Re: [Pdns-users] MySQL backend and connection reuse
On 02/04/2018 11:15 PM, Xan Charbonnet wrote:

> Hello,
>
> I'm working on migrating an installation from PowerDNS 3.1 on Debian 7 "Wheezy" to PowerDNS 4.0.3 on Debian 9 "Stretch". I'm using the MySQL backend, connected to MariaDB 10.1.30, which is not the Stretch default, but the one from the MariaDB repository. I've tried the Stretch default PowerDNS 4.0.3, as well as PowerDNS 4.0.5 and PowerDNS 4.1.0 from the PowerDNS repository, and had the same problem.
>
> I think fundamentally the problem I'm having boils down to this: the first time PowerDNS makes a basic-query, everything is fine. Subsequent times, the response is somehow truncated, and/or a previously-seen SOA is returned.
>
> It looks like the issue is between MariaDB and PowerDNS. I set up socat as a logging proxy and observed that the first time I trigger a PowerDNS basic-query via dig, the exchanged traffic is ~10K. The second time, it's ~4K.
>
> If I kill the connection between PowerDNS and MariaDB, either by restarting MariaDB or simply by ordering MariaDB to kill the connection in use by PowerDNS, then the subsequent attempt fails because of the missing connection, but from then it's the same as the beginning: the next query after that will succeed and subsequent ones will fail.
>
> From the MariaDB command line I can make the exact queries that PowerDNS is making, verified by the MariaDB query log. No problems there: no matter how many times I do that, I always get the full results.
>
> I should mention that all my queries are stored procedures, in case that matters.
>
> This all has worked perfectly on 3.1. Any tips on what I should try next?
>
> Thanks!

I believe this is the same issue resolved by this patch:
https://github.com/PowerDNS/pdns/pull/6134/commits/4fd90e75d47d6ec43d10c94ea260b08e50806442

I'll be porting that to Debian's 4.0.3 and recompiling. I'll update here if it doesn't work, but I expect it will.

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
[Pdns-users] Problem with stored procedure pdns 4.1.6-3
I believe I am having the same problem as you, Masood. It seems to not be related to the PowerDNS version but rather to the version of MySQL.

Using stored procedures with the pdns MySQL backend works fine for me on Debian Stretch with MariaDB 10.1 on pdns versions 4.0.3, 4.1.6, and 4.3.0.

I should note that the Debian version of 4.0.3 contains a backported fix for dealing with stored procedures, which is native in 4.1.6 and 4.3.0:
https://github.com/Habbie/pdns/commit/d64a77e368495132d92833f4ab2bc91b647d2beb

Without this fix, 4.0.3 wouldn't be able to deal with stored procedures at all. I believe that Masood is also using this Debian version of 4.0.3. The other two versions, 4.1.6 and 4.3.0, I compiled myself on Stretch (oldstable) from sources in Debian Buster (stable) and Debian Bullseye (testing), respectively.

When I move from MariaDB 10.1 to MariaDB 10.2 (or greater), all three pdns versions fail with the "Prepared statement contains no metadata" error. Masood's experience leads me to believe that the same breakage happened between MySQL 5.6 and 5.7.

There are two places in smysql.cc where the same error, "Could not bind parameters to mysql statement", can be thrown. I have found that in this case, it's the second one (the one near the comment "For some reason mysql_stmt_result_metadata returns NULL here") which is causing the problem.

I'm afraid I don't know enough about MySQL development in C++ to know what to do here. Can anyone shine any light?
This is the relevant code (pardon the word wrapping):

    #if MYSQL_VERSION_ID >= 50500
      if (d_residx >= d_resnum) {
        mysql_stmt_free_result(d_stmt);
        while(!mysql_stmt_next_result(d_stmt)) {
          if ((err = mysql_stmt_store_result(d_stmt))) {
            string error(mysql_stmt_error(d_stmt));
            releaseStatement();
            throw SSqlException("Could not store mysql statement while processing additional sets: " + d_query + string(": ") + error);
          }
          d_resnum = mysql_stmt_num_rows(d_stmt);
          // XXX: For some reason mysql_stmt_result_metadata returns NULL here, so we cannot
          // ensure row field count matches first result set.
          if (d_resnum > 0) { // ignore empty result set
            if (d_res_bind != nullptr && (err = mysql_stmt_bind_result(d_stmt, d_res_bind))) {
              string error(mysql_stmt_error(d_stmt));
              releaseStatement();
              throw SSqlException("Could not bind parameters to mysql statement: " + d_query + string(": ") + error);
            }
            d_residx = 0;
            break;
          }
          mysql_stmt_free_result(d_stmt);
        }
      }
    #endif
Re: [Pdns-users] Problem with stored procedure pdns 4.1.6-3
Apologies for the out-of-context post: I was attempting to respond to this message:
https://mailman.powerdns.com/pipermail/pdns-users/2020-July/026762.html
and clearly I messed up!
Re: [Pdns-users] Problem with stored procedure pdns 4.1.6-3
Hello Peter,

On 8/27/20 2:19 PM, Peter van Dijk via Pdns-users wrote:
> It would be great if you could include the definition of a stored procedure that works with our default schema, and the pdns.conf query override to use that procedure. Thanks!

I've put some detailed steps-to-reproduce in this bug:
https://github.com/PowerDNS/pdns/issues/9421

I think it can be duplicated by converting any query into a stored procedure, as I did with the basic query in my example.
[Pdns-users] Recursor - custom TTL for particular domain
Hello all,

I'm setting up an instance of the PowerDNS Recursor. I would like to override the TTL for particular queries of particular domains: I need any CNAME from one particular domain to have an overridden, very low TTL.

I wrote a Lua script which does this via "postresolve", however, it only works halfway. It succeeds in getting clients to see the low TTL. But what I also need is for the Recursor to honor this lower TTL when it decides whether or not to check for updates.

I've experimented with "preresolve" but I don't seem to be finding any way to modify the returned query, as that executes before the query takes place. And nothing I do in "postresolve" affects the Recursor's /internal/ opinion of the TTL. Basically, preresolve is too early and postresolve is too late.

If anyone can think of a way to get the Recursor to behave this way, I would appreciate it. Thanks.

-Xan
[Pdns-users] DNSSEC and
Hello everyone,

We've been successfully using PowerDNS for some time, and are looking into enabling DNSSEC.

If two PowerDNS authoritative servers are set up for native replication, sharing a single MariaDB backend where the database is replicated using MariaDB's replication, how would DNSSEC be enabled? If I just turn it on, wouldn't the two servers step on each other's toes when it came time to do a key rollover? Or is that not a problem?

Thanks in advance.
Re: [Pdns-users] DNSSEC and
Thank you, Frank. I am aiming to do online signing, but my concern is the weekly key rollover. Wouldn't both PowerDNS instances attempt to perform key rollover on the same database at the same time? Do they not step on each other's toes?

-Xan

On 8/22/23 07:03, Frank Louwers via Pdns-users wrote:
> Hi Xan,
>
> It depends which DNSSEC you choose. If you would pick "Online Signing" for instance (great unless you have very busy servers with lots of domains), the "keying data" is stored in the database as well, so both servers would use the same data to sign the zone, resulting in consistent signatures (as long as your MariaDB replication isn't broken).
>
> See https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing for more info and other ways of turning on DNSSEC on PowerDNS.
>
> Frank
>
> Frank Louwers
> PowerDNS Certified Consultant @ Kiwazo.be
>
> On 21 Aug 2023, at 17:03, Xan Charbonnet via Pdns-users wrote:
>> Hello everyone,
>>
>> We've been successfully using PowerDNS for some time, and are looking into enabling DNSSEC.
>>
>> If two PowerDNS authoritative servers are set up for native replication, sharing a single MariaDB backend where the database is replicated using MariaDB's replication, how would DNSSEC be enabled? If I just turn it on, wouldn't the two servers step on each other's toes when it came time to do a key rollover? Or is that not a problem?
>>
>> Thanks in advance.
Re: [Pdns-users] DNSSEC and
Frank,

I so appreciate your help. It sounds like my intended configuration should be fine, then. I might suggest to the powers that be that the documentation address this question.

The reason I have two servers is for redundancy, so I'll probably give both instances write access, but as you say that should work fine.

Thanks again,
Xan

On 8/22/23 07:45, Frank Louwers wrote:
> Hi Xan,
>
> The weekly changes are not key rollovers, they are RRSIG updates/resignings. These are done on the fly (in online mode), and not stored in the database. The backend only contains the ZSK/KSK/CSK, which will only change if you issue a command to roll them.
>
> Even if you would issue the change command on both servers, the new keys would be stored in the unique database if you have just 1 backend database, so both would use the new key (there might be short-term caching issues).
>
> Personally, I would only configure 1 of the PowerDNS servers to have write access to the backend DB, the other ones would just have SELECT privileges on the db.
>
> Cheers,
> Frank
>
> On 22 Aug 2023, at 14:25, Xan Charbonnet wrote:
>> Thank you, Frank. I am aiming to do online signing, but my concern is the weekly key rollover. Wouldn't both PowerDNS instances attempt to perform key rollover on the same database at the same time? Do they not step on each other's toes?
>>
>> -Xan
>>
>> On 8/22/23 07:03, Frank Louwers via Pdns-users wrote:
>>> Hi Xan,
>>>
>>> It depends which DNSSEC you choose. If you would pick "Online Signing" for instance (great unless you have very busy servers with lots of domains), the "keying data" is stored in the database as well, so both servers would use the same data to sign the zone, resulting in consistent signatures (as long as your MariaDB replication isn't broken).
>>>
>>> See https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing for more info and other ways of turning on DNSSEC on PowerDNS.
>>>
>>> Frank
>>>
>>> Frank Louwers
>>> PowerDNS Certified Consultant @ Kiwazo.be
>>>
>>> On 21 Aug 2023, at 17:03, Xan Charbonnet via Pdns-users wrote:
>>>> Hello everyone,
>>>>
>>>> We've been successfully using PowerDNS for some time, and are looking into enabling DNSSEC.
>>>>
>>>> If two PowerDNS authoritative servers are set up for native replication, sharing a single MariaDB backend where the database is replicated using MariaDB's replication, how would DNSSEC be enabled? If I just turn it on, wouldn't the two servers step on each other's toes when it came time to do a key rollover? Or is that not a problem?
>>>>
>>>> Thanks in advance.
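
The one-writer, SELECT-only-reader split suggested in the thread above, written out as MariaDB grants together with a query for checking that every replica holds the same key set. This is an added example, not part of the thread or of PowerDNS; the schema name `pdns`, the account names, the addresses and the password placeholders are assumptions, and the table and column names are those of the stock gmysql schema.

```sql
-- Added example: names, addresses and passwords below are placeholders.
-- Assumes a MariaDB schema named `pdns` with the stock gmysql tables.

-- Instance A: the only account that may change zone data or DNSSEC keys.
-- Key generation and rollover commands are run against this instance only.
CREATE USER 'pdns_rw'@'192.0.2.10' IDENTIFIED BY 'CHANGE-ME-rw';
GRANT SELECT, INSERT, UPDATE, DELETE ON pdns.* TO 'pdns_rw'@'192.0.2.10';

-- Instance B: answers and signs online, but cannot modify anything.
CREATE USER 'pdns_ro'@'192.0.2.11' IDENTIFIED BY 'CHANGE-ME-ro';
GRANT SELECT ON pdns.* TO 'pdns_ro'@'192.0.2.11';

-- Confirm what each account really holds.
SHOW GRANTS FOR 'pdns_rw'@'192.0.2.10';
SHOW GRANTS FOR 'pdns_ro'@'192.0.2.11';

-- SELECT still covers pdns.cryptokeys, whose `content` column holds the
-- private keys that online signing needs, so the read-only credential
-- has to be protected as carefully as the read-write one.

-- Run on every replica and compare the output: identical rows mean each
-- server signs with the same key set. Only a hash of each key is returned.
SELECT d.name               AS zone,
       k.flags              AS flags,      -- 257 = KSK or CSK, 256 = ZSK
       k.active             AS active,
       SHA2(k.content, 256) AS key_sha256
FROM   pdns.cryptokeys k
JOIN   pdns.domains    d ON d.id = k.domain_id
ORDER  BY d.name, k.flags, key_sha256;
```

A difference in the query output between replicas points at broken or lagging replication, which is the condition the thread names as the one that would produce inconsistent signatures.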