[Pdns-users] First Alpha Release of PowerDNS Recursor 5.1.0

2024-05-15 Thread Otto Moerbeek via Pdns-users
   Hello!

   We are proud to announce the first alpha release of PowerDNS Recursor
   5.1.0!

   Compared to the latest 5.0 release, this release adds the possibility
   to include settings previously set in the Lua configuration file in the
   YAML configuration format that was introduced in the previous release.
   See YAML settings[1] for details on the settings and the conversion of
   existing Lua configuration to the new YAML syntax. The existing Lua
   syntax is still supported.

   This release also includes the following changes:

 * A feature to allow names (resolved by the system resolver[2]) in
   addition to IP addresses in the forwarding configuration. This is
   very useful in setups where the forwarding target addresses
   are dynamic in nature.
 * A structured logging backend[3] that uses JSON representation has
   been added.
 * Notifies can now be used to trigger[4] RPZ freshness checks.
 * The Newly Observed Domain (and/or Unique Domain Response) database
   is now shared between threads, avoiding multiple copies in memory
   and on disk. It is now also possible to set the snapshot
   interval[5].
 * Structured logging is now always enabled[6]; it is no longer
   possible to switch to old style logging.

   As always, there are also many smaller bug fixes and improvements,
   please refer to the changelog[7] for additional details. When upgrading
   do not forget to check the upgrade guide.[8]

   Please send us all feedback and issues you might have via the mailing
   list[9], or in case of a bug, via GitHub[10].

   The tarball[11] (signature[12]) is available from our
   download server[13] and packages for several distributions are
   available from our repository[14].

   We also made changes to our Open Source End of Life policy. Older
   release trains are now supported for one year after the following major
   release. Consult the EOL policy[15] for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://docs.powerdns.com/recursor/yamlsettings.html
   2. https://docs.powerdns.com/recursor/settings.html#system-resolver-ttl
   3. https://docs.powerdns.com/recursor/settings.html#structured-logging-backend
   4. https://docs.powerdns.com/recursor/yamlsettings.html#incoming-allow-notify-from
   5. https://docs.powerdns.com/recursor/settings.html#new-domain-db-snapshot-interval
   6. https://docs.powerdns.com/recursor/settings.html#structured-logging
   7. https://doc.powerdns.com/recursor/changelog/5.1.html#change-5.1-alpha1.0
   8. https://docs.powerdns.com/recursor/upgrade.html
   9. https://mailman.powerdns.com/mailman/listinfo/pdns-users
  10. https://github.com/PowerDNS/pdns/issues/new/choose
  11. https://downloads.powerdns.com/releases/pdns-recursor-5.1.0-alpha1.tar.bz2
  12. https://downloads.powerdns.com/releases/pdns-recursor-5.1.0-alpha1.tar.bz2.sig
  13. https://downloads.powerdns.com/releases/
  14. https://repo.powerdns.com/
  15. https://docs.powerdns.com/recursor/appendices/EOL.html


--

kind regards,
Otto Moerbeek
Senior Developer PowerDNS


Phone: +49 2761 75252 00 Fax: +49 2761 75252 30
Email: otto.moerb...@open-xchange.com


-
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 
95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt

PowerDNS.COM BV, Koninginnegracht 5, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt
-


___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


[Pdns-users] PowerDNS Recursor 4.8.9, 4.9.6 and 5.0.5 released

2024-05-14 Thread Otto Moerbeek via Pdns-users
   Hello!

   Today we have released PowerDNS Recursor 4.8.9, 4.9.6 and 5.0.5.

   These releases are maintenance releases that fix a few bugs. The most
   important ones are:

 * Two cases of counting towards limits related to DNSSEC validation
   have been fixed.
 * When using YAML settings only: the type of the
   incoming.edns_padding_from[1] and incoming.proxy_protocol_from[2]
   has been changed from "String" to "Sequence of Subnet". This
   applies to version 5.0.5 only.

   There are also a few other bug fixes and improvements, please refer to
   the changelogs (4.8.9[3], 4.9.6[4] and 5.0.5[5]) for additional
   details.

   Please send us all feedback and issues you might have via the mailing
   list[6], or in case of a bug, via GitHub[7].

   The tarballs (4.8.9[8], 4.9.6[9], 5.0.5[10]) (with signature files
   4.8.9[11], 4.9.6[12], 5.0.5[13]) are available from our
   download server[14] and packages for several distributions are
   available from our repository[15].

   Recently we made changes to our Open Source End of Life policy. Older
   release trains are now supported for one year after the following major
   release. Consult the EOL policy[16] for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. file:///Users/otto/pdns/pdns/recursordist/html-docs/yamlsettings.html#setting-yaml-incoming-edns-padding-from
   2. file:///Users/otto/pdns/pdns/recursordist/html-docs/yamlsettings.html#setting-yaml-incoming-proxy-protocol-from
   3. https://doc.powerdns.com/recursor/changelog/4.8.html#change-4.8.9
   4. https://doc.powerdns.com/recursor/changelog/4.9.html#change-4.9.6
   5. https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.5
   6. https://mailman.powerdns.com/mailman/listinfo/pdns-users
   7. https://github.com/PowerDNS/pdns/issues/new/choose
   8. https://downloads.powerdns.com/releases/pdns-recursor-4.8.9.tar.bz2
   9. https://downloads.powerdns.com/releases/pdns-recursor-4.9.6.tar.bz2
  10. https://downloads.powerdns.com/releases/pdns-recursor-5.0.5.tar.bz2
  11. https://downloads.powerdns.com/releases/pdns-recursor-4.8.9.tar.bz2.sig
  12. https://downloads.powerdns.com/releases/pdns-recursor-4.9.6.tar.bz2.sig
  13. https://downloads.powerdns.com/releases/pdns-recursor-5.0.5.tar.bz2.sig
  14. https://downloads.powerdns.com/releases/
  15. https://repo.powerdns.com/
  16. https://docs.powerdns.com/recursor/appendices/EOL.html




Re: [Pdns-users] noble-auth-49 repo for ubuntu 24.04 missing

2024-05-06 Thread Otto Moerbeek via Pdns-users
On Mon, May 06, 2024 at 11:02:27AM +0200, Otto Moerbeek via Pdns-users wrote:

> On Fri, May 03, 2024 at 03:41:02PM +0200, rob777 via Pdns-users wrote:
> 
> > Hi
> > 
> > I want to install pdns authoritative server on the newly released Ubuntu
> > 24.04 LTS
> > 
> > $ apt-get update
> > ...
> > Fehl:5 http://repo.powerdns.com/ubuntu noble-auth-49 Release
> >   404  Not Found [IP: 188.166.116.224 80]
> > E: Das Depot »http://repo.powerdns.com/ubuntu noble-auth-49 Release«
> > enthält keine Release-Datei.
> > ...
> > 
> > Looks like the noble-auth-49 repo is missing on
> > https://repo.powerdns.com/ubuntu/dists/ - according to the instructions on
> > https://repo.powerdns.com/ the stable branch should be available for
> > Ubuntu Noble Numbat - or am I missing something?
> > 
> > regards
> 
> Thanks for the note. I'll pull some strings to get this resolved.

It should be available now.

-Otto


Re: [Pdns-users] noble-auth-49 repo for ubuntu 24.04 missing

2024-05-06 Thread Otto Moerbeek via Pdns-users
On Fri, May 03, 2024 at 03:41:02PM +0200, rob777 via Pdns-users wrote:

> Hi
> 
> I want to install pdns authoritative server on the newly released Ubuntu
> 24.04 LTS
> 
> $ apt-get update
> ...
> Fehl:5 http://repo.powerdns.com/ubuntu noble-auth-49 Release
>   404  Not Found [IP: 188.166.116.224 80]
> E: Das Depot »http://repo.powerdns.com/ubuntu noble-auth-49 Release«
> enthält keine Release-Datei.
> ...
> 
> Looks like the noble-auth-49 repo is missing on
> https://repo.powerdns.com/ubuntu/dists/ - according to the instructions on
> https://repo.powerdns.com/ the stable branch should be available for
> Ubuntu Noble Numbat - or am I missing something?
> 
> regards

Thanks for the note. I'll pull some strings to get this resolved.

-Otto


Re: [Pdns-users] How to create zone via API?

2024-04-01 Thread Otto Moerbeek via Pdns-users
On Mon, Apr 01, 2024 at 04:57:08PM +0700, Bino Oetomo via Pdns-users wrote:

> Dear All.
> 
> I'm trying to play with the PDNS API.
> 
> I try to create a new zone.
> 
> The json payload is :
> ```
> {
>   "name": "domain07.bino.",
>   "kind": "Native",
>   "records": [
>     {
>       "content": "ns1.cpaneldev.bino. emailserver.bino. 2024040101 3600 1800 1209600 86400",
>       "ttl": 86400,
>       "name": "domain07.bino",
>       "type": "SOA"
>     }
>   ]
> }
> ```

A Zone object has no `records` member. It does have an `rrset` member,
which is an array of rrsets. See
https://docs.powerdns.com/authoritative/http-api/zone.html#zone and
https://docs.powerdns.com/authoritative/http-api/zone.html#rrset

-Otto

> 
> I post it to 'http://127.0.0.1:9530/api/v1/servers/localhost/zones'
> Got http status of 201.
> 
> But when I check directly to mysql backend, I got :
> ```
> mysql> select * from records where domain_id = 41244;
> +---------+-----------+---------------+------+-----------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
> | id      | domain_id | name          | type | content                                                                                       | ttl  | prio | disabled | ordername | auth |
> +---------+-----------+---------------+------+-----------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
> | 1065344 |     41244 | domain07.bino | SOA  | a.misconfigured.dns.server.invalid hostmaster.domain07.bino 2024040101 10800 3600 604800 3600 | 3600 |    0 |        0 | NULL      |    1 |
> +---------+-----------+---------------+------+-----------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
> 1 row in set (0,00 sec)
> ```
> 
> Kindly please tell me how to prepare a proper json payload to create a zone
> via the pdns API
> 
> regards
> -bino-


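A corrected zone-creation payload and a pre-flight check that catches the mistakes in the payload above, as an added example (not code from the thread or from PowerDNS). The Zone/RRSet layout follows the API documentation linked in the reply; the helper names, the constructed sample zone "domain07.bino." and the placeholder API key are this example's own.

```python
"""Zone creation via the PowerDNS Authoritative HTTP API, done the way
the reply describes: records go inside "rrsets", not in a top-level
"records" list.

Added example, not code from the thread or from PowerDNS. The payload
layout (Zone with "name", "kind", "rrsets"; RRSet with "name", "type",
"ttl", "records" of {"content", "disabled"}) follows the Zone/RRSet API
documentation linked in the reply; the helper names, the constructed
sample zone "domain07.bino." and the API key are this example's own.
"""
import json


def build_zone_payload(zone, primary_ns, hostmaster, serial, nameservers,
                       ttl=3600, refresh=10800, retry=3600, expire=604800,
                       minimum=3600):
    """Return a Zone dict whose SOA and NS records live in "rrsets".

    Owner names are made absolute (trailing dot) because the API treats
    names literally; "domain07.bino" and "domain07.bino." are different.
    """
    zone = zone if zone.endswith(".") else zone + "."
    soa = f"{primary_ns} {hostmaster} {serial} {refresh} {retry} {expire} {minimum}"
    return {
        "name": zone,
        "kind": "Native",
        "rrsets": [
            {"name": zone, "type": "SOA", "ttl": ttl,
             "records": [{"content": soa, "disabled": False}]},
            {"name": zone, "type": "NS", "ttl": ttl,
             "records": [{"content": ns, "disabled": False}
                         for ns in nameservers]},
        ],
    }


def check_zone_payload(payload):
    """Return the problems a client should fix before POSTing the payload.

    The checks mirror what went wrong in the thread: a top-level "records"
    key is not a Zone member (the server accepted the POST with 201 and
    filled in a default SOA instead), and owner names need the trailing dot.
    """
    problems = []
    zone = payload.get("name", "")
    if not zone.endswith("."):
        problems.append(f'zone name {zone!r} must be absolute (end with ".")')
    if "records" in payload:
        problems.append('top-level "records" is not a Zone member; use "rrsets"')
    rrsets = payload.get("rrsets")
    if not rrsets:
        problems.append('no "rrsets" given; the zone is created without your records')
        return problems
    for rrset in rrsets:
        name = rrset.get("name", "")
        if not name.endswith("."):
            problems.append(f"rrset name {name!r} must be absolute")
        elif not (zone == "." or name == zone or name.endswith("." + zone)):
            problems.append(f"rrset name {name!r} is outside zone {zone!r}")
        for key in ("type", "ttl", "records"):
            if key not in rrset:
                problems.append(f"rrset {name!r} is missing {key!r}")
        for rec in rrset.get("records", []):
            if "content" not in rec:
                problems.append(f'record in {name!r} has no "content"')
    return problems


def zone_request(api_url, api_key, payload):
    """Return (url, headers, body) for the POST; sending is up to the caller.

    X-API-Key is the header the PowerDNS API authenticates with; keep the
    key out of logs and source control.
    """
    url = f"{api_url.rstrip('/')}/api/v1/servers/localhost/zones"
    headers = {"X-API-Key": api_key, "Content-Type": "application/json"}
    return url, headers, json.dumps(payload)


# The payload from the thread, reproduced as sample input for the check.
THREAD_PAYLOAD = {
    "name": "domain07.bino.",
    "kind": "Native",
    "records": [{
        "content": "ns1.cpaneldev.bino. emailserver.bino. 2024040101 "
                   "3600 1800 1209600 86400",
        "ttl": 86400, "name": "domain07.bino", "type": "SOA",
    }],
}


if __name__ == "__main__":
    print("thread payload:", check_zone_payload(THREAD_PAYLOAD))
    fixed = build_zone_payload("domain07.bino.", "ns1.cpaneldev.bino.",
                               "emailserver.bino.", 2024040101,
                               ["ns1.cpaneldev.bino."], ttl=86400,
                               refresh=3600, retry=1800, expire=1209600,
                               minimum=86400)
    print("fixed payload:", check_zone_payload(fixed) or "ok")
    url, headers, body = zone_request("http://127.0.0.1:9530", "CHANGE-ME", fixed)
    print(url)
    print(body)
```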


Re: [Pdns-users] Recursor getting pegged at 100% CPU

2024-03-15 Thread Otto Moerbeek via Pdns-users
On Fri, Mar 15, 2024 at 05:25:20PM +0100, Otto Moerbeek via Pdns-users wrote:

> > On 15 Mar 2024, at 17:01, Tim Burns via Pdns-users wrote:
> > 
> > Hello all, I’m experiencing a performance degradation while using the 
> > Recursor that I haven’t been able to root cause, and I was hoping to get 
> > some insight on what might be causing it, or some troubleshooting and 
> > diagnostics tips.
> >  
> > The observed issue is that the Recursor would start up, begin receiving and 
> > forwarding traffic for several minutes, suddenly the CPU usage would jump 
> > to 100%, rec_control started timing out attempting to talk to the program, 
> > and Prometheus metrics scrapes would stop succeeding.
> > The Recursor also stopped reporting statistics at the 
> > logging.statistics_interval, although if I added a debug Lua script it 
> > would still log messages from the threads.
> >  
> > I’m running the Recursor as a container in Kubernetes with the 5.0.3 image 
> > from Docker Hub. The replicas receive anywhere from 2-6k QPS nominally, but 
> > this issue seems to occur regardless of query rate. Before the metrics 
> > freeze, the instance only uses 10% of its allocated CPU and about 20% of 
> > allocated memory, and then gets pegged to 100% CPU usage and stops 
> > responding. This happens anywhere from several minutes to an hour after 
> > process start.
> >  
> > Below is the configuration used. We’re using this as a middleman for now to 
> > forward requests upstream to larger recursors and cache the results, and is 
> > only accessible from within our network.
> >  
> > recursor:
> >   forward_zones_recurse:
> >     - zone: .
> >       forwarders:
> >         - 8.8.8.8
> >         - 1.1.1.1
> >         - 8.8.4.4
> >         - 1.0.0.1
> >         - 208.67.222.222
> >         - 208.67.220.220
> >   threads: 8
> >   security_poll_suffix: ''
> >   server_id: ''
> >   version_string: ''
> >   any_to_tcp: true
> > dnssec:
> >   validation: process-no-validate
> > incoming:
> >   allow_from:
> >     - 0.0.0.0/0
> >   listen:
> >     - 0.0.0.0
> >   port: 2353
> > logging:
> >   disable_syslog: true
> > recordcache:
> >   max_entries: 50
> > webservice:
> >   address: 0.0.0.0
> >   allow_from:
> >     - 10.0.0.0/8
> >     - 172.16.0.0/12
> >     - 127.0.0.1
> >   loglevel: none
> >   port: 8912
> >   webserver: true
> >  
> >  
> >  
> > While attempting to mitigate this live, I took a variety of actions in an 
> > attempt to root cause the issue, but none of the actions made a difference 
> > and we observed the same failure mode each time.
> > Actions taken:
> > - Disabling DNSSEC entirely with dnssec.validation: off
> > - Reducing threads from 8 -> 4, we had this scaled up to 8 as the default 2 
> > would lead to a high volume of UdpInErrors after some time
> > - Turned off TCP, only receiving queries over UDP
> > - Enabled logging.common_errors to see if there was anything interesting, 
> > but nothing notable happened around the time of freeze
> >  
> > Notably, rec_control would report the error: “Timeout waiting for control 
> > channel data”, and when I attempted to turn on trace logging for SERVFAILs 
> > (logging.trace: fail), logs indicated “Could not dup trace file” with 
> > reason “Bad file descriptor”.
> >  
> > Let me know if there’s any other information I can provide. I haven’t been 
> > able to correlate this behavior to any unusual metrics before the freeze as 
> > everything appeared reasonably nominal, but I’m happy to provide the last 
> > Prometheus scrape we got if it would help. Any ideas?
> >  
> > Thank you!
> > Tim
> 
> Try running when the recursor is pegged
> 
>   perf top
> 
> Or attach gdb and run 
> 
>   thread apply all bt
> 
> on gdb's command line
> 
> This might not be possible in a container (I don't know that), but you might be 
> able to install the perf tools or gdb in the container. Or otherwise try to 
> reproduce in an ordinary VM or bare metal.
> 
>   -Otto
> 

Oh, and some questions: in addition to collecting Prometheus metrics,
are you peridodically querying using rec_control or the web
server/web-api for other things? If so what exactly?

-Otto


Re: [Pdns-users] Recursor getting pegged at 100% CPU

2024-03-15 Thread Otto Moerbeek via Pdns-users
> On 15 Mar 2024, at 17:01, Tim Burns via Pdns-users wrote:
> 
> Hello all, I’m experiencing a performance degradation while using the 
> Recursor that I haven’t been able to root cause, and I was hoping to get some 
> insight on what might be causing it, or some troubleshooting and diagnostics 
> tips.
>  
> The observed issue is that the Recursor would start up, begin receiving and 
> forwarding traffic for several minutes, suddenly the CPU usage would jump to 
> 100%, rec_control started timing out attempting to talk to the program, and 
> Prometheus metrics scrapes would stop succeeding.
> The Recursor also stopped reporting statistics at the 
> logging.statistics_interval, although if I added a debug Lua script it would 
> still log messages from the threads.
>  
> I’m running the Recursor as a container in Kubernetes with the 5.0.3 image 
> from Docker Hub. The replicas receive anywhere from 2-6k QPS nominally, but 
> this issue seems to occur regardless of query rate. Before the metrics 
> freeze, the instance only uses 10% of its allocated CPU and about 20% of 
> allocated memory, and then gets pegged to 100% CPU usage and stops 
> responding. This happens anywhere from several minutes to an hour after 
> process start.
>  
> Below is the configuration used. We’re using this as a middleman for now to 
> forward requests upstream to larger recursors and cache the results, and is 
> only accessible from within our network.
>  
> recursor:
>   forward_zones_recurse:
>     - zone: .
>       forwarders:
>         - 8.8.8.8
>         - 1.1.1.1
>         - 8.8.4.4
>         - 1.0.0.1
>         - 208.67.222.222
>         - 208.67.220.220
>   threads: 8
>   security_poll_suffix: ''
>   server_id: ''
>   version_string: ''
>   any_to_tcp: true
> dnssec:
>   validation: process-no-validate
> incoming:
>   allow_from:
>     - 0.0.0.0/0
>   listen:
>     - 0.0.0.0
>   port: 2353
> logging:
>   disable_syslog: true
> recordcache:
>   max_entries: 50
> webservice:
>   address: 0.0.0.0
>   allow_from:
>     - 10.0.0.0/8
>     - 172.16.0.0/12
>     - 127.0.0.1
>   loglevel: none
>   port: 8912
>   webserver: true
>  
>  
>  
> While attempting to mitigate this live, I took a variety of actions in an 
> attempt to root cause the issue, but none of the actions made a difference 
> and we observed the same failure mode each time.
> Actions taken:
> - Disabling DNSSEC entirely with dnssec.validation: off
> - Reducing threads from 8 -> 4, we had this scaled up to 8 as the default 2 
> would lead to a high volume of UdpInErrors after some time
> - Turned off TCP, only receiving queries over UDP
> - Enabled logging.common_errors to see if there was anything interesting, but 
> nothing notable happened around the time of freeze
>  
> Notably, rec_control would report the error: “Timeout waiting for control 
> channel data”, and when I attempted to turn on trace logging for SERVFAILs 
> (logging.trace: fail), logs indicated “Could not dup trace file” with reason 
> “Bad file descriptor”.
>  
> Let me know if there’s any other information I can provide. I haven’t been 
> able to correlate this behavior to any unusual metrics before the freeze as 
> everything appeared reasonably nominal, but I’m happy to provide the last 
> Prometheus scrape we got if it would help. Any ideas?
>  
> Thank you!
> Tim

Try running when the recursor is pegged

perf top

Or attach gdb and run 

thread apply all bt

on gdb's command line

This might not be possible in a container (I don't know that), but you might be 
able to install the perf tools or gdb in the container. Or otherwise try to 
reproduce in an ordinary VM or bare metal.

-Otto



Re: [Pdns-users] Understanding why pdns-recursor 4.8.6 queries DS extremely often

2024-03-12 Thread Otto Moerbeek via Pdns-users
On Tue, Mar 12, 2024 at 08:43:20AM +0100, Thomas Mieslinger via Pdns-users wrote:

> While analyzing a spam run, I found the following queries and responses
> for the not delegated domain YALRDRK.net
> 
> For _dmarc.ja<> the queries and responses look as expected.
> 
> For default._bimi.jaqg<> a SERVFAIL is returned by instead of the
> expected NXDOMAIN.
> 
> For _bimi.jaqgs<> the gtld nameserver is queried once which is what I
> expect.
> 
> For default._bimi.jaqg<> the gtld nameservers are queried 5 times for
> the DS Record. Is there a good reason to torture .net gtld Nameservers?
> 
> > "PacketTime","Server","SrcIP","DstIP","QR","ResponseCode","Type","Question"
> > "2024-03-09 19:31:23",":::10.74.42.28",":::172.19.254.2",0,0,16,"_dmarc.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:23",":::172.19.254.2",":::10.74.42.28",1,3,16,"_dmarc.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::10.74.42.31",":::172.19.255.2",0,0,16,"_dmarc.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::172.19.255.2",":::10.74.42.31",1,3,16,"_dmarc.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::10.74.42.31",":::172.19.255.2",0,0,16,"default._bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::172.19.255.2",":::10.74.42.31",1,2,16,"default._bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::82.165.226.66",":::192.54.112.30",0,0,43,"jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::192.54.112.30",":::82.165.226.66",1,3,43,"jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:23",":::82.165.226.66",":::192.42.93.30",0,0,16,"_dmarc.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:23",":::192.42.93.30",":::82.165.226.66",1,3,16,"_dmarc.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::82.165.226.66",":::192.54.112.30",0,0,16,"_dmarc.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::192.54.112.30",":::82.165.226.66",1,3,16,"_dmarc.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::82.165.226.66",":::192.54.112.30",0,0,43,"_bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::192.54.112.30",":::82.165.226.66",1,3,43,"_bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::82.165.226.66",":::192.54.112.30",0,0,16,"default._bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::192.54.112.30",":::82.165.226.66",1,3,16,"default._bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::82.165.226.66",":::192.54.112.30",0,0,43,"default._bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::192.54.112.30",":::82.165.226.66",1,3,43,"default._bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::82.165.226.66",":::192.54.112.30",0,0,43,"default._bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::192.54.112.30",":::82.165.226.66",1,3,43,"default._bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::82.165.226.66",":::192.54.112.30",0,0,43,"default._bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::192.54.112.30",":::82.165.226.66",1,3,43,"default._bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::82.165.226.66",":::192.54.112.30",0,0,43,"default._bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55",":::192.54.112.30",":::82.165.226.66",1,3,43,"default._bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55","2001:8d8:5c1:453:82:165:226:66","2001:502:8cc::30",0,0,43,"default._bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> > "2024-03-09 19:31:55","2001:502:8cc::30","2001:8d8:5c1:453:82:165:226:66",1,3,43,"default._bimi.jaqgsfzaxlvvegquwrjaaztnpaskgocqfvregpwqbplmwqahqe.YALRDRK.net."
> 
> dnssec=process
> root-nx-trust=on
> nothing-below-nxdomain=no
> qname-minimization=no
> 
> If you need the full config or packetcapture, please ask.
> 
> Thanks 

[Pdns-users] PowerDNS Recursor 4.8.7, 4.9.4 and 5.0.3 released

2024-03-07 Thread Otto Moerbeek via Pdns-users
   Hello,

   Today we have released PowerDNS Recursor 4.8.7, 4.9.4 and 5.0.3.

   These releases are maintenance releases that fix a few bugs. The most
   important ones are:

 * The regression with respect to the ZoneToCache function in the
   preceding releases has been solved.
 * In the case of a recursive forwarding the gathering of denial of
   existence proof for wildcard-expanded names has been fixed.

   There are also a few other bug fixes and improvements, please refer to
   the changelogs (4.8.7[1], 4.9.4[2] and 5.0.3[3]) for additional
   details.

   Please send us all feedback and issues you might have via the mailing
   list[4], or in case of a bug, via GitHub[5].

   The tarballs (4.8.7[6], 4.9.4[7], 5.0.3[8]) (with signature files
   4.8.7[9], 4.9.4[10], 5.0.3[11]) are available from our
   download server[12] and packages for several distributions are
   available from our repository[13].

   Recently we made changes to our Open Source End of Life policy. Older
   release trains are now supported for one year after the following major
   release. Consult the EOL policy[14] for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://doc.powerdns.com/recursor/changelog/4.8.html#change-4.8.7
   2. https://doc.powerdns.com/recursor/changelog/4.9.html#change-4.9.4
   3. https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.3
   4. https://mailman.powerdns.com/mailman/listinfo/pdns-users
   5. https://github.com/PowerDNS/pdns/issues/new/choose
   6. https://downloads.powerdns.com/releases/pdns-recursor-4.8.7.tar.bz2
   7. https://downloads.powerdns.com/releases/pdns-recursor-4.9.4.tar.bz2
   8. https://downloads.powerdns.com/releases/pdns-recursor-5.0.3.tar.bz2
   9. https://downloads.powerdns.com/releases/pdns-recursor-4.8.7.tar.bz2.sig
  10. https://downloads.powerdns.com/releases/pdns-recursor-4.9.4.tar.bz2.sig
  11. https://downloads.powerdns.com/releases/pdns-recursor-5.0.3.tar.bz2.sig
  12. https://downloads.powerdns.com/releases/
  13. https://repo.powerdns.com/
  14. https://docs.powerdns.com/recursor/appendices/EOL.html




Re: [Pdns-users] DNSSEC: How to add TA for . to recursor of self hosted . zone

2024-03-04 Thread Otto Moerbeek via Pdns-users
On Mon, Mar 04, 2024 at 05:01:12PM +0100, Jan Huijsmans via Pdns-users wrote:

> Hello,
> 
> I'm trying to set up a DNSSEC lab environment with an isolated DNS set.
> 
> Service setup:
> 
> Servers
> - hidden master root server (pdns-auth 4.6.3-1)
> - queriable slave root servers (pdns-auth 4.6.3-1 & 4.8.4-1)
> - master + slave domain server (pdns-auth 4.8.4-1)
> - recursors on 4.9.2-1
> 
> pdns.conf of the auth instances include a .conf with
> gmysql=dnssec=yes
> 
> recursor.conf of the recursors includes a lua-config file with clearTA() and 
> either the addTA function with '.' and the DS content or 
> readTrustAnchorsFromFile that points to a file with the output of
> 
> pdnsutil export-zone-ds .
> 
> All zones are, from lowest to highest zone, signed via the pdns secure-zone 
> command and the DS records are exported via pdnsutil export-zone-ds and that 
> output is added to the higher zone up to . .
> 
> When I use dig to request records directly from the authoritative instances, I 
> get answered with the RRSIG responses I expect. However, when I try via the 
> recursor, the . zone is not trusted.
> 
> The error the pdns recursor log shows on a restart is:
> 
> msg="Failed to update . records" error="Got Bogus validation result for .|NS" 
> subsystem="housekeeping" level="0" prio="Error" tid="0" ts="1709563954.159" 
> exception="PDNSException"
> 
> When I request the DNSKEY from the . zone and add that to the root.key file 
> (checked on a Debian system what's in /usr/share/dns/root.key to find the 
> syntax) that I read the TA from via lua-config, then the result is the same.
> 
> Documentation used:
> - https://doc.powerdns.com/recursor/dnssec.html
> - https://doc.powerdns.com/recursor/lua-config/dnssec.html#addTA
> - https://doc.powerdns.com/authoritative/dnssec/index.html
> - https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html
> and what I could find with DDG.
> 
> dnssec is set to process in the recursor, but it refuses to answer when I use 
> dig; nslookup works. (so applications are not impacted by this issue)
> 
> It looks to me like I'm missing something simple in establishing the initial 
> trust of the . zone within the recursor; the rest looks like it works as it should.
> 
> Any help is appreciated.

Show your recursor.conf and your root hints.

-Otto

> 
> Regards,
> 
> Jan Huijsmans


Re: [Pdns-users] pdns-recursor help

2024-02-18 Thread Otto Moerbeek via Pdns-users
On Sun, Feb 18, 2024 at 01:35:04AM -0800, Bill MacAllister wrote:

> On 2024-02-17 23:30, Otto Moerbeek wrote:
> > On Sat, Feb 17, 2024 at 06:07:16PM -0800, Bill MacAllister wrote:
> > 
> > > Okay, I set "dnssec=off" and lookups are working now.  Guess I
> > > need to educate myself about dnssec.  I would like to make the
> > > dnssec default work if I can.  Pointers welcomed.
> > > 
> > > Bill
> > 
> > Looking at the trace your upstream mangles DNS. DNSSEC was designed to
> > protect against that.
> 
> Hmmm, is this a problem with my list of root servers?  Or maybe a
> protocol aware router/firewall is "helping" and breaking the dialogue?
> The problem might be in the Comcast hardware that was just replaced.
> I'll check that out in the morning.
> 

Your root hints are probably fine, it's a box somewhere that is doing
stuff to your DNS request/replies.

-Otto



Re: [Pdns-users] pdns-recursor help

2024-02-17 Thread Otto Moerbeek via Pdns-users
On Sat, Feb 17, 2024 at 06:07:16PM -0800, Bill MacAllister wrote:

> On 2024-02-17 12:08, Bill MacAllister via Pdns-users wrote:
> > On 2024-02-17 00:31, Otto Moerbeek wrote:
> 
> > > Your recursor is not able to get an answer from the root servers, at
> > > least not for DS queries.
> > > 
> > > A run with --trace as a command line option will reveal more details
> > > of what is going on.
> > > 
> > > Also: please show your config file.
> > > 
> > >   -Otto
> > 
> > Here is my configuration file: https://pastebin.com/jatVMq42
> > 
> > BUT, this morning the recursor was working for a bit.  Now it is
> > failing again. I suspect comcast, but only because I have not made
> > any changes to my internal network.  Gremlins are other suspects.
> > 
> > Here is the command line that I used to get a trace:
> > 
> >   /usr/sbin/pdns_recursor --daemon=no --write-pid=no \
> > --log-timestamp=no --trace --socket-dir=/run
> > 
> > The trace output is here: https://pastebin.com/Bke0qXtJ
> 
> Okay, I set "dnssec=off" and look ups are working now.  Guess I
> need to educate myself about dnssec.  I would like to make the
> dnssec default work if I can.  Pointers welcomed.
> 
> Bill

Looking at the trace your upstream mangles DNS. DNSSEC was designed to
protect against that.

-Otto



Re: [Pdns-users] pdns-recursor help

2024-02-17 Thread Otto Moerbeek via Pdns-users
On Sat, Feb 17, 2024 at 12:22:06AM -0800, Bill MacAllister via Pdns-users wrote:

> I am new to Power DNS and am attempting to setup a Power DNS recursor
> server.  I am using Debian bookworm and I have installed the pdns-recursor
> package.  The server is listening and dig can connect to the server,
> but dig returns a status of SERVFAIL.  What should I look at?  What am
> I missing?
> 
> Ahh, finally figured out how to get queries into syslog.  Here is what I am
> seeing there:
> 
> 2024-02-17T08:11:50.536920+00:00 zoot-bookworm pdns_recursor[10110]:
> msg="Question" subsystem="syncres" level="0" prio="Info" tid="2"
> ts="1708157510.535" ecs="" mtid="1" proto="udp" qname="web.stanford.edu"
> qtype="A" remote="10.0.0.32:55021"
> 
> 2024-02-17T08:11:50.846316+00:00 zoot-bookworm pdns_recursor[10110]:
> msg="Sending SERVFAIL during resolve" error="Server Failure while retrieving
> DS records for edu" subsystem="syncres" level="0" prio="Notice" tid="2"
> ts="1708157510.845" ecs="" mtid="1" proto="udp" qname="web.stanford.edu"
> qtype="A" remote="10.0.0.32:55021"
> 
> 2024-02-17T08:11:50.846977+00:00 zoot-bookworm pdns_recursor[10110]:
> msg="Answer" subsystem="syncres" level="0" prio="Info" tid="2"
> ts="1708157510.846" additional="1" answers="0" dotout="0" ecs="" mtid="1"
> netms="306.381000" outqueries="28" proto="udp" qname="web.stanford.edu"
> qtype="A" rcode="2" rd="1" remote="10.0.0.32:55021" tcpout="0" throttled="0"
> timeouts="0" totms="310.015000" validationState="Indeterminate"
> 
> Thanks in advance for your help,
> 
> Bill

Your recursor is not able to get an answer from the root servers, at
least not for DS queries.

A run with --trace as a command line option will reveal more details
of what is going on.

Also: please show your config file.

-Otto
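The three syslog lines Bill posted are the Recursor's structured-logging output: a syslog prefix followed by key="value" pairs, with a msg="Question" event, an optional error event and a msg="Answer" event per resolution. The script below is an added example (not PowerDNS code) that parses such lines, groups the events of one resolution by tid and mtid, and reports every SERVFAIL answer together with its error text, so that a cause like "Server Failure while retrieving DS records for edu" (a DS lookup at the root, which Otto's reply attributes to a middlebox mangling DNS rather than to the root hints) stands out without reading raw logs. The first three sample lines are the ones quoted in the thread; the last two are constructed to show a successful, validated query for contrast. Treating tid plus mtid as the identity of one resolution is an assumption drawn from the quoted lines; mtid values are reused, so correlate over short excerpts only.

```python
"""Triage pdns_recursor structured-log lines for SERVFAIL answers.

Added example, not PowerDNS code. It assumes only what the quoted lines
show: a syslog prefix followed by key="value" pairs, a msg="Question"
and a msg="Answer" event per resolution, optional error events in
between, and that (tid, mtid) identifies one resolution within a short
excerpt (mtid values are reused, so only correlate over small windows).
"""
import re
from collections import defaultdict

# Lines 1-3 are the ones quoted in the thread; lines 4-5 are constructed
# to show a successful, validated query for contrast.
SAMPLE_LOG = """\
2024-02-17T08:11:50.536920+00:00 zoot-bookworm pdns_recursor[10110]: msg="Question" subsystem="syncres" level="0" prio="Info" tid="2" ts="1708157510.535" ecs="" mtid="1" proto="udp" qname="web.stanford.edu" qtype="A" remote="10.0.0.32:55021"
2024-02-17T08:11:50.846316+00:00 zoot-bookworm pdns_recursor[10110]: msg="Sending SERVFAIL during resolve" error="Server Failure while retrieving DS records for edu" subsystem="syncres" level="0" prio="Notice" tid="2" ts="1708157510.845" ecs="" mtid="1" proto="udp" qname="web.stanford.edu" qtype="A" remote="10.0.0.32:55021"
2024-02-17T08:11:50.846977+00:00 zoot-bookworm pdns_recursor[10110]: msg="Answer" subsystem="syncres" level="0" prio="Info" tid="2" ts="1708157510.846" additional="1" answers="0" dotout="0" ecs="" mtid="1" netms="306.381000" outqueries="28" proto="udp" qname="web.stanford.edu" qtype="A" rcode="2" rd="1" remote="10.0.0.32:55021" tcpout="0" throttled="0" timeouts="0" totms="310.015000" validationState="Indeterminate"
2024-02-17T08:12:01.000000+00:00 zoot-bookworm pdns_recursor[10110]: msg="Question" subsystem="syncres" level="0" prio="Info" tid="1" ts="1708157521.000" ecs="" mtid="2" proto="udp" qname="example.com" qtype="A" remote="10.0.0.32:55022"
2024-02-17T08:12:01.050000+00:00 zoot-bookworm pdns_recursor[10110]: msg="Answer" subsystem="syncres" level="0" prio="Info" tid="1" ts="1708157521.050" additional="1" answers="1" dotout="0" ecs="" mtid="2" netms="40.000000" outqueries="3" proto="udp" qname="example.com" qtype="A" rcode="0" rd="1" remote="10.0.0.32:55022" tcpout="0" throttled="0" timeouts="0" totms="50.000000" validationState="Secure"
"""

KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
DS_ERR_RE = re.compile(r"retrieving DS records for (\S+)")


def parse_line(line):
    """Return the key="value" fields of one line, or None if it is not a structured event."""
    fields = dict(KV_RE.findall(line))
    return fields if "msg" in fields else None


def correlate(text):
    """Group events by (tid, mtid) so Question, error and Answer of one resolution sit together."""
    streams = defaultdict(list)
    for line in text.splitlines():
        fields = parse_line(line)
        if fields and "tid" in fields and "mtid" in fields:
            streams[(fields["tid"], fields["mtid"])].append(fields)
    return streams


def find_servfails(text):
    """Return one finding per resolution that was answered with rcode 2 (SERVFAIL)."""
    findings = []
    for events in correlate(text).values():
        answer = next((e for e in events if e["msg"] == "Answer"), None)
        if answer is None or answer.get("rcode") != "2":
            continue
        findings.append({
            "qname": answer.get("qname"),
            "qtype": answer.get("qtype"),
            "remote": answer.get("remote"),
            "validation": answer.get("validationState"),
            "outqueries": int(answer.get("outqueries", "0")),
            "errors": [e["error"] for e in events if "error" in e],
        })
    return findings


def ds_failure_zones(findings):
    """Zones whose DS lookup failed. A failing DS lookup for a TLD such as 'edu'
    means the recursor got no usable answer from the root servers, which is the
    diagnosis given in the thread (the root hints themselves were fine)."""
    zones = set()
    for finding in findings:
        for err in finding["errors"]:
            match = DS_ERR_RE.search(err)
            if match:
                zones.add(match.group(1))
    return zones


if __name__ == "__main__":
    fails = find_servfails(SAMPLE_LOG)
    for f in fails:
        detail = "; ".join(f["errors"]) or "no error detail"
        print(f"SERVFAIL {f['qname']}/{f['qtype']} for {f['remote']}: {detail} "
              f"(validation={f['validation']}, outqueries={f['outqueries']})")
    zones = ds_failure_zones(fails)
    if zones:
        print("DS lookups failing for:", ", ".join(sorted(zones)))
```

Run it against a journal excerpt (for example the output of `journalctl -u pdns-recursor`) rather than the constructed sample. When every SERVFAIL in the excerpt carries a DS error for a TLD, compare what `dig +dnssec` returns for that DS query when sent directly to a root server with what the recursor receives in `--trace` output; a middlebox that rewrites or drops DNSSEC-bearing replies shows up as the difference between the two.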


[Pdns-users] PowerDNS Recursor Security Advisory 2024-01

2024-02-13 Thread Otto Moerbeek via Pdns-users
   Today we have released PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2.

   These releases fix PowerDNS Security Advisory 2024-01: crafted DNSSEC
   records in a zone can lead to a denial of service in Recursor. The
   Advisory follows:

PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead
to a denial of service in Recursor

 * CVE: CVE-2023-50387 and CVE-2023-50868
 * Date: 13th of February 2024.
 * Affects: PowerDNS Recursor up to and including 4.8.5, 4.9.2 and
   5.0.1
 * Not affected: PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2
 * Severity: High
 * Impact: Denial of service
 * Exploit: This problem can be triggered by an attacker publishing a
   crafted zone
 * Risk of system compromise: None
 * Solution: Upgrade to patched version or disable DNSSEC validation

   An attacker can publish a zone that contains crafted DNSSEC related
   records. While validating results from queries to that zone using the
   RFC mandated algorithms, the Recursor's resource usage can become so
   high that processing of other queries is impacted, resulting in a
   denial of service. Note that any resolver following the RFCs can be
   impacted, this is not a problem of this particular implementation.

   CVSS Score: 7.5, see
   https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H=3.1[2]

   The remedies are one of:

 * upgrade to a patched version
 * disable DNSSEC validation by setting dnssec=off or
   process-no-validate; when using YAML settings: dnssec.validate: off
   or process-no-validate. Note that this will affect clients
   depending on DNSSEC validation.

   We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and
   Michael Waidner from the German National Research Center for Applied
   Cybersecurity ATHENE for bringing CVE-2023-50387 to the attention of
   the DNS community and especially Niklas Vogel for his assistance in
   validating the patches. We would also like to thank Petr Spacek from
   ISC for discovering and responsibly disclosing CVE-2023-50868.

   Please refer to the changelogs  (4.8.6[3], 4.9.3[4] and 5.0.2[5]) and
   upgrade guide for additional details. The upgrade guide describes one
   known issue related to the zoneToCache function.

   Please send us all feedback and issues you might have via the mailing
   list[6], or in case of a bug, via GitHub[7].

   The tarballs (4.8.6[8], 4.9.3[9], 5.0.2[10]) (with signature files
   4.8.6[11], 4.9.3[12], 5.0.2[13]) are available from our
   download server[14] and packages for several distributions are
   available from our repository[15].

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. file:///Users/otto/pdns/pdns/recursordist/html-docs/security-advisories/powerdns-advisory-2024-01.html#powerdns-security-advisory-2024-01-crafted-dnssec-records-in-a-zone-can-lead-to-a-denial-of-service-in-recursor
   2. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H=3.1
   3. https://doc.powerdns.com/recursor/changelog/4.8.html#change-4.8.6
   4. https://doc.powerdns.com/recursor/changelog/4.9.html#change-4.9.3
   5. https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.2
   6. https://mailman.powerdns.com/mailman/listinfo/pdns-users
   7. https://github.com/PowerDNS/pdns/issues/new/choose
   8. https://downloads.powerdns.com/releases/pdns-recursor-4.8.6.tar.bz2
   9. https://downloads.powerdns.com/releases/pdns-recursor-4.9.3.tar.bz2
  10. https://downloads.powerdns.com/releases/pdns-recursor-5.0.2.tar.bz2
  11. https://downloads.powerdns.com/releases/pdns-recursor-4.8.6.tar.bz2.sig
  12. https://downloads.powerdns.com/releases/pdns-recursor-4.9.3.tar.bz2.sig
  13. https://downloads.powerdns.com/releases/pdns-recursor-5.0.2.tar.bz2.sig
  14. https://downloads.powerdns.com/releases/
  15. https://repo.powerdns.com/


-- 

kind regards,
Otto Moerbeek
Senior Developer PowerDNS 


Phone: +49 2761 75252 00 Fax: +49 2761 75252 30
Email: otto.moerb...@open-xchange.com


-
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 
95366 
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin 
Chairman of the Board: Richard Seibt 
 
PowerDNS.COM BV, Koninginnegracht 5, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt
-


signature.asc
Description: PGP signature
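The first question an operator has after reading the advisory is which recursors in a fleet still run an affected version. The script below is an added example, not PowerDNS code: the fixed versions (4.8.6, 4.9.3, 5.0.2) and the affected ranges ("up to and including" 4.8.5, 4.9.2 and 5.0.1, which makes every older train such as 4.7 affected as well) are taken from the advisory text above. Ordering a pre-release suffix such as -rc2 before the bare version number, and picking the first version-shaped token out of a `--version` line, are assumptions made here. The advisory's alternative remedy (dnssec=off or process-no-validate, dnssec.validate in YAML) is a stopgap for hosts this audit flags that cannot be upgraded immediately; as the advisory notes, it also switches off validation for clients that rely on it.

```python
"""Is a PowerDNS Recursor version affected by Security Advisory 2024-01?

Added example, not PowerDNS code. Fixed versions are the ones listed in the
advisory (4.8.6, 4.9.3, 5.0.2). Everything "up to and including" 4.8.5,
4.9.2 and 5.0.1 is affected, so trains older than 4.8 are affected too.
Pre-release suffixes (5.0.0-rc2) are ordered before the bare version; that
ordering is an assumption made here, not something the advisory states.
"""
import re

FIXED = {(4, 8): (4, 8, 6), (4, 9): (4, 9, 3), (5, 0): (5, 0, 2)}
OLDEST_FIXED = min(FIXED.values())  # (4, 8, 6)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Find the first token that looks like a version in `text`, e.g. a line of
    `pdns_recursor --version` output or a bare '5.0.0-rc2'.
    Returns ((major, minor, patch), prerelease_or_None)."""
    for token in text.split():
        match = VERSION_RE.match(token)
        if match:
            return (int(match[1]), int(match[2]), int(match[3])), match[4]
    raise ValueError(f"no version number in {text!r}")


def order_key(parsed):
    (major, minor, patch), pre = parsed
    return (major, minor, patch, 0 if pre else 1)  # 5.0.0-rc2 sorts before 5.0.0


def affected(text):
    """True if the version still needs the 2024-01 fix (upgrade, or validation off)."""
    parsed = parse_version(text)
    train = parsed[0][:2]
    if train in FIXED:
        return order_key(parsed) < order_key((FIXED[train], None))
    # Trains with no fixed release: anything older than 4.8.6 falls under
    # "up to and including 4.8.5"; trains newer than 5.0 post-date the advisory.
    return parsed[0] < OLDEST_FIXED


def audit(hosts):
    """hosts: {hostname: version string}. Returns the hosts that still need action."""
    return {host: ver for host, ver in hosts.items() if affected(ver)}


if __name__ == "__main__":
    # constructed inventory, e.g. collected from `pdns_recursor --version` per host
    inventory = {
        "rec1": "PowerDNS Recursor 4.9.2",
        "rec2": "5.0.2",
        "rec3": "4.7.4",
        "rec4": "5.0.0-rc2",
    }
    for host, ver in audit(inventory).items():
        print(f"{host}: {ver} is affected by PowerDNS Security Advisory 2024-01")
```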


Re: [Pdns-users] QNAME minimization support

2024-02-10 Thread Otto Moerbeek via Pdns-users
On Sat, Feb 10, 2024 at 10:41:12AM +0100, Otto Moerbeek via Pdns-users wrote:

> On Fri, Feb 09, 2024 at 08:39:16PM -0800, Ask Bjørn Hansen via Pdns-users 
> wrote:
> 
> > 
> > 
> > > On Feb 9, 2024, at 14:30, Jason Tremblett via Pdns-users 
> > >  wrote:
> > > 
> > > When querying with QNAME minimization on strict, the authoritative server 
> > > is queried for entry.sample.zone and returns NXDOMAIN.  This causes the 
> > > query to fail. 
> > 
> > That’s going to cause problems without QNAME minification, too.
> > 
> > I think the database backend requires you to add rows with empty non 
> > terminals for this.
> 
> Likely the zone is not rectified.
> 
>   pdnsutil rectify-zone ZONE
> or
> 
>   pdnsutil rectify-all-zones
> 

To elaborate a bit: PowerDNS Authoritative Server certainly supports
resolvers that do strict query minimization, but only if the data in
the zone is right.  Rectifying includes adding records for empty
non-terminals in the appropriate places, so that a proper empty
NOERROR (aka NODATA) is returned if there are child records.

After editing a zone, a rectify is needed. When using the API that is
taken care of by default (on a reasonably modern version). But not if
you edit the DB by hand.

-Otto


Re: [Pdns-users] QNAME minimization support

2024-02-10 Thread Otto Moerbeek via Pdns-users
On Fri, Feb 09, 2024 at 08:39:16PM -0800, Ask Bjørn Hansen via Pdns-users wrote:

> 
> 
> > On Feb 9, 2024, at 14:30, Jason Tremblett via Pdns-users 
> >  wrote:
> > 
> > When querying with QNAME minimization on strict, the authoritative server 
> > is queried for entry.sample.zone and returns NXDOMAIN.  This causes the 
> > query to fail. 
> 
> That’s going to cause problems without QNAME minification, too.
> 
> I think the database backend requires you to add rows with empty non 
> terminals for this.

Likely the zone is not rectified.

pdnsutil rectify-zone ZONE
or

pdnsutil rectify-all-zones

-Otto
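To make Otto's two replies above concrete (the short one and the elaboration on empty non-terminals), here is an added example, not PowerDNS code, that models the situation in the thread: the only records under entry.sample.zone sit one label further down, so a resolver doing strict QNAME minimisation first asks the authoritative server about entry.sample.zone itself. Without a rectify the backend has no row for that name and answers NXDOMAIN, which strict mode treats as final; after a rectify the name exists as an empty non-terminal, the server answers NOERROR/NODATA, and resolution continues. The zone name, the record names and the simplified resolver are constructed for this example.

```python
"""Empty non-terminals and strict QNAME minimisation, modelled in Python.

Added example, not PowerDNS code. Zone name, records and the simplified
resolver are constructed; the behaviour modelled is the one described in
the thread (unrectified zone: NXDOMAIN for an ENT; rectified: NOERROR).
"""

ZONE = "sample.zone"
# constructed: apex, a name server, and a host two labels below the apex
RECORD_NAMES = ["sample.zone", "ns1.sample.zone", "host.entry.sample.zone"]


def labels(name):
    """'host.entry.sample.zone.' -> ('host', 'entry', 'sample', 'zone')"""
    return tuple(part for part in name.rstrip(".").split(".") if part)


def empty_non_terminals(zone, record_names):
    """Names strictly between the apex and an existing name that own no records.
    This is the set of names `pdnsutil rectify-zone` adds ENT entries for."""
    apex = labels(zone)
    have = {labels(n) for n in record_names}
    ents = set()
    for name in have:
        # ancestors of `name` below the apex: drop leading labels one at a time
        for cut in range(1, len(name) - len(apex)):
            ancestor = name[cut:]
            if ancestor not in have:
                ents.add(ancestor)
    return {".".join(e) for e in ents}


def auth_answer(zone, record_names, rectified, qname):
    """rcode an authoritative server returns for qname: NOERROR if the name
    exists (also when it has no records of the asked type, i.e. NODATA),
    NXDOMAIN otherwise. An unrectified zone has no row for an ENT, so the
    backend reports NXDOMAIN for it."""
    q = labels(qname)
    if q in {labels(n) for n in record_names}:
        return "NOERROR"
    if rectified and ".".join(q) in empty_non_terminals(zone, record_names):
        return "NOERROR"
    return "NXDOMAIN"


def strict_qmin_resolve(zone, record_names, rectified, qname):
    """Strict QNAME minimisation: query each ancestor, starting one label below
    the apex, and treat an intermediate NXDOMAIN as final (no retry with the
    full name). Returns (trace, final_rcode)."""
    q, apex = labels(qname), labels(zone)
    trace = []
    for cut in range(len(q) - len(apex) - 1, -1, -1):
        step = ".".join(q[cut:])
        rcode = auth_answer(zone, record_names, rectified, step)
        trace.append((step, rcode))
        if rcode == "NXDOMAIN":
            return trace, "NXDOMAIN"
    return trace, "NOERROR"


if __name__ == "__main__":
    print("ENTs to materialise:", sorted(empty_non_terminals(ZONE, RECORD_NAMES)))
    for rectified in (False, True):
        trace, final = strict_qmin_resolve(ZONE, RECORD_NAMES, rectified, "host.entry.sample.zone")
        print(f"rectified={rectified}: {trace} -> {final}")
```

The set returned by `empty_non_terminals` is what you should expect to see appear in the backend after `pdnsutil rectify-zone sample.zone`; if a name from that set still answers NXDOMAIN afterwards, the rows were edited by hand after the rectify, which is the case Otto's elaboration warns about.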


Re: [Pdns-users] Any chance of an actual PowerDNS upgrade guide ?

2024-01-12 Thread Otto Moerbeek via Pdns-users
On Fri, Jan 12, 2024 at 05:01:18PM +, Laura Smith via Pdns-users wrote:

> Hi
> 
> The release notes for PowerDNS Recursor 5.0.1 link to what is claimed to be 
> an "upgrade guide", however the "guide" reads more like a version change log.
> 
> Is there any chance we can actually be provided with an actual guide ?
> 
> For example:
> 
> I am on Debian, using the PowerDNS repo. Beyond the obvious of changing 
> "bookworm-rec-49" to "bookworm-rec-50" in the sources file, what actual steps 
> need to be taken ? For example, do I need to uninstall the old version first ?
> 
> Thanks !
> 
> Laura

https://docs.powerdns.com/recursor/upgrade.html describes the changes
that are potentially disruptive. We try to keep it concise, it will
never answer every potential sysadmin question.

But to answer your question: you do not need to de-install before
upgrading. If that would have been the case, we would have mentioned
it in the upgrade guide.

-Otto


[Pdns-users] PowerDNS Recursor 5.0.1 Released

2024-01-10 Thread Otto Moerbeek via Pdns-users
   Hello,

   We are proud to announce the release of PowerDNS Recursor 5.0.1! This
   is the first public release of the 5.0 branch.

   Compared to the latest 4.9 release, this release features the ability
   to read settings from YAML files, enhancing structure, processing and
   error-checking of settings.

   There is also an internal change: the code processing the YAML file is
   written in Rust and generated from a table. The former allows for more
   secure code and the latter has the big advantage that old-style
   settings, YAML settings and documentation[1] are automatically kept in
   sync.

   Current old-style settings are still supported without change. There is
   a semi-automatic process[2] to convert old setting files to the new
   format. A future release will remove support for the old-style
   settings.

   Introducing Rust code implies that the build procedure has changed. Our
   own package builds for various distributions are adapted.

   In addition to YAML settings, this pre-release  also includes the
   following changes

 * The Recursor now has dedicated thread(s)[3] to process incoming TCP
   queries
 * Improvements to the handling of a few edge cases related to NS
   records
 * A few files that are generated are now packaged in the source
   tarball, so that package builds do not have to generate them
 * The Recursor now includes extended[4] errors in responses by
   default
 * By default, the Recursor now disallows queries without the
   Recursion Desired (RD) bit[5] set.
 * The default of nsec3-max-iterations[6] has been lowered to 50.

   As always, there are also many smaller bug fixes and improvements,
   please refer to the changelog[7] for additional details. When upgrading
   do not forget to check the upgrade guide.[8]

   Please send us all feedback and issues you might have via the mailing
   list[9], or in case of a bug, via GitHub[10].

   The tarball[11] (signature[12]) is available from our
   download server[13] and packages for several distributions are
   available from our repository[14].

   We also made changes to our Open Source End of Life policy. Older
   release trains are now supported for one year after the following major
   release. Consult the EOL policy[15] for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://docs.powerdns.com/recursor/yamlsettings.html
   2. https://docs.powerdns.com/recursor/appendices/yamlconversion.html
   3. https://docs.powerdns.com/recursor/settings.html#tcp-threads
   4. https://docs.powerdns.com/recursor/settings.html#extended-resolution-errors
   5. https://docs.powerdns.com/recursor/settings.html#allow-no-rd
   6. https://docs.powerdns.com/recursor/settings.html#nsec3-max-iterations
   7. https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.0
   8. https://docs.powerdns.com/recursor/upgrade.html
   9. https://mailman.powerdns.com/mailman/listinfo/pdns-users
  10. https://github.com/PowerDNS/pdns/issues/new/choose
  11. https://downloads.powerdns.com/releases/pdns-recursor-5.0.1.tar.bz2
  12. https://downloads.powerdns.com/releases/pdns-recursor-5.0.1.tar.bz2.sig
  13. https://downloads.powerdns.com/releases/
  14. https://repo.powerdns.com/
  15. https://docs.powerdns.com/recursor/appendices/EOL.html


--

kind regards,
Otto Moerbeek
PowerDNS Developer



Email: otto.moerb...@open-xchange.com






[Pdns-users] Second Release Candidate of PowerDNS Recursor 5.0.0

2023-12-20 Thread Otto Moerbeek via Pdns-users
   Hello!

   We are proud to announce the second release candidate of PowerDNS
   Recursor 5.0.0.

   Compared to the latest 4.9 release, this pre-release features the
   ability to read settings from YAML files, enhancing structure,
   processing and error-checking of settings.

   There is also an internal change: the code processing the YAML file is
   written in Rust and generated from a table. The former allows for more
   secure code and the latter has the big advantage that old-style
   settings, YAML settings and documentation[1] are automatically kept in
   sync.

   Current old-style settings are still supported without change. There is
   a semi-automatic process[2] to convert old setting files to the new
   format. A future release will remove support for the old-style
   settings.

   Introducing Rust code implies that the build procedure has changed. We
   encourage third-party package maintainers to take this release
   candidate and adapt their builds and provide feedback on this
   conversion. Our own package builds for various distributions are
   already adapted.

   We invite everybody to test this release candidate. Some suggestions of
   things to test:

 * Reading an existing old-style configuration works as expected
 * Converting existing settings file(s) to YAML using the conversion
   guide
 * Running a converted or newly created YAML configuration
 * (Automatic) conversion of configuration files managed by the
   Recursor through its REST API

   In addition to YAML settings, this pre-release  also includes the
   following changes

 * The Recursor now has dedicated thread(s)[3] to process incoming TCP
   queries
 * Improvements to the handling of a few edge cases related to NS
   records
 * A few files that are generated are now packaged in the source
   tarball, so that package builds do not have to generate them
 * The Recursor now includes extended[4] errors in responses by
   default
 * By default, the Recursor now disallows queries without the
   Recursion Desired (RD) bit[5] set.
 * The default of nsec3-max-iterations[6] has been lowered to 50.
 * The RUNTIME_DIRECTORY environment variable, as set by systemd is
   now respected again.
 * Disabling structured[7] logging has been deprecated and will be
   removed in a future release.

   As always, there are also many smaller bug fixes and improvements,
   please refer to the changelog[8] for additional details. When upgrading
   do not forget to check the upgrade guide.[9]

   Please send us all feedback and issues you might have via the mailing
   list[10], or in case of a bug, via GitHub[11].

   The tarball[12] (signature[13]) is available from our
   download server[14] and packages for several distributions are
   available from our repository[15].

   We also made changes to our Open Source End of Life policy. Older
   release trains are now supported for one year after the following major
   release. Consult the EOL policy[16] for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://docs.powerdns.com/recursor/yamlsettings.html
   2. https://docs.powerdns.com/recursor/appendices/yamlconversion.html
   3. https://docs.powerdns.com/recursor/settings.html#tcp-threads
   4. https://docs.powerdns.com/recursor/settings.html#extended-resolution-errors
   5. https://docs.powerdns.com/recursor/settings.html#allow-no-rd
   6. https://docs.powerdns.com/recursor/settings.html#nsec3-max-iterations
   7. https://docs.powerdns.com/recursor/settings.html#structured-logging
   8. https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.0-rc2
   9. https://docs.powerdns.com/recursor/upgrade.html
  10. https://mailman.powerdns.com/mailman/listinfo/pdns-users
  11. https://github.com/PowerDNS/pdns/issues/new/choose
  12. https://downloads.powerdns.com/releases/pdns-recursor-5.0.0-rc2.tar.bz2
  13. https://downloads.powerdns.com/releases/pdns-recursor-5.0.0-rc2.tar.bz2.sig
  14. https://downloads.powerdns.com/releases/
  15. https://repo.powerdns.com/
  16. https://docs.powerdns.com/recursor/appendices/EOL.html


--

kind regards,
Otto Moerbeek
PowerDNS Developer



Email: otto.moerb...@open-xchange.com



[Pdns-users] First Release Candidate of PowerDNS Recursor 5.0.0

2023-12-06 Thread Otto Moerbeek via Pdns-users
   Hello!

   We are proud to announce the first release candidate of PowerDNS
   Recursor 5.0.0.

   Compared to the latest 4.9 release, this pre-release features the
   ability to read settings from YAML files, enhancing structure,
   processing and error-checking of settings.

   There is also an internal change: the code processing the YAML file is
   written in Rust and generated from a table. The former allows for more
   secure code and the latter has the big advantage that old-style
   settings, YAML settings and documentation[1] are automatically kept in
   sync.

   Current old-style settings are still supported without change. There is
   a semi-automatic process[2] to convert old setting files to the new
   format. A future release will remove support for the old-style
   settings.

   Introducing Rust code implies that the build procedure has changed. We
   encourage third-party package maintainers to take this release
   candidate and adapt their builds and provide feedback on this
   conversion. Our own package builds for various distributions are
   already adapted.

   We invite everybody to test this release candidate. Some suggestions of
   things to test:

 * Reading an existing old-style configuration works as expected
 * Converting existing settings file(s) to YAML using the conversion
   guide
 * Running a converted or newly created YAML configuration
 * (Automatic) conversion of configuration files managed by the
   Recursor through its REST API

   In addition to YAML settings, this pre-release  also includes the
   following changes

 * The Recursor now has dedicated thread(s)[3] to process incoming TCP
   queries
 * Improvements to the handling of a few edge cases related to NS
   records
 * A few files that are generated are now packaged in the source
   tarball, so that package builds do not have to generate them
 * The Recursor now includes extended[4] errors in responses by
   default
 * By default, the Recursor now disallows queries without the
   Recursion Desired (RD) bit[5] set.
 * The default of nsec3-max-iterations[6] has been lowered to 50.

   As always, there are also many smaller bug fixes and improvements,
   please refer to the changelog[7] for additional details. When upgrading
   do not forget to check the upgrade guide.[8]

   Please send us all feedback and issues you might have via the mailing
   list[9], or in case of a bug, via GitHub[10].

   The tarball[11] (signature[12]) is available from our
   download server[13] and packages for several distributions are
   available from our repository[14].

   We also made changes to our Open Source End of Life policy. Older
   release trains are now supported for one year after the following major
   release. Consult the EOL policy[15] for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://docs.powerdns.com/recursor/yamlsettings.html
   2. https://docs.powerdns.com/recursor/appendices/yamlconversion.html
   3. https://docs.powerdns.com/recursor/settings.html#tcp-threads
   4. https://docs.powerdns.com/recursor/settings.html#extended-resolution-errors
   5. https://docs.powerdns.com/recursor/settings.html#allow-no-rd
   6. https://docs.powerdns.com/recursor/settings.html#nsec3-max-iterations
   7. https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.0-rc1
   8. https://docs.powerdns.com/recursor/upgrade.html
   9. https://mailman.powerdns.com/mailman/listinfo/pdns-users
  10. https://github.com/PowerDNS/pdns/issues/new/choose
  11. https://downloads.powerdns.com/releases/pdns-recursor-5.0.0-rc1.tar.bz2
  12. https://downloads.powerdns.com/releases/pdns-recursor-5.0.0-rc1.tar.bz2.sig
  13. https://downloads.powerdns.com/releases/
  14. https://repo.powerdns.com/
  15. https://docs.powerdns.com/recursor/appendices/EOL.html


--

kind regards,
Otto Moerbeek
PowerDNS Developer



Email: otto.moerb...@powerdns.com






[Pdns-users] First beta release of PowerDNS Recursor 5.0.0

2023-11-10 Thread Otto Moerbeek via Pdns-users
   Hello!

   We are proud to announce the first beta release of PowerDNS Recursor
   5.0.0.

   Compared to the latest 4.9 release, this pre-release features the
   ability to read settings from YAML files, enhancing structure,
   processing and error-checking of settings.

   There is also an internal change: the code processing the YAML file is
   written in Rust and generated from a table. The former allows for more
   secure code and the latter has the big advantage that old-style
   settings, YAML settings and [1]documentation are automatically kept in
   sync.

   Current old-style settings are still supported without change. There is
   a semi-automatic [2]process to convert old setting files to the new
   format. A future release will remove support for the old-style
   settings.

   Introducing Rust code implies that the build procedure has changed. We
   encourage third-party package maintainers to take this alpha release
   and adapt their builds and provide feedback on this conversion. Our own
   package builds for various distributions are already adapted.

   We invite everybody to test this beta release. Some suggestions of
   things to test:

 * Reading an existing old-style configuration works as expected
 * Converting existing settings file(s) to YAML using the conversion
   guide
 * Running a converted or newly created YAML configuration
 * (Automatic) conversion of configuration files managed by the
   Recursor through its REST API

   In addition to YAML settings, this pre-release  also includes the
   following changes

 * The recursor now has dedicated [3]thread(s) to process incoming TCP
   queries
 * Improvements to the handling of a few edge cases related to NS
   records
 * A few files that are generated are now packaged in the source
   tarball, so that package builds do not have to generate them
 * The recursor now includes [4]extended errors in responses by
   default

   As always, there are also many smaller bug fixes and improvements,
   please refer to the [5]changelog for additional details. When upgrading
   do not forget to check the [6]upgrade guide.

   Please send us all feedback and issues you might have via
   the [7]mailing list, or in case of a bug, via [8]GitHub.

   The [9]tarball ([10]signature) is available from our
   download [11]server and packages for several distributions are
   available from our [12]repository.

   With the upcoming final 5.0.0 release, the 4.7.x releases will be EOL
   and the 4.8.x and 4.9.x releases will go into critical fixes only mode.
   Consult the EOL [13]policy for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://docs.powerdns.com/recursor/yamlsettings.html
   2. https://docs.powerdns.com/recursor/appendices/yamlconversion.html
   3. https://docs.powerdns.com/recursor/settings.html#tcp-threads
   4. https://docs.powerdns.com/recursor/settings.html#extended-resolution-errors
   5. https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.0-beta1
   6. https://docs.powerdns.com/recursor/upgrade.html
   7. https://mailman.powerdns.com/mailman/listinfo/pdns-users
   8. https://github.com/PowerDNS/pdns/issues/new/choose
   9. https://downloads.powerdns.com/releases/pdns-recursor-5.0.0-beta1.tar.bz2
  10. https://downloads.powerdns.com/releases/pdns-recursor-5.0.0-beta1.tar.bz2.sig
  11. https://downloads.powerdns.com/releases/
  12. https://repo.powerdns.com/
  13. https://docs.powerdns.com/recursor/appendices/EOL.html


--

kind regards,
Otto Moerbeek
PowerDNS Developer



Email: otto.moerb...@open-xchange.com






[Pdns-users] PowerDNS Recursor 4.9.2 Releases

2023-11-08 Thread Otto Moerbeek via Pdns-users
   Hello!

   Today we have released PowerDNS Recursor 4.9.2.

   This release is a maintenance release that fixes a few bugs and
   contains a few improvements. The most important ones are:

 * Two cache management edge cases that can occur when serve-stale is
   enabled have been corrected
 * The pruning of the NSEC aggressive cache is more fair, improving
   performance

   Please refer to the [1]changelog for additional details.

   Please send us all feedback and issues you might have via
   the [2]mailing list, or in case of a bug, via [3]GitHub.

   The [4]tarball (with [5]signature file) is available from our
   download [6]server and packages for several distributions are available
   from our [7]repository.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://docs.powerdns.com/recursor/changelog/4.9.html#change-4.9.2
   2. https://mailman.powerdns.com/mailman/listinfo/pdns-users
   3. https://github.com/PowerDNS/pdns/issues/new/choose
   4. https://downloads.powerdns.com/releases/pdns-recursor-4.9.2.tar.bz2
   5. https://downloads.powerdns.com/releases/pdns-recursor-4.9.2.tar.bz2.sig
   6. https://downloads.powerdns.com/releases/
   7. https://repo.powerdns.com/


--

kind regards,
Otto Moerbeek
PowerDNS Developer



Email: otto.moerb...@open-xchange.com






Re: [Pdns-users] Recursor 4.8.x Debian 12 repo

2023-10-31 Thread Otto Moerbeek via Pdns-users
The rec-4.8.5 Debian 12 package is now available again from our repo.

Regards,

 -Otto


> On 30/10/2023 15:23 CET Otto Moerbeek via Pdns-users 
>  wrote:
>
>
> Hello,
>
> an error crept into one of the publishing processes.
>
> I built a rec-4.8.5 for Debian 12, which can be retrieved here:
>
> https://github.com/PowerDNS/pdns/actions/runs/6693473758/job/18184678477
>
> We will also make sure the package gets published in the regular place. This 
> might take some time though.
>
>  -Otto
>
> > On 29/10/2023 09:42 CET Christoph via Pdns-users 
> >  wrote:
> >
> >
> > Hi,
> >
> > for regression testing we would like to downgrade our recursor to
> > version 4.8.x but we noticed that there is no rec-48 debian repo on
> > https://repo.powerdns.com/debian/dists/
> > for Debian Bookworm.
> >
> > Is this on purpose or will there be a recursor 48 repo for Debian 12 in
> > the future?
> >
> > thank you!
> > Christoph




Re: [Pdns-users] Recursor Container Issue

2023-10-31 Thread Otto Moerbeek via Pdns-users
Hello Alberto,

It would help if you exactly describe what you did, with command line and the 
recursor.conf you used. That way we can try to reproduce.

Also, did you check log messages from the recursor? It almost sounds like the 
recursor did not start because of an issue with the configuration. It should 
log a message in that case.

On a side note: the recursor.d directory *is* documented in the page that is linked 
from the README on Docker Hub:

https://github.com/PowerDNS/pdns/blob/master/Docker-README.md

Regards, 

 -Otto

> On 30/10/2023 17:19 CET Alberto via Pdns-users 
>  wrote:
> 
> 
> De: Pdns-users En nombre deBlue Thunder Somogyi via Pdns-users
> Enviado el: lunes, 20 de marzo de 2023 17:34
> Para: pdns-users@mailman.powerdns.com
> Asunto: [Pdns-users] Recursor Container Issue
> 
> Hello,
> When using the PowerDNS recursor container 
> (https://hub.docker.com/r/powerdns/pdns-recursor-48) if you mount a 
> configuration file directly under `/etc/powerdns/recursor.conf` in the 
> container, the recursor seems to hang and be non-responsive (no response from 
> API, nor from DNS queries). I raise this because this behavior is different 
> from the Auth server (container), which has no issue with a config file 
> mounted under `/etc/powerdns/pdns.conf`.
> 
> Is this a known issue? The workaround is to put the config under 
> `/etc/powerdns/recursor.d/` directory, but this is not documented, and I've 
> lost a non-trivial amount of my life figuring this out 
> 
> Yes, it's very confusing.
> 
> The 2.4.9 release has the same issue.




Re: [Pdns-users] Recursor 4.8.x Debian 12 repo

2023-10-30 Thread Otto Moerbeek via Pdns-users
Hello,

an error crept into one of the publishing processes.

I built a rec-4.8.5 for Debian 12, which can be retrieved here:

https://github.com/PowerDNS/pdns/actions/runs/6693473758/job/18184678477

We will also make sure the package gets published in the regular place. This 
might take some time though.

 -Otto

> On 29/10/2023 09:42 CET Christoph via Pdns-users 
>  wrote:
>
>
> Hi,
>
> for regression testing we would like to downgrade our recursor to
> version 4.8.x but we noticed that there is no rec-48 debian repo on
> https://repo.powerdns.com/debian/dists/
> for Debian Bookworm.
>
> Is this on purpose or will there be a recursor 48 repo for Debian 12 in
> the future?
>
> thank you!
> Christoph


Re: [Pdns-users] LUA for "filter-aaaa-on-v4"

2023-10-30 Thread Otto Moerbeek via Pdns-users
On Mon, Oct 30, 2023 at 04:35:25AM +0000, Djerk Geurts via Pdns-users wrote:

> Hi all,
> 
> Not had the opportunity to test this yet, but wanted to check with those more 
> experienced at LUA scripting if the following has any unexpected side effects:
> 
> function preresolve(dq)
>   -- Implementation of 'filter-aaaa-on-v4'
>   if dq.qtype == pdns.AAAA and dq.remoteaddr:isIPv4() then
>     dq.appliedPolicy.policyKind = pdns.policykinds.Drop
>     return false
>   else
>     return false
>   end
> end
> 
> I will run a test when I get the opportunity. Does anyone filter AAAA 
> requests for single stack clients (IPv4 only obviously)?
> 
> Thanks,
> Djerk Geurts

This policy will also apply to dual stack clients that happen to
contact the recursor over v4 to request an AAAA. There is nothing
wrong with that, but your policy will cause timeouts for the clients.
So not recommended.

-Otto

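An added example, not part of Djerk's post and not code from the PowerDNS project: a 'filter-aaaa-on-v4' style preresolve hook that takes Otto's objection into account. Instead of dropping every AAAA query that arrives over IPv4, which makes dual-stack clients wait for a timeout, it answers with an empty NOERROR (NODATA) response, and only for client subnets the operator knows to be IPv4-only. The two netmasks are assumed placeholder ranges; the script is meant to be loaded through the recursor's lua-dns-script setting.

```lua
-- Added example, not taken from the mailing list thread or the PowerDNS sources.
-- Loaded through the recursor's lua-dns-script setting.
--
-- 'filter-aaaa-on-v4' without the timeout problem: AAAA queries from IPv4-only
-- client networks get an empty NOERROR (NODATA) answer instead of being dropped,
-- so the client moves on to its A record at once rather than waiting for a
-- timeout. Dual-stack clients that merely reach the recursor over IPv4 are left
-- alone because the filter is limited to an explicit list of IPv4-only subnets.

-- Assumption: these are the operator's IPv4-only client subnets (placeholders).
local v4OnlyClients = newNMG()
v4OnlyClients:addMask("192.0.2.0/24")
v4OnlyClients:addMask("198.51.100.0/24")

function preresolve(dq)
  if dq.qtype == pdns.AAAA
     and dq.remoteaddr:isIPv4()
     and v4OnlyClients:match(dq.remoteaddr) then
    -- No records are added and the rcode is NOERROR: an empty answer (NODATA).
    -- Returning true tells the recursor the query has been answered here.
    dq.rcode = pdns.NOERROR
    return true
  end
  -- Everything else, including AAAA from dual-stack or IPv6 clients, resolves normally.
  return false
end
```

Two caveats. The synthesised answer carries no SOA or NSEC records, so a DNSSEC-validating stub or a downstream validating resolver will treat it as bogus; this is only suitable for clients that do not validate. And when clients reach the recursor through dnsdist, dq.remoteaddr is dnsdist's address unless the proxy protocol is in use, so the netmask check has to be written for whatever address the recursor actually sees.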


Re: [Pdns-users] pdns stop responding and restarted himself

2023-10-19 Thread Otto Moerbeek via Pdns-users
On Thu, Oct 19, 2023 at 11:36:13AM +0200, Steffan via Pdns-users wrote:

> Hello,
> 
> I have 2 DNS servers.
> Both running on CentOS, each with its own replicated MySQL backend.
> 
> Yesterday both DNS servers stopped responding for 3 minutes.
> 
> In the period of 3 minutes I see a lot of lines for the same domain.
> 
> Pdns then restarted by itself, and again the flood of this domain.
> 
>  
> 
> Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 91.202.230.18 wants
> 'lp2.xxx.com|A', do = 1, bufsize = 1232 (4096): packetcache MISS
> 
> Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 46.51.160.145 wants
> 'ns34.xxx.com|A', do = 1, bufsize = 1232: packetcache MISS
> 
> Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 192.73.240.129 wants
> 'thai.xxx.com|A', do = 1, bufsize = 1232: packetcache MISS
> 
> Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 146.112.128.69 wants
> 'auth-hack.xxx.com|A', do = 1, bufsize = 1232 (1410): packetcache HIT
> 
> Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 117.54.16.252 wants
> 'payments.xxx.com|A', do = 1, bufsize = 1232 (4096): packetcache MISS
> 
> Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 2a02:2f0e:5fff:::2
> wants 'skyline.xxx.com|A', do = 1, bufsize = 1232 (4096): packetcache MISS
> 
> Oct 18 21:40:47 ns1 pdns_server[2135429]: Remote 2a04:c602:409:fe::27 wants
> 'app3.xxx.com|A', do = 1, bufsize = 1232: packetcache MISS

Logging each request is not wise; disabling that will probably make
your server able to handle way more requests per second.

-Otto

> 
> After this:
> 
> Oct 18 21:42:36 ns1 systemd[1]: pdns.service: Service RestartSec=1s expired,
> scheduling restart.
> 
> Oct 18 21:42:36 ns1 systemd[1]: pdns.service: Scheduled restart job, restart
> counter is at 59.
> 
> Oct 18 21:42:36 ns1 systemd[1]: Stopped PowerDNS Authoritative Server.
> 
> Oct 18 21:42:36 ns1 systemd[1]: Starting PowerDNS Authoritative Server...
> 
> Oct 18 21:42:36 ns1 rsyslogd[795583]: imjournal: 102527 messages lost due to
> rate-limiting (2 allowed within 600 seconds)
> 
> Oct 18 21:42:36 ns1 systemd[1]: Started PowerDNS Authoritative Server.
> 
> Oct 18 21:42:36 ns1 systemd[1]: pdns.service: Main process exited,
> code=exited, status=1/FAILURE
> 
> Oct 18 21:42:36 ns1 systemd[1]: pdns.service: Failed with result
> 'exit-code'.
> 
> Oct 18 21:42:37 ns1 systemd[1]: pdns.service: Service RestartSec=1s expired,
> scheduling restart.
> 
> Oct 18 21:42:37 ns1 systemd[1]: pdns.service: Scheduled restart job, restart
> counter is at 60.
> 
> Oct 18 21:42:37 ns1 systemd[1]: Stopped PowerDNS Authoritative Server.
> 
> -
> 
>  
> 
> Oct 18 21:42:51 ns1 systemd[1]: Starting PowerDNS Authoritative Server...
> 
> Oct 18 21:42:53 ns1 systemd-journald[218]: Suppressed 80113 messages from
> pdns.service
> 
> Oct 18 21:42:53 ns1 pdns_server[2514841]: Failed to retrieve security status
> update for '4.8.2' on 'auth-4.8.2.security-status.secpoll.powerdns.com.':
> RCODE was Server Failure
> 
> Oct 18 21:42:53 ns1 pdns_server[2514841]: gmysql Connection successful.
> Connected to database 'powerdns' on '127.0.0.1'.
> 
> Oct 18 21:42:53 ns1 pdns_server[2514841]: Creating backend connection for
> TCP
> 
> Oct 18 21:42:53 ns1 pdns_server[2514841]: Primary/secondary communicator
> launching
> 
> Oct 18 21:42:53 ns1 pdns_server[2514841]: gmysql Connection successful.
> Connected to database 'powerdns' on '127.0.0.1'.
> 
> Oct 18 21:42:53 ns1 pdns_server[2514841]: gmysql Connection successful.
> Connected to database 'powerdns' on '127.0.0.1'.
> 
> Oct 18 21:42:53 ns1 pdns_server[2514841]: About to create 3 backend threads
> for UDP
> 
>  
> 
> Then again a lot of the same lines for the same domain.
> After 3:36 minutes DNS was responding normally and the requests are back to
> normal.
> So it looks like some kind of attack.
> 
> Is there something I can do to prevent this in the future?
> 
> Kind regards,
> 
> Steffan Noord
> 



[Pdns-users] Second Alpha Release of PowerDNS Recursor 5.0.0

2023-10-17 Thread Otto Moerbeek via Pdns-users
   Hello,

   We are proud to announce the second alpha release of PowerDNS Recursor
   5.0.0.

   Compared to the latest 4.9 release, this pre-release features the
   ability to read settings from YAML files, enhancing structure,
   processing and error-checking of settings.

   There is also an internal change: the code processing the YAML file is
   written in Rust and generated from a table. The former allows for more
   secure code and the latter has the big advantage that old-style
   settings, YAML settings and [1]documentation are automatically kept in
   sync.

   Current old-style settings are still supported without change. There is
   a semi-automatic [2]process to convert old setting files to the new
   format. A future release will remove support for the old-style
   settings.

   Introducing Rust code implies that the build procedure has changed. We
   encourage third-party package maintainers to take this alpha release
   and adapt their builds and provide feedback on this conversion. Our own
   package builds for various distributions are already adapted.

   We invite everybody to test this alpha release. Some suggestions of
   things to test:

 * Reading an existing old-style configuration works as expected
 * Converting existing settings file(s) to YAML using the conversion
   guide
 * Running a converted or newly created YAML configuration
 * (Automatic) conversion of configuration files managed by the
   Recursor through its REST API

   In addition to YAML settings, this pre-release also includes the
   following changes:

 * The recursor now has dedicated thread(s) to process incoming TCP
   queries
 * Improvements to the handling of a few edge cases related to NS
   records
 * A few files that are generated are now packaged in the source
   tarball, so that package builds do not have to generate them.

   As always, there are also many smaller bug fixes and improvements,
   please refer to the [3]changelog for additional details. When upgrading
   do not forget to check the [4]upgrade guide.

   Please send us all feedback and issues you might have via
   the [5]mailing list, or in case of a bug, via [6]GitHub.

   The [7]tarball ([8]signature) is available from our
   download [9]server and packages for several distributions are available
   from our [10]repository.

   With the upcoming final 5.0.0 release, the 4.7.x releases will be EOL
   and the 4.8.x and 4.9.x releases will go into critical fixes only mode.
   Consult the EOL [11]policy for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://docs.powerdns.com/recursor/yamlsettings.html
   2. https://docs.powerdns.com/recursor/appendices/yamlconversion.html
   3. https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.0-alpha2
   4. https://docs.powerdns.com/recursor/upgrade.html
   5. https://mailman.powerdns.com/mailman/listinfo/pdns-users
   6. https://github.com/PowerDNS/pdns/issues/new/choose
   7. https://downloads.powerdns.com/releases/pdns-recursor-5.0.0-alpha2.tar.bz2
   8. https://downloads.powerdns.com/releases/pdns-recursor-5.0.0-alpha2.tar.bz2.sig
   9. https://downloads.powerdns.com/releases/
  10. https://repo.powerdns.com/
  11. https://docs.powerdns.com/recursor/appendices/EOL.html


--

kind regards,
Otto Moerbeek
PowerDNS Developer





Re: [Pdns-users] Error prio events with loglevel 2

2023-09-17 Thread Otto Moerbeek via Pdns-users
On Sun, Sep 17, 2023 at 12:32:11PM +0200, Christoph via Pdns-users wrote:

> Thanks for looking into this.
> I've filed it as a github issue now.
> 
> As a workaround I'm now trying to block these DNS queries in dnsdist, so
> they do not reach recursor and the logs:
> 
> addAction(QTypeRule(qtype from the logs), RCodeAction(DNSRCode.NOTIMP))
> 
> best regards,
> Christoph

I have made a note to look into this. The recursor is not supposed to
submit internal tasks with that qtype.

-Otto


Re: [Pdns-users] Error prio events with loglevel 2

2023-09-16 Thread Otto Moerbeek via Pdns-users
On Sat, Sep 16, 2023 at 05:40:42PM +0200, Otto Moerbeek via Pdns-users wrote:

> On Sat, Sep 16, 2023 at 05:19:01PM +0200, Otto Moerbeek via Pdns-users wrote:
> 
> > On Sat, Sep 16, 2023 at 12:04:16PM +0200, Christoph via Pdns-users wrote:
> > 
> > > Hello,
> > > 
> > > we changed our recursor loglevel from 3 to 2 with the intention to avoid
> > > logging these events because they contain qnames:
> > > 
> > > msg="qtype unsupported" error="Cannot push task" subsystem="taskq" 
> > > level="0"
> > > prio="Error" tid="6" ts="..." name="..." netmask="" qtype="TYPE65535"
> > > 
> > > but these events are still in the logs after the config change and a 
> > > service
> > > restart.
> > > 
> > > Are these expected log entries with loglevel 2?
> > 
> > This is a bit confusing. The determining thing is prio. That name
> > derives from the name as used in the syslog man page, e.g.
> > https://www.man7.org/linux/man-pages/man3/syslog.3.html
> > 
> > It's a historical accident that this is called Loglevel in the
> > settings file.
> 
> But to answer your question better, it *is* surprising. loglevel=2 should
> exclude prio=Error, as Error corresponds to prio 3.

The explanation can be found in rec-main:

    if (s_logUrgency < Logger::Error) {
      s_logUrgency = Logger::Error;
    }
    if (!g_quiet && s_logUrgency < Logger::Info) { // Logger::Info=6, Logger::Debug=7
      s_logUrgency = Logger::Info; // if you do --quiet=no, you need Info to also see the query log
    }
    g_log.setLoglevel(s_logUrgency);
    g_log.toConsole(s_logUrgency);


This means that in these two cases s_logUrgency gets overridden, so
the effective loglevel is different from what you expect.

Apart from re-evaluating this, we might ponder a structured logging
backend that filters out privacy sensitive information, independent of
log/prio considerations. e.g. that would never print values of keys
"qname" (and a few more). But this is all something of a somewhat vague
idea.

-Otto



Re: [Pdns-users] Error prio events with loglevel 2

2023-09-16 Thread Otto Moerbeek via Pdns-users
On Sat, Sep 16, 2023 at 05:19:01PM +0200, Otto Moerbeek via Pdns-users wrote:

> On Sat, Sep 16, 2023 at 12:04:16PM +0200, Christoph via Pdns-users wrote:
> 
> > Hello,
> > 
> > we changed our recursor loglevel from 3 to 2 with the intention to avoid
> > logging these events because they contain qnames:
> > 
> > msg="qtype unsupported" error="Cannot push task" subsystem="taskq" level="0"
> > prio="Error" tid="6" ts="..." name="..." netmask="" qtype="TYPE65535"
> > 
> > but these events are still in the logs after the config change and a service
> > restart.
> > 
> > Are these expected log entries with loglevel 2?
> 
> This is a bit confusing. The determining thing is prio. That name
> derives from the name as used in the syslog man page, e.g.
> https://www.man7.org/linux/man-pages/man3/syslog.3.html
> 
> It's a historical accident that this is called Loglevel in the
> settings file.

But to answer your question better, it *is* surprising. loglevel=2 should
exclude prio=Error, as Error corresponds to prio 3.

-Otto


Re: [Pdns-users] Error prio events with loglevel 2

2023-09-16 Thread Otto Moerbeek via Pdns-users
On Sat, Sep 16, 2023 at 12:04:16PM +0200, Christoph via Pdns-users wrote:

> Hello,
> 
> we changed our recursor loglevel from 3 to 2 with the intention to avoid
> logging these events because they contain qnames:
> 
> msg="qtype unsupported" error="Cannot push task" subsystem="taskq" level="0"
> prio="Error" tid="6" ts="..." name="..." netmask="" qtype="TYPE65535"
> 
> but these events are still in the logs after the config change and a service
> restart.
> 
> Are these expected log entries with loglevel 2?

This is a bit confusing. The determining thing is prio. That name
derives from the name as used in the syslog man page, e.g.
https://www.man7.org/linux/man-pages/man3/syslog.3.html

It's a historical accident that this is called Loglevel in the
settings file.

-Otto



Re: [Pdns-users] edns

2023-09-14 Thread Otto Moerbeek via Pdns-users
I asked for complete, unedited configs, both old and new. This way I
cannot help you.

-Otto

On Fri, Sep 15, 2023 at 02:09:11AM -0300, Alex Trevisol wrote:

> in my old configuration it was enough to activate the option
> 
> # edns-subnet-whitelist   List of netmasks and domains that we should enable EDNS subnet for (deprecated)
> edns-subnet-whitelist=0.0.0.0/0, ::/0
> 
> 
> new configuration
> 
> # edns-subnet-allow-list   List of netmasks and domains that we should enable EDNS subnet for
> #
> edns-subnet-allow-list=0.0.0.0/0, ::/0
> 
> 
> #
> # ecs-add-for   List of client netmasks for which EDNS Client Subnet will be added
> #
> ecs-add-for=0.0.0.0/0, ::/0, !127.0.0.0/8, !10.0.0.0/8, !100.64.0.0/10, !169.254.0.0/16, !192.168.0.0/16, !172.16.0.0/12, !::1/128, !fc00::/7, !fe80::/10
> 
> 
> On Fri, 15 Sep 2023 at 01:38, Otto Moerbeek 
> wrote:
> 
> > On Fri, Sep 15, 2023 at 12:49:56AM -0300, Alex Trevisol via Pdns-users
> > wrote:
> >
> > > hello,
> > >
> > > I reinstalled my recursor server, and took advantage of it and installed
> > > pdns-recursor 4.9, but I did the basic configuration and activated Edns
> > in
> > > the same way it was before.
> > > edns-subnet-allow-list=0.0.0.0/0, ::/0 however the recursor does not
> > > respond to queries with edns as if it had not been activated. Any tips on
> > > what I'm doing wrong?
> >
> > Possibly you did not set
> > https://docs.powerdns.com/recursor/settings.html#ecs-add-for
> >
> > But we can only really help you if you list your *complete* old and new
> > config.
> >
> > -Otto
> >


Re: [Pdns-users] edns

2023-09-14 Thread Otto Moerbeek via Pdns-users
On Fri, Sep 15, 2023 at 12:49:56AM -0300, Alex Trevisol via Pdns-users wrote:

> hello,
> 
I reinstalled my recursor server, and took advantage of it and installed
> pdns-recursor 4.9, but I did the basic configuration and activated Edns in
> the same way it was before.
> edns-subnet-allow-list=0.0.0.0/0, ::/0 however the recursor does not
> respond to queries with edns as if it had not been activated. Any tips on
> what I'm doing wrong?

Possibly you did not set 
https://docs.powerdns.com/recursor/settings.html#ecs-add-for

But we can only really help you if you list your *complete* old and new config.

-Otto


[Pdns-users] First Alpha Release of PowerDNS Recursor 5.0.0

2023-09-13 Thread Otto Moerbeek via Pdns-users
   We are proud to announce the first alpha release of PowerDNS Recursor
   5.0.0.

   This pre-release features the ability to read settings from YAML files,
   enhancing structure, processing and error-checking of settings.

   There is also an internal change: the code processing the YAML file is
   written in Rust and generated from a table. The former allows for more
   secure code and the latter has the big advantage that old-style
   settings, YAML settings and documentation[1] are automatically kept in
   sync.

   Current old-style settings are still supported without change. There is
   a semi-automatic process[2] to convert old setting files to the new
   format. A future release will remove support for the old-style
   settings.

   Introducing Rust code implies that the build procedure has changed. We
   encourage third-party package maintainers to take this alpha release
   and adapt their builds and provide feedback on this conversion. Our own
   package builds for various distributions are already adapted.

   We invite everybody to test this alpha release. Some suggestions of
   things to test:

 * Reading an existing old-style configuration works as expected
 * Converting existing settings file(s) to YAML using the conversion
   guide
 * Running a converted or newly created YAML configuration

   As always, there are also many smaller bug fixes and improvements,
   please refer to the changelog[3] for additional details. When upgrading
   do not forget to check the upgrade guide.[4]

   Please send us all feedback and issues you might have via the mailing
   list[5], or in case of a bug, via GitHub[6].

   The tarball[7] (signature[8]) is available from our
   download server[9] and packages for several distributions are available
   from our repository[10].

   With the upcoming final 5.0.0 release, the 4.7.x releases will be EOL
   and the 4.8.x and 4.9.x releases will go into critical fixes only mode.
   Consult the EOL policy[11] for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://docs.powerdns.com/recursor/yamlsettings.html
   2. https://docs.powerdns.com/recursor/appendices/yamlconversion.html
   3. https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.0-alpha1
   4. https://docs.powerdns.com/recursor/upgrade.html
   5. https://mailman.powerdns.com/mailman/listinfo/pdns-users
   6. https://github.com/PowerDNS/pdns/issues/new/choose
   7. https://downloads.powerdns.com/releases/pdns-recursor-5.0.0-alpha1.tar.bz2
   8. 
https://downloads.powerdns.com/releases/pdns-recursor-5.0.0-alpha1.tar.bz2.sig
   9. https://downloads.powerdns.com/releases/
  10. https://repo.powerdns.com/
  11. https://docs.powerdns.com/recursor/appendices/EOL.html


--

kind regards,
Otto Moerbeek
PowerDNS Developer







Re: [Pdns-users] IXFR with PowerDNS

2023-09-12 Thread Otto Moerbeek via Pdns-users
On Mon, Sep 11, 2023 at 11:44:57AM +0200, Thomas Mieslinger via Pdns-users 
wrote:

> Hi all,
> 
> I switched an Active Directory Zone to IXFR instead of AXFR.
> 
> When doing AXFR all records have "auth=1" in the MySQL Backend.
> 
> When doing IXFR the individually updated records get "auth=0" including
> the SOA record. Consequently the zone is not served anymore by PowerDNS.
> 
> What can I change to IXFRs write the records with "auth=1" to the database?
> 
> Thanks Thomas

There are basic regression tests for IXFR that check the resulting
records are served by auth correctly, so we have to find out why auth
becomes 0 in your case. One thing that can make a difference is DNSSEC,
since signed zones have different handling of the auth field in the
DB.

So we need full information: config, zone details, logs, with captures
of the incoming IXFR and the database content before and after the IXFR.

It's probably more convenient to create a github issue with all the
information.

-Otto


Re: [Pdns-users] Recursor Cache Sizing: Is more always better?

2023-09-10 Thread Otto Moerbeek via Pdns-users
On Sun, Sep 10, 2023 at 02:37:49PM +0200, Christoph via Pdns-users wrote:

> > Another word of advice: see
> > 
> > https://docs.powerdns.com/recursor/performance.html#threading-and-distribution-of-queries
> > 
> > in particular the "imbalance" section.
> 
> Thanks for the pointer, changing this had a significant positive impact.
> 
> This feels like an important metric to monitor.
> I was not able to find the per thread query counter in the rec prometheus
> metrics. Is there one?
> Using pdns_recursor_cpu_msec as a workaround for now.

The queries per thread is missing from all stats except the periodic
stats in the log. It's on my list of things to do: adding it to the
general stats mechanism, making it visible using rec_control get-all,
carbon, Prometheus and SNMP.

-Otto


Re: [Pdns-users] Recursor Cache Sizing: Is more always better?

2023-09-09 Thread Otto Moerbeek via Pdns-users
On Sat, Sep 09, 2023 at 11:20:30AM +0200, Christoph via Pdns-users wrote:

> > Agreed, I think that general rules are hard to give for cache sizing,
> > as each site and its users are different. Do remember that the packet
> > cache was changed in 4.9.0, it is now shared between threads. This means
> > that its performance and behaviour wrt hit ratio etc did change as
> > well. The difference (for the better!) will be mostly noticeable when
> > pdns-distributes-queries=no
> 
> Thanks for pointing that out, I've removed pdns-distributes-queries and
> distributor-threads from our config to take advantage of the defaults.

Another word of advice: see

https://docs.powerdns.com/recursor/performance.html#threading-and-distribution-of-queries

in particular the "imbalance" section. 

-Otto


Re: [Pdns-users] Recursor forwarder DoT configuration

2023-09-09 Thread Otto Moerbeek via Pdns-users
On Sat, Sep 09, 2023 at 08:07:02AM +0200, Christoph via Pdns-users wrote:

> > I do wonder about the purpose of the recursor in the
> > 
> > recursor -> dnsdist -> upstream-recursive
> > 
> > case. You might as well use
> > 
> > dnsdist -> upstream-recursive
> > 
> > With a caching dnsdist.
> > Unless you need recursor specific functionality, of course.
> 
> It was my impression that dnsdist was meant for smaller caches not for large
> caches in the order of several GB of cached records (with prefetching and
> DNSSEC validation functionality)

If you need DNSSEC validation you must use recursor, dnsdist cannot do
that. Others might reflect on the dnsdist cache performance and hit
ratios compared to recursor's packet cache and/or record cache. Do
note that dnsdist cache is more like the recursor's packet cache. The
recursor's record cache is different in purpose and structure.

-Otto

> but if we can remove something in the chain that might probably benefit
> latency, CPU usage and reduce complexity, so I'm very open for suggestions.
> I've also some generic question about cache sizing that I'll put in a second
> email.
> 
> We will also publish our entire setup and what we are actually aiming to
> achieve with it. We find it wonderful that dnsdist allows us to offer
> multiple DNS privacy services with distinct privacy properties using a
> single dnsdist configuration.
> 
> best regards,
> Christoph


Re: [Pdns-users] Recursor Cache Sizing: Is more always better?

2023-09-09 Thread Otto Moerbeek via Pdns-users
On Sat, Sep 09, 2023 at 09:59:19AM +0200, Winfried via Pdns-users wrote:

> Hi Christoph,
> 
> My recommendation is to limit the TTL to 12 or 6 hours and find out how many 
> cache entries are created during this time. Increase that by 50% and that's 
> your value. You'll see that it doesn't require that much memory space.
> 
> Winfried 
> 
> Am 9. September 2023 09:15:04 MESZ schrieb Christoph via Pdns-users 
> :
> >Hi,
> >
> >if you have 20 or 100 GB of free RAM
> >what is a good approach to choose the different Recursor's cache sizes?
> >
> >Is larger always better or is there a sweet spot
> >between cache size, cache lookup time, cache management overhead and CPU 
> >usage? How does upstream latency fit into the equation?
> >
> >In our case we consider caching and prefetching also an important privacy 
> >property to decouple inbound and outbound queries to some extent.
> >
> >We have different kinds of setups:
> >- fully recursive resolvers
> >- forwarding resolvers (~12ms upstream latency)
> >
> >best regards,
> >Christoph

Agreed, I think that general rules are hard to give for cache sizing,
as each site and its users are different. Do remember that the packet
cache was changed in 4.9.0, it is now shared between threads. This means
that its performance and behaviour wrt hit ratio etc did change as
well. The difference (for the better!) will be mostly noticeable when
pdns-distributes-queries=no

-Otto


Re: [Pdns-users] Recursor forwarder DoT configuration

2023-09-08 Thread Otto Moerbeek via Pdns-users
On Fri, Sep 08, 2023 at 11:56:07PM +0200, Christoph via Pdns-users wrote:

> Thanks a lot for the fast reply, very much appreciated!
> best regards,
> Christoph

I do wonder about the purpose of the recursor in the

recursor -> dnsdist -> upstream-recursive

case. You might as well use 

dnsdist -> upstream-recursive

With a caching dnsdist.
Unless you need recursor specific functionality, of course.

-Otto



Re: [Pdns-users] Recursor forwarder DoT configuration

2023-09-08 Thread Otto Moerbeek via Pdns-users
On Fri, Sep 08, 2023 at 04:50:18PM +0200, Christoph via Pdns-users wrote:

> Hello!
> 
> I'm looking for documentation about configuring
> recursor to talk DoT to a recursive resolver.
> 
> This minimal config works:
> 
> dot-to-port-853=yes
> forward-zones-recurse=.=1.1.1.1:853;1.0.0.1:853
> 
> but compared to DNSdist newServer() configuration options
> I'm not sure about:
> 
> - does it validate the server certificate? how do I configure the name when
> performing certificate verification?

No validation is done, this is hinted at in
https://docs.powerdns.com/recursor/settings.html#dot-to-auth-names

> - does it support TCP fast open?

Yes, if tcp-fast-open-connect=yes, but please read
https://docs.powerdns.com/recursor/performance.html#tcp-fast-open-support

> - does it support out of order processing?

No, but it will keep outgoing connections open for a while and
re-use if the opportunity arises. Some rules as regular TCP outgoing
queries apply, see the tcp-out-* settings.

> - how are queries distributed across multiple servers?

The recursor will use the fastest, but probe the slower ones once in a
while to get up-to-date round-trip times.

> Or is it generally better to have a
> recursor -> dnsdist -> upstreams resolver
> setup to be able to use dnsdist's configuration options there?

If you have reasons to need these features, then yes.

> 
> best regards,
> Christoph


Re: [Pdns-users] CPU Usage Regression in Recursor 4.9.1?

2023-09-04 Thread Otto Moerbeek via Pdns-users
On Mon, Sep 04, 2023 at 10:49:23AM +0200, Otto Moerbeek via Pdns-users wrote:

> On Mon, Sep 04, 2023 at 10:30:38AM +0200, Christoph via Pdns-users wrote:
> 
> > 
> > > Thanks, recursor is now running with aggressive-nsec-cache-size=0
> > > and I'll report my findings after a few days.
> > 
> > Already after less than a day I can say that this setting mitigates
> > the problem, thank you very much!
> > The CPU usage is significantly lower and stopped growing after 12 hours at a
> > lower level than without the setting. Also the drop rate is back to an usual
> > level.
> > 
> > 'Timeout while waiting for the health check response from backend'
> > event counts also got reduced drastically:
> > 
> >4529 2023-09-03
> >  65 2023-09-04 (10hours only)
> > 
> > 
> > Is this related to this 4.9.1 changelog entry?
> > > Replace data in the aggressive cache if new data becomes available.
> > > 
> > > References: #13106, pull request 13161
> 
> Yes, that is very likely. I do not understand the issue completely
> yet, in my testing the changes do not cause any significant change in
> CPU time. But I'm on it.
> 
>   -Otto

Would it be possible to give me some stats on the aggressive cache on the
node(s) showing the issue? Specifically, the values over time of

aggressive-nsec-cache-entries
aggressive-nsec-cache-nsec-hits
aggressive-nsec-cache-nsec-wc-hits  
aggressive-nsec-cache-nsec3-hits
aggressive-nsec-cache-nsec3-wc-hits

The first is the most interesting.

-Otto




[Pdns-users] PowerDNS Recursor 4.9.0 Released

2023-06-30 Thread Otto Moerbeek via Pdns-users
   We are proud to announce the release of PowerDNS Recursor 4.9.0.

   Compared to the previous major (4.8) release of PowerDNS Recursor, this
   release contains the following major changes:

 * The performance impact of metrics collection has been reduced by
   using lock-free non-atomic thread-local counters.
 * The packet cache is sharded and shared by all threads.
 * The TTL of negative answers in the packet cache can now be
   controlled separately from positive and failure answers.
 * The rec_control trace_regex command writes the generated trace
   information to a specified file instead of the general log. The
   trace information contains more precise timestamps and DNSSEC
   validation information.
 * If extended-resolution-errors[1] is enabled, EDNS errors are now
   generated in more cases, specifically when authoritative servers
   for a zone are unreachable or when synthesising answers by e.g.
   using the aggressive NSEC cache.
 * The aggressive NSEC cache has been changed not to store NSEC3
   entries which cover only a small fraction[2] of possible names.
   This also allows switching off the aggressive cache for NSEC3 only.
 * It is now possible to switch off root-refreshing[3] completely.
 * Proper handling of security policies that restrict[4] the use of
   specific DNSSEC algorithms on RHEL9 derived systems.

   As a follow-up to the shared packet cache, the default way the recursor
   distributes requests over worker threads has now been changed to let
   the operating system kernel do that, by changing the defaults
   of pdns-distributes-queries[5] to no and reuseport[6] to yes. Though
   our testing has shown benefits to this approach, we have seen that in
   some cases (depending on OS and client traffic patterns) this can have
   negative consequences: the queries are not distributed equally over the
   worker threads. See the performance[7] section of the online docs for
   details on how to diagnose and remedy this imbalance.

   As always, there are also many smaller bug fixes and improvements,
   please refer to the changelog[8] for additional details. When upgrading
   do not forget to check the upgrade guide[9].

   Please send us all feedback and issues you might have via the mailing
   list[10], or in case of a bug, via GitHub[11].

   The tarball[12] (signature[13]) is available from our
   download server[14] and packages for several distributions are
   available from our repository[15].

   With this final 4.9.0 release, the 4.6.x releases will be EOL and the
   4.7.x and 4.8.x releases will go into critical fixes only mode. Consult
   the EOL policy[16] for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. 
https://docs.powerdns.com/recursor/settings.html#extended-resolution-errors
   2. 
https://docs.powerdns.com/recursor/settings.html#aggressive-cache-min-nsec3-hit-ratio
   3. https://docs.powerdns.com/recursor/settings.html#hint-file
   4. 
https://docs.powerdns.com/recursor/settings.html#dnssec-disabled-algorithms
   5. https://docs.powerdns.com/recursor/settings.html#pdns-distributes-queries
   6. https://docs.powerdns.com/recursor/settings.html#reuseport
   7. https://docs.powerdns.com/recursor/performance.html
   8. https://doc.powerdns.com/recursor/changelog/4.9.html#change-4.9.0
   9. https://docs.powerdns.com/recursor/upgrade.html
  10. https://mailman.powerdns.com/mailman/listinfo/pdns-users
  11. https://github.com/PowerDNS/pdns/issues/new/choose
  12. https://downloads.powerdns.com/releases/pdns-recursor-4.9.0.tar.bz2
  13. https://downloads.powerdns.com/releases/pdns-recursor-4.9.0.tar.bz2.sig
  14. https://downloads.powerdns.com/releases/
  15. https://repo.powerdns.com/
  16. https://docs.powerdns.com/recursor/appendices/EOL.html


--

kind regards,
Otto Moerbeek
PowerDNS Developer



Email: otto.moerb...@open-xchange.com


-
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 
95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt

PowerDNS.COM BV, Koninginnegracht 14L, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt, Maxim Letski
-




Re: [Pdns-users] Pdns recursor - forward-zones-file not working

2023-06-19 Thread Otto Moerbeek via Pdns-users
On Mon, Jun 19, 2023 at 05:10:01PM +0100, Djerk Geurts via Pdns-users wrote:

> Hi all,
> 
> Reading up on recursor settings I found that with forward-zones-file one can 
> set recurse an RD flag and also add domains to an allow-notify-for list.
> 
> "Zones prefixed with a ‘+’ are treated as with forward-zones-recurse 
> . 
> Default behaviour without ‘+’ is as with forward-zones 
> ."
> 
> "Zones prefixed with a ‘^’ are added to the allow-notify-for 
>  list. Both 
> prefix characters can be used if desired, in any order."
> 
> However, when I try this. I get the following errors thrown no matter whether 
> I use either ‘+’, ‘^’, both or without.
> 
> Jun 19 17:56:04 rdns.local.domain.com systemd[1]: Starting PowerDNS Recursor…
> 
> Jun 19 17:56:04 rdns.local.domain.com pdns-recursor[3200410]: Jun 19 17:56:04 
> msg="Fatal error" error="Trying to set unknown setting ‘domain.com'" 
> subsystem="config" level="0" prio="Critical" tid="0" ts="1687190164.328" 
> exception="PDNSException"
> 
> Jun 19 17:56:04 rdns.local.domain.com [3200410]: msg="Fatal error" 
> error="Trying to set unknown setting ‘domain.com'" subsystem="config" 
> level="0" prio="Critical" tid="0" ts="1687190164.328" 
> exception="PDNSException"
> 
> Jun 19 17:56:04 rdns.local.domain.com systemd[1]: pdns-recursor.service: Main 
> process exited, code=exited, status=1/FAILURE
> 
> Jun 19 17:56:04 rdns.local.domain.com systemd[1]: pdns-recursor.service: 
> Failed with result 'exit-code'.
> 
> Jun 19 17:56:04 rdns.local.domain.com systemd[1]: Failed to start PowerDNS 
> Recursor.
> 
> Has the format of this file changed?

No. 

Please show your recursor.conf and the forwarding file.

-Otto
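The entries in this thread and the `forward-zones-recurse=.=1.1.1.1:853;1.0.0.1:853` line in the DoT thread above share the same `zone=server;server` syntax, so one added example serves both: a parser for forward-zones, forward-zones-recurse and forward-zones-file entries, and an out-of-band certificate check for a DoT forwarder, which matters because, as Otto says above, the recursor does not validate the upstream certificate itself. This is example code written for this page, not part of PowerDNS. The sample file is constructed; `dot_servers` encodes the rule stated in the DoT thread (DoT only to port 853, only with dot-to-port-853=yes); names instead of addresses are accepted because Recursor 5.1 allows them, older releases do not; and `cloudflare-dns.com` in the usage comment is an assumed expected name to replace with whatever name your upstream's certificate carries.

```python
"""Parse PowerDNS Recursor forwarding entries (forward-zones,
forward-zones-recurse and forward-zones-file syntax) and check an upstream
DoT forwarder's certificate out of band."""
import ipaddress
import socket
import ssl
import sys
from dataclasses import dataclass


@dataclass
class Forward:
    zone: str
    servers: list          # [(host, port), ...]
    recurse: bool = False  # '+' prefix in the file, or the forward-zones-recurse setting
    notify: bool = False   # '^' prefix: zone is added to allow-notify-for


def parse_server(token, default_port=53):
    """'192.0.2.1', '192.0.2.1:853', '[2001:db8::1]:853' or '2001:db8::1' -> (host, port)."""
    token = token.strip()
    if token.startswith("["):                     # bracketed IPv6, optional port
        host, _, rest = token[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else default_port
    elif token.count(":") == 1:                   # IPv4 or name with port
        host, _, port_s = token.partition(":")
        port = int(port_s)
    else:                                         # bare IPv4, bare IPv6 or bare name
        host, port = token, default_port
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port in {token!r}")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        # Not an address: a name (Recursor 5.1+ resolves it via the system resolver).
        labels = host.strip(".").split(".")
        if not all(lab and all(c.isalnum() or c == "-" for c in lab) for lab in labels):
            raise ValueError(f"bad forwarder {token!r}") from None
    return host, port


def parse_entry(text, recurse=False):
    """One 'zone=server;server' entry; leading '+' and/or '^' are the
    forward-zones-file prefixes quoted in the thread."""
    text = text.strip()
    notify = False
    while text and text[0] in "+^":
        if text[0] == "+":
            recurse = True
        else:
            notify = True
        text = text[1:]
    zone, sep, servers = text.partition("=")
    if not sep:
        raise ValueError(f"missing '=' in {text!r}")
    zone = zone.strip().lower().rstrip(".") or "."
    servers = [parse_server(s) for s in servers.split(";") if s.strip()]
    if not servers:
        raise ValueError(f"no forwarders for zone {zone!r}")
    return Forward(zone, servers, recurse, notify)


def parse_setting(value, recurse=False):
    """Value of forward-zones / forward-zones-recurse: comma-separated entries."""
    return [parse_entry(e, recurse) for e in value.split(",") if e.strip()]


def parse_file(text):
    """forward-zones-file: one entry per line; lines starting with '#' are comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            entries.append(parse_entry(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return entries


def dot_servers(forward, dot_to_port_853):
    """Forwarders the recursor will talk DoT to: port 853 with dot-to-port-853=yes.
    Everything else is plaintext UDP/TCP."""
    return [(h, p) for h, p in forward.servers if dot_to_port_853 and p == 853]


def check_dot_certificate(host, port, expected_name, timeout=5.0):
    """TLS-connect to a DoT forwarder and verify chain and name against the
    system CA store; raises ssl.SSLError on failure. The recursor does not do
    this itself, so run it out of band. Returns (tls_version, subject)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=expected_name) as tls:
            return tls.version(), tls.getpeercert().get("subject")


# Constructed sample forward-zones-file (not from the thread).
SAMPLE_FORWARD_ZONES_FILE = """\
# no recursion, two servers
example.com=192.0.2.1;192.0.2.2:5300
# recurse ('+'), DoT port
+example.org=[2001:db8::53]:853
# recurse and accept NOTIFY for the zone ('^')
^+example.net=192.0.2.3
"""

if __name__ == "__main__":
    # python3 fwdcheck.py 1.1.1.1 853 cloudflare-dns.com   (expected name is an assumption)
    if len(sys.argv) == 4:
        print(check_dot_certificate(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
    else:
        for fwd in parse_file(SAMPLE_FORWARD_ZONES_FILE):
            print(fwd, "DoT:", dot_servers(fwd, True))
```

Running the parser over the file before restarting the recursor catches a line without `=`, which the recursor rejects; the certificate check gives you the authentication step that the `dot-to-port-853` path leaves out, and should be repeated whenever the upstream rotates its certificate.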


Re: [Pdns-users] signatures were invalid: EXPKEYSIG 1B0C6205FD380FBB

2023-06-07 Thread Otto Moerbeek via Pdns-users
On Wed, Jun 07, 2023 at 06:03:29PM +0200, Otto Moerbeek via Pdns-users wrote:

> On Wed, Jun 07, 2023 at 04:26:53PM +0100, Djerk Geurts via Pdns-users wrote:
> 
> > Hi all,
> > 
> > Is there an issue with the Ubuntu repo? I changed a host from 
> > focal-auth-master to focal-auth-48 and am encountering a GPG error; previously 
> > the GPG key had been updated but I see the normal key listed everywhere 
> > still.
> > 
> > Err:1 http://repo.powerdns.com/ubuntu focal-auth-48 InRelease
> >   The following signatures were invalid: EXPKEYSIG 1B0C6205FD380FBB 
> > PowerDNS Release Signing Key 
> > Reading package lists... Done
> > W: GPG error: http://repo.powerdns.com/ubuntu focal-auth-48 InRelease: The 
> > following signatures were invalid: EXPKEYSIG 1B0C6205FD380FBB PowerDNS 
> > Release Signing Key 
> > E: The repository 'http://repo.powerdns.com/ubuntu focal-auth-48 InRelease' 
> > is not signed.
> > N: Updating from such a repository can't be done securely, and is therefore 
> > disabled by default.
> > N: See apt-secure(8) manpage for repository creation and user configuration 
> > details.
> 
> Looks like the Release Signing Key expired.

Confirmed. This means validation using the current key will fail,
although the files are still valid and not changed. We will fix this as
soon as possible. It may take some time though, the right persons need
to be available.

-Otto


Re: [Pdns-users] signatures were invalid: EXPKEYSIG 1B0C6205FD380FBB

2023-06-07 Thread Otto Moerbeek via Pdns-users
On Wed, Jun 07, 2023 at 04:26:53PM +0100, Djerk Geurts via Pdns-users wrote:

> Hi all,
> 
> Is there an issue with the Ubuntu repo? I changed a host from 
> focal-auth-master to focal-auth-48 and am encountering a GPG error; previously 
> the GPG key had been updated but I see the normal key listed everywhere still.
> 
> Err:1 http://repo.powerdns.com/ubuntu focal-auth-48 InRelease
>   The following signatures were invalid: EXPKEYSIG 1B0C6205FD380FBB PowerDNS 
> Release Signing Key 
> Reading package lists... Done
> W: GPG error: http://repo.powerdns.com/ubuntu focal-auth-48 InRelease: The 
> following signatures were invalid: EXPKEYSIG 1B0C6205FD380FBB PowerDNS 
> Release Signing Key 
> E: The repository 'http://repo.powerdns.com/ubuntu focal-auth-48 InRelease' 
> is not signed.
> N: Updating from such a repository can't be done securely, and is therefore 
> disabled by default.
> N: See apt-secure(8) manpage for repository creation and user configuration 
> details.

Looks like the Release Signing Key expired.

-Otto
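EXPKEYSIG means the InRelease signature was made by a key that has since passed its expiry date; on the client side the fix is to install the refreshed public key once the key owner has extended the expiry, which keeps the same key id. As an added example (not from the thread or from PowerDNS), the following checks the keys apt trusts for a repository before that happens. It assumes GnuPG's --with-colons record layout (record type in field 1, key id in field 5, expiry as epoch seconds in field 7, capabilities in field 12); the embedded `gpg` output, its key id 0123456789ABCDEF and its dates are constructed and do not describe the PowerDNS key.

```python
"""Report expired or soon-to-expire OpenPGP keys in apt keyring files, so an
EXPKEYSIG failure is caught before `apt update` does."""
import subprocess
import time

# Constructed sample of `gpg --with-colons --show-keys KEYFILE` output:
# made-up key id and dates, validity 'e' (expired) as gpg prints it.
SAMPLE_COLONS = """\
pub:e:4096:1:0123456789ABCDEF:1600000000:1685664000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:e::::1600000000::0000000000000000000000000000000000000000::Example Release Signing Key <release@example.invalid>::::::::::0:
sub:e:4096:1:FEDCBA9876543210:1600000000:1685664000:::::s::::::23:
"""


def parse_colons(text):
    """Public keys and subkeys from GnuPG's --with-colons format."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            keys.append({
                "type": f[0],
                "keyid": f[4],
                "created": int(f[5]) if f[5] else None,
                "expires": int(f[6]) if f[6] else None,   # empty = never expires
                "caps": f[11] if len(f) > 11 else "",
            })
    return keys


def signing_keys(keys):
    """Keys able to sign (capability s/S): the ones that matter for InRelease."""
    return [k for k in keys if "s" in k["caps"].lower()]


def classify(keys, now=None, warn_days=30):
    """[(keyid, status, days_left)] with status expired / expiring / ok / never."""
    now = time.time() if now is None else now
    report = []
    for k in keys:
        exp = k["expires"]
        if exp is None:
            report.append((k["keyid"], "never", None))
            continue
        days = (exp - now) / 86400
        status = "expired" if days <= 0 else "expiring" if days < warn_days else "ok"
        report.append((k["keyid"], status, days))
    return report


def show_keys(path):
    """Run gpg on a keyring file, e.g. /etc/apt/keyrings/*.gpg or /etc/apt/trusted.gpg.d/*.gpg."""
    out = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--show-keys", path],
        check=True, capture_output=True, text=True).stdout
    return parse_colons(out)


if __name__ == "__main__":
    import sys
    # python3 keyexpiry.py /etc/apt/keyrings/*.gpg
    for path in sys.argv[1:]:
        for keyid, status, days in classify(signing_keys(show_keys(path))):
            extra = f" ({days:.0f} days)" if days is not None else ""
            print(f"{path}: {keyid} {status}{extra}")
```

Run it from a cron job with a warning window longer than your patch cycle; a key that expires while still used to sign InRelease breaks every `apt update` against that repository at once, exactly as the thread shows.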


Re: [Pdns-users] Issues with forward-zones-recurse

2023-06-03 Thread Otto Moerbeek via Pdns-users
On Fri, Jun 02, 2023 at 08:07:16PM -0300, Thiago G. Alencar via Pdns-users 
wrote:

> Hello,
> 
> I have a strange situation. When the "forward-zones-recurse" option is
> activated, after the expiration of record type A in the cache, the next
> queries will have no response but will be NOERROR.
> 
> In the log trace shows "Step0 found in cache" and completes the question
> without answer (without running the recursion)
> 
> Tests done with both pdns version 4.6 and 4.8 of recursor.
> 
> Has anyone ever had a problem like this?



This is something discussed on IRC yesterday. *This* report is pretty
useless, as it lacks full config and logs.

On IRC, (after you left), the issue was diagnosed as a case where
aggressive caching hits a problem, caused by an authoritative sending
a wrong NSEC3 answer. The problem is this wrong answer lets the
recursor conclude certain records do not exist if aggressive caching
is enabled.

This can be worked around by setting aggressive-nsec-cache-size to 0.
The upcoming 4.9.0 version will have a way to disable aggressive
caching for NSEC3 only, still allowing it for the NSEC case.

Some background info: 
https://en.blog.nic.cz/2019/07/10/error-in-dnssec-implementation-on-f5-big-ip-load-balancers/

It is sad that 4 years after this was written, buggy F5 load balancers
still cause issues for resolvers.

-Otto
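To see why one wrong NSEC3 answer lets the aggressive cache deny names that exist, here is an added example (not part of the thread or of PowerDNS): the RFC 5155 NSEC3 hash, the coverage test a cache applies to a hashed name, and a lookup that consults cached records only. The two-record chain uses the RFC 5155 Appendix A parameters (SHA-1, salt aabbccdd, 12 iterations), so the apex hash can be checked against the RFC; the `BOGUS` record is constructed to span the whole hash space and stands in for an authoritative answer whose span is wrong. The closest-encloser and wildcard steps of RFC 8198 are left out to keep the example short.

```python
"""NSEC3 hashing (RFC 5155) and the coverage test an aggressive NSEC cache
(RFC 8198) applies, showing how a wrong NSEC3 span becomes a synthesised
NXDOMAIN for a name that exists."""
import base64
import hashlib

# base32 -> base32hex (RFC 4648 extended hex alphabet), which sorts like the hash bytes
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, terminating zero byte."""
    name = name.lower().rstrip(".")
    out = bytearray()
    for label in (name.split(".") if name else []):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def nsec3_hash(name, salt=b"", iterations=0):
    """SHA-1 over wire name + salt, re-hashed `iterations` more times, base32hex (lowercase)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


class Nsec3:
    """One cached NSEC3 record: owner hash, next hashed owner, type bitmap."""

    def __init__(self, owner_hash, next_hash, types=()):
        self.owner, self.next, self.types = owner_hash.lower(), next_hash.lower(), set(types)

    def matches(self, h):
        return self.owner == h.lower()

    def covers(self, h):
        """True if h falls strictly between owner and next: proof that no name
        hashes to h. The last record in the chain wraps around to the first."""
        h = h.lower()
        if self.owner < self.next:
            return self.owner < h < self.next
        return h > self.owner or h < self.next


def aggressive_lookup(cache, qname, salt, iterations):
    """What the cache alone says about qname: 'exists' (a record owns the hash),
    'nxdomain' (a record covers it) or None (ask the authoritative servers)."""
    h = nsec3_hash(qname, salt, iterations)
    for rec in cache:
        if rec.matches(h):
            return "exists"
        if rec.covers(h):
            return "nxdomain"
    return None


# RFC 5155 Appendix A parameters: SHA-1, salt aabbccdd, 12 iterations.
SALT, ITER = bytes.fromhex("aabbccdd"), 12
H_APEX, H_A = nsec3_hash("example.", SALT, ITER), nsec3_hash("a.example.", SALT, ITER)

# A consistent two-record chain: only the apex and a.example. exist.
CHAIN = [Nsec3(H_APEX, H_A, ["NS", "SOA"]), Nsec3(H_A, H_APEX, ["A"])]
# Constructed bad record claiming the entire hash space is empty.
BOGUS = Nsec3("0" * 32, "v" * 32)


def demo():
    return {
        "chain/a.example.": aggressive_lookup(CHAIN, "a.example.", SALT, ITER),
        "chain/nosuch.example.": aggressive_lookup(CHAIN, "nosuch.example.", SALT, ITER),
        "bogus/a.example.": aggressive_lookup([BOGUS], "a.example.", SALT, ITER),
    }


if __name__ == "__main__":
    print(H_APEX)  # RFC 5155 Appendix A gives 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom for example.
    print(demo())
```

The last `demo()` entry is the failure in the thread: the cache has a record whose span includes the hash of `a.example.`, so it answers NXDOMAIN from cache for a name the zone does contain, until the entry expires or the aggressive cache is disabled for NSEC3 as 4.9.0 allows.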


[Pdns-users] First Beta Release of PowerDNS Recursor 4.9.0

2023-06-02 Thread Otto Moerbeek via Pdns-users
Hello!

   We are proud to announce the first beta release of PowerDNS Recursor
   4.9.0.

   Compared to the previous major (4.8) release of PowerDNS Recursor, this
   release contains the following major changes:

 * The performance impact of metrics collection has been reduced by
   using lock-free non-atomic thread-local counters.
 * The packet cache is sharded and shared by all threads.
 * The TTL of negative answers in the packet cache can now be
   controlled separately from positive and failure answers.
 * The rec_control trace_regex command writes the generated trace
   information to a specified file instead of the general log. The
   trace information contains more precise timestamps and DNSSEC
   validation information.
 * If [1]extended-resolution-errors is enabled EDNS errors are now
   generated in more cases, specifically when authoritative servers
   for a zone are unreachable or when synthesising answers by e.g.
   using the aggressive NSEC cache.
 * The aggressive NSEC cache has been changed to not store NSEC3
   entries which cover only a small [2]fraction of possible names.
 * It is now possible to switch off [3]root-refreshing completely.

  Feedback is appreciated!

   As a follow-up to the shared packet cache, the default way the recursor
   distributes requests over worker threads has now been changed to let
   the operating system kernel do that, by changing the defaults
   of [4]pdns-distributes-queries to no and [5]reuseport to yes. Though
   our testing has shown benefits to this approach, we have seen that in
   some rare cases (depending on OS and client traffic patterns) this can
   have negative consequences: the queries are not distributed equally
   over the worker threads. If you are running this alpha release we would
   appreciate your feedback, to be able to confirm the change of defaults
   benefits the vast majority of cases. Watch the periodic statistics
   printed by the recursor to see if the worker threads process about
   equal amounts of queries. Especially if you see an imbalance, send us
   details about the OS, hardware and configuration.

   As always, there are also many smaller bug fixes and improvements,
   please refer to the [6]changelog for additional details. When upgrading
   do not forget to check the [7]upgrade guide.

   Please send us all feedback and issues you might have via
   the [8]mailing list, or in case of a bug, via [9]GitHub.

   The [10]tarball ([11]signature) is available from our
   download [12]server and packages for several distributions are
   available from our [13]repository.

   With the future final 4.9.0 release, the 4.6.x releases will be EOL and
   the 4.7.x and 4.8.x releases will go into critical fixes only mode.
   Consult the EOL [14]policy for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. 
https://docs.powerdns.com/recursor/settings.html#extended-resolution-errors
   2. 
https://docs.powerdns.com/recursor/settings.html#aggressive-cache-min-nsec3-hit-ratio
   3. https://docs.powerdns.com/recursor/settings.html#hint-file
   4. https://docs.powerdns.com/recursor/settings.html#pdns-distributes-queries
   5. https://docs.powerdns.com/recursor/settings.html#reuseport
   6. https://doc.powerdns.com/recursor/changelog/4.9.html#change-4.9.0-beta1
   7. https://docs.powerdns.com/recursor/upgrade.html
   8. https://mailman.powerdns.com/mailman/listinfo/pdns-users
   9. https://github.com/PowerDNS/pdns/issues/new/choose
  10. https://downloads.powerdns.com/releases/pdns-recursor-4.9.0-beta1.tar.bz2
  11. 
https://downloads.powerdns.com/releases/pdns-recursor-4.9.0-beta1.tar.bz2.sig
  12. https://downloads.powerdns.com/releases/
  13. https://repo.powerdns.com/
  14. https://docs.powerdns.com/recursor/appendices/EOL.html


--

kind regards,
Otto Moerbeek
PowerDNS Developer





[Pdns-users] Solution Engineer PowerDNS

2023-05-31 Thread Otto Moerbeek via Pdns-users
Hello,
  
PowerDNS is looking for a Solutions Engineer to strengthen our Professional 
Services team.
  
See 
https://careers.open-xchange.com/job/Turin-Solution-Engineer-PowerDNS-%28mfd%29/943837355/
for all information. Please feel free to reply to me or 
peter.van.d...@powerdns.com off-list
with any questions.


   
-- 
kind regards,
Otto Moerbeek
PowerDNS Developer 


 


Re: [Pdns-users] LUA SRV records

2023-05-30 Thread Otto Moerbeek via Pdns-users
On Tue, May 30, 2023 at 11:33:32AM +0200, Kai Stian Olstad via Pdns-users wrote:

> On 29.05.2023 15:44, George Asenov via Pdns-users wrote:
> > Hello community,
> > 
> > I already searched the documentation but couldn't find an answer to my
> > questions.
> > 
> > Is it possible to add LUA SRV record which will return different
> > weight based on query source IP address?
> > 
> > Are LUA SRV records supported at all?
> 
> 
> 
> > _k8splanes._tcp.example1.com30  IN  LUA SRV "view({ {
> > {'55.55.55.55/26'}, {'1 6444 k8s-plane1.example1.com'}},{
> > {'66.66.66.66/24'}, {'5 6444 k8s-plane1.example1.com'}}})"
> > 
> > A record works as it should but SRV don't.
> 
> The documentation[1] say this for view:
> "This function also works for CNAME or TXT records."
> And it have an example for A record, so I guess that answer your question.
> 
> 
> [1] https://doc.powerdns.com/authoritative/lua-records/functions.html#view

If you look at the logs you'll see the SRV record content is not correct.

It works if you supply correctly formed SRV records (in presentation format).
In particular, a SRV record has three numbers and then a name.

I just tried 

srv.example.net 10 IN LUA SRV "view({{{'127.0.0.1'},{'10 20 999 k8s-plane1.example1.com.'}},{{'0.0.0.0/0'}, {'10 20 999 k8s-plane1.DEFAULT.'}}})"

And it worked as expected.


-Otto

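As an added example (not from the thread or from the PowerDNS code base), the following validates the record contents handed to a `view()` SRV record, models the subnet selection, and renders the zone-file line, so a record with only two numbers like the original one is rejected before the zone is loaded. The first-match-wins selection is my reading of `view()` as documented for A records and is an assumption; `parse_srv` accepts a target with or without a trailing dot.

```python
"""Validate SRV record contents inside a PowerDNS LUA view() record and model
the client-subnet selection."""
import ipaddress
import re

_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_srv(rdata):
    """SRV presentation format: priority weight port target."""
    parts = rdata.split()
    if len(parts) != 4:
        raise ValueError(f"SRV needs 'priority weight port target', got {rdata!r}")
    nums = []
    for field, value in zip(("priority", "weight", "port"), parts[:3]):
        if not value.isdigit() or not 0 <= int(value) <= 65535:
            raise ValueError(f"SRV {field} must be 0..65535, got {value!r}")
        nums.append(int(value))
    target = parts[3]
    if target != "." and not all(_LABEL.match(l) for l in target.rstrip(".").split(".")):
        raise ValueError(f"SRV target is not a valid name: {target!r}")
    return (*nums, target)


def view(client_ip, table):
    """table is [(netmasks, records), ...]; the first pair whose netmasks
    contain the client address wins (assumed view() semantics)."""
    addr = ipaddress.ip_address(client_ip)
    for masks, records in table:
        for mask in masks:
            net = ipaddress.ip_network(mask, strict=False)
            if addr.version == net.version and addr in net:
                return list(records)
    return []


def validate_srv_view(table):
    """Parse every record content in the table; raises on the first bad one."""
    return [[parse_srv(r) for r in records] for _, records in table]


def lua_view_record(owner, ttl, table):
    """Render the table as a zone-file LUA SRV record in the form used in the thread."""
    inner = ",".join(
        "{{%s},{%s}}" % (",".join("'%s'" % m for m in masks), ",".join("'%s'" % r for r in recs))
        for masks, recs in table)
    return '%s %d IN LUA SRV "view({%s})"' % (owner, ttl, inner)


# Table from Otto's working record.
WORKING = [
    (["127.0.0.1"], ["10 20 999 k8s-plane1.example1.com."]),
    (["0.0.0.0/0"], ["10 20 999 k8s-plane1.DEFAULT."]),
]
# Table from the original record: each content has only two numbers.
BROKEN = [
    (["55.55.55.55/26"], ["1 6444 k8s-plane1.example1.com"]),
    (["66.66.66.66/24"], ["5 6444 k8s-plane1.example1.com"]),
]

if __name__ == "__main__":
    for name, table in (("working", WORKING), ("broken", BROKEN)):
        try:
            validate_srv_view(table)
            print(name, "ok:", lua_view_record("srv.example.net", 10, table))
        except ValueError as exc:
            print(name, "rejected:", exc)
```

Because `view()` only picks which content list to return, it cannot repair the content itself; validating each SRV string in the table (and then checking the recursor or auth log, as Otto suggests) is the quickest way to find which entry is malformed.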


Re: [Pdns-users] DoT for recursor

2023-05-09 Thread Otto Moerbeek via Pdns-users
On Tue, May 09, 2023 at 01:34:51PM +0100, Djerk Geurts via Pdns-users wrote:

> Hi all,
> 
> Had a look and the only thing I could find is that DoT apparently is enabled 
> when configuring PowerDNS-recursor with specific upstream servers on port 853.
> 
> Being relatively new to DoT and DoH I’m trying to work out why I can’t 
> configure the recursor to listen to port 853 without configuring a specific 
> forwarder. It looks like this is possible for dnsdist, so why not recursor, 
> or am I missing something?

Recursor 4.8 has a way to discover if an auth supports DoT. See
https://blog.powerdns.com/2022/06/13/probing-dot-support-of-authoritative-servers-just-try-it/

Recursor has no incoming DoT or DoH, because it is easy to use dnsdist
in front of Recursor for that.  So there is little incentive to add
that functionality to the Recursor itself.

-Otto


[Pdns-users] First Alpha Release of PowerDNS Recursor 4.9.0

2023-04-12 Thread Otto Moerbeek via Pdns-users
Hello!

   We are proud to announce the first alpha release of PowerDNS Recursor
   4.9.0.

   Compared to the previous major (4.8) release of PowerDNS Recursor, this
   release contains the following major changes:

 * The performance impact of metrics collection has been reduced by
   using lock-free non-atomic thread-local counters.
 * The packet cache is sharded and shared by all threads.
 * The TTL of negative answers in the packet cache can now be
   controlled separately from positive and failure answers.
 * The rec_control trace_regex command writes the generated trace
   information to a specified file instead of the general log. The
   trace information contains more precise timestamps and DNSSEC
   validation information.
 * If [1]extended-resolution-errors is enabled EDNS errors are now
   generated in more cases, specifically when authoritative servers
   for a zone are unreachable or when synthesising answers by e.g.
   using the aggressive NSEC cache.
 * The aggressive NSEC cache has been changed to not store NSEC3
   entries which cover only a small [2]fraction of possible names.

  Feedback is appreciated!

   As a follow-up to the shared packet cache, the default way the recursor
   distributes requests over worker threads has now been changed to let
   the operating system kernel do that, by changing the defaults of
   [3]pdns-distributes-queries to no and [4]reuseport to yes. Though our
   testing has shown benefits to this approach, we have seen that in some
   rare cases (depending on OS and client traffic patterns) this can have
   negative consequences: the queries are not distributed equally over the
   worker threads. If you are running this alpha release we would
   appreciate your feedback, to be able to confirm the change of defaults
   benefits the vast majority of cases. Watch the periodic statistics
   printed by the recursor to see if the worker threads process about
   equal amounts of queries. Especially if you see an imbalance, send us
   details about the OS, hardware and configuration.

   As always, there are also many smaller bug fixes and improvements,
   please refer to the [5]changelog for additional details. When upgrading
   do not forget to check the [6]upgrade guide.

   Please send us all feedback and issues you might have via
   the [7]mailing list, or in case of a bug, via [8]GitHub.

   The [9]tarball ([10]signature) is available from our download
   [11]server and packages for several distributions are available from
   our [12]repository.

   With the future final 4.9.0 release, the 4.6.x releases will be EOL and
   the 4.7.x and 4.8.x releases will go into critical fixes only mode.
   Consult the EOL [13]policy for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. 
https://docs.powerdns.com/recursor/settings.html#extended-resolution-errors
   2. 
https://docs.powerdns.com/recursor/settings.html#aggressive-cache-min-nsec3-hit-ratio
   3. https://docs.powerdns.com/recursor/settings.html#pdns-distributes-queries
   4. https://docs.powerdns.com/recursor/settings.html#reuseport
   5. https://doc.powerdns.com/recursor/changelog/4.9.html#change-4.9.0-alpha1
   6. https://docs.powerdns.com/recursor/upgrade.html
   7. https://mailman.powerdns.com/mailman/listinfo/pdns-users
   8. https://github.com/PowerDNS/pdns/issues/new/choose
   9. https://downloads.powerdns.com/releases/pdns-recursor-4.9.0-alpha1.tar.bz2
  10. 
https://downloads.powerdns.com/releases/pdns-recursor-4.9.0-alpha1.tar.bz2.sig
  11. https://downloads.powerdns.com/releases/
  12. https://repo.powerdns.com/
  13. https://docs.powerdns.com/recursor/appendices/EOL.html




--

kind regards,
Otto Moerbeek
PowerDNS Developer





[Pdns-users] PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable

2023-03-29 Thread Otto Moerbeek via Pdns-users
   Hello,

   Today we have released PowerDNS Recursor 4.6.6, 4.7.5 and 4.8.4 due to
   a low severity security issue found.

   Please find the full text of the advisory below.

   The [1]4.6, [2]4.7 and [3]4.8 changelogs are available.

   The  [4]4.6.6  ([5]signature), [6]4.7.5 ([7]signature) and
   [8]4.8.4 ([9]signature) tarballs are available from our download
   [10]server. Patches are available at [11]patches. Packages for various
   distributions are available from our [12]repository.

   Note that PowerDNS Recursor 4.5.x and older releases are End of Life.
   Consult the [13]EOL policy for more details.
 __

PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to
authoritative servers being marked unavailable

 * CVE: CVE-2023-26437
 * Date: 29th of March 2023
 * Affects: PowerDNS Recursor up to and including 4.6.5, 4.7.4 and
   4.8.3
 * Not affected: PowerDNS Recursor 4.6.6, 4.7.5 and 4.8.4
 * Severity: Low
 * Impact: Denial of service
 * Exploit: Successful spoofing may lead to authoritative servers
   being marked unavailable
 * Risk of system compromise: None
 * Solution: Upgrade to patched version

   When the recursor detects and deters a spoofing attempt or receives
   certain malformed DNS packets, it throttles the server that was the
   target of the impersonation attempt so that other authoritative servers
   for the same zone will be more likely to be used in the future, in case
   the attacker controls the path to one server only. Unfortunately this
   mechanism can be used by an attacker with the ability to send queries to
   the recursor, guess the correct source port of the corresponding outgoing
   query and inject packets with a spoofed IP address to force the recursor
   to mark specific authoritative servers as not available, leading to a
   denial of service for the zones served by those servers.

   CVSS 3.0 score: 3.7 (Low)
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L

   Thanks to Xiang Li from Network and Information Security Laboratory,
   Tsinghua University for reporting this issue.

References

   1. https://docs.powerdns.com/recursor/changelog/4.6.html#change-4.6.6
   2. https://docs.powerdns.com/recursor/changelog/4.7.html#change-4.7.5
   3. https://docs.powerdns.com/recursor/changelog/4.6.html#change-4.8.4
   4. https://downloads.powerdns.com/releases/pdns-recursor-4.6.6.tar.bz2
   5. https://downloads.powerdns.com/releases/pdns-recursor-4.6.6.tar.bz2.sig
   6. https://downloads.powerdns.com/releases/pdns-recursor-4.7.5.tar.bz2
   7. https://downloads.powerdns.com/releases/pdns-recursor-4.7.5.tar.bz2.sig
   8. https://downloads.powerdns.com/releases/pdns-recursor-4.8.4.tar.bz2
   9. https://downloads.powerdns.com/releases/pdns-recursor-4.8.4.tar.bz2.sig
  10. https://downloads.powerdns.com/releases/
  11. https://downloads.powerdns.com/patches/2023-01/
  12. https://repo.powerdns.com/
  13. https://docs.powerdns.com/recursor/appendices/EOL.html




Re: [Pdns-users] How to create an account?

2023-03-26 Thread Otto Moerbeek via Pdns-users


The account field is just a text field that has no relation to any
other field in the pdns data model. You can fill in anything you like.

-Otto

On Sun, Mar 26, 2023 at 04:35:05PM +0200, Paul van der Vlis via Pdns-users 
wrote:

> Hello!
> 
> I cannot find how to create an account with pdnsutil. Anybody here who knows
> what I can do to create a new account?
> 
> PowerDNS acts as a slave, and there is a new master-machine.
> 
> With regards,
> Paul van der Vlis
> 
> 
> 
> 
> -- 
> Paul van der Vlis Linux systeembeheer Groningen
> https://vandervlis.nl/


Re: [Pdns-users] Howto show settings of a domain

2023-03-15 Thread Otto Moerbeek via Pdns-users
On Tue, Mar 14, 2023 at 01:19:18PM +0100, Paul van der Vlis via Pdns-users 
wrote:

> Hello,
> 
> How can I show the settings of a domain with pdnsutil?  I don't mean the
> records, but settings like what you can set with commands as:
> pdnsutil set-kind
> pdnsutil set-account
> pdnsutil change-slave-zone-master
> 
> With regards,
> Paul van der Vlis

pdnsutil show-zone is documented to show DNSSEC related information
but it does show more than that. From a quick glance only the account
info is missing.

-Otto


[Pdns-users] PowerDNS Recursor 4.8.3 Released

2023-03-07 Thread Otto Moerbeek via Pdns-users
Hello!

   We are proud to announce the release of PowerDNS Recursor 4.8.3

   This release is a maintenance release. The most important fixes concern
   the serve-stale functionality which could cause intermittent high CPU
   load. The serve-stale function is disabled by default.

   Please refer to the change log for the [1]4.8.3 release for additional
   details.

   Please send us all feedback and issues you might have via the
   [2]mailing list, or in case of a bug, via [3]GitHub.

   The [4]tarball and [5]signature are available from our download
   [6]server and packages for several distributions are available from our
   [7]repository. The Ubuntu Jammy package will be published soon.

   The 4.5.x releases are EOL and the 4.6.x and 4.7.x releases are in
   critical fixes only mode. Consult the [8]EOL policy for more details.

   We would also like to repeat that starting with the 4.5 release branch
   we stopped supporting systems using 32-bit time. This includes most
   32-bit Linux platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://doc.powerdns.com/recursor/changelog/4.8.html#change-4.8.3
   2. https://mailman.powerdns.com/mailman/listinfo/pdns-users
   3. https://github.com/PowerDNS/pdns/issues/new/choose
   4. https://downloads.powerdns.com/releases/pdns-recursor-4.8.3.tar.bz2
   5. https://downloads.powerdns.com/releases/pdns-recursor-4.8.3.tar.bz2.sig
   6. https://downloads.powerdns.com/releases/
   7. https://repo.powerdns.com/
   8. https://docs.powerdns.com/recursor/appendices/EOL.html


--

kind regards,
Otto Moerbeek
PowerDNS Developer



Email: otto.moerb...@open-xchange.com


-
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt

PowerDNS.COM BV, Koninginnegracht 14L, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt, Maxim Letski
-




Re: [Pdns-users] Blocklist file format

2023-03-06 Thread Otto Moerbeek via Pdns-users
There is, check RPZs: https://docs.powerdns.com/recursor/lua-config/rpz.html

-Otto


On Tue, Mar 07, 2023 at 08:46:54AM +0200, Adrian M via Pdns-users wrote:

> Having a policy list implemented directly in pdns-resolver it will be a
> very nice feature nowadays IMHO.
> 
> On Sun, Mar 5, 2023 at 5:29 PM Darac Marjal via Pdns-users <
> pdns-users@mailman.powerdns.com> wrote:
> 
> > You might find https://github.com/thommay/blocklister useful. This script
> > takes lists of domains - in the common adblock format - and compiles them
> > into a lua file, performing sorting and deduplication as it goes.
> >
> >
> > On 05/03/2023 10:28, Clifford Dsouza via Pdns-users wrote:
> >
> > Hi
> >
> > I've configured Powerdns to block certain domain using lua..
> >
> > The lua file the recursor.conf refers to has the below code
> >
> > -
> > blocked_domains = newDS()
> >
> > -- the blocklist file returns a Lua table of domain names
> > blocked_domains:add(dofile("/etc/pdns-recursor/blocklist.lua"))
> >
> > function preresolve(dq)
> >   -- only A and AAAA queries for listed names are answered from the script
> >   if (not blocked_domains:check(dq.qname) or (dq.qtype ~= pdns.A and dq.qtype ~= pdns.AAAA)) then
> >     return false
> >   else
> >     dq:addAnswer(pdns.A, "182.X.X.X", 60, "blockpage.co.in")
> >     return true
> >   end
> > end
> > -
> > the code references the block list file that has the below format
> > -
> > return {
> > "site1.tobeblocked.com",
> > "site2.tobeblocked.com",
> > "site3.tobeblocked.com",
> > }
> > --
> >
> > Is there a way I can populate the blocklist file with the list of
> > domains that I want to block, one domain per line, instead of the other
> > extra characters that I need to type? I just want to avoid syntax errors
> > when updating the file.
> >
> >
> > Thanks
> >
> > Clifford
> >
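Clifford's wish for a one-domain-per-line file can be met by reading the file in Lua before building the set, as in this added example (not code from the thread or from PowerDNS; the file path, sinkhole address and block-page name are assumptions). Unlike the posted script it also gives listed names an empty answer for AAAA, and Otto's pointer to RPZ remains the supported route for larger lists.

```lua
-- Added example, not from the thread or from PowerDNS: load a blocklist with
-- one domain per line into a DNS Suffix Match Group and sinkhole A queries for
-- those names (and their subdomains) in preresolve().
-- Assumed: the file path, the sinkhole address and the block page name below.
local BLOCKLIST_FILE = "/etc/pdns-recursor/blocklist.txt"  -- assumed path
local SINKHOLE_A     = "192.0.2.1"                          -- TEST-NET-1, assumed
local SINKHOLE_NAME  = "blockpage.example"                  -- assumed

-- Read the file line by line: strip '#' comments and surrounding whitespace,
-- drop a trailing dot, skip blank lines, and reject anything that does not
-- look like a domain name so one bad line cannot break the whole list.
-- Returns the accepted names and the number of lines skipped.
local function readBlocklist(path)
  local names, skipped = {}, 0
  local fh, err = io.open(path, "r")
  if not fh then
    pdnslog("blocklist: cannot open " .. path .. ": " .. tostring(err), pdns.loglevels.Error)
    return names, skipped
  end
  for raw in fh:lines() do
    local line = raw:gsub("#.*$", ""):match("^%s*(.-)%s*$")  -- drop comment, trim
    line = line:gsub("%.$", "")                                -- drop trailing dot
    if line == "" then
      -- blank or comment-only line: nothing to do
    elseif line:match("^[%w%-%.]+$") then                      -- letters, digits, '-' and '.'
      names[#names + 1] = line
    else
      skipped = skipped + 1
      pdnslog("blocklist: skipping malformed line: " .. raw, pdns.loglevels.Warning)
    end
  end
  fh:close()
  return names, skipped
end

blocked_domains = newDS()
local names, skipped = readBlocklist(BLOCKLIST_FILE)
blocked_domains:add(names)  -- add() accepts a table of strings
pdnslog(string.format("blocklist: loaded %d names, skipped %d lines", #names, skipped),
        pdns.loglevels.Info)

function preresolve(dq)
  -- check() is a suffix match: "ads.example" also covers "x.ads.example".
  if not blocked_domains:check(dq.qname) then
    return false                       -- not listed: resolve normally
  end
  if dq.qtype == pdns.A then
    dq:addAnswer(pdns.A, SINKHOLE_A, 60, SINKHOLE_NAME)
    return true
  elseif dq.qtype == pdns.AAAA then
    -- Empty NOERROR answer (dq.rcode is NOERROR by default) so IPv6-capable
    -- clients fall back to the sinkholed A record instead of resolving upstream.
    return true
  end
  return false                         -- other types: resolve normally
end
```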


[Pdns-users] PowerDNS Recursor 4.8.2 Released

2023-01-31 Thread Otto Moerbeek via Pdns-users
   Hello,

   We are proud to announce the release of PowerDNS Recursor 4.8.2.

   This release is a maintenance release, fixing some issues, in
   particular:

 * Record and negative cache cleaning now maintains balance between
   shards in a better way
 * A case where the wrong EDNS Client Subnet scope could be applied to
   outgoing queries has been fixed
 * A few other minor issues

   Please refer to the change log for the [1]4.8.2 release for additional
   details.

   Please send us all feedback and issues you might have via the
   [2]mailing list, or in case of a bug, via [3]GitHub.

   The [4]tarball and [5]signature are available from our download
   [6]server and packages for several distributions are available from our
   [7]repository. The Ubuntu Jammy package will be published soon.

   The 4.5.x releases are EOL and the 4.6.x and 4.7.x releases are in
   critical fixes only mode. Consult the [8]EOL policy for more details.

   We would also like to repeat that starting with the 4.5 release branch
   we stopped supporting systems using 32-bit time. This includes most
   32-bit Linux platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://doc.powerdns.com/recursor/changelog/4.8.html#change-4.8.2
   2. https://mailman.powerdns.com/mailman/listinfo/pdns-users
   3. https://github.com/PowerDNS/pdns/issues/new/choose
   4. https://downloads.powerdns.com/releases/pdns-recursor-4.8.2.tar.bz2
   5. https://downloads.powerdns.com/releases/pdns-recursor-4.8.2.tar.bz2.sig
   6. https://downloads.powerdns.com/releases/
   7. https://repo.powerdns.com/
   8. https://docs.powerdns.com/recursor/appendices/EOL.html


--

kind regards,
Otto Moerbeek
PowerDNS Developer







Re: [Pdns-users] tsig key not being accepted

2023-01-30 Thread Otto Moerbeek via Pdns-users
On Sat, Jan 28, 2023 at 09:58:22AM -0500, Larry Wapnitsky via Pdns-users wrote:

> (domain names and keys changed in production from these values)
> 
> I'm running the following:
> 
> root@ns1:~# pdns_server --version
> Jan 28 09:54:21 PowerDNS Authoritative Server
> 4.8.0-alpha0.1002.master.g13427ee56 (C) 2001-2022 PowerDNS.COM BV
> Jan 28 09:54:21 Using 64-bits mode. Built using gcc 9.4.0 on Jan 18 2023
> 12:08:28 by root@4f762a9684f6.
> 
> I was able (until yesterday) to update DNS entries using RFC2136, but am
> now receiving the following error:
> 
> Packet for 'mydomain.com' denied: Signature with TSIG key 'dhcpupdate' does
> not match the expected algorithm (hmac-sha256 / hmac-md5.sig-alg.reg.int)
> 
> My TSIG key is set as follows:
> 
> root@ns1:~# pdnsutil generate-tsig-key dhcpupdate hmac-sha256
> Create new TSIG key dhcpupdate hmac-sha256
> W/ThmvveOYiOKDiMA/tphcm0bu+XsdHxmIPa5anY+U8NO94n8j5I7L7rTfrlTE7NRhTrbeRJ2f7s0oTiwWc9BA==
> 
> and the configuration in my RFC2136 client (opnsense) is:
> 
> [image: 2023-01-28_09-57.png]
> 
> Advice is very welcome on how to diagnose. I've recreated the keys multiple
> times to no avail.
> 
> Thank you.
> 
> *Larry G. Wapnitsky*
> 
> 
> *E: la...@wapnitsky.com*
> *Web: Larry.Wapnitsky.com *

If it worked before yesterday, it would be very good to know what changed:

- the auth server software version? What version were you running before?
- the RFC2136 client? Same question.

-Otto


Re: [Pdns-users] pdns_recursor issue

2023-01-26 Thread Otto Moerbeek via Pdns-users
On Thu, Jan 26, 2023 at 10:57:21PM +0100, Arien Vijn wrote:

> 
> > On 26 Jan 2023, at 19:00, Otto Moerbeek  wrote:
> 
> [...]
> 
> > I expect the aggressive cache workaround to function.
> 
> It seems so indeed.
> 
> > What is happening is that a query of a non-existent type (e.g. AAAA)
> > for xdsl-c-serviceweb.gslb.kpn.com
> > 
> > $ dig @ns1gslb.kpn.com. AAAA xdsl-c-serviceweb.gslb.kpn.com +dnssec
> > 
> > produces an NSEC3 record that denies all types except TXT and RRSIG:
> > 
> > cq026lgcduus730qu6cbhtrt7qpr2jnu.gslb.kpn.com. 86400 IN NSEC3 1 0 1 19623DE58C1E7E40 CQ026LGCDUUS730QU6CBHTRT7QPR2JNV TXT RRSIG
> > 
> > So when the A record expires and somebody has done an AAAA query in
> > between, the aggressive cache concludes that the wanted A record does
> > not exist and does not even ask the auth for it.
> > 
> > Then after a cache wipe it works because when the (aggressive) cache is
> > empty for that zone, there is also no NSEC3 record denying anything.
> > 
> > So in the end this is a misconfigured domain. Completely disabling the
> > aggressive cache is a bit of a big hammer, you can also add an NTA for
> > the specific problem domain, something like:
> > 
> > addNTA('gslb.kpn.com', 'Invalid NSEC3 record served for xdsl-c-serviceweb.gslb.kpn.com')
> > 
> > in your Lua config file. This effectively does disable DNSSEC for the
> > domain. And please also report this to KPN.
> 
> Thanks for the explanation! This is really useful because KPN pointed to our
> DNS servers.
> 
> We also saw this with other (KPN hosted) 'gslb-domains', which also show no
> trouble anymore after disabling the aggressive cache. So, if we go the
> NTA-way then I am afraid that we'll have to add a series of NTAs then :/
> 
> At any rate, I am really glad with this explanation. I hope that KPN, and the
> parties they outsourced their DNS service to, will appreciate this too :)
> 
> -- Arien

This gives background information and a link to a remedy to be
employed on the load balancer side.

https://en.blog.nic.cz/2019/07/10/error-in-dnssec-implementation-on-f5-big-ip-load-balancers/

-Otto





Re: [Pdns-users] pdns_recursor issue

2023-01-26 Thread Otto Moerbeek via Pdns-users
On Thu, Jan 26, 2023 at 05:37:12PM +0100, Arien Vijn via Pdns-users wrote:

> Hi Peter,
> 
> > On 26 Jan 2023, at 17:28, Peter van Dijk via Pdns-users 
> >  wrote:
> 
> [...]
> 
> > After some brief investigation we somewhat suspect this is aggressive
> > NSEC caching. Can you see if aggressive-nsec-cache-size=0 makes the
> > problem go away?
> 
> Thanks! I'll add this line to the configuration right away :)
> 
> -- Ariën
> 

I expect the aggressive cache workaround to function.

What is happening is that a query of a non-existent type (e.g. AAAA)
for xdsl-c-serviceweb.gslb.kpn.com

$ dig @ns1gslb.kpn.com. AAAA xdsl-c-serviceweb.gslb.kpn.com +dnssec

produces an NSEC3 record that denies all types except TXT and RRSIG:

cq026lgcduus730qu6cbhtrt7qpr2jnu.gslb.kpn.com. 86400 IN NSEC3 1 0 1 19623DE58C1E7E40 CQ026LGCDUUS730QU6CBHTRT7QPR2JNV TXT RRSIG

So when the A record expires and somebody has done an AAAA query in
between, the aggressive cache concludes that the wanted A record does
not exist and does not even ask the auth for it.

Then after a cache wipe it works because when the (aggressive) cache is
empty for that zone, there is also no NSEC3 record denying anything.

So in the end this is a misconfigured domain. Completely disabling the
aggressive cache is a bit of a big hammer, you can also add an NTA for
the specific problem domain, something like:

addNTA('gslb.kpn.com', 'Invalid NSEC3 record served for xdsl-c-serviceweb.gslb.kpn.com')

in your Lua config file. This effectively does disable DNSSEC for the
domain. And please also report this to KPN.

-Otto



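To make the aggressive-cache reasoning above concrete, here is an added example (not code from the thread or from PowerDNS) that applies the RFC 8198 decision to the NSEC3 record Otto quotes: the record's owner and next hashes and its type bitmap are the constructed input, the hashed query name is passed in rather than computed, and it is assumed to equal the record's owner because the record was served for that very name.

```lua
-- Added example, not code from the thread or from PowerDNS. It applies the
-- aggressive NSEC cache decision (RFC 8198) to a cached NSEC3 record: given
-- the record's owner hash, next hash and type bitmap, plus the hashed query
-- name and type, what may be answered without asking the authoritative server?
-- The NSEC3 hash computation itself is not included: the hashed query name is
-- an input, and for the thread's case it is assumed to equal the record's
-- owner, since that record was served for the queried name itself.

-- Base32hex (RFC 4648 section 7) preserves byte order, so hashes compare as
-- strings once the case is normalized. True if h lies strictly between owner
-- and nexth, including the wrap-around of the last record of the chain.
local function covers(owner, nexth, h)
  owner, nexth, h = string.upper(owner), string.upper(nexth), string.upper(h)
  if owner < nexth then
    return owner < h and h < nexth
  end
  return h > owner or h < nexth   -- last record points back to the first
end

-- Returns "NODATA" (name exists, type does not), "NXDOMAIN" (name does not
-- exist) or "UNKNOWN" (the cache proves nothing; the auth must be queried).
local function nsec3Verdict(rec, qhash, qtype)
  if string.upper(qhash) == string.upper(rec.owner) then
    -- Exact match: the name exists, so only the type bitmap matters.
    for _, t in ipairs(rec.types) do
      if t == qtype then return "UNKNOWN" end
    end
    return "NODATA"
  end
  if covers(rec.owner, rec.next, qhash) then
    -- A full NXDOMAIN proof also needs the closest encloser and wildcard
    -- NSEC3s (RFC 5155 section 8.4); this example checks only the record
    -- covering the query name.
    return "NXDOMAIN"
  end
  return "UNKNOWN"
end

-- The record quoted in the thread, as constructed input:
-- cq026lgcduus730qu6cbhtrt7qpr2jnu.gslb.kpn.com. 86400 IN NSEC3 1 0 1
--   19623DE58C1E7E40 CQ026LGCDUUS730QU6CBHTRT7QPR2JNV TXT RRSIG
local served = {
  owner = "cq026lgcduus730qu6cbhtrt7qpr2jnu",
  next  = "CQ026LGCDUUS730QU6CBHTRT7QPR2JNV",
  types = { "TXT", "RRSIG" },
}
-- Assumption: the hash of xdsl-c-serviceweb.gslb.kpn.com equals served.owner.
local qhash = served.owner

-- An A query and a TXT query for the name while this record sits in the
-- aggressive cache; the bitmap lists TXT but not A.
print("A   with served record: " .. nsec3Verdict(served, qhash, "A"))
print("TXT with served record: " .. nsec3Verdict(served, qhash, "TXT"))

-- A correct record for a name that has A, TXT and RRSIG lists A in the
-- bitmap, which is the fix on the authoritative side.
local correct = { owner = served.owner, next = served.next, types = { "A", "TXT", "RRSIG" } }
print("A   with correct record: " .. nsec3Verdict(correct, qhash, "A"))
```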


Re: [Pdns-users] Proxy mapped address used for allow-from

2023-01-26 Thread Otto Moerbeek via Pdns-users
On Thu, Jan 26, 2023 at 03:07:17PM +0200, Robby Pedrica via Pdns-users wrote:

>  Thanks Otto,
> 
> I agree with the docs, but then the actual operation/result is not
> consistent unless I'm misunderstanding the operation or purpose of
> proxy-protocol-from.
> 
> *Product:*
> 
> pdns-recursor
> 
> *Version:*
> 
> 4.8.1
> 
> *Full recursor.conf config:*
> 
> allow-from=
> api-key=
> #config-dir=/usr/etc
> daemon=no
> #disable-syslog=no
> edns-subnet-allow-list=0.0.0.0/0.
> etc-hosts-file=/etc/hosts
> # export-etc-hosts=off
> #local-address=
> local-port=53
> loglevel=6
> log-common-errors=yes
> # max-cache-entries=100
> # max-concurrent-requests-per-tcp-connection=10
> max-tcp-clients=128
> # max-tcp-per-client=0
> # max-tcp-queries-per-connection=0
> # network-timeout=1500
> new-domain-log=yes
> quiet=no
> threads=2
> use-incoming-edns-subnet=yes
> webserver=yes
> webserver-address=0.0.0.0
> webserver-allow-from=0.0.0.0/0
> webserver-loglevel=none
> webserver-password=
> webserver-port=8082
> write-pid=yes
> hint-file=/etc/named.root.txt
> log-common-errors=no
> lua-config-file=/etc/proxy-map.lua
> max-busy-dot-probes=50
> proxy-protocol-from=
> 
> *LUA script for proxy maps:*
> 
> addProxyMapping("private subnet 1", "mapped public IP")
> 
> There are 2 requirements:
> 
> 1. accurately enable ACLs via allow-from

As far as I know, the ACLs are checked accurately, i.e. as defined in
the docs.

> 2. use proxy-mapped public address from addProxyMapping for ecs/edns queries
> 
> Currently, the proxy mapped address is being used to match against
> allow-from rather than the source/original address.

I have the feeling there is some form of miscommunication going on.

As documented, see:

"M is used for incoming ACL checking (allow-from) and to determine the
ECS processing (ecs-add-for)."

where M is "the source address mapped by Table Based Proxy Mapping" in

https://docs.powerdns.com/recursor/lua-config/proxymapping.html#table-based-proxy-mapping

The first section of the page tries to explain what address is used in
what circumstances. 

The point of proxyMapping is to use the mapped address as ECS and for
ACL checking.

If that is not what you want, maybe proxyMapping is not the answer to
your question?

-Otto

> 
> I'm hoping proxy-protocol-from does not affect ecs/edns function but the
> docs don't discuss anything around this - I would assume not.
> 
> Update and per your replies:
> 
> "I think proxyMapping and the use of ECS is explained in
> https://docs.powerdns.com/recursor/lua-config/proxymapping.html."
> 
> I understand proxymapping - this is not my issue, I'm just mentioning
> it to provide context.
> 
> (My logging is still not working in my docker container. I'll request
> separate assistance with this.)
> Regards and thank you
> 
> 
> Robby
> 
> 
> 
> 
> 
> On Fri, 20 Jan 2023 at 17:58, Otto Moerbeek  wrote:
> 
> > Please show your full configuration, including versions etc. Also, it
> > is not clear which product you are using.
> >
> > The recursor docs say:
> >
> > "Note that once a Proxy Protocol header has been received, the source
> > address from the proxy header instead of the address of the proxy will
> > be checked against the allow-from ACL."
> >
> > https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from
> >
> > -Otto
> >
> >
> > On Fri, Jan 20, 2023 at 05:48:31PM +0200, Robby Pedrica via Pdns-users
> > wrote:
> >
> > > Hi all,
> > >
> > > I'm not sure if this is a change in behaviour or I simply haven't noticed
> > > this before but after upgrading my docker image today, I've seen queries
> > > being dropped due to the mapped address in my proxy mappings being used
> > for
> > > allow-from rather than the src/original address. I use a private-public
> > > address mapping in the proxy maps because I use the mapped public IP as
> > > part of ecs/edns.
> > >
> > > I've now set:
> > >
> > > proxy-protocol-from= (or should this be the src IP?)
> > >
> > > but this doesn't appear to have changed anything and queries are still
> > > being dropped.
> > >
> > > Can anyone advise where I'm going wrong? I don't mind putting the mapped
> > > (public) IP in allow-from but would prefer not to do it if not required.
> > >
> > > Regards
> > >
> > > --
> > > Robby Pedrica
> > >
> > > c: +27 82 416 8696
> >
> >
> >
> 
> -- 
> Robby Pedrica
> XStore
> c: +27 82 416 8696
> f: +27 86 538 5810
> m: rpedr...@xstore.co.za
> w: http://.xstore.co.za/



Re: [Pdns-users] pdns_recursor issue

2023-01-26 Thread Otto Moerbeek via Pdns-users
Hi,

Please show your configuration.

I do not think your analysis is to the point.
If I repeat a scenario, I see a correct retrieval of the A record.

So we have to find out what is different in your case.

-Otto


On Thu, Jan 26, 2023 at 01:30:54PM +0100, Arien Vijn via Pdns-users wrote:

> Greetings,
> 
> We recently upgraded pdns_recursor from version 4.4.5 to 4.8.0. It seems that
> we run into the following issue ever since.
> 
> 1/ Client queries for an A-record for xdsl-serviceweb.kpn.com.
> 2/ Recursor queries the domain tree and receives the CNAME-record that points 
> to: xdsl-c-serviceweb.gslb.kpn.com. from the authoritative DNS server.
> 3/ Recursor queries and receives the subsequent A-record from the
> authoritative DNS server for that A-record.
> 4/ Recursor answers the client mentioned in 1/.
> 
> So far so good, until the A-record of xdsl-c-serviceweb.gslb.kpn.com. expires 
> out of the 'main record cache' but not from the 'main packet cache'. The 
> CNAME remains in both caches. Please note this excerpt from: rec_control 
> dump-cache below:
> 
>    ; main record cache dump follows
>    ;
>    xdsl-serviceweb.kpn.com. 300 -224 IN CNAME xdsl-c-serviceweb.gslb.kpn.com. ; (Secure) auth=1 zone=kpn.com from=194.151.228.10 nm= rtag= ss=0
>    ; negcache dump follows
> 
>    [...]
> 
>    ; main packet cache dump from thread follows
>    ;
>    xdsl-c-serviceweb.gslb.kpn.com. -1803 A  ; tag 0 udp
> 
>    [...]
> 
>    ; main packet cache dump from thread follows
>    ;
>    xdsl-serviceweb.kpn.com. -470 A  ; tag 0 udp
>    xdsl-serviceweb.kpn.com. 111 A  ; tag 0 udp
>    xdsl-serviceweb.kpn.com. 111 AAAA  ; tag 0 udp
> 
> 
> From that point on, pdns_recursor replies on queries for the A-record with 
> the SOA-record of the domain of the said A-record:
> 
>    ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> xdsl-c-serviceweb.gslb.kpn.com. @localhost
>    ;; global options: +cmd
>    ;; Got answer:
>    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36347
>    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
>    ;; OPT PSEUDOSECTION:
>    ; EDNS: version: 0, flags:; udp: 512
>    ;; QUESTION SECTION:
>    ;xdsl-c-serviceweb.gslb.kpn.com.    IN  A
> 
>    ;; AUTHORITY SECTION:
>    gslb.kpn.com.   79407   IN  SOA ns2gslb.kpn.com. netmaster.gslb.kpn.com. 2023011702 10800 3600 604800 86400
> 
>    ;; Query time: 0 msec
>    ;; SERVER: ::1#53(::1)
>    ;; WHEN: Thu Jan 26 12:10:13 CET 2023
>    ;; MSG SIZE  rcvd: 113
> 
> 
> This situation causes actual people to complain and is being resolved by 
> removing the domain tree for the subdomain gslb.kpn.com. out of the caches. 
> From then on the story starts again.
> 
> That the A-record xdsl-c-serviceweb.gslb.kpn.com. remains in the packet cache
> seems not good to me, but I don't know enough about DNS and pdns_recursor to be
> sure. What could trigger this behaviour or is it perhaps a configuration
> issue because we made such a large jump in versions when we upgraded? Last
> but not least, we see the same behaviour with at least one other hostname.
> 
> -- Ariën
> 





Re: [Pdns-users] Proxy mapped address used for allow-from

2023-01-20 Thread Otto Moerbeek via Pdns-users
Please show your full configuration, including versions etc. Also, it
is not clear which product you are using.

The recursor docs say:

"Note that once a Proxy Protocol header has been received, the source
address from the proxy header instead of the address of the proxy will
be checked against the allow-from ACL."

https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from

-Otto


On Fri, Jan 20, 2023 at 05:48:31PM +0200, Robby Pedrica via Pdns-users wrote:

> Hi all,
> 
> I'm not sure if this is a change in behaviour or I simply haven't noticed
> this before but after upgrading my docker image today, I've seen queries
> being dropped due to the mapped address in my proxy mappings being used for
> allow-from rather than the src/original address. I use a private-public
> address mapping in the proxy maps because I use the mapped public IP as
> part of ecs/edns.
> 
> I've now set:
> 
> proxy-protocol-from= (or should this be the src IP?)
> 
> but this doesn't appear to have changed anything and queries are still
> being dropped.
> 
> Can anyone advise where I'm going wrong? I don't mind putting the mapped
> (public) IP in allow-from but would prefer not to do it if not required.
> 
> Regards
> 
> -- 
> Robby Pedrica
> 
> c: +27 82 416 8696



[Pdns-users] Security Advisory 2023-01 for PowerDNS Recursor 4.8.0

2023-01-20 Thread Otto Moerbeek via Pdns-users
   Hello,

   Today we have released PowerDNS Recursor 4.8.1 due to a high severity
   issue found.

   Please find the full text of the advisory below.

   The [1]changelog is available.

   The [2]tarball ([3]signature) is available from our download [4]server.
   Patches are available at [5]patches. Packages for various distributions
   are available from our [6]repository.

   Note that PowerDNS Recursor 4.5.x and older releases are End of Life.
   Consult the [7]EOL policy for more details.

PowerDNS Security Advisory 2023-01: unbounded recursion results in program
termination

 * CVE: CVE-2023-22617
 * Date: 20th of January 2023
 * Affects: PowerDNS Recursor 4.8.0
 * Not affected: PowerDNS Recursor < 4.8.0, PowerDNS Recursor 4.8.1
 * Severity: High
 * Impact: Denial of service
 * Exploit: This problem can be triggered by a remote attacker with
   access to the recursor by querying names from specific
   mis-configured domains
 * Risk of system compromise: None
 * Solution: Upgrade to patched version

   CVSS 3.0 score: 8.2 (High)
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/
   S:U/C:N/I:L/A:H/E:H/RL:U/RC:C

   Thanks to applied-privacy.net for reporting this issue and their assistance
   in diagnosing it.

References

   1. https://docs.powerdns.com/recursor/changelog/4.8.html#change-4.8.1
   2. https://downloads.powerdns.com/releases/pdns-recursor-4.8.1.tar.bz2
   3. https://downloads.powerdns.com/releases/pdns-recursor-4.8.1.tar.bz2.sig
   4. https://downloads.powerdns.com/releases/
   5. https://downloads.powerdns.com/patches/2023-01/
   6. https://repo.powerdns.com/
   7. https://docs.powerdns.com/recursor/appendices/EOL.html


--

kind regards,
Otto Moerbeek
PowerDNS Developer







Re: [Pdns-users] Reloading metadata with bind-backend & sqlite

2022-12-19 Thread Otto Moerbeek via Pdns-users
Hello,

You did not explain what you are seeing and what you expect.

The warning concerns performance. But your question suggests you are
seeing wrong data. Please be explicit.

-Otto



On Mon, Dec 19, 2022 at 11:02:34AM +0100, Thib D via Pdns-users wrote:

> Hi Chris,
> 
> I missed this warning note on the sqlite3 backend page (
> https://doc.powerdns.com/authoritative/backends/generic-sqlite3.html)
> I'm scared this looks like the exact same behaviour we are seeing with a
> bind+sqlite setup.
> 
> After adding/modifying cryptokeys or metadata in the database, we are still
> able to see the changes with *pdnsutil show-zone* though
> 
> Is this something that can be implemented or are there limitations that
> make this impossible to do so?
> 
> Best regards,
> Thibaud
> 
> On Sat, 17 Dec 2022 at 12:07, Chris Hofstaedtler | Deduktiva <
> chris.hofstaedt...@deduktiva.com> wrote:
> 
> > Hello Thibauld,
> >
> > * Thib D via Pdns-users  [221216 14:19]:
> > > On bind / sqlite systems there is currently no way to reload metadata and
> > > cryptokeys provided through a read only sqlite3 database, correct ?
> > >
> > > pdns_control commands like bind-reload-now / bind-add-zone / reload do
> > not
> > > seem to fetch content from the sqlite database.
> > >
> > > Is there something I am missing or reloading metadata in this case is
> > only
> > > possible by restarting the pdns process ?
> >
> > From my understanding, these things are not cached. It should work
> > similar to a "normal" gsql setup: cryptokeys, metadata, ... are
> > loaded on-access, and thus become effective immediately.
> >
> > If you see something else, please clarify your setup and what
> > behavior you are seeing.
> >
> > Chris
> >
> > --
> > Chris Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
> > www.deduktiva.com / +43 1 353 1707
> >



[Pdns-users] PowerDNS Recursor 4.8.0 Released

2022-12-12 Thread Otto Moerbeek via Pdns-users
   Hello!

   We are proud to announce the release of PowerDNS Recursor 4.8.0.

   Compared to the previous major (4.7) release of PowerDNS Recursor, this
   release contains the following major changes:

 * [1]Structured Logging has been implemented for almost all
   subsystems. This allows for improved (automated) analysis of
   logging information. We've posted a [2]blog about this feature
   recently.
 * Optional [3]Serve Stale functionality has been implemented,
   providing resilience against connectivity problems towards
   authoritative servers.
 * Optional [4]Record Locking has been implemented, providing an extra
   layer of protection against spoofing attempts at the price of
   reduced cache efficiency.
 * Internal tables used to track information about authoritative
   servers are now [5]shared instead of per-thread, resulting in
   better performance and lower memory usage.
 * EDNS padding of outgoing DoT queries has been implemented,
   providing better privacy protection.
 * Metrics have been added about the protobuf and dnstap logging
   [6]subsystems and the [7]rcodes received from authoritative
   servers.

   As always, there are also many smaller bug fixes and improvements,
   please refer to the [8]changelog for additional details. When upgrading
   do not forget to check the [9]upgrade guide.

   We are also announcing the removal of [10]XPF support. If you are using
   this feature, switch to the [11]Proxy Protocol.

   Please send us all feedback and issues you might have via
   the [12]mailing list, or in case of a bug, via [13]GitHub.

   The [14]tarball ([15]signature) is available from our download
   [16]server and packages for several distributions are available from
   our [17]repository.

   With the 4.8.0 release, the 4.5.x releases will be marked "End of Life"
   and the 4.6.x and 4.7.x releases will go into critical fixes only mode.
   Consult the EOL [18]policy for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

- Otto and the PowerDNS Team

References

   1. https://docs.powerdns.com/recursor/settings.html#structured-logging-backend
   2. https://blog.powerdns.com/2022/10/03/structured-logging-in-powerdns-recursor/
   3. https://docs.powerdns.com/recursor/appendices/internals.html#serve-stale
   4. https://docs.powerdns.com/recursor/settings.html#record-cache-locked-ttl-perc
   5. https://blog.powerdns.com/2022/08/29/sharing-data-between-threads-in-powerdns-recursor/
   6. https://docs.powerdns.com/recursor/manpages/rec_control.1.html
   7. https://docs.powerdns.com/recursor/metrics.html#auth-xxx-answers
   8. https://doc.powerdns.com/recursor/changelog/4.8.html#change-4.8.0
   9. https://docs.powerdns.com/recursor/upgrade.html
  10. https://docs.powerdns.com/recursor/settings.html#xpf-allow-from
  11. https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from
  12. https://mailman.powerdns.com/mailman/listinfo/pdns-users
  13. https://github.com/PowerDNS/pdns/issues/new/choose
  14. https://downloads.powerdns.com/releases/pdns-recursor-4.8.0.tar.bz2
  15. https://downloads.powerdns.com/releases/pdns-recursor-4.8.0.tar.bz2.sig
  16. https://downloads.powerdns.com/releases/
  17. https://repo.powerdns.com/
  18. https://docs.powerdns.com/recursor/appendices/EOL.html


--

kind regards,
Otto Moerbeek
PowerDNS Developer


Email: otto.moerb...@open-xchange.com


-
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 
95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt

PowerDNS.COM BV, Koninginnegracht 14L, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt, Maxim Letski
-


signature.asc
Description: PGP signature
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] why different parameters syntax on forward-zones and forward-zones-file

2022-11-29 Thread Otto Moerbeek via Pdns-users
On Tue, Nov 29, 2022 at 09:55:54AM -0500, Kevin P. Fleming via Pdns-users wrote:

> On Tue, Nov 29, 2022, at 08:45, Victor Hugo dos Santos via Pdns-users wrote:
> > hello there,
> >
> > today we have to migrate an old configuration (what was using the
> > forward-zones-file) to a new server using the ansible recursor
> > playbook (https://github.com/PowerDNS/pdns_recursor-ansible), but some
> > internal domains didn't work well and after some debugging we got that
> > there is a difference using the "+" on the forward-zones and
> > forward-zones-file.
> >
> > https://docs.powerdns.com/recursor/settings.html#forward-zones
> > https://docs.powerdns.com/recursor/settings.html#forward-zones-file
> >
> > ```Zones prefixed with a "+" are treated as with
> > forward-zones-recurse. Default behaviour without "+" is as with
> > forward-zones.```
> >
> > So, why do these two parameters need to have different syntax (not only
> > the +, but the use of ; and , as separators)?
> 
> The "+" (and other markers) are necessary in order to avoid requiring a 
> configuration for every combination of forward-zones optional behaviors; it 
> would be much more difficult to manage a configuration which had 
> forward-zones-file, forward-zones-recurse-file, forward-zones-notify-file, 
> forward-zones-recurse-notify-file, etc.
> 
> If you'd like forward-zones to accept the same "+" and "^" markers as 
> forward-zones-file does, and then there would be no need for 
> forward-zones-recurse/etc., that would be a reasonable feature request.

Additionally, the lines in forward-zones-file do support space, comma
and semicolon as separator for addresses. 

-Otto
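A parser for the forward-zones-file line format discussed in this thread, added here as an example (my own code, not the recursor's parser): it accepts the "+" and "^" markers Kevin mentions, in any order, and the space, comma and semicolon address separators Otto mentions. That "^" marks a zone for which NOTIFY is accepted is my assumption, based on the forward-zones-notify-file name in the reply; the sample file content is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input, not taken from the thread. Each line is
# "[markers]zone=addr[,addr...]" where the optional leading "+" and "^"
# markers are the ones discussed above.
SAMPLE_FORWARD_ZONES_FILE = """\
# comment lines and blank lines are ignored

example.com=192.0.2.1:5300, 192.0.2.2
+recurse.example=198.51.100.1;198.51.100.2
^notify.example=203.0.113.1 203.0.113.2:5353
+^both.example=[2001:db8::1]:853 2001:db8::2
"""

DEFAULT_PORT = 53


@dataclass
class ForwardZone:
    zone: str
    servers: list             # list of (address, port) tuples
    recurse: bool = False     # "+" marker: forward with RD set (forward-zones-recurse)
    notify: bool = False      # "^" marker: assumed to mean "accept NOTIFY for this zone"


def parse_address(token):
    """Parse one forwarding target: IPv4[:port], [IPv6]:port or bare IPv6."""
    if token.startswith("["):                      # bracketed IPv6 with optional port
        host, _, rest = token[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else DEFAULT_PORT
    elif token.count(":") == 1:                    # IPv4 with port
        host, port_str = token.split(":")
        port = int(port_str)
    else:                                          # bare IPv4 or bare IPv6
        host, port = token, DEFAULT_PORT
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {token!r}")
    # ip_address() rejects anything that is not a literal address; the 4.x
    # forward-zones syntax does not take names.
    return str(ipaddress.ip_address(host)), port


def parse_forward_zone_line(line):
    """Parse "[+][^]zone=addr[,addr...]" into a ForwardZone."""
    recurse = notify = False
    i = 0
    while i < len(line) and line[i] in "+^":       # markers may be combined in any order
        if line[i] == "+":
            recurse = True
        else:
            notify = True
        i += 1
    body = line[i:]
    if "=" not in body:
        raise ValueError(f"missing '=' in line {line!r}")
    zone, _, targets = body.partition("=")
    zone = zone.strip()
    if not zone:
        raise ValueError(f"empty zone name in line {line!r}")
    zone = zone.lower().rstrip(".") or "."         # canonical form, "." for the root
    # Space, comma and semicolon (or runs of them) all separate addresses.
    servers = [parse_address(t) for t in re.split(r"[\s,;]+", targets.strip()) if t]
    if not servers:
        raise ValueError(f"no forwarding targets for zone {zone!r}")
    return ForwardZone(zone, servers, recurse, notify)


def parse_forward_zones_file(text):
    """Parse a whole file; returns {zone: ForwardZone} and rejects duplicate zones."""
    zones = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fz = parse_forward_zone_line(line)
        except ValueError as e:
            raise ValueError(f"line {lineno}: {e}") from None
        if fz.zone in zones:
            raise ValueError(f"line {lineno}: duplicate zone {fz.zone!r}")
        zones[fz.zone] = fz
    return zones


if __name__ == "__main__":
    for fz in parse_forward_zones_file(SAMPLE_FORWARD_ZONES_FILE).values():
        print(fz)
```

Rejecting duplicate zones and non-literal addresses at parse time is deliberate: a silently ignored second definition, or a target that only looks like an address, is exactly the kind of "some internal domains didn't work" problem described at the top of the thread.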



Re: [Pdns-users] Recursor Cache entries per record

2022-11-28 Thread Otto Moerbeek via Pdns-users
Hello

What Winfried says is true, with the note that a few more bits of the
query are included in the hash, while some other parts are skipped;
e.g. the recursor skips the EDNS ECS and Cookie bits when computing
the hash.

Also note that while the packet cache is per thread, the other cache
(record cache) is shared between all threads since a few releases.
The latter is used to look up packet hash misses, to retrieve infra
data to find auths and a few more things.

-Otto
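To make the behaviour described in this thread concrete, here is an added illustration (my own code, not the recursor's hashing routine) of a packet-cache key that is computed from the query content only: the client's source address and the transaction id play no part, and the EDNS Client Subnet option (code 8) and the Cookie option (code 10) are skipped, as Otto says. Which header bits I fold in (RD, CD and the DO bit) is my own choice, not necessarily the recursor's exact set; the queries are constructed in wire format inside the block.

```python
import hashlib
import struct

OPT_TYPE = 41
EDNS_ECS = 8          # option codes skipped by the key (as the reply above says)
EDNS_COOKIE = 10
SKIPPED_EDNS_OPTIONS = {EDNS_ECS, EDNS_COOKIE}


def encode_name(name):
    """Uncompressed wire-format name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, rd=True, do=False, ecs=None, cookie=None):
    """Construct a wire-format query with an OPT RR (test input, not a captured packet).
    ecs is (family, source_prefix_len, address_bytes); cookie is the raw cookie bytes."""
    flags = 0x0100 if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    options = b""
    if ecs is not None:
        family, prefix_len, addr = ecs
        data = struct.pack("!HBB", family, prefix_len, 0) + addr
        options += struct.pack("!HH", EDNS_ECS, len(data)) + data
    if cookie is not None:
        options += struct.pack("!HH", EDNS_COOKIE, len(cookie)) + cookie
    ttl = 0x8000 if do else 0                      # DO bit lives in the OPT TTL field
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, ttl, len(options)) + options
    return header + question + opt


def parse_name(buf, off):
    """Parse an uncompressed name, lower-cased; returns (name, new_offset)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointers are not expected in a query")
        labels.append(buf[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels) + ".", off


def packet_cache_key(pkt, client_addr=None):
    """Key a query for a packet cache. client_addr is accepted only to make the
    point that it does NOT influence the key; the transaction id is skipped too."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if qd != 1 or an or ns:
        raise ValueError("not a plain single-question query")
    qname, off = parse_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    h = hashlib.sha256()
    h.update(qname.encode("ascii") + struct.pack("!HH", qtype, qclass))
    h.update(struct.pack("!H", flags & 0x0110))    # RD and CD (my choice of header bits)
    for _ in range(ar):
        _, off = parse_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        h.update(struct.pack("!H", ttl & 0x8000))  # DO bit changes the answer, so keep it
        o = 0
        while o < len(rdata):                       # walk the EDNS options
            code, olen = struct.unpack("!HH", rdata[o:o + 4])
            o += 4
            data = rdata[o:o + olen]
            o += olen
            if code in SKIPPED_EDNS_OPTIONS:        # ECS and Cookie differ per client
                continue
            h.update(struct.pack("!HH", code, olen) + data)
    return h.hexdigest()
```

Two clients asking for the same name with different source addresses, transaction ids, ECS payloads and cookies therefore produce the same key, which is the cache-hit pattern Giovanni wanted; a different qtype, the DO bit or the RD flag produce a different key, because those change the answer.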

On Mon, Nov 28, 2022 at 07:01:12PM +0100, abang--- via Pdns-users wrote:

> Hi Giovanni,
> 
> As far as I know, the Recursor is exactly doing what you want. IP addresses 
> are not part of the hash. Only the query name is base of the hash.
> 
> Identical query names are routed to the same thread and thus to the same 
> cache.
> 
> Winfried
> 
> 
> Am 28. November 2022 18:37:19 MEZ schrieb Giovanni Vecchi via Pdns-users 
> :
> >Hi guys,
> >
> >I'm doing some tests on recursor 4.7.4 and I would like some confirmation from
> >you about caching behaviour: I understood that
> >enabling pdns-distributes-queries, cached entries are served only in case
> >of matching query hash, so different clients (with different source ip)
> >will not hit cache for the same record in their first queries, isn't it?
> >
> >Let's do an example, starting from time 0:
> >- time 0+1 -> client1 ask for my.domain -> cache miss
> >- time 0+2 -> client2 ask for my.domain -> cache miss
> >- time 0+3 -> client1 ask for my.domain -> cache hit
> >- time 0+4 -> client2 ask for my.domain -> cache hit
> >If it's true, is it possible to configure recursor cache by record and not
> >by hash?
> >My ultimate goal is to take advantage from cached entries regardless client
> >query hash, in this way:
> >- time 0+1 -> client1 ask for my.domain -> cache miss
> >- time 0+2 -> client2 ask for my.domain -> cache hit
> >- time 0+3 -> client1 ask for my.domain -> cache hit
> >- time 0+4 -> client2 ask for my.domain -> cache hit
> >
> >Thanks
> >
> >
> >



[Pdns-users] PowerDNS Recursor 4.5.12, 4.6.5 and 4.7.4 Released

2022-11-25 Thread Otto Moerbeek via Pdns-users
   Hello,

   Today we have released a maintenance release of PowerDNS Recursor
   4.5.12, 4.6.5 and 4.7.4, containing fixes for a few minor issues. In
   particular, RPZ IXFRs now time out if the server becomes
   unresponsive. For more details on the other fixes, consult the
   changelogs available at [1]4.5.12, [2]4.6.5, [3]4.7.4.

   The source tarballs ([4]4.5.12, [5]4.6.5, [6]4.7.4) and signatures
   ([7]4.5.12, [8]4.6.5, [9]4.7.4) are available from our download
   [10]server. Packages for various distributions are available from our
   [11]repository.

   Note that PowerDNS Recursor 4.4.x and older releases are End of Life.
   Consult the [12]EOL policy for more details.

   We would also like to repeat that starting with the 4.5 release branch
   we stopped supporting systems using 32-bit time. This includes most
   32-bit Linux platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

   Please send us all feedback and issues you might have via the
   [13]mailing list, or in case of a bug, via [14]GitHub.

References

   1. https://docs.powerdns.com/recursor/changelog/4.5.html#change-4.5.12
   2. https://docs.powerdns.com/recursor/changelog/4.6.html#change-4.6.5
   3. https://docs.powerdns.com/recursor/changelog/4.7.html#change-4.7.4
   4. https://downloads.powerdns.com/releases/pdns-recursor-4.5.12.tar.bz2
   5. https://downloads.powerdns.com/releases/pdns-recursor-4.6.5.tar.bz2
   6. https://downloads.powerdns.com/releases/pdns-recursor-4.7.4.tar.bz2
   7. https://downloads.powerdns.com/releases/pdns-recursor-4.5.12.tar.bz2.sig
   8. https://downloads.powerdns.com/releases/pdns-recursor-4.6.5.tar.bz2.sig
   9. https://downloads.powerdns.com/releases/pdns-recursor-4.7.4.tar.bz2.sig
  10. https://downloads.powerdns.com/releases/
  11. https://repo.powerdns.com/
  12. https://docs.powerdns.com/recursor/appendices/EOL.html
  13. https://mailman.powerdns.com/mailman/listinfo/pdns-users
  14. https://github.com/PowerDNS/pdns/issues/new/choose




[Pdns-users] First Release Candidate of PowerDNS Recursor 4.8.0

2022-11-18 Thread Otto Moerbeek via Pdns-users
Hello!

   We are proud to announce the first release candidate of PowerDNS
   Recursor 4.8.0. We invite all users to test this release candidate, so
   that we can release the final PowerDNS Recursor 4.8.0 soon.

   Compared to the previous major (4.7) release of PowerDNS Recursor, this
   release contains the following major changes:

 * [1]Structured Logging has been implemented for almost all
   subsystems. This allows for improved (automated) analysis of
   logging information. We've posted a [2]blog about this feature
   recently.
 * Optional [3]Serve Stale functionality has been implemented,
   providing resilience against connectivity problems towards
   authoritative servers.
 * Optional [4]Record Locking has been implemented, providing an extra
   layer of protection against spoofing attempts at the price of
   reduced cache efficiency.
 * Internal tables used to track information about authoritative
   servers are now [5]shared instead of per-thread, resulting in
   better performance and lower memory usage.
 * EDNS padding of outgoing DoT queries has been implemented,
   providing better privacy protection.
 * Metrics have been added about the protobuf and dnstap logging
   [6]subsystems and the [7]rcodes received from authoritative
   servers.

   As always, there are also many smaller bug fixes and improvements,
   please refer to the [8]changelog for additional details. When upgrading
   do not forget to check the [9]upgrade guide.

   We are also announcing the removal of [10]XPF support. If you are using
   this feature, switch to the [11]proxy protocol.

   Please send us all feedback and issues you might have via
   the [12]mailing list, or in case of a bug, via [13]GitHub.

   The [14]tarball ([15]signature) is available from our download
   [16]server and packages for several distributions are available from
   our [17]repository.

   With the final 4.8 release, the 4.5.x releases will be marked "End of
   Life" and the 4.6.x and 4.7.x releases will go into critical fixes only
   mode. Consult the EOL [18]policy for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://docs.powerdns.com/recursor/settings.html#structured-logging-backend
   2. https://blog.powerdns.com/2022/10/03/structured-logging-in-powerdns-recursor/
   3. https://docs.powerdns.com/recursor/appendices/internals.html#serve-stale
   4. https://docs.powerdns.com/recursor/settings.html#record-cache-locked-ttl-perc
   5. https://blog.powerdns.com/2022/08/29/sharing-data-between-threads-in-powerdns-recursor/
   6. https://docs.powerdns.com/recursor/manpages/rec_control.1.html
   7. https://docs.powerdns.com/recursor/metrics.html#auth-xxx-answers
   8. https://doc.powerdns.com/recursor/changelog/4.8.html#change-4.8.0-rc1
   9. https://docs.powerdns.com/recursor/upgrade.html
  10. https://docs.powerdns.com/recursor/settings.html#xpf-allow-from
  11. https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from
  12. https://mailman.powerdns.com/mailman/listinfo/pdns-users
  13. https://github.com/PowerDNS/pdns/issues/new/choose
  14. https://downloads.powerdns.com/releases/pdns-recursor-4.8.0-rc1.tar.bz2
  15. https://downloads.powerdns.com/releases/pdns-recursor-4.8.0-rc1.tar.bz2.sig
  16. https://downloads.powerdns.com/releases/
  17. https://repo.powerdns.com/
  18. https://docs.powerdns.com/recursor/appendices/EOL.html



Re: [Pdns-users] Configure Powerdns and check if the domain which is not present in Powerdns is tranferring the traffic to 8.8.8.8 .

2022-11-16 Thread Otto Moerbeek via Pdns-users


You start complaining within the hour. That is not the way to get a
response. I just lost all the motivation to help you.

 -Otto



On Thu, Nov 17, 2022 at 12:17:01PM +0530, Raghvendra Choudhary via Pdns-users 
wrote:

> any update on this?
> 
> 
> 
> On Thu, Nov 17, 2022 at 11:24 AM Raghvendra Choudhary <
> raghvendra.choudh...@digivalet.com> wrote:
> 
> > Hi Team,
> >
> > I already installed the PowerDNS admin on my local machine. My
> > requirement is to Configure Powerdns and check if the domain which is not
> > present in Powerdns is transferring the traffic to 8.8.8.8 .
> >
> > I am unable to find a resolution and I am not aware about how to use the
> > powerDNS.
> >
> > Please advise and do the needful.
> >
> > Waiting for your reply.
> >
> >



Re: [Pdns-users] DNS-over-TLS option

2022-11-14 Thread Otto Moerbeek via Pdns-users
On Tue, Nov 15, 2022 at 11:36:44AM +1300, Michael Hallager wrote:

> On 2022-11-14 19:29, Otto Moerbeek wrote:
> 
> > The upgrade guide has pointers, but in this case there's also a blog
> > post:
> > 
> > https://blog.powerdns.com/2022/06/13/probing-dot-support-of-authoritative-servers-just-try-it/
> > 
> > More details in:
> > 
> > https://docs.powerdns.com/recursor/settings.html#max-busy-dot-probes
> > https://docs.powerdns.com/recursor/settings.html#dot-to-port-853
> > https://docs.powerdns.com/recursor/settings.html#dot-to-auth-names
> 
> Thanks for this, Otto.
> 
> It also needs an authoritative server which supports TLS. I see an option
> for this at compile time for PowerDNS but no obvious mention in the
> documents.
> 
> Michael

The support on the authoritative side only enables DoT for the sdig
tool at the moment. A dnsdist in front of auth can provide incoming
DoT to an auth.

-Otto


Re: [Pdns-users] DNS-over-TLS option

2022-11-13 Thread Otto Moerbeek via Pdns-users
On Mon, Nov 14, 2022 at 11:26:41AM +1300, Michael Hallager via Pdns-users wrote:

> 
> Hi all,
> 
> I am seeing the following option during compilation of PowerDNS Recursor,
> however, can't find any documentation on its configuration.
> 
> configure: Features enabled
> configure: 
> configure: Lua: luajit
> configure: OpenSSL ECDSA: yes
> configure: ed25519: yes
> configure: ed448: yes
> configure: Protobuf: yes
> configure: SNMP: yes
> configure: systemd: no
> configure: nod: yes
> configure: dnstap: no
> configure: DNS over TLS: yes
> configure: OpenSSL: yes
> configure: libcurl: yes
> configure: Context library: Boost Context
> configure:
> 
> Can someone point me in the right direction, please?
> 
> Kind regards,
> 
> Michael Hallager

The upgrade guide has pointers, but in this case there's also a blog post:

https://blog.powerdns.com/2022/06/13/probing-dot-support-of-authoritative-servers-just-try-it/

More details in:

https://docs.powerdns.com/recursor/settings.html#max-busy-dot-probes
https://docs.powerdns.com/recursor/settings.html#dot-to-port-853
https://docs.powerdns.com/recursor/settings.html#dot-to-auth-names

-Otto




Re: [Pdns-users] Recursor: NS selection logic, multiple IPs in forward-zones statement

2022-11-10 Thread Otto Moerbeek via Pdns-users
On Wed, Nov 09, 2022 at 09:00:12PM +0300, Andrey Vishnyakov via Pdns-users 
wrote:

> Hi!
> 
> What is the logic of pdns recursor choosing NS server when multiple items
> are available like multiple IP addresses in a forward-zones statement?
> 
> Looking through the source code I see that NS servers are being ordered by
> speed or response time (usec).  What is the overall algorithm? How often
> resolver does a probing of multiple NS, etc.? Can we somehow configure this
> logic?
> 
> Best regards,
> Andrey

This is briefly described in

https://docs.powerdns.com/recursor/appendices/internals.html#some-of-the-things-we-glossed-over

It applies to both selecting a forwarder and selecting an authoritative
server.

The recursor computes an exponentially weighted moving average per IP,
and it will use the fastest IP available from all candidates, then
process the new response time to compute a new average response time
for that IP.

Over time, the average values for all IPs will be reduced, so that
unused IPs will be used again because they have a lower average value,
which will result in a new averaged response time value for those IPs.

This mechanism cannot be tuned or modified.

-Otto
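The selection mechanism Otto describes, as an added example that is not part of the post and not the recursor's code: one exponentially weighted moving average per candidate address, the lowest estimate wins, a measured response time is folded back into that candidate's estimate, and every estimate decays over time so that a candidate nobody is querying eventually looks cheaper than the one in use and gets probed again. The smoothing factor, the half-life and the timeout penalty are my own illustrative values; the two-forwarder scenario in `simulate()` is constructed.

```python
from dataclasses import dataclass


@dataclass
class AddressStats:
    ewma_usec: float = 0.0       # estimated response time; 0.0 means "never measured"
    last_update: float = 0.0     # wall-clock seconds of the last decay/update


class ForwarderSelector:
    """Pick the fastest candidate by an exponentially weighted moving average of
    measured response times, letting unused candidates decay so they get
    re-tried. alpha, half_life_s and timeout_penalty_usec are assumed values."""

    def __init__(self, addresses, alpha=0.3, half_life_s=60.0, timeout_penalty_usec=1_000_000):
        self.stats = {a: AddressStats() for a in addresses}
        self.alpha = alpha
        self.half_life_s = half_life_s
        self.timeout_penalty_usec = timeout_penalty_usec

    def _decay_all(self, now):
        # Every estimate shrinks over time. The candidate actually in use is
        # refreshed by real measurements; an idle one only ever decays, so it
        # eventually looks cheaper and gets probed again.
        for s in self.stats.values():
            if s.ewma_usec > 0:
                dt = max(0.0, now - s.last_update)
                s.ewma_usec *= 0.5 ** (dt / self.half_life_s)
                s.last_update = now

    def pick(self, now):
        """Return the address with the lowest current estimate (untried ones first)."""
        self._decay_all(now)
        return min(self.stats, key=lambda a: self.stats[a].ewma_usec)

    def record(self, address, rtt_usec, now):
        """Fold a measured response time (or a timeout penalty) into the estimate."""
        s = self.stats[address]
        rtt_usec = max(1.0, float(rtt_usec))       # keep 0.0 reserved for "untried"
        if s.ewma_usec == 0.0:
            s.ewma_usec = rtt_usec
        else:
            s.ewma_usec = (1 - self.alpha) * s.ewma_usec + self.alpha * rtt_usec
        s.last_update = now

    def record_timeout(self, address, now):
        """A timeout counts as a very slow answer, pushing the address to the back."""
        self.record(address, self.timeout_penalty_usec, now)


def simulate(steps=60, interval_s=10.0):
    """Constructed scenario: two forwarders, one answering in 500 us and one in
    5000 us, queried every interval_s seconds. Returns the sequence of picks."""
    fast, slow = "192.0.2.1", "192.0.2.2"
    latency = {fast: 500, slow: 5000}
    sel = ForwarderSelector([fast, slow])
    picks = []
    for i in range(steps):
        now = i * interval_s
        addr = sel.pick(now)
        picks.append(addr)
        sel.record(addr, latency[addr], now)
    return picks


if __name__ == "__main__":
    picks = simulate()
    print("slow forwarder re-probed at step", picks.index("192.0.2.2", 2))
```

In the simulation both addresses are probed once, the fast one is then used exclusively, and after roughly four minutes the slow one's decayed estimate drops below the fast one's refreshed estimate and it is tried again; a timeout recorded through `record_timeout()` has the opposite effect and moves an address to the back of the queue immediately.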







Re: [Pdns-users] pdns-recursor ecs support config designs

2022-11-08 Thread Otto Moerbeek via Pdns-users
On Tue, Nov 08, 2022 at 09:44:22AM +, Brian Candler via Pdns-users wrote:

> On 08/11/2022 09:20, Robby Pedrica via Pdns-users wrote:
> 
> > The CDN services work correctly when a branch uses the ISP-assigned DNS
> > for that specific branch/link. But as mentioned, it's difficult to
> > manage these DNS entries when you have many branches across the world
> > (180 sites with 2 different ISP links at each site). It would be much
> > easier if we had a central recursor that could use ecs to determine
> > geo-located services for each branch.
> 
> The central recursor would be able to see the source IP addresses of all the
> clients, correct?  Would it see the public (post NAT) or internal address
> (e.g. site-to-site VPN)?
> 
> The recursor itself doesn't "use ecs" as such, but it could *pass* the
> client's IP address via ecs to the authoritative servers.  However, whether
> the authoritative servers use that information or not is not within your
> control.  They may ignore it, and look at the source IP address of the
> request only (i.e. the IP address of your recursor).  In which case, you're
> stuck.
> 
> In any case, getting clients to use a local DNS cache would be much better
> for resilience and performance than routing all queries via a central
> recursor.

Agreed, running a local recursor per office is certainly something to consider.
If you run those yourself you are not/less dependent on ISP setups.

-Otto



Re: [Pdns-users] pdns-recursor ecs support config designs

2022-11-07 Thread Otto Moerbeek via Pdns-users
On Tue, Nov 08, 2022 at 08:35:33AM +0200, Robby Pedrica via Pdns-users wrote:

> Hi all,
> 
> I've searched pdns docs as well as threads here but can find nothing about
> how to deploy ecs or more specifically, under which circumstance ecs can be
> used.
> 
> From what I understand of ecs, the recursor will forward the client's IP
> with the request to the auth (or intermediate) servers so that the auth
> server can respond with a result that is local (if possible) to the client.
> I'm going to assume then that a public address is needed from the client as
> you can't determine location info from an rfc1918 address.
> 
> Consider the following setup:
> 
> branch1 (client with private address) -> firewall/NAT+VPN (branch) ->
> internet -> firewall/NAT+VPN (head office) -> recursor -> auth query ...
> branch2 (client with private address) -> firewall/NAT+VPN (branch) |
> etc.
> 
> In this scenario, clients at branches have their queries forwarded over
> site-to-site VPN tunnels to the recursor at a head office. The client IP the
> recursor sees is the client's private IP address.
> 
> Is there any possibility of getting a design like this to work with ecs? If
> not, any alternatives?
> 
> Notes:
> 
> The specific pdns-recursor settings I'm looking at are:
> 
> ends-subnet-allow-list
> ecs-add-for
> use-incoming-edns-subnet
> 
> Regards, Robby

It is not 100% clear what you are trying to achieve. But here's some
general info.

Auths use incoming ECS data to hand out IPs matched to the query
source by some rules. The assumption is that the actual (often https)
traffic comes from the same source.

As for the recursor: by default private addresses will not be used
for outgoing ECS (as governed by ecs-add-for).

If the clients use private addresses from multiple locations via VPNs
and all client traffic goes through the VPN as well, it makes sense
for a recursor to use for an outgoing ECS the public gateway address
used by the VPN clients, as the queries *and* traffic are then coming
from the same source.  You can use ecs-scope-zero-address to achieve that.

If the actual client traffic goes on the net using a different public
gateway than used by the recursor, e.g., the public address used by
the remote office location, you want an outgoing ECS to use that. You
might take a look into proxy mapping:

https://docs.powerdns.com/recursor/lua-config/proxymapping.html

On a general note: only if you observe actual inefficient CDN use I
would bother with ECS, as it complicates your configuration, makes the
recursor's cache less efficient, and is not guaranteed to provide
actual gain.

-Otto



[Pdns-users] Second Beta Release of PowerDNS Recursor 4.8.0

2022-11-07 Thread Otto Moerbeek via Pdns-users
Hello,

   We are proud to announce the second beta release of PowerDNS Recursor
   4.8.0.

   Compared to the previous major (4.7) release of PowerDNS Recursor, this
   release contains the following major changes:

 * [1]Structured Logging has been implemented for almost all
   subsystems. This allows for improved (automated) analysis of
   logging information. We've posted a [2]blog about this feature
   recently.
 * Optional [3]Serve Stale functionality has been implemented,
   providing resilience against connectivity problems towards
   authoritative servers.
 * Optional [4]Record Locking has been implemented, providing an extra
   layer of protection against spoofing attempts at the price of
   reduced cache efficiency.
 * Internal tables used to track information about authoritative
   servers are now [5]shared instead of per-thread, resulting in
   better performance and lower memory usage.
 * EDNS padding of outgoing DoT queries has been implemented,
   providing better privacy protection.
 * Metrics have been added about the protobuf and dnstap logging
   [6]subsystems and the [7]rcodes received from authoritative
   servers.

   As always, there are also many smaller bug fixes and improvements,
   please refer to the [8]changelog for additional details. When upgrading
   do not forget to check the [9]upgrade guide.

   We are also announcing the removal of [10]XPF support. If you are using
   this feature, switch to the [11]proxy protocol.

   Please send us all feedback and issues you might have via
   the [12]mailing list, or in case of a bug, via [13]GitHub.

   The [14]tarball ([15]signature) is available from our download
   [16]server and packages for several distributions are available from
   our [17]repository.

   With the final 4.8 release, the 4.5.x releases will be marked "End of
   Life" and the 4.6.x and 4.7.x releases will go into critical fixes only
   mode. Consult the EOL [18]policy for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://docs.powerdns.com/recursor/settings.html#structured-logging-backend
   2. https://blog.powerdns.com/2022/10/03/structured-logging-in-powerdns-recursor/
   3. https://docs.powerdns.com/recursor/appendices/internals.html#serve-stale
   4. https://docs.powerdns.com/recursor/settings.html#record-cache-locked-ttl-perc
   5. https://blog.powerdns.com/2022/08/29/sharing-data-between-threads-in-powerdns-recursor/
   6. https://docs.powerdns.com/recursor/manpages/rec_control.1.html
   7. https://docs.powerdns.com/recursor/metrics.html#auth-xxx-answers
   8. https://doc.powerdns.com/recursor/changelog/4.8.html#change-4.8.0-beta2
   9. https://docs.powerdns.com/recursor/upgrade.html
  10. https://docs.powerdns.com/recursor/settings.html#xpf-allow-from
  11. https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from
  12. https://mailman.powerdns.com/mailman/listinfo/pdns-users
  13. https://github.com/PowerDNS/pdns/issues/new/choose
  14. https://downloads.powerdns.com/releases/pdns-recursor-4.8.0-beta2.tar.bz2
  15. https://downloads.powerdns.com/releases/pdns-recursor-4.8.0-beta2.tar.bz2.sig
  16. https://downloads.powerdns.com/releases/
  17. https://repo.powerdns.com/
  18. https://docs.powerdns.com/recursor/appendices/EOL.html



Re: [Pdns-users] pdns-recursor query logging of cached requests

2022-11-03 Thread Otto Moerbeek via Pdns-users
On Thu, Nov 03, 2022 at 02:08:53PM +0100, Marco Kleefman via Pdns-users wrote:

> Hi,
> 
> For compliance reasons we are configuring query logging on our PowerDNS
> recursor instances (running 4.7.3).
> 
> For normal queries I see source-ip and content of DNS question. Example
> logging:
> 
> pdns_recursor[12056]: 2 [395002/1] question for 'www.exampledomain.com|A'
> from 10.11.12.13:56765
> 
> For a cached query I only see this in my (journald + syslog) logging:
> 
> pdns_recursor[12056]: 3 question answered from packet cache tag=0 from
> 173.172.171.170:51200
> 
> I tried increasing loglevel parameter to 7 (debug) but no additional
> logging becomes available for cached requests.
> 
> Does anybody have any tips how to log the content of a query which gets
> answered from the cache?
> 
> Regards,
> 
> Marco
> 
> OS: CentOS 7.9.200
> PDNS: pdns-recursor.x86_64 4.7.3-1pdns.el7
> @powerdns-rec-47
> 
> related config in /etc/pdns-recursor/recursor.conf:
> 
> disable-syslog=no
> logging-facility=0
> loglevel=4
> quiet=no

The text logging is indeed limited. 4.8 (to be released in December)
will improve on that. You could try a beta version:

https://blog.powerdns.com/2022/10/05/first-beta-release-of-powerdns-recursor-4-8-0/

But in general, text logging is quite CPU intensive. I would use
protobuf logging, which is much easier on the CPU. See

https://docs.powerdns.com/recursor/lua-config/protobuf.html#configuring-protocol-buffer-logs

-Otto


Re: [Pdns-users] Help with "simple" config please

2022-10-31 Thread Otto Moerbeek via Pdns-users
Hello,

Please read the [1]link below and post unedited config files. It also
helps to explicitly state the problem you are trying to solve, what
commands you used to investigate, what you expected to see and what
you actually saw.

-Otto

[1] https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

On Mon, Oct 31, 2022 at 10:04:31AM -0500, Slacker T via Pdns-users wrote:

> I'm working through upgrading from 4.4 to the latest version. Tackling
> issues one at a time. I'm trying to get usable log info on who I'm getting
> queries from. I've never used ECS/EDNS before, I think it's what I need to
> use to get what I want. I use dnsdist in front of both my recursor and auth
> server all on the name server, same for my secondary. Please look at my
> config and tell me what you think. I understand that the logs are showing
> what's actually happening, as the query is from 127.0.0.1. I'd just like to
> be able to get the originator ip too if possible.
> 
> Another thing, I'm not sure zone updates are being accepted by the
> secondary. Is there anything different you have to do that changed since
> 4.4? It's like it sees the update from the loopback rather than from the
> primary. Not sure if it's related to any of the ECS/EDNS options.
> 
> Thanks.
> 
> Running:
> 
> > openbsd-7.2
> > dnsdist-1.7.2
> > powerdns-4.6.3
> > powerdns-recursor-4.7.3
> 
> 
> Log showing dnsdist IP rather than originating client:
> 
> > pdns_recursor[67506]: 3 [1230/1] question for '
> > chat-e2ee-mini.c10r.facebook.com|A' from 127.0.0.1:34556
> >
> 
> pdns.conf:
> 
> > setuid=_powerdns
> 
> launch=gsqlite3
> > gsqlite3-database=/var/db/pdns/pdns.sqlite3
> > gsqlite3-dnssec
> > allow-axfr-ips=192.168.100.14
> > also-notify=192.168.100.14
> > daemon=yes
> > edns-subnet-processing=yes
> > guardian=yes
> > local-address=127.0.0.1:5300
> > loglevel=5
> > primary=yes
> > secondary=no
> 
> 
> recursor.conf:
> 
> > setuid=_pdns_recursor
> > setgid=_pdns_recursor
> > chroot=/var/pdns_recursor
> > allow-from=127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16,
> > 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10
> > daemon=yes
> > disable-syslog=no
> > dnssec-log-bogus=yes
> > forward-zones=mydomain.com=127.0.0.1:5300
> > forward-zones+=sub.mydomain.com=127.0.0.1:5300
> > forward-zones+=sub.otherdomain.org=127.0.0.1:5300
> > local-address=127.0.0.1:5301
> > log-common-errors=yes
> > log-rpz-changes=yes
> > logging-facility=0
> > loglevel=4
> > quiet=no
> 
> 
> dnsdist.conf:
> 
> > setLocal('192.168.100.13:53')
> > addLocal('127.0.0.1:53')
> > setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access
> 
> > setECSOverride(true)
> > setECSSourcePrefixV4(32)
> > setECSSourcePrefixV6(128)
> > newServer({address='127.0.0.1:5300', pool='auth', useClientSubnet=true})
> > newServer({address='127.0.0.1:5301', pool='recursor', useClientSubnet=true})
> > recursive_ips = newNMG()
> > recursive_ips:addMask('10.0.0.0/8') -- These network masks are the ones from allow-recursion in the Authoritative Server
> > recursive_ips:addMask('192.168.0.0/16')
> > recursive_ips:addMask('172.16.0.0/12')
> > recursive_ips:addMask('127.0.0.0/24')
> > addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
> > addAction(AllRule(), PoolAction('auth'))

> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Repeating log file entry for root server

2022-10-28 Thread Otto Moerbeek via Pdns-users


Hello,

a.root-servers.net is the default name used by the dnsdist health checks.
So no worries.

With respect to pdns_recursor: logging all queries (with quiet=no)
hurts performance. In general, you do not want to enable it on a
production machine.

-Otto

On Fri, Oct 28, 2022 at 08:55:04AM -0500, Slacker T via Pdns-users wrote:

> Hello! I'm running the release versions of dnsdist, recursor and server on
> OpenBSD 7.2. Currently that is:
> dnsdist-1.7.2
> powerdns-4.6.3
> powerdns-recursor-4.7.3
> 
> I'm upgrading the OS and pdns from older versions, 4.4.x. I'm attempting to
> use the previous config files so that might be the issue.
> 
> I'm seeing the following entries repeated in the log files. I'm wondering
> if it's from the 'hint-file' config file for the recursor entry. I don't
> have that in the config, but I see in the docs that it changed in 4.6.2.
> 
> > Oct 28 08:49:57 dns01 pdns[37599]: Remote 127.0.0.1 wants 'a.root-servers.net|A', do = 0, bufsize = 512: packetcache HIT
> > Oct 28 08:49:57 dns01 pdns_recursor[8731]: 3 question answered from packet cache tag=0 from 127.0.0.1:47349
> > Oct 28 08:49:58 dns01 pdns[37599]: Remote 127.0.0.1 wants 'a.root-servers.net|A', do = 0, bufsize = 512: packetcache HIT
> > Oct 28 08:49:58 dns01 pdns_recursor[8731]: 3 question answered from packet cache tag=0 from 127.0.0.1:10793
> 
> So is this from some internal piece to update the root servers? loglevel is
> 6 on both the recursor and the server. I just wanted to make sure this is
> normal and not a sign of misconfiguration. Rarely the log will show a MISS.



Re: [Pdns-users] Warning in syslog after upgrade to PowerDNS Authoritative Server 4.7

2022-10-28 Thread Otto Moerbeek via Pdns-users
Hello,

4.7.0 introduced (optional) GSS-TSIG support. Even with that support
not compiled in, it will report about GSS-TSIG requests it could not
handle. That might generate too much log spam; we will discuss if this
message should stay, maybe the level should be Debug. There is also a
typo there: an extra `not'.

So what happens is that the server sees GSS-TSIG enabled requests but
is not prepared to deal with them. Do you have clients or other
servers that send these GSS-TSIG enabled queries?

As for the failing SOA retrieval: does the primary log anything why it
isn't willing to serve the SOA? Perhaps a packet capture will shed
some light on why the SOA retrieval fails. Increasing the loglevel
might also help.

-Otto

On Thu, Oct 27, 2022 at 11:07:29AM +, Giorgio Lardone via Pdns-users wrote:

> Dear all,
> after updating my secondary PowerDNS to version 4.7, I see a myriad of these 
> messages in the syslog:
> 
> "pdns_server[7658]: GSS-TSIG request but not feature not compiled in"
> 
> and
> 
> "pdns_server[7658]: Unable to retrieve SOA for domainname.tld, this was the 
> first time. NOTE: For every subsequent failed SOA check the domain will be 
> suspended from freshness checks for 'num-errors x 60 seconds', with a maximum 
> of 3600 seconds. Skipping SOA checks until 1666868614"
> 
> What do you think they depend on?
> 
> Thanks for your opinion,
> Giorgio



Re: [Pdns-users] PowerDNS Authoritative Server 4.7.0

2022-10-28 Thread Otto Moerbeek via Pdns-users
This is known, a 4.7.1 will be released very soon with this fixed.

-Otto

On Fri, Oct 28, 2022 at 07:12:03AM +, Henri Nougayrede via Pdns-users wrote:

> Hi
> 
> Same for ubuntu 4.7 .deb package.
> I ran the SQL script 
> here.
> 
> Regards
> 
> HNO
> 
> From: Pdns-users  on behalf of 
> Florian Obser via Pdns-users 
> Sent: Friday 28 October 2022 09:07
> To: Peter van Dijk via Pdns-users 
> Subject: Re: [Pdns-users] PowerDNS Authoritative Server 4.7.0
> 
> Hi,
> 
> On 2022-10-20 11:02 +02, Peter van Dijk via Pdns-users 
>  wrote:
> > Please make sure to read the [3]Upgrade Notes before upgrading.
> >
> 
> | The new Catalog Zones feature comes with a mandatory schema change for
> | the gsql database backends. See files named
> | 4.3.x_to_4.7.0_schema.X.sql for your database backend in our Git repo,
> | tarball, or distro-specific documentation path.
> 
> Looks like https://downloads.powerdns.com/releases/pdns-4.7.0.tar.bz2
> misses the 4.3.x_to_4.7.0_schema.X.sql files.
> 
> Cheers,
> Florian
> 
> --
> I'm not entirely sure you are real.


[Pdns-users] First Beta Release of PowerDNS Recursor 4.8.0

2022-10-05 Thread Otto Moerbeek via Pdns-users
Hello,

   We are proud to announce the first beta release of PowerDNS Recursor
   4.8.0. Compared to the previous major (4.7) release of PowerDNS
   Recursor, this release contains the following major changes:
 * [1]Structured Logging has been implemented for almost all
   subsystems. This allows for improved (automated) analysis of
   logging information. We've posted a [2]blog about this feature
   recently.
 * Optional [3]Serve Stale functionality has been implemented,
   providing resilience against connectivity problems towards
   authoritative servers.
 * Optional [4]Record Locking has been implemented, providing an extra
   layer of protection against spoofing attempts at the price of
   reduced cache efficiency.
 * Internal tables used to track information about authoritative
   servers are now [5]shared instead of per-thread, resulting in
   better performance and lower memory usage.
 * EDNS padding of outgoing DoT queries has been implemented,
   providing better privacy protection.
 * Metrics have been added about the protobuf and dnstap logging
   [6]subsystems and the [7]rcodes received from authoritative
   servers.

   As always, there are also many smaller bug fixes and improvements,
   please refer to the [8]changelog for additional details. When upgrading
   do not forget to check the [9]upgrade guide.

   We are also announcing the removal of [10]XPF support. If you are using
   this feature, switch to the [11]proxy protocol.

   Please send us all feedback and issues you might have via the
   [12]mailing list, or in case of a bug, via [13]GitHub.

   The [14]tarball ([15]signature) is available from our download
   [16]server and packages for several distributions are available from
   our [17]repository.

   With the final 4.8 release, the 4.5.x releases will be marked "End of
   Life" and the 4.6.x and 4.7.x releases will go into critical fixes only
   mode. Consult the EOL [18]policy for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://docs.powerdns.com/recursor/settings.html#structured-logging-backend
   2. https://blog.powerdns.com/2022/10/03/structured-logging-in-powerdns-recursor/
   3. https://docs.powerdns.com/recursor/appendices/internals.html#serve-stale
   4. https://docs.powerdns.com/recursor/settings.html#record-cache-locked-ttl-perc
   5. https://blog.powerdns.com/2022/08/29/sharing-data-between-threads-in-powerdns-recursor/
   6. https://docs.powerdns.com/recursor/manpages/rec_control.1.html
   7. https://docs.powerdns.com/recursor/metrics.html#auth-xxx-answers
   8. https://doc.powerdns.com/recursor/changelog/4.8.html#change-4.8.0-beta1
   9. https://docs.powerdns.com/recursor/upgrade.html
  10. https://docs.powerdns.com/recursor/settings.html#xpf-allow-from
  11. https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from
  12. https://mailman.powerdns.com/mailman/listinfo/pdns-users
  13. https://github.com/PowerDNS/pdns/issues/new/choose
  14. https://downloads.powerdns.com/releases/pdns-recursor-4.8.0-beta1.tar.bz2
  15. https://downloads.powerdns.com/releases/pdns-recursor-4.8.0-beta1.tar.bz2.sig
  16. https://downloads.powerdns.com/releases/
  17. https://repo.powerdns.com/
  18. https://docs.powerdns.com/recursor/appendices/EOL.html

-Otto and the PowerDNS team

--

kind regards,
Otto Moerbeek
PowerDNS Developer



Email: otto.moerb...@open-xchange.com


-
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 
95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt

PowerDNS.COM BV, Koninginnegracht 14L, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt, Maxim Letski
-




Re: [Pdns-users] Protobuf - Telegraf

2022-10-01 Thread Otto Moerbeek via Pdns-users
On Sat, Oct 01, 2022 at 12:56:45AM +0100, Djerk Geurts via Pdns-users wrote:

> Hi,
> 
> Has anyone managed to get Protobuf output logged through Telegraf? Telegraf 
> is supposed to support Protobuf input but I’m getting the following error:
> 
> … E! [inputs.socket_listener] Unable to parse incoming line: proto: cannot 
> parse invalid wire-format data
> 
> The Telegraf config I’m using:
> 
> [[inputs.socket_listener]]
>   ## Protobuf listener for RPZ matched query logging
>   service_address = "tcp://127.0.0.1:8000"
>   data_format = "xpath_protobuf"
>   xpath_protobuf_type = "PBDNSMessage"
>   xpath_protobuf_file = "/etc/telegraf/dnsmessage.proto"
>   xpath_print_document = true
> 
> I’m aware of a Protobuf listener written in Go that can output to InfluxDB, 
> but I was hoping to avoid another piece of software when we’re already 
> running Telegraf for the pdns-recursor stats. I just want to add logging of 
> RPZ filtered queries.
> 
> Thanks,
> Djerk

The protobuf streams add a framing header of two bytes of length per protobuf 
message.
The receiving side has to take that into account.

The dnstap streams use the framestream format. In the recursor, they
are only implemented to report on outgoing queries and their replies though.

-Otto
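As an added illustration of the framing Otto describes (this is example code, not code from the PowerDNS project), the following Python splits a byte stream into individual protobuf messages using the 2-byte length prefix, keeping any partial frame for the next read. It assumes the length is big-endian (network order); the payload bytes are constructed stand-ins, not real PBDNSMessage encodings. A small receiver doing this between the recursor and Telegraf would hand Telegraf bare messages instead of framed ones.

```python
"""Length-prefixed framing of the PowerDNS protobuf export stream.

Every serialized protobuf message on the wire is preceded by a 2-byte
length.  This helper removes that framing so the bare messages can be
passed to a protobuf decoder (e.g. one generated from dnsmessage.proto).
Assumption for this example: the 2-byte length is big-endian (network order).
"""
import struct
from typing import List, Tuple

LENGTH_HEADER = struct.Struct("!H")  # 16-bit unsigned, network byte order


def frame(message: bytes) -> bytes:
    """Sender side: prefix one serialized message with its 2-byte length."""
    if len(message) > 0xFFFF:
        raise ValueError("message too large for a 16-bit length prefix")
    return LENGTH_HEADER.pack(len(message)) + message


def unframe(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Receiver side: pull every complete message out of buf.

    Returns (messages, leftover).  leftover is a trailing partial frame
    (header or body not fully received yet) that the caller must keep and
    prepend to the next chunk read from the socket; dropping it would
    desynchronise the stream and produce 'invalid wire-format' errors.
    """
    messages: List[bytes] = []
    pos = 0
    while len(buf) - pos >= LENGTH_HEADER.size:
        (length,) = LENGTH_HEADER.unpack_from(buf, pos)
        body_start = pos + LENGTH_HEADER.size
        if len(buf) - body_start < length:
            break  # body incomplete: wait for more data
        messages.append(buf[body_start:body_start + length])
        pos = body_start + length
    return messages, buf[pos:]


class FrameReader:
    """Incremental reader: feed() arbitrary socket chunks, get whole messages."""

    def __init__(self) -> None:
        self._pending = b""

    def feed(self, chunk: bytes) -> List[bytes]:
        messages, self._pending = unframe(self._pending + chunk)
        return messages

    @property
    def pending_bytes(self) -> int:
        """Bytes buffered that do not yet form a complete frame."""
        return len(self._pending)


# Constructed stand-in payloads (NOT real PBDNSMessage encodings), just to
# exercise the framing; the stream is split at an awkward boundary on purpose.
SAMPLE_MESSAGES = [b"\x08\x01\x10\x02", b"\x08\x02"]
SAMPLE_STREAM = b"".join(frame(m) for m in SAMPLE_MESSAGES)


def demo() -> List[bytes]:
    """Feed the sample stream in two chunks, the first cutting a frame in half."""
    reader = FrameReader()
    first = reader.feed(SAMPLE_STREAM[:3])   # header + 1 byte of a 4-byte body
    second = reader.feed(SAMPLE_STREAM[3:])  # rest of the stream
    return first + second


if __name__ == "__main__":
    for msg in demo():
        print(len(msg), msg.hex())
```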


Re: [Pdns-users] structured logging [was: First Alpha Release of PowerDNS Recursor 4.8.0]

2022-09-23 Thread Otto Moerbeek via Pdns-users
On Fri, Sep 23, 2022 at 12:48:06PM +0200, Jan-Piet Mens via Pdns-users wrote:

> > * [1]Structured Logging has been implemented for almost all
> >   subsystems. This allows for improved (automated) analysis of
> >   logging information.
> 
> Is there any further documentation about this other than the link you added 
> and the "Logging" [2] section in the documentation?
> 
> What exactly does "structured" mean? Is this JSON? Are there any examples?
> 
>   -JP
> 
> 
> [2] https://docs.powerdns.com/recursor/running.html#logging

It means the information is delivered as key-value pairs instead of
free-format strings.  The default backend sends this as formatting
strings with proper quoting rules to the existing logging system
(either systemd-journal in text mode or syslog). In that case, it
looks like this:

Sep 23 13:21:50 msg="trying DoT" subsystem="taskq" level="0"
prio="Warning" tid="6" ts="1663932110.773" ip="188.166.104.87:853"
method="tryDoT" name="powerdns.com" qtype="SOA"

This already allows for more robust log line scanning.

When configured, the information can also be sent to journald using
"native" format. In that case, the key-value pairs are stored in a log
database by journald and journalctl can be used to convert it to e.g.
json, allowing further automated processing.

In the future we might implement other backends, e.g. to other systems
that like to store key-value pairs.

Hope this helps.

-Otto
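As an added example of the "more robust log line scanning" the key-value format makes possible (example code, not part of the PowerDNS project), this Python parser turns text-backend lines like the one quoted above into dicts and then filters and counts on fields instead of grepping free text. It assumes a double quote inside a value is backslash-escaped; two of the sample lines are constructed, the first is the line from the post.

```python
"""Parse PowerDNS Recursor structured log lines into key/value records.

The text backend emits each entry as a timestamp followed by key="value"
pairs.  This example parser (not PowerDNS code) turns such lines into dicts
so they can be filtered and counted instead of grepped for free text.
Assumption: a double quote inside a value is escaped with a backslash.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# key="value"; the value may contain backslash-escaped characters.
_PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
# Leading syslog-style timestamp, e.g. "Sep 23 13:21:50 ".
_TS_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) +")


def parse_structured_line(line: str) -> Dict[str, str]:
    """Return the fields of one line; the leading timestamp is stored as '_ts'."""
    fields: Dict[str, str] = {}
    rest = line
    m = _TS_RE.match(line)
    if m:
        fields["_ts"] = m.group(1)
        rest = line[m.end():]
    for key, raw in _PAIR_RE.findall(rest):
        fields[key] = re.sub(r"\\(.)", r"\1", raw)  # undo \" and \\ escapes
    return fields


def count_by(lines: Iterable[str], key: str) -> Counter:
    """Count how often each value of `key` occurs, e.g. per subsystem or prio."""
    return Counter(f[key] for f in map(parse_structured_line, lines) if key in f)


def dot_attempts(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """List (name, ip) of outgoing DoT attempts, i.e. entries with method="tryDoT"."""
    out: List[Tuple[str, str]] = []
    for f in map(parse_structured_line, lines):
        if f.get("method") == "tryDoT":
            out.append((f.get("name", ""), f.get("ip", "")))
    return out


SAMPLE_LINES = [
    # The line quoted in the post above.
    'Sep 23 13:21:50 msg="trying DoT" subsystem="taskq" level="0" '
    'prio="Warning" tid="6" ts="1663932110.773" ip="188.166.104.87:853" '
    'method="tryDoT" name="powerdns.com" qtype="SOA"',
    # Constructed lines (not real recursor output) to exercise IPv6 and escapes.
    'Sep 23 13:21:51 msg="trying DoT" subsystem="taskq" level="0" '
    'prio="Warning" tid="3" ts="1663932111.001" ip="[2001:db8::1]:853" '
    'method="tryDoT" name="example.net" qtype="SOA"',
    'Sep 23 13:21:52 msg="value with \\"quotes\\" inside" subsystem="test" '
    'level="1" prio="Info" tid="1"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_structured_line(line))
    print(count_by(SAMPLE_LINES, "subsystem"))
    print(dot_attempts(SAMPLE_LINES))
```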


[Pdns-users] First Alpha Release of PowerDNS Recursor 4.8.0

2022-09-23 Thread Otto Moerbeek via Pdns-users
Hello!

   We are proud to announce the first alpha release of PowerDNS Recursor
   4.8.0.

   Compared to the previous major (4.7) release of PowerDNS Recursor, this
   release contains the following major changes:
 * [1]Structured Logging has been implemented for almost all
   subsystems. This allows for improved (automated) analysis of
   logging information.
 * Optional [2]Serve Stale functionality has been implemented,
   providing resilience against connectivity problems towards
   authoritative servers.
 * Optional [3]Record Locking has been implemented, providing an extra
   layer of protection against spoofing attempts at the price of
   reduced cache efficiency.
 * Internal tables used to track information about authoritative
   servers are now [4]shared instead of per-thread, resulting in
   better performance and lower memory usage.
 * EDNS padding of outgoing DoT queries has been implemented,
   providing better privacy protection.

   As always, there are also many smaller bug fixes and improvements,
   please refer to the [5]changelog for additional details. When upgrading
   do not forget to check the [6]upgrade guide.

   Please send us all feedback and issues you might have via
   the [7]mailing list, or in case of a bug, via [8]GitHub.

   The [9]tarball ([10]signature) is available from our download
   [11]server and packages for several distributions are available from
   our [12]repository.

   With the final 4.8 release, the 4.5.x releases will be EOL and the
   4.6.x and 4.7.x releases will go into critical fixes only mode. Consult
   the EOL [13]policy for more details.

   We would also like to mention that with the 4.5 release we stopped
   supporting systems using 32-bit time. This includes many 32-bit Linux
   platforms.

   We also like to announce the upcoming removal of [14]XPF support. If
   you are using this feature, plan switching to the [15]proxy protocol.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://docs.powerdns.com/recursor/settings.html#structured-logging-backend
   2. https://docs.powerdns.com/recursor/appendices/internals.html#serve-stale
   3. https://docs.powerdns.com/recursor/settings.html#record-cache-locked-ttl-perc
   4. https://blog.powerdns.com/2022/08/29/sharing-data-between-threads-in-powerdns-recursor/
   5. https://doc.powerdns.com/recursor/changelog/4.8.html#change-4.8.0-alpha1
   6. https://docs.powerdns.com/recursor/upgrade.html
   7. https://mailman.powerdns.com/mailman/listinfo/pdns-users
   8. https://github.com/PowerDNS/pdns/issues/new/choose
   9. https://downloads.powerdns.com/releases/pdns-recursor-4.8.0-alpha1.tar.bz2
  10. https://downloads.powerdns.com/releases/pdns-recursor-4.8.0-alpha1.tar.bz2.sig
  11. https://downloads.powerdns.com/releases/
  12. https://repo.powerdns.com/
  13. https://docs.powerdns.com/recursor/appendices/EOL.html
  14. https://docs.powerdns.com/recursor/settings.html#xpf-allow-from
  15. https://docs.powerdns.com/recursor/settings.html#proxy-protocol-from




Re: [Pdns-users] pdns-recursor (4.6) empty response after expiration of the TTL of the cached record

2022-09-22 Thread Otto Moerbeek via Pdns-users
On Thu, Sep 22, 2022 at 11:40:35AM +0200, Leeflangetje via Pdns-users wrote:

> Thank you for digging into the issue with that domain :)
> 
> The reason we never encountered this before the upgrade to 4.6 must be
> the change in default behaviour regarding dnssec , which went from
> "process-no-validate"  to "process", I assume.
> (We came from 4.2)

In combination with the aggressive NSEC cache:

https://docs.powerdns.com/recursor/settings.html#aggressive-nsec-cache-size

-Otto

> 
> 
> On Thu, 2022-09-22 at 10:26 +0200, abang--- via Pdns-users wrote:
> > True, TCP is broken as well.
> > 


Re: [Pdns-users] pdns-recursor (4.6) empty response after expiration of the TTL of the cached record

2022-09-22 Thread Otto Moerbeek via Pdns-users
On Thu, Sep 22, 2022 at 09:41:57AM +0200, abang--- via Pdns-users wrote:

> The "NSEC3 proving non-existence" of this zone is broken. See
>  https://dnsviz.net/d/riecis.nl/dnssec/?rr=all=all=all=on=.=
> 
> You can workaround this issue by setting a NTA for it on your Recursors. It 
> is recommended to inform the owner of the zone in order to fix the root cause.
> 
> Winfried 

Agreed, but given my findings in the other post I'm not convinced it
will solve *all* issues with that domain.

-Otto



Re: [Pdns-users] pdns-recursor (4.6) empty response after expiration of the TTL of the cached record

2022-09-22 Thread Otto Moerbeek via Pdns-users
When trying to check this domain I get an occasional error:

$ dig  @1.1.1.1 riecis.nl   

; <<>> dig 9.10.8-P1 <<>> @1.1.1.1 riecis.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30228
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 3 (Stale Answer)
; EDE: 22 (No Reachable Authority): 74 69 6d 65 20 6c 69 6d 69 74 20
65 78 63 65 65 64 65 64 ("time limit exceeded")
;; QUESTION SECTION:
;riecis.nl. IN  A

;; ANSWER SECTION:
riecis.nl.  0   IN  A   159.46.204.40

;; Query time: 859 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Sep 22 09:46:26 CEST 2022
;; MSG SIZE  rcvd: 85

Same for 8.8.8.8

Also zonemaster.net not 100% happy with it.

Looking at a --trace run I see:

Sep 22 09:51:02 [2] Nameserver ns2.minvenj.nl IPs:
159.46.194.12(0.00ms), 2a04:9a04:18ad:8a04::3:0(0.00ms)
Sep 22 09:51:02 [2] riecis.nl: Resolved 'riecis.nl' NS ns2.minvenj.nl
to: 159.46.194.12, 2a04:9a04:18ad:8a04::3:0
Sep 22 09:51:02 [2] riecis.nl: Trying IP 159.46.194.12:53, asking 'riecis.nl|A'
Sep 22 09:51:02 [2] riecis.nl: truncated bit set, over UDP
Sep 22 09:51:02 [2] riecis.nl: using TCP with 159.46.194.12:53
Sep 22 09:51:03 [1] riecis.nl: timeout resolving after 1857.92msec
over TCP
Sep 22 09:51:03 [1] riecis.nl: Trying IP 159.46.194.12:53, asking 'riecis.nl|A'
Sep 22 09:51:03 [2] riecis.nl: timeout resolving after 1538.18msec
over TCP
Sep 22 09:51:03 [2] riecis.nl: Trying IP
[2a04:9a04:18ad:8a04::3:0]:53, asking 'riecis.nl|A'
Sep 22 09:51:03 [2] riecis.nl: query throttled
2a04:9a04:18ad:8a04::3:0, riecis.nl; A
Sep 22 09:51:03 [2] riecis.nl: Trying to resolve NS 'ns1.minvenj.nl' (2/2)
Sep 22 09:51:03 [2] Nameserver ns1.minvenj.nl IPs:
2a04:9a04:18ad:8a04::2:0(920.59ms), 159.46.194.11(920.59ms)
Sep 22 09:51:03 [2] riecis.nl: Resolved 'riecis.nl' NS ns1.minvenj.nl
to: 2a04:9a04:18ad:8a04::2:0, 159.46.194.11
Sep 22 09:51:03 [2] riecis.nl: Trying IP
[2a04:9a04:18ad:8a04::2:0]:53, asking 'riecis.nl|A'
Sep 22 09:51:03 [2] riecis.nl: query throttled
2a04:9a04:18ad:8a04::2:0, riecis.nl; A
Sep 22 09:51:03 [2] riecis.nl: Trying IP 159.46.194.11:53, asking 'riecis.nl|A'
Sep 22 09:51:03 [2] riecis.nl: query throttled 159.46.194.11,
riecis.nl; A
Sep 22 09:51:03 [2] riecis.nl: Failed to resolve via any of the 2
offered NS at level 'riecis.nl'

Which confirms zonemaster's finding.

Note that this does not happen all the time, but often enough.

Conclusion: the auths for riecis.nl are flaky. They (sometimes) respond with
TC=1 but fail to do TCP.

-Otto
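To make the pattern diagnosed above checkable on a longer trace, here is an added Python example (not PowerDNS code) that scans --trace lines for a zone whose server sets TC=1 over UDP and then times out over TCP, and lists zones the recursor gave up on. The sample input is the trace quoted above with the mail-wrapped lines re-joined; only the message formats visible in that trace are matched.

```python
"""Spot authoritative servers that answer TC=1 over UDP but then fail over TCP,
from PowerDNS Recursor --trace output.

Added example, not PowerDNS code.  The message formats matched below are the
ones visible in the trace quoted in this thread; other trace lines are ignored.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# "Sep 22 09:51:02 [2] riecis.nl: <event>"
_TRACE_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \[\d+\] (?P<zone>\S+): (?P<event>.*)$"
)
_TRYING_RE = re.compile(r"^Trying IP (?P<ip>\S+), asking ")
_USING_TCP_RE = re.compile(r"^using TCP with (?P<ip>\S+)$")
_TCP_TIMEOUT_RE = re.compile(r"^timeout resolving after [\d.]+msec over TCP$")
_FAILED_PREFIX = "Failed to resolve via any of the"


def tcp_fallback_failures(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count TCP timeouts per (zone, server) that occur after a TC=1 fallback."""
    failures: Dict[Tuple[str, str], int] = defaultdict(int)
    current_ip: Dict[str, str] = {}          # zone -> server currently being tried
    in_tcp_fallback: Dict[str, bool] = defaultdict(bool)
    for line in lines:
        m = _TRACE_RE.match(line)
        if not m:
            continue  # e.g. "Nameserver ... IPs:" lines carry no zone prefix
        zone, event = m.group("zone"), m.group("event")
        target = _USING_TCP_RE.match(event) or _TRYING_RE.match(event)
        if event == "truncated bit set, over UDP":
            in_tcp_fallback[zone] = True
        elif target:
            current_ip[zone] = target.group("ip")
        elif _TCP_TIMEOUT_RE.match(event) and in_tcp_fallback[zone] and zone in current_ip:
            failures[(zone, current_ip[zone])] += 1
    return dict(failures)


def unresolved_zones(lines: Iterable[str]) -> List[str]:
    """Zones for which the recursor gave up on every offered NS, in order seen."""
    seen: List[str] = []
    for line in lines:
        m = _TRACE_RE.match(line)
        if m and m.group("event").startswith(_FAILED_PREFIX) and m.group("zone") not in seen:
            seen.append(m.group("zone"))
    return seen


# The trace from the post above, with the lines the mail client wrapped re-joined.
SAMPLE_TRACE = [
    "Sep 22 09:51:02 [2] Nameserver ns2.minvenj.nl IPs: 159.46.194.12(0.00ms), 2a04:9a04:18ad:8a04::3:0(0.00ms)",
    "Sep 22 09:51:02 [2] riecis.nl: Trying IP 159.46.194.12:53, asking 'riecis.nl|A'",
    "Sep 22 09:51:02 [2] riecis.nl: truncated bit set, over UDP",
    "Sep 22 09:51:02 [2] riecis.nl: using TCP with 159.46.194.12:53",
    "Sep 22 09:51:03 [1] riecis.nl: timeout resolving after 1857.92msec over TCP",
    "Sep 22 09:51:03 [1] riecis.nl: Trying IP 159.46.194.12:53, asking 'riecis.nl|A'",
    "Sep 22 09:51:03 [2] riecis.nl: timeout resolving after 1538.18msec over TCP",
    "Sep 22 09:51:03 [2] riecis.nl: Trying IP [2a04:9a04:18ad:8a04::3:0]:53, asking 'riecis.nl|A'",
    "Sep 22 09:51:03 [2] riecis.nl: query throttled 2a04:9a04:18ad:8a04::3:0, riecis.nl; A",
    "Sep 22 09:51:03 [2] riecis.nl: Trying to resolve NS 'ns1.minvenj.nl' (2/2)",
    "Sep 22 09:51:03 [2] riecis.nl: Failed to resolve via any of the 2 offered NS at level 'riecis.nl'",
]

if __name__ == "__main__":
    for (zone, ip), n in tcp_fallback_failures(SAMPLE_TRACE).items():
        print(f"{zone}: {ip} set TC=1 over UDP, then timed out {n} time(s) over TCP")
    print("unresolved:", unresolved_zones(SAMPLE_TRACE))
```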


On Thu, Sep 22, 2022 at 09:27:20AM +0200, Leeflangetje via Pdns-users wrote:

> Hi,
> 
> Since we upgraded to pdns-recursor 4.6 we sometimes experience some
> weird behaviour with queries via pdns-recursor.
> 
> Sometimes, when a previously queried record expires through its TTL,
> the recursor does not provide an answer anymore, until it's restarted.
> 
> Unfortunately I am not able to reproduce this. It happens occasionally.
> When it happens, we see this: 
> 
> Faulty server:
> 
> dig @ns1 riecis.nl A
> 
> ; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @ns1 riecis.nl A
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27148
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;riecis.nl. IN  A
> 
> ;; AUTHORITY SECTION:
> riecis.nl.  2828IN  SOA ns1.minvenj.nl. hostmaster.solvinity.com. 
> 2022010301 1800 300 604800 3600
> 
> ;; Query time: 2 msec
> ;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
> ;; WHEN: Tue Sep 20 12:16:55 CEST 2022
> ;; MSG SIZE  rcvd: 110
> 
> other server:
> 
> dig @ns2  riecis.nl A
> 
> ; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @ns2 riecis.nl A
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61517
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;riecis.nl. IN  A
> 
> ;; ANSWER SECTION:
> riecis.nl.  224 IN  A   159.46.204.40
> 
> ;; Query time: 1 msec
> ;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
> ;; WHEN: Tue Sep 20 12:17:03 CEST 2022
> ;; MSG SIZE  rcvd: 54
> 
> 
> We have a fairly simple configuration, just on what address and port to
> listen on, to use the same address for outgoing queries, and a short
> list of addresses that are allowed to query.
> 
> I have confirmed this problem up to and including version 4.6.3
> 
> Anyone an idea on how to approach this matter?
> 
> Regards
> 
> 
> 



[Pdns-users] PowerDNS Recursor 4.5.11, 4.6.4 and 4.7.3 Released

2022-09-20 Thread Otto Moerbeek via Pdns-users
   Hello,

   Today we have released a maintenance release of PowerDNS Recursor
   4.5.11, 4.6.4 and 4.7.3, containing fixes for a few minor issues and
   performance enhancements in the case Recursor is confronted with
   connectivity issues to authoritative servers.

   The changelogs are available at [1]4.5.11, [2]4.6.4, [3]4.7.3.

   The source tarballs ([4]4.5.11, [5]4.6.4, [6]4.7.3) and signatures
   ([7]4.5.11, [8]4.6.4, [9]4.7.3) are available from our download
   [10]server. Packages for various distributions are available from our
   [11]repository.

   Note that PowerDNS Recursor 4.4.x and older releases are End of Life.
   Consult the [12]EOL policy for more details.

   We would also like to repeat that starting with the 4.5 release branch
   we stopped supporting systems using 32-bit time. This includes most
   32-bit Linux platforms.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

   Please send us all feedback and issues you might have via the
   [13]mailing list, or in case of a bug, via [14]GitHub.

References

   1. https://docs.powerdns.com/recursor/changelog/4.5.html#change-4.5.11
   2. https://docs.powerdns.com/recursor/changelog/4.6.html#change-4.6.4
   3. https://docs.powerdns.com/recursor/changelog/4.7.html#change-4.7.3
   4. https://downloads.powerdns.com/releases/pdns-recursor-4.5.11.tar.bz2
   5. https://downloads.powerdns.com/releases/pdns-recursor-4.6.4.tar.bz2
   6. https://downloads.powerdns.com/releases/pdns-recursor-4.7.3.tar.bz2
   7. https://downloads.powerdns.com/releases/pdns-recursor-4.5.11.tar.bz2.sig
   8. https://downloads.powerdns.com/releases/pdns-recursor-4.6.4.tar.bz2.sig
   9. https://downloads.powerdns.com/releases/pdns-recursor-4.7.3.tar.bz2.sig
  10. https://downloads.powerdns.com/releases/
  11. https://repo.powerdns.com/
  12. https://docs.powerdns.com/recursor/appendices/EOL.html
  13. https://mailman.powerdns.com/mailman/listinfo/pdns-users
  14. https://github.com/PowerDNS/pdns/issues/new/choose

--

kind regards,
Otto Moerbeek
PowerDNS Developer



Email: otto.moerb...@open-xchange.com


-
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 
95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Richard Seibt

PowerDNS.COM BV, Koninginnegracht 14L, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt, Maxim Letski
-


signature.asc
Description: PGP signature


Re: [Pdns-users] Will DoT disappear in favor of DoQ for recursor to auth?

2022-09-18 Thread Otto Moerbeek via Pdns-users
No plans.

Currently, Recursor does not support outgoing DoQ. If/when we start
supporting outgoing DoQ it would not *imply* dropping outgoing DoT.

BTW, looking at https://talk.desec.io/t/dot-support-status/502:
when I grep for desec I see this:

45.54.76.1              desec.io.   6   Good  2022-09-21T15:35:38
157.53.224.1            desec.io.   5   Good  2022-09-21T15:37:32
2607:f740:e00a:deec::2  desec.io.   6   Bad   2022-09-19T15:35:35
2607:f740:e633:deec::2  desec.io.   5   Bad   2022-09-19T15:35:42

So it seems DoT is only supported on v4. Also note that the domain
listed for an IP is the first name that led to a DoT probe. Other
names might be served by the same IP.

-Otto

On Sun, Sep 18, 2022 at 12:21:11PM +0200, Christoph via Pdns-users wrote:

> Hi,
> 
> does the PowerDNS team have any specific plans to
> remove DoT support for recursor to authoritative queries
> in favor of DoQ in PowerDNS Recursor?
> 
> thanks,
> Christoph
> 
> related links:
> https://blog.powerdns.com/2022/06/13/probing-dot-support-of-authoritative-servers-just-try-it/
> https://datatracker.ietf.org/doc/draft-ietf-dprive-unilateral-probing/
> https://github.com/PowerDNS/pdns/issues/9897
> https://talk.desec.io/t/dot-support-status/502
> https://github.com/desec-io/desec-ns/pull/49


Re: [Pdns-users] PDNS recursor cache sync

2022-09-17 Thread Otto Moerbeek via Pdns-users

Cache maintenance is already quite a complex part of any recursor.  IMO
adding cache syncing would introduce way too much complexity to be
worth the trouble to solve what in essence is a questionable firewall
rule design.

Maybe dnsdist with a packet cache in front of two recursors might
be worth considering.

-Otto

On Sat, Sep 17, 2022 at 05:41:14PM +0100, Djerk Geurts wrote:

> Hi Otto,
> 
> Thank you for the clarification. Yes, I'm aware that the source may change, 
> but TTL exists for that. So I don't think this is a valid reason to not sync 
> cache. As the current situation is worse:
> 
> Resolver A caches IP address 1.1.1.1 and resolver B caches IP address 
> 2.2.2.2. Subsequently a user types to navigate to the site, but the firewall 
> happened to resolve the domain via the other resolver. This ends up causing 
> intermittent issues as it ends up being pot luck whether a user happens to 
> use the same resolver that the firewall used.
> 
> A cache sync would at least cause the same behaviour for all users. And using 
> a single resolver is too risky.
> 
> On 17 Sept 2022, 15:44, at 15:44, Otto Moerbeek  wrote:
> >Hello,
> >
> >cache syncing is not something we have and even with it (or using a
> >single resolver) there is an issue that records can change:
> >the scenario:
> >
> > - a client asks the record, record gets cached
> > - client A asks and gets cached value,
> > - publisher of records changes the record
> > - record expires from cache
> > - client B (firewall) asks and record resolves to different value.
> >
> >
> >On Sat, Sep 17, 2022 at 01:01:09AM +0100, Djerk Geurts via Pdns-users
> >wrote:
> >
> >> Just ran into an issue with recursive DNS servers where the two
> >servers have cached a different A record for mirror.centos.org.
> >>
> >> This is a problem as the firewalls permit access to the FQDN, which
> >presumes that both the client and the firewall end up with the same A
> >record for the domain.
> >>
> >> I'm intending to swap these recursors out with PowerDNS servers, but
> >am wondering if there's a way to keep the record cache in sync between
> >multiple recursors.
> >>
> >> --
> >> Best regards,
> >> Djerk Geurts
> >> m: +44-7535-674620
> >>
> >> Maizymoo Ltd
> >> VAT No: GB192 1529 07
> >> Registration Number: 6638104 (registered in England and Wales)
> >


Re: [Pdns-users] PDNS recursor cache sync

2022-09-17 Thread Otto Moerbeek via Pdns-users
Hello,

cache syncing is not something we have and even with it (or using a
single resolver) there is an issue that records can change:
the scenario: 

- a client asks the record, record gets cached
- client A asks and gets cached value,
- publisher of records changes the record
- record expires from cache
- client B (firewall) asks and record resolves to different value.


On Sat, Sep 17, 2022 at 01:01:09AM +0100, Djerk Geurts via Pdns-users wrote:

> Just ran into an issue with recursive DNS servers where the two servers have 
> cached a different A record for mirror.centos.org.
> 
> This is a problem as the firewalls permit access to the FQDN, which presumes 
> that both the client and the firewall end up with the same A record for the 
> domain.
> 
> I'm intending to swap these recursors out with PowerDNS servers, but am 
> wondering if there's a way to keep the record cache in sync between multiple 
> recursors.
> 
> --
> Best regards,
> Djerk Geurts
> m: +44-7535-674620
> 
> Maizymoo Ltd
> VAT No: GB192 1529 07
> Registration Number: 6638104 (registered in England and Wales)



Re: [Pdns-users] [dnsdist] Dnsdist not reading from the cache

2022-09-11 Thread Otto Moerbeek via Pdns-users
Please read 
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

-Otto

On Fri, Sep 09, 2022 at 04:22:26PM +, SAMI RAHAL via Pdns-users wrote:

> hi abang
> 
> 
> yes i just changed the values in the email
> for privacy reasons but it's the same value in the config file
> 
> 
> 
> 
> From: Pdns-users  on behalf of 
> pdns-users-requ...@mailman.powerdns.com 
> 
> Sent: Friday 9 September 2022 18:14
> To: pdns-users@mailman.powerdns.com
> Subject: [EXTERNE]Pdns-users Digest, Vol 236, Issue 6
> 
> 
> Message: 1
> Date: Fri, 9 Sep 2022 15:38:10 +
> From: SAMI RAHAL 
> To: "pdns-users@mailman.powerdns.com"
> 
> Subject: Re: [Pdns-users] [dnsdist] Dnsdist not reading from the cache
> 
> Hi Remi
> 
> The server is in production it receives requests as shown in this summary
> 
> Uptime: 17 days, Number of queries: 2326402346 (2385.00 qps), ACL drops: 0, 
> Dynamic drops: 27076173, Rule drops: 6451838
> Average response time: 9.40 ms, CPU Usage: 26.50%, Cache hitrate: 85.37%, 
> Server selection policy: leastOutstanding
> Listening on: 0.0.0.0:53, ACL: 0.0.0.0/0
> 
> 
> thanks Rahal
> 
> 
> 
> 
> 
> Kind regards, Sami Rahal, DNS and Cloud Hosting Service, Technical & IS
> Department, TOPNET Head Office, Centre Urbain Nord, Tel.: 71185000, Mobile: 99 459 812
> 
> 
> 
> From: Pdns-users  on behalf of 
> pdns-users-requ...@mailman.powerdns.com 
> 
> Sent: Friday 9 September 2022 14:00
> To: pdns-users@mailman.powerdns.com
> Subject: [EXTERNE]Pdns-users Digest, Vol 236, Issue 5
> 
> 
> Message: 1
> Date: Fri, 9 Sep 2022 09:24:57 +0200
> From: Remi Gacogne 
> To: SAMI RAHAL ,
> "pdns-users@mailman.powerdns.com" 
> Subject: Re: [Pdns-users] [dnsdist] Dnsdist not reading from the cache
> 
> Hi,
> 
> On 07/09/2022 14:02, SAMI RAHAL via Pdns-users wrote:
> > for those running dnsdist I'm wondering is anyone has set up cache.
> >
> > If you have, I'd appreciate pointers in your strategies (and/or some
> > examples?).
> 
> A lot of installations are using caching in dnsdist, yes. I don't see
> anything immediately wrong after looking at your configuration. What
> makes you think caching is not working?
> 
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
> 

Re: [Pdns-users] Is there any way to write an LUA record that will apply over multiple query names?

2022-09-06 Thread Otto Moerbeek via Pdns-users
On Tue, Sep 06, 2022 at 01:18:06AM -0400, Mohammad Ishtiaq Ashiq Khan via 
Pdns-users wrote:

> Hello,
> I am currently using PowerDNS as an authoritative server for my domain and
> was experimenting with dynamic DNS via LUA records. From the documentation,
> it seems like the LUA record is limited to a particular query name only.
> For example, if I add an LUA record like the following, it will apply only
> if the query name is www.google.com.
> 
> www.google.com    IN    LUA    A    "ifportup(443, {'192.0.2.1', '192.0.2.2'})"
> 
> 
> I was wondering whether it is possible to extend this dynamic behavior for
> multiple query names. For example, if the query name has 'www' at the
> beginning (not only for www.google.com but also for .google.com), the
> associated LUA script will be executed.

You can use DNS wildcards:

*.example.net   IN LUA A ""

but be aware DNS wildcards have specific matching properties that
might be surprising. 

For more details on DNS wildcard matching, see

https://en.wikipedia.org/wiki/Wildcard_DNS_record

 -Otto

> 
> Could anyone let me know if this can be done? If it can not be done using
> LUA, is there any way to achieve this using PowerDNS or perhaps any other
> standard DNS server software out there? Would be grateful if anyone could
> help.
> 
> Thanks and best regards,
> 
> -- 
> Mohammad Ishtiaq Ashiq Khan,
> Ph.D. Student,
> Department of Computer Science,
> Virginia Tech

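The wildcard matching rules (RFC 4592) behind the caveat above, as an added example that is not part of the thread or of PowerDNS; the zone, its LUA record and the origin example.net. are constructed for illustration:

```python
"""RFC 4592 wildcard matching as an added example; it is not code from the
PowerDNS thread, and the zone below is constructed, not a real one."""

ZONE_ORIGIN = "example.net."  # assumed origin of the constructed zone

# owner -> {rrtype: rdata}; the LUA record is the kind shown in the thread
ZONE = {
    "example.net.": {"SOA": "ns1.example.net. hostmaster.example.net. 1 1h 15m 1w 1h",
                     "NS": "ns1.example.net."},
    "ns1.example.net.": {"A": "192.0.2.53"},
    "host.example.net.": {"A": "192.0.2.10"},
    "deep.leaf.example.net.": {"TXT": "makes leaf.example.net. an empty non-terminal"},
    "*.example.net.": {"LUA": "A \"ifportup(443, {'192.0.2.1', '192.0.2.2'})\""},
}


def labels(name):
    """Absolute name -> list of lower-cased labels, root-most first."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab][::-1]


def existing_names(zone):
    """Every name that exists in the zone: record owners plus every ancestor
    between them and the apex (empty non-terminals, RFC 4592 section 2.2.2)."""
    apex = labels(ZONE_ORIGIN)
    names = {tuple(apex)}
    for owner in zone:
        ls = labels(owner)
        for i in range(len(apex) + 1, len(ls) + 1):
            names.add(tuple(ls[:i]))
    return names


def lookup(zone, qname, qtype):
    """Return (owner, rdata) for the node that answers qname/qtype.

    (owner, None) means the name exists but has no such type (NODATA);
    (None, None) means the name does not exist (NXDOMAIN) or is out of zone.
    Simplifications: single zone, no CNAME/DNAME, no delegations.
    """
    apex = labels(ZONE_ORIGIN)
    q = labels(qname)
    if q[:len(apex)] != apex:
        return None, None
    names = existing_names(zone)
    # 1. An existing name always wins; the wildcard is never consulted for
    #    it, even when that name lacks the requested type.
    if tuple(q) in names:
        owner = ".".join(reversed(q)) + "."
        return owner, zone.get(owner, {}).get(qtype)
    # 2. Closest encloser: the longest existing ancestor of qname.
    ce = list(q)
    while tuple(ce) not in names:
        ce = ce[:-1]
    # 3. Only "*." directly below the closest encloser can synthesize an answer.
    wildcard = "*." + ".".join(reversed(ce)) + "."
    if wildcard in zone:
        return wildcard, zone[wildcard].get(qtype)
    return None, None


if __name__ == "__main__":
    for name in ("www.example.net.", "a.b.example.net.", "example.net.",
                 "host.example.net.", "sub.host.example.net.",
                 "www.leaf.example.net."):
        print(f"{name:28} -> {lookup(ZONE, name, 'LUA')}")
```

Note that sub.host.example.net. and www.leaf.example.net. get NXDOMAIN rather than the wildcard, because host and leaf (an empty non-terminal) are closer existing enclosers without their own wildcard.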


[Pdns-users] Sharing data between threads in PowerDNS Recursor

2022-08-29 Thread Otto Moerbeek via Pdns-users
Hello,

I just posted a new blog post:

https://blog.powerdns.com/2022/08/29/sharing-data-between-threads-in-powerdns-recursor/

It describes some of the work we've done over the last few releases with 
respect to sharing of data between threads in PowerDNS Recursor.

 -Otto



Re: [Pdns-users] Recursive Forwarders

2022-08-24 Thread Otto Moerbeek via Pdns-users
On Wed, Aug 24, 2022 at 04:16:49PM -0400, Holmes, Timothy wrote:

> Full(er) log, I dont see any reference to the forwarders..
> Best, Tim

Indeed, no log line wrt recursive forwarding. You do have in your config:

include-dir=/etc/powerdns/recursor.d  

So it could be a file in there overriding things.

*BUT* you edited the log. Please do not do that. It makes it hard for
us to help you.

Your local address from your posted config is 127.0.0.1. But the log shows
x.x.x.x.

See https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

-Otto


> 
> Aug 24 16:12:17 cache1 systemd[1]: Stopping PowerDNS Recursor...
> Aug 24 16:12:17 cache1 systemd[1]: pdns-recursor.service: Succeeded.
> Aug 24 16:12:17 cache1 systemd[1]: Stopped PowerDNS Recursor.
> Aug 24 16:12:17 cache1 systemd[1]: Starting PowerDNS Recursor...
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Aug 24 16:12:17 Asked to run
> with pdns-distributes-queries set but no distributor threads, raising to 1
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: PowerDNS Recursor 4.2.1 (C)
> 2001-2019 PowerDNS.COM BV
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Using 64-bits mode. Built
> using gcc 9.2.1 20200202.
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: PowerDNS comes with
> ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to
> redistribute it according to the terms of the GPL version 2.
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: NOT using IPv6 for outgoing
> queries - set 'query-local-address6=::' to enable
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Only allowing queries from:
> 10.0.0.0/8, 127.0.0.1/32, 192.133.83.0/24, 192.168.0.0/16, 172.31.8.0/22,
> 172.31.12.0/22, 172.31.32.0/20, 172.31.64.0/20, 172.31.0.0/22,
> 172.31.16.0/20, 172.31.80.0/20, 172.31.48.0/20, 172.31.4.0/22
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Loaded the Public Suffix List
> from '/usr/share/publicsuffix/public_suffix_list.dat'
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Will not send queries to:
> 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16,
> 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24,
> 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96,
> :::0:0/96, 100::/64, 2001:db8::/32, 0.0.0.0, ::
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: PowerDNS Recursor itself will
> distribute queries over threads
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Redirecting queries for zone '
> holycross.edu' to: x.x.x.x
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Inserting rfc 1918 private
> space zones
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Will not overwrite zone
> '10.in-addr.arpa' already loaded
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Listening for UDP queries on
> x.x.x.x:53
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Enabled TCP data-ready filter
> for (slight) DoS protection
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Listening for TCP queries on
> x.x.x.x:53
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Set effective group id to 121
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Set effective user id to 114
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Launching 1 distributor
> threads
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Launching 2 worker threads
> Aug 24 16:12:17 cache1 systemd[1]: Started PowerDNS Recursor.
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Done priming cache with root
> hints
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Done priming cache with root
> hints
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: message repeated 2 times: [
> Done priming cache with root hints]
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: Enabled 'epoll' multiplexer
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: stats: 199 questions, 1279
> cache entries, 31 negative entries, 3% cache hits
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: stats: throttle map: 0, ns
> speeds: 668, failed ns: 0, ednsmap: 269
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: stats: outpacket/query ratio
> 248%, 0% throttled, 0 no-delegation drops
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: stats: 3 outgoing tcp
> connections, 33 queries running, 0 outgoing timeouts
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: stats: 145 packet cache
> entries, 7% packet cache hits
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: stats: thread 0 has been
> distributed 109 queries
> Aug 24 16:12:17 cache1 pdns_recursor[491939]: stats: thread 1 has been
> distributed 87 queries
> 
> On Wed, Aug 24, 2022 at 4:02 PM Otto Moerbeek via Pdns-users <
> pdns-users@mailman.powerdns.com> wrote:
> 
> > On Wed, Aug 24, 2022 at 09:51:49PM +0200, Leendert Meyer via Pdns-users
> > wrote:
> >
> > > Hello Ti

Re: [Pdns-users] Recursive Forwarders

2022-08-24 Thread Otto Moerbeek via Pdns-users
On Wed, Aug 24, 2022 at 09:51:49PM +0200, Leendert Meyer via Pdns-users wrote:

> Hello Timothy,
> 
> On Wednesday, 24 August 2022 20:09:11 CEST Holmes, Timothy via Pdns-users 
> wrote:
> 
> 
> 
> > forward-zones-recurse=.=9.9.9.9;149.112.112.112;1.1.1.2;1.0.0.2
> > and also tried forward-zones-recurse=.=9.9.9.9
> > 
> > Each time pushed a restart and verified. Each time the root name hints seem
> > to still be the default behavior including after removing the referenced
> > root hint file entry.
> 
> 
> 
> > Am I missing something obvious, or will the root hints always take
> > precedence?
> 
> Without testing, the ‘=.=’ seems odd.
> 
> You probably have to change ‘=.=’ into ‘=’.

Nope, that is the syntax to forward everything:

forward-zones-recurse=.=9.9.9.9;1.1.1.1

Leads to:

Aug 24 22:00:33 Redirecting queries for zone '.' with recursion to: 9.9.9.9:53, 
1.1.1.1:53

It basically turns a full recursor into just a cache. Plus you are now
dependent on the forwarded-to resolvers. So there are drawbacks.

-Otto

> 
> Kind regards,
> 
> Leen


