[Pdns-users] [LdapBackend] avoid writing PdnsDomainNotifiedSerial
HI!

I have a very tiny and simple setup of PowerDNS Authoritative server(s) 4.5.3 with LDAP backend using native OpenLDAP replication. Each pdns instance asks a single local LDAP server (via ldapi://). No need for AXFR or IXFR or anything similar fancy in this setup. Also no LDAP fail-over to multiple replicas.

pdns tries to write attribute PdnsDomainNotifiedSerial even though it is IMHO not needed in my setup. It fails because the LDAP server is deliberately configured to not allow write access from the pdns service. Also a pure read-only consumer replica does not accept write operations.

Which configuration setting can I tweak to suppress writing PdnsDomainNotifiedSerial?

Many thanks in advance.

Ciao, Michael.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Upgrading Auth Server directly from 4.1.14 to 4.4.1
On 5/21/21 12:49 AM, Nikolaos Milas via Pdns-users wrote:
> However, I am now trying to start the upgraded server and I get the
> message (in journal):
>
> Caught an exception instantiating a backend: launch= suffixes are
> not supported on the bindbackend
>
> launch=ldap:bkend1,bind:bkend2

This just works:

launch=ldap:bkend1,bind

Do you really need the launch suffix 'bkend2' for the bindbackend parameters?

Ciao, Michael.
Re: [Pdns-users] Building for 32-bit platforms (was: PowerDNS Recursor 4.5.1 Released)
On 5/11/21 7:22 PM, Otto Moerbeek wrote:
> On Tue, May 11, 2021 at 07:01:08PM +0200, Michael Ströder via Pdns-users
> wrote:
>> Was support for running on 32-bit platforms dropped?
>
> Yes, as you can read further down below in the announcement.

Arrgh! Missed that. Sorry for the noise.

Ciao, Michael.
[Pdns-users] Building for 32-bit platforms (was: PowerDNS Recursor 4.5.1 Released)
HI!

Was support for running on 32-bit platforms dropped?

configure fails with:

configure: error: size of time_t is 4, which is not large enough to fix the y2k38 bug

See build system:
https://build.opensuse.org/package/show/home:stroeder:network/pdns-recursor

Ciao, Michael.

On 5/11/21 11:49 AM, Otto Moerbeek via Pdns-users wrote:
> Hello!
>
> We are proud to announce the release of PowerDNS Recursor 4.5.1.
> Compared to the release candidate, this release contains two bug fixes.
> Note that 4.5.0 was never released publicly, since an issue was found
> during QA.
Re: [Pdns-users] RV: Fatal Error: Trying to set unknown parameter 'ldap-authmethod'
On 2/19/21 10:31 AM, Dario García Díaz-Miguel via Pdns-users wrote:
> I had to add to the /etc/openldap/ldap.conf the following parameter:
>
> SASL_MECH GSSAPI

FYI: If you don't want to set this globally you can set env var LDAPRC or LDAPCONF to point to a service-specific ldap.conf. See the details in man-page ldap.conf(5).

> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (No Kerberos credentials available (default cache: /tmp/krb5cc_0)
> )
> [LDAP GSSAPI] ldap_sasl_interactive_bind_s returned -2
> [LDAP GSSAPI] No TGT found, trying to acquire a new one
> [LDAP GSSAPI] krb5 error when getting the TGT: Address family not supported
> by protocol

Do you have a correctly configured /etc/krb5.conf? Again you can point to a service-specific Kerberos config with env var KRB5_CONFIG.

Also check ownership and permissions of your keytab file whether pdns can read it. I'd also check whether it works to get a TGT with the keytab for the expected client principal name. Assuming you're running pdns as user pdns:

runuser -u pdns kinit -t /etc/pdns.keytab pdns-service-princi...@realm.example.com

I don't have a kerberized setup so all of the above is just from memory.

Ciao, Michael.
Re: [Pdns-users] PowerDNS Recursor build fails on openSUSE Tumbleweed/Factory (gcc 10)
On 9/9/20 11:48 AM, Otto Moerbeek via Pdns-users wrote:
> On 2020-09-09 11:39, Otto Moerbeek via Pdns-users wrote:
>> I do not know what I was doing when I previously looked at this,
>> but this seems to be the minimal patch for the rel/rec-4.3.x branch.
>> Can you check if it works for you?
>
> And now with the correct version of the diff, sorry.

Another package maintainer already applied a back-port patch and it seems to build:

https://build.opensuse.org/package/show/server:dns/pdns-recursor

Could you please check whether that's the correct one?

It's tracked downstream here:
https://bugzilla.opensuse.org/show_bug.cgi?id=1176312

Ciao, Michael.
Re: [Pdns-users] PowerDNS Recursor build fails on openSUSE Tumbleweed/Factory (gcc 10)
On 9/8/20 11:49 AM, Remi Gacogne via Pdns-users wrote:
> On 9/8/20 11:39 AM, Michael Ströder via Pdns-users wrote:
>
>> Currently building PowerDNS Recursor fails building on openSUSE
>> Tumbleweed/Factory:
>
> It's an issue caused by Boost >= 1.73, see [1]. We should probably
> backport that patch, at least to 4.3.x, but we have not done so yet.
>
> [1]: https://github.com/PowerDNS/pdns/pull/9070

Thanks for your quick answer.

It seems also pdns auth is affected. Any chance to get fixed releases? Or should package maintainers apply back-port patches?

Ciao, Michael.
[Pdns-users] PowerDNS Recursor build fails on openSUSE Tumbleweed/Factory (gcc 10)
HI!

Currently building PowerDNS Recursor fails building on openSUSE Tumbleweed/Factory:

https://build.opensuse.org/package/live_build_log/home:stroeder:branches:server:dns/pdns-recursor/openSUSE_Tumbleweed/x86_64

Note that openSUSE Tumbleweed/Factory uses

gcc version 10.2.1 20200825 [revision c0746a1beb1ba073c7981eb09f55b3d993b32e5c] (SUSE Linux)

As you can see it builds on openSUSE Leap:

https://build.opensuse.org/package/show/home:stroeder:branches:server:dns/pdns-recursor

Is this an issue with newer gcc?

Ciao, Michael.
Re: [Pdns-users] why CAP_CHOWN?
On 5/16/20 10:25 PM, bert hubert wrote:
> On Sat, May 16, 2020 at 08:42:21PM +0200, Michael Ströder via Pdns-users
> wrote:
>> But I wonder why CAP_CHOWN is set in CapabilityBoundingSet= and
>> AmbientCapabilities= and I could not find a reason in the git history of
>> that file.
>
> We chown the UNIX domain control socket to the 'setgid' and 'setuid'
> setting.
>
> This is likely why we need CAP_CHOWN.

It seems to create the control socket just fine because the User= and Group= are set:

srwxr-xr-x 1 pdns pdns 0 May 16 22:39 /run/pdns-recursor/pdns_recursor.controlsocket=

Anything more I could test to ensure that it's safe to remove CAP_CHOWN?

Ciao, Michael.
[Pdns-users] why CAP_CHOWN?
HI!

I appreciate that pdns/recursordist/pdns-recursor.service.in already contains some of systemd's hardening options.

But I wonder why CAP_CHOWN is set in CapabilityBoundingSet= and AmbientCapabilities= and I could not find a reason in the git history of that file. It seems to run without that capability.

Ciao, Michael.
Re: [Pdns-users] pdns-recursor Permissions Error
On 1/7/20 3:00 PM, Sharone Bakara wrote:
> On 7 Jan 2020, at 16:55, Remi Gacogne wrote:
>> On 1/7/20 2:41 PM, Sharone wrote:
>>> '/var/run/pdns-recursor': Permission denied"*
>> I'm not sure of what your SNMP setup is, but it looks like the user
>> invoking rec_control does not have the rights to create a new file in
>> /var/run/pdns-recursor. What happens if you invoke the rec_control
>> command directly as the 'pdns' user?
>
> I get the same error as when I run it root.

Whenever "permissions denied" happens while running an action as root I'd check whether SELinux or AppArmor blocks some access.
=> check your audit log (assuming you're running auditd)

Ciao, Michael.
Re: [Pdns-users] Log all zone changes
On 9/27/19 8:30 PM, Vitali Quiering via Pdns-users wrote:
> I just started using PowerDNS Authoritative Server recently and got
> to the point where I need all changes logged. Is there an option I
> missed? If there is none: How do you log your changes?

Probably not exactly the answer you're looking for:

I'm using PowerDNS with LDAP backend and write operations to OpenLDAP server(s) are logged with accesslog overlay. My personal setup is very small but the components should easily scale up.

Ciao, Michael.
Re: [Pdns-users] Meltdown impact on PowerDNS/dnsdist
bert hubert wrote:
> We have done some very tentative measurements on the Linux Meltdown
> workaround & impact on DNS performance.

Besides the performance impact of the "fixes" doesn't this mean that people should stop doing DNSSEC signing on-the-fly on the authoritative server and move DNSSEC signing to isolated systems?

Ciao, Michael.
Re: [Pdns-users] Question about logging changes
Dirk Bartley wrote:
> You could log the who of who is logged into the database, but if the database
> connection is done from a front end, it would always be the users the front end
> connects to the database as. But if you have a front end, just manage it by who
> is logged into the Front end.

Depends on the frontend. If it lets the user impersonate as personal user account on the DB connection you get the real who.

It would be nice if the PowerDNS API would have a config option like "connect-as-user" to avoid using a hard-coded API password/key. In this case you could also let the database backend enforce access control even for API requests.

Ciao, Michael.
Re: [Pdns-users] Question about logging changes
Dirk Bartley wrote:
> I have been asked to look at some options for assisting my employer to
> alter the way our internal dns is served. One of the features being
> requested is the ability to log the who, what and when of all changes
> to the data that dns is serving. Of course when I search for change
> logging, I get the change logs of the code. Would there be a better
> phrase than "change log" to search for. Is this the kind of feature
> that already exists, or is this the kind of feature that would be
> better accomplished by writing a front end that we would force everyone
> here to use that does the update. We are considering using LDAP as a
> backend for the dns service.

How do you plan to maintain the data?

E.g. if you're using LDAP server as backend *and* you're going to maintain the data via LDAP it more boils down how to audit write operations on the LDAP server. And this depends on the features of the LDAP server you're planning to use.

Personally I love accesslog overlay (originally implemented for delta-replication) in OpenLDAP because it automagically gives you a perfect audit trail in a separate database.

Ciao, Michael.
Re: [Pdns-users] GUI with LDAP backend ?
r0m5 wrote:
> So here is my question : what do you think would be a convenient way to
> manage zone and
> records using the LDAP backend ? How do you guys proceed ?

For managing DNS zones in a pdns LDAP backend I've added some plugin classes to my own client:

https://web2ldap.de/

Be warned it's still not an ideal DNS UI. But once you get used to it it's IMHO not much worse than poweradmin. (You can contact me off-list if you have issues installing/using it.)

Hmm, so far I did not see an intuitive DNS management UI anyway. I guess it's the generic flexibility of DNS RRs which put so much burden on the UI.

Ciao, Michael.
Re: [Pdns-users] pdns-ldap <-> Rudder-ldap
StanC wrote:
> Is there a method of translating the ldap schema that Rudder uses for
> its node inventory and using this in a pdns ldap backend?

More or less you're asking for same feature like me:
https://github.com/PowerDNS/pdns/issues/1832

> I had this fantasy that one could connect to Rudder's ldap server from
> pdns and use it directly as a backend, but I cannot imagine that the
> schemas could possibly align

For tight integration with my Æ-DIR I plan to use the remote-backend:

https://doc.powerdns.com/md/authoritative/backend-remote/
http://jpmens.net/2015/11/03/powerdns-with-the-remote-back-end-and-dnssec/

Ciao, Michael.
Re: [Pdns-users] [Pdns-announce] PowerDNS Authoritative Server 4.0.0 released
Pieter Lexis wrote:
> * A revived and supported LDAP backend (ldap).

Thanks! :-)

Ciao, Michael.
Re: [Pdns-users] DNSSEC, pdns-recursor and libunbound
l...@consolejunkie.net wrote:

On 2015-04-24 21:35, Michael Ströder wrote:

Michael Ströder wrote:

We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs retrieved through a pdns-recursor (also tested 3.7.2). It seems that
1. libunbound does not explicitly retrieve the RRSIG RRs and
2. pdns-recursor does not return them when not explicitly requested (qtype ANY). (Explicitly requesting RRSIG works.)
=> validation in libunbound fails

Did further testing with python-unbound (thin wrapper module on top of libunbound) with simple script almost equal to this:
http://www.unbound.net/documentation/pyunbound/examples/example4.html

Looking at PCAP dumps with Wireshark the requests sent by libunbound contain the DO bit:

1... = DO bit: Accepts DNSSEC security RRs

It seems to me that unbound and Google's 8.8.8.8 therefore return RRSIG RRs while pdns-recursor does not. I have to admit that looking at [1] rather confuses me. ;-)

Sniffing the out-going requests sent by pdns-recursor the DO bit is missing. Obviously the DNS servers then do not respond with RRSIG RRs.

Ciao, Michael.

[1] http://tools.ietf.org/html/rfc4035#section-3.2.1

It's too bad nobody replied to you yet.

Given my last posting was late in the evening your response is pretty quick. :-)

Let me tell how it is: The DO-bit in the request to the recursor means: please include DNSSEC information.

Yes.

Then if the recursor you are requesting it from does validation and it fails it will return an error similar to domain not found.

Actually I'm using python-unbound (mainly libunbound) for the validation but would like to use the existing pdns-recursor for simply retrieving the RRs. But since the DO bit is not forwarded it does not get the RRSIG RRs back and returns the result with validation status bogus.

http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/

If I understand correctly the PowerDNS developers have put in some of the time to add DNSSEC to their recursor but it isn't done yet.

Already saw this blog article before. I'm looking forward to pdns-recursor 4.x because I like its logging more than that of other recursors.

In the past I've requested from the PowerDNS developers, would it be possible to at least include the DNSSEC-information so Unbound do the validation. I told them you can leave the validation out of PowerDNS-recursor, I care less about that. The answer I got was: The validation is in comparison the easy part, changing the recursor to return the DNSSEC-information is more work.

Hmm, but if explicitly requested in the query pdns-recursor does actually retrieve the RRSIG RRs. Wouldn't it be possible to also send the DO bit in the out-going query if the incoming query had it set?

Ciao, Michael.
[Pdns-users] DNSSEC, pdns-recursor and libunbound
HI!

We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs retrieved through a pdns-recursor (also tested 3.7.2). It seems that
1. libunbound does not explicitly retrieve the RRSIG RRs and
2. pdns-recursor does not return them when not explicitly requested (qtype ANY). (Explicitly requesting RRSIG works.)
=> validation in libunbound fails

Did anybody else try such a setup before? Did it work?

Most people doing DNSSEC validation simply use bind9 or unbound for recursing and as validating resolver but for now that's likely not an option in this infrastructure.

Any hint is appreciated. Thanks in advance.

Ciao, Michael.
Re: [Pdns-users] DNSSEC, pdns-recursor and libunbound
Michael Ströder wrote:

We're currently testing DNSSEC validation with libunbound 1.5.3 with all the RRs retrieved through a pdns-recursor (also tested 3.7.2). It seems that
1. libunbound does not explicitly retrieve the RRSIG RRs and
2. pdns-recursor does not return them when not explicitly requested (qtype ANY). (Explicitly requesting RRSIG works.)
=> validation in libunbound fails

Did further testing with python-unbound (thin wrapper module on top of libunbound) with simple script almost equal to this:
http://www.unbound.net/documentation/pyunbound/examples/example4.html

Looking at PCAP dumps with Wireshark the requests sent by libunbound contain the DO bit:

1... = DO bit: Accepts DNSSEC security RRs

It seems to me that unbound and Google's 8.8.8.8 therefore return RRSIG RRs while pdns-recursor does not. I have to admit that looking at [1] rather confuses me. ;-)

Sniffing the out-going requests sent by pdns-recursor the DO bit is missing. Obviously the DNS servers then do not respond with RRSIG RRs.

Ciao, Michael.

[1] http://tools.ietf.org/html/rfc4035#section-3.2.1
[Pdns-users] LargeScaleDNSSECBCP / versions
HI!

It seems this wiki page mentions rather old pdns versions:

http://wiki.powerdns.com/trac/wiki/LargeScaleDNSSECBCP

Are there more recent insights to consider regarding versions? Especially when thinking about pdns upgrade 3.3.x - 3.4.1 for DNSSEC?

Ciao, Michael.

--
Michael Ströder
E-Mail: mich...@stroeder.com
http://www.stroeder.com
Re: [Pdns-users] Configure private subdomain
Nikolaos Milas wrote:

If you managed to set up this demo (Split-DNS with powerdns and LDAP-Backend) for the Linux-Tage, could you please post this work here or a link to a page where it is available?

Basically it boils down to this ACL:

access to dn.subtree=cn=pdns,ou=services,ou=infra-dir filter=(objectClass=dNSDomain2)
    by set=user/memberOf this/seeAlso read
    by * none

Attribute 'seeAlso' contains DN(s) of group entries of service accounts of powerdns instances.

Could not extensively test it though due to time constraints. And a nicer schema for not (ab)using attribute 'seeAlso' would be better.

Ciao, Michael.
Re: [Pdns-users] Configure private subdomain
Nikolaos Milas wrote:

On 3/3/2015 2:44 PM, Nikolaos Milas wrote:

Ideally, we would like pdns to be configured to reply to requests *for particular names* (under a specific subdomain, say internal.example.com) by only providing records (if available, otherwise no results) and hide A records. This way we could specify (for names under a specific domain), A records which will contain a Private IP Address, so as to not be visible to the Internet but only locally.

Corrections/Clarifications:

Ideally, we would like pdns to be configured to reply to requests *for particular names* (under a specific subdomain, say internal.example.com) by only providing records (if available, otherwise no results) and hide A records to all requests, except to those from our own networks (as would be configured), to which full replies would be provided. This way we could specify (for names under a specific domain), A records which will contain a Private IP Address, so as to not be visible to the Internet but only locally (to our own networks, which would be specified explicitly).

This sounds a bit like a special case for split horizon DNS. I promised to configure a demo using powerdns with LDAP backend for this based on OpenLDAP ACLs and several powerdns instances using different LDAP identities. Feel free to come here and ask whether I managed to get it working in time:

https://chemnitzer.linux-tage.de/2015/en/programm/beitrag/134

Ciao, Michael.
Re: [Pdns-users] Slave DNSKeys
Peter van Dijk wrote:

(2) it looks like your RRSIGs and KSK DNSKEY on the slave are truncated; we recommend increasing the size of the ‘content’ column in the records table (see our upgrade notes https://doc.powerdns.com/md/authoritative/upgrading/ )

(Sigh!) I really wonder why the LDAP backend is not improved to support DNSSEC. It's so much easier to set up an LDAP server with multi-master and two-tier replication than a MySQL server. And attributes are of variable length by default.

Ciao, Michael.
Re: [Pdns-users] ANY+Reflection Attacks?
Ciro Iriarte wrote:

2015-02-24 17:49 GMT-03:00 Ciro Iriarte cyru...@gmail.com:

Hi!, I'm seeing a lot of messages of type Timeout from remote TCP client 10.XXX.XXX.XXX, it seems to be an attack given we have any-to-tcp = yes. Is this usual?, is there any way to identify the attackers?. The service is working fine and we have in our roadmap constant packet capture for data mining but I find this behaviour new/interesting today :)

Any comments?

Regards,

Well, never mind. After all, those are legitimate clients and there seems to be a firewall with connection tracking issues. What's unexpected to me is having TCP requests, I was expecting only UDP traffic from end users.

DNSSEC used?

Ciao, Michael.
[Pdns-users] DNS names and strings (was: PowerDNS development plans: 4.x DNSSEC, C++ 2011!)
bert hubert wrote:

In this post, we’d like to share our current plans for .. PowerDNS 4.x!

Glad to read all your plans.

* We treat DNS names as ASCII strings, which we escape and unescape repeatedly. DNS names are not ascii strings, and we keep finding issues related to us treating them like strings.

Unfortunately the term string is used in many different ways. Could you please elaborate on what that means exactly? E.g. will this affect the way NON-ASCII DNS names are stored in backend files?

Ciao, Michael.
Re: [Pdns-users] Currently using distro packages, want to update
Nick Williams wrote:

I try to always use software packages from my distro package managers (OpenSUSE zypper and CentOS yum) when I can, because it's easier and it resolves all my dependencies for me. But my distro

Which is your distro? Vendor and exact version number?

For openSUSE I'm trying to keep up with powerdns releases and my submissions most times end up here pretty soon:

https://build.opensuse.org/package/show/server:dns/pdns (currently pdns-3.4.2)
https://build.opensuse.org/package/show/server:dns/pdns-recursor (currently pdns-recursor-3.6.2, 3.7.1 is in my home project but not built yet)

Sooner or later this will be passed downstream in openSUSE Factory for the next openSUSE release.

You can see here which platforms are enabled for default builds:
https://build.opensuse.org/project/repositories/server:dns

There you will also find the direct download links to zypper repo for your openSUSE version.

In my OBS home project I'm also building openSUSE Factory_ARM for running the packages on Raspberry Pi.

Ciao, Michael.
Re: [Pdns-users] DNSSEC with LDAP backend
Jan-Piet Mens wrote:

Would it be possible to set up an authoritative PowerDNS server with DNSSEC support using the LDAP backend?

The LDAP back-end doesn't support DNSSEC.

I'm aware that the LDAP back-end is not fully supported.

Let me be more precise: I don't need auto-signing or support by other PowerDNS tools. I'd implement generating DNSSEC related RRs with own custom scripts writing LDAP entries. All I need is that powerdns delivers the RRs needed for DNSSEC read from LDAP entries.

Is that possible?

Ciao, Michael.
[Pdns-users] DNSSEC with LDAP backend
HI!

Would it be possible to set up an authoritative PowerDNS server with DNSSEC support using the LDAP backend?

Do I have to extend some DNSSEC-related RRs in the list ldap_attrany in file modules/ldapbackend/ldapbackend.hh ? As it seems to me the attribute name is derived from qtype name string and not from content of ldap_attrany if qtype is set.

Ciao, Michael.
[Pdns-users] RFE LDAP backend: Filter template
HI!

I know that the LDAP backend is not very high on the list of powerdns development. But I'd like to propose a small enhancement which would make some unusual LDAP-related setups easier.

Simple new config item 'ldap-filter-template':

Default:
ldap-filter-template = '(associatedDomain={0})'

Which could be replaced when using DHCP server with LDAP backend by:
ldap-filter-template = '((objectClass=)(dhcpAssignedHostName={0}))'

Even more nice would be a configurable filter map. The {} syntax is inspired by Python's string formatting syntax only used as example.

Of course I can use the pipe-backend to implement whatever is needed for LDAP integration.

Ciao, Michael.
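
How such a filter template could be expanded safely, as an added example that is not part of the original post and not PowerDNS code: `ldap-filter-template` is only the option proposed in the message, and the function names below are hypothetical. The query name comes from the network, so it is escaped per RFC 4515 before substitution, and the template is restricted to the plain `{0}` placeholder so that Python's format syntax cannot be used for attribute or index access.

```python
import string

# Default template taken from the proposal above.
DEFAULT_TEMPLATE = "(associatedDomain={0})"

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string so it is a literal assertion value, never filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def validate_template(template):
    """Accept only balanced filters whose placeholders are exactly '{0}'."""
    placeholders = 0
    depth = 0
    # Formatter.parse() raises ValueError itself on malformed braces.
    for literal, field, spec, conversion in string.Formatter().parse(template):
        for ch in literal:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth < 0:
                    raise ValueError("unbalanced parentheses in template")
        if field is None:
            continue
        # Rejects {name}, {0.attr}, {0[key]}, {0!r} and {0:>10}.
        if field != "0" or spec or conversion:
            raise ValueError("only the plain {0} placeholder is allowed")
        placeholders += 1
    if depth != 0 or not template.startswith("("):
        raise ValueError("template is not a parenthesised LDAP filter")
    if placeholders == 0:
        raise ValueError("template has no {0} placeholder")


def render_filter(template, qname):
    """Return the LDAP search filter for one DNS query name."""
    validate_template(template)
    name = qname.rstrip(".")
    if not name:
        raise ValueError("empty query name")
    return template.format(escape_filter_value(name))


if __name__ == "__main__":
    # Constructed inputs: a normal name and one carrying filter metacharacters.
    for qname in ("www.example.org.", "*)(objectClass=*"):
        print(render_filter(DEFAULT_TEMPLATE, qname))
```

Without the escaping step the second constructed name would turn the equality match into a wildcard filter of its own.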
[Pdns-users] Security of DNSSEC signing (was: New to PowerDNS)
k...@rice.edu wrote:

On Thu, Jun 26, 2014 at 10:21:06PM +0100, Jorge Bastos wrote:

For the DNSSEC part, is there a way to create the DNSSEC information just by SQL ? If not, the solution is to run pdnssec secure-zone ZONE in a loop on a cron script, am I right?

I do not know about a SQL only solution for MySQL DNSSEC signing, but I know that there is a sample schema for Oracle that includes the needed triggers and functions and that I have a basically complete version of the same for PostgreSQL that I will be submitting to the PDNS folks once we have it vetted for production.

Hmm, am I the only one who is concerned about the security of the signing process?

Please don't get me wrong. But people are advocating DANE nowadays and aim to completely replace X.509 certs with that. So security of the signed RRs is crucial just like issuing X.509 certs.

And yes, I know that it's hard to achieve a higher level of operational security.

Ciao, Michael.
Re: [Pdns-users] PowerDNS 3.0: Can't deal with multi-part NSEC mappings yet
Fredrik Roubert wrote:

My ISP is running a slave DNS service, using PowerDNS 3.0 as this is the version included in Ubuntu 12.04 LTS. I've already read this post, about DNSSEC in 3.0 being explicitly deprecated:

http://mailman.powerdns.com/pipermail/pdns-users/2012-July/009099.html

But seeing that my ISP's position of we'll use what's default in the LTS is kind of reasonable,

IMO it's nonsense to rely on a distribution package in case the upstream developers strongly discourage a release for a certain usage. You should really discuss this with your ISP even if you manage to work-around the current problem.

Ciao, Michael.
Re: [Pdns-users] Installing PDNS Server on Raspberry Pi (weezy)
Marc Haber wrote:

pdns-users is an English language mailing list.

On Fri, Aug 16, 2013 at 10:09:44AM +0200, abang wrote:

but I need one for Debian on Raspberry Pi.

I don't know where you can get a ready-made binary for armv6l. But you could try compiling it yourself.

apt-get install libboost-dev
wget http://downloads.powerdns.com/releases/pdns-recursor-3.5.2.tar.bz2
tar -xjf pdns-recursor-3.5.2.tar.bz2
cd pdns-recursor-3.5.2
./configure
make all

I'm trying that myself right now. It feels like it takes forever on the Pi, though ;-)

The PowerDNS recursor cannot be compiled on arm architectures. It needs a feature called swapcontext which is not available on arm. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579194

Frankly I have no idea what swapcontext is but FWIW I'm running package pdns-recursor-3.3-5.1.armv5tel found in the openSUSE snapshot build for Raspberry Pi.

Ciao, Michael.
Re: [Pdns-users] turn off all type of caching in pdns-recursor
Posner, Sebastian wrote:

CMIIW, but I understand Alex doesn't want to monitor _his_ authoritative nameservers' performance/availability, but that of the resolver his upstream provides him with, and/or get a general heatmap of the state of DNS on teh intartubes. Whilst for monitoring _your_ zones' availability, this approach is a good idea, it is not feasible for domains you do not control^^

Well, this entirely depends on your recursor configuration and the domains you control.

Ciao, Michael.
Re: [Pdns-users] turn off all type of caching in pdns-recursor
Michael Ströder wrote:

Posner, Sebastian wrote:

CMIIW, but I understand Alex doesn't want to monitor _his_ authoritative nameservers' performance/availability, but that of the resolver his upstream provides him with, and/or get a general heatmap of the state of DNS on teh intartubes. Whilst for monitoring _your_ zones' availability, this approach is a good idea, it is not feasible for domains you do not control^^

Well, this entirely depends on your recursor configuration and the domains you control.

Sorry, I've misread your comment. Please ignore mine.

Ciao, Michael.
Re: [Pdns-users] pdns-recursor: Block domains
Peter van Dijk wrote:

On Apr 26, 2013, at 18:57 , Michael Ströder wrote:

What's the simplest and hopefully efficient way to block domains from being resolved by pdns-recursor? I'd like to just NXDOMAIN being returned for all RRs in unwanted domains.

Like JP said, Lua is a very good option. The other option is using local-zones or forward-zones.

Hmm, in case of forward-zones I'd need an additional DNS server generating the NXDOMAIN. So I will try with pseudo local-zones.

Ciao, Michael.
[Pdns-users] pdns-recursor: Block domains
HI!

What's the simplest and hopefully efficient way to block domains from being resolved by pdns-recursor? I'd like to just NXDOMAIN being returned for all RRs in unwanted domains.

Ciao, Michael.