Re: [Pdns-users] Systemctl Daemon Problem After each pdns upgrade

2023-09-29 Thread Michael Loftis via Pdns-users
On Thu, Sep 28, 2023 at 14:30 IHI IHI via Pdns-users <
pdns-users@mailman.powerdns.com> wrote:

> Hello
> When upgrading to a new version (PowerDNS Recursor v4.7 --> 4.8 --> 4.9 --> 5),
> despite choosing to keep the current configuration file, the tuning
> parameters in
> pdns-recursor.service (/lib/systemd/system/pdns-recursor.service) will
> return to their default values!
> for example:
> # my Tuning
> LimitNOFILE=65536
> returns to the default value--->16384
>

The correct way to make these changes is with an override, not to the
service file itself.
Use systemctl edit or create the override yourself and daemon-reload.


> This problem causes the pdns-recursive daemon to be reconfigured and
> restarted again after each new version upgrade.
> Is this normal behavior or can it be fixed?
> Many Thanks for your efforts.
> Habibi
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>
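The drop-in approach Michael describes, as an added example that is not from his post: the override is written under /etc/systemd/system/pdns-recursor.service.d/, which a package upgrade does not touch, and the merged value is read back afterwards. The unit name and the LimitNOFILE value come from the question; the function names and the --apply flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the list post): keep the pdns-recursor LimitNOFILE
# tuning in a systemd drop-in instead of editing the vendor unit.
# A package upgrade replaces /lib/systemd/system/pdns-recursor.service, which is
# why the edited value reverted to 16384; /etc/systemd/system/<unit>.d/ is owned
# by the administrator, is left alone on upgrade, and is merged over the vendor file.
set -eu

UNIT="pdns-recursor.service"
NOFILE="${NOFILE:-65536}"   # the value from the original post

# write_override_dropin ROOT
#   Writes ROOT/etc/systemd/system/pdns-recursor.service.d/override.conf, the same
#   file "systemctl edit pdns-recursor" would open, and prints its path.
#   ROOT is "" for the real filesystem; a scratch directory gives a dry run.
write_override_dropin() {
    root="$1"
    dir="$root/etc/systemd/system/$UNIT.d"
    mkdir -p "$dir"
    # Only the tuned key lives here: every other setting still comes from the
    # vendor unit, so upstream fixes to the service keep applying after upgrades.
    cat > "$dir/override.conf" <<EOF
# Local tuning for $UNIT, kept outside the package-managed unit file.
[Service]
LimitNOFILE=$NOFILE
EOF
    printf '%s\n' "$dir/override.conf"
}

# dropin_limit FILE
#   Prints the LimitNOFILE value recorded in a drop-in file.
dropin_limit() {
    sed -n 's/^LimitNOFILE=//p' "$1"
}

# apply_override
#   Reloads unit definitions, restarts the recursor so the new limit takes effect,
#   and reads the merged value back: verify the change rather than assume it.
apply_override() {
    systemctl daemon-reload
    systemctl restart "$UNIT"
    systemctl show -p LimitNOFILE "$UNIT"   # expect LimitNOFILE=65536
    systemctl cat "$UNIT"                   # vendor unit followed by the drop-in
}

# Run as root with --apply to install the drop-in on the live system.
if [ "${1:-}" = "--apply" ]; then
    write_override_dropin ""
    apply_override
fi
```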


Re: [Pdns-users] DNSLink or IPFS Support in PowerDNS

2023-01-20 Thread Michael Loftis via Pdns-users
On Fri, Jan 20, 2023 at 12:28 Tom Barrett via Pdns-users <
pdns-users@mailman.powerdns.com> wrote:

> I would be interested in speaking with anyone who has experimented with
> customizing PowerDNS to support IPFS or the DNSLink TXT record type.
>

There’s not anything for PowerDNS to do here. They’re just TXT records in
DNS.

>
> Thanks
>
> Tom
>
> --
> Thomas Barrett
> President
> EnCirca, Inc
> +1.781.942.9975 (office)
> 400 W. Cummings Park, Suite 1725
> 
> Woburn, MA 01801 USA
> 
-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler


Re: [Pdns-users] Pdns master notify lag

2022-11-30 Thread Michael Loftis via Pdns-users
On Wed, Nov 30, 2022 at 10:47 lovi via Pdns-users <
pdns-users@mailman.powerdns.com> wrote:

> Hello,
>
> I've set up a pdns lab with 1 pdns/pgsql/master and a slave/named config.
>
> When I update a record, the pdns logs show that it takes about 40s before I
> see this message:
> 1 domain for which we are master needs notifications
> And the transfer starts and succeeds.
>
> If I update a record and do a pdns_control notify myzone with no wait, the
> named slave is notified and the transfer is done in no time.
>
> Am I missing something? Or should I send a notify after every update?
>

See
https://doc.powerdns.com/authoritative/settings.html#setting-xfr-cycle-interval
or the older slave-cycle-interval

That said, I wouldn't expect things to always work even at one minute,
because of caches; you really cannot rely on DNS updates being super quick.



> Thanks your help,


Re: [Pdns-users] Select default type for new zones

2022-11-28 Thread Michael Hallager via Pdns-users

On 2022-11-29 07:13, Andrea Biancalani via Pdns-users wrote:

Is there a way to select a default zone type for a server instead of
specifying it every time I enter a new zone in my master? I'd like to
pre-select type:master every time instead of being asked for the
native/master/slave options (with native pre-selected).


Are you using a DB backend? You could set a default value for the field.


Re: [Pdns-users] What are the differences between PowerDNS Authoritative Server and Recursor?

2022-11-25 Thread Michael Hallager (personal) via Pdns-users

On 2022-11-26 02:01, Raghvendra Choudhary via Pdns-users wrote:

Hi Team,

I followed this article. Now I can see the powerAdmin UI and am also
able to add the domain. Can anyone help me with how I can install
the recursive server in this container? Because this is an
authoritative DNS server.

This is the article link:
https://computingforgeeks.com/running-powerdns-and-powerdns-admin-in-docker-containers/


I second the below response from Jan-Piet:

On 2022-11-26 05:46, Jan-Piet Mens via Pdns-users wrote:
You aren't reading what you're repeatedly being told; this list cannot offer
the level of knowledge you require.


This mailing list, like all the other industry ones, is a place for 
people with some background experience to come and ask a specific and 
clearly stated question.


The context and terms of this list are clearly stated here - where you 
joined:

https://www.powerdns.com/mailing-lists.html

Michael


Re: [Pdns-users] What are the differences between PowerDNS Authoritative Server and Recursor?

2022-11-22 Thread Michael Hallager (personal) via Pdns-users

On 2022-11-23 01:18, Raghvendra Choudhary wrote:

I am aware of basic networking.

But I am not aware of the PowerDNS tool.

So I want to explore this tool. Can anyone help me with how to use this
tool after installing both the server and the admin UI?

I added the domain and the record through the admin UI.


It has been repeatedly explained that your needs are outside of what this 
list can offer you.


I recommend you unsubscribe here:
https://mailman.powerdns.com/mailman/listinfo/pdns-users

and find something more appropriate like a Udemy course or Youtube.


Re: [Pdns-users] What are the differences between PowerDNS Authoritative Server and Recursor?

2022-11-22 Thread Michael Hallager (personal) via Pdns-users

On 2022-11-23 00:46, Raghvendra Choudhary wrote:

Hi Team,

I installed the PowerDNS server and PowerDNS admin in a container and it
works fine. I also added the domain through the UI.

Now I want to know how to resolve the DNS entries that are present in the
backend of PowerDNS.


This makes no sense. You sure you even want a DNS server? That's not a 
question I need an answer to btw.


Also, we are not your "team". Many of us are industry professionals who 
help each other out but we should not be treated like your fellow 
employees or friends. Unless you want to cross our palms with silver, 
however, the fact you are here indicates the answer is not.


Please consider your posts within the context and scope of this list. It 
is assumed anyone present here already has a good working knowledge of 
DNS fundamentals, networking and Linux.



Re: [Pdns-users] What are the differences between PowerDNS Authoritative Server and Recursor?

2022-11-18 Thread Michael Hallager via Pdns-users
On 2022-11-19 02:55, Turritopsis Dohrnii Teo En Ming via Pdns-users 
wrote:

Subject: What are the differences between PowerDNS Authoritative
Server and Recursor?

Good day from Singapore,
May I know what are the differences between PowerDNS Authoritative
Server and Recursor?


On 2022-11-19 03:04, Raghvendra Choudhary via Pdns-users wrote:

I have the same question

 Raghvendra Choudhary
 DevOps Engineer | www.digivalet.com [1]


An authoritative server holds the DNS records for a given domain, and a 
recursor (aka caching) server requests these on behalf of a client 
host. Have you ever registered a domain name? You were likely asked to 
specify the authoritative servers during the process.


I second what Jan-Piet said. At this point the both of you are asking 
questions which fall within basic networking. In general the questions 
are OK, but they are not where this mailing list is at. If this subject 
interests you, you should strongly consider getting a job working in a 
team with others who can mentor you.


The days of being able to "fake it till you make it" are long gone. In 
the 1990s there was more of a hacker culture on the internet, but these 
days clients and employers expect competency. This does not mean we all 
have to know everything (none of us do), but having the fundamentals in 
place is a prerequisite.


Michael


Re: [Pdns-users] Configure Powerdns and check if the domain which is not present in Powerdns is tranferring the traffic to 8.8.8.8 .

2022-11-18 Thread Michael Hallager via Pdns-users

On 2022-11-18 23:11, Raghvendra Choudhary wrote:

Can you please help me out with the steps? As I checked the articles, I
found the steps to install the recursive server, but it was totally
independent.


PDNS Authoritative and Recursor are 2 separate pieces of software.


Re: [Pdns-users] Configure Powerdns and check if the domain which is not present in Powerdns is tranferring the traffic to 8.8.8.8 .

2022-11-18 Thread Michael Hallager via Pdns-users

On 2022-11-18 23:05, Raghvendra Choudhary wrote:

Hi, thanks for your valuable response.

Can we install the authoritative server and the recursive server both on the
same machine?


Yes you can, though you will need to bind them to different IP addresses 
with the 'local-address' option.



Re: [Pdns-users] Configure Powerdns and check if the domain which is not present in Powerdns is tranferring the traffic to 8.8.8.8 .

2022-11-18 Thread Michael Hallager via Pdns-users
I will give you a sample SOA answer section because this can be 
confusing for folks who are not familiar with PowerDNS. But I am not 
going to cover every possible situation for free on a mailing list. If 
you are using PowerDNS you need to understand DNS or hire someone who 
does.


ns1.domain.tld dns.domain.tld 2020122701 10800 3600 604800 3600

The fields in order are:
Primary name server
Hostmaster email
Serial number

The following numbers you can leave as is:
SOA refresh 10800
TTL 3600
SOA expire 604800
SOA minimum TTL 3600

On 2022-11-18 22:42, Raghvendra Choudhary wrote:

Share me some sample entries which are inserted into the databases, so it
will be easy for me. I want to copy all the domain entries which are present
in my hosts file.

 Raghvendra Choudhary
 DevOps Engineer | www.digivalet.com [3]

 T:  +91.731.6667891

 M: +91.96307.90947

 E:  raghvendra.choudh...@digivalet.com

On Fri, Nov 18, 2022 at 3:07 PM Michael Hallager via Pdns-users
 wrote:


Add your domain into table 'domains' with type MASTER or SLAVE as
appropriate. In the instance of SLAVE you will also need to specify
a
master IP address.

Then add records with the relevant 'domain_id' into table 'records'.

Every domain will require a minimum of SOA and 2x NS records.

On 2022-11-18 22:29, Raghvendra Choudhary wrote:

How to enter the host entry in the backend of PowerDNS? As I am using
mariadb as a backend.


On Thu, Nov 17, 2022 at 2:38 PM Raghvendra Choudhary
 wrote:


Thanks for the help.


On Thu, Nov 17, 2022 at 1:36 PM Michael Hallager
 wrote:


Your signature states your role as "DevOps Engineer".

Based on this, I can not fathom why you are asking what PowerDNS can be
used for. I suggest reading the website at https://www.powerdns.com

If you are not even aware of the basic use cases for PDNS Auth and PDNS
Resolver, then it's the wrong product for you.

On 2022-11-17 21:01, Raghvendra Choudhary wrote:

Hi Michael,

Can you let me know the uses of PowerDNS? Why is PowerDNS used? Can
we achieve whatever I said in the mail trail?




Links:
--
[1] http://www.digivalet.com
[2] https://digivalet.com


--
Net Trust Ltd
Internet Servers and Network Systems Administration
p: (06) 374 0880 | (09) 839 1000
m: 021 963 878
e: mich...@nettrust.nz
w: nettrust.nz [2]



Links:
--
[1] http://www.digivalet.com
[2] http://nettrust.nz
[3] https://digivalet.com




Re: [Pdns-users] Configure Powerdns and check if the domain which is not present in Powerdns is tranferring the traffic to 8.8.8.8 .

2022-11-18 Thread Michael Hallager via Pdns-users
Add your domain into table 'domains' with type MASTER or SLAVE as 
appropriate. In the instance of SLAVE you will also need to specify a 
master IP address.


Then add records with the relevant 'domain_id' into table 'records'.

Every domain will require a minimum of SOA and 2x NS records.


On 2022-11-18 22:29, Raghvendra Choudhary wrote:

How to enter the host entry in the backend of PowerDNS? As I am using
mariadb as a backend.


On Thu, Nov 17, 2022 at 2:38 PM Raghvendra Choudhary
 wrote:


Thanks for the help.


On Thu, Nov 17, 2022 at 1:36 PM Michael Hallager
 wrote:


Your signature states your role as "DevOps Engineer".

Based on this, I can not fathom why you are asking what PowerDNS can be
used for. I suggest reading the website at https://www.powerdns.com

If you are not even aware of the basic use cases for PDNS Auth and PDNS
Resolver, then it's the wrong product for you.

On 2022-11-17 21:01, Raghvendra Choudhary wrote:

Hi Michael,

Can you let me know the uses of PowerDNS? Why is PowerDNS used? Can
we achieve whatever I said in the mail trail?




Links:
--
[1] http://www.digivalet.com
[2] https://digivalet.com


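One added example, not from the list, covering both the SOA field breakdown given earlier on this page (the ns1.domain.tld ... 2020122701 ... sample) and this message's advice to add the domain to 'domains' and then records carrying its domain_id to 'records': a POSIX shell helper that validates the SOA content string and emits the minimal SOA + 2x NS inserts for a MariaDB/MySQL gmysql backend. The column names (domains.name/type, records.domain_id/name/type/content/ttl) are assumed from the generic MySQL backend schema, the zone and host names are constructed, and the MASTER/NATIVE restriction and the name check are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the list): validate a PowerDNS SOA content string and
# emit the minimal zone (SOA + 2x NS) as SQL for a MariaDB/MySQL gmysql backend.
# Column names follow the generic MySQL schema: domains(name, type) and
# records(domain_id, name, type, content, ttl). Zone and host names are constructed.
set -eu

# check_name NAME
#   Accepts only hostname characters, with no leading, trailing or double dots.
#   Names are interpolated into SQL below, so anything outside this set is
#   rejected instead of being quoted and hoped for.
check_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*|*.|*..*) echo "bad DNS name: '$1'" >&2; return 1;;
    esac
}

# check_soa_content "primary hostmaster serial refresh retry expire minimum"
#   The seven fields PowerDNS stores in records.content for an SOA, as in the
#   sample above. The hostmaster is a DNS name (dns.domain.tld), not an e-mail
#   address; the five numbers are unsigned and the serial must fit in 32 bits.
#   On success prints the content with whitespace normalised to single spaces.
check_soa_content() {
    # shellcheck disable=SC2086  (splitting on whitespace is the point)
    set -- $1
    [ "$#" -eq 7 ] || { echo "SOA content needs 7 fields, got $#" >&2; return 1; }
    case "$2" in *@*) echo "hostmaster must be a DNS name, not an e-mail address" >&2; return 1;; esac
    check_name "$1" && check_name "$2" || return 1
    for n in "$3" "$4" "$5" "$6" "$7"; do
        case "$n" in ''|*[!0-9]*) echo "non-numeric SOA field: '$n'" >&2; return 1;; esac
    done
    # 2020122701 (YYYYMMDDnn) fits; anything above 4294967295 wraps on the wire.
    [ "${#3}" -le 10 ] && [ "$3" -le 4294967295 ] || { echo "serial $3 exceeds 32 bits" >&2; return 1; }
    printf '%s\n' "$*"
}

# zone_sql ZONE TYPE SOA_CONTENT NS1 NS2 [TTL]
#   Prints the INSERTs. LAST_INSERT_ID() ties the records to the domains row
#   just created, so domain_id never has to be looked up by hand. SLAVE zones
#   are refused here because they also need domains.master filled in.
zone_sql() {
    zone=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # PowerDNS expects lowercase names
    ztype="$2" ns1="$4" ns2="$5" ttl="${6:-3600}"
    check_name "$zone" && check_name "$ns1" && check_name "$ns2" || return 1
    soa=$(check_soa_content "$3") || return 1
    case "$ztype" in
        MASTER|NATIVE) ;;
        *) echo "type must be MASTER or NATIVE here" >&2; return 1;;
    esac
    case "$ttl" in ''|*[!0-9]*) echo "bad TTL: '$ttl'" >&2; return 1;; esac
    cat <<EOF
INSERT INTO domains (name, type) VALUES ('$zone', '$ztype');
SET @d = LAST_INSERT_ID();
INSERT INTO records (domain_id, name, type, content, ttl) VALUES (@d, '$zone', 'SOA', '$soa', $ttl);
INSERT INTO records (domain_id, name, type, content, ttl) VALUES (@d, '$zone', 'NS', '$ns1', $ttl);
INSERT INTO records (domain_id, name, type, content, ttl) VALUES (@d, '$zone', 'NS', '$ns2', $ttl);
EOF
}

# Usage: pipe the output into the pdns database, e.g.
#   zone_sql example.test MASTER \
#     "ns1.example.test hostmaster.example.test 2020122701 10800 3600 604800 3600" \
#     ns1.example.test ns2.example.test | mysql pdns
```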


Re: [Pdns-users] SNAT and notify messages

2022-11-17 Thread Michael Hallager via Pdns-users

Are you using double NAT? If so, then it's likely to double your issues.

I recommend you fix your underlying issues now by getting all your 
servers onto the same net block or net blocks which can route between 
each other without NAT.


On 2022-11-18 11:37, ch via Pdns-users wrote:

Hi PDNS users, I need your advice:  (Note: there's a TL;DR: section at
the bottom)

We've set up three nameservers (ns1, ns2 and ns3) with two ip
addresses each: an internal 10.x.x.x and an external public ip.

Each server runs dnsdist, pdns_recursor, and two copies of
pdns_server, like this:

dnsdist -> pdns_recursor -> pdns_server [internal]
   \
    -> pdns_server [external]

* Dnsdist is listening on 127.0.0.1, 10.x.x.x, and the external
public ip, all on port 53.
* pdns_recursor is listening on 127.0.0.2
* pdns_server (internal) is listening on 127.0.0.3
* pdns_server (external) is listening on 127.0.0.4
* systemd_resolved is listening on 127.0.0.53 to satisfy local dns
requests (Ubuntu 20.04 default configuration, with 127.0.0.2 as its
resolver)

Requests come in to dnsdist, and based on their source address they're
forwarded to 127.0.0.2 (internal) or 127.0.0.4 (external).
Pdns_recursor forwards requests to 127.0.0.3 (pdns_server internal)
for zones listed in the forward zones file and recursively answers the
rest.

So far, so good; requests come in, replies go out, and external
clients can't abuse our recursor or see our internal dns entries,
yayyy!

=

Here's where things start go off the rails:

Our internal network grew "organically", and for reasons lost in the
mists of time, we've got NAT gateways in our network, one of which is
between ns3 and the other two name servers.

* When a zone is updated on ns1, it sends a notify to ns3, but the
source ip is changed by the NAT gateway.
* The notify-acknowledgement is sent back through the NAT gateway
and ns1 gets it, since the gateway expected the response.
* Ns3 then sends an SOA request to the NAT gateway (as that's where
the notify came from), but it's lost because it's not related to the
previous conversation.
* Pdns_recursor seems to eat Notify and AXFR messages, so we've told
Dnsdist to direct those to 127.0.0.3

We've temporarily worked around the problem by adding an iptables rule
to ns3 that says 'redirect packets sent to "port 53 on the gateway" to
ns1', and it works.

==

Things are now going further off the rails here:

* Now we've added a bunch of independent sub-zones on small name
servers in different parts of our company, and they're going to be
using ns1, ns2 and ns3 as their secondary servers, whichever is
closest.
* Notifies are going to be flying all over, and packets from some of
them will be going through the same NAT gateway that ns1 uses to get
to ns3.
* Because of that, the iptables rule is going to mess things up, as
it assumes outgoing DNS requests to the NAT gateway should really go
to ns1's internal address.

Is there a way to get the SOA request from ns3 to go to the right
place using pdns or dnsdist?

==

Now we're so far off the rails, we're in the middle of a cornfield:

* The internal and external pdns servers have different zone files
(internal/external ip addresses, some hosts not listed in the external
zones).
* We're using the internal ips on ns1,2,3 for transferring internal
zones, and the external ips for external ones.
* We're attempting to use NetmaskGroupRule [1] with src=false to
have dnsdist direct requests internally/externally based on that.
* The independent sub-zone name servers will be notifying the
ns1,2,3 on both internal and external ips, and the NAT is going to
mess up the source ips, iptables can't handle this.

Can we use DoH/DoT to establish a TCP connection for the NOTIFY and
reuse it for the SOA and AXFR?  The NAT respects open TCP connections
much more than UDP conversations.

Should we manually add entries to the zone metadata to specify where
zones are really hosted?  I really wanted to use the auto-secondary
feature, but sometimes we can't have nice things.  :-/

Oh god, please don't tell me I have to set up a VPN between all the
name servers :-(

Anyhow, I'd love to hear someone write a happy ending to this story.

==

TL;DR: How do you get notifies + zone transfers to work when the
source ip addresses of NOTIFY packets are unreliable?

Thanks!

--
CH (ch-and-pdns-us...@ch.pkts.ca)

Links:
--
[1] https://dnsdist.org/rules-actions.html#NetmaskGroupRule


Re: [Pdns-users] Configure Powerdns and check if the domain which is not present in Powerdns is tranferring the traffic to 8.8.8.8 .

2022-11-17 Thread Michael Hallager via Pdns-users

Your signature states your role as "DevOps Engineer".

Based on this, I can not fathom why you are asking what PowerDNS can be 
used for. I suggest reading the website at https://www.powerdns.com


If you are not even aware of the basic use cases for PDNS Auth and PDNS 
Resolver, then its the wrong product for you.


On 2022-11-17 21:01, Raghvendra Choudhary wrote:

Hi Michael,

Can you let me know the uses of PowerDNS? Why is PowerDNS used? Can
we achieve whatever I said in the mail trail?



Re: [Pdns-users] Configure Powerdns and check if the domain which is not present in Powerdns is tranferring the traffic to 8.8.8.8 .

2022-11-16 Thread Michael Hallager via Pdns-users
By default Linux will use the hosts file first and then the DNS servers listed 
in /etc/resolv.conf (if the specific application uses glibc functions 
for name resolution), but dig is a DNS-specific command.


So maybe you want to use the ping command?

At this time your question sounds more like a Linux user question rather 
than a PowerDNS one. If you are an end user host it's unlikely you will 
need PowerDNS for anything.


On 2022-11-17 20:46, Raghvendra Choudhary wrote:

My requirement is: when I dig any DNS name, first it goes to the hosts file,
in which all the host entries are; in Linux the hosts file path is /etc/hosts.
First check the host entry; if the name is found in the hosts file, it resolves. If
the name is not found in the hosts entries, it redirects to Google;
the DNS of Google is 8.8.8.8. So this is my requirement. I hope
this is much clearer.



Re: [Pdns-users] Configure Powerdns and check if the domain which is not present in Powerdns is tranferring the traffic to 8.8.8.8 .

2022-11-16 Thread Michael Hallager via Pdns-users
Your request is very vague. When posting to a free forum like a mailing 
list you are far more likely to get a useful response by giving tangible 
information on what you are doing, what you wish to achieve and what you 
have done so far to diagnose the issue.


On 2022-11-17 18:54, Raghvendra Choudhary via Pdns-users wrote:

Hi Team,

I already installed the PowerDNS admin on my local machine. My
requirement is to configure PowerDNS and check if a domain which is
not present in PowerDNS is transferring the traffic to 8.8.8.8.

I am unable to find a resolution and I am not aware about how to use
the powerDNS.

Please advise and do the needful.

Waiting for your reply.




Links:
--
[1] https://digivalet.com


Re: [Pdns-users] DNS-over-TLS option

2022-11-14 Thread Michael Hallager via Pdns-users

On 2022-11-14 19:29, Otto Moerbeek wrote:

The upgrade guide has pointers, but in this case there's also a blog 
post:


https://blog.powerdns.com/2022/06/13/probing-dot-support-of-authoritative-servers-just-try-it/

More details in:

https://docs.powerdns.com/recursor/settings.html#max-busy-dot-probes
https://docs.powerdns.com/recursor/settings.html#dot-to-port-853
https://docs.powerdns.com/recursor/settings.html#dot-to-auth-names


Thanks for this, Otto.

It also needs an authoritative server which supports TLS. I see an 
option for this at compile time for PowerDNS but no obvious mention in 
the documents.


Michael


[Pdns-users] DNS-over-TLS option

2022-11-13 Thread Michael Hallager via Pdns-users


Hi all,

I am seeing the following option during compilation of PowerDNS 
Recursor, however, can't find any documentation on its configuration.


configure: Features enabled
configure: 
configure: Lua: luajit
configure: OpenSSL ECDSA: yes
configure: ed25519: yes
configure: ed448: yes
configure: Protobuf: yes
configure: SNMP: yes
configure: systemd: no
configure: nod: yes
configure: dnstap: no
configure: DNS over TLS: yes
configure: OpenSSL: yes
configure: libcurl: yes
configure: Context library: Boost Context
configure:

Can someone point me in the right direction, please?

Kind regards,

Michael Hallager


[Pdns-users] [LdapBackend] avoid writing PdnsDomainNotifiedSerial

2022-01-21 Thread Michael Ströder via Pdns-users

HI!

I have a very tiny and simple setup of PowerDNS Authoritative server(s) 
4.5.3 with LDAP backend using native OpenLDAP replication. Each pdns 
instance asks a single local LDAP server (via ldapi://). No need for 
AXFR or IXFR or anything similarly fancy in this setup. Also no LDAP 
fail-over to multiple replicas.


pdns tries to write attribute PdnsDomainNotifiedSerial even though it is 
IMHO not needed in my setup. It fails because the LDAP server is 
deliberately configured to not allow write access from the pdns service. 
Also a pure read-only consumer replica does not accept write operations.


Which configuration setting can I tweak to suppress writing 
PdnsDomainNotifiedSerial?


Many thanks in advance.

Ciao, Michael.


[Pdns-users] BIND-mode vs. Hybrid BIND-mode

2021-12-02 Thread Fox, Michael E. via Pdns-users
Howdy,

I'd like to use BIND zone files and DNSSEC.

I'm reading:  
https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#bind-mode-operation

I don't understand the difference between BIND-mode and Hybrid BIND-mode.
BIND-mode says the zone records are stored in BIND files and an sqlite3 
database is required for the keys and other DNSSEC related data.
Hybrid BIND-mode says the zone records and keying material are stored in 
different backends.  Isn't that the same thing?
If there's a distinction here, I don't know what it is.
Can someone explain?

Thanks much!

Michael E Fox



Re: [Pdns-users] How to configure TSIG with BIND backend

2021-11-18 Thread Fox, Michael E. via Pdns-users
Thanks Frank,

You’re trying to troubleshoot my config.  That is *NOT* what I’m asking.  BTW, 
there’s nothing secret in my config.  But:

  1.  It is in a lab and not accessible from outside (mostly because I don’t 
know how to secure it yet, but also because it has no useful purpose outside 
the lab so we keep the threat surface as small as possible)
  2.  It is irrelevant to the question.

Again, my question is simple:  what is the proper syntax for enabling TSIG 
using BIND backend on master and slave?

Once I know what I’m *supposed* to do, then if I try it and it fails, that’s 
the time to figure out what’s wrong.  Right now, I don’t even know the proper 
way to set it up.


Michael E Fox
Sr. Assoc. Director, ITEC
Texas A&M University
979-862-4036 (Office)
michael@tamu.edu
https://itec.tamu.edu

Join us for Interoperability Institute ’22:  May 2-6, 2022
https://itec.tamu.edu/interop22/

From: frank+p...@tembo.be 
Sent: Wednesday, November 17, 2021 2:56 AM
To: Fox, Michael E. 
Cc: pdns-users-ml 
Subject: Re: [Pdns-users] How to configure TSIG with BIND backend

Hi Michael,

First up: tsig, DNSSEC etc way easier with a "database" backend (even a 
lightweight one) so you might want to reconsider your backend choice.

The reason I am asking for the pdns.conf is twofold:

First up, there's this message:

> Unable to AXFR zone ‘zonename' from remote 11.11.11.11' (resolver): AXFR 
> chunk error: Server Not Authoritative for zone / Not Authorized (This was the 
> first time. Excluding zone from slave-checks until 1636827466)

Which might be caused by a more fundamental issue in the config.

Secondly, as mentioned in the docs, TSIG usually requires dnssec infrastructure 
in the backend. Your pdns.conf might indicate incorrect setups there.

I completely understand you're not willing to communicate your configuration, 
or that that information can only be shared after signing an NDA. And I am 
perfectly fine to sign one and look at your very specific problem in the scope 
of a consulting engagement, I am sure others on this list can provide you that 
same service. However, this pdns-users-ml mailinglist won't give you much 
answers if we don't have access to full config.

Kind Regards,

Frank

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be






On 16 Nov 2021, at 21:20, Fox, Michael E. <michael@tamu.edu> wrote:

Frank,

Again, I’m not asking what is wrong with my config.
I’m asking for the proper syntax to configure TSIG between two PowerDNS systems 
(master/primary and slave/secondary), both with a BIND backend.

The existing documentation page seems to apply only (or mostly) to DB backends:
https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr
From what I can tell, the ‘pdnsutil’ commands are acting on the database.
And the example BIND config on that page only shows the slave side of the 
config (and it says it’s a slave to itself [master=127.0.0.1]).

An example config snippet, using example IPs and domain name, is what I’m 
looking for.
Specifically, what should go in named.conf and pdns.conf for the master and the 
slave?

Can someone help with that?

Thanks much.


From: frank+p...@tembo.be <frank+p...@tembo.be>
Sent: Monday, November 15, 2021 8:25 AM
To: Fox, Michael E. <michael@tamu.edu>
Cc: pdns-users-ml <pdns-users@mailman.powerdns.com>
Subject: Re: [Pdns-users] How to configure TSIG with BIND backend

Hi Michael,

Your pdns.conf files seem to be missing and could be very relevant.

Frank







On 15 Nov 2021, at 14:39, Fox, Michael E. <michael@tamu.edu> wrote:

You want me to post the TSIG keys?

Also, the DNS servers thems

Re: [Pdns-users] How to configure TSIG with BIND backend

2021-11-17 Thread Fox, Michael E. via Pdns-users
Frank,

Again, I’m not asking what is wrong with my config.
I’m asking for the proper syntax to configure TSIG between two PowerDNS systems 
(master/primary and slave/secondary), both with a BIND backend.

The existing documentation page seems to apply only (or mostly) to DB backends:
https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr
From what I can tell, the ‘pdnsutil’ commands are acting on the database.
And the example BIND config on that page only shows the slave side of the 
config (and it says it’s a slave to itself [master=127.0.0.1]).

An example config snippet, using example IPs and domain name, is what I’m 
looking for.
Specifically, what should go in named.conf and pdns.conf for the master and the 
slave?

Can someone help with that?

Thanks much.

Michael E Fox
Sr. Assoc. Director, ITEC
Texas A&M University
979-862-4036 (Office)
michael@tamu.edu
https://itec.tamu.edu

Join us for Interoperability Institute ’22:  May 2-6, 2022
https://itec.tamu.edu/interop22/

From: frank+p...@tembo.be 
Sent: Monday, November 15, 2021 8:25 AM
To: Fox, Michael E. 
Cc: pdns-users-ml 
Subject: Re: [Pdns-users] How to configure TSIG with BIND backend

Hi Michael,

Your pdns.conf files seem to be missing and could be very relevant.

Frank






On 15 Nov 2021, at 14:39, Fox, Michael E. wrote:

You want me to post the TSIG keys?

Also, the DNS servers themselves are in a lab, behind a firewall.  But I don’t 
see the relevance of specific domain names to my question.

Let me just ask the question a different way:  What is the proper syntax for 
configuring TSIG when using the BIND backend?

Michael

From: frank+p...@tembo.be
Sent: Monday, November 15, 2021 5:27 AM
To: Fox, Michael E.
Cc: pdns-users-ml
Subject: Re: [Pdns-users] How to configure TSIG with BIND backend

Hi Michael,

Can you provide full (unedited) config files please?

A lot of info is missing to be able to help you fix this problem. Please see 
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ 
for more information.

Frank





On 13 Nov 2021, at 20:00, Fox, Michael E. via Pdns-users wrote:

Howdy,

I’m new to PowerDNS.  I’m using the authoritative server with the BIND backend 
for some testing.  (Don’t need power or complexity of a DB backend).

Fake IPs:
  11.11.11.11 master
  22.22.22.22 slave

I’ve got a master and slave configured with three zones and doing zone 
transfers.  Initially, I didn’t have TSIGs and have the following configured in 
pdns.conf on the master:

allow-axfr-ips=127.0.0.0/8,::1,22.22.22.22

Now I’d like to configure TSIG.  But the instructions here seem to be related 
to DB backends:
https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr

I’d like to stick to the BIND backend.  But I get errors when trying the same 
type of configuration options in named.conf that work in regular BIND.

Here’s what I did:

On the master:

key “keyname” {
algorithm hmac-sha256;
secret “…”;
};

zone “zonename” {
file …;
type master;
allow-transfer { 22.22.22.22 key “keyname”; };
};

On the slave:

key “keyname” {
algorithm hmac-sha256;
secret “…”;
};

zone “zonename” {
file …;
type slave;
masters { 11.11.11.11 key “keyname”; };   <-- I get a syntax error on this, 
even though it works in regular BIND.
};

So, I changed the slave to:

server 11.11.11.11 {
keys { “keyname”; };
};

zone “zonename” {
file …;
type slave;
masters { 11.11.11.11 };  <-- no more syntax error.
};

And, in pdns.conf, I set “allow-axfr-ips” back to the default:

allow-axfr-ips=127.0.0.0/8,::1

But when I restart the slave, I get the following error:

Unable to AXFR zone ‘zonename' from remote 11.11.11.11' (resolver

Re: [Pdns-users] How to configure TSIG with BIND backend

2021-11-15 Thread Fox, Michael E. via Pdns-users
You want me to post the TSIG keys?

Also, the DNS servers themselves are in a lab, behind a firewall.  But I don’t 
see the relevance of specific domain names to my question.

Let me just ask the question a different way:  What is the proper syntax for 
configuring TSIG when using the BIND backend?

Michael

From: frank+p...@tembo.be 
Sent: Monday, November 15, 2021 5:27 AM
To: Fox, Michael E. 
Cc: pdns-users-ml 
Subject: Re: [Pdns-users] How to configure TSIG with BIND backend

Hi Michael,

Can you provide full (unedited) config files please?

A lot of info is missing to be able to help you fix this problem. Please see 
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ 
for more information.

Frank




On 13 Nov 2021, at 20:00, Fox, Michael E. via Pdns-users wrote:

Howdy,

I’m new to PowerDNS.  I’m using the authoritative server with the BIND backend 
for some testing.  (Don’t need power or complexity of a DB backend).

Fake IPs:
  11.11.11.11 master
  22.22.22.22 slave

I’ve got a master and slave configured with three zones and doing zone 
transfers.  Initially, I didn’t have TSIGs and have the following configured in 
pdns.conf on the master:

allow-axfr-ips=127.0.0.0/8,::1,22.22.22.22

Now I’d like to configure TSIG.  But the instructions here seem to be related 
to DB backends:
https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr

I’d like to stick to the BIND backend.  But I get errors when trying the same 
type of configuration options in named.conf that work in regular BIND.

Here’s what I did:

On the master:

key “keyname” {
algorithm hmac-sha256;
secret “…”;
};

zone “zonename” {
file …;
type master;
allow-transfer { 22.22.22.22 key “keyname”; };
};

On the slave:

key “keyname” {
algorithm hmac-sha256;
secret “…”;
};

zone “zonename” {
file …;
type slave;
masters { 11.11.11.11 key “keyname”; };   <-- I get a syntax error on this, 
even though it works in regular BIND.
};

So, I changed the slave to:

server 11.11.11.11 {
keys { “keyname”; };
};

zone “zonename” {
file …;
type slave;
masters { 11.11.11.11 };  <-- no more syntax error.
};

And, in pdns.conf, I set “allow-axfr-ips” back to the default:

allow-axfr-ips=127.0.0.0/8,::1

But when I restart the slave, I get the following error:

Unable to AXFR zone ‘zonename' from remote 11.11.11.11' (resolver): AXFR chunk 
error: Server Not Authoritative for zone / Not Authorized (This was the first 
time. Excluding zone from slave-checks until 1636827466)

Any help would be greatly appreciated!

Michael

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be



___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


[Pdns-users] How to configure TSIG with BIND backend

2021-11-13 Thread Fox, Michael E. via Pdns-users
Howdy,

I'm new to PowerDNS.  I'm using the authoritative server with the BIND backend 
for some testing.  (Don't need power or complexity of a DB backend).

Fake IPs:
  11.11.11.11 master
  22.22.22.22 slave

I've got a master and slave configured with three zones and doing zone 
transfers.  Initially, I didn't have TSIGs and have the following configured in 
pdns.conf on the master:

allow-axfr-ips=127.0.0.0/8,::1,22.22.22.22

Now I'd like to configure TSIG.  But the instructions here seem to be related 
to DB backends:
https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr

I'd like to stick to the BIND backend.  But I get errors when trying the same 
type of configuration options in named.conf that work in regular BIND.

Here's what I did:

On the master:

key "keyname" {
algorithm hmac-sha256;
secret "...";
};

zone "zonename" {
file ...;
type master;
allow-transfer { 22.22.22.22 key "keyname"; };
};

On the slave:

key "keyname" {
algorithm hmac-sha256;
secret "...";
};

zone "zonename" {
file ...;
type slave;
masters { 11.11.11.11 key "keyname"; };   <-- I get a syntax error on this, 
even though it works in regular BIND.
};

So, I changed the slave to:

server 11.11.11.11 {
keys { "keyname"; };
};

zone "zonename" {
file ...;
type slave;
masters { 11.11.11.11 };  <-- no more syntax error.
};

And, in pdns.conf, I set "allow-axfr-ips" back to the default:

allow-axfr-ips=127.0.0.0/8,::1

But when I restart the slave, I get the following error:

Unable to AXFR zone 'zonename' from remote 11.11.11.11' (resolver): AXFR chunk 
error: Server Not Authoritative for zone / Not Authorized (This was the first 
time. Excluding zone from slave-checks until 1636827466)

Any help would be greatly appreciated!

Michael

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
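What the "Not Authorized" in that error means on the wire, and what a correctly signed AXFR request looks like, as an added example (not code from this thread or from PowerDNS): the block below builds an AXFR query, signs it with TSIG as specified in RFC 8945, and verifies it the way a primary would, answering RCODE 9 (NOTAUTH, which the resolver prints as both "Server Not Authoritative for zone" and "Not Authorized") together with the BADKEY, BADSIG or BADTIME TSIG error. Zone, key name, secret and timestamps are made up; keyring entries are assumed to be lowercase FQDNs with a trailing dot.

```python
"""TSIG (RFC 8945) request signing and server-side verification, standard library only.
Added example; zone, key name, secret and timestamps are constructed."""
import hashlib
import hmac
import struct
import time

TYPE_AXFR, TYPE_TSIG, CLASS_IN, CLASS_ANY = 252, 250, 1, 255
RCODE_NOTAUTH = 9                      # rcode 9: "Not Authoritative" / "Not Authorized"
BADSIG, BADKEY, BADTIME = 16, 17, 18   # values of the TSIG error field
ALGORITHMS = {"hmac-sha256.": hashlib.sha256, "hmac-sha512.": hashlib.sha512}


def encode_name(name):
    """Presentation name -> uncompressed, lowercased (canonical) wire-format labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Read an uncompressed wire name at buf[off]; return (name with trailing dot, next offset)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_axfr_request(zone, qid=0x1234):
    """Minimal AXFR query: header (QDCOUNT=1), one question, nothing else."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def tsig_variables(keyname, alg, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' appended to the message before HMACing (RFC 8945 section 4.3.3)."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(alg)
            + struct.pack("!Q", time_signed)[2:]            # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, keyname, secret, alg="hmac-sha256.", time_signed=None, fudge=300):
    """Return msg with a TSIG RR appended to the additional section (a request has no prior MAC)."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = hmac.new(secret, msg + tsig_variables(keyname, alg, time_signed, fudge), ALGORITHMS[alg]).digest()
    qid, arcount = struct.unpack("!H", msg[:2])[0], struct.unpack("!H", msg[10:12])[0]
    rdata = (encode_name(alg) + struct.pack("!Q", time_signed)[2:] + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", qid, 0, 0))   # original ID, error, other len
    rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", arcount + 1) + msg[12:] + rr


def tsig_verify(signed, keyring, now=None):
    """Server side. Returns (rcode, tsig_error): (0, 0) on success, (9, BADKEY|BADSIG|BADTIME) otherwise."""
    if now is None:
        now = int(time.time())
    _qid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    off = 12
    for _ in range(qd):                        # skip the question section
        _name, off = decode_name(signed, off)
        off += 4
    for _ in range(an + ns + ar - 1):          # skip every RR before the TSIG RR (which must be last)
        _name, off = decode_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    keyname, off = decode_name(signed, off)
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rtype != TYPE_TSIG:
        return RCODE_NOTAUTH, BADKEY
    alg, off = decode_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, macsize = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + macsize]
    secret = keyring.get(keyname)
    if secret is None or alg not in ALGORITHMS:
        return RCODE_NOTAUTH, BADKEY           # key name or algorithm unknown to this server
    # The MAC covers the message as it was before the TSIG RR was added (ARCOUNT one lower).
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + tsig_variables(keyname, alg, time_signed, fudge),
                        ALGORITHMS[alg]).digest()
    if not hmac.compare_digest(mac, expected):
        return RCODE_NOTAUTH, BADSIG           # different secret, or message altered in transit
    if abs(now - time_signed) > fudge:
        return RCODE_NOTAUTH, BADTIME          # clocks too far apart (or a replayed request)
    return 0, 0
```

For PowerDNS itself the key never comes from named.conf: with the bind backend you point bind-dnssec-db at an sqlite file (created with pdnsutil create-bind-db), load the secret with pdnsutil import-tsig-key, and tie it to the zone with pdnsutil activate-tsig-key ZONE KEY primary on the primary and pdnsutil activate-tsig-key ZONE KEY secondary on the secondary (older pdnsutil versions spell the last argument master/slave); see the tsig page of the PowerDNS documentation linked in the thread. Key name, algorithm and secret must match on both sides byte for byte, which is exactly what the BADKEY and BADSIG branches above check.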


Re: [Pdns-users] Server Hostname not visible

2021-09-02 Thread SOLIT | Michael via Pdns-users
I fixed it myself. Thank you.

The key was to add a PTR record on the PowerDNS locally.

Windows checks the PTR record  on the local server itself instead of the 
authorative server.



SOLIT Network Solutions B.V (https://Solit.nl)     Michael van der Worp

SOLIT Network Solutions B.V | Zuiddijk 255A | 1501 CK | Zaandam
+31 (0)75 6315601 | mvdw...@solit.nl | www.solit.nl

This message may contain information that is not intended for you. If you are 
not the addressee or if this message was sent to you by mistake, you are 
requested to inform the sender and delete the message. SOLIT accepts no 
liability for damage of any kind resulting from the risks inherent in the 
electronic transmission of messages.

From: Brian Candler 
Sent: Thursday, 2 September 2021 08:23
To: SOLIT | Michael ; pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] Server Hostname not visible

On 02/09/2021 07:12, SOLIT | Michael via Pdns-users wrote:
I’m trying to add the server hostname to PowerDNS. This does not seem to work.

When I do an nslookup to the specific PowerDNS server I get back that the 
server hostname is Unknown.

Sorry, but this question has nothing to do with PowerDNS at all.

Firstly, nslookup is part of the bind suite of tools, and the behaviour is 
local to nslookup.  Secondly, you are using Windows, which has Microsoft's 
obsolete and forked version of bind/nslookup.

Try using the Linux version of nslookup and you'll see the difference:
# nslookup solit.nl ns1.globe.hosting
Server:         ns1.globe.hosting
Address:        5.44.79.65#53

Name:   solit.nl
Address: 5.44.79.60



The above example was run on Ubuntu 18.04.5 LTS, which has the nslookup from 
bind 9.11.3

# which nslookup
/usr/bin/nslookup
# dpkg-query -S /usr/bin/nslookup
dnsutils: /usr/bin/nslookup
# dpkg-query -l dnsutils
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version                 Architecture Description
+++-==============-=======================-============-==========================
ii  dnsutils       1:9.11.3+dfsg-1ubuntu1  amd64        Clients provided with BIND

HTH,

Brian.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


[Pdns-users] Server Hostname not visible

2021-09-02 Thread SOLIT | Michael via Pdns-users
Hello,

I’m trying to add the server hostname to PowerDNS. This does not seem to work.

When I do an nslookup to the specific PowerDNS server I get back that the 
server hostname is Unknown.

Can someone please explain me how to put a name here instead of “UnKnown”


With the application “bind” its a matter of adding “hostname” to the 
configuration file.

Perhaps anyone can help me, thanks in advance.

Best regards,
Michael van der Worp

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Upgrading Auth Server directly from 4.1.14 to 4.4.1

2021-05-20 Thread Michael Ströder via Pdns-users
On 5/21/21 12:49 AM, Nikolaos Milas via Pdns-users wrote:
> However, I am now trying to start the upgraded server and I get the
> message (in journal):
> 
>    Caught an exception instantiating a backend: launch= suffixes are
>    not supported on the bindbackend
> 
> launch=ldap:bkend1,bind:bkend2

This just works:

  launch=ldap:bkend1,bind

Do you really need the launch suffix 'bkend2' for the bindbackend
parameters?

Ciao, Michael.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Building for 32-bit platforms (was: PowerDNS Recursor 4.5.1 Released)

2021-05-11 Thread Michael Ströder via Pdns-users
On 5/11/21 7:22 PM, Otto Moerbeek wrote:
> On Tue, May 11, 2021 at 07:01:08PM +0200, Michael Ströder via Pdns-users 
> wrote:
>> Was support for running on 32-bit platforms dropped?
> 
> Yes, as you can read further down below in the announcement.

Arrgh! Missed that. Sorry for the noise.

Ciao, Michael.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


[Pdns-users] Building for 32-bit platforms (was: PowerDNS Recursor 4.5.1 Released)

2021-05-11 Thread Michael Ströder via Pdns-users
HI!

Was support for running on 32-bit platforms dropped?

configure fails with:

configure: error: size of time_t is 4, which is not large enough to fix
the y2k38 bug

See build system:

https://build.opensuse.org/package/show/home:stroeder:network/pdns-recursor

Ciao, Michael.

On 5/11/21 11:49 AM, Otto Moerbeek via Pdns-users wrote:
>  Hello!
> 
>We are proud to announce the release of PowerDNS Recursor 4.5.1.
>Compared to the release candidate, this release contains two bug fixes.
>Note that 4.5.0 was never released publicly, since an issue was found
>during QA.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] RV: Fatal Error: Trying to set unknown parameter 'ldap-authmethod'

2021-02-19 Thread Michael Ströder via Pdns-users
On 2/19/21 10:31 AM, Dario García Díaz-Miguel via Pdns-users wrote:
> I had to add to the /etc/openldap/ldap.conf the following parameter:
> 
> SASL_MECH GSSAPI

FYI: If you don't want to set this globally you can set env var LDAPRC
or LDAPCONF to point to a service-specific ldap.conf.

See the details in man-page ldap.conf(5).

> GSSAPI Error: Unspecified GSS failure. Minor code may provide more 
> information (No Kerberos credentials available (default cache: /tmp/krb5cc_0) 
> )
> [LDAP GSSAPI] ldap_sasl_interactive_bind_s returned -2
> [LDAP GSSAPI] No TGT found, trying to acquire a new one
> [LDAP GSSAPI] krb5 error when getting the TGT: Address family not supported 
> by protocol

Do you have a correctly configured /etc/krb5.conf? Again you can point
to a service-specific Kerberos config with env var KRB5_CONFIG.

Also check ownership and permissions of your keytab file whether pdns
can read it.

I'd also check whether it works to get a TGT with the keytab for the
expected client principal name. Assuming you're running pdns as user pdns:

runuser -u pdns kinit -t /etc/pdns.keytab
pdns-service-princi...@realm.example.com

I don't have a kerberized setup so all of the above is just from memory.

Ciao, Michael.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
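The checklist above (service-specific ldap.conf and krb5.conf via environment variables, a keytab the service can read, a manual kinit with that keytab) as an added example, not code from the thread or from PowerDNS. The keytab check also enforces the other half of the requirement a practitioner cares about: the file must be readable by the service account and by nobody else. The config directory /etc/pdns, the file name pdns.keytab and the principal name are assumptions; KRB5_CLIENT_KTNAME is MIT Kerberos' client keytab variable, which lets GSSAPI obtain initial credentials from a keytab without a separate kinit.

```python
"""Pre-flight checks before pointing a GSSAPI-authenticating service (here PowerDNS with
the LDAP backend) at a keytab. Added example; paths and principal are assumptions."""
import os
import pwd
import stat
import tempfile


def keytab_problems(path, service_user):
    """Describe what is wrong with the keytab's ownership/permissions; [] means usable and private."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    owner = pwd.getpwuid(st.st_uid).pw_name
    if owner != service_user:
        problems.append(f"{path}: owned by {owner}, expected {service_user}")
    if not st.st_mode & stat.S_IRUSR:
        problems.append(f"{path}: owner cannot read it")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is group/world accessible; use 0600")
    return problems


def service_environment(conf_dir, keytab, base=None):
    """Environment for the service process: its own krb5.conf and ldap.conf instead of the
    system-wide files, plus the client keytab for GSSAPI (no global /etc/openldap/ldap.conf edit)."""
    env = dict(os.environ if base is None else base)
    env["KRB5_CONFIG"] = os.path.join(conf_dir, "krb5.conf")
    env["LDAPCONF"] = os.path.join(conf_dir, "ldap.conf")
    env["KRB5_CLIENT_KTNAME"] = keytab
    return env


def kinit_command(keytab, principal):
    """The manual test from the thread: obtain a TGT as the service with its keytab."""
    return ["kinit", "-k", "-t", keytab, principal]


def demo():
    """Run the keytab check against a throw-away file so the behaviour can be seen without a real keytab."""
    me = pwd.getpwuid(os.getuid()).pw_name
    with tempfile.TemporaryDirectory() as d:
        kt = os.path.join(d, "pdns.keytab")
        with open(kt, "wb") as f:
            f.write(b"\x05\x02")            # keytab format version header only; constructed content
        os.chmod(kt, 0o600)
        private = keytab_problems(kt, me)
        os.chmod(kt, 0o644)
        world_readable = keytab_problems(kt, me)
        wrong_owner = keytab_problems(kt, "not-" + me)
    return private, world_readable, wrong_owner
```

Run the service (or the kinit test) with the environment returned by service_environment, e.g. via runuser -u pdns as in the thread, and keep the keytab at 0600 owned by that user.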


Re: [Pdns-users] Dnstap and kafka

2021-01-14 Thread Michael Chisina via Pdns-users
OK. Thanks for clarification.



On Thu, Jan 14, 2021, 4:00 PM Brian Candler  wrote:

> On 14/01/2021 13:11, Michael Chisina wrote:
> > Thanks for the info
> >
> > # is there any need for middleware software if I use dtap (dnstap
> > favoured) following from github
> >
> > https://github.com/mimuret/dtap#kafka
> > <https://github.com/mimuret/dtap#kafka>
> >
> That *is* the middleware software.
>
>
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Dnstap and kafka

2021-01-14 Thread Michael Chisina via Pdns-users
Thanks for the info

# is there any need for middleware software if I use dtap (dnstap favoured)
following from github

https://github.com/mimuret/dtap#kafka

And also  configure the following:
Kafka

Flattens the DNSTAP message and forwards it to the kafka host.

[[OutputKafks]]
Hosts = ["kafka.example.jp:9092"]
Topic  = "dnstap_message"



# the dataflow will be as follows:
 DNS message --->dnstap--->middleware--->Kafka producer connector --->
Kafka streaming---> Kafka consumer connector---> debezium connector
--->timescaledb(postgresql favoured)


Regards
Michael Chisina

On Wed, Jan 13, 2021, 5:27 PM Brian Candler  wrote:

> On 13/01/2021 14:58, Michael Chisina via Pdns-users wrote:
>
> I want to frame stream powerdns  recursor DNS query and response using
> dnstap to an apache kafka remote server (202.20.20.1).
> # what are the configurations needed on recursor?
>
> dnstap doesn't talk to kafka.
>
> You'll need to run some middleware software which accepts dnstap
> <https://dnstap.info/>-formatted messages, and writes them to kafka -
> which could be in raw dnstap form, or decoded into some other form (e.g.
> JSON).  Google "dnstap kafka" for some options, or write your own.
>
> Then you configure pdns-recursor to send dnstap messages to this
> middleware server.
>
> If you run the middleware on the same server as pdns-recursor, then they
> can communicate over a unix domain socket.  If you want to communicate to a
> remote server over TCP, then you will need a sufficiently new version of
> libfstrm which supports this. In practice this means that if you are using
> Ubuntu then you need 20.04 not 18.04. See this thread:
>
> https://mailman.powerdns.com/pipermail/pdns-users/2020-June/026724.html
>
>
> # what is dns message schema(s) format for the database creation?
>
> kafka isn't a database.  If you want to write these messages to a
> database, then that's an additional step.  You'll need some more software
> which reads messages from kafka, decodes them, and writes to a database in
> some schema that you define.  Beware that a busy recursor can generate a
> very large volume of messages, so you might want to aggregate them first.
>
> HTH,
>
> Brian.
>
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
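The first thing the middleware in that data flow has to do is speak the transport dnstap uses, Frame Streams (fstrm): every frame is a 4-byte big-endian length followed by the payload, a zero length escapes to a control frame (ACCEPT/START/STOP/READY/FINISH with optional content-type fields), and for dnstap the declared content type is protobuf:dnstap.Dnstap. The block below is an added example, not code from the thread, from dtap or from PowerDNS; it encodes and decodes that framing and checks a unidirectional stream (START, data frames, STOP) before handing the payloads on. The sample stream is constructed and its data payloads are placeholders, not real protobuf-encoded dnstap messages.

```python
"""Frame Streams (fstrm) framing as used by dnstap, the first stage of a dnstap-to-kafka
middleware. Added example; the sample stream is constructed."""
import struct
from dataclasses import dataclass, field

CONTROL_ACCEPT, CONTROL_START, CONTROL_STOP, CONTROL_READY, CONTROL_FINISH = 1, 2, 3, 4, 5
FIELD_CONTENT_TYPE = 1
DNSTAP_CONTENT_TYPE = b"protobuf:dnstap.Dnstap"
MAX_CONTROL_FRAME = 512


@dataclass
class Frame:
    kind: str                                    # "data" or "control"
    payload: bytes = b""                         # data frames: the (protobuf) message bytes
    ctype: int = 0                               # control frames: control type
    fields: list = field(default_factory=list)   # control frames: [(field_type, value), ...]


def encode_control(ctype, content_types=()):
    """Control frame: zero-length escape, control length, control type, content-type fields."""
    body = struct.pack("!I", ctype)
    for ct in content_types:
        body += struct.pack("!II", FIELD_CONTENT_TYPE, len(ct)) + ct
    return struct.pack("!II", 0, len(body)) + body


def encode_data(payload):
    """Data frame: non-zero big-endian length followed by the payload."""
    return struct.pack("!I", len(payload)) + payload


def iter_frames(buf):
    """Split a byte string into Frame objects, refusing truncated or oversized frames."""
    off = 0
    while off < len(buf):
        (length,) = struct.unpack_from("!I", buf, off)
        off += 4
        if length:
            if off + length > len(buf):
                raise ValueError("truncated data frame")
            yield Frame("data", payload=buf[off:off + length])
            off += length
            continue
        (clen,) = struct.unpack_from("!I", buf, off)
        off += 4
        end = off + clen
        if clen < 4 or clen > MAX_CONTROL_FRAME or end > len(buf):
            raise ValueError("bad control frame length")
        (ctype,) = struct.unpack_from("!I", buf, off)
        fields, pos = [], off + 4
        while pos < end:
            ftype, flen = struct.unpack_from("!II", buf, pos)
            pos += 8
            if pos + flen > end:
                raise ValueError("control field overruns its frame")
            fields.append((ftype, buf[pos:pos + flen]))
            pos += flen
        yield Frame("control", ctype=ctype, fields=fields)
        off = end


def dnstap_payloads(buf):
    """Unidirectional stream: START declaring the dnstap content type, data frames, STOP.
    Returns the data payloads, or raises if the stream is not a well-formed dnstap stream."""
    frames = list(iter_frames(buf))
    if not frames or frames[0].kind != "control" or frames[0].ctype != CONTROL_START:
        raise ValueError("stream does not begin with a START control frame")
    declared = [v for t, v in frames[0].fields if t == FIELD_CONTENT_TYPE]
    if DNSTAP_CONTENT_TYPE not in declared:
        raise ValueError(f"unexpected content type(s): {declared}")
    if frames[-1].kind != "control" or frames[-1].ctype != CONTROL_STOP:
        raise ValueError("stream is not terminated by a STOP control frame")
    return [f.payload for f in frames[1:-1] if f.kind == "data"]


def is_dnstap_stream(buf):
    """Convenience wrapper: True if dnstap_payloads() accepts the stream."""
    try:
        dnstap_payloads(buf)
        return True
    except (ValueError, struct.error):
        return False
```

Over TCP (the bidirectional case the thread touches on) the receiver additionally answers the sender's READY with ACCEPT and its STOP with FINISH; the data and control framing is the same, so the same parser applies. Decoding the payloads into dnstap.Dnstap messages is the next stage and needs the dnstap protobuf schema.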


[Pdns-users] Dnstap and kafka

2021-01-13 Thread Michael Chisina via Pdns-users

Hello,

I want to frame stream powerdns  recursor DNS query and response using
dnstap to an apache kafka remote server (202.20.20.1).
# what are the configurations needed on recursor?
# what is dns message schema(s) format for the database creation?

Regards

Michael Chisina
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] gmysql: Is latin1 really necessary? What are the consequences of using UTF-8?

2020-10-30 Thread Michael Loftis via Pdns-users
On Fri, Oct 30, 2020 at 8:17 AM Michael Loftis  wrote:
>
> On Fri, Oct 30, 2020 at 8:15 AM Nicholas Williams via Pdns-users
>  wrote:
> >
> > I thought domain names have supported unicode characters for several years 
> > now.
>
> Not at the protocol level they're not.   They're punycode.


And more explicitly, it's not UTF.  It's IDN
https://unicode.org/faq/idn.html
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] gmysql: Is latin1 really necessary? What are the consequences of using UTF-8?

2020-10-30 Thread Michael Loftis via Pdns-users
On Fri, Oct 30, 2020 at 8:15 AM Nicholas Williams via Pdns-users
 wrote:
>
> I thought domain names have supported unicode characters for several years 
> now.

Not at the protocol level they're not.   They're punycode.


>
> On Oct 30, 2020, at 7:53 AM, Frank Louwers  wrote:
>
> Hi Nick,
>
> I guess the main reason why it's latin1, is that DNS records are supposed to 
> be ascii, certainly not utf-8. Also probably the "lowest common denominator" 
> between various (My)SQL versions, flavours etc.
>
> Frank
>
>
>
> On 30 Oct 2020, at 13:43, Nicholas Williams via Pdns-users 
>  wrote:
>
> Nobody has any thoughts here?
>
> Thanks,
>
> Nick
>
> On Oct 25, 2020, at 11:51 AM, Nicholas Williams 
>  wrote:
>
> In the past 4-5 years, I’ve gotten into the habit of defaulting all MySQL 
> tables to this:
>
>   DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_520_ci
>
> Looking at the latest PowerDNS schema (I’m about to start up a second 
> environment), I noticed that the entire schema has this:
>
> CHARACTER SET 'latin1'
>
> I did some searching through the archives, but couldn’t readily find an 
> answer about this: Is there a specific reason why LATIN-1 was chosen and must 
> be used? What are the consequences of using UTF-8 instead of LATIN-1?
>
> One consequence that I know of is that `records.content` can’t be 
> VARCHAR(64000) and also be UTF-8, so it must either be made explicitly 
> LATIN-1, or it must be shortened to VARCHAR(16383), or it must be converted 
> to a TEXT column. Are there are negative consequences of making it a TEXT 
> column?
>
> Thanks,
>
> Nick
>
>
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>
>
>
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users



-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] gmysql: Is latin1 really necessary? What are the consequences of using UTF-8?

2020-10-30 Thread Michael Loftis via Pdns-users
I was hoping someone who knew more about PDNS authoritative server
itself would chime in

For MySQL server+client, if the character set in the libmysqlclient
and server side tables/etc match, it doesn't matter except for server
side sorts (collations).  If it is latin1 all the way through then
it's actually treated as binary.  This is to avoid the performance
penalty of character set conversions.  DNS itself is more
difficult...labels are ASCII.  PowerDNS internally for example has an
upper case conversion routine that blatantly assumes ASCII/latin1.
When it checks for spaces, it's checking for 0x20, not for any UTF-8
formation that might mean whitespace.  Content/RDATA, type, etc, are
all binary and so what is in the content is defined by the content
type.  In the cases where there is expected to be non ASCII data, it's
translated by PowerDNS itself, based on the relevant RFCs - which
often have their own way to represent non-ascii data such as for TXT
records.  PowerDNS Auth itself I don't believe pays any mind to what
the underlying database clients do WRT character sets and fields, as
long as the data is as expected after it comes out of the backend.  So
if it's backed by a TEXT field, it doesn't actually care, at least in
the MySQL case.

So...yeah you could, but...why?  What problem are you trying to solve?
 What advantage are you looking for?

On Fri, Oct 30, 2020 at 6:44 AM Nicholas Williams via Pdns-users
 wrote:
>
> Nobody has any thoughts here?
>
> Thanks,
>
> Nick
>
> > On Oct 25, 2020, at 11:51 AM, Nicholas Williams 
> >  wrote:
> >
> > In the past 4-5 years, I’ve gotten into the habit of defaulting all MySQL 
> > tables to this:
> >
> >DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_520_ci
> >
> > Looking at the latest PowerDNS schema (I’m about to start up a second 
> > environment), I noticed that the entire schema has this:
> >
> > CHARACTER SET 'latin1'
> >
> > I did some searching through the archives, but couldn’t readily find an 
> > answer about this: Is there a specific reason why LATIN-1 was chosen and 
> > must be used? What are the consequences of using UTF-8 instead of LATIN-1?
> >
> > One consequence that I know of is that `records.content` can’t be 
> > VARCHAR(64000) and also be UTF-8, so it must either be made explicitly 
> > LATIN-1, or it must be shortened to VARCHAR(16383), or it must be converted 
> > to a TEXT column. Are there are negative consequences of making it a TEXT 
> > column?
> >
> > Thanks,
> >
> > Nick
>
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users



-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
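The two points made above, that DNS labels are ASCII (internationalized names travel as punycode A-labels) and that non-ASCII bytes in record content are represented by the RFC presentation format rather than by the database's character set, as an added example that is not code from the thread or from PowerDNS: one function turns any name into the lowercase A-label form that is actually stored and sent, and a pair of functions converts TXT rdata bytes to and from the RFC 1035 \DDD escaped form. Inputs are constructed; the block relies only on the standard library, whose idna codec implements IDNA2003, which is enough for the demonstration.

```python
"""Names and TXT rdata as DNS actually carries them. Added example; inputs are constructed."""


def to_wire_name(name):
    """Unicode or ASCII presentation name -> lowercase A-label FQDN with trailing dot.
    Raises UnicodeError for an empty or over-long (more than 63 octets) label."""
    if not name or name == ".":
        return "."
    ascii_name = name.encode("idna").decode("ascii").lower()  # str.encode('idna') handles each label
    if not ascii_name.endswith("."):
        ascii_name += "."
    if len(ascii_name) > 254:                                   # 253 octets plus the trailing dot
        raise ValueError("name longer than 253 octets")
    return ascii_name


def to_u_label_name(name):
    """Inverse, for display only: never use the Unicode form for storage or comparison."""
    return name.encode("ascii").decode("idna")


def txt_to_presentation(data):
    """bytes -> one quoted RFC 1035 character-string; '\"' and '\\' get a backslash,
    anything outside printable ASCII becomes \\DDD (decimal), e.g. UTF-8 bytes of accented letters."""
    out = []
    for b in data:
        if b in (0x22, 0x5C):
            out.append("\\" + chr(b))
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append("\\%03d" % b)
    return '"' + "".join(out) + '"'


def txt_from_presentation(text):
    """Inverse of txt_to_presentation for a single quoted string."""
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("expected a double-quoted string")
    body, out, i = text[1:-1], bytearray(), 0
    while i < len(body):
        if body[i] != "\\":
            out.append(ord(body[i]))
            i += 1
        elif len(body[i + 1:i + 4]) == 3 and body[i + 1:i + 4].isdigit():
            out.append(int(body[i + 1:i + 4]))
            i += 4
        else:
            out.append(ord(body[i + 1]))
            i += 2
    return bytes(out)
```

Stored this way, a name column never holds anything but lowercase ASCII and a TXT content column never holds anything but ASCII with escapes, which is why the backend's character set only matters for collation, as the message above says.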


Re: [Pdns-users] Pdns master-slave replication issue

2020-10-16 Thread Michael Rommel via Pdns-users
Hi,

you could look at the config whether you have whitelisted the ip of the slave 
on the master for zone transfers (AXFR).

Secondly, if you have configured, that only signed transfers are allowed, look 
whether the correct TSIG keys are configured on master and slave.

HTH,

  Michael.

-- 
Michael Rommel, Erlangen, Germany

> On 16. Oct 2020, at 20:36, Satish Patel via Pdns-users 
>  wrote:
> 
> Folks,
> 
> I have installed fresh PowerDNS version pdns-4.3.1-1 on centOS8 and
> setup master-slave for replication. when i added a new zone on master
> i got the following error on slave server logs, any idea what is
> wrong?
> 
> I did add a supermaster entry and SOA NS record etc so i can confirm
> they are good and correct.
> 
> Oct 16 14:01:23 pdns-2.foo.example.net pdns_server[27983]: 1 slave
> domain needs checking, 0 queued for AXFR
> Oct 16 14:01:23 pdns-2.foo.example.net pdns_server[27983]: Received
> serial number updates for 1 zone, had 0 timeouts
> Oct 16 14:01:23 pdns-2.foo.example.net pdns_server[27983]: Domain
> 'foo.example.net' is empty, master serial 2020101603
> Oct 16 14:01:23 pdns-2.foo.example.net pdns_server[27983]: Initiating
> transfer of 'foo.example.net' from remote '10.64.0.10'
> Oct 16 14:01:23 pdns-2.foo.example.net pdns_server[27983]: Starting
> AXFR of 'foo.example.net' from remote 10.64.0.10
> Oct 16 14:01:23 pdns-2.foo.example.net pdns_server[27983]: Unable to
> AXFR zone 'foo.example.net' from remote '10.64.0.10' (resolver): AXFR
> chunk error: Server Failure (This was the first time. Excluding zone
> from slave-checks until 1602871343)
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] PowerDNS Recursor build fails on openSUSE Tumbleweed/Factory (gcc 10)

2020-09-09 Thread Michael Ströder via Pdns-users
On 9/9/20 11:48 AM, Otto Moerbeek via Pdns-users wrote:
> On 2020-09-09 11:39, Otto Moerbeek via Pdns-users wrote:
>> I do not know what I was doing when I previously looked at this,
>> but this seem to be the minimal patch for the rel/rec-4.3.x branch.
>> Can you check if it works for you?>
> And now with the correct version of the diff, sorry.

Another package maintainer already applied a back-port patch and it
seems to build:

https://build.opensuse.org/package/show/server:dns/pdns-recursor

Could you please check whether that's the correct one?

It's tracked downstream here:

https://bugzilla.opensuse.org/show_bug.cgi?id=1176312

Ciao, Michael.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] PowerDNS Recursor build fails on openSUSE Tumbleweed/Factory (gcc 10)

2020-09-09 Thread Michael Ströder via Pdns-users
On 9/8/20 11:49 AM, Remi Gacogne via Pdns-users wrote:
> On 9/8/20 11:39 AM, Michael Ströder via Pdns-users wrote:
> 
>> Currently building PowerDNS Recursor fails building on openSUSE
>> Tumbleweed/Factory:
> 
> It's an issue caused by Boost >= 1.73, see [1]. We should probably
> backport that patch, at least to 4.3.x, but we have not done so yet.
> 
> [1]: https://github.com/PowerDNS/pdns/pull/9070

Thanks for your quick answer.
It seems pdns auth is also affected.

Any chance to get fixed releases?
Or should package maintainers apply back-port patches?

Ciao, Michael.


[Pdns-users] PowerDNS Recursor build fails on openSUSE Tumbleweed/Factory (gcc 10)

2020-09-08 Thread Michael Ströder via Pdns-users
Hi!

Currently building PowerDNS Recursor fails building on openSUSE
Tumbleweed/Factory:

https://build.opensuse.org/package/live_build_log/home:stroeder:branches:server:dns/pdns-recursor/openSUSE_Tumbleweed/x86_64

Note that openSUSE Tumbleweed/Factory uses

gcc version 10.2.1 20200825 [revision
c0746a1beb1ba073c7981eb09f55b3d993b32e5c] (SUSE Linux)

As you can see it builds on openSUSE Leap:

https://build.opensuse.org/package/show/home:stroeder:branches:server:dns/pdns-recursor

Is this an issue with newer gcc?

Ciao, Michael.


Re: [Pdns-users] "HTTP/1.1 422 Unprocessable Entity" when creating a zone

2020-06-30 Thread Michael Loftis via Pdns-users
On Tue, Jun 30, 2020 at 08:52 Tomasz Chmielewski via Pdns-users <
pdns-users@mailman.powerdns.com> wrote:

> Unfortunately I'm not able to find what I'm doing wrong.
>
> The error is returned no matter if I have "master=yes" set in pdns.conf
> or not, and no matter if I use "masters": [] or not.


Take a look at the object properties description at the bottom of the
documentation that Frank linked you. The documentation I know doesn't
include an example for zone creation. You're missing the type key. I don't
think that there are any other issues with the post data you're sending.
Just missing the type.


>
> The query I'm sending:
>
> # curl --data '{"name":"example.org.", "kind": "Native", "nameservers":
> ["ns1.example.org.", "ns2.example.org."]}' -v -H 'X-API-Key: my-api-key'
> http://10.58.150.164:8081/api/v1/servers/localhost/zones
> *   Trying 10.58.150.164:8081...
> * TCP_NODELAY set
> * Connected to 10.58.150.164 (10.58.150.164) port 8081 (#0)
> > POST /api/v1/servers/localhost/zones HTTP/1.1
> > Host: 10.58.150.164:8081
> > User-Agent: curl/7.68.0
> > Accept: */*
> > X-API-Key: my-api-key
> > Content-Length: 98
> > Content-Type: application/x-www-form-urlencoded
> >
> * upload completely sent off: 98 out of 98 bytes
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 422 Unprocessable Entity
> < Access-Control-Allow-Origin: *
> < Connection: close
> < Content-Length: 50
> < Content-Security-Policy: default-src 'self'; style-src 'self'
> 'unsafe-inline'
> < Content-Type: application/json
> < Server: PowerDNS/4.2.1
> < X-Content-Type-Options: nosniff
> < X-Frame-Options: deny
> < X-Permitted-Cross-Domain-Policies: none
> < X-Xss-Protection: 1; mode=block
> <
> * Closing connection 0
> {"error": "Creating domain 'example.org.' failed"}
>
>
>
> Tomasz
>
>
> On 2020-06-30 22:38, Frank Louwers wrote:
> > Please find the docs for 4.2.x at
> >
> https://docs.powerdns.com/authoritative/http-api/index.html#endpoints-and-objects-in-the-api
> >
> > In particular, note that the "masters" string must only be set if the
> > type is Slave.
> >
> > Regards,
> >
> > Frank
> >
> > On 30 Jun 2020, at 15:20, Tomasz Chmielewski  wrote:
> >
> >> I'm using pdns 4.2.1.
> >>
> >> Tomasz
> >>
> >> On 2020-06-30 22:17, Frank Louwers wrote:
> >> Hi Tomasz,
> >> What version are you using? The docs you mention, refer to an old
> >> version of PowerDNS Auth...
> >> Frank
> >> On 30 Jun 2020, at 15:09, Tomasz Chmielewski via Pdns-users
> >>  wrote:
> >> I did it exactly as in PowerDNS README:
> >> https://doc.powerdns.com/md/httpapi/README/
> >> Does it mean README is buggy?
> >> But it also fails without "masters" attribute:
> >> # echo '{"name":"example.org [1].", "kind": "Native", "nameservers":
> >> ["ns1.example.org [2].", "ns2.example.org [3]."]}' | jq
> >> {
> >> "name": "example.org [1].",
> >> "kind": "Native",
> >> "nameservers": [
> >> "ns1.example.org [2].",
> >> "ns2.example.org [3]."
> >> ]
> >> }
> >> Tomasz
> >> On 2020-06-14 23:52, Kevin P. Fleming via Pdns-users wrote:
> >> Have you doing this without specifying the 'masters' attribute at
> >> all?
> >> Native zones don't support masters, so it's possible that supplying
> >> the attribute, even with an empty list, is causing a failure.
> >> On Sun, Jun 14, 2020 at 9:29 AM Tomasz Chmielewski via Pdns-users
> >>  wrote:
> >> Using 4.2.1, I'm getting "HTTP/1.1 422 Unprocessable Entity" when
> >> trying
> >> to create a zone as described on
> >> https://doc.powerdns.com/md/httpapi/README/
> >> What am I doing wrong?
> >> '{"name":"example.org.", "kind": "Native", "masters": [],
> >> "nameservers":
> >> ["ns1.example.org.", "ns2.example.org."]}' validates fine with jq:
> >> # echo '{"name":"example.org.", "kind": "Native", "masters": [],
> >> "nameservers": ["ns1.example.org.", "ns2.example.org."]}' | jq
> >> {
> >> "name": "example.org.",
> >> "kind": "Native",
> >> "masters": [],
> >> "nameservers": [
> >> "ns1.example.org.",
> >> "ns2.example.org."
> >> ]
> >> }
> >> # curl -X POST --data '{"name":"example.org.", "kind": "Native",
> >> "masters": [], "nameservers": ["ns1.example.org.",
> >> "ns2.example.org."]}'
> >> -v -H 'X-API-Key: my-key'
> >> http://10.58.150.164:8081/api/v1/servers/localhost/zones
> >> Note: Unnecessary use of -X or --request, POST is already inferred.
> >> *   Trying 10.58.150.164:8081...
> >> * TCP_NODELAY set
> >> * Connected to 10.58.150.164 (10.58.150.164) port 8081 (#0)
> >> POST /api/v1/servers/localhost/zones HTTP/1.1
> >> Host: 10.58.150.164:8081
> >> User-Agent: curl/7.68.0
> >> Accept: */*
> >> X-API-Key: my-key
> >> Content-Length: 113
> >> Content-Type: application/x-www-form-urlencoded
> >> * upload completely sent off: 113 out of 113 bytes
> >> * Mark bundle as not supporting multiuse
> >> < HTTP/1.1 422 Unprocessable Entity
> >> < Access-Control-Allow-Origin: *
> >> < Connection: close
> >> < Content-Length: 50
> >> < Content-Security-Policy: default-src 'self'; style-src 'self'
> >> 'unsafe-inline'
> >> < Content-Type: 

Re: [Pdns-users] LUA createForward() records and improvement suggestions

2020-06-23 Thread Michael Rommel via Pdns-users
Hi Otto,

thanks for the pointer! AFAICT it covers my patches as well, looks a lot more 
complicated, though. I'll take a closer look at it.

Is there any reason why it hasn't been merged yet? Any cases that would break 
that needed to be avoided?

Thanks,

  Michael.

-- 
Michael Rommel, Erlangen, Germany

> On 23 Jun 2020, at 08:16, Otto Moerbeek  wrote:
> 
> On Mon, Jun 22, 2020 at 10:11:30PM +0200, Michael Rommel via Pdns-users 
> wrote:
> 
>> 
>> Dear all,
>> 
>> a while ago (2020-03-01) I asked about setting up domains with LUA 
>> createForward()
>> records.
>> 
>> I succeeded in setting it up and found some peculiarities, which I would like 
>> to discuss here (in parallel I am considering submitting PRs for some issues 
>> on Github and would appreciate guidance on whether it makes sense to open them).
>> 
>> There are four (4) questions in this mail and sorry for the length, but I 
>> wanted 
>> to make it explicit with all possible information provided from the get-go.
>> 
>> The setup for the proof-of-concept is a MASTER/SLAVE setup with sqlite3 as
>> backend. The used version is 4.3.0-1pdns.bionic from
>> http://repo.powerdns.com/ubuntu bionic-auth-43. 
>> 
>> The demo setup has essentially these domains and records (taken from the 
>> master):
>> 
>> sqlite> select * from records;
>> 1|1|example.com|SOA|ns1.example.com ra-dns-admin.example.com 3 10380 3600 
>> 604800 3600|86400|||0||1
>> 2|1|example.com|NS|ns1.example.com|86400|||0||1
>> 3|1|example.com|NS|ns2.example.com|86400|||0||1
>> 4|1|ns1.example.com|A|104.41.128.19|86400|||0||1
>> 5|1|ns2.example.com|A|52.148.215.179|86400|||0||1
>> 7|1|*..1001.example.com|LUA|A "createForward()"|60|||0||1
>> 8|1|*.-2002.example.com|LUA|A "createForward()"|60|||0||1
>> 9|2|-3003.example.com|SOA|ns1.example.com ra-dns-admin.example.com 2 
>> 10380 3600 604800 3600|86400|||0||1
>> 10|2|*.-3003.example.com|LUA|A "createForward()"|60|||0||1
>> 
>> sqlite> select * from domains;
>> 1|example.com|||MASTER|2|
>> 2|-3003.example.com|||MASTER|2|
>> 
>> Other tables available on request, I'll try to be as brief as possible.
>> 
>> The intended use is a DNS resolver for approx. 200.000 devices (more
>> later), each device shall have one of those wildcard createForward()
>> records and an accompanying _acme-challenge TXT record to obtain a Let's
>> Encrypt certificate for that record.
>> 
>> 
>> Q 1: Structure of the domain/subdomains / current implementation limitations
>> 
>> 
>> Currently the implementation of the LUA createForward() is in a way that
>> accepts the wildcard only as being directly underneath the domain in
>> question. In the example setup above, the 4.3 version:
>> 
>> - will not resolve the record ip10203040.-2002.example.com
>> - will resolve the record ip10203040.-3003.example.com
>> 
>> because only the latter one is directly beneath the domain. In my use case
>> that would mean to create 200. additional entries in the domain table
>> (the NS records for a proper DNS delegation can be omitted here, because
>> all live on the same server). Each domain would only have two entries.
>> 
>> Even with a less aggressive SOA refresh time, that would mean that pdns
>> would check all of those 200K domains within one hour. Since they mostly
>> stay the same, there is no AXFR involved, but the checking imposes a load
>> on the database and logging (tuneable of course). With PGSQL later this
>> will certainly be bearable, but I think a multi-level structure might be
>> better suited. Hence the first patch:
>> 
>> I suggest changing the line 616 in lua-record.cc to
>> 
>>if(parts.size()<4) {
>> 
>> This would retain the behaviour of accepting questions like:
>> 
>>  192.168.1.1.-3003.example.com
>> 
>> but would enable additionally questions like:
>> 
>>  ip10203040.-2002.example.com
>>  ip10203040..1001.example.com
>> 
>> letting me subdivide the domain without the need for separate subdomains
>> just for the resolution purpose.
>> 
>> It would be breaking for setups where the top level domain also has a
>> wildcard record and it is not wished that subdomains are resolved:
>> 
>> *.example.com|LUA|A "createForward()"
>> 
>> And ip10203040.test.example.com shall NOT be resolved. With the patch, it
>> would.
>> 
>> Shall I submit a P

[Pdns-users] LUA createForward() records and improvement suggestions

2020-06-22 Thread Michael Rommel via Pdns-users
ne asks a question like

192-168-3-4.-3003.example.com

which leads to a SERVFAIL, because the string returned from the function is 
2.4294967295.104.4294967293 = 2 . -1 . 0x68 . -3
which then cannot be put into the answer packet.

; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> +norecurse @172.24.46.11 
192-168-3-4.-3003.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10082
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;192-168-3-4.-3003.example.com. IN A

;; Query time: 1 msec
;; SERVER: 172.24.46.11#53(172.24.46.11)
;; WHEN: Mon Jun 22 19:46:50 UTC 2020
;; MSG SIZE  rcvd: 66

root:/home/rommel/configuration# tail -100 /var/log/syslog |grep pdns
Jun 22 19:46:50 CertifVM01 pdns_server[1276]: Remote 172.24.46.11 wants 
'192-168-3-4.-3003.example.com|A', do = 0, bufsize = 1232 (4096): 
packetcache MISS
Jun 22 19:46:50 CertifVM01 pdns_server[1276]: Lua record 
(192-168-3-4.-3003.example.com|A) reported: Parsing record content (try 
'pdnsutil check-zone'): unable to parse IP address
Jun 22 19:46:50 CertifVM01 pdns_server[1276]: Exception building answer packet 
for 192-168-3-4.-3003.example.com/A (Parsing record content (try 
'pdnsutil check-zone'): unable to parse IP address) sending out servfail

My patch suggestion would be to add in the check for values above 255, like:
  if(sscanf(parts[0].c_str()+2, "%02x%02x%02x%02x", &x1, &x2, &x3, &x4)==4) {
    // reject any group that overflowed past a single octet
    if(x1<=0xff && x2<=0xff && x3<=0xff && x4<=0xff)
      return std::to_string(x1)+"."+std::to_string(x2)+"."+std::to_string(x3)+"."+std::to_string(x4);
  }

Would you agree that this might be better to fall through to returning 
"0.0.0.0" rather than SERVFAIL?


Q 4: Adding the (forgotten) ability to parse the dash delimited decimal 
questions


In addition to the hexadecimal notation, I would really like to see the
proper resolving of entries like 192-168-3-4.-3003.example.com.

These additional lines below the hex portion would allow this:

if(sscanf(parts[0].c_str(), "%u-%u-%u-%u", &x1, &x2, &x3, &x4)==4) {
  // dash-delimited decimal form, e.g. 192-168-3-4; same octet range check
  if(x1<=0xff && x2<=0xff && x3<=0xff && x4<=0xff)
    return std::to_string(x1)+"."+std::to_string(x2)+"."+std::to_string(x3)+"."+std::to_string(x4);
}

Anyone interested in this PR?


Thanks everybody, who has read through this monster to this point. Any
suggestions or corrections or improvements.

  Michael.



-- 
Michael Rommel, Erlangen, Germany

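Added example, not code from this thread or from PowerDNS: a stand-alone C++ re-creation of the first-label parsing discussed above, with the 4.3 hex-only branch beside a bounds-checked version that also accepts the dashed-decimal form. It goes further than the posted patches by requiring exactly eight hex digits after "ip" and full consumption of the dashed form, so 192-168-3-4 resolves and malformed labels fall through to 0.0.0.0 instead of an unparsable record. The "ip" prefix, the helper names and the sample names are assumptions.

```cpp
// Added example (not PowerDNS code): turning the first label of a
// createForward() query name into an IPv4 address, before and after checking.
#include <cctype>
#include <cstdio>
#include <iostream>
#include <string>

// First label of a query name such as "192-168-3-4.-3003.example.com".
std::string firstLabel(const std::string& qname) {
    return qname.substr(0, qname.find('.'));
}

static std::string dotted(unsigned x1, unsigned x2, unsigned x3, unsigned x4) {
    return std::to_string(x1) + "." + std::to_string(x2) + "." +
           std::to_string(x3) + "." + std::to_string(x4);
}

// Mirrors the 4.3 branch quoted in the thread: skip two characters ("ip") and
// read four 2-digit hex groups with no range check. %x accepts a leading sign,
// so "192-168-3-4" (minus the first two chars: "2-168-3-4") parses as 2, -1,
// 0x68, -3; the unsigned values wrap to 4294967295 and 4294967293, which is
// exactly the "2.4294967295.104.4294967293" string that caused the SERVFAIL.
std::string createForwardHexOnly(const std::string& label) {
    if (label.size() < 2)  // guard only to avoid reading past the buffer here
        return "0.0.0.0";
    unsigned int x1, x2, x3, x4;
    if (sscanf(label.c_str() + 2, "%02x%02x%02x%02x", &x1, &x2, &x3, &x4) == 4)
        return dotted(x1, x2, x3, x4);
    return "0.0.0.0";
}

static bool octets(unsigned x1, unsigned x2, unsigned x3, unsigned x4) {
    return x1 <= 0xff && x2 <= 0xff && x3 <= 0xff && x4 <= 0xff;
}

// Hardened variant: the hex form must be exactly "ip" + 8 hex digits (so a
// sign can never sneak into a group), the dashed-decimal form must be consumed
// completely (%n), and every octet must be <= 255. Anything else yields 0.0.0.0.
std::string createForwardChecked(const std::string& label) {
    unsigned int x1, x2, x3, x4;
    if (label.size() == 10 && label.compare(0, 2, "ip") == 0) {
        bool allHex = true;
        for (size_t i = 2; i < label.size(); ++i)
            allHex = allHex && std::isxdigit(static_cast<unsigned char>(label[i]));
        if (allHex && sscanf(label.c_str() + 2, "%02x%02x%02x%02x", &x1, &x2, &x3, &x4) == 4)
            return dotted(x1, x2, x3, x4);  // two hex digits can never exceed 0xff
    }
    int consumed = 0;
    if (sscanf(label.c_str(), "%u-%u-%u-%u%n", &x1, &x2, &x3, &x4, &consumed) == 4 &&
        static_cast<size_t>(consumed) == label.size() && octets(x1, x2, x3, x4))
        return dotted(x1, x2, x3, x4);
    return "0.0.0.0";
}

int main() {
    // Constructed query names, not taken from any live zone.
    const char* names[] = {"ip10203040.-2002.example.com",
                           "192-168-3-4.-3003.example.com",
                           "300-1-2-3.-3003.example.com"};
    for (const char* n : names) {
        const std::string label = firstLabel(n);
        std::cout << n << "\n  hex-only: " << createForwardHexOnly(label)
                  << "\n  checked:  " << createForwardChecked(label) << "\n";
    }
    return 0;
}
```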


Re: [Pdns-users] why CAP_CHOWN?

2020-05-16 Thread Michael Ströder via Pdns-users
On 5/16/20 10:25 PM, bert hubert wrote:
> On Sat, May 16, 2020 at 08:42:21PM +0200, Michael Ströder via Pdns-users 
> wrote:
>> But I wonder why CAP_CHOWN is set in CapabilityBoundingSet= and
>> AmbientCapabilities= and I could not find a reason in the git history of
>> that file.
> 
> We chown the UNIX domain control socket to the 'setgid' and 'setuid'
> setting.
> 
> This is likely why we need CAP_CHOWN.

It seems to create the control socket just fine because the User= and
Group= are set:

srwxr-xr-x 1 pdns pdns 0 May 16 22:39
/run/pdns-recursor/pdns_recursor.controlsocket=

Anything more I could test to ensure that it's safe to remove CAP_CHOWN?

Ciao, Michael.


[Pdns-users] why CAP_CHOWN?

2020-05-16 Thread Michael Ströder via Pdns-users
Hi!

I appreciate that
pdns/recursordist/pdns-recursor.service.in
already contains some of systemd's hardening options.

But I wonder why CAP_CHOWN is set in CapabilityBoundingSet= and
AmbientCapabilities= and I could not find a reason in the git history of
that file.

It seems to run without that capability.

Ciao, Michael.


Re: [Pdns-users] Best way to setup pdns for ACME challenges and "virtual" entries

2020-03-01 Thread Michael Rommel via Pdns-users
> On 1. Mar 2020, at 21:13, Brian Candler  wrote:
> 
> Depends on what your letsencrypt software uses.   I use the bind backend with 
> DDNS updates, with dehydrated.  There are some sample challenge hooks for 
> dehydrated here <https://github.com/dehydrated-io/dehydrated/wiki>, and I see 
> all your options covered:
> One which uses DDNS updates: 
> https://github.com/dehydrated-io/dehydrated/wiki/example-dns-01-nsupdate-script
> One which uses the API: https://github.com/silkeh/pdns_api.sh
> One which uses mysql updates: 
> https://github.com/antoiner77/dehyrated-pdns/blob/master/pdns.sh

Thanks - that is a good hint to look at dehydrated - I was vaguely aware of the 
project, but haven't installed it since I scripted certbot.  So from your 
response I gather it is just a matter of preference, there are no real 
drawbacks. So I will research the ddns updates further, since that is what I 
already implemented and it saves me from enabling the HTTP API, which would 
increase complexity...

> To minimise the number of moving parts, I'd start by seeing if LUA records 
> can do what you want: 
> https://doc.powerdns.com/authoritative/lua-records/index.html

I missed that part of the documentation or better skipped it, because I have no 
experience with LUA. But if that gets me around running a backend, I'll look 
deeper into that.

> There are existing functions for working with dynamic forward and reverse:
> 
> https://doc.powerdns.com/authoritative/lua-records/functions.html#reverse-dns-functions
> The documentation says that createReverse with %5% will support the A-B-C-D 
> format you want; but createForward doesn't.  Confusingly, there is a comment 
> in the code 
> <https://github.com/PowerDNS/pdns/blob/master/pdns/lua-record.cc#L612> which 
> says it does:
> 
>   if(parts.size()==1) {
>     // either hex string, or 12-13-14-15
>     unsigned int x1, x2, x3, x4;
>     if(sscanf(parts[0].c_str()+2, "%02x%02x%02x%02x", &x1, &x2, &x3, &x4)==4) {
>       return std::to_string(x1)+"."+std::to_string(x2)+"."+std::to_string(x3)+"."+std::to_string(x4);
>     }
>   }
>   return std::string("0.0.0.0");
> });
> 
> ... but I can't see anything in the code which actually parses this format.  
> So either this is an oversight in the code, or the comment is wrong.  It 
> looks like it would be a pretty straightforward feature to add.
> 
> If there's no way round this, then you can use the full LUA backend instead: 
> https://doc.powerdns.com/authoritative/backends/lua2.html
Nice! thanks for the pointer, Brian!

  Michael.

-- 
Michael Rommel, Erlangen, Germany


[Pdns-users] Best way to setup pdns for ACME challenges and "virtual" entries

2020-03-01 Thread Michael Rommel via Pdns-users
Dear all,

I have an application that would benefit from a setup like Plex' Secure Server 
connections. In short words, they use wildcard DNS records where the name of 
the resource record conforms to a syntax conveying the IP address, the record 
shall resolve to, for instance 
10-0-1-13.someuuidforthedevice-abcdef.example.com.

The device gets a certificate for *.someuuidforthedevice-abcdef.example.com
When someone asks the DNS for 
10-0-1-13.someuuidforthedevice-abcdef.example.com. they get an A record for 
10.0.1.13 back.

In order to make this setup work with letsencrypt, two challenges arise:

1. the easy one: put the challenge of ACME into the DNS at runtime. Now, I did 
this previously with isc-bind and used the dynamic dns update feature for the 
relevant zone. Since I have not yet hands-on experience with pdns, I am asking 
for the correct way to implement this. I read that I can use three different 
ways to accomplish that:
a) dynamic DNS updates 
b) the HTTP API
c) inserting the record directly into the backend database, but I would have to 
make sure that no previous query to that record had been sent to pdns, 
otherwise it could respond from the cache.
What is the best way to do it?

2. the hard one: how can an answer to an A RR query be synthesized from the 
queried name? My current way of thinking is to use the remote backend and write 
a node.js application (with ZeroMQ, as that's what I am familiar with) that 
answers these questions.
My question to you all would be: is this a stable setup with pdns? Is the 
remote backend interface widely used and battle tested? Or is this an uncommon 
thing and I am probably running into trouble? The scale of my application is, 
that there would be something like 500.000 devices out there, not more.

Thank you in advance for your insights!

  Michael.

-- 
Michael Rommel, Erlangen, Germany


Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-07 Thread Michael Ströder
On 1/7/20 3:00 PM, Sharone Bakara wrote:
> On 7 Jan 2020, at 16:55, Remi Gacogne  wrote:
>> On 1/7/20 2:41 PM, Sharone wrote:
>>> '/var/run/pdns-recursor': Permission denied"*
>> I'm not sure of what your SNMP setup is, but it looks like the user
>> invoking rec_control does not have the rights to create a new file in
>> /var/run/pdns-recursor. What happens if you invoke the rec_control
>> command directly as the 'pdns' user?
>
> I get the same error as when I run it root.

Whenever "permissions denied" happens while running an action as root
I'd check whether SELinux or AppArmor blocks some access.
=> check your audit log (assuming you're running auditd)

Ciao, Michael.


Re: [Pdns-users] Contents of Pdns-users digest

2019-11-13 Thread Michael Chisina
I think a load balancer is the best option; configure the policy(ies) on
it.

Michael Chisina

On Wed, Nov 13, 2019, 2:00 PM 
wrote:

> Message: 1
> Date: Tue, 12 Nov 2019 15:37:32 +0100
> From: Thomas Mieslinger 
> To: pdns-users@mailman.powerdns.com
> Subject: Re: [Pdns-users] Forward client request
> Message-ID: <78ad5583-6f4e-a150-86c0-eece65eee...@mail.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> If you are familiar with policy based routing or multiple vrfs and
> running multiple pdns_recursor instances you could create two (or more)
> pdns_recursor services and configure the routing to send the dns
> requests to the desired recursor.
>
> On 11/12/19 12:05 PM, mendisobal via Pdns-users wrote:
> > How can I forward recursive DNS requests based on the source address of the
> > client? To do this I need to have the ability to return the address of the next NS
> > from the preresolve function (instead of NS-records).
> > Is there any example in Lua?


Re: [Pdns-users] Log all zone changes

2019-09-27 Thread Michael Ströder
On 9/27/19 8:30 PM, Vitali Quiering via Pdns-users wrote:
> I just started using PowerDNS Authoritative Server recently and got
> to the point where I need all changes logged. Is there an option I
> missed? If there is none: How do you log your changes?
Probably not exactly the answer you're looking for:

I'm using PowerDNS with LDAP backend and write operations to OpenLDAP
server(s) are logged with accesslog overlay. My personal setup is very
small but the components should easily scale up.

Ciao, Michael.





Re: [Pdns-users] BIND-Zonefiles: @ vs blank

2019-08-08 Thread Michael Loftis
On Thu, Aug 8, 2019 at 07:01 Bjoern Franke  wrote:

> Hi,
>
> we have a zonefile which got recently added TXT entries for SPF and DMARC:
>
> _dmarc  IN  TXT "v=DMARC1; p=none; rua=mailto:foo;
> IN  MX  10 mx.domain.tld.
> IN  TXT "v=spf1 include:spf1.domain.tld ?all"
>
> Since then, requests for the MX record were not answered any more,
> adding a @ fixed it.
>
> I'm wondering now why this happens, as in other zonefiles without TXT
> records the blank substitution works.


I've always had the understanding that blank meant "reuse last", so by
adding the _dmarc TXT record ahead of the blank records you inadvertently
moved them to be _dmarc.ZONE.

I could certainly be wrong because I haven't looked at the man page for
bind zone files in the last decade.



>
> Kind regards
> Bjoern
-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler


[Pdns-users] Question about PDNS SOA presentation.

2019-03-07 Thread Michael Van Der Beek
Hi Peter,

That's interesting. My pdns.conf did not have default-soa-edit line.
Also didn't even know about that option. Don't have any domain specific soa 
meta configs in the mysql database.

Looking into the database I found.

MariaDB [powerdns]> select * from domainmetadata
-> ;
++---++-+
| id | domain_id | kind   | CONTENT |
++---++-+
|  1 | 1 | NSEC3PARAM | 1 0 1 ab|
|  2 | 1 | SOA-EDIT   | INCREMENT-WEEKS |
++---++-+
2 rows in set (0.00 sec)

Didn't set up the fields. Perhaps it was when I signed the domain. No matter.
Setting the SOA-EDIT to "" I get back the correct values.

Thanks Peter!
Been scratching my head about this for a while.

Regards,

Michael




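Added example, not code from this thread or from PowerDNS: the arithmetic behind SOA-EDIT INCREMENT-WEEKS, which per the PowerDNS documentation presents the stored serial plus the number of whole weeks since the Unix epoch. It reproduces the numbers seen in this thread (stored 2019030501 shown as 2019033066 on 2019-03-06 and 2019033067 on 2019-03-07), so the trailing digits are not random. Function names are my own and the date is taken as UTC.

```cpp
// Added example (not PowerDNS code): SOA-EDIT INCREMENT-WEEKS arithmetic.
#include <cstdint>
#include <iostream>

// Days since 1970-01-01 for a proleptic Gregorian date
// (Howard Hinnant's days_from_civil algorithm).
int64_t daysFromCivil(int y, unsigned m, unsigned d) {
    y -= m <= 2;
    const int64_t era = (y >= 0 ? y : y - 399) / 400;
    const unsigned yoe = static_cast<unsigned>(y - era * 400);            // [0, 399]
    const unsigned doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;  // [0, 365]
    const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;           // [0, 146096]
    return era * 146097 + static_cast<int64_t>(doe) - 719468;
}

// Whole weeks since the epoch; INCREMENT-WEEKS adds this to the stored serial.
uint32_t weeksSinceEpoch(int y, unsigned m, unsigned d) {
    return static_cast<uint32_t>(daysFromCivil(y, m, d) / 7);
}

// Serial handed out for a stored serial when the query arrives on the given
// UTC date. uint32_t arithmetic wraps exactly like the 32-bit SOA serial field.
uint32_t incrementWeeksSerial(uint32_t storedSerial, int y, unsigned m, unsigned d) {
    return storedSerial + weeksSinceEpoch(y, m, d);
}

// Inverse: recover the database serial from what dig showed on a known date.
uint32_t storedFromPresented(uint32_t presented, int y, unsigned m, unsigned d) {
    return presented - weeksSinceEpoch(y, m, d);
}

int main() {
    const uint32_t stored = 2019030501u;  // value in the records table
    std::cout << "weeks since epoch on 2019-03-06: " << weeksSinceEpoch(2019, 3, 6) << "\n"
              << "presented on 2019-03-06: " << incrementWeeksSerial(stored, 2019, 3, 6) << "\n"
              << "presented on 2019-03-07: " << incrementWeeksSerial(stored, 2019, 3, 7) << "\n"
              << "stored serial behind 2019033067 on 2019-03-07: "
              << storedFromPresented(2019033067u, 2019, 3, 7) << "\n";
    return 0;
}
```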


[Pdns-users] Question about PDNS SOA presentation.

2019-03-07 Thread Michael Van Der Beek
Hi Frank,

After removing the recursor option in pdns.conf

 dig @72.14.187.43 cyber-mage.com SOA

; <<>> DiG 9.2.4 <<>> @72.14.187.43 cyber-mage.com SOA
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22124
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cyber-mage.com.IN  SOA

;; ANSWER SECTION:
cyber-mage.com. 86400   IN  SOA ns1.linode.com. 
hostmaster.cyber-mage.com. 2019033067 28800 7200 1209600 86400

;; Query time: 200 msec
;; SERVER: 72.14.187.43#53(72.14.187.43)
;; WHEN: Thu Mar  7 16:16:19 2019
;; MSG SIZE  rcvd: 90


It's still wrong.
Read in this mailing list that somebody complained about the pdnsutils increase 
soa record time also results in a random last 4 digits instead of increasing it 
sequentially. But nobody replied to him. His version was 4.1.x. I presume that 
in his case the first setup was correct. Maybe it was partially fixed from 
4.0.6 to 4.1.x


Regards,

Michael


[Pdns-users] Question about PDNS SOA presentation.

2019-03-06 Thread Michael Van Der Beek
Hi Frank,

Currently not using dnsdist, just installed that in case I want to try special 
splitting of traffic.

Currently
Pdns Auth (72.14.187.43:53) -> Recursor (127.0.0.1:53)

Yes I know, I know, eventually I need to change the config so that Auth is standalone 
and does not forward recursion traffic to the recursor. Traffic is not high so it is not 
really urgent at the moment.

So currently querying my server is direct to PdnsAuth not going through the 
recursor (which is for recursion traffic).

Eventually, when traffic goes high, will use dnsdist to load balance multiple 
Auths and recursors.
That is why I installed dnsdist as an eventual progression.

Regards,

Michael


[Pdns-users] Question about PDNS SOA presentation.

2019-03-05 Thread Michael Van Der Beek
Forgot to mention I am running.

rpm -qa | grep pdns
pdns-4.0.6-1pdns.el7.x86_64
dnsdist-1.1.0-1pdns.el7.x86_64
pdns-recursor-4.0.9-1pdns.el7.x86_64
pdns-backend-mysql-4.0.6-1pdns.el7.x86_64

And
MariaDB-server-10.1.38-1.el7.centos.x86_64



[Pdns-users] Question about PDNS SOA presentation.

2019-03-05 Thread Michael Van Der Beek
Oops, wrong thread.



[Pdns-users] MariaDB-server-10.1.38-1.el7.centos.x86_64

2019-03-05 Thread Michael Van Der Beek
Oops, wrong thread.



[Pdns-users] PDNS recursor dnssec settings

2019-03-05 Thread Michael Van Der Beek
Forgot to mention I am running.

rpm -qa | grep pdns
pdns-4.0.6-1pdns.el7.x86_64
dnsdist-1.1.0-1pdns.el7.x86_64
pdns-recursor-4.0.9-1pdns.el7.x86_64
pdns-backend-mysql-4.0.6-1pdns.el7.x86_64

And
MariaDB-server-10.1.38-1.el7.centos.x86_64


Thanks

Regards,

Michael


[Pdns-users] Question about PDNS SOA presentation.

2019-03-05 Thread Michael Van Der Beek
Hi All,

I'm a bit confused about my SOA record.
When I query it.
dig @server1.cyber-mage.com SOA cyber-mage.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> @server1.cyber-mage.com SOA 
cyber-mage.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5232
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;cyber-mage.com.IN  SOA

;; ANSWER SECTION:
cyber-mage.com. 86400   IN  SOA ns1.linode.com. 
hostmaster.cyber-mage.com. 2019033066 28800 7200 1209600 86400

;; Query time: 219 msec
;; SERVER: 72.14.187.43#53(72.14.187.43)
;; WHEN: Wed Mar 06 14:49:45 +08 2019
;; MSG SIZE  rcvd: 101

But my mysql records are:
MariaDB [powerdns]> select * from records where type="SOA";
++---++--+--+---+--+-+--+--+--+
| id | domain_id | name   | type | content  
| ttl   | prio | change_date | 
disabled | ordername| auth |
++---++--+--+---+--+-+--+--+--+
|  1 | 1 | cyber-mage.com | SOA  | ns1.linode.com 
hostmaster.cyber-mage.com 2019030501 28800 7200 1209600 86400 | 86400 |0 |  
  NULL |0 | rvms80ecrvpfkr7n6a3ksp4tc5f2g9bk |1 |
| 23 | 2 | 187.14.72.in-addr.arpa | SOA  | ns1.linode.com 
hostmaster.cyber-mage.com 2019022501 28800 7200 1209600 86400 | 86400 |0 |  
  NULL |0 |  |1 |
++---++--+--+---+--+-+--+--+--+

And
MariaDB [powerdns]> select * from domains;
++++++-+-+
| id | name   | master | last_check | type   | notified_serial 
| account |
++++++-+-+
|  1 | cyber-mage.com | NULL   |   NULL | MASTER |  2019030501 
| NULL|
|  2 | 187.14.72.in-addr.arpa | NULL   |   NULL | MASTER |  2019022501 
| NULL|
++++++-+-+

How come the values are different? What am I doing wrong?


Regards,

Michael


Re: [Pdns-users] Spoof MX records

2018-12-15 Thread Bit World Computing - Michael Mertel

> On 15.12.2018 at 09:50, bert hubert wrote:
> 
> On Sat, Dec 15, 2018 at 09:42:21AM +0100, Bit World Computing - Michael 
> Mertel wrote:
>> Hi Aleksandr,
>> 
>> I'm somewhat lost, I'm able to set a rule to have the Lua function called 
>> for MX requests, but how do I return a response? Spoof is just for 
>> A-records, but not for MX.
>> addLuaAction(QTypeRule(dnsdist.MX), luarule)
> 
> Hi Michael,
> 
> As far as I know, dnsdist can't generate MX records, so you'll have to do
> this in the PowerDNS Recursor. Sorry!
> 
> In the Recursor it is not very hard to do though, use postResolve to
> override all MX records you see in responses.
> 
> This makes sure you don't invent MX records for domains that don't have
> them.
> 
> Also be aware that if there is no MX record for a domain, a mail server
> might decide to send email directly to the A record.
> 
> Good luck!
> 
>   Bert

Thanks Bert, you saved my day; I will switch over to the recursor.

—Michael


Re: [Pdns-users] Spoof MX records

2018-12-15 Thread Bit World Computing - Michael Mertel
Hi Aleksandr,

I'm somewhat lost. I'm able to set a rule to have the Lua function called for 
MX requests, but how do I return a response? Spoof is just for A-records, but 
not for MX.
addLuaAction(QTypeRule(dnsdist.MX), luarule)

Do I have to generate an answer, and if so, how? Is it possible to use 
dq::addAnswer(), which I found in the recursor documentation? Is this 
valid for dnsdist too?

Best regards.


> On 14.12.2018 at 17:16, Aleksandr Rogozin wrote:
> 
> Hi Michael,
> 
> You should be able to load the file (if the list of zones is large enough and 
> warrants a file) or initialize array of subzones (if there are few zones you 
> want to test) once, when the process starts and loads the Lua script. Loading 
> the file on every request would definitely become a performance issue.
> 
> Best Regards,
> 
> On Fri, Dec 14, 2018 at 10:50 AM Bit World Computing - Michael Mertel 
> <mailto:michael.mer...@bwc.de> wrote:
> Hi Aleksandr,
> 
> Yes, Lua was the way I'm planning to go. But I just wasn't sure whether to use dnsdist or 
> recursor; it probably does not matter in that case.
> 
> Does the file get loaded for every request with io.open, and could this 
> become a performance issue in your opinion? All DNS requests from a fairly 
> well-used mail gateway would be sent to this resolver.
> 
> I think I’ll give it a try with dnsdist and see what happens.
> 
> Best regards.
> 
> 
> 
>> On 14.12.2018 at 12:55, Aleksandr Rogozin <mailto:arogo...@squarespace.com> wrote:
>> 
>> Hi Michael,
>> 
>> I recommend using Lua to intercept the DNS queries. Both dnsdist and 
>> recursor should be able to support it. In Lua you can check for query type 
>> to be MX and load a list of domains from a file using ‘io.open’. Provide 
>> necessary DNS response if the query matches your list of zones. 
>> Additionally, you might want to limit this operation to specific networks 
>> with NetMask or NetMaskGroup.
>> 
>> 
>> On Fri, Dec 14, 2018 at 01:53 Bit World Computing - Michael Mertel 
>> <mailto:michael.mer...@bwc.de> wrote:
>> Hi,
>> 
>> I'm looking for the most efficient way to spoof the answer to an MX query. I 
>> need to redirect outgoing e-mails (specific domains only) to an SMTP gateway 
>> for further processing before they leave the local network. I cannot use any 
>> kind of transport tables at the MTA, so my approach was to use DNS for this.
>> 
>> The number of zones to spoof is currently not defined, could be dozens if 
>> not hundreds.
>> 
>> I would usually do this kind of stuff with dnsdist (which I love), but would 
>> the recursor be a better choice here?
>> 
>> Thanks for any advice.
>> 
>> —Michael
>> 
> 
> 


—
IT security and infrastructure solutions, optimally suited to your environment


Befine / bintec elmeg / Deepnet Security / DELL / Hewlett Packard / Microsoft
Mikrotik / NAKIVO / SonicWall / SOPHOS / STARFACE / VMware / ZyXEL
as well as the best of the open-source world (NGiNX, PowerDNS, phpIPAM, Postfix, 
ZABBIX, zimbra)


Michael Mertel
Inhaber / company owner


Bit World Computing e.K.
Wredestr. 18
97082 Wuerzburg
Deutschland / Germany

Phone: +49 (0)931 45335-0
Fax: +49 (0)931 45335-99

E-Mail: michael.mer...@bwc.de <mailto:michael.mer...@bwc.de>
Skype: bwc.michael
Web: http://www.bwc.de <http://www.bwc.de/>

Local Court Wuerzburg HRA 4937, VAT ID DE155288065
Inhaber / company owner: Michael Mertel


BWC ... one bit ahead ... since 1993

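Putting Bert's recursor approach from earlier in the thread (override MX records in postresolve, never invent MX for a domain that has none) together with Aleksandr's advice quoted in this message (load the domain list once when the script loads, restrict the rewrite to specific client networks with a NetMaskGroup): an added example for the PowerDNS Recursor Lua hook (loaded via lua-dns-script), not code from the thread. The file path, gateway name, client network and TTL are placeholders.

```lua
-- Added example for the PowerDNS Recursor Lua hook; not code from this thread.
-- Placeholders (assumptions, not from the thread):
--   /etc/powerdns/mx-rewrite.txt : one domain per line, '#' starts a comment
--   mailgw.internal.example.     : the internal SMTP gateway to redirect to
--   192.0.2.0/24                 : the clients whose MX answers are rewritten
local REWRITE_FILE = "/etc/powerdns/mx-rewrite.txt"
local GATEWAY_MX   = "10 mailgw.internal.example."
local REWRITE_TTL  = 60

-- Read the domain list once, when the script is loaded, never per query.
local function loadRewriteList(path)
  local domains, count = {}, 0
  local fh = io.open(path, "r")
  if not fh then
    pdnslog("mx-rewrite: cannot open " .. path, pdns.loglevels.Error)
    return domains, count
  end
  for line in fh:lines() do
    -- strip comments and surrounding whitespace, normalise case
    local name = line:gsub("#.*$", ""):gsub("^%s+", ""):gsub("%s+$", ""):lower()
    if name ~= "" then
      -- DNSName:toString() yields a trailing dot; store the list the same way
      if name:sub(-1) ~= "." then name = name .. "." end
      domains[name] = true
      count = count + 1
    end
  end
  fh:close()
  return domains, count
end

local rewriteDomains, rewriteCount = loadRewriteList(REWRITE_FILE)
pdnslog("mx-rewrite: loaded " .. rewriteCount .. " domains", pdns.loglevels.Info)

-- Only clients on the mail gateway's network get rewritten answers.
local mailClients = newNMG()
mailClients:addMask("192.0.2.0/24")

local function isAnswerMX(rec)
  return rec.type == pdns.MX and rec.place == pdns.place.ANSWER
end

function postresolve(dq)
  if dq.qtype ~= pdns.MX then return false end
  if not mailClients:match(dq.remoteaddr) then return false end
  if not rewriteDomains[dq.qname:toString():lower()] then return false end

  -- Keep every record that is not an MX answer; count the MX set we drop.
  local records, kept, dropped = dq:getRecords(), {}, 0
  for _, rec in ipairs(records) do
    if isAnswerMX(rec) then
      dropped = dropped + 1
    else
      table.insert(kept, rec)
    end
  end
  -- Bert's caveat: if the upstream answer carried no MX records, leave it alone.
  if dropped == 0 then return false end

  dq:setRecords(kept)
  dq:addRecord(pdns.MX, GATEWAY_MX, pdns.place.ANSWER, REWRITE_TTL)
  dq.variable = true  -- answer depends on the client; keep it out of the packet cache
  return true
end
```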


Re: [Pdns-users] Spoof MX records

2018-12-14 Thread Bit World Computing - Michael Mertel
Hi Aleksandr,

Yes, Lua was the way I'm planning to go. But I just wasn't sure whether to use dnsdist or 
recursor; it probably does not matter in that case.

Does the file get loaded for every request with io.open, and could this become 
a performance issue in your opinion? All DNS requests from a fairly well-used 
mail gateway would be sent to this resolver.

I think I’ll give it a try with dnsdist and see what happens.

Best regards.



> On 14.12.2018 at 12:55, Aleksandr Rogozin wrote:
> 
> Hi Michael,
> 
> I recommend using Lua to intercept the DNS queries. Both dnsdist and recursor 
> should be able to support it. In Lua you can check for query type to be MX 
> and load a list of domains from a file using ‘io.open’. Provide necessary DNS 
> response if the query matches your list of zones. Additionally, you might 
> want to limit this operation to specific networks with NetMask or 
> NetMaskGroup.
> 
> 
> On Fri, Dec 14, 2018 at 01:53 Bit World Computing - Michael Mertel 
> <mailto:michael.mer...@bwc.de> wrote:
> Hi,
> 
> I'm looking for the most efficient way to spoof the answer to an MX query. I 
> need to redirect outgoing e-mails (specific domains only) to an SMTP gateway 
> for further processing before they leave the local network. I cannot use any 
> kind of transport tables at the MTA, so my approach was to use DNS for this.
> 
> The number of zones to spoof is currently not defined, could be dozens if not 
> hundreds.
> 
> I would usually do this kind of stuff with dnsdist (which I love), but would 
> the recursor be a better choice here?
> 
> Thanks for any advice.
> 
> —Michael
> 




[Pdns-users] Spoof MX records

2018-12-13 Thread Bit World Computing - Michael Mertel
Hi,

I'm looking for the most efficient way to spoof the answer to an MX query. I 
need to redirect outgoing e-mails (specific domains only) to an SMTP gateway for 
further processing before they leave the local network. I cannot use any kind of 
transport tables at the MTA, so my approach was to use DNS for this.

The number of zones to spoof is currently not defined, could be dozens if not 
hundreds.

I would usually do this kind of stuff with dnsdist (which I love), but would 
the recursor be a better choice here?

Thanks for any advice.

—Michael



[Pdns-users] RRSet

2018-04-23 Thread Michael Van Der Beek
Hi All,

I have a question.
In PDNS Server, there is an option, no-shuffle, which if turned on makes names with 
multiple records always return them in order.
For example.
A.test.com  A 192.168.1.1
A.test.com  A 192.168.1.2

If queried for A.test.com it returns in order of records as stored in the DB ( 
I am using mysql).

Now, my question: is it possible to do this on a specific URL basis vs. globally?

In named, there is a rrset-order(A.test.com) in which only A.test.com returns 
in order and the rest of the records return in random order.

How can I achieve something similar to this with pdns-server?

Thanks for your time.

I've researched the mailing list way back, 8+ years ago. There was a discussion 
on this. But the links to the solution no longer exist.
Can anyone tell me if there is a new solution?

Regards,

Michael


Re: [Pdns-users] Meltdown impact on PowerDNS/dnsdist

2018-01-06 Thread Michael Ströder
bert hubert wrote:
> We have done some very tentative measurements on the Linux Meltdown
> workaround & impact on DNS performance.

Besides the performance impact of the "fixes", doesn't this mean that
people should stop doing DNSSEC signing on-the-fly on the authoritative
server and move DNSSEC signing to isolated systems?

Ciao, Michael.





Re: [Pdns-users] Question about logging changes

2017-11-28 Thread Michael Ströder
Dirk Bartley wrote:
> You could log the who of who is logged into the database, but if the database
> connection is done from a front end, it would always be the users the front 
> end
> connects to the database as.  But if you have a front end, just manage it by 
> who
> is logged into the Front end.

Depends on the frontend. If it lets the user impersonate their personal
user account on the DB connection, you get the real who.

It would be nice if the PowerDNS API had a config option like
"connect-as-user" to avoid using a hard-coded API password/key. In this
case you could also let the database backend enforce access control even
for API requests.

Ciao, Michael.





Re: [Pdns-users] Question about logging changes

2017-11-28 Thread Michael Ströder
Dirk Bartley wrote:
> I have been asked to look at some options for assisting my employer to
> alter the way our internal dns is served.  One of the features being
> requested is the ability to log the who, what and when of all changes
> to the data that dns is serving.  Of course when I search for change
> logging, I get the change logs of the code.  Would there be a better
> phrase than "change log" to search for.  Is this the kind of feature
> that already exists, or is this the kind of feature that would be
> better accomplished by writing a front end that we would force everyone
> here to use that does the update.  We are considering using LDAP as a
> backend for the dns service.

How do you plan to maintain the data?

E.g. if you're using an LDAP server as backend *and* you're going to
maintain the data via LDAP, it boils down more to how to audit write
operations on the LDAP server. And this depends on the features of the
LDAP server you're planning to use. Personally I love the accesslog overlay
(originally implemented for delta-replication) in OpenLDAP because it
automatically gives you a perfect audit trail in a separate database.

Ciao, Michael.





Re: [Pdns-users] GUI with LDAP backend ?

2017-05-15 Thread Michael Ströder
r0m5 wrote:
> So here is my question : what do you think would be a convenient way to 
> manage zone and
> records using the LDAP backend ? How do you guys proceed ?

For managing DNS zones in a pdns LDAP backend I've added some plugin classes to
my own client: https://web2ldap.de/
Be warned, it's still not an ideal DNS UI. But once you get used to it, it's IMHO
not much worse than poweradmin. (You can contact me off-list if you have issues
installing/using it.)

Hmm, so far I did not see an intuitive DNS management UI anyway. I guess it's
the generic flexibility of DNS RRs which puts so much burden on the UI.

Ciao, Michael.





Re: [Pdns-users] pdns-ldap <-> Rudder-ldap

2016-11-15 Thread Michael Ströder
StanC wrote:
> Is there a method of translating the ldap schema that Rudder uses for
> its node inventory and using this in a pdns ldap backend?

More or less you're asking for the same feature as me:

https://github.com/PowerDNS/pdns/issues/1832

> I had this fantasy that one could connect to Rudder's ldap server from
> psdn and use it directly as a backend, but I cannot imagine that the
> schemas could possibly align

For tight integration with my Æ-DIR I plan to use the remote-backend:

https://doc.powerdns.com/md/authoritative/backend-remote/

http://jpmens.net/2015/11/03/powerdns-with-the-remote-back-end-and-dnssec/

Ciao, Michael.






Re: [Pdns-users] PowerDNS Recursor does not provide correct answer to Postfix

2016-08-18 Thread Michael

Quoting Pieter Lexis <pieter.le...@powerdns.com>:


Hi Michael,

On Thu, 18 Aug 2016 14:20:25 +
Michael <m...@michi.su> wrote:


Last week I updated to Ubuntu 16.04. So I have a new Postfix version
(3.1.0) as well as a new pdns_recursor version (4.0.0-alpha2).

Since this update Postfix does not receive correct answers for a
particular query anymore. Concretely, queries for A entries of
Office365 mail servers.

For example if Postfix asks for the A entry of
nxp-com.mail.protection.outlook.com, pdns_recursor returns to Postfix
that there is no A record.
However, if I manually do this query with dig, I do get a correct
answer. Please see the logs at the end of the mail.

Besides the queries of Office365 mail servers, the rest is working
fine. I have no idea how to track down that issue? Is there any
setting in pdns_recursor I have to change?


Postfix might be asking for DNSSEC, which is finicky in the alpha
version Ubuntu pulled in. Can you install 4.0.1 from our
repositories[1] and try again? 4.0.1 has about 5 months more
development time in it.


Thanks a lot!
Updating to 4.0.1 solved the problem for me.

Regards,
Michael



Re: [Pdns-users] PowerDNS Recursor does not provide correct answer to Postfix

2016-08-18 Thread Michael

Hi,

thanks for the answer.

Since I can see the query from Postfix in the logs of PDNS_recursor, I  
assume Postfix is communicating with the recursor correctly.


Here is the content of /var/spool/postfix/etc/resolv.conf

root@mx0:~# cat /var/spool/postfix/etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

Thanks,
Michael

Quoting Leen Besselink <l...@consolejunkie.net>:


Hi,

Sounds like a strange problem.

Just to make sure it's set up correctly.

Could you check that Postfix is talking to PowerDNS Recursor?
Because Postfix has a separate resolv.conf (which gets updated when
starting Postfix):


/var/spool/postfix/etc/resolv.conf

On Thu, Aug 18, 2016 at 02:20:25PM +, Michael wrote:

Hi all,

I have been using pdns_recursor package on my Ubuntu 14.04 quite
some time to resolve host names locally. That worked fine for the
entire system.

Last week I updated to Ubuntu 16.04. So I have a new Postfix version
(3.1.0) as well as a new pdns_recursor version (4.0.0-alpha2).

Since this update Postfix does not receive correct answers for a
particular query anymore. Concretely, queries for A entries of
Office365 mail servers.

For example if Postfix asks for the A entry of
nxp-com.mail.protection.outlook.com, pdns_recursor returns to
Postfix that there is no A record.
However, if I manually do this query with dig, I do get a correct
answer. Please see the logs at the end of the mail.

Besides the queries of Office365 mail servers, the rest is working
fine. I have no idea how to track down that issue? Is there any
setting in pdns_recursor I have to change?

Thanks,
Michael


Postfix log
=
Aug 15 18:21:07 mx0 postfix/qmgr[2715]: 39EF2A40EA2:
from=<m...@michi.su>, size=865, nrcpt=1 (queue active)
Aug 15 18:21:08 mx0 postfix/smtp[2907]: warning: no MX host for
nxp.com has a valid address record
Aug 15 18:21:08 mx0 postfix/smtp[2907]: 39EF2A40EA2:
to=<t...@nxp.com>, relay=none, delay=1492, delays=1492/0.12/0.81/0,
dsn=4.4.3, status=deferred (Host or domain name not found. Name
service error for name=nxp-com.mail.protection.outlook.com type=A:
Host not found, try again)
=

pdns_recursor log after Postfix query
=
Aug 15 18:21:07 mx0 pdns_recursor[2512]: 1 [16/1] question for
'nxp.com.|MX' from 127.0.0.1
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 1 [16/2] answer to question
'nxp.com.|MX': 1 answers, 0 additional, took 2 packets, 147.186 ms,
0 throttled, 0 timeouts, 0 tcp connections, rcode=0
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] question for
'nxp-com.mail.protection.outlook.com.|A' from 127.0.0.1
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] answer to question
'nxp-com.mail.protection.outlook.com.|A': 0 answers, 1 additional,
took 9 packets, 595.218 ms, 3 throttled, 0 timeouts, 0 tcp
connections, rcode=2
=

pdns_log after dig query
=
Aug 15 17:52:20 mx0 pdns_recursor[2520]: 2 [53/1] question for
'nxp-com.mail.protection.outlook.com.|A' from 127.0.0.1
Aug 15 17:52:21 mx0 pdns_recursor[2520]: 2 [53/1] answer to question
'nxp-com.mail.protection.outlook.com.|A': 2 answers, 1 additional,
took 2 packets, 111.056 ms, 0 throttled, 0 timeouts, 0 tcp
connections, rcode=0
=



[Pdns-users] PowerDNS Recursor does not provide correct answer to Postfix

2016-08-18 Thread Michael

Hi all,

I have been using pdns_recursor package on my Ubuntu 14.04 quite some  
time to resolve host names locally. That worked fine for the entire  
system.


Last week I updated to Ubuntu 16.04. So I have a new Postfix version  
(3.1.0) as well as a new pdns_recursor version (4.0.0-alpha2).


Since this update Postfix does not receive correct answers for a  
particular query anymore. Concretely, queries for A entries of  
Office365 mail servers.


For example if Postfix asks for the A entry of
nxp-com.mail.protection.outlook.com, pdns_recursor returns to Postfix
that there is no A record.
However, if I manually do this query with dig, I do get a correct
answer. Please see the logs at the end of the mail.


Besides the queries of Office365 mail servers, the rest is working  
fine. I have no idea how to track down that issue? Is there any  
setting in pdns_recursor I have to change?


Thanks,
Michael


Postfix log
=
Aug 15 18:21:07 mx0 postfix/qmgr[2715]: 39EF2A40EA2:  
from=<m...@michi.su>, size=865, nrcpt=1 (queue active)
Aug 15 18:21:08 mx0 postfix/smtp[2907]: warning: no MX host for  
nxp.com has a valid address record
Aug 15 18:21:08 mx0 postfix/smtp[2907]: 39EF2A40EA2:  
to=<t...@nxp.com>, relay=none, delay=1492, delays=1492/0.12/0.81/0,  
dsn=4.4.3, status=deferred (Host or domain name not found. Name  
service error for name=nxp-com.mail.protection.outlook.com type=A:  
Host not found, try again)

=

pdns_recursor log after Postfix query
=
Aug 15 18:21:07 mx0 pdns_recursor[2512]: 1 [16/1] question for  
'nxp.com.|MX' from 127.0.0.1
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 1 [16/2] answer to question  
'nxp.com.|MX': 1 answers, 0 additional, took 2 packets, 147.186 ms, 0  
throttled, 0 timeouts, 0 tcp connections, rcode=0
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] question for  
'nxp-com.mail.protection.outlook.com.|A' from 127.0.0.1
Aug 15 18:21:08 mx0 pdns_recursor[2512]: 2 [9/2] answer to question  
'nxp-com.mail.protection.outlook.com.|A': 0 answers, 1 additional,  
took 9 packets, 595.218 ms, 3 throttled, 0 timeouts, 0 tcp  
connections, rcode=2

=

pdns_log after dig query
=
Aug 15 17:52:20 mx0 pdns_recursor[2520]: 2 [53/1] question for  
'nxp-com.mail.protection.outlook.com.|A' from 127.0.0.1
Aug 15 17:52:21 mx0 pdns_recursor[2520]: 2 [53/1] answer to question  
'nxp-com.mail.protection.outlook.com.|A': 2 answers, 1 additional,  
took 2 packets, 111.056 ms, 0 throttled, 0 timeouts, 0 tcp  
connections, rcode=0

=



Re: [Pdns-users] [Pdns-announce] PowerDNS Authoritative Server 4.0.0 released

2016-07-11 Thread Michael Ströder
Pieter Lexis wrote:
>  * A revived and supported LDAP backend (ldap).

Thanks! :-)

Ciao, Michael.






Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

2016-05-20 Thread Bit World Computing - Michael Mertel
Hi Leen,

thanks for clearing this up. My approach was a bit too naive, but my recursor is 
now returning what's expected.

The +dnssec parameter is the essential trick, and depending on dnssec=off or 
=process in my recursor.conf the recursor is returning the correct information.

Thanks for your feedback.

—Michael


> On 19.05.2016 at 17:36, Leen Besselink <l...@consolejunkie.net> wrote:
> 
> On Thu, May 19, 2016 at 03:00:12PM +0200, Bit World Computing - Michael 
> Mertel wrote:
>> Hi,
>> 
> 
> Hi,
> 
>> I'm currently trying to get a better understanding of DNSSEC. But even if I 
>> enable dnssec=process in my recursor.conf, I cannot get any DNSSEC related 
>> answer from it. What am I doing wrong here? I'm somewhat lost.
>> 
>> —
>> --- direct query 
>> dig @ns1.denic.de ANY www.denic.de
>> ;; ANSWER SECTION:
>> www.denic.de.3600IN  A   81.91.170.12
>> www.denic.de.3600IN  RRSIG   A 8 3 3600 
>> 2016060209 2016051909 26155 denic.de. 
>> rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG 
>> lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO 
>> ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG 
>> AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp 
>> ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS
>> 
>> ;; AUTHORITY SECTION:
>> denic.de.3600IN  NS  ns2.denic.de.
>> denic.de.3600IN  NS  ns3.denic.de.
>> denic.de.3600IN  NS  ns1.denic.de.
>> 
>> ;; ADDITIONAL SECTION:
>> ns1.denic.de.3600IN  A   81.91.170.1
>> ns1.denic.de.3600IN  2a02:568:121:6:2::2
>> ns2.denic.de.3600IN  A   78.104.145.26
>> ns3.denic.de.3600IN  A   81.91.173.19
> 
> 
> DENIC can return whatever they want with an ANY-query, but that doesn't mean 
> it's DNSSEC.
> 
>> 
>> —
>> — query through dnsdist —
>> dig @192.168.1.5 ANY www.denic.de
>> 
>> ;; ANSWER SECTION:
>> www.denic.de.2083IN  A   81.91.170.12
>> www.denic.de.2083IN  RRSIG   A 8 3 3600 
>> 2016060109 2016051809 26155 denic.de. 
>> CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2 
>> oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8 
>> n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm 
>> YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z 
>> RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa
>> 
>> —
>> — query through recursor (no forwarders, dnssec=process) —
>> dig -p 5153 @192.168.1.5 ANY www.denic.de
>> 
>> ;; ANSWER SECTION:
>> www.denic.de.2724IN  A   81.91.170.12
>> 
>> —
>> 
>> Thanks in advance.
>> 
> 
> This would be the usual way to check DNSSEC. Without:
> 
> $ dig @d.ns.nic.cz labs.nic.cz A
> 
> ; <<>> DiG 9.8.1-P1 <<>> @d.ns.nic.cz labs.nic.cz A
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60824
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;labs.nic.cz.   IN  A
> 
> ;; ANSWER SECTION:
> labs.nic.cz.1800IN  A   217.31.205.52
> 
> ;; AUTHORITY SECTION:
> nic.cz. 1800IN  NS  a.ns.nic.cz.
> nic.cz. 1800IN  NS  b.ns.nic.cz.
> nic.cz. 1800IN  NS  d.ns.nic.cz.
> 
> ;; ADDITIONAL SECTION:
> a.ns.nic.cz.1800IN  A   194.0.12.1
> a.ns.nic.cz.1800IN  2001:678:f::1
> b.ns.nic.cz.1800IN  A   194.0.13.1
> b.ns.nic.cz.1800IN  2001:678:10::1
> d.ns.nic.cz.1800IN  A   193.29.206.1
> d.ns.nic.cz.1800IN  2001:678:1::1
> 
> With DNSSEC:
> 
> $ dig +dnssec @d.ns.nic.cz labs.nic.cz A
> 
> ; <<>> DiG 9.8.1-P1 <<>> +dnssec @d.ns.nic.cz labs.nic.cz A
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54051
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 10
> ;; WARNING: recursio

[Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

2016-05-19 Thread Bit World Computing - Michael Mertel
Hi,

I'm currently trying to get a better understanding of DNSSEC. But even if I 
enable dnssec=process in my recursor.conf, I cannot get any DNSSEC related 
answer from it. What am I doing wrong here? I'm somewhat lost.

—
--- direct query 
dig @ns1.denic.de ANY www.denic.de
;; ANSWER SECTION:
www.denic.de.   3600IN  A   81.91.170.12
www.denic.de.   3600IN  RRSIG   A 8 3 3600 2016060209 
2016051909 26155 denic.de. 
rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG 
lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO 
ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG 
AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp 
ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS

;; AUTHORITY SECTION:
denic.de.   3600IN  NS  ns2.denic.de.
denic.de.   3600IN  NS  ns3.denic.de.
denic.de.   3600IN  NS  ns1.denic.de.

;; ADDITIONAL SECTION:
ns1.denic.de.   3600IN  A   81.91.170.1
ns1.denic.de.   3600IN  2a02:568:121:6:2::2
ns2.denic.de.   3600IN  A   78.104.145.26
ns3.denic.de.   3600IN  A   81.91.173.19

—
— query through dnsdist —
dig @192.168.1.5 ANY www.denic.de

;; ANSWER SECTION:
www.denic.de.   2083IN  A   81.91.170.12
www.denic.de.   2083IN  RRSIG   A 8 3 3600 2016060109 
2016051809 26155 denic.de. 
CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2 
oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8 
n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm 
YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z 
RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa

—
— query through recursor (no forwarders, dnssec=process) —
dig -p 5153 @192.168.1.5 ANY www.denic.de

;; ANSWER SECTION:
www.denic.de.   2724IN  A   81.91.170.12

—

Thanks in advance.

—Michael


Re: [Pdns-users] pdns-recursor 0.0.759g02abb90-1 (4.0 master) vs. getent?

2016-03-09 Thread Bit World Computing - Michael Mertel
Hi Pieter,

dnssec=off did the trick indeed. Hope you can fix this, because dnssec was the 
reason I went to 4.x in the first place :)

If I can be of any help here, just let me know.

Best regards.
 
> On 09.03.2016 at 10:05, Pieter Lexis <pieter.le...@powerdns.com> wrote:
> 
> Hi Michael,
> 
> Please keep replies on the mailinglist (mails reproduced below).
> 
> Judging by your log and some of my testing, I think you uncovered a bug in 
> the DNSSEC implementation. Could you try this with `dnssec=off` in the 
> recursor.conf?
> 
> Best regards,
> 
> Pieter
> 
> On Wed, 9 Mar 2016 07:46:49 +0100
> Bit World Computing - Michael Mertel <michael.mer...@bwc.de> wrote:
> 
>> Hello Pieter,
>> 
>> thanks for helping me out on this.
>> 
>>> On 08.03.2016 at 18:57, Pieter Lexis <pieter.le...@powerdns.com> wrote:
>>> 
>>> Hello Michael,
>>> 
>>> On Tue, 8 Mar 2016 16:32:26 +0100
>>> Bit World Computing - Michael Mertel <michael.mer...@bwc.de> wrote:
>>> 
>>>> I was wondering why an apt-get update cannot resolve repo.powerdns.com, 
>>>> but a ping is able to do so. This only happens if /etc/resolv.conf points 
>>>> to my recursor. If I use 8.8.8.8 as nameserver everything works as 
>>>> expected.
>>>> 
>>>> This is somewhat strange, because 8.8.8.8 is the forwarding dns for my 
>>>> local recursor.
>>> 
>>> Do you use the `forward-zones-recurse`[1] or the `forward-zones`[2] option? 
>>> When forwarding to google (8.8.8.8), the `forward-zone-recurse` option is 
>>> needed (i.e. `forward-zones-recurse=.=8.8.8.8` in your recursor.conf). This 
>>> will set the Recursion Desired-bit on the query sent out. Google sends 
>>> SERVFAIL to clients without the RD-bit set.
>>> 
>> I currently use these forward statements in my recursor.conf:
>> 
>> forward-zones-file=/etc/powerdns/forward-zones
>> forward-zones-recurse=.=8.8.8.8
>> 
>> The forward-zones file points to some internal nameservers, all 8.8.8.8 
>> related is done through forward-zones-recurse.
>> 
>> 
>>> If this is the case and you still have these issues, could you enable the 
>>> `trace`[3] option and query your local resolver for repo.powerdns.com and 
>>> email the traces?
>>> 
>> I attached the trace log, hope it includes everything you need. I tried to 
>> keep the noise as low as possible, but some other systems queried the 
>> recursor as well.
>> 
>>>> Maybe it’s how the apt-get tries to resolve the name? The only thing I 
>>>> found was, that getent is not returning the correct results.
>>> 
>>> apt, ping and getent all seem to use the getaddrinfo(3) call.
>>> 
>> I was 100% sure that a ping worked, but it does not work now; 
>> repo.powerdns.com is not resolving anywhere. repo1.powerdns.com is a 
>> different story:
>> 
>> root@dns-1:/var/log# ping repo.powerdns.com
>> ping: unknown host repo.powerdns.com
>> root@dns-1:/var/log# getent hosts repo1.poerdns.com
>> root@dns-1:/var/log# ping repo1.powerdns.com
>> PING repo1.powerdns.com (188.166.116.224) 56(84) bytes of data.
>> 64 bytes from repo1.powerdns.com (188.166.116.224): icmp_seq=1 ttl=58 
>> time=42.9 ms
>> 64 bytes from repo1.powerdns.com (188.166.116.224): icmp_seq=2 ttl=58 
>> time=42.9 ms
> 
> 
> On Wed, 9 Mar 2016 08:28:05 +0100
> Bit World Computing - Michael Mertel <michael.mer...@bwc.de> wrote:
> 
>> Hi Pieter,
>> 
>> sorry I overlooked a typo.
>> 
>> root@dns-1:/var/log# getent  hosts repo.powerdns.com
>> 2a03:b0c0:2:d0::4a4:6001 repo1.powerdns.com repo.powerdns.com
>> root@dns-1:/var/log# getent  hosts repo1.powerdns.com
>> 2a03:b0c0:2:d0::4a4:6001 repo1.powerdns.com
>> 
>> Does this mean my recursor is preferring IPv6 over IPv4? I don't use IPv6 at 
>> all.
>> 
>> 
> -- 
> Pieter Lexis
> PowerDNS.COM BV -- https://www.powerdns.com



--
IT security solutions from DELL SonicWALL and Sophos from your certified 
partner Bit World Computing.





Michael Mertel
Inhaber / company owner


Bit World Computing e.K.
Wredestraße 18
97082 Wuerzburg
Deutschland / Germany

Phone: +49 (0)931 45335-0
Fax: +49 (0)931 45335-99

E-Mail: michael.mer...@bwc.de <mailto:michael.mer...@bwc.de>
GoogleTalk / Skype: bwc.michael
Web: http://www.bwc.de <http://www.bwc.de/>

Local Court Wuerzburg HRA 4937, VAT ID DE155288065
Geschäftsführer / company owner: Michael Mertel


BWC ... one bit ahead ... since 1993






[Pdns-users] Re: pdns-recursor 4.0.0alpha1 crashes at startup

2016-01-30 Thread Bit World Computing - Michael Mertel
Hello Pieter,

thanks for the clarification, the master branch fixed the problem indeed, but 
it crashes very often. 

For some odd reason I'm not able to do a wget from 
http://download.powerdns.com; it complains about not being able to resolve the 
name, but a 'host download.powerdns.com' returns successfully. I changed my DNS 
from the local recursor to 8.8.8.8 in /etc/resolv.conf and the problem with wget 
went away.

Meanwhile I returned to 3.7.3, but I will give it another shot later because of 
the DNSSEC functionality.

—Michael




Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread Michael Loftis
(inline)

On Wed, Jan 6, 2016 at 11:42 AM, Nicholas Williams
 wrote:
> I'll look into that other script. Thanks, Bert.
>
>> How about a creating a separate sub-zone with a broken presigned DNSSEC
>
>> You can set presigned for just that single zone using the PRESIGNED domain
>> metadata[1] int your database.
>
> I really like this idea in combination. That documentation that Pieter sent
> me should help me get set up with presigning. But, Leen, how would I set up
> a subzone delegated to the same authoritative server (or can I, even?)? Can
> you point me to that documentation?

B/C the server is the same you don't necessarily need to set up the
delegation in the zone with records table.  You just need to have it
in the domains table.  That said you *can* totally do a full
delegation.  You just insert NS records into the parent zone records
w/ the parent domain_id, and do SOA+NS/whatever you normally do
(synthetic SOA/generated SOA comes to mind) inside the delegated zone
(child) domain_id...there's no magic to delegations.  You'll have like
2x the NS records for a self delegated zone (as the parent zone will
have the same records with the parent/delegating domain_id).


>
> Google really hasn't indexed this documentation very well at all...
>
> Thanks,
>
> Nick



Re: [Pdns-users] PDNS to answer as NON-authoritative?

2016-01-03 Thread Michael Loftis
Two people have answered your question and told you what you're missing.
I'm not going to try to guess at whatever misconfiguration or
misunderstanding resulted in you getting (or seemingly getting) recursive
results from bind when you were attempting to disable them. PowerDNS fully
and completely separates all authoritative functionality from recursive
 functionality (and any associated caches). This is in contrast to bind
which merges all such functionality.


On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <
luis.daniel.lu...@gmail.com> wrote:

> No because in bind, when you turn off recursive resolution it resolves. I
> can't figure out the missing part to have the same behavior.
> On 3 Jan 2016 2:39 PM, "Michael Loftis" <mlof...@wgops.com> wrote:
>
>> Again not a resolver. Sorry but you're the one misunderstanding. If you
>> want answers for data not present you need a recursive resolver.
>>
>> On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <
>> luis.daniel.lu...@gmail.com> wrote:
>>
>>> Host command does not do that as well. It off on the sample output
>>> On 3 Jan 2016 2:00 PM, "Aki Tuomi" <cmo...@cmouse.fi> wrote:
>>>
>>>> That is because dig is not a resolver.
>>>>
>>>>
>>>>
>>>> ---
>>>> Aki Tuomi
>>>>
>>>>
>>>>  Original message 
>>>> From: Luis Daniel Lucio Quiroz <luis.daniel.lu...@gmail.com>
>>>> Date: 03/01/2016 20:56 (GMT+02:00)
>>>> To: Michael Loftis <mlof...@wgops.com>
>>>> Cc: Aki Tuomi <cmo...@youzen.ext.b2.fi>,
>>>> pdns-users@mailman.powerdns.com
>>>> Subject: Re: [Pdns-users] PDNS to answer as NON-authoritative?
>>>>
>>>> You don't pay attention.
>>>> My question is why the resolver doesn't continue the iterative query.
>>>> It just stops when it gets the ns answer
>>>> On 3 Jan 2016 12:59 PM, "Michael Loftis" <mlof...@wgops.com> wrote:
>>>>
>>>>> Then quit asking it for information it doesn't have. Responding with
>>>>> the root NS set is correct when you're asking for Google.com which it 
>>>>> knows
>>>>> nothing about.
>>>>>
>>>>> On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <
>>>>> luis.daniel.lu...@gmail.com> wrote:
>>>>>
>>>>>> Thanks. But that's the way u don't want to use. I know how.
>>>>>>
>>>>>> I need to make it work in non recursive mode.
>>>>>> On 3 Jan 2016 9:29 AM, "Aki Tuomi" <cmo...@youzen.ext.b2.fi> wrote:
>>>>>>
>>>>>>> If you want to use auth as recursor, you need to configure
>>>>>>>
>>>>>>> recursor=
>>>>>>> allow-recursion=
>>>>>>>
>>>>>>> On Sat, Jan 02, 2016 at 09:55:54PM -0800, Michael Loftis wrote:
>>>>>>> > PowerDNS is not the same as PowerDNS Recursor. The former only does
>>>>>>> > authoritative which is your problem here.
>>>>>>> >
>>>>>>> > On Saturday, January 2, 2016, Luis Daniel Lucio Quiroz <
>>>>>>> > luis.daniel.lu...@gmail.com> wrote:
>>>>>>> >
>>>>>>> > > Hello
>>>>>>> > >
>>>>>>> > > What am I missing? I have this:
>>>>>>> > > launch=pipe,bind
>>>>>>> > > pipe-command=/usr/local/libexec/latency.pdns.plugin
>>>>>>> > > pipe-regex=^.*\.(mylocaldomain)\.(net);.*$
>>>>>>> > > bind-config=/etc/named.pdns.conf
>>>>>>> > > bind-check-interval=300
>>>>>>> > > bind-ignore-broken-records=no
>>>>>>> > > send-root-referral=lean
>>>>>>> > > allow-recursion=192.168.7.0/24
>>>>>>> > >
>>>>>>> > > /etc/named.pdns.conf looks like this
>>>>>>> > > zone "mylocaldomain.net" IN {
>>>>>>> > >type master;
>>>>>>> > >file "/var/named/data/mylocaldomain.net";
>>>>&g

Re: [Pdns-users] PDNS to answer as NON-authoritative?

2016-01-03 Thread Michael Loftis
Again not a resolver. Sorry but you're the one misunderstanding. If you
want answers for data not present you need a recursive resolver.

On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <
luis.daniel.lu...@gmail.com> wrote:

> Host command does not do that as well. It off on the sample output
> On 3 Jan 2016 2:00 PM, "Aki Tuomi" <cmo...@cmouse.fi> wrote:
>
>> That is because dig is not a resolver.
>>
>>
>>
>> ---
>> Aki Tuomi
>>
>>
>>  Original message 
>> From: Luis Daniel Lucio Quiroz <luis.daniel.lu...@gmail.com>
>> Date: 03/01/2016 20:56 (GMT+02:00)
>> To: Michael Loftis <mlof...@wgops.com>
>> Cc: Aki Tuomi <cmo...@youzen.ext.b2.fi>,
>> pdns-users@mailman.powerdns.com
>> Subject: Re: [Pdns-users] PDNS to answer as NON-authoritative?
>>
>> You don't pay attention.
>> My question is why the resolver doesn't continue the iterative query.
>> It just stops when it gets the ns answer
>> On 3 Jan 2016 12:59 PM, "Michael Loftis" <mlof...@wgops.com> wrote:
>>
>>> Then quit asking it for information it doesn't have. Responding with the
>>> root NS set is correct when you're asking for Google.com which it knows
>>> nothing about.
>>>
>>> On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <
>>> luis.daniel.lu...@gmail.com> wrote:
>>>
>>>> Thanks. But that's the way u don't want to use. I know how.
>>>>
>>>> I need to make it work in non recursive mode.
>>>> On 3 Jan 2016 9:29 AM, "Aki Tuomi" <cmo...@youzen.ext.b2.fi> wrote:
>>>>
>>>>> If you want to use auth as recursor, you need to configure
>>>>>
>>>>> recursor=
>>>>> allow-recursion=
>>>>>
>>>>> On Sat, Jan 02, 2016 at 09:55:54PM -0800, Michael Loftis wrote:
>>>>> > PowerDNS is not the same as PowerDNS Recursor. The former only does
>>>>> > authoritative which is your problem here.
>>>>> >
>>>>> > On Saturday, January 2, 2016, Luis Daniel Lucio Quiroz <
>>>>> > luis.daniel.lu...@gmail.com> wrote:
>>>>> >
>>>>> > > Hello
>>>>> > >
>>>>> > > What am I missing? I have this:
>>>>> > > launch=pipe,bind
>>>>> > > pipe-command=/usr/local/libexec/latency.pdns.plugin
>>>>> > > pipe-regex=^.*\.(mylocaldomain)\.(net);.*$
>>>>> > > bind-config=/etc/named.pdns.conf
>>>>> > > bind-check-interval=300
>>>>> > > bind-ignore-broken-records=no
>>>>> > > send-root-referral=lean
>>>>> > > allow-recursion=192.168.7.0/24
>>>>> > >
>>>>> > > /etc/named.pdns.conf looks like this
>>>>> > > zone "mylocaldomain.net" IN {
>>>>> > >type master;
>>>>> > >file "/var/named/data/mylocaldomain.net";
>>>>> > > };
>>>>> > >
>>>>> > > zone "root-servers.net" IN {
>>>>> > >type master;
>>>>> > >file "/var/named/data/named.ca";
>>>>> > > };
>>>>> > >
>>>>> > >
>>>>> > > when I do a dig, or a host, i get this:
>>>>> > >
>>>>> > > dig google.com @PUBLICIP
>>>>> > >
>>>>> > > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> . @PUBLICIP
>>>>> > > ;; global options: +cmd
>>>>> > > ;; Got answer:
>>>>> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29059
>>>>> > > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
>>>>> > > ;; WARNING: recursion requested but not available
>>>>> &g

Re: [Pdns-users] PDNS to answer as NON-authoritative?

2016-01-02 Thread Michael Loftis
PowerDNS is not the same as PowerDNS Recursor. The former only does
authoritative which is your problem here.

On Saturday, January 2, 2016, Luis Daniel Lucio Quiroz <
luis.daniel.lu...@gmail.com> wrote:

> Hello
>
> What am I missing? I have this:
> launch=pipe,bind
> pipe-command=/usr/local/libexec/latency.pdns.plugin
> pipe-regex=^.*\.(mylocaldomain)\.(net);.*$
> bind-config=/etc/named.pdns.conf
> bind-check-interval=300
> bind-ignore-broken-records=no
> send-root-referral=lean
> allow-recursion=192.168.7.0/24
>
> /etc/named.pdns.conf looks like this
> zone "mylocaldomain.net" IN {
>type master;
>file "/var/named/data/mylocaldomain.net";
> };
>
> zone "root-servers.net" IN {
>type master;
>file "/var/named/data/named.ca";
> };
>
>
> when I do a dig, or a host, i get this:
>
> dig google.com @PUBLICIP
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> . @PUBLICIP
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29059
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;.  IN  A
>
> ;; AUTHORITY SECTION:
> .   518400  IN  NS  a.root-servers.net.
> .   518400  IN  NS  b.root-servers.net.
> .   518400  IN  NS  c.root-servers.net.
> .   518400  IN  NS  d.root-servers.net.
> .   518400  IN  NS  e.root-servers.net.
> .   518400  IN  NS  f.root-servers.net.
> .   518400  IN  NS  g.root-servers.net.
> .   518400  IN  NS  h.root-servers.net.
> .   518400  IN  NS  i.root-servers.net.
> .   518400  IN  NS  j.root-servers.net.
> .   518400  IN  NS  k.root-servers.net.
> .   518400  IN  NS  l.root-servers.net.
> .   518400  IN  NS  m.root-servers.net.
>
> ;; ADDITIONAL SECTION:
> a.root-servers.net. 360 IN  A   198.41.0.4
> a.root-servers.net. 360 IN  2001:503:ba3e::2:30
> b.root-servers.net. 360 IN  A   192.228.79.201
> c.root-servers.net. 360 IN  A   192.33.4.12
> d.root-servers.net. 360 IN  A   199.7.91.13
> d.root-servers.net. 360 IN  2001:500:2d::d
> e.root-servers.net. 360 IN  A   192.203.230.10
> f.root-servers.net. 360 IN  A   192.5.5.241
> f.root-servers.net. 360 IN  2001:500:2f::f
> g.root-servers.net. 360 IN  A   192.112.36.4
> h.root-servers.net. 360 IN  A   128.63.2.53
> h.root-servers.net. 360 IN  2001:500:1::803f:235
> i.root-servers.net. 360 IN  A   192.36.148.17
>
> ;; Query time: 24 msec
> ;;
> ;; WHEN: Sun Jan  3 05:10:27 2016
> ;; MSG SIZE  rcvd: 484
>
>
> or
>
> host google.com PUBLICIP
> Using domain server:
> Name: PUBLICIP
> Address: PUBLICIP#53
> Aliases:
>
>
> As you see, there is no answer. I only get the root NS servers.
>
> --
> Luis Daniel Lucio Quiroz
> CISSP, CISM, CISA
> Linux, VoIP and much more fun
> www.okay.com.mx
>
> Need LCR? Check out LCR for FusionPBX with FreeSWITCH
> Need Billing? Check out Billing for FusionPBX with FreeSWITCH
>




Re: [Pdns-users] DNSSEC, pdns-recursor and libunbound

2015-04-25 Thread Michael Ströder

l...@consolejunkie.net wrote:

On 2015-04-24 21:35, Michael Ströder wrote:

Michael Ströder wrote:

We're currently testing DNSSEC validation with libunbound 1.5.3 with all
the RRs
retrieved through a pdns-recursor (also tested 3.7.2).

It seems that

1. libunbound does not explicitly retrieve the RRSIG RRs and

2. pdns-recursor does not return them when not explicitly requested (qtype ANY).
(Explicitly requesting RRSIG works.)

=> validation in libunbound fails


Did further testing with python-unbound (thin wrapper module on top
of libunbound) with simple script almost equal to this:

http://www.unbound.net/documentation/pyunbound/examples/example4.html

Looking at PCAP dumps with Wireshark the requests sent by libunbound
contain the DO bit:

1...    = DO bit: Accepts DNSSEC security RRs

It seems to me that unbound and Google's 8.8.8.8 therefore return
RRSIG RRs while pdns-recursor does not.

I have to admit that looking at [1] rather confuses me. ;-)

Sniffing the out-going requests sent by pdns-recursor the DO bit is
missing. Obviously the DNS servers then do not respond with RRSIG RRs.

Ciao, Michael.

[1] http://tools.ietf.org/html/rfc4035#section-3.2.1


It's too bad nobody replied to you yet.


Given my last posting was late in the evening your response is pretty quick. :-)


Let me tell you how it is:

The DO-bit in the request to the recursor means: please include DNSSEC
information.


Yes.


Then if the recursor you are requesting it from does validation and it fails
it will return an error similar to domain not found.


Actually I'm using python-unbound (mainly libunbound) for the validation but 
would like to use the existing pdns-recursor for simply retrieving the RRs.


But since the DO bit is not forwarded it does not get the RRSIG RRs back and 
returns the result with validation status bogus.



http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/

If I understand correctly the PowerDNS developers have put in some of the time
to add DNSSEC to their recursor but it isn't done yet.


Already saw this blog article before. I'm looking forward to pdns-recursor 4.x 
because I like its logging more than that of other recursors.



In the past I've requested from the PowerDNS developers, would it be possible
to at least include the DNSSEC-information so Unbound can do the validation.

I told them you can leave the validation out of PowerDNS-recursor, I care less
about that.

The answer I got was:

The validation is in comparison the easy part, changing the recursor to return
the DNSSEC-information is more work.


Hmm, but if explicitly requested in the query pdns-recursor does actually 
retrieve the RRSIG RRs.


Wouldn't it be possible to also send the DO bit in the out-going query if the 
incoming query had it set?


Ciao, Michael.






[Pdns-users] DNSSEC, pdns-recursor and libunbound

2015-04-24 Thread Michael Ströder

HI!

We're currently testing DNSSEC validation with libunbound 1.5.3 with all 
the RRs retrieved through a pdns-recursor (also tested 3.7.2).

It seems that

1. libunbound does not explicitly retrieve the RRSIG RRs and

2. pdns-recursor does not return them when not explicitly requested (qtype ANY).
   (Explicitly requesting RRSIG works.)

=> validation in libunbound fails

Did anybody else try such a setup before? Did it work?

Most people doing DNSSEC validation simply use bind9 or unbound for 
recursing and as validating resolver but for now that's likely not an 
option in this infrastructure.

Any hint is appreciated. Thanks in advance.

Ciao, Michael.




Re: [Pdns-users] DNSSEC, pdns-recursor and libunbound

2015-04-24 Thread Michael Ströder

Michael Ströder wrote:

We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs
retrieved through a pdns-recursor (also tested 3.7.2).

It seems that

1. libunbound does not explicitly retrieve the RRSIG RRs and

2. pdns-recursor does not return them when not explicitly requested (qtype ANY).
(Explicitly requesting RRSIG works.)

=> validation in libunbound fails


Did further testing with python-unbound (thin wrapper module on top of 
libunbound) with simple script almost equal to this:


http://www.unbound.net/documentation/pyunbound/examples/example4.html

Looking at PCAP dumps with Wireshark the requests sent by libunbound contain 
the DO bit:


1...    = DO bit: Accepts DNSSEC security RRs

It seems to me that unbound and Google's 8.8.8.8 therefore return RRSIG RRs 
while pdns-recursor does not.


I have to admit that looking at [1] rather confuses me. ;-)

Sniffing the out-going requests sent by pdns-recursor the DO bit is missing. 
Obviously the DNS servers then do not respond with RRSIG RRs.


Ciao, Michael.

[1] http://tools.ietf.org/html/rfc4035#section-3.2.1



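As an added example (not code from the list, from PowerDNS or from unbound), the stdlib-only Python below puts the DO bit from the DNSSEC threads above and the root referral from the earlier "PDNS to answer as NON-authoritative?" thread into wire-format terms: it builds an EDNS0 query with DO, detects DO in any query (what the Wireshark check above looked for on the recursor's outgoing packets), re-issues a question upstream with the client's DO bit copied as Michael proposes, and classifies a response as referral, answer or signed answer from its header flags and sections. All messages are constructed inline; `forward_query` illustrates the proposal, not pdns-recursor's real forwarding logic.

```python
import struct

TYPE_A, TYPE_NS, TYPE_OPT, TYPE_RRSIG = 1, 2, 41, 46
DO_FLAG = 0x8000   # DO = top bit of the OPT RR's 16-bit extended flags (RFC 4035 3.2.1)
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Dotted name -> uncompressed DNS labels ("" or "." is the root)."""
    labels = [lb for lb in name.rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def skip_name(msg, off):
    """Offset just past the name at off; a compression pointer (0xC0..) ends it."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def rr(name, rtype, ttl, rdata, rclass=1):
    """Wire-format RR. For OPT, the class field is the UDP payload size and
    the TTL field carries extended RCODE / version / flags (where DO lives)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def opt_rr(do):
    """EDNS0 OPT pseudo-RR advertising a 4096-byte UDP payload, DO optional."""
    return rr("", TYPE_OPT, DO_FLAG if do else 0, b"", rclass=4096)

def build_query(qname, qtype, txid=0x1234, rd=True, do=False):
    """One-question query (class IN); do=True appends an OPT RR with DO set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, int(do))
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    return (msg + opt_rr(True)) if do else msg

def build_response(query, answer=(), authority=(), additional=(), aa=False, ra=False, rcode=0):
    """Constructed reply to `query`: same ID and question, QR set, RD copied."""
    rd = struct.unpack("!H", query[2:4])[0] & FLAG_RD
    flags = FLAG_QR | rd | (FLAG_AA if aa else 0) | (FLAG_RA if ra else 0) | rcode
    header = query[:2] + struct.pack("!HHHHH", flags, 1, len(answer), len(authority), len(additional))
    return header + query[12:skip_name(query, 12) + 4] + b"".join([*answer, *authority, *additional])

def header_flags(msg):
    """The header bits dig prints as 'flags: qr aa rd ra', plus the RCODE."""
    f = struct.unpack("!H", msg[2:4])[0]
    return {"qr": bool(f & FLAG_QR), "aa": bool(f & FLAG_AA), "rd": bool(f & FLAG_RD),
            "ra": bool(f & FLAG_RA), "rcode": f & 0x0F}

def walk_rrs(msg):
    """Yield (section, rtype, ttl) for every RR after the question section."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # question = name + type + class
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            yield section, rtype, ttl
            off += 10 + rdlen

def wants_dnssec(msg):
    """True if an OPT RR with DO is present (Wireshark: 'DO bit: Accepts DNSSEC security RRs')."""
    return any(s == "additional" and t == TYPE_OPT and ttl & DO_FLAG for s, t, ttl in walk_rrs(msg))

def forward_query(incoming, upstream_txid):
    """Re-ask the client's question upstream as an iterative (RD=0) query, copying the
    client's DO bit so RRSIGs come back exactly when the client asked for them.
    Illustrates the proposal in the thread, not pdns-recursor's own forwarding code."""
    question = incoming[12:skip_name(incoming, 12) + 4]
    do = wants_dnssec(incoming)
    header = struct.pack("!HHHHHH", upstream_txid, 0, 1, 0, 0, int(do))
    return header + question + (opt_rr(True) if do else b"")

def classify_response(msg):
    """'nxdomain' / 'referral' / 'signed-answer' / 'answer', read the way dig output is
    read: no answer RRs, AA clear and NS RRs in the authority section is a referral."""
    flags = header_flags(msg)
    if flags["rcode"] == 3:
        return "nxdomain"
    rrs = [(s, t) for s, t, _ in walk_rrs(msg)]
    answers = [t for s, t in rrs if s == "answer"]
    if not answers and not flags["aa"] and ("authority", TYPE_NS) in rrs:
        return "referral"   # e.g. an authoritative-only server handing out the root NS set
    return "signed-answer" if TYPE_RRSIG in answers else "answer"

if __name__ == "__main__":
    # Constructed sample: the root referral from the dig output in the earlier thread.
    q = build_query("google.com", TYPE_A)
    referral = build_response(q, authority=[rr(".", TYPE_NS, 518400, encode_name("a.root-servers.net"))],
                              additional=[rr("a.root-servers.net", TYPE_A, 360, bytes([198, 41, 0, 4]))])
    print(header_flags(referral), classify_response(referral))   # ra False -> referral
    print(wants_dnssec(forward_query(build_query("example.com", TYPE_A, do=True), 0xBEEF)))  # True
```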


[Pdns-users] LargeScaleDNSSECBCP / versions

2015-04-16 Thread Michael Ströder

HI!

It seems this wiki page mentions rather old pdns versions:

http://wiki.powerdns.com/trac/wiki/LargeScaleDNSSECBCP

Are there more recent insights to consider regarding versions?
Especially when thinking about pdns upgrade 3.3.x - 3.4.1 for DNSSEC?

Ciao, Michael.

--
Michael Ströder
E-Mail: mich...@stroeder.com
http://www.stroeder.com





Re: [Pdns-users] Configure private subdomain

2015-03-28 Thread Michael Ströder

Nikolaos Milas wrote:

If you managed to set up this demo (Split-DNS with powerdns and LDAP-Backend)
for the Linux-Tage, could you please post this work here or a link to a page
where it is available?


Basically it boils down to this ACL:

access to
  dn.subtree=cn=pdns,ou=services,ou=infra-dir
  filter=(objectClass=dNSDomain2)
by set="user/memberOf & this/seeAlso" read
by * none

Attribute 'seeAlso' contains DN(s) of group entries of service accounts of 
powerdns instances.


Could not extensively test it though due to time constraints.

And a nicer schema for not (ab)using attribute 'seeAlso' would be better.

Ciao, Michael.





Re: [Pdns-users] Configure private subdomain

2015-03-04 Thread Michael Ströder
Nikolaos Milas wrote:
 On 3/3/2015 2:44 PM, Nikolaos Milas wrote:
 
 Ideally, we would like pdns to be configured to reply to requests *for
 particular names* (under a specific subdomain, say internal.example.com) by
 only providing AAAA records (if available, otherwise no results) and hide A
 records.

 This way we could specify (for names under a specific domain), A records
 which will contain a Private IP Address, so as to  not be visible to the
 Internet but only locally.
 
 Corrections/Clarifications:
 
 Ideally, we would like pdns to be configured to reply to requests *for
 particular names* (under a specific subdomain, say internal.example.com) by
 only providing AAAA records (if available, otherwise no results) and hide A
 records to all requests, except to those from our own networks (as would be
 configured), to which full replies would be provided.
 
 This way we could specify (for names under a specific domain), A records
 which will contain a Private IP Address, so as to  not be visible to the
 Internet but only locally (to our own networks, which would be specified
 explicitly).

This sounds a bit like a special case for split horizon DNS.

I promised to configure a demo using powerdns with LDAP backend for this based
on OpenLDAP ACLs and several powerdns instances using different LDAP identities.

Feel free to come here and ask whether I managed to get it working in time:
https://chemnitzer.linux-tage.de/2015/en/programm/beitrag/134

Ciao, Michael.






Re: [Pdns-users] Slave DNSKeys

2015-03-02 Thread Michael Ströder
Peter van Dijk wrote:
 (2) it looks like your RRSIGs and KSK DNSKEY on the slave are truncated; we
 recommend increasing the size of the ‘content’ column in the records table
 (see our upgrade notes https://doc.powerdns.com/md/authoritative/upgrading/
 )

(Sigh!) I really wonder why the LDAP backend is not improved to support
DNSSEC. It's so much easier to set up an LDAP server with multi-master and
two-tier replication than a mySQL server. And attributes are of variable
length by default.

Ciao, Michael.





Re: [Pdns-users] ANY+Reflection Attacks?

2015-02-25 Thread Michael Ströder
Ciro Iriarte wrote:
 2015-02-24 17:49 GMT-03:00 Ciro Iriarte cyru...@gmail.com:
 
 Hi!, I'm seeing a lot of messages of type Timeout from remote TCP client
 10.XXX.XXX.XXX, it seems to be an attack given we have any-to-tcp = yes.

 Is this usual? Is there any way to identify the attackers? The service is
 working fine and we have in our roadmap constant packet capture for data
 mining but I find this behaviour new/interesting today :)

 Any comments?

 Regards,
 
 Well, never mind. After all, those are legitimate clients and there seems
 to be a firewall with connection tracking issues. What's unexpected to me
 is having TCP requests, I was expecting only UDP traffic from end users.

DNSSEC used?

Ciao, Michael.





[Pdns-users] DNS names and strings (was: PowerDNS development plans: 4.x DNSSEC, C++ 2011!)

2015-02-23 Thread Michael Ströder
bert hubert wrote:
 In this post, we’d like to share our current plans for .. PowerDNS 4.x!

Glad to read all your plans.

* We treat DNS names as ASCII strings, which we escape and unescape
  repeatedly.  DNS names are not ascii strings, and we keep finding
  issues related to us treating them like strings.

Unfortunately the term string is used in many different ways.
Could you please elaborate on what that means exactly?
E.g. will this affect the way NON-ASCII DNS names are stored in backend files?

Ciao, Michael.





Re: [Pdns-users] Why was content length increased?

2015-02-19 Thread Michael Loftis
DNSSEC and DKIM.

On Thursday, February 19, 2015, Nick Williams nicho...@nicholaswilliams.net
wrote:

 I'm upgrading to authoritative 3.4 and noticed that the records.content
 column has been increased from 255 characters to 64000 characters. Because
 my table is UTF-8, I get the following error:

 mysql ALTER TABLE records MODIFY content VARCHAR(64000);
 ERROR 1074 (42000): Column length too big for column 'content' (max =
 21845); use BLOB or TEXT instead

 I know I can use latin1, but I tend to avoid any non-Unicode character
 sets completely, and would prefer to stick with UTF-8. Given that:

 - What changed that required the increase from 255 to 64,000 characters?
 - Is there any reason that I couldn't just use VARCHAR(21845)?
 - Are there any performance implications to using TEXT instead of
 VARCHAR(64000)?

 Thanks,

 Nick





Re: [Pdns-users] Currently using distro packages, want to update

2015-02-12 Thread Michael Ströder
Nick Williams wrote:
 I try to always use software packages from my distro package managers 
 (OpenSUSE zypper and CentOS yum) when I can, because it's easier and it 
 resolves all my dependencies for me.
 
 But my distro

Which is your distro? Vendor and exact version number?

For openSUSE I'm trying to keep up with powerdns releases and my submissions
most times end up here pretty soon:

https://build.opensuse.org/package/show/server:dns/pdns
(currently pdns-3.4.2)

https://build.opensuse.org/package/show/server:dns/pdns-recursor
(currently pdns-recursor-3.6.2, 3.7.1 is in my home project but not built yet)

Sooner or later this will be passed downstream in openSUSE Factory for the
next openSUSE release.

You can see here which platforms are enabled for default builds:
https://build.opensuse.org/project/repositories/server:dns

There you will also find the direct download links to zypper repo for your
openSUSE version.  In my OBS home project I'm also building openSUSE
Factory_ARM for running the packages on Raspberry Pi.

Ciao, Michael.





Re: [Pdns-users] DNSSEC with LDAP backend

2015-01-17 Thread Michael Ströder
Jan-Piet Mens wrote:
 Would it be possible to set up an authoritative PowerDNS server with DNSSEC
 support using the LDAP backend?
 
 The LDAP back-end doesn't support DNSSEC.

I'm aware that the LDAP back-end is not fully supported.

Let me be more precise:

I don't need auto-signing or support by other PowerDNS tools.

I'd implement generating DNSSEC related RRs with own custom scripts writing
LDAP entries.

All I need is that powerdns delivers the RRs needed for DNSSEC read from LDAP
entries. Is that possible?

Ciao, Michael.






[Pdns-users] DNSSEC with LDAP backend

2015-01-16 Thread Michael Ströder
HI!

Would it be possible to set up an authoritative PowerDNS server with DNSSEC
support using the LDAP backend?

Do I have to extend some DNSSEC-related RRs in the list ldap_attrany in file
modules/ldapbackend/ldapbackend.hh ? As it seems to me the attribute name is
derived from qtype name string and not from content of ldap_attrany if qtype
is set.

Ciao, Michael.






[Pdns-users] RFE LDAP backend: Filter template

2014-10-18 Thread Michael Ströder
HI!

I know that the LDAP backend is not very high on the list of powerdns
development. But I'd like to propose a small enhancement which would make some
unusual LDAP-related setups easier.

Simple new config item 'ldap-filter-template':

Default:
ldap-filter-template = '(associatedDomain={0})'

Which could be replaced when using DHCP server with LDAP backend by:

ldap-filter-template = '(&(objectClass=)(dhcpAssignedHostName={0}))'

Even nicer would be a configurable filter map.
The {} syntax is inspired by Python's string formatting syntax and is only used
as an example.

Of course I can use the pipe-backend to implement whatever is needed for LDAP
integration.

Ciao, Michael.





Re: [Pdns-users] Recursion issue--SERVFAIL then NOERROR totally at random

2014-09-09 Thread Michael Loftis
On Tue, Sep 9, 2014 at 9:55 AM, Brian Menges bmen...@gogrid.com wrote:
 I’d say it’s on Toyota’s end:



Same here gslb-ns1.toyota-na.com not responding (Comcast, Seattle, WA)



[Pdns-users] Security of DNSSEC signing (was: New to PowerDNS)

2014-06-26 Thread Michael Ströder
k...@rice.edu wrote:
 On Thu, Jun 26, 2014 at 10:21:06PM +0100, Jorge Bastos wrote:
 For the DNSSEC part, is there a way to create the DNSSEC information just by 
 SQL ?

 If not, the solution is to run pdnssec secure-zone ZONE in a loop on a 
 cron script, am I right?
 
 I do not know about a SQL only solution for MySQL DNSSEC signing, but I
 know that there is a sample schema for Oracle that includes the needed
 triggers and functions and that I have a basically complete version of
 the same for PostgreSQL that I will be submitting to the PDNS folks once
 we have it vetted for production.

Hmm, am I the only one who is concerned about the security of the signing 
process?

Please don't get me wrong. But people are advocating DANE nowadays and aim to
completely replace X.509 certs with that. So security of the signed RRs is
crucial just like issuing X.509 certs. And yes, I know that it's hard to
achieve a higher level of operational security.

Ciao, Michael.






[Pdns-users] RaspPi Syslog Error

2014-02-28 Thread Michael Schaffer
Hi All

I have a version up and running on my RaspPi and it works fine.
However in the syslog I have the following error and wonder if you can
provide some direction.  The download site offers no insight:

Feb 27 22:55:12 raspbmc pdns[1152]: Recursive query for remote
192.168.15.160:3127 with internal id 8 was not answered by
backend within timeout, reusing id

Feb 27 22:55:12 raspbmc pdns[1152]: Unable to send a packet to our
recursing backend: Invalid argument

My allow-recursion line looks like this:
allow-recursion=127.0.0.1,192.168.15.0/24,192.168.15.155
recursor=8.8.8.8



Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)

2013-12-16 Thread Michael Loftis
I can't replicate with 3.0.1 so I don't think it's in any current code.
Barring a regression of course. Idk what he is running but it is possible
that it's old and affected. Can't be sure since I can't investigate directly.
On Dec 15, 2013 11:40 PM, Peter van Dijk peter.van.d...@netherlabs.nl
wrote:

 Hello folks,

 I have not followed this thread (I saw it was full of helpful people
 already!), but I would just like to point out that that bug is actually 8
 years old -- our github migration could not copy the timestamps reliably.
 The fix was in version 2.9.20, released March 2006.

 That said, if anybody does think a bug has been found in a recent
 PowerDNS, we're happy to look into it!

 Kind regards,
 --
 Peter van Dijk
 Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

 On Dec 13, 2013, at 23:54 , Michael Loftis wrote:

  Ah...You actually *may* have hit a bug.  What version of powerdns and
  what backend?  There's an issue on github, number 49, fixed in commit
  number 549 according to the bug where PDNS was behaving similar to
  this...if you dig for things *under* that subdomain eg
  test.labisilon.lab.domain.com you get the correct response (NS and A
  records w/ no AA bit indicating you must chase the delegation) -- but
  when querying for the delegated domain, it returns the SOA and an AA
  bit w/ NXDOMAIN indicating no such record.
  https://github.com/PowerDNS/pdns/issues/49







Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)

2013-12-13 Thread Michael Loftis
So there is no A record for labisilon.lab.example.com in the pdns01 name
server? (What's the dig output when you request the A record for the
delegated domain?)
Michael,

You are correct - my typo - it is labisilon (not simply isilon).

When I do “dig @pdns01 NS labisilon.lab.example.com” I get the following:

$ dig @psl-pdns01 ns pslisilon.lab.securustech.net

; <<>> DiG 9.8.3-P1 <<>> @psl-pdns01 ns pslisilon.lab.securustech.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53684
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;labisilon.lab.example.com. IN NS

;; AUTHORITY SECTION:
labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.

;; ADDITIONAL SECTION:
lab-isilon.lab.example.com. 900 IN A x.x.x.x

;; Query time: 59 msec

I don’t believe the records are overlapping according to this output but
please correct me if I’m wrong on this.

-- 
Drew Decker
Sent with Airmail http://airmailapp.com/tracking

On December 13, 2013 at 12:35:02 AM, Michael Loftis
(mlof...@wgops.com//mlof...@wgops.com)
wrote:

Is the delegated zone isilon or labisilon? I think you need to check the A
and NS records as you've mixed them up even in the email there. I would
delegate a completely different sub domain than I would name the A record
just to avoid such confusion, it sounds like you've got an NS and A records
for the same name, which is why you're getting the static A record from
powerdns.

In your typed example you are using labisilon as the sub domain and
lab-isilon as the A record and NS delegation...  What does dig NS
labisilon.lab.example.com @1.2.3.4 give you? (Replace 1.2.3.4 with the pdns
auth server ip address) you should get back two records, one NS type
pointing to lab-isilon and one A type giving the address to send UDP/TCP
queries to.

Sounds like that's where the problem is still. Your delegation shouldn't
have any overlapping A records labisilon should be just an NS which
points to lab-isilon, otherwise you get the behavior you described. Which
is a broken delegation.
On Dec 12, 2013 9:54 PM, Drew Decker drewrocksh...@gmail.com wrote:

  Michael,

  I think you only read a few posts on this thread, so I’ll give you some
 details of what had/has been done up to this point, as I read your entire
 email and from what you are saying, I’ve already done (which is why I’m
 reaching out to the community) - correct me if I’m wrong.

  I have a single zone: lab.example.com

  The isilon needs a delegated zone for it to use, so we simply chose
 isilon.lab.example.com

  From a PowerDNS perspective, lab.example.com lives on a single server
 pdns01 and the database server runs on its own dedicated hardware
 pdnsdb01.

  A single zone was created - lab.example.com

  We added the following DNS records to PowerDNS (in the lab.example.com
 zone):

 labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.
 lab-isilon.lab.example.com. 900 IN A x.x.x.x

 Once we added this, it still does not work; when we ping 
 labisilon.lab.example.com, it returns the IP from lab-isilon.lab.example.com, 
 which would be as expected, but since the “x.x.x.x” IP is a SmartConnect IP 
 on the Isilon, it actually takes that IP gives a random IP (depends on how 
 the Isilon is configured) back to the client.  So, in our case, we basically 
 round-robin it, so each new request to the isilon should give us a new IP, 
 until we get to the end, and then we start over.

 I just need to know if I’m missing something here, and if not, maybe it is an 
 issue with the Isilon, in this case.  I just want to make sure that I’m 
 setting up DNS delegation correctly in PowerDNS, or if I’m missing something 
 PowerDNS specific.

  Thanks for your continued input.

 --
 Drew Decker


 On December 12, 2013 at 9:32:33 PM, Michael Loftis 
 (mlof...@wgops.com//mlof...@wgops.com)
 wrote:

  The most common and obvious example of glue is when you have a TLD
 such as GOV, COM, or EDU delegate your domain, your NS records usually
 exist within your domain so glue must exist higher up, exact same
 principle applies at every level where a delegation occurs. Say
 isil.lab.example.com is served by the isilon. This is the delegated
 subdomain. lab.example.com is served by other nameservers. The A
 record you're using could be ns1.isil.lab.example.com, and so must
 exist in both the isil.lab.example.com domain, AND the lab.example.com
 domain, in two separate nameservers.

 You must have it on BOTH the lab.example.com and the isil.lab.example.com
 domains and nameservers. A records for out-of-zone nameservers in
 subdomains are called glue. Nothing magical. Everyone has some in
 COM, GOV, EDU, ORG, etc. If you take a look at google.com, you'll see
 ns1 through ns4.google.com -- those four A records exist in the COM
 zone
