[Pdns-users] [LdapBackend] avoid writing PdnsDomainNotifiedSerial

2022-01-21 Thread Michael Ströder via Pdns-users
HI! I have a very tiny and simple setup of PowerDNS Authoritative server(s) 4.5.3 with LDAP backend using native OpenLDAP replication. Each pdns instance asks a single local LDAP server (via ldapi://). No need for AXFR or IXFR or anything similar fancy in this setup. Also no LDAP fail-over to

Re: [Pdns-users] Upgrading Auth Server directly from 4.1.14 to 4.4.1

2021-05-20 Thread Michael Ströder via Pdns-users
On 5/21/21 12:49 AM, Nikolaos Milas via Pdns-users wrote: > However, I am now trying to start the upgraded server and I get the > message (in journal): > >    Caught an exception instantiating a backend: launch= suffixes are >    not supported on the bindbackend > >

Re: [Pdns-users] Building for 32-bit platforms (was: PowerDNS Recursor 4.5.1 Released)

2021-05-11 Thread Michael Ströder via Pdns-users
On 5/11/21 7:22 PM, Otto Moerbeek wrote: > On Tue, May 11, 2021 at 07:01:08PM +0200, Michael Ströder via Pdns-users > wrote: >> Was support for running on 32-bit platforms dropped? > > Yes, as you can read further down below in the announcement. Arrgh! Missed that. Sorry fo

[Pdns-users] Building for 32-bit platforms (was: PowerDNS Recursor 4.5.1 Released)

2021-05-11 Thread Michael Ströder via Pdns-users
HI! Was support for running on 32-bit platforms dropped? configure fails with: configure: error: size of time_t is 4, which is not large enough to fix the y2k38 bug See build system: https://build.opensuse.org/package/show/home:stroeder:network/pdns-recursor Ciao, Michael. On 5/11/21 11:49

Re: [Pdns-users] RV: Fatal Error: Trying to set unknown parameter 'ldap-authmethod'

2021-02-19 Thread Michael Ströder via Pdns-users
On 2/19/21 10:31 AM, Dario García Díaz-Miguel via Pdns-users wrote: > I had to add to the /etc/openldap/ldap.conf the following parameter: > > SASL_MECH GSSAPI FYI: If you don't want to set this globally you can set env var LDAPRC or LDAPCONF to point to a service-specific ldap.conf. See the

Re: [Pdns-users] PowerDNS Recursor build fails on openSUSE Tumbleweed/Factory (gcc 10)

2020-09-09 Thread Michael Ströder via Pdns-users
On 9/9/20 11:48 AM, Otto Moerbeek via Pdns-users wrote: > On 2020-09-09 11:39, Otto Moerbeek via Pdns-users wrote: >> I do not know what I was doing when I previously looked at this, >> but this seems to be the minimal patch for the rel/rec-4.3.x branch. >> Can you check if it works for you? > > And

Re: [Pdns-users] PowerDNS Recursor build fails on openSUSE Tumbleweed/Factory (gcc 10)

2020-09-09 Thread Michael Ströder via Pdns-users
On 9/8/20 11:49 AM, Remi Gacogne via Pdns-users wrote: > On 9/8/20 11:39 AM, Michael Ströder via Pdns-users wrote: > >> Currently building PowerDNS Recursor fails building on openSUSE >> Tumbleweed/Factory: > > It's an issue caused by Boost >= 1.73, see [1]. We

[Pdns-users] PowerDNS Recursor build fails on openSUSE Tumbleweed/Factory (gcc 10)

2020-09-08 Thread Michael Ströder via Pdns-users
HI! Currently building PowerDNS Recursor fails building on openSUSE Tumbleweed/Factory: https://build.opensuse.org/package/live_build_log/home:stroeder:branches:server:dns/pdns-recursor/openSUSE_Tumbleweed/x86_64 Note that openSUSE Tumbleweed/Factory uses gcc version 10.2.1 20200825 [revision

Re: [Pdns-users] why CAP_CHOWN?

2020-05-16 Thread Michael Ströder via Pdns-users
On 5/16/20 10:25 PM, bert hubert wrote: > On Sat, May 16, 2020 at 08:42:21PM +0200, Michael Ströder via Pdns-users > wrote: >> But I wonder why CAP_CHOWN is set in CapabilityBoundingSet= and >> AmbientCapabilities= and I could not find a reason in the git history of >>

[Pdns-users] why CAP_CHOWN?

