAP integration.

Ciao, Michael.
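Whatever placeholder syntax such a template ends up using, the value substituted for {0} is a query name chosen by whoever sent the DNS query, so the backend has to escape it per RFC 4515 before it lands in the filter, or a crafted name can close the assertion and append its own. Added example in Python, not the PowerDNS LDAP backend; ldap_filter_escape and render_filter_template are hypothetical names, and the second query name is a constructed hostile input.

```python
import re

# Bytes that RFC 4515 requires to be hex-escaped inside a filter value.
_MUST_ESCAPE = {0x00, 0x28, 0x29, 0x2A, 0x5C}  # NUL ( ) * \


def ldap_filter_escape(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter.
    Special characters, control characters and non-ASCII bytes become
    \\XX hex escapes, so the value can neither close nor extend the filter."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in _MUST_ESCAPE or byte < 0x20 or byte > 0x7E:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


_PLACEHOLDER = re.compile(r"\{(\d+)\}")


def render_filter_template(template: str, *values: str) -> str:
    """Substitute {N} placeholders with escaped positional values.

    Only the numeric placeholder syntax from the proposal is recognised,
    deliberately not str.format(): that would let a template reach
    attributes of its arguments, and it would escape nothing."""
    def substitute(match):
        index = int(match.group(1))
        if index >= len(values):
            raise IndexError(f"template uses {{{index}}} but only {len(values)} value(s) given")
        return ldap_filter_escape(values[index])
    return _PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    # The proposal's default template with an ordinary query name...
    print(render_filter_template("(associatedDomain={0})", "www.example.com"))
    # ...and with a constructed name that would otherwise splice in a second
    # assertion; note the escaped parentheses and asterisk in the output.
    print(render_filter_template("(associatedDomain={0})", "x)(objectClass=*"))
```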
[Pdns-users] DNSSEC with LDAP backend
HI! Would it be possible to set up an authoritative PowerDNS server with DNSSEC support using the LDAP backend? Do I have to extend some DNSSEC-related RRs in the list ldap_attrany in file modules/ldapbackend/ldapbackend.hh? As it seems to me, the attribute name is derived from the qtype name string and not from the content of ldap_attrany if qtype is set.

Ciao, Michael.
Re: [Pdns-users] DNSSEC with LDAP backend
Jan-Piet Mens wrote: Would it be possible to set up an authoritative PowerDNS server with DNSSEC support using the LDAP backend? The LDAP back-end doesn't support DNSSEC.

I'm aware that the LDAP back-end is not fully supported. Let me be more precise: I don't need auto-signing or support by other PowerDNS tools. I'd implement generating DNSSEC-related RRs with my own custom scripts writing LDAP entries. All I need is that powerdns delivers the RRs needed for DNSSEC read from LDAP entries. Is that possible?

Ciao, Michael.
Re: [Pdns-users] Currently using distro packages, want to update
Nick Williams wrote: I try to always use software packages from my distro package managers (OpenSUSE zypper and CentOS yum) when I can, because it's easier and it resolves all my dependencies for me. But my distro

Which is your distro? Vendor and exact version number?

For openSUSE I'm trying to keep up with powerdns releases and my submissions most times end up here pretty soon:

https://build.opensuse.org/package/show/server:dns/pdns (currently pdns-3.4.2)
https://build.opensuse.org/package/show/server:dns/pdns-recursor (currently pdns-recursor-3.6.2; 3.7.1 is in my home project but not built yet)

Sooner or later this will be passed downstream in openSUSE Factory for the next openSUSE release. You can see here which platforms are enabled for default builds: https://build.opensuse.org/project/repositories/server:dns There you will also find the direct download links to the zypper repo for your openSUSE version. In my OBS home project I'm also building openSUSE Factory_ARM for running the packages on Raspberry Pi.

Ciao, Michael.
Re: [Pdns-users] Why was content length increased?
DNSSEC and DKIM.

On Thursday, February 19, 2015, Nick Williams nicho...@nicholaswilliams.net wrote: I'm upgrading to authoritative 3.4 and noticed that the records.content column has been increased from 255 characters to 64000 characters. Because my table is UTF-8, I get the following error:

mysql> ALTER TABLE records MODIFY content VARCHAR(64000);
ERROR 1074 (42000): Column length too big for column 'content' (max = 21845); use BLOB or TEXT instead

I know I can use latin1, but I tend to avoid any non-Unicode character sets completely, and would prefer to stick with UTF-8. Given that:
- What changed that required the increase from 255 to 64,000 characters?
- Is there any reason that I couldn't just use VARCHAR(21845)?
- Are there any performance implications to using TEXT instead of VARCHAR(64000)?
Thanks, Nick

-- Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds. -- Samuel Butler
Re: [Pdns-users] Configure private subdomain
Nikolaos Milas wrote: If you managed to set up this demo (Split-DNS with powerdns and LDAP-Backend) for the Linux-Tage, could you please post this work here or a link to a page where it is available?

Basically it boils down to this ACL:

access to dn.subtree=cn=pdns,ou=services,ou=infra-dir filter=(objectClass=dNSDomain2)
  by set=user/memberOf this/seeAlso read
  by * none

Attribute 'seeAlso' contains DN(s) of group entries of service accounts of powerdns instances. Could not extensively test it though due to time constraints. And a nicer schema for not (ab)using attribute 'seeAlso' would be better.

Ciao, Michael.
Re: [Pdns-users] Slave DNSKeys
Peter van Dijk wrote: (2) it looks like your RRSIGs and KSK DNSKEY on the slave are truncated; we recommend increasing the size of the 'content' column in the records table (see our upgrade notes https://doc.powerdns.com/md/authoritative/upgrading/ )

(Sigh!) I really wonder why the LDAP backend is not improved to support DNSSEC. It's so much easier to set up an LDAP server with multi-master and two-tier replication than a MySQL server. And attributes are of variable length by default.

Ciao, Michael.
Re: [Pdns-users] Configure private subdomain
Nikolaos Milas wrote: On 3/3/2015 2:44 PM, Nikolaos Milas wrote: Ideally, we would like pdns to be configured to reply to requests *for particular names* (under a specific subdomain, say internal.example.com) by only providing records (if available, otherwise no results) and hide A records. This way we could specify (for names under a specific domain) A records which will contain a private IP address, so as to not be visible to the Internet but only locally.

Corrections/Clarifications: Ideally, we would like pdns to be configured to reply to requests *for particular names* (under a specific subdomain, say internal.example.com) by only providing records (if available, otherwise no results) and hide A records from all requests, except those from our own networks (as would be configured), to which full replies would be provided. This way we could specify (for names under a specific domain) A records which will contain a private IP address, so as to not be visible to the Internet but only locally (to our own networks, which would be specified explicitly).

This sounds a bit like a special case of split horizon DNS. I promised to configure a demo using powerdns with LDAP backend for this, based on OpenLDAP ACLs and several powerdns instances using different LDAP identities. Feel free to come here and ask whether I managed to get it working in time: https://chemnitzer.linux-tage.de/2015/en/programm/beitrag/134

Ciao, Michael.
[Pdns-users] DNS names and strings (was: PowerDNS development plans: 4.x DNSSEC, C++ 2011!)
bert hubert wrote: In this post, we'd like to share our current plans for .. PowerDNS 4.x!

Glad to read all your plans.

* We treat DNS names as ASCII strings, which we escape and unescape repeatedly. DNS names are not ascii strings, and we keep finding issues related to us treating them like strings.

Unfortunately the term "string" is used in many different ways. Could you please elaborate on what that means exactly? E.g. will this affect the way NON-ASCII DNS names are stored in backend files?

Ciao, Michael.
Re: [Pdns-users] ANY+Reflection Attacks?
Ciro Iriarte wrote: 2015-02-24 17:49 GMT-03:00 Ciro Iriarte cyru...@gmail.com: Hi! I'm seeing a lot of messages of type "Timeout from remote TCP client 10.XXX.XXX.XXX"; it seems to be an attack given we have any-to-tcp = yes. Is this usual? Is there any way to identify the attackers? The service is working fine and we have in our roadmap constant packet capture for data mining, but I find this behaviour new/interesting today :) Any comments? Regards,

Well, never mind. After all, those are legitimate clients and there seems to be a firewall with connection tracking issues. What's unexpected to me is having TCP requests; I was expecting only UDP traffic from end users.

DNSSEC used?

Ciao, Michael.
[Pdns-users] DNSSEC, pdns-recursor and libunbound
HI! We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs retrieved through a pdns-recursor (also tested 3.7.2). It seems that

1. libunbound does not explicitly retrieve the RRSIG RRs and
2. pdns-recursor does not return them when not explicitly requested (qtype ANY). (Explicitly requesting RRSIG works.)

=> validation in libunbound fails

Did anybody else try such a setup before? Did it work? Most people doing DNSSEC validation simply use bind9 or unbound for recursing and as validating resolver, but for now that's likely not an option in this infrastructure. Any hint is appreciated. Thanks in advance.

Ciao, Michael.
Re: [Pdns-users] DNSSEC, pdns-recursor and libunbound
l...@consolejunkie.net wrote: On 2015-04-24 21:35, Michael Ströder wrote: Michael Ströder wrote: We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs retrieved through a pdns-recursor (also tested 3.7.2). It seems that 1. libunbound does not explicitly retrieve the RRSIG RRs and 2. pdns-recursor does not return them when not explicitly requested (qtype ANY). (Explicitly requesting RRSIG works.) => validation in libunbound fails. Did further testing with python-unbound (thin wrapper module on top of libunbound) with a simple script almost equal to this: http://www.unbound.net/documentation/pyunbound/examples/example4.html Looking at PCAP dumps with Wireshark, the requests sent by libunbound contain the DO bit: 1... = DO bit: Accepts DNSSEC security RRs. It seems to me that unbound and Google's 8.8.8.8 therefore return RRSIG RRs while pdns-recursor does not. I have to admit that looking at [1] rather confuses me. ;-) Sniffing the outgoing requests sent by pdns-recursor, the DO bit is missing. Obviously the DNS servers then do not respond with RRSIG RRs. Ciao, Michael. [1] http://tools.ietf.org/html/rfc4035#section-3.2.1

It's too bad nobody replied to you yet.

Given my last posting was late in the evening, your response is pretty quick. :-)

Let me tell how it is: The DO-bit in the request to the recursor means: please include DNSSEC information.

Yes.

Then if the recursor you are requesting it from does validation and it fails, it will return an error similar to domain not found.

Actually I'm using python-unbound (mainly libunbound) for the validation but would like to use the existing pdns-recursor for simply retrieving the RRs. But since the DO bit is not forwarded, it does not get the RRSIG RRs back and returns the result with validation status bogus.

http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/ If I understand correctly the PowerDNS developers have put in some of the time to add DNSSEC to their recursor, but it isn't done yet.

Already saw this blog article before. I'm looking forward to pdns-recursor 4.x because I like its logging more than that of other recursors.

In the past I've requested from the PowerDNS developers, would it be possible to at least include the DNSSEC information so Unbound can do the validation. I told them you can leave the validation out of PowerDNS-recursor, I care less about that. The answer I got was: The validation is in comparison the easy part; changing the recursor to return the DNSSEC information is more work.

Hmm, but if explicitly requested in the query, pdns-recursor does actually retrieve the RRSIG RRs. Wouldn't it be possible to also send the DO bit in the outgoing query if the incoming query had it set?

Ciao, Michael.
Re: [Pdns-users] DNSSEC, pdns-recursor and libunbound
Michael Ströder wrote:
> We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs retrieved through a pdns-recursor (also tested 3.7.2).
> It seems that
> 1. libunbound does not explicitly retrieve the RRSIG RRs and
> 2. pdns-recursor does not return them when not explicitly requested (qtype ANY). (Explicitly requesting RRSIG works.)
> => validation in libunbound fails

Did further testing with python-unbound (thin wrapper module on top of libunbound) with a simple script almost equal to this:
http://www.unbound.net/documentation/pyunbound/examples/example4.html

Looking at PCAP dumps with Wireshark the requests sent by libunbound contain the DO bit:
  1... = DO bit: Accepts DNSSEC security RRs

It seems to me that unbound and Google's 8.8.8.8 therefore return RRSIG RRs while pdns-recursor does not.
I have to admit that looking at [1] rather confuses me. ;-)

Sniffing the out-going requests sent by pdns-recursor the DO bit is missing. Obviously the DNS servers then do not respond with RRSIG RRs.

Ciao, Michael.

[1] http://tools.ietf.org/html/rfc4035#section-3.2.1
[Pdns-users] LargeScaleDNSSECBCP / versions
Hi!

It seems this wiki page mentions rather old pdns versions:
http://wiki.powerdns.com/trac/wiki/LargeScaleDNSSECBCP

Are there more recent insights to consider regarding versions? Especially when thinking about a pdns upgrade 3.3.x -> 3.4.1 for DNSSEC?

Ciao, Michael.
--
Michael Ströder
E-Mail: mich...@stroeder.com
http://www.stroeder.com
Re: [Pdns-users] PDNS to answer as NON-authoritative?
Two people have answered your question and told you what you're missing. I'm not going to try to guess at whatever misconfiguration or misunderstanding resulted in you getting (or seemingly getting) recursive results from bind when you were attempting to disable them.

PowerDNS fully and completely separates all authoritative functionality from recursive functionality (and any associated caches). This is in contrast to bind which merges all such functionality.

On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <luis.daniel.lu...@gmail.com> wrote:
> No because in bind, when you turn off recursive resolution it resolves. I can't figure out the missing part to have the same behavior.
> On 3 Jan 2016 2:39 PM, "Michael Loftis" <mlof...@wgops.com> wrote:
>> Again not a resolver. Sorry but you're the one misunderstanding. If you want answers for data not present you need a recursive resolver.
>>
>> On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <luis.daniel.lu...@gmail.com> wrote:
>>> Host command does not do that as well. It off on the sample output
>>> On 3 Jan 2016 2:00 PM, "Aki Tuomi" <cmo...@cmouse.fi> wrote:
>>>> That is because dig is not a resolver.
>>>>
>>>> ---
>>>> Aki Tuomi
>>>>
>>>> Original message
>>>> From: Luis Daniel Lucio Quiroz <luis.daniel.lu...@gmail.com>
>>>> Date: 03/01/2016 20:56 (GMT+02:00)
>>>> To: Michael Loftis <mlof...@wgops.com>
>>>> Cc: Aki Tuomi <cmo...@youzen.ext.b2.fi>, pdns-users@mailman.powerdns.com
>>>> Subject: Re: [Pdns-users] PDNS to answer as NON-authoritative?
>>>>
>>>> You don't pay attention.
>>>> My question is why the resolver doesn't continue the iterative query. It just stops when it gets the ns answer
>>>> On 3 Jan 2016 12:59 PM, "Michael Loftis" <mlof...@wgops.com> wrote:
>>>>> Then quit asking it for information it doesn't have. Responding with the root NS set is correct when you're asking for Google.com which it knows nothing about.
>>>>>
>>>>> On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <luis.daniel.lu...@gmail.com> wrote:
>>>>>> Thanks. But that's the way you don't want to use. I know how.
>>>>>>
>>>>>> I need to make it work in non recursive mode.
>>>>>> On 3 Jan 2016 9:29 AM, "Aki Tuomi" <cmo...@youzen.ext.b2.fi> wrote:
>>>>>>> If you want to use auth as recursor, you need to configure
>>>>>>>
>>>>>>>   recursor=
>>>>>>>   allow-recursion=
>>>>>>>
>>>>>>> On Sat, Jan 02, 2016 at 09:55:54PM -0800, Michael Loftis wrote:
>>>>>>> > PowerDNS is not the same as PowerDNS Recursor. The former only does authoritative which is your problem here.
Re: [Pdns-users] PDNS to answer as NON-authoritative?
PowerDNS is not the same as PowerDNS Recursor. The former only does authoritative which is your problem here.

On Saturday, January 2, 2016, Luis Daniel Lucio Quiroz <luis.daniel.lu...@gmail.com> wrote:
> Hello
>
> What am I missing? I have this:
> launch=pipe,bind
> pipe-command=/usr/local/libexec/latency.pdns.plugin
> pipe-regex=^.*\.(mylocaldomain)\.(net);.*$
> bind-config=/etc/named.pdns.conf
> bind-check-interval=300
> bind-ignore-broken-records=no
> send-root-referral=lean
> allow-recursion=192.168.7.0/24
>
> /etc/named.pdns.conf looks like this
> zone "mylocaldomain.net" IN {
>     type master;
>     file "/var/named/data/mylocaldomain.net";
> };
>
> zone "root-servers.net" IN {
>     type master;
>     file "/var/named/data/named.ca";
> };
>
> when I do a dig, or a host, I get this:
>
> dig google.com @PUBLICIP
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> . @PUBLICIP
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29059
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;.                              IN      A
>
> ;; AUTHORITY SECTION:
> .                       518400  IN      NS      a.root-servers.net.
> .                       518400  IN      NS      b.root-servers.net.
> .                       518400  IN      NS      c.root-servers.net.
> .                       518400  IN      NS      d.root-servers.net.
> .                       518400  IN      NS      e.root-servers.net.
> .                       518400  IN      NS      f.root-servers.net.
> .                       518400  IN      NS      g.root-servers.net.
> .                       518400  IN      NS      h.root-servers.net.
> .                       518400  IN      NS      i.root-servers.net.
> .                       518400  IN      NS      j.root-servers.net.
> .                       518400  IN      NS      k.root-servers.net.
> .                       518400  IN      NS      l.root-servers.net.
> .                       518400  IN      NS      m.root-servers.net.
>
> ;; ADDITIONAL SECTION:
> a.root-servers.net.     360     IN      A       198.41.0.4
> a.root-servers.net.     360     IN      2001:503:ba3e::2:30
> b.root-servers.net.     360     IN      A       192.228.79.201
> c.root-servers.net.     360     IN      A       192.33.4.12
> d.root-servers.net.     360     IN      A       199.7.91.13
> d.root-servers.net.     360     IN      2001:500:2d::d
> e.root-servers.net.     360     IN      A       192.203.230.10
> f.root-servers.net.     360     IN      A       192.5.5.241
> f.root-servers.net.     360     IN      2001:500:2f::f
> g.root-servers.net.     360     IN      A       192.112.36.4
> h.root-servers.net.     360     IN      A       128.63.2.53
> h.root-servers.net.     360     IN      2001:500:1::803f:235
> i.root-servers.net.     360     IN      A       192.36.148.17
>
> ;; Query time: 24 msec
> ;;
> ;; WHEN: Sun Jan 3 05:10:27 2016
> ;; MSG SIZE rcvd: 484
>
> or
>
> host google.com PUBLICIP
> Using domain server:
> Name: PUBLICIP
> Address: PUBLICIP#53
> Aliases:
>
> As you see, there is no answer. I only get the root NS servers.
>
> --
> Luis Daniel Lucio Quiroz
> CISSP, CISM, CISA

--
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds." -- Samuel Butler
Re: [Pdns-users] PDNS to answer as NON-authoritative?
Again not a resolver. Sorry but you're the one misunderstanding. If you want answers for data not present you need a recursive resolver.

On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <luis.daniel.lu...@gmail.com> wrote:
> Host command does not do that as well. It off on the sample output
> On 3 Jan 2016 2:00 PM, "Aki Tuomi" <cmo...@cmouse.fi> wrote:
>> That is because dig is not a resolver.
>>
>> ---
>> Aki Tuomi
>>
>> Original message
>> From: Luis Daniel Lucio Quiroz <luis.daniel.lu...@gmail.com>
>> Date: 03/01/2016 20:56 (GMT+02:00)
>> To: Michael Loftis <mlof...@wgops.com>
>> Cc: Aki Tuomi <cmo...@youzen.ext.b2.fi>, pdns-users@mailman.powerdns.com
>> Subject: Re: [Pdns-users] PDNS to answer as NON-authoritative?
>>
>> You don't pay attention.
>> My question is why the resolver doesn't continue the iterative query. It just stops when it gets the ns answer
>> On 3 Jan 2016 12:59 PM, "Michael Loftis" <mlof...@wgops.com> wrote:
>>> Then quit asking it for information it doesn't have. Responding with the root NS set is correct when you're asking for Google.com which it knows nothing about.
>>>
>>> On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <luis.daniel.lu...@gmail.com> wrote:
>>>> Thanks. But that's the way you don't want to use. I know how.
>>>>
>>>> I need to make it work in non recursive mode.
>>>> On 3 Jan 2016 9:29 AM, "Aki Tuomi" <cmo...@youzen.ext.b2.fi> wrote:
>>>>> If you want to use auth as recursor, you need to configure
>>>>>
>>>>>   recursor=
>>>>>   allow-recursion=
>>>>>
>>>>> On Sat, Jan 02, 2016 at 09:55:54PM -0800, Michael Loftis wrote:
>>>>> > PowerDNS is not the same as PowerDNS Recursor. The former only does authoritative which is your problem here.
Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment
(inline)

On Wed, Jan 6, 2016 at 11:42 AM, Nicholas Williams wrote:
> I'll look into that other script. Thanks, Bert.
>
>> How about creating a separate sub-zone with a broken presigned DNSSEC
>>
>> You can set presigned for just that single zone using the PRESIGNED domain metadata[1] in your database.
>
> I really like this idea in combination. That documentation that Pieter sent me should help me get set up with presigning. But, Leen, how would I set up a subzone delegated to the same authoritative server (or can I, even?)? Can you point me to that documentation?

B/C the server is the same you don't necessarily need to set up the delegation in the zone with records table. You just need to have it in the domains table. That said you *can* totally do a full delegation. You just insert NS records into the parent zone records w/ the parent domain_id, and do SOA+NS/whatever you normally do (synthetic SOA/generated SOA comes to mind) inside the delegated zone (child) domain_id...there's no magic to delegations. You'll have like 2x the NS records for a self delegated zone (as the parent zone will have the same records with the parent/delegating domain_id)

> Google really hasn't indexed this documentation very well at all...
>
> Thanks,
>
> Nick
Re: [Pdns-users] [Pdns-announce] PowerDNS Authoritative Server 4.0.0 released
Pieter Lexis wrote:
> * A revived and supported LDAP backend (ldap).

Thanks! :-)

Ciao, Michael.
Re: [Pdns-users] pdns-ldap <-> Rudder-ldap
StanC wrote:
> Is there a method of translating the ldap schema that Rudder uses for its node inventory and using this in a pdns ldap backend?

More or less you're asking for the same feature as me:
https://github.com/PowerDNS/pdns/issues/1832

> I had this fantasy that one could connect to Rudder's ldap server from pdns and use it directly as a backend, but I cannot imagine that the schemas could possibly align

For tight integration with my Æ-DIR I plan to use the remote-backend:
https://doc.powerdns.com/md/authoritative/backend-remote/
http://jpmens.net/2015/11/03/powerdns-with-the-remote-back-end-and-dnssec/

Ciao, Michael.
Re: [Pdns-users] GUI with LDAP backend ?
r0m5 wrote:
> So here is my question: what do you think would be a convenient way to manage zone and records using the LDAP backend? How do you guys proceed?

For managing DNS zones in a pdns LDAP backend I've added some plugin classes to my own client:
https://web2ldap.de/

Be warned it's still not an ideal DNS UI. But once you get used to it it's IMHO not much worse than poweradmin. (You can contact me off-list if you have issues installing/using it.)

Hmm, so far I did not see an intuitive DNS management UI anyway. I guess it's the generic flexibility of DNS RRs which puts so much burden on the UI.

Ciao, Michael.
Re: [Pdns-users] Question about logging changes
Dirk Bartley wrote:
> You could log the who of who is logged into the database, but if the database connection is done from a front end, it would always be the user the front end connects to the database as. But if you have a front end, just manage it by who is logged into the front end.

Depends on the frontend. If it lets the user impersonate as a personal user account on the DB connection you get the real who.

It would be nice if the PowerDNS API had a config option like "connect-as-user" to avoid using a hard-coded API password/key. In this case you could also let the database backend enforce access control even for API requests.

Ciao, Michael.
Re: [Pdns-users] Question about logging changes
Dirk Bartley wrote:
> I have been asked to look at some options for assisting my employer to alter the way our internal dns is served. One of the features being requested is the ability to log the who, what and when of all changes to the data that dns is serving. Of course when I search for change logging, I get the change logs of the code. Would there be a better phrase than "change log" to search for? Is this the kind of feature that already exists, or is this the kind of feature that would be better accomplished by writing a front end that we would force everyone here to use that does the update? We are considering using LDAP as a backend for the dns service.

How do you plan to maintain the data? E.g. if you're using an LDAP server as backend *and* you're going to maintain the data via LDAP it boils down more to how to audit write operations on the LDAP server. And this depends on the features of the LDAP server you're planning to use.

Personally I love the accesslog overlay (originally implemented for delta-replication) in OpenLDAP because it automagically gives you a perfect audit trail in a separate database.

Ciao, Michael.
Re: [Pdns-users] Meltdown impact on PowerDNS/dnsdist
bert hubert wrote:
> We have done some very tentative measurements on the Linux Meltdown workaround & impact on DNS performance.

Besides the performance impact of the "fixes" doesn't this mean that people should stop doing DNSSEC signing on-the-fly on the authoritative server and move DNSSEC signing to isolated systems?

Ciao, Michael.
Re: [Pdns-users] BIND-Zonefiles: @ vs blank
On Thu, Aug 8, 2019 at 07:01 Bjoern Franke wrote:
> Hi,
>
> we have a zonefile which got recently added TXT entries for SPF and DMARC:
>
> _dmarc  IN TXT "v=DMARC1; p=none; rua=mailto:foo;
>         IN MX  10 mx.domain.tld.
>         IN TXT "v=spf1 include:spf1.domain.tld ?all"
>
> Since then, requests for the MX record were not answered any more; adding a @ fixed it.
>
> I'm wondering now why this happens, as in other zonefiles without TXT records the blank substitution works.

I've always had the understanding that blank meant "reuse last" so by adding the _dmarc TXT record ahead of the blank records you inadvertently moved them to be _dmarc.ZONE

I could certainly be wrong because I haven't looked at the man page for bind zone files in the last decade.

> Kind regards
> Bjoern
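The "reuse last" behaviour described in the reply above is the RFC 1035 master-file rule for a blank owner field. The following Python is an added illustration, not part of the thread: it walks a constructed zone laid out like the one reported (a _dmarc TXT followed by blank-owner MX and TXT lines), shows those records landing under _dmarc.domain.tld., and then the same zone with the "@" restored. The zone text, names and helper functions are all constructed for the example.

```python
import re

CLASSES = {"IN", "CH", "HS", "CS"}

# Constructed zones, not the poster's actual file. BROKEN_ZONE reproduces the
# reported layout: a _dmarc TXT followed by records with a blank owner field.
# FIXED_ZONE puts an explicit "@" back in front of the MX.
BROKEN_ZONE = """\
$ORIGIN domain.tld.
$TTL 3600
@       IN SOA  ns1 hostmaster 2019080801 3600 900 604800 300
        IN NS   ns1
_dmarc  IN TXT  "v=DMARC1; p=none; rua=mailto:dmarc@domain.tld"
        IN MX   10 mx.domain.tld.
        IN TXT  "v=spf1 include:spf1.domain.tld ?all"
"""

FIXED_ZONE = """\
$ORIGIN domain.tld.
$TTL 3600
@       IN SOA  ns1 hostmaster 2019080801 3600 900 604800 300
        IN NS   ns1
_dmarc  IN TXT  "v=DMARC1; p=none; rua=mailto:dmarc@domain.tld"
@       IN MX   10 mx.domain.tld.
        IN TXT  "v=spf1 include:spf1.domain.tld ?all"
"""


def _strip_comment(line):
    """Drop a trailing ';' comment, but leave ';' inside quoted strings alone
    (DMARC and SPF TXT rdata use ';' as a field separator)."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line


def _absolute(name, origin):
    """Turn an owner field into an absolute name relative to $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def resolve_owners(zone_text, origin):
    """Parse a master-file fragment into (owner, rtype, rdata) tuples with
    every owner made absolute.

    Applies the RFC 1035 rule: a line whose owner field is blank (it starts
    with whitespace) belongs to the owner of the previous RR, whatever that
    was, not to the zone apex.
    """
    if not origin.endswith("."):
        origin += "."
    last_owner = origin
    records = []
    for raw in zone_text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        fields = re.findall(r'"[^"]*"|\S+', line)   # keep quoted rdata intact
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):               # $TTL etc. do not affect owners
            continue
        if line[0].isspace():
            owner = last_owner                       # blank owner: inherit
        else:
            owner = _absolute(fields.pop(0), origin)
            last_owner = owner
        # an optional TTL and/or class may precede the type
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)
        records.append((owner, fields[0].upper(), " ".join(fields[1:])))
    return records


def owners_of(records, rtype):
    """Owner names of all RRs of one type, in zone order."""
    return [owner for owner, t, _ in records if t == rtype]


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        recs = resolve_owners(zone, "domain.tld.")
        print(f"--- {label}: MX owner(s) {owners_of(recs, 'MX')}")
        for owner, rtype, rdata in recs:
            print(f"  {owner:22} {rtype:4} {rdata}")
```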
Re: [Pdns-users] Log all zone changes
On 9/27/19 8:30 PM, Vitali Quiering via Pdns-users wrote:
> I just started using PowerDNS Authoritative Server recently and got to the point where I need all changes logged. Is there an option I missed? If there is none: How do you log your changes?

Probably not exactly the answer you're looking for:
I'm using PowerDNS with LDAP backend and write operations to OpenLDAP server(s) are logged with the accesslog overlay. My personal setup is very small but the components should easily scale up.

Ciao, Michael.
Re: [Pdns-users] Contents of Pdns-users digest
I think a load balancer is the best option and configure the policy(ies) on it.

Michael Chisina

On Wed, Nov 13, 2019, 2:00 PM wrote:
> Today's Topics:
>
>    1. Re: Forward client request (Thomas Mieslinger)
>
> Message: 1
> Date: Tue, 12 Nov 2019 15:37:32 +0100
> From: Thomas Mieslinger
> To: pdns-users@mailman.powerdns.com
> Subject: Re: [Pdns-users] Forward client request
>
> If you are familiar with policy based routing or multiple vrfs and running multiple pdns_recursor instances you could create two (or more) pdns_recursor services and configure the routing to send the dns requests to the desired recursor.
>
> On 11/12/19 12:05 PM, mendisobal via Pdns-users wrote:
> > How can I forward recursive DNS requests based on the source address of the client? To do this I need to have the ability to return the address of the next NS from the preresolve function (instead of NS-records).
> > Is there any example in lua?
>
> End of Pdns-users Digest, Vol 202, Issue 7
Re: [Pdns-users] pdns-recursor Permissions Error
On 1/7/20 3:00 PM, Sharone Bakara wrote:
> On 7 Jan 2020, at 16:55, Remi Gacogne wrote:
>> On 1/7/20 2:41 PM, Sharone wrote:
>>> '/var/run/pdns-recursor': Permission denied"*
>> I'm not sure what your SNMP setup is, but it looks like the user invoking rec_control does not have the rights to create a new file in /var/run/pdns-recursor. What happens if you invoke the rec_control command directly as the 'pdns' user?
>
> I get the same error as when I run it as root.

Whenever "permission denied" happens while running an action as root I'd check whether SELinux or AppArmor blocks some access.
=> check your audit log (assuming you're running auditd)

Ciao, Michael.
RE: [Pdns-users] Debugging
Hi Bert,

I get about 3 different types of crashes. There is no rhyme or reason to them. I watch the command prompt log to see if it crashes on the same type of action, and it doesn't. I was hoping setting up the service to restart after a failure would fix the problem, but it seems that the program is still running, just not answering. I have been trying to figure out why 1 server works fine, and 2 others don't. There is no rhyme or reason to them either.

Is there an older build of the windows version that is more stable? I don't need bells and whistles, just simple A, CNAME, MX, SOA records, etc. And I don't need primary and slave servers because I simply use replication in my MS SQL DB so if I update one, they all get updated.

Thanks for your help.

Michael C. Gates

-----Original Message-----
From: bert hubert
Sent: Saturday, August 26, 2006 4:53 AM
To: Michael C. Gates
Cc: pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] Debugging

On Fri, Aug 25, 2006 at 07:08:43PM -0400, Michael C. Gates wrote:
> Any way to create a program log so I can figure out why mine is crashing every once in a while? If I download the source, can I open it in Visual Studio 2005? Or was it written in something else? I know C#, but not much of C++. I wouldn't mind figuring it out if it solved the crashing C++ problem.

The PowerDNS Recursor compiles in Visual Studio 2005, the authoritative server doesn't.

The currently last released version of the PowerDNS Authoritative server is known to have many, many bugs. Can you let us know more about your specific problem?

Thanks.

--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
RE: [Pdns-users] problem with slave domains odbc backend w2000
What would sponsor mean? I would be glad to depending on what is involved. I would actually love to have a C# version of this for windows users... But that is probably a huge task... Let me know... I didn't get the email about it.

Best regards,
Michael C. Gates
GatesHosting.com

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of bert hubert
Sent: Friday, November 03, 2006 3:18 AM
To: Adam Bazylczyk
Cc: pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] problem with slave domains odbc backend w2000

On Fri, Nov 03, 2006 at 06:17:44AM +0100, Adam Bazylczyk wrote:
> I am using the odbc backend on Windows with an MS Access database file. Master domains work very well with AXFR but when I input any slave domain in the domains table, every time there is an error and the pdns service stops. Can anybody help me? I can't find any idea where the problem is. My system is W2000. I have over 500 master domains and can't work with slave now :(

The windows version of PowerDNS is very old and stale. We'd love to ship a new version, but it is a lot of work. We've asked a few windows users if they would consider sponsoring a new Windows release, but nobody was interested.

So I'm afraid we can't really help you with this old version of PowerDNS..

Bert
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
RE: [Pdns-users] Re: How Do SPF records work in PDNS? (beginner)
Make sure your server has a host name. And make sure it is set up correctly. If your DNS name is mail.gateshosting.com, make sure your server name is mail, and your suffix is gateshosting.com for a full name of mail.gateshosting.com. Also just make sure you HAVE a dns record for that ip, and a rDns record for that ip.

Here is a tool I use to check my mail server: www.dnsreport.com - Just check your domain name, like gateshosting.com and it will actually let you know if you have any errors in DNS.

Also, I see in one of the headers, the ip address is 127.0.0.1. You probably should have a public ip address. Otherwise some servers will deny your connection.

Hope this helps,

Michael C. Gates

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Richard Vernooij
Sent: Sunday, November 19, 2006 3:33 AM
To: pdns-users@mailman.powerdns.com
Subject: Fw: [Pdns-users] Re: How Do SPF records work in PDNS? (beginner)

Ok. For me it is clear that my problem has to do with reverse DNS, and not with SPF. Can someone tell me how to set up the right configuration for reverse DNS for the example I gave?

Here is also an email header from a mail that is bounced:

Received: from dedicated ([127.0.0.1]) by dedicated.domain.com with Microsoft SMTPSVC(6.0.3790.1830); Sat, 18 Nov 2006 09:55:21 +0100
Date: Sat, 18 Nov 2006 09:55:21 +0100
Subject: Order 12564
From: Companyname [EMAIL PROTECTED]
To: Kevin Chin [EMAIL PROTECTED]
MIME-Version: 1.0
X-Mailer: osCommerce Mailer
Content-Type: multipart/alternative; boundary==_0546849bb7db32079db89f7fa0271de5
Return-Path: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
X-OriginalArrivalTime: 18 Nov 2006 08:55:21.0578 (UTC) FILETIME=[4776D4A0:01C70AEF]

The message I receive back:

Reporting-MTA: dns;[EMAIL PROTECTED]
Received-From-MTA: dns;dedicated
Arrival-Date: Sat, 18 Nov 2006 09:55:21 +0100
Final-Recipient: rfc822;[EMAIL PROTECTED]
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550 Spam refused: is a silly name for a mail server or server has no name.

I also get many messages with other error codes:
Action: failed
Status: 5.4.0 ( most often message )
Action: failed
Status: 4.4.7

I hope someone can tell me what to do with my DNS settings here, or if it is not my DNS, please tell me where to look.

Thanks.
Richard.

----- Forwarded Message -----
From: Alex van den Bogaerdt [EMAIL PROTECTED]
To: pdns-users@mailman.powerdns.com
Sent: Saturday, November 18, 2006 10:40:37 PM
Subject: Re: [Pdns-users] Re: How Do SPF records work in PDNS? (beginner)

On Sat, Nov 18, 2006 at 12:49:44PM -0700, Michael Loftis wrote:
> Now if you *have* an SPF record (which again is *NOT* a type of DNS record at all, it's a TXT record)

Please be aware that there is an official SPF resource record.
http://www.iana.org/assignments/dns-parameters

But do publish TXT records for your SPF rules as well. The RR is brand new and isn't used that much yet. Eventually only the SPF resource record is going to be used. This will take time.

Let's not discuss SPF here. If you want to know why it is the user's fault and not the SPF record's fault, let's meet on the spf-discuss mailing list.

Alex
[Pdns-users] Suse Linux and MS SQL
I have Suse Linux on one box, and MS SQL on another. Is it possible (And how hard would it be) to install PDNS on the Suse box, and then use MS SQL as the backend?

Thanks,

Michael C. Gates
GatesHosting.com
http://www.gateshosting.com/
RE: [Pdns-users] Suse Linux and MS SQL
Great, I will try it out. So Suse Linux will work fine for PDNS? The problem I am having is it is crashing every 15 minutes in windows. I wrote a routine to restart it every half hour, but it is getting out of hand now. It was only crashing 3 to 4 times a day, but now it is all the time. It is becoming a problem, and I definitely do not want to go back to MS DNS.

Thanks,

Michael C. Gates

-----Original Message-----
From: Marius Parescius
Sent: Thursday, January 04, 2007 11:06 AM
To: Michael C. Gates
Subject: Re: [Pdns-users] Suse Linux and MS SQL

Hello Michael,

Thursday, January 4, 2007, 5:49:28 PM, you wrote:
> I have Suse Linux on one box, and MS SQL on another. Is it possible (And how hard would it be) to install PDNS on the Suse box, and then use MS SQL as the backend?

Some time ago we used sybase client drivers to access mssql db and it works.

--
Best regards,
Marius Parescius
Elektronine prekyba
Paneriu 51, Vilnius, Lithuania
RE: [Pdns-users] Suse Linux and MS SQL
I guess there is no type of ODBC driver for Suse Linux? That would be fine for me. I just can't deal with the Windows problems anymore. Obviously, I am not a Unix/Linux pro...

Best regards,

Michael C. Gates

-----Original Message-----
From: bert hubert
Sent: Thursday, January 04, 2007 12:54 PM
To: Michael C. Gates
Cc: pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] Suse Linux and MS SQL

On Thu, Jan 04, 2007 at 11:13:50AM -0500, Michael C. Gates wrote:
> Great, I will try it out. So Suse Linux will work fine for PDNS? The problem I am having is it is crashing every 15 minutes in Windows. I wrote a routine to restart it every half hour, but it is getting out of hand now. It was

I don't think SQL Server support under Unix/Linux is actually working out of the box. It did work in the past but we never released the code, and it has since become outdated.

It looks like it would take a few days to revive the UNIX-based SQL Server support, but we are very sure it will work great as we've done work with SQL Server from Linux before.

Sadly, we don't get a lot of requests for SQL Server-based PowerDNS, so it is not very high on our agenda.

(Btw, the Windows version has an easier time as it accesses SQL Server through the generic ODBC backend, but the Windows version has other problems.)

Bert
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
RE: [Pdns-users] Suse Linux and MS SQL
Well, it would depend on how much it costs, and also compared to sponsoring a Windows version upgrade. Either one would work. Of course, Suse Linux is a lot cheaper, but I am more familiar with Windows, and already have 20+ Windows servers running... Let me know, I may be interested.

Best regards,

Michael C. Gates

-----Original Message-----
From: bert hubert
Sent: Thursday, January 04, 2007 1:13 PM
To: Michael C. Gates
Subject: Re: [Pdns-users] Suse Linux and MS SQL

On Thu, Jan 04, 2007 at 01:05:08PM -0500, Michael C. Gates wrote:
> I guess there is no type of ODBC driver for Suse Linux? That would be fine for me. I just can't deal with the Windows problems anymore. Obviously, I am not a Unix/Linux pro...

There is a commercial ODBC driver for Unix, but we don't really like it. It comes with aggressive salespeople.

What we could do is expedite the development of the SQL Server backend, if you would sponsor this development. Sponsorship allows us to dedicate a developer to implementing a desired feature, because we can in good conscience use a developer that is doing billable work. For purely open source work we always have to justify this.

We like to do public sponsorship, which means you get credited prominently in the release notes as the sponsor of SQL Server/Sybase support. In the past, Register.com has been a notable sponsor; they enabled us to add Oracle support.

Let us know if this would work for you. We also offer free support to go with the sponsored feature for 6 months, so you can be sure it really works.

Bert
RE: [Pdns-users] Suse Linux and MS SQL
Great, I will power up the server later this week... Oh shoot, it already is later! I guess I am behind... Well, I will set it up in the next couple of days, and see where I get.

Thanks for all your help,

Michael C. Gates

-----Original Message-----
From: Norbert Sendetzky
Sent: Thursday, January 04, 2007 4:52 PM
To: pdns-users@mailman.powerdns.com
Cc: Michael C. Gates
Subject: Re: [Pdns-users] Suse Linux and MS SQL

Hi Michael

> I have Suse Linux on one box, and MS SQL on another. Is it possible (and how hard would it be) to install PDNS on the Suse box, and then use MS SQL as the backend?

You can use the PDNS OpenDBX backend and FreeTDS to connect to your MS SQL server. This setup worked very well for another member of this list.

The servers officially supported by the OpenDBX backend are:
- MySQL
- PostgreSQL
- SQLite 2 and 3
- MS SQL Server

Supported but not extensively tested yet:
- Oracle 8i to 10g
- Sybase ASE
- Firebird 2

Norbert
--
OpenPGP public key http://www.linuxnetworks.de/norbert.pubkey.asc
RE: [Pdns-users] Supported databases of the OpenDBX backend
Is this a new version of PDNS, or a program used to connect Linux to different DBs? Will this combination work with Suse Linux and MS SQL?

Best regards,

Michael C. Gates

-----Original Message-----
From: Norbert Sendetzky
Sent: Friday, January 26, 2007 12:00 PM
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] Supported databases of the OpenDBX backend

Hi all

After having released the next stable series of OpenDBX (1.2.x), I would like to give you an update about the supported and tested databases in combination with the OpenDBX backend.

These databases are tested and officially supported:
- MySQL
- PostgreSQL
- SQLite 2 and 3
- MS SQL Server
- Sybase ASE
- Oracle

The new Firebird 2.0 database wasn't tested up to now but should also work.

Speed tests done a while ago have shown that the OpenDBX backend not only offers more high-end features than the other backends shipped with PowerDNS but also higher performance. This is at least true for the gmysql backend I've used for comparison as it is probably the backend used most often in installations.

Links:
http://wiki.linuxnetworks.de/index.php/OpenDBX
http://wiki.linuxnetworks.de/index.php/PowerDNS_OpenDBX_Backend
http://wiki.linuxnetworks.de/index.php/PowerDNS_OpenDBX_Backend_-_Comparison

Feel free to test PowerDNS with your favorite database now :-)

Norbert
--
OpenPGP public key http://www.linuxnetworks.de/norbert.pubkey.asc
[Pdns-users] RRSet
Hi All,

I have a question. In PDNS Server, there is an option no-shuffle which, if turned on, makes names with multiple records always return them in order. For example:

A.test.com A 192.168.1.1
A.test.com A 192.168.1.2

If queried for A.test.com it returns the records in the order they are stored in the DB (I am using mysql).

Now, my question: is it possible to do this on a specific name basis vs global? In named, there is a rrset-order(A.test.com) with which only A.test.com returns in order and the rest of the records return in random order. How can I achieve something similar to this with pdns-server?

Thanks for your time.

I've researched the mailing list way back 8+ years ago. There was a discussion on this. But the links to the solution no longer exist. Can anyone tell me if there is a new solution?

Regards,
Michael
[Pdns-users] Question about PDNS SOA presentation.
Hi All,

I'm a bit confused about my SOA record. When I query it:

dig @server1.cyber-mage.com SOA cyber-mage.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> @server1.cyber-mage.com SOA cyber-mage.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5232
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;cyber-mage.com.            IN  SOA

;; ANSWER SECTION:
cyber-mage.com.     86400   IN  SOA ns1.linode.com. hostmaster.cyber-mage.com. 2019033066 28800 7200 1209600 86400

;; Query time: 219 msec
;; SERVER: 72.14.187.43#53(72.14.187.43)
;; WHEN: Wed Mar 06 14:49:45 +08 2019
;; MSG SIZE  rcvd: 101

But my mysql records are:

MariaDB [powerdns]> select * from records where type="SOA";
+----+-----------+------------------------+------+------------------------------------------------------------------------------+-------+------+-------------+----------+----------------------------------+------+
| id | domain_id | name                   | type | content                                                                      | ttl   | prio | change_date | disabled | ordername                        | auth |
+----+-----------+------------------------+------+------------------------------------------------------------------------------+-------+------+-------------+----------+----------------------------------+------+
|  1 |         1 | cyber-mage.com         | SOA  | ns1.linode.com hostmaster.cyber-mage.com 2019030501 28800 7200 1209600 86400 | 86400 |    0 | NULL        |        0 | rvms80ecrvpfkr7n6a3ksp4tc5f2g9bk |    1 |
| 23 |         2 | 187.14.72.in-addr.arpa | SOA  | ns1.linode.com hostmaster.cyber-mage.com 2019022501 28800 7200 1209600 86400 | 86400 |    0 | NULL        |        0 |                                  |    1 |
+----+-----------+------------------------+------+------------------------------------------------------------------------------+-------+------+-------------+----------+----------------------------------+------+

And

MariaDB [powerdns]> select * from domains;
+----+------------------------+--------+------------+--------+-----------------+---------+
| id | name                   | master | last_check | type   | notified_serial | account |
+----+------------------------+--------+------------+--------+-----------------+---------+
|  1 | cyber-mage.com         | NULL   |       NULL | MASTER |      2019030501 | NULL    |
|  2 | 187.14.72.in-addr.arpa | NULL   |       NULL | MASTER |      2019022501 | NULL    |
+----+------------------------+--------+------------+--------+-----------------+---------+

How come the values are different? What am I doing wrong?

Regards,
Michael
[Pdns-users] Question about PDNS SOA presentation.
Forgot to mention I am running:

rpm -qa | grep pdns
pdns-4.0.6-1pdns.el7.x86_64
dnsdist-1.1.0-1pdns.el7.x86_64
pdns-recursor-4.0.9-1pdns.el7.x86_64
pdns-backend-mysql-4.0.6-1pdns.el7.x86_64

And

MariaDB-server-10.1.38-1.el7.centos.x86_64
[Pdns-users] MariaDB-server-10.1.38-1.el7.centos.x86_64
Oops, wrong thread.
[Pdns-users] PDNS recursor dnssec settings
Forgot to mention I am running:

rpm -qa | grep pdns
pdns-4.0.6-1pdns.el7.x86_64
dnsdist-1.1.0-1pdns.el7.x86_64
pdns-recursor-4.0.9-1pdns.el7.x86_64
pdns-backend-mysql-4.0.6-1pdns.el7.x86_64

And

MariaDB-server-10.1.38-1.el7.centos.x86_64

Thanks

Regards,
Michael
[Pdns-users] Question about PDNS SOA presentation.
Oops, wrong thread.
[Pdns-users] Question about PDNS SOA presentation.
Hi Frank,

Currently not using dnsdist... just installed that in case I want to try special splitting of traffic.

Currently: Pdns Auth (72.14.187.43:53) -> Recursor (127.0.0.1:53)

Yes I know, I know, eventually I need to change the config so that Auth is standalone and does not forward recursion traffic to the recursor. Traffic is not high so not really urgent at the moment.

So currently querying my server goes direct to PdnsAuth, not through the recursor (which is for recursion traffic).

Eventually, when traffic goes high, will use dnsdist to load balance multiple Auths and recursors. That is why I installed dnsdist as an eventual progression.

Regards,
Michael
[Pdns-users] Question about PDNS SOA presentation.
Hi Frank,

After removing the recursor option in pdns.conf:

dig @72.14.187.43 cyber-mage.com SOA

; <<>> DiG 9.2.4 <<>> @72.14.187.43 cyber-mage.com SOA
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22124
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cyber-mage.com.            IN  SOA

;; ANSWER SECTION:
cyber-mage.com.     86400   IN  SOA ns1.linode.com. hostmaster.cyber-mage.com. 2019033067 28800 7200 1209600 86400

;; Query time: 200 msec
;; SERVER: 72.14.187.43#53(72.14.187.43)
;; WHEN: Thu Mar 7 16:16:19 2019
;; MSG SIZE  rcvd: 90

It's still wrong.

I read in this mailing list that somebody complained that the pdnsutil increase-serial command also results in random last 4 digits instead of increasing it sequentially. But nobody replied to him. His version was 4.1.x. I presume that in his case the first setup was correct. Maybe it was partially fixed from 4.0.6 to 4.1.x.

Regards,
Michael
[Pdns-users] Question about PDNS SOA presentation.
Hi Peter,

That's interesting. My pdns.conf did not have a default-soa-edit line. Also didn't even know about that option. Don't have any domain specific SOA meta configs in the mysql database.

Looking into the database I found:

MariaDB [powerdns]> select * from domainmetadata;
+----+-----------+------------+-----------------+
| id | domain_id | kind       | CONTENT         |
+----+-----------+------------+-----------------+
|  1 |         1 | NSEC3PARAM | 1 0 1 ab        |
|  2 |         1 | SOA-EDIT   | INCREMENT-WEEKS |
+----+-----------+------------+-----------------+
2 rows in set (0.00 sec)

Didn't set up the fields. Either it was when I signed the domain. No matter... Setting the SOA-EDIT to "" I get back the correct values.

Thanks Peter! Been scratching my head about this for a while.

Regards,
Michael
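The arithmetic behind the serials in this thread, as an added example (my own code, not PowerDNS's): with SOA-EDIT=INCREMENT-WEEKS PowerDNS adds the number of whole weeks since the UNIX epoch to the stored serial when it builds the answer, so the row keeps 2019030501 while dig shows 2019033066 on 6 March and 2019033067 on 7 March (the week counter ticked over between the two queries). The two timestamps are the dig ones converted to UTC; the function names are mine.

```python
"""SOA-EDIT=INCREMENT-WEEKS worked through (added example, not PowerDNS code).

The records table stores serial 2019030501, yet dig returned 2019033066 on
2019-03-06 and 2019033067 on 2019-03-07. INCREMENT-WEEKS adds the whole weeks
since the UNIX epoch to the stored serial at answer time; the database row is
never rewritten, which is why "select * from records" still shows the original.
"""
from datetime import datetime, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEEK_SECONDS = 7 * 24 * 3600

# Values from the thread: stored SOA content and the two dig timestamps
# (dig printed them in the +08 zone; converted to UTC here).
DB_SOA_CONTENT = "ns1.linode.com hostmaster.cyber-mage.com 2019030501 28800 7200 1209600 86400"
QUERY_MAR_6 = datetime(2019, 3, 6, 6, 49, 45, tzinfo=timezone.utc)   # Wed Mar 06 14:49:45 +08
QUERY_MAR_7 = datetime(2019, 3, 7, 8, 16, 19, tzinfo=timezone.utc)   # Thu Mar  7 16:16:19 +08


def weeks_since_epoch(at: datetime) -> int:
    """Whole weeks from the UNIX epoch to `at` (an aware datetime)."""
    return int((at - EPOCH).total_seconds()) // WEEK_SECONDS


def soa_edit_serial(stored_serial: int, mode: str, at: datetime) -> int:
    """Serial that goes on the wire for a given SOA-EDIT setting.

    Only the two settings the thread discusses are covered: an empty value
    (stored serial passed through unchanged) and INCREMENT-WEEKS.
    """
    mode = mode.strip().upper()
    if mode == "":
        return stored_serial
    if mode == "INCREMENT-WEEKS":
        return stored_serial + weeks_since_epoch(at)
    raise ValueError(f"SOA-EDIT mode not covered by this example: {mode!r}")


def presented_soa(content: str, mode: str, at: datetime) -> str:
    """Apply SOA-EDIT to a SOA content string as stored in the records table.

    Field order is mname rname serial refresh retry expire minimum; only the
    serial (index 2) is rewritten, everything else is passed through.
    """
    fields = content.split()
    if len(fields) != 7:
        raise ValueError("SOA content must have exactly 7 fields")
    fields[2] = str(soa_edit_serial(int(fields[2]), mode, at))
    return " ".join(fields)


def infer_soa_edit(stored_serial: int, observed_serial: int, at: datetime) -> str:
    """Name the SOA-EDIT setting that turns the database serial into the one
    seen with dig at time `at`, or "UNKNOWN" if neither covered mode fits.

    This is the check the thread ended up doing by hand: the gap of 2565 on
    2019-03-06 is exactly the week count, so the metadata is INCREMENT-WEEKS.
    """
    for mode in ("", "INCREMENT-WEEKS"):
        if soa_edit_serial(stored_serial, mode, at) == observed_serial:
            return mode or "(empty)"
    return "UNKNOWN"


if __name__ == "__main__":
    for when in (QUERY_MAR_6, QUERY_MAR_7):
        print(when.isoformat(), presented_soa(DB_SOA_CONTENT, "INCREMENT-WEEKS", when))
    print("cause of the difference:", infer_soa_edit(2019030501, 2019033066, QUERY_MAR_6))
```

Because the added offset is a week counter rather than a date, the edited serial never looks like YYYYMMDDSS again, which is what made it look random in the thread.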
[Pdns-users] Re: pdns-recursor 4.0.0alpha1 crashes at startup
Hello Pieter,

thanks for the clarification, the master branch fixed the problem indeed, but it crashes very often.

For some odd reason I'm not able to do a wget from http://download.powerdns.com, it complains about not being able to resolve the name, but a 'host download.powerdns.com' returns successfully. I changed my dns from local recursor to 8.8.8.8 in /etc/resolv.conf and the problem with wget went away.

Meanwhile I returned to 3.7.3, but I will give it another shot later because of the DNSSEC functionality.

—Michael
Re: [Pdns-users] pdns-recursor 0.0.759g02abb90-1 (4.0 master) vs. getent?
Hi Pieter,

dnssec=off did the trick indeed. Hope you can fix this, because dnssec was the reason I went to 4.x in the first place :)

If I can be of any help here, just let me know.

Best regards.

> On 09.03.2016 at 10:05 Pieter Lexis <pieter.le...@powerdns.com> wrote:
>
> Hi Michael,
>
> Please keep replies on the mailinglist (mails reproduced below).
>
> Judging by your log and some of my testing, I think you uncovered a bug in the DNSSEC implementation. Could you try this with `dnssec=off` in the recursor.conf?
>
> Best regards,
>
> Pieter
>
> On Wed, 9 Mar 2016 07:46:49 +0100
> Bit World Computing - Michael Mertel <michael.mer...@bwc.de> wrote:
>
>> Hello Pieter,
>>
>> thanks for helping me out on this.
>>
>>> On 08.03.2016 at 18:57 Pieter Lexis <pieter.le...@powerdns.com> wrote:
>>>
>>> Hello Michael,
>>>
>>> On Tue, 8 Mar 2016 16:32:26 +0100
>>> Bit World Computing - Michael Mertel <michael.mer...@bwc.de> wrote:
>>>
>>>> I was wondering why an apt-get update cannot resolve repo.powerdns.com, but a ping is able to do so. This only happens if /etc/resolv.conf points to my recursor. If I use 8.8.8.8 as nameserver everything works as expected.
>>>>
>>>> This is somewhat strange, because 8.8.8.8 is the forwarding dns for my local recursor.
>>>
>>> Do you use the `forward-zones-recurse`[1] or the `forward-zones`[2] option? When forwarding to google (8.8.8.8), the `forward-zone-recurse` option is needed (i.e. `forward-zones-recurse=.=8.8.8.8` in your recursor.conf). This will set the Recursion Desired-bit on the query sent out. Google sends SERVFAIL to clients without the RD-bit set.
>>>
>> I currently use these forward statements in my recursor.conf:
>>
>> forward-zones-file=/etc/powerdns/forward-zones
>> forward-zones-recurse=.=8.8.8.8
>>
>> The forward-zones file points to some internal nameservers, all 8.8.8.8 related is done through forward-zones-recurse.
>>
>>> If this is the case and you still have these issues, could you enable the `trace`[3] option and query your local resolver for repo.powerdns.com and email the traces?
>>>
>> I attached the trace log, hope it includes everything you need. I tried to keep the noise as low as possible, but some other systems queried the recursor as well.
>>
>>>> Maybe it’s how the apt-get tries to resolve the name? The only thing I found was, that getent is not returning the correct results.
>>>
>>> apt, ping and getent all seem to use the getaddrinfo(3) call.
>>>
>> I was 100% sure that a ping worked, but it does not work now, repo.powerdns.com is not resolving anywhere. repo1.powerdns.com is a different story:
>>
>> root@dns-1:/var/log# ping repo.powerdns.com
>> ping: unknown host repo.powerdns.com
>> root@dns-1:/var/log# getent hosts repo1.poerdns.com
>> root@dns-1:/var/log# ping repo1.powerdns.com
>> PING repo1.powerdns.com (188.166.116.224) 56(84) bytes of data.
>> 64 bytes from repo1.powerdns.com (188.166.116.224): icmp_seq=1 ttl=58 time=42.9 ms
>> 64 bytes from repo1.powerdns.com (188.166.116.224): icmp_seq=2 ttl=58 time=42.9 ms
>
> On Wed, 9 Mar 2016 08:28:05 +0100
> Bit World Computing - Michael Mertel <michael.mer...@bwc.de> wrote:
>
>> Hi Pieter,
>>
>> sorry I overlooked a typo.
>>
>> root@dns-1:/var/log# getent hosts repo.powerdns.com
>> 2a03:b0c0:2:d0::4a4:6001 repo1.powerdns.com repo.powerdns.com
>> root@dns-1:/var/log# getent hosts repo1.powerdns.com
>> 2a03:b0c0:2:d0::4a4:6001 repo1.powerdns.com
>>
>> Does this mean my recursor is preferring ipv6 over ipv4? I don’t use ipv6 at all.
>
> --
> Pieter Lexis
> PowerDNS.COM BV -- https://www.powerdns.com

--
Michael Mertel
Bit World Computing e.K., Wuerzburg, Germany
Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?
Hi Leen,

thanks for clearing this up. My approach was a bit too naive, but my recursor is now returning what's expected. The +dnssec parameter is the essential trick, and depending on dnssec=off or =process in my recursor.conf the recursor is returning the correct information.

Thanks for your feedback.

—Michael

> On 19.05.2016 at 17:36 Leen Besselink <l...@consolejunkie.net> wrote:
>
> On Thu, May 19, 2016 at 03:00:12PM +0200, Bit World Computing - Michael Mertel wrote:
>> Hi,
>>
>
> Hi,
>
>> I'm currently trying to get a better understanding of DNSSEC. But even if I enable dnssec=process in my recursor.conf, I cannot get any DNSSEC related answer from it. What am I doing wrong here, I'm somewhat lost?
>>
>> — direct query —
>> dig @ns1.denic.de ANY www.denic.de
>> ;; ANSWER SECTION:
>> www.denic.de.       3600    IN  A       81.91.170.12
>> www.denic.de.       3600    IN  RRSIG   A 8 3 3600 2016060209 2016051909 26155 denic.de.
>>                                         rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG
>>                                         lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO
>>                                         ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG
>>                                         AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp
>>                                         ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS
>>
>> ;; AUTHORITY SECTION:
>> denic.de.           3600    IN  NS      ns2.denic.de.
>> denic.de.           3600    IN  NS      ns3.denic.de.
>> denic.de.           3600    IN  NS      ns1.denic.de.
>>
>> ;; ADDITIONAL SECTION:
>> ns1.denic.de.       3600    IN  A       81.91.170.1
>> ns1.denic.de.       3600    IN  AAAA    2a02:568:121:6:2::2
>> ns2.denic.de.       3600    IN  A       78.104.145.26
>> ns3.denic.de.       3600    IN  A       81.91.173.19
>
> DENIC can return whatever they want with an ANY-query, but that doesn't mean it's DNSSEC.
>
>> — query through dnsdist —
>> dig @192.168.1.5 ANY www.denic.de
>>
>> ;; ANSWER SECTION:
>> www.denic.de.       2083    IN  A       81.91.170.12
>> www.denic.de.       2083    IN  RRSIG   A 8 3 3600 2016060109 2016051809 26155 denic.de.
>>                                         CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2
>>                                         oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8
>>                                         n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm
>>                                         YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z
>>                                         RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa
>>
>> — query through recursor (no forwarders, dnssec=process) —
>> dig -p 5153 @192.168.1.5 ANY www.denic.de
>>
>> ;; ANSWER SECTION:
>> www.denic.de.       2724    IN  A       81.91.170.12
>>
>> Thanks in advance.
>>
>
> This would be the usual way to check DNSSEC. Without:
>
> $ dig @d.ns.nic.cz labs.nic.cz A
>
> ; <<>> DiG 9.8.1-P1 <<>> @d.ns.nic.cz labs.nic.cz A
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60824
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;labs.nic.cz.               IN  A
>
> ;; ANSWER SECTION:
> labs.nic.cz.        1800    IN  A       217.31.205.52
>
> ;; AUTHORITY SECTION:
> nic.cz.             1800    IN  NS      a.ns.nic.cz.
> nic.cz.             1800    IN  NS      b.ns.nic.cz.
> nic.cz.             1800    IN  NS      d.ns.nic.cz.
>
> ;; ADDITIONAL SECTION:
> a.ns.nic.cz.        1800    IN  A       194.0.12.1
> a.ns.nic.cz.        1800    IN  AAAA    2001:678:f::1
> b.ns.nic.cz.        1800    IN  A       194.0.13.1
> b.ns.nic.cz.        1800    IN  AAAA    2001:678:10::1
> d.ns.nic.cz.        1800    IN  A       193.29.206.1
> d.ns.nic.cz.        1800    IN  AAAA    2001:678:1::1
>
> With DNSSEC:
>
> $ dig +dnssec @d.ns.nic.cz labs.nic.cz A
>
> ; <<>> DiG 9.8.1-P1 <<>> +dnssec @d.ns.nic.cz labs.nic.cz A
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54051
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 10
> ;; WARNING: recursio
[Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?
Hi,

I'm currently trying to get a better understanding of DNSSEC. But even if I enable dnssec=process in my recursor.conf, I cannot get any DNSSEC related answer from it. What am I doing wrong here, I'm somewhat lost?

— direct query —
dig @ns1.denic.de ANY www.denic.de
;; ANSWER SECTION:
www.denic.de.       3600    IN  A       81.91.170.12
www.denic.de.       3600    IN  RRSIG   A 8 3 3600 2016060209 2016051909 26155 denic.de.
                                        rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG
                                        lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO
                                        ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG
                                        AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp
                                        ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS

;; AUTHORITY SECTION:
denic.de.           3600    IN  NS      ns2.denic.de.
denic.de.           3600    IN  NS      ns3.denic.de.
denic.de.           3600    IN  NS      ns1.denic.de.

;; ADDITIONAL SECTION:
ns1.denic.de.       3600    IN  A       81.91.170.1
ns1.denic.de.       3600    IN  AAAA    2a02:568:121:6:2::2
ns2.denic.de.       3600    IN  A       78.104.145.26
ns3.denic.de.       3600    IN  A       81.91.173.19

— query through dnsdist —
dig @192.168.1.5 ANY www.denic.de

;; ANSWER SECTION:
www.denic.de.       2083    IN  A       81.91.170.12
www.denic.de.       2083    IN  RRSIG   A 8 3 3600 2016060109 2016051809 26155 denic.de.
                                        CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2
                                        oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8
                                        n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm
                                        YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z
                                        RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa

— query through recursor (no forwarders, dnssec=process) —
dig -p 5153 @192.168.1.5 ANY www.denic.de

;; ANSWER SECTION:
www.denic.de.       2724    IN  A       81.91.170.12

Thanks in advance.

—Michael
[Pdns-users] Spoof MX records
Hi,

I'm looking for the most efficient way to spoof the answer of a MX query. I need to redirect outgoing e-mails (specific domains only) to a smtp gateway for further processing before it leaves the local network. I cannot use any kind of transport tables at the MTA, so my approach was to use dns therefore.

The number of zones to spoof is currently not defined, could be dozens if not hundreds.

I would usually do this kind of stuff with dnsdist (which I love), but would the recursor be a better choice here?

Thanks for any advice.

—Michael
Re: [Pdns-users] Spoof MX records
Hi Aleksandr,

I'm somewhat lost, I'm able to set a rule to have the Lua function called for MX requests, but how do I return a response? Spoof is just for A-records, but not for MX.

addLuaAction(QTypeRule(dnsdist.MX), luarule)

Do I have to generate an answer, but how? Is it possible to use dq::addAnswer(), which I have found in the recursor documentation, is this valid for dnsdist too?

Best regards.

> On 14.12.2018 at 17:16 Aleksandr Rogozin wrote:
>
> Hi Michael,
>
> You should be able to load the file (if the list of zones is large enough and warrants a file) or initialize array of subzones (if there are few zones you want to test) once, when the process starts and loads the Lua script. Loading the file on every request would definitely become a performance issue.
>
> Best Regards,
>
> On Fri, Dec 14, 2018 at 10:50 AM Bit World Computing - Michael Mertel <michael.mer...@bwc.de> wrote:
> Hi Aleksandr,
>
> yes, Lua was the way I'm planning to go. But just wasn't sure to use dnsdist or recursor, but probably does not matter in that case.
>
> Does the file get loaded for every request with io.open and could this become a performance issue in your opinion? All DNS requests from a fairly well used mail gateway would be sent to this resolver.
>
> I think I'll give it a try with dnsdist and see what happens.
>
> Best regards.
>
>> On 14.12.2018 at 12:55 Aleksandr Rogozin <arogo...@squarespace.com> wrote:
>>
>> Hi Michael,
>>
>> I recommend using Lua to intercept the DNS queries. Both dnsdist and recursor should be able to support it. In Lua you can check for query type to be MX and load a list of domains from a file using ‘io.open’. Provide necessary DNS response if the query matches your list of zones. Additionally, you might want to limit this operation to specific networks with NetMask or NetMaskGroup.
>>
>> On Fri, Dec 14, 2018 at 01:53 Bit World Computing - Michael Mertel <michael.mer...@bwc.de> wrote:
>> Hi,
>>
>> I'm looking for the most efficient way to spoof the answer of a MX query. I need to redirect outgoing e-mails (specific domains only) to a smtp gateway for further processing before it leaves the local network. I cannot use any kind of transport tables at the MTA, so my approach was to use dns therefore.
>>
>> The number of zones to spoof is currently not defined, could be dozens if not hundreds.
>>
>> I would usually do this kind of stuff with dnsdist (which I love), but would the recursor be a better choice here?
>>
>> Thanks for any advice.
>>
>> —Michael

--
Michael Mertel
Bit World Computing e.K., Wuerzburg, Germany
Re: [Pdns-users] Spoof MX records
> On 15.12.2018 at 09:50 bert hubert wrote:
>
> On Sat, Dec 15, 2018 at 09:42:21AM +0100, Bit World Computing - Michael Mertel wrote:
>> Hi Aleksandr,
>>
>> I'm somewhat lost, I'm able to set a rule to have the Lua function called for MX requests, but how do I return a response? Spoof is just for A-records, but not for MX.
>> addLuaAction(QTypeRule(dnsdist.MX), luarule)
>
> Hi Michael,
>
> As far as I know, dnsdist can't generate MX records, so you'll have to do this in the PowerDNS Recursor. Sorry!
>
> In the Recursor it is not very hard to do though, use postResolve to override all MX records you see in responses.
>
> This makes sure you don't invent MX records for domains that don't have them.
>
> Also be aware that if there is no MX record for a domain, a mail server might decide to send email directly to the A record.
>
> Good luck!
>
> Bert

Thanks Bert, you saved my day, will switch over to recursor.

—Michael