Re: [Pdns-users] Systemctl Daemon Problem After each pdns upgrade

2023-09-29 Thread Michael Loftis via Pdns-users
On Thu, Sep 28, 2023 at 14:30 IHI IHI via Pdns-users <
pdns-users@mailman.powerdns.com> wrote:

> Hello
> When upgrading to a new version (PowerDNS Recursor v4.7-->4.8-->4.9-->5),
> despite choosing to keep the current configuration file, the tuning
> parameters in
> pdns-recursor.service (/lib/systemd/system/pdns-recursor.service)
> return to their default values!
> for example:
> # my Tuning
> LimitNOFILE=65536
> returns to the default value--->16384
>

The correct way to make these changes is with an override, not to the
service file itself.
Use systemctl edit or create the override yourself and daemon-reload.


> This problem causes the pdns-recursor daemon to be reconfigured and
> restarted again after each new version upgrade.
> Is this normal behavior or can it be fixed?
> Many Thanks for your efforts.
> Habibi
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
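The drop-in approach from the reply above, as an added example that is not code from the thread or from PowerDNS: the override goes under /etc/systemd/system, which the package manager does not touch, instead of into the packaged unit in /lib/systemd/system that every upgrade rewrites. It assumes the unit name pdns-recursor.service from the thread and stock systemd drop-in handling; the `root` parameter exists only so the file layout can be exercised without writing to the real /etc.

```python
"""Added example (not from the thread or PowerDNS): write a systemd drop-in
for pdns-recursor.service and read back what systemd will actually apply."""
import os
import shutil
import subprocess
from typing import Optional

UNIT = "pdns-recursor.service"  # unit name taken from the thread


def render_override(limit_nofile: int) -> str:
    """Drop-in body: only the keys being overridden, nothing copied."""
    if limit_nofile <= 0:
        raise ValueError("LimitNOFILE must be positive")
    return f"[Service]\nLimitNOFILE={limit_nofile}\n"


def override_path(root: str = "/") -> str:
    # /etc is admin-owned, so package upgrades leave this file alone.
    return os.path.join(root, "etc", "systemd", "system", UNIT + ".d", "override.conf")


def write_override(limit_nofile: int, root: str = "/") -> str:
    path = override_path(root)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(render_override(limit_nofile))
    return path


def read_override(root: str = "/") -> str:
    with open(override_path(root), encoding="ascii") as fh:
        return fh.read()


def effective_limit(unit: str = UNIT) -> Optional[int]:
    """What systemd applies after daemon-reload; None when systemctl is
    unavailable or the value is not numeric (e.g. 'infinity')."""
    if shutil.which("systemctl") is None:
        return None
    out = subprocess.run(["systemctl", "show", "-p", "LimitNOFILE", "--value", unit],
                         capture_output=True, text=True, check=False).stdout.strip()
    return int(out) if out.isdigit() else None


if __name__ == "__main__":
    print("wrote", write_override(65536))
    subprocess.run(["systemctl", "daemon-reload"], check=True)
    subprocess.run(["systemctl", "restart", UNIT], check=True)
    print("effective LimitNOFILE:", effective_limit())
```

`systemctl edit pdns-recursor` produces the same file interactively; either way the value only takes effect after `daemon-reload` and a restart, and `systemctl show -p LimitNOFILE` is the check that the override actually won over the packaged unit.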


Re: [Pdns-users] DNSLink or IPFS Support in PowerDNS

2023-01-20 Thread Michael Loftis via Pdns-users
On Fri, Jan 20, 2023 at 12:28 Tom Barrett via Pdns-users <
pdns-users@mailman.powerdns.com> wrote:

> I would be interested in speaking with anyone who has experimented with
> customizing PowerDNS to support IPFS or the DNSLink TXT record type.
>

There’s not anything for PowerDNS to do here. They’re just TXT records in
DNS.

>
> Thanks
>
> Tom
>
> --
> Thomas Barrett
> President
> EnCirca, Inc
> +1.781.942.9975 (office)
> 400 W. Cummings Park, Suite 1725
> 
> Woburn, MA 01801 USA
> 
>
-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler


Re: [Pdns-users] Pdns master notify lag

2022-11-30 Thread Michael Loftis via Pdns-users
On Wed, Nov 30, 2022 at 10:47 lovi via Pdns-users <
pdns-users@mailman.powerdns.com> wrote:

> Hello,
>
> I've set up a pdns lab with 1 pdns/pgsql/master and a slave/named config.
>
> When I update a record, pdns logs show that it takes about 40s before I get
> this message:
> 1 domain for which we are master needs notifications
> And the transfer starts and succeeds.
>
> If I update a record and do a pdns_control notify myzone with no wait, the
> named slave is notified and the transfer is done in no time.
>
> Am I missing something? Or should I send a notify after every update?
>

See
https://doc.powerdns.com/authoritative/settings.html#setting-xfr-cycle-interval
or the older slave-cycle-interval

That said, I wouldn't expect things to always work even at one minute,
because of caches; you really cannot rely on DNS updates being super quick.



> Thanks for your help,
>


Re: [Pdns-users] gmysql: Is latin1 really necessary? What are the consequences of using UTF-8?

2020-10-30 Thread Michael Loftis via Pdns-users
On Fri, Oct 30, 2020 at 8:17 AM Michael Loftis  wrote:
>
> On Fri, Oct 30, 2020 at 8:15 AM Nicholas Williams via Pdns-users
>  wrote:
> >
> > I thought domain names have supported unicode characters for several years 
> > now.
>
> Not at the protocol level they're not.   They're punycode.


And more explicitly, it's not UTF.  It's IDN
https://unicode.org/faq/idn.html


Re: [Pdns-users] gmysql: Is latin1 really necessary? What are the consequences of using UTF-8?

2020-10-30 Thread Michael Loftis via Pdns-users
On Fri, Oct 30, 2020 at 8:15 AM Nicholas Williams via Pdns-users
 wrote:
>
> I thought domain names have supported unicode characters for several years 
> now.

Not at the protocol level they're not.   They're punycode.


>
> On Oct 30, 2020, at 7:53 AM, Frank Louwers  wrote:
>
> Hi Nick,
>
> I guess the main reason why it's latin1, is that DNS records are supposed to 
> be ascii, certainly not utf-8. Also probably the "lowest common denominator" 
> between various (My)SQL versions, flavours etc.
>
> Frank
>
>
>
> On 30 Oct 2020, at 13:43, Nicholas Williams via Pdns-users 
>  wrote:
>
> Nobody has any thoughts here?
>
> Thanks,
>
> Nick
>
> On Oct 25, 2020, at 11:51 AM, Nicholas Williams 
>  wrote:
>
> In the past 4-5 years, I’ve gotten into the habit of defaulting all MySQL 
> tables to this:
>
>   DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_520_ci
>
> Looking at the latest PowerDNS schema (I’m about to start up a second 
> environment), I noticed that the entire schema has this:
>
>   CHARACTER SET ‘latin1'
>
> I did some searching through the archives, but couldn’t readily find an 
> answer about this: Is there a specific reason why LATIN-1 was chosen and must 
> be used? What are the consequences of using UTF-8 instead of LATIN-1?
>
> One consequence that I know of is that `records.content` can’t be 
> VARCHAR(64000) and also be UTF-8, so it must either be made explicitly 
> LATIN-1, or it must be shortened to VARCHAR(16383), or it must be converted 
> > to a TEXT column. Are there any negative consequences of making it a TEXT 
> column?
>
> Thanks,
>
> Nick
>
>
>
>
>





Re: [Pdns-users] gmysql: Is latin1 really necessary? What are the consequences of using UTF-8?

2020-10-30 Thread Michael Loftis via Pdns-users
I was hoping someone who knew more about PDNS authoritative server
itself would chime in

For MySQL server+client, if the character set in the libmysqlclient
and server side tables/etc match, it doesn't matter except for server
side sorts (collations).  If it is latin1 all the way through then
it's actually treated as binary.  This is to avoid the performance
penalty of character set conversions.  DNS itself is more
difficult...labels are ASCII.  PowerDNS internally for example has an
upper case conversion routine that blatantly assumes ASCII/latin1.
When it checks for spaces, it's checking for 0x20, not for any UTF-8
formation that might mean whitespace.  Content/RDATA, type, etc, are
all binary and so what is in the content is defined by the content
type.  In the cases where there is expected to be non ASCII data, it's
translated by PowerDNS itself, based on the relevant RFCs - which
often have their own way to represent non-ascii data such as for TXT
records.  PowerDNS Auth itself I don't believe pays any mind to what
the underlying database clients do WRT character sets and fields, as
long as the data is as expected after it comes out of the backend.  So
if it's backed by a TEXT field, it doesn't actually care, at least in
the MySQL case.

So...yeah you could, but...why?  What problem are you trying to solve?
What advantage are you looking for?

On Fri, Oct 30, 2020 at 6:44 AM Nicholas Williams via Pdns-users
 wrote:
>
> Nobody has any thoughts here?
>
> Thanks,
>
> Nick
>
> > On Oct 25, 2020, at 11:51 AM, Nicholas Williams 
> >  wrote:
> >
> > In the past 4-5 years, I’ve gotten into the habit of defaulting all MySQL 
> > tables to this:
> >
> >DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_520_ci
> >
> > Looking at the latest PowerDNS schema (I’m about to start up a second 
> > environment), I noticed that the entire schema has this:
> >
> > >CHARACTER SET 'latin1'
> >
> > I did some searching through the archives, but couldn’t readily find an 
> > answer about this: Is there a specific reason why LATIN-1 was chosen and 
> > must be used? What are the consequences of using UTF-8 instead of LATIN-1?
> >
> > One consequence that I know of is that `records.content` can’t be 
> > VARCHAR(64000) and also be UTF-8, so it must either be made explicitly 
> > LATIN-1, or it must be shortened to VARCHAR(16383), or it must be converted 
> > > to a TEXT column. Are there any negative consequences of making it a TEXT 
> > column?
> >
> > Thanks,
> >
> > Nick
>



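To make the point of the reply above concrete, an added example that is not code from the thread or from PowerDNS: owner names go on the wire as IDNA/punycode ASCII labels (Python's `idna` codec, which implements IDNA 2003), and non-ASCII bytes inside TXT rdata are written in RFC 1035 presentation form as `\DDD` decimal escapes. Both end up pure ASCII, which is why the backend column charset does not change what the server stores. The names and strings below are made up.

```python
"""Added example (not from the thread or PowerDNS): what the backend has to
hold for a Unicode owner name and a TXT string with non-ASCII content."""


def owner_to_wire_name(name: str) -> str:
    """'bücher.example.' -> 'xn--bcher-kva.example.' (each label separately)."""
    labels = name.rstrip(".").split(".")
    return ".".join(lbl.encode("idna").decode("ascii") for lbl in labels) + "."


def txt_to_presentation(text: str) -> str:
    """Quote a TXT string the way a zone file or content field holds it:
    UTF-8 bytes outside printable ASCII become \\DDD, '"' and '\\' get a
    backslash, and the result is wrapped in double quotes."""
    out = []
    for b in text.encode("utf-8"):
        if b in (0x22, 0x5C):            # '"' and backslash
            out.append("\\" + chr(b))
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(f"\\{b:03d}")
    return '"' + "".join(out) + '"'


def presentation_to_txt(pres: str) -> str:
    """Inverse of txt_to_presentation; rejects escapes above \\255."""
    body = pres[1:-1] if len(pres) >= 2 and pres[0] == pres[-1] == '"' else pres
    raw = bytearray()
    i = 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            raw.append(ord(ch))
            i += 1
            continue
        digits = body[i + 1:i + 4]
        if len(digits) == 3 and digits.isdigit():
            value = int(digits)
            if value > 255:
                raise ValueError(f"bad escape \\{digits}")
            raw.append(value)
            i += 4
        else:
            raw.append(ord(body[i + 1]))   # \" or \\
            i += 2
    return raw.decode("utf-8")


def ascii_case_fold(name: str) -> str:
    """DNS name comparison is case-insensitive for ASCII only; bytes.lower()
    leaves anything >= 0x80 untouched, unlike str.lower()."""
    return name.encode("ascii").lower().decode("ascii")


if __name__ == "__main__":
    print(owner_to_wire_name("bücher.example."))
    print(txt_to_presentation('café "x"'))
    print(presentation_to_txt(txt_to_presentation('café "x"')))
```

The round trip through `txt_to_presentation` is what decides whether a TEXT or VARCHAR column in any charset can hold the content: the stored form is ASCII either way, and the interpretation of the bytes is the record type's business, not the database's.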


Re: [Pdns-users] "HTTP/1.1 422 Unprocessable Entity" when creating a zone

2020-06-30 Thread Michael Loftis via Pdns-users
On Tue, Jun 30, 2020 at 08:52 Tomasz Chmielewski via Pdns-users <
pdns-users@mailman.powerdns.com> wrote:

> Unfortunately I'm not able to find what I'm doing wrong.
>
> The error is returned no matter if I have "master=yes" set in pdns.conf
> or not, and no matter if I use "masters": [] or not.


Take a look at the object properties description at the bottom of the
documentation that Frank linked you. The documentation I know doesn't
include an example for zone creation. You're missing the type key. I don't
think that there are any other issues with the post data you're sending.
Just missing the type.


>
> The query I'm sending:
>
> # curl --data '{"name":"example.org.", "kind": "Native", "nameservers":
> ["ns1.example.org.", "ns2.example.org."]}' -v -H 'X-API-Key: my-api-key'
> http://10.58.150.164:8081/api/v1/servers/localhost/zones
> *   Trying 10.58.150.164:8081...
> * TCP_NODELAY set
> * Connected to 10.58.150.164 (10.58.150.164) port 8081 (#0)
> > POST /api/v1/servers/localhost/zones HTTP/1.1
> > Host: 10.58.150.164:8081
> > User-Agent: curl/7.68.0
> > Accept: */*
> > X-API-Key: my-api-key
> > Content-Length: 98
> > Content-Type: application/x-www-form-urlencoded
> >
> * upload completely sent off: 98 out of 98 bytes
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 422 Unprocessable Entity
> < Access-Control-Allow-Origin: *
> < Connection: close
> < Content-Length: 50
> < Content-Security-Policy: default-src 'self'; style-src 'self'
> 'unsafe-inline'
> < Content-Type: application/json
> < Server: PowerDNS/4.2.1
> < X-Content-Type-Options: nosniff
> < X-Frame-Options: deny
> < X-Permitted-Cross-Domain-Policies: none
> < X-Xss-Protection: 1; mode=block
> <
> * Closing connection 0
> {"error": "Creating domain 'example.org.' failed"}
>
>
>
> Tomasz
>
>
> On 2020-06-30 22:38, Frank Louwers wrote:
> > Please find the docs for 4.2.x at
> >
> https://docs.powerdns.com/authoritative/http-api/index.html#endpoints-and-objects-in-the-api
> >
> > In particular, note that the "masters" string must only be set if the
> > type is Slave.
> >
> > Regards,
> >
> > Frank
> >
> > On 30 Jun 2020, at 15:20, Tomasz Chmielewski  wrote:
> >
> >> I'm using pdns 4.2.1.
> >>
> >> Tomasz
> >>
> >> On 2020-06-30 22:17, Frank Louwers wrote:
> >> Hi Tomasz,
> >> What version are you using? The docs you mention, refer to an old
> >> version of PowerDNS Auth...
> >> Frank
> >> On 30 Jun 2020, at 15:09, Tomasz Chmielewski via Pdns-users
> >>  wrote:
> >> I did it exactly as in PowerDNS README:
> >> https://doc.powerdns.com/md/httpapi/README/
> >> Does it mean README is buggy?
> >> But it also fails without "masters" attribute:
> >> # echo '{"name":"example.org.", "kind": "Native", "nameservers":
> >> ["ns1.example.org.", "ns2.example.org."]}' | jq
> >> {
> >> "name": "example.org.",
> >> "kind": "Native",
> >> "nameservers": [
> >> "ns1.example.org.",
> >> "ns2.example.org."
> >> ]
> >> }
> >> Tomasz
> >> On 2020-06-14 23:52, Kevin P. Fleming via Pdns-users wrote:
> >> Have you tried doing this without specifying the 'masters' attribute at
> >> all?
> >> Native zones don't support masters, so it's possible that supplying
> >> the attribute, even with an empty list, is causing a failure.
> >> On Sun, Jun 14, 2020 at 9:29 AM Tomasz Chmielewski via Pdns-users
> >>  wrote:
> >> Using 4.2.1, I'm getting "HTTP/1.1 422 Unprocessable Entity" when
> >> trying
> >> to create a zone as described on
> >> https://doc.powerdns.com/md/httpapi/README/
> >> What am I doing wrong?
> >> '{"name":"example.org.", "kind": "Native", "masters": [],
> >> "nameservers":
> >> ["ns1.example.org.", "ns2.example.org."]}' validates fine with jq:
> >> # echo '{"name":"example.org.", "kind": "Native", "masters": [],
> >> "nameservers": ["ns1.example.org.", "ns2.example.org."]}' | jq
> >> {
> >> "name": "example.org.",
> >> "kind": "Native",
> >> "masters": [],
> >> "nameservers": [
> >> "ns1.example.org.",
> >> "ns2.example.org."
> >> ]
> >> }
> >> # curl -X POST --data '{"name":"example.org.", "kind": "Native",
> >> "masters": [], "nameservers": ["ns1.example.org.",
> >> "ns2.example.org."]}'
> >> -v -H 'X-API-Key: my-key'
> >> http://10.58.150.164:8081/api/v1/servers/localhost/zones
> >> Note: Unnecessary use of -X or --request, POST is already inferred.
> >> *   Trying 10.58.150.164:8081...
> >> * TCP_NODELAY set
> >> * Connected to 10.58.150.164 (10.58.150.164) port 8081 (#0)
> >> POST /api/v1/servers/localhost/zones HTTP/1.1
> >> Host: 10.58.150.164:8081
> >> User-Agent: curl/7.68.0
> >> Accept: */*
> >> X-API-Key: my-key
> >> Content-Length: 113
> >> Content-Type: application/x-www-form-urlencoded
> >> * upload completely sent off: 113 out of 113 bytes
> >> * Mark bundle as not supporting multiuse
> >> < HTTP/1.1 422 Unprocessable Entity
> >> < Access-Control-Allow-Origin: *
> >> < Connection: close
> >> < Content-Length: 50
> >> < Content-Security-Policy: default-src 'self'; style-src 'self'
> >> 'unsafe-inline'
> >> < Content-Type: 
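An added example, not code from the thread or from PowerDNS, that builds the zone-creation body the way the replies above describe and checks it against the Zone object properties in the 4.2 API docs Frank linked before anything is sent: `type` is `Zone`, names carry a trailing dot, and `masters` is only sent for Slave zones. The API key, server URL and zone names are placeholders.

```python
"""Added example (not from the thread or PowerDNS): validate and POST a
Zone object to /api/v1/servers/localhost/zones."""
import json
import urllib.error
import urllib.request

VALID_KINDS = {"Native", "Master", "Slave"}


def _fqdn(name: str) -> str:
    """The API wants absolute names; a missing trailing dot is a client bug."""
    if not name.endswith("."):
        raise ValueError(f"{name!r} must be fully qualified (trailing dot)")
    return name


def build_zone_payload(name, kind, nameservers=(), masters=()):
    """Return the dict to POST. 'type' is always 'Zone'; 'masters' is only
    accepted for Slave zones (the point Frank and Kevin make above);
    'nameservers' seeds the apex NS records."""
    if kind not in VALID_KINDS:
        raise ValueError(f"kind must be one of {sorted(VALID_KINDS)}")
    if kind != "Slave" and masters:
        raise ValueError("'masters' only applies to kind=Slave")
    if kind == "Slave" and not masters:
        raise ValueError("Slave zones need at least one master")
    payload = {"name": _fqdn(name), "kind": kind, "type": "Zone"}
    if nameservers:
        payload["nameservers"] = [_fqdn(ns) for ns in nameservers]
    if kind == "Slave":
        payload["masters"] = list(masters)
    return payload


def payload_error(*args, **kwargs):
    """Validation message for a bad call, or None when the payload is fine."""
    try:
        build_zone_payload(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def create_zone(base_url: str, api_key: str, payload: dict) -> dict:
    """POST with an explicit JSON content type (curl --data defaults to
    application/x-www-form-urlencoded, as the -v output above shows). A 422
    is returned as the server's own JSON error object so the caller can log it."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/servers/localhost/zones",
        data=json.dumps(payload).encode("utf-8"),
        headers={"X-API-Key": api_key, "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 422:
            return json.loads(err.read().decode("utf-8"))
        raise


if __name__ == "__main__":
    body = build_zone_payload("example.org.", "Native",
                              ["ns1.example.org.", "ns2.example.org."])
    print(json.dumps(body))
    # print(create_zone("http://127.0.0.1:8081", "my-api-key", body))  # placeholders
```

The server's 422 body is the only diagnostic the API gives, so `create_zone` hands it back instead of raising; the client-side checks exist so that the obvious mistakes never reach the server at all.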

Re: [Pdns-users] BIND-Zonefiles: @ vs blank

2019-08-08 Thread Michael Loftis
On Thu, Aug 8, 2019 at 07:01 Bjoern Franke  wrote:

> Hi,
>
> we have a zonefile which got recently added TXT entries for SPF and DMARC:
>
> _dmarc  IN  TXT "v=DMARC1; p=none; rua=mailto:foo;
> IN  MX  10 mx.domain.tld.
> IN  TXT "v=spf1 include:spf1.domain.tld ?all"
>
> Since then, requests for the MX record were not answered any more,
> adding a @ fixed it.
>
> I'm wondering now why this happens, as in other zonefiles without TXT
> records the blank substitution works.


I've always had the understanding that blank meant "reuse last" so by
adding the _dmarc TXT record ahead of the blank records you inadvertently
moved them to be _dmarc.ZONE

I could certainly be wrong because I haven't looked at the man page for
bind zone files in the last decade.



>
> Kind regards
> Bjoern
>
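The "blank owner means reuse the last owner" reading in the reply above is the RFC 1035 section 5.1 rule. An added example, not code from the thread or from any DNS server, applies that rule and the `@` = origin rule to a constructed copy of the snippet in the question (names changed to example.com, the DMARC string completed) so the owner of the MX and SPF records can be seen directly. Single-line records only; a TTL may precede the class, parentheses are not handled.

```python
"""Added example (not from the thread): owner-name handling of a BIND-style
zone file per RFC 1035 section 5.1."""


def strip_comment(line: str) -> str:
    """Drop a ';' comment, but not a ';' inside a quoted TXT string."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line


def expand_owner(owner: str, origin: str) -> str:
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return f"{owner}.{origin}"


def parse_zone(text: str, origin: str):
    """Return [(owner, type, rdata)] with owners made absolute."""
    origin = origin if origin.endswith(".") else origin + "."
    last_owner = origin
    records = []
    for line in text.splitlines():
        stripped = strip_comment(line).rstrip()
        if not stripped.strip():
            continue
        if stripped.startswith("$ORIGIN"):
            origin = expand_owner(stripped.split()[1], origin)
            continue
        if stripped.startswith("$"):           # $TTL etc.: irrelevant here
            continue
        fields = stripped.split()
        if stripped[0] in " \t":
            owner = last_owner                  # RFC 1035: blank owner = previous RR's
        else:
            owner = expand_owner(fields.pop(0), origin)
        last_owner = owner
        if fields and fields[0].isdigit():      # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)
        records.append((owner, fields[0].upper(), " ".join(fields[1:])))
    return records


def owners_of(text: str, origin: str, rtype: str):
    return [o for o, t, _ in parse_zone(text, origin) if t == rtype]


# Constructed from the snippet in the question (names changed to example.com).
ZONE_BROKEN = """\
_dmarc  IN  TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
        IN  MX  10 mx.example.com.
        IN  TXT "v=spf1 include:spf1.example.com ?all"
"""

# The same records with the '@' the poster added in front of the MX.
ZONE_FIXED = """\
_dmarc  IN  TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
@       IN  MX  10 mx.example.com.
        IN  TXT "v=spf1 include:spf1.example.com ?all"
"""

if __name__ == "__main__":
    for label, text in (("broken", ZONE_BROKEN), ("fixed", ZONE_FIXED)):
        print(label, parse_zone(text, "example.com."))
```

In the broken file the MX and the SPF TXT both land at `_dmarc.example.com.`, which is exactly the symptom reported; the `@` resets the owner to the apex, and the SPF line following it inherits that.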


Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread Michael Loftis
(inline)

On Wed, Jan 6, 2016 at 11:42 AM, Nicholas Williams
 wrote:
> I'll look into that other script. Thanks, Bert.
>
>> How about a creating a separate sub-zone with a broken presigned DNSSEC
>
>> You can set presigned for just that single zone using the PRESIGNED domain
>> metadata[1] int your database.
>
> I really like this idea in combination. That documentation that Pieter sent
> me should help me get set up with presigning. But, Leen, how would I set up
> a subzone delegated to the same authoritative server (or can I, even?)? Can
> you point me to that documentation?

Because the server is the same you don't necessarily need to set up the
delegation in the zone's records table.  You just need to have it
in the domains table.  That said you *can* totally do a full
delegation.  You just insert NS records into the parent zone records
with the parent domain_id, and do SOA+NS/whatever you normally do
(synthetic SOA/generated SOA comes to mind) inside the delegated zone
(child) domain_id...there's no magic to delegations.  You'll have like
2x the NS records for a self delegated zone (as the parent zone will
have the same records with the parent/delegating domain_id)


>
> Google really hasn't indexed this documentation very well at all...
>
> Thanks,
>
> Nick


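What "there's no magic to delegations" looks like in the data, as an added example that is not code from the thread or from PowerDNS: a cut-down copy of the generic SQL schema (domains + records, in SQLite) with the parent zone holding NS rows for the child name under the parent's domain_id and the child zone holding its own SOA/NS under its own domain_id, plus a toy lookup that returns a referral only when the child is not hosted here. The zone-selection logic is this example's, not PowerDNS's; the zone names and addresses are made up. The same walk down from the apex to the first name with NS rows is the check to run on the delegation in the SmartConnect Isilon thread further down.

```python
"""Added example (not from the thread or PowerDNS): parent/child zone rows
for a self-delegated subzone and a toy referral-vs-authoritative lookup."""
import sqlite3

SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE,
                      type TEXT NOT NULL);
CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                      name TEXT NOT NULL, type TEXT NOT NULL,
                      content TEXT NOT NULL, ttl INTEGER NOT NULL);
"""
SOA = "ns1.example.com. hostmaster.example.com. 1 3600 600 86400 300"


def open_sample() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO domains(id, name, type) VALUES (?, ?, ?)",
                     [(1, "example.com", "NATIVE"), (2, "sub.example.com", "NATIVE")])
    conn.executemany(
        "INSERT INTO records(domain_id, name, type, content, ttl) VALUES (?, ?, ?, ?, ?)",
        [
            (1, "example.com", "SOA", SOA, 3600),
            (1, "example.com", "NS", "ns1.example.com.", 3600),
            (1, "ns1.example.com", "A", "192.0.2.1", 3600),
            # delegation: NS for the child NAME, stored with the PARENT's domain_id
            (1, "sub.example.com", "NS", "ns1.example.com.", 3600),
            # child zone apex, stored with the CHILD's domain_id
            (2, "sub.example.com", "SOA", SOA, 3600),
            (2, "sub.example.com", "NS", "ns1.example.com.", 3600),
            (2, "www.sub.example.com", "A", "192.0.2.10", 300),
        ])
    return conn


def best_zone(conn, qname):
    """Longest suffix of qname that is a zone we host, or None."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        row = conn.execute("SELECT id, name FROM domains WHERE name = ?",
                           (".".join(labels[i:]),)).fetchone()
        if row:
            return row
    return None


def delegation_point(conn, domain_id, zone, qname):
    """Highest name strictly below the apex, on the path to qname, that has
    NS rows in this zone; that is where authority is handed off."""
    labels = qname.split(".")
    depth = len(labels) - len(zone.split("."))
    for i in range(depth - 1, -1, -1):
        cand = ".".join(labels[i:])
        ns = conn.execute("SELECT content, ttl FROM records WHERE domain_id = ? "
                          "AND name = ? AND type = 'NS'", (domain_id, cand)).fetchall()
        if ns:
            return cand, ns
    return None


def answer(conn, qname, qtype):
    """Referral (aa=False) if the name sits under a delegation in the best
    zone we host, otherwise an authoritative answer from that zone."""
    qn = qname.rstrip(".")
    zone = best_zone(conn, qn)
    if zone is None:
        return {"rcode": "REFUSED", "aa": False, "answer": [], "authority": []}
    domain_id, zname = zone
    if qn != zname:
        cut = delegation_point(conn, domain_id, zname, qn)
        if cut:
            cut_name, ns = cut
            return {"rcode": "NOERROR", "aa": False, "answer": [],
                    "authority": [(cut_name, "NS", c, t) for c, t in ns]}
    rows = conn.execute("SELECT content, ttl FROM records WHERE domain_id = ? "
                        "AND name = ? AND type = ?", (domain_id, qn, qtype)).fetchall()
    exists = conn.execute("SELECT 1 FROM records WHERE domain_id = ? AND name = ?",
                          (domain_id, qn)).fetchone()
    return {"rcode": "NOERROR" if exists else "NXDOMAIN", "aa": True,
            "answer": [(qn, qtype, c, t) for c, t in rows], "authority": []}


def ns_rows(conn, name):
    """(domain_id, content) for every NS row with this owner name."""
    return conn.execute("SELECT domain_id, content FROM records WHERE name = ? "
                        "AND type = 'NS' ORDER BY domain_id", (name,)).fetchall()


def remove_zone(conn, name):
    """Simulate the child being hosted elsewhere: drop it from domains."""
    row = conn.execute("SELECT id FROM domains WHERE name = ?", (name,)).fetchone()
    if row:
        conn.execute("DELETE FROM records WHERE domain_id = ?", (row[0],))
        conn.execute("DELETE FROM domains WHERE id = ?", (row[0],))


if __name__ == "__main__":
    db = open_sample()
    print(answer(db, "www.sub.example.com.", "A"))   # authoritative, aa=True
    print(ns_rows(db, "sub.example.com"))            # two rows: parent + child
    remove_zone(db, "sub.example.com")
    print(answer(db, "www.sub.example.com.", "A"))   # referral, aa=False
```

`ns_rows` shows the doubled NS set the reply mentions; the parent's copy is what becomes the referral once the child zone row is gone, which is why it must carry the parent's domain_id and not the child's.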


Re: [Pdns-users] PDNS to answer as NON-authoritative?

2016-01-03 Thread Michael Loftis
Two people have answered your question and told you what you're missing.
I'm not going to try to guess at whatever misconfiguration or
misunderstanding resulted in you getting (or seemingly getting) recursive
results from bind when you were attempting to disable them. PowerDNS fully
and completely separates all authoritative functionality from recursive
 functionality (and any associated caches). This is in contrast to bind
which merges all such functionality.


On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <
luis.daniel.lu...@gmail.com> wrote:

> No because in bind, when you turn off recursive resolution it resolves. I
> can't figure out the missing part to have the same behavior.
> On 3 Jan 2016 at 2:39 PM, "Michael Loftis" <mlof...@wgops.com> wrote:
>
>> Again not a resolver. Sorry but you're the one misunderstanding. If you
>> want answers for data not present you need a recursive resolver.
>>
>> On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <
>> luis.daniel.lu...@gmail.com> wrote:
>>
>>> Host command does not do that as well. It off on the sample output
>>> On 3 Jan 2016 at 2:00 PM, "Aki Tuomi" <cmo...@cmouse.fi> wrote:
>>>
>>>> That is because dig is not a resolver.
>>>>
>>>>
>>>>
>>>> ---
>>>> Aki Tuomi
>>>>
>>>>
>>>>  Original message 
>>>> From: Luis Daniel Lucio Quiroz <luis.daniel.lu...@gmail.com>
>>>> Date: 03/01/2016 20:56 (GMT+02:00)
>>>> To: Michael Loftis <mlof...@wgops.com>
>>>> Cc: Aki Tuomi <cmo...@youzen.ext.b2.fi>,
>>>> pdns-users@mailman.powerdns.com
>>>> Subject: Re: [Pdns-users] PDNS to answer as NON-authoritative?
>>>>
>>>> You don't pay attention.
>>>> My question is why the resolver doesn't continue the iterative query.
>>>> It just stops when it gets the ns answer
>>>> On 3 Jan 2016 at 12:59 PM, "Michael Loftis" <mlof...@wgops.com> wrote:
>>>>
>>>>> Then quit asking it for information it doesn't have. Responding with
>>>>> the root NS set is correct when you're asking for Google.com which it 
>>>>> knows
>>>>> nothing about.
>>>>>
>>>>> On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <
>>>>> luis.daniel.lu...@gmail.com> wrote:
>>>>>
>>>>>> Thanks. But that's the way you don't want to use. I know how.
>>>>>>
>>>>>> I need to make it work in non recursive mode.
>>>>>> On 3 Jan 2016 at 9:29 AM, "Aki Tuomi" <cmo...@youzen.ext.b2.fi> wrote:
>>>>>>
>>>>>>> If you want to use auth as recursor, you need to configure
>>>>>>>
>>>>>>> recursor=
>>>>>>> allow-recursion=
>>>>>>>
>>>>>>> On Sat, Jan 02, 2016 at 09:55:54PM -0800, Michael Loftis wrote:
>>>>>>> > PowerDNS is not the same as PowerDNS Recursor. The former only does
>>>>>>> > authoritative which is your problem here.
>>>>>>> >
>>>>>>> > On Saturday, January 2, 2016, Luis Daniel Lucio Quiroz <
>>>>>>> > luis.daniel.lu...@gmail.com> wrote:
>>>>>>> >
>>>>>>> > > Hello
>>>>>>> > >
>>>>>>> > > What am I missing? I have this:
>>>>>>> > > launch=pipe,bind
>>>>>>> > > pipe-command=/usr/local/libexec/latency.pdns.plugin
>>>>>>> > > pipe-regex=^.*\.(mylocaldomain)\.(net);.*$
>>>>>>> > > bind-config=/etc/named.pdns.conf
>>>>>>> > > bind-check-interval=300
>>>>>>> > > bind-ignore-broken-records=no
>>>>>>> > > send-root-referral=lean
>>>>>>> > > allow-recursion=192.168.7.0/24
>>>>>>> > >
>>>>>>> > > /etc/named.pdns.conf looks like this
>>>>>>> > > zone "mylocaldomain.net" IN {
>>>>>>> > >type master;
>>>>>>> > >file "/var/named/data/mylocaldomain.net";
>>>>&g

Re: [Pdns-users] PDNS to answer as NON-authoritative?

2016-01-03 Thread Michael Loftis
Again not a resolver. Sorry but you're the one misunderstanding. If you
want answers for data not present you need a recursive resolver.

On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <
luis.daniel.lu...@gmail.com> wrote:

> Host command does not do that as well. It off on the sample output
> On 3 Jan 2016 at 2:00 PM, "Aki Tuomi" <cmo...@cmouse.fi> wrote:
>
>> That is because dig is not a resolver.
>>
>>
>>
>> ---
>> Aki Tuomi
>>
>>
>>  Original message 
>> From: Luis Daniel Lucio Quiroz <luis.daniel.lu...@gmail.com>
>> Date: 03/01/2016 20:56 (GMT+02:00)
>> To: Michael Loftis <mlof...@wgops.com>
>> Cc: Aki Tuomi <cmo...@youzen.ext.b2.fi>,
>> pdns-users@mailman.powerdns.com
>> Subject: Re: [Pdns-users] PDNS to answer as NON-authoritative?
>>
>> You don't pay attention.
>> My question is why the resolver doesn't continue the iterative query.
>> It just stops when it gets the ns answer
>> On 3 Jan 2016 at 12:59 PM, "Michael Loftis" <mlof...@wgops.com> wrote:
>>
>>> Then quit asking it for information it doesn't have. Responding with the
>>> root NS set is correct when you're asking for Google.com which it knows
>>> nothing about.
>>>
>>> On Sunday, January 3, 2016, Luis Daniel Lucio Quiroz <
>>> luis.daniel.lu...@gmail.com> wrote:
>>>
>>>> Thanks. But that's the way you don't want to use. I know how.
>>>>
>>>> I need to make it work in non recursive mode.
>>>> On 3 Jan 2016 at 9:29 AM, "Aki Tuomi" <cmo...@youzen.ext.b2.fi> wrote:
>>>>
>>>>> If you want to use auth as recursor, you need to configure
>>>>>
>>>>> recursor=
>>>>> allow-recursion=
>>>>>
>>>>> On Sat, Jan 02, 2016 at 09:55:54PM -0800, Michael Loftis wrote:
>>>>> > PowerDNS is not the same as PowerDNS Recursor. The former only does
>>>>> > authoritative which is your problem here.
>>>>> >
>>>>> > On Saturday, January 2, 2016, Luis Daniel Lucio Quiroz <
>>>>> > luis.daniel.lu...@gmail.com> wrote:
>>>>> >
>>>>> > > Hello
>>>>> > >
>>>>> > > What am I missing? I have this:
>>>>> > > launch=pipe,bind
>>>>> > > pipe-command=/usr/local/libexec/latency.pdns.plugin
>>>>> > > pipe-regex=^.*\.(mylocaldomain)\.(net);.*$
>>>>> > > bind-config=/etc/named.pdns.conf
>>>>> > > bind-check-interval=300
>>>>> > > bind-ignore-broken-records=no
>>>>> > > send-root-referral=lean
>>>>> > > allow-recursion=192.168.7.0/24
>>>>> > >
>>>>> > > /etc/named.pdns.conf looks like this
>>>>> > > zone "mylocaldomain.net" IN {
>>>>> > >type master;
>>>>> > >file "/var/named/data/mylocaldomain.net";
>>>>> > > };
>>>>> > >
>>>>> > > zone "root-servers.net" IN {
>>>>> > >type master;
>>>>> > >file "/var/named/data/named.ca";
>>>>> > > };
>>>>> > >
>>>>> > >
>>>>> > > when I do a dig, or a host, i get this:
>>>>> > >
>>>>> > > dig google.com @PUBLICIP
>>>>> > >
>>>>> > > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> . @PUBLICIP
>>>>> > > ;; global options: +cmd
>>>>> > > ;; Got answer:
>>>>> > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29059
>>>>> > > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
>>>>> > > ;; WARNING: recursion requested but not available
>>>>> &g

Re: [Pdns-users] PDNS to answer as NON-authoritative?

2016-01-02 Thread Michael Loftis
PowerDNS is not the same as PowerDNS Recursor. The former only does
authoritative which is your problem here.

On Saturday, January 2, 2016, Luis Daniel Lucio Quiroz <
luis.daniel.lu...@gmail.com> wrote:

> Hello
>
> What am I missing? I have this:
> launch=pipe,bind
> pipe-command=/usr/local/libexec/latency.pdns.plugin
> pipe-regex=^.*\.(mylocaldomain)\.(net);.*$
> bind-config=/etc/named.pdns.conf
> bind-check-interval=300
> bind-ignore-broken-records=no
> send-root-referral=lean
> allow-recursion=192.168.7.0/24
>
> /etc/named.pdns.conf looks like this
> zone "mylocaldomain.net" IN {
>type master;
>file "/var/named/data/mylocaldomain.net";
> };
>
> zone "root-servers.net" IN {
>type master;
>file "/var/named/data/named.ca";
> };
>
>
> when I do a dig, or a host, i get this:
>
> dig google.com @PUBLICIP
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> . @PUBLICIP
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29059
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;.  IN  A
>
> ;; AUTHORITY SECTION:
> .   518400  IN  NS  a.root-servers.net.
> .   518400  IN  NS  b.root-servers.net.
> .   518400  IN  NS  c.root-servers.net.
> .   518400  IN  NS  d.root-servers.net.
> .   518400  IN  NS  e.root-servers.net.
> .   518400  IN  NS  f.root-servers.net.
> .   518400  IN  NS  g.root-servers.net.
> .   518400  IN  NS  h.root-servers.net.
> .   518400  IN  NS  i.root-servers.net.
> .   518400  IN  NS  j.root-servers.net.
> .   518400  IN  NS  k.root-servers.net.
> .   518400  IN  NS  l.root-servers.net.
> .   518400  IN  NS  m.root-servers.net.
>
> ;; ADDITIONAL SECTION:
> a.root-servers.net. 360 IN  A   198.41.0.4
> a.root-servers.net. 360 IN  AAAA    2001:503:ba3e::2:30
> b.root-servers.net. 360 IN  A   192.228.79.201
> c.root-servers.net. 360 IN  A   192.33.4.12
> d.root-servers.net. 360 IN  A   199.7.91.13
> d.root-servers.net. 360 IN  AAAA    2001:500:2d::d
> e.root-servers.net. 360 IN  A   192.203.230.10
> f.root-servers.net. 360 IN  A   192.5.5.241
> f.root-servers.net. 360 IN  AAAA    2001:500:2f::f
> g.root-servers.net. 360 IN  A   192.112.36.4
> h.root-servers.net. 360 IN  A   128.63.2.53
> h.root-servers.net. 360 IN  AAAA    2001:500:1::803f:235
> i.root-servers.net. 360 IN  A   192.36.148.17
>
> ;; Query time: 24 msec
> ;;
> ;; WHEN: Sun Jan  3 05:10:27 2016
> ;; MSG SIZE  rcvd: 484
>
>
> or
>
> host google.com PUBLICIP
> Using domain server:
> Name: PUBLICIP
> Address: PUBLICIP#53
> Aliases:
>
>
> As you see, there is no answer. I only get the root NS servers.
>
> --
> Luis Daniel Lucio Quiroz
> CISSP, CISM, CISA
> Linux, VoIP and much more fun
> www.okay.com.mx
>
> Need LCR? Check out LCR for FusionPBX with FreeSWITCH
> Need Billing? Check out Billing for FusionPBX with FreeSWITCH
>




Re: [Pdns-users] Why was content length increased?

2015-02-19 Thread Michael Loftis
DNSSEC and DKIM.

On Thursday, February 19, 2015, Nick Williams nicho...@nicholaswilliams.net
wrote:

 I'm upgrading to authoritative 3.4 and noticed that the records.content
 column has been increased from 255 characters to 64000 characters. Because
 my table is UTF-8, I get the following error:

 mysql> ALTER TABLE records MODIFY content VARCHAR(64000);
 ERROR 1074 (42000): Column length too big for column 'content' (max =
 21845); use BLOB or TEXT instead

 I know I can use latin1, but I tend to avoid any non-Unicode character
 sets completely, and would prefer to stick with UTF-8. Given that:

 - What changed that required the increase from 255 to 64,000 characters?
 - Is there any reason that I couldn't just use VARCHAR(21845)?
 - Are there any performance implications to using TEXT instead of
 VARCHAR(64000)?

 Thanks,

 Nick





Re: [Pdns-users] Recursion issue--SERVFAIL then NOERROR totally at random

2014-09-09 Thread Michael Loftis
On Tue, Sep 9, 2014 at 9:55 AM, Brian Menges bmen...@gogrid.com wrote:
 I’d say it’s on Toyota’s end:



Same here gslb-ns1.toyota-na.com not responding (Comcast, Seattle, WA)



Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)

2013-12-16 Thread Michael Loftis
I can't replicate with 3.0.1 so I don't think it's in any current code.
Barring a regression of course. I don't know what he is running but it is
possible that it's old and affected. Can't be sure since I can't investigate
directly.
On Dec 15, 2013 11:40 PM, Peter van Dijk peter.van.d...@netherlabs.nl
wrote:

 Hello folks,

 I have not followed this thread (I saw it was full of helpful people
 already!), but I would just like to point out that that bug is actually 8
 years old -- our github migration could not copy the timestamps reliably.
 The fix was in version 2.9.20, released March 2006.

 That said, if anybody does think a bug has been found in a recent
 PowerDNS, we're happy to look into it!

 Kind regards,
 --
 Peter van Dijk
 Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

 On Dec 13, 2013, at 23:54 , Michael Loftis wrote:

  Ah...You actually *may* have hit a bug.  What version of powerdns and
  what backend?  There's an issue on github, number 49, fixed in commit
  number 549 according to the bug where PDNS was behaving similar to
  this...if you dig for things *under* that subdomain eg
  test.labisilon.lab.domain.com you get the correct response (NS and A
  records w/ no AA bit indicating you must chase the delegation) -- but
  when querying for the delegated domain, it returns the SOA and an AA
  bit w/ NXDOMAIN indicating no such record.
  https://github.com/PowerDNS/pdns/issues/49







Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)

2013-12-13 Thread Michael Loftis
So there is no A record for labisilon.lab.example.com in the pdns01 name
server? (What's the dig output when you request the A record for the
delegated domain?)
Michael,

You are correct - my typo - it is labisilon (not simply isilon).

When I do “dig @pdns01 NS labisilon.lab.example.com I get the following:

$ dig @psl-pdns01 ns pslisilon.lab.securustech.net

; <<>> DiG 9.8.3-P1 <<>> @psl-pdns01 ns pslisilon.lab.securustech.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53684
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;labisilon.lab.example.com. IN NS

;; AUTHORITY SECTION:
labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.

;; ADDITIONAL SECTION:
lab-isilon.lab.example.com. 900 IN A x.x.x.x

;; Query time: 59 msec

I don’t believe the records are overlapping according to this output but
please correct me if I’m wrong on this.

-- 
Drew Decker
Sent with Airmail

On December 13, 2013 at 12:35:02 AM, Michael Loftis
(mlof...@wgops.com)
wrote:

Is the delegated zone isilon or labisilon? I think you need to check the A,
and NS records as you've mixed them up even in the email there. I would
delegate a completely different sub domain than I would name the A record
just to avoid such confusion, it sounds like you've got an NS and A records
for the same name, which is why you're getting the static A record from
powerdns.

In your typed example you are using labisilon as the sub domain and
lab-isilon as the A record and NS delegation...  What does dig NS
labisilon.lab.example.com @1.2.3.4 give you? (Replace 1.2.3.4 with the pdns
auth server ip address) you should get back two records, one NS type
pointing to lab-isilon and one A type giving the address to send UDP/TCP
queries to.

Sounds like that's where the problem is still. Your delegation shouldn't
have any overlapping A records labisilon should be just an NS which
points to lab-isilon, otherwise you get the behavior you described. Which
is a broken delegation.
On Dec 12, 2013 9:54 PM, Drew Decker drewrocksh...@gmail.com wrote:

  Michael,

  I think  you only read a few posts on this thread, so I’ll give you some
 details of what had/has been done up to this point, as I read your entire
 email and from what you are saying, I’ve already done (which is why I’m
 reaching out to the community) - correct me if I’m wrong.

  I have a single zone: lab.example.com

  The isilon needs a delegated zone for it to use, so we simply chose 
 isilon.lab.example.com

  From a PowerDNS perspective, lab.example.com lives on a single server
 pdns01 and the database server runs on its own dedicated hardware
 pdnsdb01.

  A single zone was created - lab.example.com

  We added the following DNS records to PowerDNS (in the lab.example.com zone):

 labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.
 lab-isilon.lab.example.com. 900 IN A x.x.x.x

 Once we added this, it still does not work; when we ping 
 labisilon.lab.example.com, it returns the IP from lab-isilon.lab.example.com, 
 which would be as expected, but since the “x.x.x.x” IP is a SmartConnect IP 
 on the Isilon, it actually takes that IP gives a random IP (depends on how 
 the Isilon is configured) back to the client.  So, in our case, we basically 
 round-robin it, so each new request to the isilon should give us a new IP, 
 until we get to the end, and then we start over.

 I just need to know if I’m missing something here, and if not, maybe it is an 
 issue with the Isilon, in this case.  I just want to make sure that I’m 
 setting up DNS delegation correctly in PowerDNS, or if I’m missing something 
 PowerDNS specific.

  Thanks for your continued input.

 --
 Drew Decker


 On December 12, 2013 at 9:32:33 PM, Michael Loftis 
 (mlof...@wgops.com)
 wrote:

  The most common and obvious example of glue is when you have a TLD
 such as GOV, COM, or EDU delegate your domain, your NS records usually
 exist within your domain so glue must exist higher up, exact same
 principle applies at every level where a delegation occurs. Say
 isil.lab.example.com is served by the isilon. This is the delegated
 subdomain. lab.example.com is served by other nameservers. The A
 record you're using could be ns1.isil.lab.example.com, and so must
 exist in both the isil.lab.example.com domain, AND the lab.example.com
 domain, in two separate nameservers.

 You must have on BOTH the lab.example.com and the isil.lab.example.com
 domains and nameservers A records for out of zone nameservers in
 subdomains are called glue. Nothing magical. Everyone has some in
 COM, GOV, EDU, ORG, etc. If you take a look at google.com, you'll see
 ns1 through ns4.google.com -- those four A records exist in the COM
 zone

Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)

2013-12-13 Thread Michael Loftis
No you definitely do not want to add an A record for
labisilon.lab.domain.com to the powerdns server, that would cause it
to always serve the A record.  From the response information I take it
the powerdns server isn't your recursive resolver (IE it's not whats
in the /etc/resolv.conf or equivalent for your platform) - but from
the output you've shown me the first half of the delegation is fine.
The second half of the delegation must also exist or BIND in
particular won't count it as valid (though the validation is lazy so
you'll sometimes get an answer, but most of the time not) -- and the
second half is the matching NS record on the isilon, and the SOA
(though the SOA is less important) -- you'll want to do the same dig
@x.x.x.x NS labisilon.lab.domain.com and dig @x.x.x.x A
labisilon.lab.domain.com - this is all part of diagnosing what
actually *is* happening with this delegation. If the NS records aren't
being returned from the isilon or the A or SOA isn't I can't really
help you out there if those aren't there as I've never used the
smartconnect product though there's a small chance I can get some
information since we used their storage boxes at my present day job
years back before I started (We literally have a couple racks worth of
them sitting around after being decommissioned).


... reading a bit in...is securustech.net the actual domain?  It has
wild cards which would be causing all manner of hell for you, if the A
record you're getting back is the same as I'm seeing from the outside
- 69.43.161.163 - then that would explain your problems.  Your
recursive resolver is getting the wildcard answers from your outside
nameservers.

On Fri, Dec 13, 2013 at 8:23 AM, Drew Decker drewrocksh...@gmail.com wrote:
 Same output -

 dig @psl-pdns01 A pslisilon.lab.securustech.net

 ; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24930
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

 ;; QUESTION SECTION:
 ;labisilon.lab.domain.com. IN A

 ;; AUTHORITY SECTION:
 labisilon.lab.domain.com 900 IN NS lab-isilon.lab.domain.com.

 ;; ADDITIONAL SECTION:
 lab-isilon.lab.domain.com. 900 IN A x.x.x.x

 ;; Query time: 2 msec

 Do I need to specifically add an “A” record of labisilon.lab.domain.com -
 x.x.x.x?
 --
 Drew Decker
 Sent with Airmail

 On December 13, 2013 at 10:18:10 AM, Michael Loftis (mlof...@wgops.com)
 wrote:

 labisilon.lab.example.com



-- 

Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds.
-- Samuel Butler



Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)

2013-12-13 Thread Michael Loftis
Ah...You actually *may* have hit a bug.  What version of powerdns and
what backend?  There's an issue on github, number 49, fixed in commit
number 549 according to the bug where PDNS was behaving similar to
this...if you dig for things *under* that subdomain eg
test.labisilon.lab.domain.com you get the correct response (NS and A
records w/ no AA bit indicating you must chase the delegation) -- but
when querying for the delegated domain, it returns the SOA and an AA
bit w/ NXDOMAIN indicating no such record.
https://github.com/PowerDNS/pdns/issues/49

Might actually be that bug you're seeing!  Sorry for the run around if
so, I didn't even know the bug existed until now.

This of course assumes correct records and all...which is why I had
you run all those digs...

On Fri, Dec 13, 2013 at 10:22 AM, Drew Decker drewrocksh...@gmail.com wrote:
 Michael,

 the PowerDNS server IS the main recursor resolver and the IP of the PowerDNS
 server is actually in /etc/resolv.conf for all of the platform servers.  We
 no longer have any BIND servers in our infrastructure.

 Here are the dig outputs:

 $ dig @pdns01 NS labisilon.lab.domain.com

 ; <<>> DiG 9.8.3-P1 <<>> @pdns01 NS labisilon.lab.domain.com
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9680
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

 ;; QUESTION SECTION:
 ;labisilon.lab.domain.com. IN NS

 ;; AUTHORITY SECTION:
 lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com.
 2013073047 86400 7200 604800 3600

 ;; Query time: 1 msec

 [~]
 ddecker$ dig @pdns01 A labisilon.lab.domain.com

 ; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1337
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

 ;; QUESTION SECTION:
 ;labisilon.lab.domain.com. IN A

 ;; AUTHORITY SECTION:
 lab.domain.com. 900 IN SOA pdns01.lab.domain.com. linuxadmins.domain.com.
 2013073047 86400 7200 604800 3600

 ;; Query time: 0 msec


 --
 Drew Decker
 Sent with Airmail

 On December 13, 2013 at 12:08:35 PM, Michael Loftis (mlof...@wgops.com)
 wrote:

 No you definitely do not want to add an A record for
 labisilon.lab.domain.com to the powerdns server, that would cause it
 to always serve the A record. From the response information I take it
 the powerdns server isn't your recursive resolver (IE it's not whats
 in the /etc/resolv.conf or equivalent for your platform) - but from
 the output you've shown me the first half of the delegation is fine.
 The second half of the delegation must also exist or BIND in
 particular won't count it as valid (though the validation is lazy so
 you'll sometimes get an answer, but most of the time not) -- and the
 second half is the matching NS record on the isilon, and the SOA
 (though the SOA is less important) -- you'll want to do the same dig
 @x.x.x.x NS labisilon.lab.domain.com and dig @x.x.x.x A
 labisilon.lab.domain.com - this is all part of diagnosing what
 actually *is* happening with this delegation. If the NS records aren't
 being returned from the isilon or the A or SOA isn't I can't really
 help you out there if those aren't there as I've never used the
 smartconnect product though there's a small chance I can get some
 information since we used their storage boxes at my present day job
 years back before I started (We literally have a couple racks worth of
 them sitting around after being decommissioned).


 ... reading a bit in...is securustech.net the actual domain? It has
 wild cards which would be causing all manner of hell for you, if the A
 record you're getting back is the same as I'm seeing from the outside
 - 69.43.161.163 - then that would explain your problems. Your
 recursive resolver is getting the wildcard answers from your outside
 nameservers.

 On Fri, Dec 13, 2013 at 8:23 AM, Drew Decker drewrocksh...@gmail.com
 wrote:
 Same output -

 dig @psl-pdns01 A pslisilon.lab.securustech.net

 ; <<>> DiG 9.8.3-P1 <<>> @pdns01 A labisilon.lab.domain.com
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24930
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

 ;; QUESTION SECTION:
 ;labisilon.lab.domain.com. IN A

 ;; AUTHORITY SECTION:
 labisilon.lab.domain.com 900 IN NS lab-isilon.lab.domain.com.

 ;; ADDITIONAL SECTION:
 lab-isilon.lab.domain.com. 900 IN A x.x.x.x

 ;; Query time: 2 msec

 Do I need to specifically add an “A” record of labisilon.lab.domain.com -
 x.x.x.x?
 --
 Drew Decker
 Sent with Airmail

 On December 13, 2013 at 10:18:10 AM, Michael Loftis (mlof...@wgops.com)
 wrote:

 labisilon.lab.example.com



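The diagnosis in this thread hinges on reading three things out of a dig reply from the parent server: the status, the aa flag, and which section the NS records land in. A referral (NOERROR, no aa, NS for the delegated name in AUTHORITY) is healthy; an aa NXDOMAIN for the delegated name means the parent claims the name does not exist; an aa answer with an A record means the parent is answering itself instead of referring. The following is an added example, not code from the thread or from PowerDNS: it parses dig's text output and classifies it along those lines. The sample replies are constructed to mirror the two outputs quoted above, with RFC 5737 addresses in place of x.x.x.x and a made-up hostmaster mailbox.

```python
# Added example (not from the thread): classify dig output to tell a healthy
# referral from the "aa + NXDOMAIN at the delegated name" failure discussed above.
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"flags: ([a-z ]*);")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


@dataclass
class DigResponse:
    status: str = ""
    flags: set = field(default_factory=set)
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def parse_dig(text):
    """Parse dig's human-readable output into status, flags and RR sections.
    Each RR is kept as (owner, type, rdata), lower-cased, trailing dots removed."""
    resp = DigResponse()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ->>HEADER<<-"):
            resp.status = HEADER_RE.search(line).group(1)
        elif line.startswith(";; flags:"):
            resp.flags = set(FLAGS_RE.search(line).group(1).split())
        elif line.endswith("SECTION:"):
            section = line.split()[1].lower()  # question/answer/authority/additional
        elif line and not line.startswith(";"):
            m = RR_RE.match(line)
            if m and section in ("answer", "authority", "additional"):
                owner, _ttl, rtype, rdata = m.groups()
                getattr(resp, section).append(
                    (owner.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return resp


def classify(resp, qname):
    """What the parent server's reply means for the delegation of qname."""
    qname = qname.rstrip(".").lower()
    ns_here = [rr for rr in resp.authority if rr[0] == qname and rr[1] == "NS"]
    if resp.status == "NOERROR" and "aa" not in resp.flags and ns_here:
        return "referral"                # healthy: the resolver must chase the NS
    if resp.status == "NXDOMAIN" and "aa" in resp.flags:
        return "authoritative-nxdomain"  # parent denies the delegated name exists
    if "aa" in resp.flags and resp.answer:
        return "authoritative-answer"    # parent answers itself (data at the delegation point)
    return "other"


def missing_glue(resp, qname):
    """NS targets below qname for which the referral carried no A/AAAA glue."""
    qname = qname.rstrip(".").lower()
    have = {rr[0] for rr in resp.additional if rr[1] in ("A", "AAAA")}
    targets = [rr[2] for rr in resp.authority if rr[0] == qname and rr[1] == "NS"]
    return [t for t in targets if t.endswith("." + qname) and t not in have]


# Constructed sample replies modelled on the dig outputs quoted in the thread.
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24930
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;labisilon.lab.example.com.   IN A

;; AUTHORITY SECTION:
labisilon.lab.example.com. 900 IN NS lab-isilon.lab.example.com.

;; ADDITIONAL SECTION:
lab-isilon.lab.example.com. 900 IN A 192.0.2.10
"""

AA_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9680
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;labisilon.lab.example.com.   IN NS

;; AUTHORITY SECTION:
lab.example.com. 900 IN SOA pdns01.lab.example.com. hostmaster.lab.example.com. 2013073047 86400 7200 604800 3600
"""

AA_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
labisilon.lab.example.com. 900 IN A 192.0.2.10
"""

if __name__ == "__main__":
    for label, text in (("referral", REFERRAL), ("aa nxdomain", AA_NXDOMAIN), ("aa answer", AA_ANSWER)):
        r = parse_dig(text)
        print(label, "->", classify(r, "labisilon.lab.example.com"),
              "missing glue:", missing_glue(r, "labisilon.lab.example.com"))
```

Run the real queries with dig against the parent (the PowerDNS authoritative server) and against the child (the Isilon) and feed each reply through the classifier; a healthy delegation gives "referral" from the parent and an aa answer with the SOA and NS from the child. Anything else points at the record set, not at the resolver.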

Re: [Pdns-users] Can the zone data be edited from passing mysql queries?

2013-07-23 Thread Michael Loftis
PowerDNS is database driven. Read the docs, or even just the features.

On Monday, July 22, 2013, Manish Rane wrote:

 Hi Folks,

 Wondering if I can edit/change the static zone file as a result of certain
 bash script. Since the backend is Mysql can we really  pass mysql statement
 by which I can update the zone file?

 Well, I am trying to write a script which will monitor the server on
 certain ports and it if fails to connect to the server it will delete or
 add the entry from zone file so that traffic will be routed to another
 server, possible? I am thinking same possibility with BIND but let me know
 if this can be possible with pdns

 OR does any one aware of such solution available in open source?



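Since the gmysql backend reads zone data straight from the database, a health checker can add or remove records with plain SQL, as the question above asks. Two things matter when doing so: use parameterised statements, because a checker that builds SQL from hostnames or addresses it collected is an injection path into your DNS, and bump the SOA serial on every change so secondaries and anyone watching the serial notice it. The following is an added example, not from the thread or from PowerDNS. It uses sqlite3 in place of MySQL so it runs offline; the two tables are a subset of the gmysql schema of that era (no disabled column), and the zone, names and RFC 5737 addresses are constructed.

```python
# Added example (not from the thread): a monitor-driven record swap done through
# the database, as a gmysql-backed PowerDNS allows. sqlite3 stands in for MySQL.
import sqlite3

SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL, type TEXT NOT NULL);
CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                      name TEXT, type TEXT, content TEXT, ttl INTEGER,
                      prio INTEGER, change_date INTEGER);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def seed(conn, zone, records):
    """Create a NATIVE zone and insert (name, type, content, ttl) rows (constructed data)."""
    cur = conn.execute("INSERT INTO domains (name, type) VALUES (?, 'NATIVE')", (zone,))
    domain_id = cur.lastrowid
    conn.executemany(
        "INSERT INTO records (domain_id, name, type, content, ttl, prio, change_date) "
        "VALUES (?, ?, ?, ?, ?, 0, 0)",
        [(domain_id, n, t, c, ttl) for n, t, c, ttl in records])
    conn.commit()
    return domain_id


def bump_serial(conn, domain_id, now):
    """Increment the SOA serial (third field of the SOA content) and stamp change_date."""
    rid, content = conn.execute(
        "SELECT id, content FROM records WHERE domain_id=? AND type='SOA'", (domain_id,)).fetchone()
    fields = content.split()
    fields[2] = str(int(fields[2]) + 1)
    conn.execute("UPDATE records SET content=?, change_date=? WHERE id=?",
                 (" ".join(fields), now, rid))
    return int(fields[2])


def set_backend_state(conn, domain_id, name, ip, healthy, now):
    """Add or remove one A record for a pool member and bump the serial.
    Returns the new serial, or None when nothing had to change.
    Only parameterised queries: never format checker input into SQL."""
    exists = conn.execute(
        "SELECT 1 FROM records WHERE domain_id=? AND name=? AND type='A' AND content=?",
        (domain_id, name, ip)).fetchone() is not None
    if healthy and not exists:
        conn.execute(
            "INSERT INTO records (domain_id, name, type, content, ttl, prio, change_date) "
            "VALUES (?, ?, 'A', ?, 30, 0, ?)", (domain_id, name, ip, now))
    elif not healthy and exists:
        conn.execute(
            "DELETE FROM records WHERE domain_id=? AND name=? AND type='A' AND content=?",
            (domain_id, name, ip))
    else:
        return None  # state already matches; don't churn the serial
    serial = bump_serial(conn, domain_id, now)
    conn.commit()
    return serial


def addresses(conn, domain_id, name):
    """Current A records for name, sorted, as a client would see them (before caching)."""
    return sorted(row[0] for row in conn.execute(
        "SELECT content FROM records WHERE domain_id=? AND name=? AND type='A'",
        (domain_id, name)))


if __name__ == "__main__":
    conn = open_db()
    did = seed(conn, "example.com", [
        ("example.com", "SOA", "ns1.example.com. hostmaster.example.com. 2013072201 10800 3600 604800 300", 3600),
        ("www.example.com", "A", "192.0.2.10", 30),
        ("www.example.com", "A", "192.0.2.11", 30),
    ])
    print("serial", set_backend_state(conn, did, "www.example.com", "192.0.2.11", False, 1374537600))
    print("www ->", addresses(conn, did, "www.example.com"))
```

Two caveats for production use: PowerDNS keeps a packet cache and a query cache, so a change made in the database becomes visible only after those entries expire unless you flush them (pdns_control purge takes a name to drop); and a low TTL on the pool records, as in the 30 seconds above, bounds how long resolvers keep handing out the address you just removed.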


Re: [Pdns-users] Power Dns Server As A Domain Name Registry(Parent Name Server)

2013-07-23 Thread Michael Loftis
You're making several mistakes in setting up your delegation.  First
you've included an SOA in your PowerDNS records.  Start Of Authority
is exactly that.  The etc zone needs to have only NS records and (if
necessary) A glue records inside of the delegating server. The PDNS
server is being given a record that indicates *IT* has authority for
the forum.etc zone.  Secondly you delegate to ns1.forum.etc but
forum.etc has ns1. as its listed delegate, which would be a
zone/record that would not exist.  Either add glue, or change that to
correctly read ns1 or ns1.forum.etc. (note the trailing dot, VERY
important)  The PDNS server may also need an SOA for etc as well as
depending on the resolver/resolver lib being used you might even need
to have delegation in your PDNS for . (the root).





On Tue, Jul 23, 2013 at 5:19 PM, Önem Özgülgen onemozgul...@gmail.com wrote:
 Hello,

 Ip Address Of PowerDNS Server with MySQL Backend(Both Authoritative and
 Recursive) :

 188.132.241.151

 Ip Address Of Bind9 Server:

 188.132.250.197

 Here's the MySQL dump of domains table;

 mysql> select * from domains;
 +----+------+--------+------------+--------+-----------------+---------+
 | id | name | master | last_check | type   | notified_serial | account |
 +----+------+--------+------------+--------+-----------------+---------+
 |  5 | etc  | yes    |          1 | master |               1 | vixen   |
 +----+------+--------+------------+--------+-----------------+---------+
 1 row in set (0.00 sec)


 Here's the MySQL dump of records table;

 mysql> select * from records;
 +----+-----------+---------------+------+-----------------+-----+------+-------------+
 | id | domain_id | name          | type | content         | ttl | prio | change_date |
 +----+-----------+---------------+------+-----------------+-----+------+-------------+
 | 41 |         5 | forum.etc     | NS   | ns1.forum.etc   |   1 |    1 |           1 |
 | 43 |         5 | ns1.forum.etc | A    | 188.132.250.197 |   1 |    1 |           1 |
 | 39 |         5 | forum.etc     | SOA  | 45325325325     |   1 |    1 |           1 |
 +----+-----------+---------------+------+-----------------+-----+------+-------------+
 3 rows in set (0.00 sec)


 Here's the records file input for the master zone of forum.etc created in
 Bind9 Server;

 $ttl 38400
 forum.etc.    IN    SOA    ns1. info.forum.etc. (
                            1374623190
                            10800
                            3600
                            604800
                            38400 )
 forum.etc.    IN    NS     ns1.
 ns1           IN    A      188.132.250.197
 www           IN    A      94.101.88.30


 After i've replaced my pc's dns server ip to PowerDns Server, here's the
 nslookup dump for both forum.etc and ns1.forum.etc;

 C:\Users\vixen>nslookup forum.etc
 Server:static-151-241-132-188.sadecehosting.net
 Address: 188.132.241.151

 Name: forum.etc

 C:\Users\vixen>nslookup ns1.forum.etc
 Server: static-151-241-132-188.sadecehosting.net
 Address: 188.132.241.151

 Name: ns1.forum.etc
 Address: 188.132.250.197

 On the web browser of my pc, when I typed http://ns1.forum.etc I'm getting
 an Apache test page of the Bind9 Server and it's ok.

 But, if i type http://www.forum.etc it can't connect to the ip address which
 i've added in zone records of Bind9 Server.

 If you need anything more, please let me know.

 Thanks.












Re: [Pdns-users] 1 sec delay before DNS-answer at pdns-recursor

2013-06-25 Thread Michael Loftis
On Tuesday, June 25, 2013, Shamus Smith wrote:

 Hello all,

 thanks for all your answers, but I'm still stuck. Below is the full output
 for dig for pdns and dnsmasq.
 The query time is 2 ms for the first uncached request and 0 ms for pdns
 and dnsmasq. However, the
 whole execution of the dig command takes over 1 second for pdns and below
 30 ms for dnsmasq. The
 same for nslookup.

 For the second request trace just shows: 1 question answered from packet
 cache from 127.0.0.1
 But it still takes more than 1 second.

 - /etc/pdns-recursor/recursor.conf (default-config from package plus own
 forward-zone, removed comments)
 forward-zones=.=8.8.8.8
 setgid=pdns-recursor
 setuid=pdns-recursor

 - /etc/dnsmasq.conf (default-config from package, removed comments)
 bogus-priv
 cache-size=1500
 domain-needed
 no-hosts

 - /etc/hosts
 127.0.0.1   localhost localhost.localdomain localhost4
 localhost4.localdomain4
 ::1 localhost localhost.localdomain localhost6
 localhost6.localdomain6

 /etc/nsswitch.conf was not modified and there is absolutely no load on the
 machine.
 I do not have a LDAP user database, this is just a minimum install of
 CentOS 6.5.

 Any ideas?



Someone else mentioned using forward-zones-recurse instead. Try that.
There's obviously an issue between your OS resolver and pdns-recursor. That
may well be the cause.




 Thanks,
 Shamus








Re: [Pdns-users] 1 sec delay before DNS-answer at pdns-recursor

2013-06-23 Thread Michael Loftis
What about giving the full dig output too?  My bet is you're actually
experiencing some sort of huge delay starting up dig or resolving
localhost, use @127.0.0.1 instead and see if the time goes away.
Does your /etc/hosts contain 'localhost'?  Have you modified your
nsswitch.conf? (Assuming standard *nix like system)

On Sun, Jun 23, 2013 at 3:58 AM, Shamus Smith smithsha...@yahoo.de wrote:
 Hello Bert,

  Any ideas why it takes so long?

 Rerun with --trace enabled and check what is happening. With some study,
 it should be clear what it is waiting for.

 did that already before, but still did not found anything helpful there.
 Below is a new trace.
 btw, I am using 3.5.1 (package pdns-recursor-3.5.1-1.el6.x86_64).

 Thanks,
  Shamus

 - /etc/init.d/pdns-recursor start
 Jun 23 12:30:12 server pdns_recursor[11064]: PowerDNS recursor 3.5.1 (C)
 2001-2013 PowerDNS.COM BV (May  3 2013, 20:04:33, gcc 4.4.7 20120313 (Red
 Hat 4.4.7-3)) starting up
 Jun 23 12:30:12 server pdns_recursor[11064]: PowerDNS comes with ABSOLUTELY
 NO WARRANTY. This is free software, and you are welcome to redistribute it
 according to the terms of the GPL version 2.
 Jun 23 12:30:12 server pdns_recursor[11064]: Operating in 64 bits mode
 Jun 23 12:30:12 server pdns_recursor[11064]: Reading random entropy from
 '/dev/urandom'
 Jun 23 12:30:12 server pdns_recursor[11064]: Only allowing queries from:
 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16,
 172.16.0.0/12, ::1/128, fe80::/10
 Jun 23 12:30:12 server pdns_recursor[11064]: Will not send queries to:
 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16,
 172.16.0.0/12, ::1/128, fe80::/10, 0.0.0.0, ::
 Jun 23 12:30:12 server pdns_recursor[11064]: NOT using IPv6 for outgoing
 queries - set 'query-local-address6=::' to enable
 Jun 23 12:30:12 server pdns_recursor[11064]: Redirecting queries for zone
 '.' to: 8.8.8.8:53
 Jun 23 12:30:12 server pdns_recursor[11064]: Inserting rfc 1918 private
 space zones
 Jun 23 12:30:12 server pdns_recursor[11064]: Not decreasing socket buffer
 size from 229376 to 20
 Jun 23 12:30:12 server pdns_recursor[11064]: Listening for UDP queries on
 127.0.0.1:53
 Jun 23 12:30:12 server pdns_recursor[11064]: Enabled TCP data-ready filter
 for (slight) DoS protection
 Jun 23 12:30:12 server pdns_recursor[11064]: Listening for TCP queries on
 127.0.0.1:53
 Jun 23 12:30:12 server pdns_recursor[11064]: Calling daemonize, going to
 background
 Jun 23 12:30:12 server pdns_recursor[11065]: Set effective group id to 497
 Jun 23 12:30:12 server pdns_recursor[11065]: Set effective user id to 497
 Jun 23 12:30:12 server pdns_recursor[11065]: Launching 2 threads
 Jun 23 12:30:12 server pdns_recursor[11065]: Done priming cache with root
 hints
 Jun 23 12:30:12 server pdns_recursor[11065]: Done priming cache with root
 hints
 Jun 23 12:30:12 server pdns_recursor[11065]: Enabled 'epoll' multiplexer
 Jun 23 12:30:12 server pdns_recursor[11065]: .: No cache hit for '.|NS',
 trying to find an appropriate NS record
 Jun 23 12:30:12 server pdns_recursor[11065]: .: No cache hit for '.|NS',
 trying to find an appropriate NS record
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Cache consultations done,
 have 1 NS to contact
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Cache consultations done,
 have 1 NS to contact
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Nameservers:
 -8.8.8.8:53(0.00ms)
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Trying to resolve NS
 '-8.8.8.8:53' (1/1)
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Domain has hardcoded
 nameserver(s)
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Resolved '.' NS -8.8.8.8:53
 to: 8.8.8.8
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Nameservers:
 -8.8.8.8:53(0.00ms)
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Trying to resolve NS
 '-8.8.8.8:53' (1/1)
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Domain has hardcoded
 nameserver(s)
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Resolved '.' NS -8.8.8.8:53
 to: 8.8.8.8
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Trying IP 8.8.8.8:53, asking
 '.|NS'
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Trying IP 8.8.8.8:53, asking
 '.|NS'
 Jun 23 12:30:12 server pdns_recursor[11065]: .: Got 13 answers from
 -8.8.8.8:53 (8.8.8.8), rcode=0, aa=0, in 6ms
 Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer
 '.|NS|d.root-servers.net.' from '.' nameservers? YES!
 Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer
 '.|NS|l.root-servers.net.' from '.' nameservers? YES!
 Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer
 '.|NS|c.root-servers.net.' from '.' nameservers? YES!
 Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer
 '.|NS|g.root-servers.net.' from '.' nameservers? YES!
 Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer
 '.|NS|h.root-servers.net.' from '.' nameservers? YES!
 Jun 23 12:30:12 server pdns_recursor[11065]: .: accept answer
 

Re: [Pdns-users] 1 sec delay before DNS-answer at pdns-recursor

2013-06-23 Thread Michael Loftis
On Sunday, June 23, 2013, Shamus Smith wrote:

 Thanks for your answer. The full dig output was in the first posting.
 I have not modified nsswitch.conf and /etc/hosts contains only this:


No, only the +short is in any of your responses, when I say full output I
mean without +short - there's a hint of timing information in the full dig
output.  We have the time it took for the entire command to execute but we
don't have the actual RTT of the DNS query.  It'll indicate the query time,
as well as whom it sent the query to, IE what @localhost was resolved to
prior to dig starting its own query - which I think it uses gethostent or
one of the other get* calls.




 127.0.0.1   localhost localhost.localdomain localhost4
 localhost4.localdomain4
 ::1 localhost localhost.localdomain localhost6
 localhost6.localdomain6

 And you were right! When using dig www.google.com @127.0.0.1 it takes
 just
 0.021 seconds. But I still do not have a clue why, do you?


My *guess* or hunch is that your internal OS stack gethostent, getaddrinfo,
etc, is failing/falling over somehow or in some form.  It shouldn't be
talking to anything in resolv.conf but if it is  then the later response
about correctly having the RD bit set or not because of the configuration
could explain the different behavior with dnsmasq.  Normally it should be
consulting your local files first, finding an answer, and immediately
returning.  But if there's something funny going on it might not be.  Other
issues can occur if you have LDAP user databases/etc, or even if you've got
some heavy swapping/paging going on it'll take a while to start up any
command that isn't already fully in cache/RAM.  All that is why I asked for
the timing information from dig, which it runs *after* any of that could
get into the way.



 When using another recursor (Dnsmasq) there is no time difference when
 using
 @localhost or @127.0.0.1.

 Thanks,
 Shamus

I don't think anything other than /etc/hosts should get involved but your
stall pretty clearly appears to be happening during the resolution of the
@localhost and not the round trip to the world and through the pdns
recursor.




 What about giving the full dig output too?  My bet is you're actually
 experiencing some sort of huge delay starting up dig or resolving
 localhost, use @127.0.0.1 instead and see if the time goes away.
 Does your /etc/hosts contain 'localhost'?  Have you modified your
 nsswitch.conf? (Assuming standard *nix like system)

 On Sun, Jun 23, 2013 at 3:58 AM, Shamus Smith smithsha...@yahoo.de
 wrote:
  Hello Bert,
 
   Any ideas why it takes so long?
 
  Rerun with --trace enabled and check what is happening. With some study,
  it should be clear what it is waiting for.
 
  did that already before, but still did not found anything helpful there.
  Below is a new trace.
  btw, I am using 3.5.1 (package pdns-recursor-3.5.1-1.el6.x86_64).
 
  Thanks,
   Shamus
 
  - /etc/init.d/pdns-recursor start
  Jun 23 12:30:12 server pdns_recursor[11064]: PowerDNS recursor 3.5.1 (C)
  2001-2013 PowerDNS.COM BV (May  3 2013, 20:04:33, gcc 4.4.7 20120313 (Red
  Hat 4.4.7-3)) starting up
  Jun 23 12:30:12 server pdns_recursor[11064]: PowerDNS comes with
 ABSOLUTELY
  NO WARRANTY. This is free software, and you are welcome to redistribute
 it
  according to the terms of the GPL version 2.
  Jun 23 12:30:12 server pdns_recursor[11064]: Operating in 64 bits mode
  Jun 23 12:30:12 server pdns_recursor[11064]: Reading random entropy from
  '/dev/urandom'
  Jun 23 12:30:12 server pdns_recursor[11064]: Only allowing queries from:
  127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16,
  172.16.0.0/12, ::1/128, fe80::/10
  Jun 23 12:30:12 server pdns_recursor[11064]: Will not send queries to:
  127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16,
  172.16.0.0/12, ::1/128, fe80::/10, 0.0.0.0, ::
  Jun 23 12:30:12 server pdns_recursor[11064]: NOT using IPv6 for outgoing
  queries - set 'query-local-address6=::' to enable
  Jun 23 12:30:12 server pdns_recursor[11064]: Redirecting queries for zone
  '.' to: 8.8.8.8:53
  Jun 23 12:30:12 server pdns_recursor[11064]: Inserting rfc 1918 private
  space zones
  Jun 23 12:30:12 server pdns_recursor[11064]: Not decreasing socket buffer
  size from 229376 to 20
  Jun 23 12:30:12 server pdns_recursor[11064]: Listening for UDP queries on
  127.0.0.1:53
  Jun 23 12:30:12 server pdns_recursor[11064]: Enabled TCP data-ready
 filter
  for (slight) DoS protection
  Jun 23 12:30:12 server pdns_recursor[11064]: Listening for TCP queries on
  127.0.0.1:53
  Jun 23 12:30:12 server pdns_recursor[11064]: Calling daemonize, going to
  background
  Jun 23 12:30:12 server pdns_recursor[11065]: Set effective group id to
 497
  Jun 23 12:30:12 server pdns_recursor[11065]: Set effective user id to 497
  Jun 23 12:30:12 server pdns_recursor[11065]: Launching 2 threads
  Jun 23 12:30:12 server pdns_recursor[11065]: Done priming cache with root
  hints
  Jun 

Re: [Pdns-users] 1 sec delay before DNS-answer at pdns-recursor

2013-06-23 Thread Michael Loftis
On Sun, Jun 23, 2013 at 5:40 PM, Michael Loftis mlof...@wgops.com wrote:



 I don't think anything other than /etc/hosts should get involved but your
 stall pretty clearly appears to be happening during the resolution of the
 @localhost and not the round trip to the world and through the pdns
 recursor.

Which is to say I don't think that pdns-recursor is at fault for your
slow dig resolution time...your OS stack I believe is failing
elsewhere.




Re: [Pdns-users] problems with glue records

2013-02-10 Thread Michael Loftis
Its the CNAME - think of it like a symbolic link on a file system. It points 
all access towards the given place. For your domain to work at all you'll need 
to remove the yeetta.net CNAME.

Sent from my iPhone

On Feb 10, 2013, at 7:28, Florus Both flo...@yeetta.com wrote:

 Hi, maybe someone can shed a light on this. I have a domain (yeetta.net) and 
 I have 3 pdns servers ns1..ns3.yeetta.net.
 My domain provider said that they have created the glue records. I can change 
 ns on for example yeetta.com to ns1..ns3.yeetta.net. But I can make the 
 ns1..ns3.yeetta.net change work for yeetta.net.
 Floruss-MacBook-Air:~ fb$ host -t ns yeetta.net 8.8.4.4
 Using domain server:
 Name: 8.8.4.4
 Address: 8.8.4.4#53
 Aliases: 

 yeetta.net is an alias for sloth.dc2.dk.

 Floruss-MacBook-Air:~ fb$ host -t ns yeetta.com 8.8.4.4
 Using domain server:
 Name: 8.8.4.4
 Address: 8.8.4.4#53
 Aliases: 

 yeetta.com name server ns2.yeetta.net.
 yeetta.com name server ns3.yeetta.net.
 yeetta.com name server ns1.yeetta.net.

 Floruss-MacBook-Air:~ fb$ host -t soa yeetta.net 8.8.4.4
 Using domain server:
 Name: 8.8.4.4
 Address: 8.8.4.4#53
 Aliases: 

 yeetta.net is an alias for sloth.dc2.dk.

 Floruss-MacBook-Air:~ fb$ host -t soa yeetta.net
 yeetta.net has SOA record ns1.yeetta.net. hostmaster.yeetta.net. 2013020916 86400 86400 604800 300

 Floruss-MacBook-Air:~ fb$ whois yeetta.net | grep -i server
 Whois Server Version 2.0
    Whois Server: whois.joker.com
    Name Server: NS1.YEETTA.NET
    Name Server: NS2.YEETTA.NET
    Name Server: NS3.YEETTA.NET
 nserver:  ns1.yeetta.net 188.40.130.134 2a01:4f8:101:2446::10
 nserver:  ns2.yeetta.net 213.133.100.34 2a01:4f8:a0:92a1::10
 nserver:  ns3.yeetta.net 199.233.228.66 2607:fc50:1:d00::10

 
 # data on master pdns:

 mysql> select * from records where domain_id=(select id from domains where name='yeetta.net') order by type;
 +-----+-----------+-------------------+-------+-----------------------+-------+------+-------------+-----------+------+
 | id  | domain_id | name              | type  | content               | ttl   | prio | change_date | ordername | auth |
 +-----+-----------+-------------------+-------+-----------------------+-------+------+-------------+-----------+------+
 |  78 |        14 | ns1.yeetta.net    | A     | 188.40.130.134        |   300 |    0 |  1358881107 | ns1       |    1 |
 |  79 |        14 | ns2.yeetta.net    | A     | 213.133.100.34        |   300 |    0 |  1358881107 | ns2       |    1 |
 |  85 |        14 | sloth.yeetta.net  | A     | 213.133.100.45        |   300 |    0 |  1359117905 | sloth     |    1 |
 | 104 |        14 | ns3.yeetta.net    | A     | 199.233.228.66        |   300 |    0 |  1358938795 | ns3       |    1 |
 | 110 |        14 | fiji.yeetta.net   | A     | 78.47.100.74          |   300 |    0 |  1358938752 | fiji      |    1 |
 | 111 |        14 | guam.yeetta.net   | A     | 78.47.120.205         |   300 |    0 |  1358938772 | guam      |    1 |
 | 181 |        14 | palau.yeetta.net  | A     | 82.145.35.117         |   600 |    0 |  1359364715 | palau     |    1 |
 | 105 |        14 | ns3.yeetta.net    |       | 2607:fc50:1:d00::10   |   300 |    0 |  1358932084 | ns3       |    1 |
 | 106 |        14 | ns2.yeetta.net    |       | 2a01:4f8:a0:92a1::10  |   300 |    0 |  1358933489 | ns2       |    1 |
 | 148 |        14 | ns1.yeetta.net    |       | 2a01:4f8:101:2446::10 |   600 |    0 |  1359105247 | ns1       |    1 |
 |  74 |        14 | mail.yeetta.net   | CNAME | yeetta.net            |   300 |    0 |  1358881048 | mail      |    1 |
 |  86 |        14 | dnsapi.yeetta.net | CNAME | sloth.yeetta.net      | 86400 |    0 |  1358881368 | dnsapi    |    1 |
 | 228 |        14 | yeetta.net        | CNAME | sloth.dc2.dk          |   600 |    0 |  1360346937 |           |    1 |
 | 235 |        14 | www.yeetta.net    | CNAME | sloth.dc2.dk          |   600 |    0 |  1360349998 | www       |    1 |
 |  80 |        14 | yeetta.net        |

Re: [Pdns-users] Authoritative and recursive on same IP creates an open recursive server

2012-03-29 Thread Michael Loftis
The recursor only ever talks to the authoritative resolver in this
scenario, so the authoritative resolver needs further configuration to
properly restrict who is being allowed to use it recursively.
recursor.conf only affects the recursor itself.  You need to set, in
pdns.conf, allow-recursion to restrict appropriately.

Also, it's usually not a good idea to have your recursors and
authoritative nameservers on the same IPs, the authoritative should
really just be serving authoritative data and never recursing.  This
helps prevent accidental (and malicious) cache poisoning of your
authoritative nameserver.

On Thu, Mar 29, 2012 at 2:27 PM, Miguel Miranda
miguel.miran...@gmail.com wrote:
 Hello to all, I'm migrating several of my DNS servers from BIND to PowerDNS. I
 was trying the recursor only and it restricted who can use my server to the
 nets listed in allow-from-file; when I configure the authoritative and
 recursor using recursor=127.0.0.1, everybody can use my server for
 recursion. Am I missing something, or is bypassing allow-from-file the normal
 operation in this scenario?
 regards

 ___
 Pdns-users mailing list
 Pdns-users@mailman.powerdns.com
 http://mailman.powerdns.com/mailman/listinfo/pdns-users




-- 

Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds.
-- Samuel Butler
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
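The check this thread calls for, as an added example that is not part of the thread and not PowerDNS code: a probe that sends a query with the RD bit set and reads the RA bit and RCODE of the reply, which is how you confirm from an address outside your allow-recursion list that the setting in pdns.conf (not recursor.conf) actually closed the server. The header layout is from RFC 1035; the server address, query name and the open/closed/no-recursion labels are this example's own. One caveat for anyone reading this on a current install: the recursor= forwarding option this thread is about was removed from the Authoritative Server in 4.1, so the split Loftis recommends is now the only arrangement.

```python
import socket
import struct

# Added example, not PowerDNS code. Tells whether a nameserver grants
# recursion to the client asking, from the RA bit and RCODE of its reply
# to a query that has RD set (RFC 1035 section 4.1.1 header layout).

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28}
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_REFUSED = 5


def build_query(name, qtype="A", txid=0x1234, rd=True):
    """Build a minimal DNS query: one question, no EDNS."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)


def make_response(txid, flags, ancount=0):
    """Constructed reply header, used to exercise classify() offline."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def parse_header(packet):
    """Return the 12-byte DNS header as a dict of the fields we care about."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def classify(response, txid):
    """'open' if the server offers recursion to us, 'closed' if it refused,
    'no-recursion' if it answered without RA, 'mismatch' on a bad reply."""
    h = parse_header(response)
    if not h["qr"] or h["id"] != txid:
        return "mismatch"
    if h["rcode"] == RCODE_REFUSED:
        return "closed"          # allow-recursion (or equivalent) rejected us
    if h["ra"]:
        return "open"            # recursion available to this client
    return "no-recursion"        # authoritative-style answer, RA clear


def probe(server, name="www.example.com", qtype="A", timeout=2.0, port=53):
    """Send the query over UDP and classify the answer (needs network access)."""
    txid = 0x2A2A
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, txid=txid), (server, port))
        data, _ = sock.recvfrom(4096)
    return classify(data, txid)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))     # run from an address that should be denied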


Re: [Pdns-users] PowerDNS in an ISP environment

2011-08-16 Thread Michael Loftis
On Tue, Aug 16, 2011 at 1:38 AM, Chris Russell
chris.russ...@knowledgeit.co.uk wrote:
 Hi All,



 Quick question – is anyone on the list using PDNS in an ISP environment,
 especially for auth services ?

Up until a couple years ago I worked as Sr. SA/Ops Manager at Modwest,
we used PowerDNS then, and they still do today.  Something like 10k or
15k domains at the time, no idea how many today honestly.  As with
many the draw was a database backend.  There wasn't much else out
there at the time, and certainly nothing stable like PowerDNS.  With
10k+ domains BIND would take a very LONG time to start/restart or even
check for updates.  There was also the headaches involved in
maintaining slave and master zone configs too.  Authoritative DNS
only.  There's a cluster of BIND servers for resolver functionality.
The actual NS records point at load balanced clusters of DNS servers.
To the outside it looks like there are only a handful of
geographically diverse nameservers, in reality there's multiple
PowerDNS servers behind each IP.  Makes doing upgrades REALLY easy,
you just pull one out of the load balancer, upgrade it.  Then you can
do all the testing you want (one thing I did was to play back DNS
queries and observe/systematically check the responses, without
letting any actual traffic out) -- if it doesn't work out you can then
use whatever process you have to roll that machine back and put it
back into the cluster, or, more deeply investigate the failure.  This
was a situation though where there was a very well proven and trusted
load balancer infrastructure in place already so it absolutely made
sense to deploy externally facing DNS services behind this same setup.
 It definitely requires thought to do it that way (chicken-and-egg
scenarios come to mind, you can not have your load balancers depend on
DNS if you're going to run DNS behind them!!!) but it is reliable when
done right.

There have definitely been a few pains here and there.  Some of them
were caused by the fact that wildcard records are used.  Some of the
issues I had were caused by MySQL's sometimes flaky replication,
monitoring them was an absolute must, making sure that they were all
in sync and up to date was also absolutely required.  The benefits far
outweighed the costs at that scale for certain.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Multiple IPs per host name / round robin

2011-02-24 Thread Michael Loftis
The recursive resolver is what clients talk to locally.  AKA a
caching resolver, it's not part of your authoritative infrastructure
at all.  In fact, if you're using your authoritative nameservers as
caching resolvers, you should stop.  For most people the recursive
resolver is provided by their ISP unless they elect to run their own
(like I do) or to use an external one (like OpenDNS or Google's DNS).
What makes them recursive is that they answer queries that aren't
necessarily in their cache or known from zone files by recursing up
the tree until it finds an answer it knows (either from root hints or
previous cached lookups) then works its way back down the tree to
the answer.

On Thu, Feb 24, 2011 at 10:25 AM, PLists jkli...@ifm-services.com wrote:
 Here's your DNS noob question for the day. (I'm not a real sysadmin. I only 
 pretend to be when backed into a corner.)

 I've been running PowerDNS (with a MySQL backend) successfully and happily 
 for a couple of years now. It's really basic stuff, one A record per host 
 name.

 Now I'm in a situation where I need to serve up two possible IP addresses for 
 a certain host name. From my treks through Google, I'm assuming the following:

 1) I simply enter multiple A records into the database, one for each IP.
 2) PowerDNS does not randomize these. [informational]
 3) Recursors are supposed to do this. [informational]

 So all I need to do, really, is enter in the multiple A records.


 What I'm confused about is the role of the recursor. Is it already installed 
 as part of PowerDNS? If not, do I need to install the recursor on my name 
 servers? Does it take over port 53? From reading about recursors, the answer 
 is, No, I think. But I'm not completely sure when one would run a recursor.

 Thanks for making something so simple and reliable. :)


 ___
 Pdns-users mailing list
 Pdns-users@mailman.powerdns.com
 http://mailman.powerdns.com/mailman/listinfo/pdns-users

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
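A toy version of the walk Loftis describes, as an added example that is not from the thread and not PowerDNS code: three constructed authoritative servers (documentation addresses, example.com) form an in-memory tree, and a recursor starts at its root hints, follows referrals down, caches the delegations it learns, and therefore reaches a second name under the same zone in one query instead of three. The server addresses, names and hop limit are this example's own.

```python
# Added example, not PowerDNS code: a toy iterative resolver showing what a
# recursor does for a name it has not cached. Data below is constructed.

ROOT_HINTS = {"a.root-servers.example.": "192.0.2.1"}   # hypothetical hint

# Constructed authoritative servers, keyed by IP (documentation ranges).
AUTH = {
    "192.0.2.1": {                      # "root": delegates com.
        "delegations": {"com.": {"a.gtld.example.": "198.51.100.1"}},
        "records": {},
    },
    "198.51.100.1": {                   # "com." server: delegates example.com.
        "delegations": {"example.com.": {"ns1.example.com.": "203.0.113.53"}},
        "records": {},
    },
    "203.0.113.53": {                   # authoritative for example.com.
        "delegations": {},
        "records": {
            ("www.example.com.", "A"): ["192.0.2.80"],
            ("mail.example.com.", "A"): ["192.0.2.25"],
        },
    },
}
MAX_HOPS = 10


def ask(server, qname, qtype):
    """What an authoritative server returns: data, a referral, or NXDOMAIN."""
    zone = AUTH[server]
    if (qname, qtype) in zone["records"]:
        return ("answer", zone["records"][(qname, qtype)])
    # longest matching delegation wins, as with a real referral
    for dzone in sorted(zone["delegations"], key=len, reverse=True):
        if qname == dzone or qname.endswith("." + dzone):
            return ("referral", dzone, zone["delegations"][dzone])
    return ("nxdomain", None)


class Recursor:
    def __init__(self):
        self.cache = {}          # (name, type) -> rdata
        self.delegations = {}    # zone -> {ns name: ip}, learned from referrals
        self.queries_sent = 0

    def _start_servers(self, qname):
        """Deepest cached delegation enclosing qname, else the root hints."""
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:]) + "."
            if zone in self.delegations:
                return self.delegations[zone]
        return ROOT_HINTS

    def resolve(self, qname, qtype="A"):
        """Return the rdata list, or None for NXDOMAIN."""
        if (qname, qtype) in self.cache:
            return self.cache[(qname, qtype)]
        servers = self._start_servers(qname)
        for _ in range(MAX_HOPS):
            server = next(iter(servers.values()))
            self.queries_sent += 1
            kind, *rest = ask(server, qname, qtype)
            if kind == "answer":
                self.cache[(qname, qtype)] = rest[0]
                return rest[0]
            if kind == "referral":
                zone, glue = rest
                self.delegations[zone] = glue   # remembered for later lookups
                servers = glue
                continue
            return None
        raise RuntimeError("referral loop while resolving %s" % qname)
```

The first lookup costs three queries (root, com, example.com); the second name under example.com costs one, because the delegation is already cached. A real recursor also honours TTLs, retries other servers in the NS set and validates that referrals are for a zone below the one it asked, none of which the toy does.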


[Pdns-users] Differing (incorrect) behavior in 2.9.21 for AAAA records versus 2.9.20...

2007-08-11 Thread Michael Loftis
In the presence of a *.domain.com CNAME, 2.9.21, when asked for a more 
specific A record responds appropriately with the A record when an A record 
exists, and NOERROR/no answer for an MX or whatever.  However, when asked 
for an AAAA record, it will respond with the splat/*.domain.com CNAME 
instead.  An example of this is barracuda.neit.edu, ns1.modwest.com is 
running 2.9.20, and ns2.modwest.com is running 2.9.21, ns2 responds 
incorrectly directing traffic to the wrong place.


Any idea when I can see a fix for this behavior?

--
Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds.
-- Samuel Butler
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
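The rule the report above relies on, as an added example that is not from the list and not PowerDNS code: under RFC 1034 a wildcard only matches names that do not exist in the zone, so an existing name that has an A record but no AAAA record must get NOERROR with an empty answer (NODATA), never the wildcard's CNAME. The same constructed zone layout also serves the dump at the top of this page, where record 228 puts a CNAME on the zone name itself (which is why 8.8.4.4 answers the SOA query with an alias): a CNAME may not sit beside other data at one owner, and cname_conflicts() flags owners where it does. Zone contents and names are constructed; a real server would also put the SOA in the authority section of a NODATA or NXDOMAIN reply.

```python
# Added example, not PowerDNS code: RFC 1034 sections 4.3.2/4.3.3 lookup
# semantics for wildcards, and the CNAME co-existence check. Data constructed.

ZONE = {
    "example.com.":      {"SOA": ["ns1.example.com. hostmaster.example.com. 1 3600 600 604800 300"],
                          "NS": ["ns1.example.com."]},
    "ns1.example.com.":  {"A": ["192.0.2.53"]},
    "host.example.com.": {"A": ["192.0.2.10"]},            # A present, no AAAA
    "*.example.com.":    {"CNAME": ["web.example.net."]},  # the "splat" CNAME
}

# The mistake in the page's dump, reproduced with example names: a CNAME at
# the apex next to the SOA and NS records.
BROKEN_APEX = {
    "example.com.":     {"SOA": ["ns1.example.com. hostmaster.example.com. 1 3600 600 604800 300"],
                         "NS": ["ns1.example.com."],
                         "CNAME": ["host.example.net."]},
    "www.example.com.": {"CNAME": ["host.example.net."]},
}


def name_exists(zone, name):
    """True if name is an owner in the zone or an empty non-terminal above one."""
    return name in zone or any(owner.endswith("." + name) for owner in zone)


def answer_from(node, owner, qtype):
    """Answer from one node: the requested type, else its CNAME, else NODATA."""
    if qtype in node:
        return "NOERROR", [(owner, qtype, rdata) for rdata in node[qtype]]
    if "CNAME" in node:
        return "NOERROR", [(owner, "CNAME", rdata) for rdata in node["CNAME"]]
    return "NOERROR", []      # NODATA: the name exists, the type does not


def lookup(zone, qname, qtype):
    """Return (rcode, answer section) for one question."""
    if name_exists(zone, qname):
        # An existing name is never matched by a wildcard, whatever the qtype.
        return answer_from(zone.get(qname, {}), qname, qtype)
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        encloser = ".".join(labels[i:])
        if name_exists(zone, encloser):          # closest encloser found
            wild = "*." + encloser
            if wild in zone:
                return answer_from(zone[wild], qname, qtype)
            return "NXDOMAIN", []                # no wildcard directly below it
    return "NXDOMAIN", []


def cname_conflicts(zone):
    """Owners carrying a CNAME next to other data, which RFC 1034 forbids."""
    return sorted(owner for owner, node in zone.items()
                  if "CNAME" in node and len(node) > 1)
```

Run against ZONE, an AAAA query for host.example.com. returns NODATA while the same query for www.example.com. (which does not exist) is synthesised from the wildcard; that is the 2.9.20 behaviour the report calls correct. Note also that a name below an existing name, such as x.host.example.com., is NXDOMAIN, not a wildcard match.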


Re: [Pdns-users] Re: How Do SPF records work in PDNS? (beginner)

2006-11-18 Thread Michael Loftis

--On November 18, 2006 11:27:26 AM -0800 Richard Vernooij 
[EMAIL PROTECTED] wrote:

I thought a PRT record is the same? Or do I misunderstand? Can you please
explain the difference, and what must I do in my case?


I am going to assume you mean PTR record.  PTRs really only occur in 
.in-addr.arpa zones.  They are for reverse DNS which is not SPF.  Many 
sites do require *VALID* reverse DNS nowadays though, which is very 
different from SPF (which I'll get to in a moment).  A *VALID* rDNS 
consists of a PTR in your provider's .in-addr.arpa zone, as well as a 
matching A record that it points to (PTR means PoinTeR).


SPF is simply a specially formatted TXT record associated with the sending 
domain which states which A, MX, or IP's can send mail on behalf of that 
domain.  If you've got people denying mail because of no SPF record well 
you don't want to send mail to them anyway.  SPF is seriously broken in the 
face of *many* everyday applications, including mailing lists, and remote 
dialup users.


Now if you *have* an SPF record (which again is *NOT* a type of DNS record 
at all, it's a TXT record) and that SPF record is *wrong* I can see some 
net.kook's denying mail based on that.

In my case several people do not get any mail, because their spam filter
blocks mail from our domains on our servers, due to reverse or SPF
settings. This is all I can understand from the error messages.


In my PowerAdmin there is no such thing as an SPF TYPE, only PRT / TXT etc.


I hope it is clear enough for you guys?

Please let me know.


thanks,

Richard.

Richard Vernooij wrote:

I seem to have a problem that many messages from a webserver or
emailserver do not arrive at certain places.

Now I found that the reason could be that I do not have SPF records
for reverse DNS.


SPF has _nothing_ to do with reverse DNS.


Now when i check
http://www.dnsreport.com/tools/dnsreport.ch?domain=domainname.com (after
a day with the real domain)

I still have a warning about not having an SPF record.


Well, then your domain does not have an SPF record.

Did you add a record of type SPF to your domain's zone?

--
Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds.
-- Samuel Butler
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
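The two checks Loftis separates, as an added example that is not from the thread and not PowerDNS code: forward-confirmed reverse DNS (a PTR under in-addr.arpa, or ip6.arpa for IPv6, whose target resolves back to the same address) and evaluation of the v=spf1 TXT record against a sending address. DNS data is a constructed in-memory table using documentation addresses and example names; only the a, mx, ip4/ip6 and all mechanisms are modelled, and include, redirect and exists are reported as permerror rather than followed, which is this example's simplification. One caveat on his "not a type of DNS record": RFC 4408 did define a type-99 SPF RR at the time, but RFC 7208 later dropped it, so the TXT form is the one receivers check.

```python
import ipaddress

# Added example, not PowerDNS code. Constructed DNS data, documentation
# addresses only: one domain with a correct setup, one address whose PTR
# points at a host that does not resolve back (fails forward confirmation).
DNS = {
    ("example.com.", "TXT"): ["v=spf1 a mx ip4:192.0.2.0/28 -all"],
    ("example.com.", "A"): ["192.0.2.10"],
    ("example.com.", "MX"): ["mail.example.com."],
    ("mail.example.com.", "A"): ["192.0.2.25"],
    ("25.2.0.192.in-addr.arpa.", "PTR"): ["mail.example.com."],
    ("99.2.0.192.in-addr.arpa.", "PTR"): ["imposter.example.org."],
    ("imposter.example.org.", "A"): ["203.0.113.7"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns=DNS):
    return dns.get((name, rtype), [])


def reverse_name(ip):
    """in-addr.arpa / ip6.arpa owner name for an address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns_ok(ip, dns=DNS):
    """Valid rDNS in Loftis's sense: a PTR whose target has an A back to ip."""
    for host in lookup(reverse_name(ip), "PTR", dns):
        if ip in lookup(host, "A", dns):
            return True
    return False


def spf_result(domain, sender_ip, dns=DNS):
    """Evaluate the domain's v=spf1 TXT record for sender_ip (RFC 7208 subset)."""
    records = [t for t in lookup(domain, "TXT", dns) if t.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"                 # more than one SPF record is an error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # version mismatch (v6 sender vs ip4 term) simply does not match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A", dns)
        elif mech == "mx":
            matched = any(str(ip) in lookup(mx, "A", dns)
                          for mx in lookup(arg or domain, "MX", dns))
        else:
            return "permerror"             # include/redirect/exists not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                       # nothing matched and no 'all' term
```

The point the example makes concrete: 192.0.2.99 has a PTR, but it is not *valid* rDNS because imposter.example.org does not resolve back to it, while SPF is decided entirely by the sending domain's TXT record and never consults reverse DNS at all.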