[Pdns-users] API listening address/port
Hi, the API docs show that it listens at 127.0.0.1:8081. I only see 3 api config vars -- are there any settings for API listening port or interfaces?

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] DNS UPDATE failing (Failed PreReqqisites check)
On 2019-02-04 10:40, MRob wrote:
On 2019-02-04 10:21, Ruben d'Arco wrote:

Hi MRob,

The DNS Update specification (RFC2136) has a section that allows a DNS update to do check (pre-requisites) before applying the update. PDNS performs these checks, and it seems that the current records of your domain do not comply with those pre-requisites.

Is there a set of things I should check for the records or the dns update?

Can you show us the records from your domain and the dns update that you're sending?

Thank you for responding. I will try first to upgrade pdns version as Remi said. If I need send dns update command for inspection is the best way to capture it using tcpdump? I'll send current domain records also, but it's nothing, just the SOA.

Do I need a SOA for reverse DNS too?

On Mon, Feb 04, 2019 at 10:11:39AM +, MRob wrote:

Trying to use DNS updates but seeing the error in our logs "Failed PreReqqisites check, returning 6". Could someone explain what "prerequisites check" is and what can cause it to fail? What things should I check?

Here is pdns log from one instance

Feb 3 03:20:17 test pdns[20989]: Query: begin
Feb 3 03:20:17 test pdns[20989]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name=?
Feb 3 03:20:17 test pdns[20989]: UPDATE (50855) from 10.10.1.254 for lan.: Failed PreRequisites check, returning 6
Feb 3 03:20:17 test pdns[20989]: Query: rollback

Here is sql log from same time, seems normal:

2019-02-03T08:20:17.424815Z 16 Reset stmt
2019-02-03T08:20:17.424946Z 16 Execute SELECT id FROM domains WHERE id = -1 OR name = 'lan'
2019-02-03T08:20:17.425130Z 16 Reset stmt
2019-02-03T08:20:17.425226Z 16 Execute select id,name,master,last_check,notified_serial,type,account from domains where name='lan'
2019-02-03T08:20:17.425418Z 16 Reset stmt
2019-02-03T08:20:17.425540Z 16 Execute SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='SOA' and name='lan'
2019-02-03T08:20:17.425853Z 16 Reset stmt
2019-02-03T08:20:17.425987Z 16 Query begin
2019-02-03T08:20:17.426196Z 16 Execute SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='wrkstn12.lan'
2019-02-03T08:20:17.426370Z 16 Reset stmt
2019-02-03T08:20:17.426411Z 16 Query rollback

Version is 4.0.0-alpha2 from repo where nothing newer available. Would it be productive to use repo supplied by powerdns.com, I mean is it possible a bug is in this version and has been fixed. Or is pdns innocent and problem with the DDNSUPDATE client?
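The prerequisite check mentioned in the message above follows the rules of RFC 2136 (section 3.2), in whose numbering RCODE 6 is YXDOMAIN. The Python sketch below is an added example, not part of the original thread and not PowerDNS code; the in-memory zone, the `Prereq` tuple and the function name are constructed for illustration.

```python
# Added illustration: RFC 2136 section 3.2 prerequisite evaluation over an
# in-memory zone. Not PowerDNS code; zone data and names are constructed.
from collections import namedtuple

# RCODE values as numbered by RFC 1035 / RFC 2136
NOERROR, FORMERR, NXDOMAIN = 0, 1, 3
YXDOMAIN, YXRRSET, NXRRSET, NOTZONE = 6, 7, 8, 10

# One RR from the Prerequisite section of an UPDATE message.
# rdata is "" when RDLENGTH is zero.
Prereq = namedtuple("Prereq", "name rclass rtype ttl rdata")


def _norm(name):
    """Lower-case a domain name and drop the trailing dot."""
    return name.lower().rstrip(".")


def check_prerequisites(zone, records, prereqs, zone_class="IN"):
    """Return the RCODE an RFC 2136 server gives for this prerequisite section.

    records: iterable of (owner name, type, rdata) tuples held in the zone.
    """
    zone = _norm(zone)
    rrsets = {}
    for name, rtype, rdata in records:
        rrsets.setdefault((_norm(name), rtype), set()).add(rdata)
    names = {name for name, _ in rrsets}
    wanted = {}  # value-dependent RRsets, compared as whole sets at the end

    for p in prereqs:
        name = _norm(p.name)
        if p.ttl != 0:
            return FORMERR                      # prerequisite TTL must be 0
        if name != zone and not name.endswith("." + zone):
            return NOTZONE                      # name outside the zone
        if p.rclass == "ANY":
            if p.rdata:
                return FORMERR
            if p.rtype == "ANY":
                if name not in names:
                    return NXDOMAIN             # "name is in use" failed
            elif (name, p.rtype) not in rrsets:
                return NXRRSET                  # "RRset exists" failed
        elif p.rclass == "NONE":
            if p.rdata:
                return FORMERR
            if p.rtype == "ANY":
                if name in names:
                    return YXDOMAIN             # "name is not in use" failed
            elif (name, p.rtype) in rrsets:
                return YXRRSET                  # "RRset does not exist" failed
        elif p.rclass == zone_class:
            wanted.setdefault((name, p.rtype), set()).add(p.rdata)
        else:
            return FORMERR

    # "RRset exists (value dependent)": the whole set must match exactly.
    for key, rdatas in wanted.items():
        if rrsets.get(key) != rdatas:
            return NXRRSET
    return NOERROR


# Constructed sample data: a zone holding only its SOA, and the same zone
# after a host record has been added.
SOA_ONLY = [("lan", "SOA", "ns.lan hostmaster.lan 1 10800 3600 604800 3600")]
WITH_HOST = SOA_ONLY + [("wrkstn12.lan", "A", "10.10.1.50")]

if __name__ == "__main__":
    not_in_use = [Prereq("wrkstn12.lan.", "NONE", "ANY", 0, "")]
    print(check_prerequisites("lan.", SOA_ONLY, not_in_use))
    print(check_prerequisites("lan.", WITH_HOST, not_in_use))
```

Capturing the UPDATE message and reading its Prerequisite section against this table shows which condition the client asked the server to enforce.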
Re: [Pdns-users] DNS UPDATE failing (Failed PreReqqisites check)
On 2019-02-04 10:21, Ruben d'Arco wrote:

Hi MRob,

The DNS Update specification (RFC2136) has a section that allows a DNS update to do check (pre-requisites) before applying the update. PDNS performs these checks, and it seems that the current records of your domain do not comply with those pre-requisites.

Can you show us the records from your domain and the dns update that you're sending?

Thank you for responding. I will try first to upgrade pdns version as Remi said. If I need send dns update command for inspection is the best way to capture it using tcpdump? I'll send current domain records also, but it's nothing, just the SOA.

Do I need a SOA for reverse DNS too?

On Mon, Feb 04, 2019 at 10:11:39AM +, MRob wrote:

Trying to use DNS updates but seeing the error in our logs "Failed PreReqqisites check, returning 6". Could someone explain what "prerequisites check" is and what can cause it to fail? What things should I check?

Here is pdns log from one instance

Feb 3 03:20:17 test pdns[20989]: Query: begin
Feb 3 03:20:17 test pdns[20989]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name=?
Feb 3 03:20:17 test pdns[20989]: UPDATE (50855) from 10.10.1.254 for lan.: Failed PreRequisites check, returning 6
Feb 3 03:20:17 test pdns[20989]: Query: rollback

Here is sql log from same time, seems normal:

2019-02-03T08:20:17.424815Z 16 Reset stmt
2019-02-03T08:20:17.424946Z 16 Execute SELECT id FROM domains WHERE id = -1 OR name = 'lan'
2019-02-03T08:20:17.425130Z 16 Reset stmt
2019-02-03T08:20:17.425226Z 16 Execute select id,name,master,last_check,notified_serial,type,account from domains where name='lan'
2019-02-03T08:20:17.425418Z 16 Reset stmt
2019-02-03T08:20:17.425540Z 16 Execute SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='SOA' and name='lan'
2019-02-03T08:20:17.425853Z 16 Reset stmt
2019-02-03T08:20:17.425987Z 16 Query begin
2019-02-03T08:20:17.426196Z 16 Execute SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='wrkstn12.lan'
2019-02-03T08:20:17.426370Z 16 Reset stmt
2019-02-03T08:20:17.426411Z 16 Query rollback

Version is 4.0.0-alpha2 from repo where nothing newer available. Would it be productive to use repo supplied by powerdns.com, I mean is it possible a bug is in this version and has been fixed. Or is pdns innocent and problem with the DDNSUPDATE client?
[Pdns-users] DNS UPDATE failing (Failed PreReqqisites check)
Trying to use DNS updates but seeing the error in our logs "Failed PreReqqisites check, returning 6". Could someone explain what "prerequisites check" is and what can cause it to fail? What things should I check?

Here is pdns log from one instance

Feb 3 03:20:17 test pdns[20989]: Query: begin
Feb 3 03:20:17 test pdns[20989]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name=?
Feb 3 03:20:17 test pdns[20989]: UPDATE (50855) from 10.10.1.254 for lan.: Failed PreRequisites check, returning 6
Feb 3 03:20:17 test pdns[20989]: Query: rollback

Here is sql log from same time, seems normal:

2019-02-03T08:20:17.424815Z 16 Reset stmt
2019-02-03T08:20:17.424946Z 16 Execute SELECT id FROM domains WHERE id = -1 OR name = 'lan'
2019-02-03T08:20:17.425130Z 16 Reset stmt
2019-02-03T08:20:17.425226Z 16 Execute select id,name,master,last_check,notified_serial,type,account from domains where name='lan'
2019-02-03T08:20:17.425418Z 16 Reset stmt
2019-02-03T08:20:17.425540Z 16 Execute SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='SOA' and name='lan'
2019-02-03T08:20:17.425853Z 16 Reset stmt
2019-02-03T08:20:17.425987Z 16 Query begin
2019-02-03T08:20:17.426196Z 16 Execute SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='wrkstn12.lan'
2019-02-03T08:20:17.426370Z 16 Reset stmt
2019-02-03T08:20:17.426411Z 16 Query rollback

Version is 4.0.0-alpha2 from repo where nothing newer available. Would it be productive to use repo supplied by powerdns.com, I mean is it possible a bug is in this version and has been fixed. Or is pdns innocent and problem with the DDNSUPDATE client?
Re: [Pdns-users] NOTIFY response timeout value? (repeat NOTIFY slave error)
On 2018-12-11 16:03, Remi Gacogne wrote:
On 12/7/18 6:10 PM, MRob wrote:

NOTIFY 3sec timeout is hardcoded? Anyone please confirm?

At a quick glance, it looks like the first attempt has a 3s timeout, the second one 5s, the third one 9s and the last one 17s:

https://github.com/PowerDNS/pdns/blob/master/pdns/communicator.hh#L106

Thanks maybe some day it will have configured base value.
[Pdns-users] NOTIFY response timeout value? (repeat NOTIFY slave error)
Hello, when supermaster send NOTIFY for large number of domain I think some NOTIFYs get re-sent. On first time slave setup that cause errors so I was looking do pdns have setting to delay re-NOTIFY timeout?

Loglevel 6 doesn't say "no response so I will re-notify" however I see hint of two notify response in master:

01:19:53 Queued notification of domain 'example.org' to 2.2.2.2:53
01:19:57 Removed from notification list: 'example.org' to 2.2.2.2:53 (was acknowledged)
01:20:13 Received spurious notify answer for 'example.org' from 2.2.2.2:53
01:20:31 AXFR happen successfully
01:20:45 Received unsuccessful notification report for 'example.org' from 2.2.2.2:53, error: Server Failure
01:20:45 Received spurious notify answer for 'example.org' from 2.2.2.2:53

Slave show in logs 2 NOTIFY, notice time of number 2 is 1sec before than which master said "removed from notify list (acknowledged)":

01:19:54 Received NOTIFY for example.org from 1.1.1.1 for which we are not authoritative
01:19:56 Received NOTIFY for example.org from 1.1.1.1 for which we are not authoritative
01:20:13 Created new slave zone 'example.org' from supermaster 1.1.1.1
01:20:31 AXFR happen successfully
01:20:44 Database error trying to create example.org for potential supermaster 1.1.1.1: Database error trying to insert new domain 'example.org.': Could not execute mysql statement: insert into domains (type,name,master,account,last_check,notified_serial) values(?,?,?,?,NULL,NULL): Duplicate entry 'example.org' for key 'name_index'

So I guess master wait 3sec for NOTIFY acknowledge then send re-NOTIFY. On slave setup causing database error. Look like operation is normal after so I can ignore but I wonder if there may be setting to increase timeout?
Re: [Pdns-users] How to understand cause of rejected notify
All supermaster problems I know of can be resolved by checking the checklist:

https://doc.powerdns.com/authoritative/modes-of-operation.html?highlight=supermaster#supermaster-automatic-provisioning-of-slaves

* supermaster support must be enabled

I already asked about this on unanswered inquiry over a week ago. Master is version 4.1 where I think the setting is not recognized (according to docs, added in 4.2) thus no- I didn't use it. Would appreciate to have clarification the use of that setting, how 4.1 works without it and what it adds to 4.2. Also if you have supermaster=yes then should master=yes be removed? Documentation does not make it clear

* The supermaster must carry a SOA record for the notified domain

Yes it does

* The supermaster IP must be present in the ‘supermaster’ table

Yes, I said in my last email it exists and can assume this is working because as I explained the supermaster causes an entry to the ``domains'' table on the slave if I use 4.1 slave. 4.2 slave alone is refusing the NOTIFY.

* The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table

dig shows me this is true, both @ the master and without @ to local resolver

* If your master sends signed NOTIFY it will mark that TSIG key as the TSIG key used for retrieval as well

When slave is 4.1 yes it added entry to ``domainmetadata'' table as well as ``domains''. So appears working good. Just not adding to ``records'' with no error expressed. Only v4.2 just refusing the NOTIFY with no error to help diagnose.

* If you turn off allow-unsigned-supermaster, then your supermaster(s) are required to sign their notifications.

Per above I think this is ok
[Pdns-users] How to understand cause of rejected notify
As I have had no luck to understand why supermaster only create entry in ``domains'' table but not in ``records'' and AXFR never happen again (https://mailman.powerdns.com/pipermail/pdns-users/2018-November/025624.html) I think maybe it's a bug in pdns 4.1 so I install 4.2 on slave (master still 4.1) to hope that can fix the bug.

Now problem is worse, slave won't even set up ``domains'' table, only see this:

Received NOTIFY for example.com from 1.1.1.1:2101 for which we are not authoritative (Refused)

How do I know the reason? Config is still same as before when version 4.1 was populated ``domains'' table (supermaster db table has correct setup)

Master log also not helpful:

Received unsuccessful notification report for 'example.com' from 2.2.2.2:53, error: Query Refused

loglevel=6 on both slave/master, nothing else coming to the logs to explain refused reason
Re: [Pdns-users] pipe backend logging
You should reply to the list too.

On 2018-11-30 22:58, Randall Diffenderfer wrote:

we have packaged installs of vm's for a given class of function. the simple function i'm using presents me a CentOS 7 box with enough stuff layered on to do "generic" webservices. i'm getting gripes about "priority" , too, so that may be blocking what i can do

# yum update pdns
. . .
72 packages excluded due to repository priority protections

That's a lot, the pdns repo alone won't block so many packages tho you may have other repos to cause this.

. . .
Resolving Dependencies
Error: Package: pdns-4.1.5-1pdns.el7.x86_64 (powerdns-auth-41)
Requires: libsodium.so.23()(64bit)

I have installed libsodium 1.0.16 but it provides with libsodium.so.23

# ll /usr/lib64/*sodi*
lrwxrwxrwx. 1 root root 19 Nov 14 18:32 /usr/lib64/libsodium.so.13 -> libsodium.so.13.3.0
-rwxr-xr-x. 1 root root 357992 Oct 26 2015 /usr/lib64/libsodium.so.13.3.0

# yum info libsodium
Loaded plugins: fastestmirror, priorities
Loading mirror speeds from cached hostfile
72 packages excluded due to repository priority protections
Installed Packages
Name: libsodium
Arch: x86_64
Version : 1.0.5

That's out of date. Probably to ask somewhere why you are not pulling newest epel packaging.

Release : 1.el7
Size: 350 k
Repo: installed
From repo : epel
Summary : The Sodium crypto library
URL : http://libsodium.org/

On 11/30/18, 12:33, "MRob" wrote:

On 2018-11-30 20:24, Randall Diffenderfer wrote:
> i had followed the instructions there for centos 7, but get a
> libsodium conflict (need .23, have .13, again -- what comes with...)

where do you get libsodium from? Mine worked with this from epel -- from ``yum info libsodium''

Name: libsodium
Arch: x86_64
Version : 1.0.16
Release : 1.el7
Size: 335 k
Repo: installed
From repo : epel

> haven't chased the update for libsodium to ground yet.
>
> On 11/30/18, 12:20, "MRob" wrote:
>
> On 2018-11-30 19:37, Randall Diffenderfer via Pdns-users wrote:
> > using centos rpm for powerdns, version 3.4.11 (this would seem to be
> > old, but it's what they supply).
>
> you can update just use pdns repo to save headaches
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__repo.powerdns.com_=DwICAg=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg=9sXs16LkSD1MzhoJxgyl7R_tait1dEXqvyD3NCT1wEA=-TOZm0ZhkN7b5Mx8xuGCqKPWBMMcfOihb2NXBQBd9o8=RPQWglklp2lmtniPdKEPOavnpBmahqXhM9exVqUywVU=
Re: [Pdns-users] pipe backend logging
On 2018-11-30 19:37, Randall Diffenderfer via Pdns-users wrote:

using centos rpm for powerdns, version 3.4.11 (this would seem to be old, but it's what they supply).

you can update just use pdns repo to save headaches

https://repo.powerdns.com/
Re: [Pdns-users] AXFR queued but not executing
FYI I remove TSIG, still same problem. Summary:

1 - superslave create only entry in ``domains'' table but no records
2 - AXFR never retry, just repeat ``No new unfresh slave domains, 1 queued for AXFR already, 0 in progress''

No error in logs. Can you please help, I'm out of ideas?

On 2018-11-30 18:55, MRob wrote:
On 2018-11-30 17:22, MRob wrote:
On 2018-11-30 16:55, MRob wrote:

I see this repeat in logs:

No new unfresh slave domains, 1 queued for AXFR already, 0 in progress

can I please ask which timers is this waiting on?

I should say original there was a error on the slave which fixed and restarted pdns. slave-cycle-interval is default and no more errors can i find, the master say it working normal i think:

pdns_server: Queued notification of domain 'example.com' to 1.2.3.4:53
pdns_server: Removed from notification list: 'example.com' to 1.2.3.4:53 (was acknowledged)

slave log has no error

pdns_server: Received serial number updates for 1 zone, had 0 timeouts
pdns_server: Domain 'example.com' is stale, master serial 8, our serial 0
pdns_server: No new unfresh slave domains, 1 queued for AXFR already, 0 in progress
pdns_server: No new unfresh slave domains, 1 queued for AXFR already, 0 in progress
...

but axfr never starts even with restart on both slave and master

Set loglevel=6 I find a hint:

No serial for 'example.com' found - zone is missing?

What is problem here? It's a superslave, so I delete everything for domain in database and try again. Logs no error:

pdns_server: Received secure NOTIFY for example.com from 4.3.2.1, allowed by TSIG key 'tsigkey'
pdns_server: Received NOTIFY for example.com from 4.3.2.1 for which we are not authoritative
pdns_server: Created new slave zone 'example.com' from supermaster 4.3.2.1
pdns_server: 1 slave domain needs checking, 0 queued for AXFR
pdns_server: Received serial number updates for 1 zone, had 0 timeouts
pdns_server: Domain 'example.com' is stale, master serial 8, our serial 0

It put a entry in database table ``domains'' but nothing for ``records'' but i dont know why. So I send notify from master, back to the same problem:

pdns_server: Received secure NOTIFY for example.com from 4.3.2.1, allowed by TSIG key 'tsigkey'
pdns_server: No serial for 'example.com' found - zone is missing?
pdns_server: No new unfresh slave domains, 1 queued for AXFR already, 0 in progress
pdns_server: No new unfresh slave domains, 1 queued for AXFR already, 0 in progress
pdns_server: No new unfresh slave domains, 1 queued for AXFR already, 0 in progress
...every minute
Re: [Pdns-users] AXFR queued but not executing
On 2018-11-30 17:22, MRob wrote:
On 2018-11-30 16:55, MRob wrote:

I see this repeat in logs:

No new unfresh slave domains, 1 queued for AXFR already, 0 in progress

can I please ask which timers is this waiting on?

I should say original there was a error on the slave which fixed and restarted pdns. slave-cycle-interval is default and no more errors can i find, the master say it working normal i think:

pdns_server: Queued notification of domain 'example.com' to 1.2.3.4:53
pdns_server: Removed from notification list: 'example.com' to 1.2.3.4:53 (was acknowledged)

slave log has no error

pdns_server: Received serial number updates for 1 zone, had 0 timeouts
pdns_server: Domain 'example.com' is stale, master serial 8, our serial 0
pdns_server: No new unfresh slave domains, 1 queued for AXFR already, 0 in progress
pdns_server: No new unfresh slave domains, 1 queued for AXFR already, 0 in progress
...

but axfr never starts even with restart on both slave and master

Set loglevel=6 I find a hint:

No serial for 'example.com' found - zone is missing?

What is problem here? It's a superslave, so I delete everything for domain in database and try again. Logs no error:

pdns_server: Received secure NOTIFY for example.com from 4.3.2.1, allowed by TSIG key 'tsigkey'
pdns_server: Received NOTIFY for example.com from 4.3.2.1 for which we are not authoritative
pdns_server: Created new slave zone 'example.com' from supermaster 4.3.2.1
pdns_server: 1 slave domain needs checking, 0 queued for AXFR
pdns_server: Received serial number updates for 1 zone, had 0 timeouts
pdns_server: Domain 'example.com' is stale, master serial 8, our serial 0

It put a entry in database table ``domains'' but nothing for ``records'' but i dont know why. So I send notify from master, back to the same problem:

pdns_server: Received secure NOTIFY for example.com from 4.3.2.1, allowed by TSIG key 'tsigkey'
pdns_server: No serial for 'example.com' found - zone is missing?
pdns_server: No new unfresh slave domains, 1 queued for AXFR already, 0 in progress
pdns_server: No new unfresh slave domains, 1 queued for AXFR already, 0 in progress
pdns_server: No new unfresh slave domains, 1 queued for AXFR already, 0 in progress
...every minute
Re: [Pdns-users] AXFR queued but not executing
On 2018-11-30 16:55, MRob wrote:

I see this repeat in logs:

No new unfresh slave domains, 1 queued for AXFR already, 0 in progress

can I please ask which timers is this waiting on?

I should say original there was a error on the slave which fixed and restarted pdns. slave-cycle-interval is default and no more errors can i find, the master say it working normal i think:

pdns_server: Queued notification of domain 'example.com' to 1.2.3.4:53
pdns_server: Removed from notification list: 'example.com' to 1.2.3.4:53 (was acknowledged)

slave log has no error

pdns_server: Received serial number updates for 1 zone, had 0 timeouts
pdns_server: Domain 'example.com' is stale, master serial 8, our serial 0
pdns_server: No new unfresh slave domains, 1 queued for AXFR already, 0 in progress
pdns_server: No new unfresh slave domains, 1 queued for AXFR already, 0 in progress
...

but axfr never starts even with restart on both slave and master
[Pdns-users] AXFR queued but not executing
I see this repeat in logs:

No new unfresh slave domains, 1 queued for AXFR already, 0 in progress

can I please ask which timers is this waiting on?
[Pdns-users] supermaster setting purpose?
Running version 4.1, there is no supermaster setting in the main config (doc says it added in 4.2) but I understand supermaster feature should work under 4.1, is that correct?

When migrating to 4.2 what feature does ''supermaster=yes'' add for having in config file? Must I remove ''master=yes'' from config file?
Re: [Pdns-users] Increment SOA programmatically?
On 2018-11-21 03:49, MRob wrote:
On 2018-11-06 08:39, Daniel Miller via Pdns-users wrote:
On 11/5/2018 9:15 AM, MRob wrote:

still, it didn't work with auto-serial configuration:

> pdnsutil increase-serial example.org
Error: Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content 'ns.example.org cont...@example.org 0'

could you paste the content of the SOA record for this zone?

Same as showed above-
ns.example.org cont...@example.org 0

That looks like the problem - SOA records are supposed to have more info. Try:

ns.example.org cont...@example.org 2018110601 86400 7200 604800 300

Instead of a simple 0 - suggest using a datestamp and starting with today's config. But the other parameters aren't optional (though you should adjust for your needs).

Adding the other SOA fields fixed the problem. Because you told me not to use 0 I could only take to understand your advice not relevant for autoserial use case.

I may suggest pdnsutil manpage to update for showing increase-serial command. I use pdns source repo but it's not in my manpage.

Also to suggest pdnsutil check-zone to give error on SOA without all fields. It gave no error so I could think it was correct but it was not.

Still one problem though. After pdnsutil increase-serial the serial did increase but in database backend, it's still troublesome. Field notified_serial changed from 0 to 1 but last_check is yet as always NULL. How will pdns retain the current SOA serial if rebooted? I think it will reset? Is this bug?

well i see now field "notified_serial" is increment every time SOA get increment so I guessing this is ok? I feel confusion because user manual said this for auto-serial:

''The serial in SOA responses is set to what’s provided by zone-lastchange-query. By default, this is the highest value of the change_date field in the “records” table).''

But 'change_date' in records table is also staying NULL, why does that happen? i have no custom queries set.
Re: [Pdns-users] Increment SOA programmatically?
On 2018-11-06 08:39, Daniel Miller via Pdns-users wrote:
On 11/5/2018 9:15 AM, MRob wrote:

still, it didn't work with auto-serial configuration:

> pdnsutil increase-serial example.org
Error: Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content 'ns.example.org cont...@example.org 0'

could you paste the content of the SOA record for this zone?

Same as showed above-
ns.example.org cont...@example.org 0

That looks like the problem - SOA records are supposed to have more info. Try:

ns.example.org cont...@example.org 2018110601 86400 7200 604800 300

Instead of a simple 0 - suggest using a datestamp and starting with today's config. But the other parameters aren't optional (though you should adjust for your needs).

Adding the other SOA fields fixed the problem. Because you told me not to use 0 I could only take to understand your advice not relevant for autoserial use case.

I may suggest pdnsutil manpage to update for showing increase-serial command. I use pdns source repo but it's not in my manpage.

Also to suggest pdnsutil check-zone to give error on SOA without all fields. It gave no error so I could think it was correct but it was not.

Still one problem though. After pdnsutil increase-serial the serial did increase but in database backend, it's still troublesome. Field notified_serial changed from 0 to 1 but last_check is yet as always NULL. How will pdns retain the current SOA serial if rebooted? I think it will reset? Is this bug?
Re: [Pdns-users] pdnsutil increase-serial not working for mysql with autoserial
in fact after reboot looks like old serial is lost for all domains. why is change_date not kept up to date? all domains have it to be NULL, I think its where the serial is derived from when using autoserial

On 2018-11-07 20:18, MRob wrote:

Please some help for this? Looks like pdnsutil increase-serial not made to work for mysql backend with autoserial, so how to programmatically request increase serial?

pdnsutil increase-serial example.org
Error: Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content 'ns.example.org cont...@example.org 0'

pdnsutil check-zone example.org
Checked 21 records of 'example.org', 0 errors, 0 warnings.

Related, where is serial stored in auto-serial case? I find "change_date" field NULL on all records and "notified_serial" NULL on this domain (but its 0 on the other domains, not sure why). In this situation what happens if server reboot, SOA has to be reclaimed from somewhere??

As far as I know this can be found in the table "records", column "content", for every entry of the type "SOA". It corresponds to the provided serial number you get with "dig SOA" (if no DNSSEC is active).

Well for auto-serial you must set that value as 0 so my question being where the serial is kept in this special case and carried across reboot situation.
[Pdns-users] pdnsutil increase-serial not working for mysql with autoserial
Please some help for this? Looks like pdnsutil increase-serial not made to work for mysql backend with autoserial, so how to programmatically request increase serial?

pdnsutil increase-serial example.org
Error: Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content 'ns.example.org cont...@example.org 0'

pdnsutil check-zone example.org
Checked 21 records of 'example.org', 0 errors, 0 warnings.

Related, where is serial stored in auto-serial case? I find "change_date" field NULL on all records and "notified_serial" NULL on this domain (but its 0 on the other domains, not sure why). In this situation what happens if server reboot, SOA has to be reclaimed from somewhere??

As far as I know this can be found in the table "records", column "content", for every entry of the type "SOA". It corresponds to the provided serial number you get with "dig SOA" (if no DNSSEC is active).

Well for auto-serial you must set that value as 0 so my question being where the serial is kept in this special case and carried across reboot situation.
Re: [Pdns-users] Increment SOA programmatically?
So... any to help on this below keeping in mind I use autoserial?

I use mysql backend and SOA serial set to 0 in database for auto-serial features. But sometime come occasion we must update one record in database directly, not using DNSUPDATE. In this case how to tell pdns please update SOA serial? I can't find pdns_control, pdnsutil command for this.

Hi,

if you execute pdnsutil w/o any options it lists all available commands. There you can find:

"increase-serial ZONE Increases the SOA-serial by 1. Uses SOA-EDIT"

oh Thanks! The manpage is out of date :)

still, it didn't work with auto-serial configuration:

pdnsutil increase-serial example.org
Error: Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content 'ns.example.org cont...@example.org 0'

pdnsutil check-zone example.org
Checked 21 records of 'example.org', 0 errors, 0 warnings.

Related, where is serial stored in auto-serial case? I find "change_date" field NULL on all records and "notified_serial" NULL on this domain (but its 0 on the other domains, not sure why). In this situation what happens if server reboot, SOA has to be reclaimed from somewhere??

As far as I know this can be found in the table "records", column "content", for every entry of the type "SOA". It corresponds to the provided serial number you get with "dig SOA" (if no DNSSEC is active).

Well for auto-serial you must set that value as 0 so my question being where the serial is kept in this special case and carried across reboot situation.
Re: [Pdns-users] Increment SOA programmatically?
On 2018-11-06 08:39, Daniel Miller via Pdns-users wrote:
On 11/5/2018 9:15 AM, MRob wrote:

still, it didn't work with auto-serial configuration:

> pdnsutil increase-serial example.org
Error: Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content 'ns.example.org cont...@example.org 0'

could you paste the content of the SOA record for this zone?

Same as showed above-
ns.example.org cont...@example.org 0

That looks like the problem - SOA records are supposed to have more info. Try:

ns.example.org cont...@example.org 2018110601 86400 7200 604800 300

Instead of a simple 0 - suggest using a datestamp and starting with today's config. But the other parameters aren't optional (though you should adjust for your needs).

No, it's autoserial feature

https://doc.powerdns.com/authoritative/backends/generic-sql.html#autoserial

SOA records are served normal
Re: [Pdns-users] Increment SOA programmatically?
On 2018-11-05 16:49, Nico CARTRON wrote:
> Hi MRob,
> On 05-nov-2018 17:34 CET, wrote:
> > On 2018-11-05 10:57, Torsten Hantzsche wrote:
> > > On Sun, 4 Nov 2018, MRob wrote:
> > > > I use mysql backend and SOA serial set to 0 in database for auto-serial features. But sometime come occasion we must update one record in database directly, not using DNSUPDATE. In this case how to tell pdns please update SOA serial? I can't find pdns_control, pdnsutil command for this.
> > > Hi,
> > > if you execute pdnsutil w/o any options it lists all available commands. There you can find:
> > > "increase-serial ZONE    Increases the SOA-serial by 1. Uses SOA-EDIT"
> > oh Thanks! The manpage is out of date :) still, it didn't work with auto-serial configuration:
> > pdnsutil increase-serial example.org
> > Error: Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content 'ns.example.org cont...@example.org 0'
> could you paste the content of the SOA record for this zone?

Same as showed above- ns.example.org cont...@example.org 0

> > pdnsutil check-zone example.org
> > Checked 21 records of 'example.org', 0 errors, 0 warnings.
> > > > Related, where is serial stored in auto-serial case? I find "change_date" field NULL on all records and "notified_serial" NULL on this domain (but it's 0 on the other domains, not sure why). In this situation what happens if server reboot, SOA has to be reclaimed from somewhere??
> > > As far as I know this can be found in the table "records", column "content", for every entry of the type "SOA". It corresponds to the provided serial number you get with "dig SOA" (if no DNSSEC is active).
> > Well for auto-serial you must set that value as 0 so my question being where the serial is kept in this special case and carried across reboot situation.

Re: [Pdns-users] Increment SOA programmatically?
On 2018-11-05 10:57, Torsten Hantzsche wrote:
> On Sun, 4 Nov 2018, MRob wrote:
> > I use mysql backend and SOA serial set to 0 in database for auto-serial features. But sometime come occasion we must update one record in database directly, not using DNSUPDATE. In this case how to tell pdns please update SOA serial? I can't find pdns_control, pdnsutil command for this.
> Hi, if you execute pdnsutil w/o any options it lists all available commands. There you can find:
> "increase-serial ZONE    Increases the SOA-serial by 1. Uses SOA-EDIT"

oh Thanks! The manpage is out of date :) still, it didn't work with auto-serial configuration:

pdnsutil increase-serial example.org
Error: Parsing record content (try 'pdnsutil check-zone'): missing field at the end of record content 'ns.example.org cont...@example.org 0'
pdnsutil check-zone example.org
Checked 21 records of 'example.org', 0 errors, 0 warnings.

> > Related, where is serial stored in auto-serial case? I find "change_date" field NULL on all records and "notified_serial" NULL on this domain (but it's 0 on the other domains, not sure why). In this situation what happens if server reboot, SOA has to be reclaimed from somewhere??
> As far as I know this can be found in the table "records", column "content", for every entry of the type "SOA". It corresponds to the provided serial number you get with "dig SOA" (if no DNSSEC is active).

Well for auto-serial you must set that value as 0 so my question being where the serial is kept in this special case and carried across reboot situation.

[Pdns-users] Increment SOA programmatically?
I use mysql backend and SOA serial set to 0 in database for auto-serial features. But sometime come occasion we must update one record in database directly, not using DNSUPDATE. In this case how to tell pdns please update SOA serial? I can't find pdns_control, pdnsutil command for this.

Related, where is serial stored in auto-serial case? I find "change_date" field NULL on all records and "notified_serial" NULL on this domain (but it's 0 on the other domains, not sure why). In this situation what happens if server reboot, SOA has to be reclaimed from somewhere??

Thank you I appreciate pdns

Re: [Pdns-users] How to reload RPZ from file?
On 2018-04-28 21:25, MRob wrote:
> On 2018-04-18 01:04, MRob wrote:
> > With: rpzFile("dblfilename", {defpol=Policy.Custom, defcontent="badserver.example.com"})
> > Is there a 'nice' way to make Recursor reload this file? Does rec_control reload-zones do it? Must I restart recursor?
> `rec_control reload-zones` didn't reload the rpz file so unfortunately I had to restart the recursor. Is there a better way without that drastic action?

I'll understand no feedback to mean that full restart is the only way to reload rpz from file?

Re: [Pdns-users] Error with rec_control reload
On 2018-05-07 09:19, Remi Gacogne wrote:
> On 05/07/2018 11:02 AM, Aki Tuomi wrote:
> > > Can you run sudo strace -econnect,bind rec_control reload-lua-script and post the result?
> > yes, thanks for your help
> > bind(3, {sa_family=AF_LOCAL, sun_path="/var/run/lsock6hPxMw"}, 110) = 0
> > connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/pdns_recursor.controlsocket"}, 110) = 0
> > Fatal: Timeout waiting for answer from control channel
> > +++ exited with 1 +++
> > Yet in the log I still see the error
> > pdns_recursor: 0 (Re)loaded lua script from '/etc/pdns-recursor/blocklist.lua'
> > ...
> > pdns_recursor: Error dealing with control socket request: Unable to send message over control channel '/var/run/lsock6hPxMw': No such file or directory
> > Is the problem caused/related to the timeout?
> What's happening is that the recursor is taking more than the default timeout of rec_control (5s) to do the actual reload, so rec_control stops waiting, deletes its socket and exits. The recursor is still completing the reload, and tries to reply to the rec_control process over the socket afterwards, except the socket is now gone, hence the error. So yes, the reload is done as indicated by the "(Re)loaded lua script from ..." line in the logs. If you want to avoid the "Unable to send message over control channel" line in your logs, just use a longer timeout value for rec_control using the --timeout parameter.

great thanks!

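The timeout race explained in the reply above, reproduced as an added example that is not part of the original thread and is not PowerDNS code. It assumes the control channel behaves like a pair of Unix datagram sockets (the client binds its own temporary path, as the strace output shows); the socket file names and timings are constructed.

```python
import errno
import os
import socket
import tempfile
import threading
import time


def simulate(client_timeout, reload_seconds):
    """Send one control request; return (client_outcome, server_send_errno)."""
    workdir = tempfile.mkdtemp(prefix="ctl-demo-")
    server_path = os.path.join(workdir, "recursor.controlsocket")  # constructed name
    client_path = os.path.join(workdir, "lsockDEMO")               # constructed name
    result = {"errno": None}

    # The daemon side: one datagram socket bound to a well-known path.
    server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    server.bind(server_path)

    def serve_one():
        # Read the command, perform the slow "reload", then answer to the
        # filesystem path the request came from.
        _, reply_to = server.recvfrom(4096)
        time.sleep(reload_seconds)
        try:
            server.sendto(b"ok", reply_to)
        except OSError as exc:
            # The client already unlinked its socket: ENOENT,
            # "No such file or directory".
            result["errno"] = exc.errno

    worker = threading.Thread(target=serve_one)
    worker.start()

    # The control tool side: bind a temporary reply socket, connect, send, wait.
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    client.bind(client_path)
    client.connect(server_path)
    client.settimeout(client_timeout)
    client.send(b"reload-lua-script")
    try:
        outcome = client.recv(4096).decode()
    except socket.timeout:
        outcome = "timeout"
    finally:
        # Giving up means closing and deleting the reply socket.
        client.close()
        os.unlink(client_path)

    worker.join()
    server.close()
    os.unlink(server_path)
    os.rmdir(workdir)
    return outcome, result["errno"]


if __name__ == "__main__":
    # Client gives up before the reload finishes: the work is still done,
    # but the reply has nowhere to go.
    print("short timeout:", simulate(client_timeout=0.1, reload_seconds=0.5))
    # Client waits long enough: clean reply, nothing logged on the server side.
    print("long timeout: ", simulate(client_timeout=2.0, reload_seconds=0.05))
    print("ENOENT =", errno.ENOENT)
```

In the short-timeout run the server-side error is the only symptom, which is why the log line alone does not mean the reload failed.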
Re: [Pdns-users] Error with rec_control reload
On 2018-05-07 07:16, Aki Tuomi wrote:
> On 07.05.2018 09:58, MRob wrote:
> > On 2018-05-07 06:50, Aki Tuomi wrote:
> > > On 07.05.2018 09:48, MRob wrote:
> > > > Hi can anyone explain what this means and if it is important or can be ignored? I only find unanswered mailing list posts about it.
> > > > $ sudo rec_control reload-lua-script
> > > > pdns_recursor: Error dealing with control socket request: Unable to send message over control channel '/var/run/lsockl2eLnQ': No such file or directory
> > > > Because of this error do I presume reload failed? Must I execute service restart of recursor?
> > > This sounds like you are using chroot?
> > Not that I know of.
> > > If so, you need to configure the control socket to /var/run/pdns and then make sure you symlink or bind-mount it to outside the chroot under /var/run/pdns. Otherwise it won't work.
> > > Aki
> Can you run sudo strace -econnect,bind rec_control reload-lua-script and post the result?

yes, thanks for your help

bind(3, {sa_family=AF_LOCAL, sun_path="/var/run/lsock6hPxMw"}, 110) = 0
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/pdns_recursor.controlsocket"}, 110) = 0
Fatal: Timeout waiting for answer from control channel
+++ exited with 1 +++

Yet in the log I still see the error

pdns_recursor: 0 (Re)loaded lua script from '/etc/pdns-recursor/blocklist.lua'
...
pdns_recursor: Error dealing with control socket request: Unable to send message over control channel '/var/run/lsock6hPxMw': No such file or directory

Is the problem caused/related to the timeout?

Re: [Pdns-users] Error with rec_control reload
On 2018-05-07 06:50, Aki Tuomi wrote:
> On 07.05.2018 09:48, MRob wrote:
> > Hi can anyone explain what this means and if it is important or can be ignored? I only find unanswered mailing list posts about it.
> > $ sudo rec_control reload-lua-script
> > pdns_recursor: Error dealing with control socket request: Unable to send message over control channel '/var/run/lsockl2eLnQ': No such file or directory
> > Because of this error do I presume reload failed? Must I execute service restart of recursor?
> This sounds like you are using chroot?

Not that I know of.

> If so, you need to configure the control socket to /var/run/pdns and then make sure you symlink or bind-mount it to outside the chroot under /var/run/pdns. Otherwise it won't work.
> Aki

[Pdns-users] Error with rec_control reload
Hi can anyone explain what this means and if it is important or can be ignored? I only find unanswered mailing list posts about it.

$ sudo rec_control reload-lua-script
pdns_recursor: Error dealing with control socket request: Unable to send message over control channel '/var/run/lsockl2eLnQ': No such file or directory

Because of this error do I presume reload failed? Must I execute service restart of recursor?

Re: [Pdns-users] How to reload RPZ from file?
On 2018-04-18 01:04, MRob wrote:
> With: rpzFile("dblfilename", {defpol=Policy.Custom, defcontent="badserver.example.com"})
> Is there a 'nice' way to make Recursor reload this file? Does rec_control reload-zones do it? Must I restart recursor?

`rec_control reload-zones` didn't reload the rpz file so unfortunately I had to restart the recursor. Is there a better way without that drastic action?

[Pdns-users] How to reload RPZ from file?
With: rpzFile("dblfilename", {defpol=Policy.Custom, defcontent="badserver.example.com"})

Is there a 'nice' way to make Recursor reload this file? Does rec_control reload-zones do it? Must I restart recursor?

Re: [Pdns-users] Lua control of config settings?
On 2018-04-17 05:24, MRob wrote:
> On 2018-04-16 10:55, MRob wrote:
> > On 2018-04-16 10:09, Remi Gacogne wrote:
> > > On 04/16/2018 12:03 PM, MRob wrote:
> > > > > According to this, you *should* be able to load a million domains into LUA without problem.
> > > > That's the same method this person said crashed recursor with much less https://git.mauras.ch/Various/powerdns_recursor_ads_blocking Are there other people who have experience?
> > > It shouldn't crash the recursor and if you can reproduce the crash and share the reproduction method I would be happy to look into it.
> > ok maybe I will try it but can any people comment is there pros or cons to implementing a block list using Policy Zones instead comparing to loading the file direct into a big list? I have policy zone based blocklisting working but only with a few test domains in zone file
> I tested with over 500.000 domain list using both methods. RPZ pauses at startup while loading the zone, using Lua domain list pauses when first query comes and the server forks its workers. RPZ pause feels a couple seconds slower, but not scientific measurement. Only RPZ gave this error:
> Unable to load RPZ zone from '.rpz': name too long
> I had to comment out long domain lines. Can someone indicate what the maximum domain name length should be?

Max full domain name should be 253 but RPZ refuses to load a domain in my list that is 246 chars. What is pdns max length?

> After startup, responsiveness seems normal using both methods but it's just one person test visiting a few different sites so I can't give solid data.

Still wonder on this question:

> Are there another reasons to consider why or why not to use RPZ vs. loading domain list direct in Lua?

Is the mechanism to look up domain in RPZ different than lookup in a Lua Domain Set? Any factors to consider? Thanks.

Re: [Pdns-users] dp.variable when changing RPZ policy action?
On 2018-04-17 05:42, MRob wrote:
> PowerDNS blog recommends setting dq.variable when a domain response is part of the loaded block list. https://blog.powerdns.com/2016/01/19/efficient-optional-filtering-of-domains-in-recursor-4-0-0/
> But this example for modifying policy actions does not set dq.variable: https://doc.powerdns.com/md/recursor/scripting/#modifying-policy-decisions
> Is that oversight, should I set dq.variable if the policy action is liable to changing? After all, it does affect the returned result. Though in testing, I find the correct response for both cases of client requested blocking or not blocking (how does it respond correct with the wrong value in cache?)

I see the reason dq.variable is not used in this example is that there is not optional function. Nevertheless I want to pose the question: If I change policy action, is the original query result cached or the result after the policy action is considered? Thus should I need to consider setting dq.variable in this scenarios? As you read in my last msg above, I see response is correct for both blocked client and non blocked client when assumedly only one answer is cached this makes me think that the policy action is not considered when applying a value to cache. Can you comment?

> PS, when dq.variable is set is this forcing referral to authoritative name server on every query? Is there performance implications to consider?

And that?

[Pdns-users] dp.variable when changing RPZ policy action?
PowerDNS blog recommends setting dq.variable when a domain response is part of the loaded block list. https://blog.powerdns.com/2016/01/19/efficient-optional-filtering-of-domains-in-recursor-4-0-0/

But this example for modifying policy actions does not set dq.variable: https://doc.powerdns.com/md/recursor/scripting/#modifying-policy-decisions

Is that oversight, should I set dq.variable if the policy action is liable to changing? After all, it does affect the returned result. Though in testing, I find the correct response for both cases of client requested blocking or not blocking (how does it respond correct with the wrong value in cache?)

By the way, this example has typo, Lua uses ~= but the example uses !=

PS, when dq.variable is set is this forcing referral to authoritative name server on every query? Is there performance implications to consider?

Re: [Pdns-users] Lua control of config settings?
On 2018-04-16 10:55, MRob wrote:
> On 2018-04-16 10:09, Remi Gacogne wrote:
> > On 04/16/2018 12:03 PM, MRob wrote:
> > > > According to this, you *should* be able to load a million domains into LUA without problem.
> > > That's the same method this person said crashed recursor with much less https://git.mauras.ch/Various/powerdns_recursor_ads_blocking Are there other people who have experience?
> > It shouldn't crash the recursor and if you can reproduce the crash and share the reproduction method I would be happy to look into it.
> ok maybe I will try it but can any people comment is there pros or cons to implementing a block list using Policy Zones instead comparing to loading the file direct into a big list? I have policy zone based blocklisting working but only with a few test domains in zone file

I tested with over 500.000 domain list using both methods. RPZ pauses at startup while loading the zone, using Lua domain list pauses when first query comes and the server forks its workers. RPZ pause feels a couple seconds slower, but not scientific measurement. Only RPZ gave this error:

Unable to load RPZ zone from '.rpz': name too long

I had to comment out long domain lines. Can someone indicate what the maximum domain name length should be?

After startup, responsiveness seems normal using both methods but it's just one person test visiting a few different sites so I can't give solid data.

Are there another reasons to consider why or why not to use RPZ vs. loading domain list direct in Lua?

Re: [Pdns-users] How to make Policy.NODATA response in policy zone?
On 2018-04-16 11:40, bert hubert wrote:
> On Mon, Apr 16, 2018 at 11:33:17AM +, MRob wrote:
> > I can make NXDOMAIN applied policy for a domain in policy zone with this:
> > example.com CNAME .
> > But how to cause NODATA response?
> Hello "MRob", We recommend that you read the documentation we wrote for you on https://doc.powerdns.com/recursor/lua-scripting/index.html

RPZ docs are here https://doc.powerdns.com/recursor/lua-config/rpz.html

With no information how to make the policy responses in the zone file. I had to spend plenty of time wandering around your docs until I find this examples: https://github.com/PowerDNS/pdns/blob/master/pdns/basic.rpz but it has no information about causing a NODATA response

[Pdns-users] How to make Policy.NODATA response in policy zone?
I can make NXDOMAIN applied policy for a domain in policy zone with this:

example.com CNAME .

But how to cause NODATA response?

Re: [Pdns-users] Lua control of config settings?
On 2018-04-16 10:09, Remi Gacogne wrote:
> On 04/16/2018 12:03 PM, MRob wrote:
> > > According to this, you *should* be able to load a million domains into LUA without problem.
> > That's the same method this person said crashed recursor with much less https://git.mauras.ch/Various/powerdns_recursor_ads_blocking Are there other people who have experience?
> It shouldn't crash the recursor and if you can reproduce the crash and share the reproduction method I would be happy to look into it.

ok maybe I will try it but can any people comment is there pros or cons to implementing a block list using Policy Zones instead comparing to loading the file direct into a big list? I have policy zone based blocklisting working but only with a few test domains in zone file

Re: [Pdns-users] Lua errors finding global objects in recent version
On 2018-04-16 07:45, Remi Gacogne wrote:
> Hi,
> On 04/16/2018 01:41 AM, MRob wrote:
> > I have strange errors in LUA script like this:
> > Unable to load Lua script from '/etc/pdns-recursor/luaScript.lua': STL Exception: [string "chunk"]:2: attempt to call global 'pdnslog' (a nil value)
> > Unable to load Lua script from '/etc/pdns-recursor/luaScript.lua': STL Exception: [string "chunk"]:6: attempt to call global 'newNMG' (a nil value)
> > Strange because I get pdns-recursor from pdns repo. Version 4.1.2 so why is this errors?
> You are using lua-config-file instead of lua-dns-script to load your file.

Thank you for your help. I am try to load a policy zone and over-ride the zone using LUA. A little confused but can you confirm I need both?

rpzFile has to be in lua-config-file
Other things, prerecurse must be in lua-dns-script

This correct understanding? Thank you

Re: [Pdns-users] Lua control of config settings?
On 2018-04-16 07:01, Brian Candler wrote:
> On 15/04/2018 22:08, MRob wrote:
> > I read about how recursor can be used to block queries for tracking domains: https://blog.powerdns.com/2016/01/19/efficient-optional-filtering-of-domains-in-recursor-4-0-0/
> You may find this interesting: https://www.powerdns.com/resources/2016%20UKNOF%20filtering%20bert%20hubert.pdf
> According to this, you *should* be able to load a million domains into LUA without problem.

That's the same method this person said crashed recursor with much less https://git.mauras.ch/Various/powerdns_recursor_ads_blocking Are there other people who have experience?

> But you can also do lookups in a CDB file.

Do you know where I can find info about this? There is tinydns backend, maybe there is a way in LUA preresolve function to do lookup to different backend? Ignore backend otherwise.

[Pdns-users] Lua errors finding global objects in recent version
I have strange errors in LUA script like this:

Unable to load Lua script from '/etc/pdns-recursor/luaScript.lua': STL Exception: [string "chunk"]:2: attempt to call global 'pdnslog' (a nil value)
Unable to load Lua script from '/etc/pdns-recursor/luaScript.lua': STL Exception: [string "chunk"]:6: attempt to call global 'newNMG' (a nil value)

Strange because I get pdns-recursor from pdns repo. Version 4.1.2 so why is this errors? Thank you.

Re: [Pdns-users] Lua control of config settings?
On 2018-04-15 21:08, MRob wrote:
> I read about how recursor can be used to block queries for tracking domains: https://blog.powerdns.com/2016/01/19/efficient-optional-filtering-of-domains-in-recursor-4-0-0/
> But I also read it chokes recursor if the list is many thousands domains: https://git.mauras.ch/Various/powerdns_recursor_ads_blocking
> So using forward-zones-file is a good solution but I want to use the optional solution provided in the PDNS Blog where some client IP address are filtered some are not. Can I turn "forward-zones-file" on/off in Lua preresolve function?

Maybe another option to use "etc-hosts-file" but same questions can it be turn on/off and does it handle say 500.000 domains? Also I found response policy zones, maybe this is a best solution. Does RPZ stand up to example 500.000 domains in a local RPZ file?

[Pdns-users] Lua control of config settings?
I read about how recursor can be used to block queries for tracking domains: https://blog.powerdns.com/2016/01/19/efficient-optional-filtering-of-domains-in-recursor-4-0-0/

But I also read it chokes recursor if the list is many thousands domains: https://git.mauras.ch/Various/powerdns_recursor_ads_blocking

So using forward-zones-file is a good solution but I want to use the optional solution provided in the PDNS Blog where some client IP address are filtered some are not. Can I turn "forward-zones-file" on/off in Lua preresolve function?

Re: [Pdns-users] Authority not refreshing stale mysql connections?
On 2016-11-24 12:49, bert hubert wrote:
> MRob, It is tremendously helpful if you let us know which version of PowerDNS you are running and on which platform. We are aware of some versions of PowerDNS having this issue but we need to know what you are running.

I'm sorry I left that out. I installed using apt-get on Ubuntu. Package is called: pdns-server 4.0.0~alpha2-3build1

pdns_server --version reports "Authoritative Server 4.0.0-alpha2"

Since you have heard reports of this before, do you know if the problem only happens on lightly used systems? In other words, if I move it to production where queries happen on a regular basis, will the DB connection not go stale?

> On Thu, Nov 24, 2016 at 12:46:42PM -0800, MRob wrote:
> > I have a mysql-backed authority set up locally serving the internal LAN domain on a test platform (very lightly used at the moment). It appears that after some time (hours), the DB connection goes stale and queries return with dig reporting status SERVFAIL. If I wait (not sure how long, but I think more than 5 minutes, if not a lot longer), the queries will start working normally again (status NOERROR). It appears I can cause the same problem prematurely by restarting the mysql service, which is what leads me to believe PDNS is not refreshing stale database connections right away (though eventually it does). Restarting the authority of course fixes the problem, but I'm looking for a better solution. Help?

[Pdns-users] Authority not refreshing stale mysql connections?
I have a mysql-backed authority set up locally serving the internal LAN domain on a test platform (very lightly used at the moment). It appears that after some time (hours), the DB connection goes stale and queries return with dig reporting status SERVFAIL. If I wait (not sure how long, but I think more than 5 minutes, if not a lot longer), the queries will start working normally again (status NOERROR). It appears I can cause the same problem prematurely by restarting the mysql service, which is what leads me to believe PDNS is not refreshing stale database connections right away (though eventually it does). Restarting the authority of course fixes the problem, but I'm looking for a better solution. Help?

Re: [Pdns-users] DDNS with TSIG not working, need assistance
On 2016-11-13 21:21, Aki Tuomi wrote:
> On Sun, Nov 13, 2016 at 05:56:50PM -0800, mro...@insiberia.net wrote:
> > I'm having a hard time knowing how to debug this message:
> > Packet for domain 'local.' denied: can't find TSIG key with name 'tsig.key.local.' and algorithm 'hmac-sha512.'
> > Is that a small bug that is reporting the algorithm with a dot at the end? Or is it my problem? I double-checked that the algorithm is not being specified with a dot on either side, so if that's the problem, I don't know how to fix it. I have a single TSIG entry:
> > id | name            | algorithm   | secret
> > 1  | tsig.key.local. | hmac-sha512 | x
> Silly thing but the algorithm is actually a DNSName too, so it needs to be hmac-sha512. with a dot.

I see. That's a bit confusing and it is probably important to make clear that this does not mean one's configuration should be set to "hmac-sha512." - only that this is how it gets used internally and presented in the logs.

My problem turned out to be there also should not have been a trailing dot in the name field. Though now I am experiencing

Failed PreRequisites check, returning 6

Can anyone point me in the right direction? After the update processing is authenticated, only one query happens:

SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name=?

The server seems to be handling an add request - does it expect to find no rows returned from that query? If so, is there any configuration that ensures existing records are purged before adding the new one? Thank you for the response

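For the "Failed PreRequisites check, returning 6" question above, an added example (not from the thread and not PowerDNS code) of the prerequisite evaluation defined in RFC 2136 section 3.2, showing which prerequisite produces which RCODE. It assumes the number in the log line is the DNS RCODE; the zone contents, host names and addresses are constructed.

```python
# RCODE values used by the RFC 2136 prerequisite section.
NOERROR, FORMERR, NXDOMAIN = 0, 1, 3
YXDOMAIN, YXRRSET, NXRRSET, NOTZONE = 6, 7, 8, 10


def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()


def in_zone(name, origin):
    """True when name is the zone apex or sits below it."""
    return name == origin or name.endswith("." + origin)


def check_prerequisites(zone, origin, prereqs, zclass="IN"):
    """Evaluate an UPDATE's prerequisite section (RFC 2136, section 3.2).

    zone:    {owner name: {rrtype: set(rdata strings)}}, names normalised
    prereqs: list of (name, rrclass, rrtype, ttl, rdata); rdata "" = RDLENGTH 0
    Returns the RCODE the server answers with; 0 means the update may proceed.
    """
    origin = norm(origin)
    wanted = {}  # value-dependent RRsets, compared as whole sets after the loop
    for name, rrclass, rrtype, ttl, rdata in prereqs:
        name = norm(name)
        if ttl != 0:
            return FORMERR
        if not in_zone(name, origin):
            return NOTZONE
        rrsets = zone.get(name, {})
        if rrclass == "ANY":
            if rdata:
                return FORMERR
            if rrtype == "ANY":
                if not rrsets:
                    return NXDOMAIN   # "name is in use" failed
            elif rrtype not in rrsets:
                return NXRRSET        # "RRset exists" failed
        elif rrclass == "NONE":
            if rdata:
                return FORMERR
            if rrtype == "ANY":
                if rrsets:
                    return YXDOMAIN   # "name is not in use" failed: any row counts
            elif rrtype in rrsets:
                return YXRRSET        # "RRset does not exist" failed
        elif rrclass == zclass:
            wanted.setdefault((name, rrtype), set()).add(rdata)
        else:
            return FORMERR
    for (name, rrtype), rdatas in wanted.items():
        if zone.get(name, {}).get(rrtype) != rdatas:
            return NXRRSET            # "RRset exists with exactly this value" failed
    return NOERROR


# Constructed sample zone: an apex SOA and one host that already has an A record.
ZONE = {
    "local": {"SOA": {"ns.local. admin.local. 1 3600 600 86400 300"}},
    "host1.local": {"A": {"10.10.1.20"}},
}

if __name__ == "__main__":
    cases = {
        "name not in use, host1 exists": [("host1.local.", "NONE", "ANY", 0, "")],
        "name not in use, host2 is new": [("host2.local.", "NONE", "ANY", 0, "")],
        "A RRset must not exist, host1": [("host1.local.", "NONE", "A", 0, "")],
        "A RRset has this exact value": [("host1.local.", "IN", "A", 0, "10.10.1.20")],
        "A RRset has another value": [("host1.local.", "IN", "A", 0, "10.10.1.99")],
        "name outside the zone": [("host1.example.", "ANY", "ANY", 0, "")],
    }
    for label, prereqs in cases.items():
        print(f"{label}: rcode {check_prerequisites(ZONE, 'local.', prereqs)}")
```

RCODE 6 is YXDOMAIN, the result of a "name is not in use" prerequisite when any record already exists at that name, so a capture of the UPDATE packet shows whether the client sent that prerequisite.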