2020-05-16 Thread Michael Ströder via Pdns-users
HI! I appreciate that pdns/recursordist/pdns-recursor.service.in already contains some of systemd's hardening options. But I wonder why CAP_CHOWN is set in CapabilityBoundingSet= and AmbientCapabilities= and I could not find a reason in the git history of that file. It seems to run without that

Re: [Pdns-users] pdns-recursor Permissions Error

2020-01-07 Thread Michael Ströder
On 1/7/20 3:00 PM, Sharone Bakara wrote: > On 7 Jan 2020, at 16:55, Remi Gacogne wrote: >> On 1/7/20 2:41 PM, Sharone wrote: >>> '/var/run/pdns-recursor': Permission denied"* >> I'm not sure of what your SNMP setup is, but it looks like the user >> invoking rec_control does not have the rights

Re: [Pdns-users] Log all zone changes

2019-09-27 Thread Michael Ströder
On 9/27/19 8:30 PM, Vitali Quiering via Pdns-users wrote: > I just started using PowerDNS Authoritative Server recently and got > to the point where I need all changes logged. Is there an option I > missed? If there is none: How do you log your changes? Probably not exactly the answer you're

Re: [Pdns-users] Meltdown impact on PowerDNS/dnsdist

2018-01-06 Thread Michael Ströder
bert hubert wrote: > We have done some very tentative measurements on the Linux Meltdown > workaround & impact on DNS performance. Besides the performance impact of the "fixes" doesn't this mean that people should stop doing DNSSEC signing on-the-fly on the authoritative server and move DNSSEC

Re: [Pdns-users] Question about logging changes

2017-11-28 Thread Michael Ströder
Dirk Bartley wrote: > You could log the who of who is logged into the database, but if the database > connection is done from a front end, it would always be the users the front > end > connects to the database as.  But if you have a front end, just manage it by > who > is logged into the Front

Re: [Pdns-users] Question about logging changes

2017-11-28 Thread Michael Ströder
Dirk Bartley wrote: > I have been asked to look at some options for assisting my employer to > alter the way our internal dns is served.  One of the features being > requested is the ability to log the who, what and when of all changes > to the data that dns is serving.  Of course when I search

Re: [Pdns-users] GUI with LDAP backend ?

2017-05-15 Thread Michael Ströder
r0m5 wrote: > So here is my question : what do you think would be a convenient way to > manage zone and > records using the LDAP backend ? How do you guys proceed ? For managing DNS zones in a pdns LDAP backend I've added some plugin classes to my own client: https://web2ldap.de/ Be warned it's

Re: [Pdns-users] pdns-ldap <-> Rudder-ldap

2016-11-15 Thread Michael Ströder
StanC wrote: > Is there a method of translating the ldap schema that Rudder uses for > its node inventory and using this in a pdns ldap backend? More or less you're asking for same feature like me: https://github.com/PowerDNS/pdns/issues/1832 > I had this fantasy that one could connect to

Re: [Pdns-users] [Pdns-announce] PowerDNS Authoritative Server 4.0.0 released

2016-07-11 Thread Michael Ströder
Pieter Lexis wrote: > * A revived and supported LDAP backend (ldap). Thanks! :-) Ciao, Michael.

Re: [Pdns-users] DNSSEC, pdns-recursor and libunbound

2015-04-25 Thread Michael Ströder
l...@consolejunkie.net wrote: On 2015-04-24 21:35, Michael Ströder wrote: Michael Ströder wrote: We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs retrieved through a pdns-recursor (also tested 3.7.2). It seems that 1. libunbound does not explicitly retrieve

[Pdns-users] DNSSEC, pdns-recursor and libunbound

2015-04-24 Thread Michael Ströder
HI! We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs retrieved through a pdns-recursor (also tested 3.7.2). It seems that 1. libunbound does not explicitly retrieve the RRSIG RRs and 2. pdns-recursor does not return them when not explicitly requested (qtype

Re: [Pdns-users] DNSSEC, pdns-recursor and libunbound

2015-04-24 Thread Michael Ströder
Michael Ströder wrote: We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs retrieved through a pdns-recursor (also tested 3.7.2). It seems that 1. libunbound does not explicitly retrieve the RRSIG RRs and 2. pdns-recursor does not return them when not explicitly

[Pdns-users] LargeScaleDNSSECBCP / versions

2015-04-16 Thread Michael Ströder
HI! It seems this wiki page mentions rather old pdns versions: http://wiki.powerdns.com/trac/wiki/LargeScaleDNSSECBCP Are there more recent insights to consider regarding versions? Especially when thinking about pdns upgrade 3.3.x - 3.4.1 for DNSSEC? Ciao, Michael.

Re: [Pdns-users] Configure private subdomain

2015-03-28 Thread Michael Ströder
Nikolaos Milas wrote: If you managed to set up this demo (Split-DNS with powerdns and LDAP-Backend) for the Linux-Tage, could you please post this work here or a link to a page where it is available? Basically it boils down to this ACL: access to dn.subtree=cn=pdns,ou=services,ou=infra-dir

Re: [Pdns-users] Configure private subdomain

2015-03-04 Thread Michael Ströder
Nikolaos Milas wrote: On 3/3/2015 2:44 μμ, Nikolaos Milas wrote: Ideally, we would like pdns to be configured to reply to requests *for particular names* (under a specific subdomain, say internal.example.com) by only providing records (if available, otherwise no results) and hide A

Re: [Pdns-users] Slave DNSKeys

2015-03-02 Thread Michael Ströder
Peter van Dijk wrote: (2) it looks like your RRSIGs and KSK DNSKEY on the slave are truncated; we recommend increasing the size of the ‘content’ column in the records table (see our upgrade notes https://doc.powerdns.com/md/authoritative/upgrading/ ) (Sigh!) I really wonder why the LDAP

Re: [Pdns-users] ANY+Reflection Attacks?

2015-02-25 Thread Michael Ströder
Ciro Iriarte wrote: 2015-02-24 17:49 GMT-03:00 Ciro Iriarte cyru...@gmail.com: Hi!, I'm seeing a lot of messages of type Timeout from remote TCP client 10.XXX.XXX.XXX, it seems to be an attack given we have any-to-tcp = yes. Is this usual?, is there any way to identify the attackers?. The

[Pdns-users] DNS names and strings (was: PowerDNS development plans: 4.x DNSSEC, C++ 2011!)

2015-02-23 Thread Michael Ströder
bert hubert wrote: In this post, we’d like to share our current plans for .. PowerDNS 4.x! Glad to read all your plans. * We treat DNS names as ASCII strings, which we escape and unescape repeatedly. DNS names are not ascii strings, and we keep finding issues related to us

Re: [Pdns-users] Currently using distro packages, want to update

2015-02-12 Thread Michael Ströder
Nick Williams wrote: I try to always use software packages from my distro package managers (OpenSUSE zypper and CentOS yum) when I can, because it's easier and it resolves all my dependencies for me. But my distro Which is your distro? Vendor and exact version number? For openSUSE I'm

Re: [Pdns-users] DNSSEC with LDAP backend

2015-01-17 Thread Michael Ströder
Jan-Piet Mens wrote: Would it be possible to set up an authoritative PowerDNS server with DNSSEC support using the LDAP backend? The LDAP back-end doesn't support DNSSEC. I'm aware that the LDAP back-end is not fully supported. Let me be more precise: I don't need auto-signing or support by

[Pdns-users] DNSSEC with LDAP backend

2015-01-16 Thread Michael Ströder
HI! Would it be possible to set up an authoritative PowerDNS server with DNSSEC support using the LDAP backend? Do I have to extend some DNSSEC-related RRs in the list ldap_attrany in file modules/ldapbackend/ldapbackend.hh ? As it seems to me the attribute name is derived from qtype name string and

[Pdns-users] RFE LDAP backend: Filter template

2014-10-18 Thread Michael Ströder
HI! I know that the LDAP backend is not very high on the list of powerdns development. But I'd like to propose a small enhancement which would make some unusual LDAP-related setups easier. Simple new config item 'ldap-filter-template': Default: ldap-filter-template = '(associatedDomain={0})'

[Pdns-users] Security of DNSSEC signing (was: New to PowerDNS)

2014-06-26 Thread Michael Ströder
k...@rice.edu wrote: On Thu, Jun 26, 2014 at 10:21:06PM +0100, Jorge Bastos wrote: For the DNSSEC part, is there a way to create the DNSSEC information just by SQL ? If not, the solution is to run pdnssec secure-zone ZONE in a loop on a cron script, am I right? I do not know about a SQL

Re: [Pdns-users] PowerDNS 3.0: Can't deal with multi-part NSEC mappings yet

2013-09-25 Thread Michael Ströder
Fredrik Roubert wrote: My ISP is running a slave DNS service, using PowerDNS 3.0 as this is the version included in Ubuntu 12.04 LTS. I've already read this post, about DNSSEC in 3.0 being explicitly deprecated: http://mailman.powerdns.com/pipermail/pdns-users/2012-July/009099.html

Re: [Pdns-users] Installing PDNS Server on Raspberry Pi (weezy)

2013-08-16 Thread Michael Ströder
Marc Haber wrote: pdns-users is an English-language mailing list. On Fri, Aug 16, 2013 at 10:09:44AM +0200, abang wrote: but I need one for Debian on Raspberry Pi. I don't know where you can get a ready-made binary for armv6l. But you could try compiling it yourself.

Re: [Pdns-users] turn off all type of caching in pdns-recursor

2013-06-19 Thread Michael Ströder
Posner, Sebastian wrote: CMIIW, but I understand Alex doesn't want to monitor _his_ authoritative nameservers' performance/availability, but that of the resolver his upstream provides him with, and/or get a general heatmap of the state of DNS on teh intartubes. Whilst for monitoring _your_

Re: [Pdns-users] turn off all type of caching in pdns-recursor

2013-06-19 Thread Michael Ströder
Michael Ströder wrote: Posner, Sebastian wrote: CMIIW, but I understand Alex doesn't want to monitor _his_ authoritative nameservers' performance/availability, but that of the resolver his upstream provides him with, and/or get a general heatmap of the state of DNS on teh intartubes. Whilst

Re: [Pdns-users] pdns-recursor: Block domains

2013-04-27 Thread Michael Ströder
Peter van Dijk wrote: On Apr 26, 2013, at 18:57 , Michael Ströder wrote: What's the simplest and hopefully efficient way to block domains from being resolved by pdns-recursor? I'd like just NXDOMAIN to be returned for all RRs in unwanted domains. Like JP said, Lua is a very good

[Pdns-users] pdns-recursor: Block domains

2013-04-26 Thread Michael Ströder
HI! What's the simplest and hopefully efficient way to block domains from being resolved by pdns-recursor? I'd like just NXDOMAIN to be returned for all RRs in unwanted domains. Ciao, Michael.