[Pdns-users] [LdapBackend] avoid writing PdnsDomainNotifiedSerial
HI!

I have a very tiny and simple setup of PowerDNS Authoritative server(s) 4.5.3 with LDAP backend using native OpenLDAP replication. Each pdns instance asks a single local LDAP server (via ldapi://). No need for AXFR or IXFR or anything similar fancy in this setup. Also no LDAP fail-over to multiple replicas.

pdns tries to write attribute PdnsDomainNotifiedSerial even though it is IMHO not needed in my setup. It fails because the LDAP server is deliberately configured to not allow write access from the pdns service. Also a pure read-only consumer replica does not accept write operations.

Which configuration setting can I tweak to suppress writing PdnsDomainNotifiedSerial?

Many thanks in advance.

Ciao, Michael.

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users

Re: [Pdns-users] Upgrading Auth Server directly from 4.1.14 to 4.4.1
On 5/21/21 12:49 AM, Nikolaos Milas via Pdns-users wrote:
> However, I am now trying to start the upgraded server and I get the
> message (in journal):
>
> Caught an exception instantiating a backend: launch= suffixes are
> not supported on the bindbackend
>
> launch=ldap:bkend1,bind:bkend2

This just works:

launch=ldap:bkend1,bind

Do you really need the launch suffix 'bkend2' for the bindbackend parameters?

Ciao, Michael.

Re: [Pdns-users] Building for 32-bit platforms (was: PowerDNS Recursor 4.5.1 Released)
On 5/11/21 7:22 PM, Otto Moerbeek wrote:
> On Tue, May 11, 2021 at 07:01:08PM +0200, Michael Ströder via Pdns-users wrote:
>> Was support for running on 32-bit platforms dropped?
>
> Yes, as you can read further down below in the announcement.

Arrgh! Missed that. Sorry for the noise.

Ciao, Michael.

[Pdns-users] Building for 32-bit platforms (was: PowerDNS Recursor 4.5.1 Released)
HI!

Was support for running on 32-bit platforms dropped?

configure fails with:

configure: error: size of time_t is 4, which is not large enough to fix the y2k38 bug

See build system:

https://build.opensuse.org/package/show/home:stroeder:network/pdns-recursor

Ciao, Michael.

On 5/11/21 11:49 AM, Otto Moerbeek via Pdns-users wrote:
> Hello!
>
> We are proud to announce the release of PowerDNS Recursor 4.5.1.
> Compared to the release candidate, this release contains two bug fixes.
> Note that 4.5.0 was never released publicly, since an issue was found
> during QA.

Re: [Pdns-users] RV: Fatal Error: Trying to set unknown parameter 'ldap-authmethod'
On 2/19/21 10:31 AM, Dario García Díaz-Miguel via Pdns-users wrote:
> I had to add to the /etc/openldap/ldap.conf the following parameter:
>
> SASL_MECH GSSAPI

FYI: If you don't want to set this globally you can set env var LDAPRC or LDAPCONF to point to a service-specific ldap.conf. See the details in man-page ldap.conf(5).

> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (No Kerberos credentials available (default cache: /tmp/krb5cc_0)
> )
> [LDAP GSSAPI] ldap_sasl_interactive_bind_s returned -2
> [LDAP GSSAPI] No TGT found, trying to acquire a new one
> [LDAP GSSAPI] krb5 error when getting the TGT: Address family not supported
> by protocol

Do you have a correctly configured /etc/krb5.conf? Again you can point to a service-specific Kerberos config with env var KRB5_CONFIG.

Also check ownership and permissions of your keytab file whether pdns can read it.

I'd also check whether it works to get a TGT with the keytab for the expected client principal name. Assuming you're running pdns as user pdns:

runuser -u pdns kinit -t /etc/pdns.keytab pdns-service-princi...@realm.example.com

I don't have a kerberized setup so all of the above is just from memory.

Ciao, Michael.

Re: [Pdns-users] PowerDNS Recursor build fails on openSUSE Tumbleweed/Factory (gcc 10)
On 9/9/20 11:48 AM, Otto Moerbeek via Pdns-users wrote:
> On 2020-09-09 11:39, Otto Moerbeek via Pdns-users wrote:
>> I do not know what I was doing when I previously looked at this,
>> but this seems to be the minimal patch for the rel/rec-4.3.x branch.
>> Can you check if it works for you?
>
> And now with the correct version of the diff, sorry.

Another package maintainer already applied a back-port patch and it seems to build:

https://build.opensuse.org/package/show/server:dns/pdns-recursor

Could you please check whether that's the correct one?

It's tracked downstream here:

https://bugzilla.opensuse.org/show_bug.cgi?id=1176312

Ciao, Michael.

Re: [Pdns-users] PowerDNS Recursor build fails on openSUSE Tumbleweed/Factory (gcc 10)
On 9/8/20 11:49 AM, Remi Gacogne via Pdns-users wrote:
> On 9/8/20 11:39 AM, Michael Ströder via Pdns-users wrote:
>
>> Currently building PowerDNS Recursor fails building on openSUSE
>> Tumbleweed/Factory:
>
> It's an issue caused by Boost >= 1.73, see [1]. We should probably
> backport that patch, at least to 4.3.x, but we have not done so yet.
>
> [1]: https://github.com/PowerDNS/pdns/pull/9070

Thanks for your quick answer. It seems also pdns auth is affected.

Any chance to get fixed releases? Or should package maintainers apply back-port patches?

Ciao, Michael.

[Pdns-users] PowerDNS Recursor build fails on openSUSE Tumbleweed/Factory (gcc 10)
HI!

Currently building PowerDNS Recursor fails building on openSUSE Tumbleweed/Factory:

https://build.opensuse.org/package/live_build_log/home:stroeder:branches:server:dns/pdns-recursor/openSUSE_Tumbleweed/x86_64

Note that openSUSE Tumbleweed/Factory uses

gcc version 10.2.1 20200825 [revision c0746a1beb1ba073c7981eb09f55b3d993b32e5c] (SUSE Linux)

As you can see it builds on openSUSE Leap:

https://build.opensuse.org/package/show/home:stroeder:branches:server:dns/pdns-recursor

Is this an issue with newer gcc?

Ciao, Michael.

Re: [Pdns-users] why CAP_CHOWN?
On 5/16/20 10:25 PM, bert hubert wrote:
> On Sat, May 16, 2020 at 08:42:21PM +0200, Michael Ströder via Pdns-users wrote:
>> But I wonder why CAP_CHOWN is set in CapabilityBoundingSet= and
>> AmbientCapabilities= and I could not find a reason in the git history of
>> that file.
>
> We chown the UNIX domain control socket to the 'setgid' and 'setuid'
> setting.
>
> This is likely why we need CAP_CHOWN.

It seems to create the control socket just fine because the User= and Group= are set:

srwxr-xr-x 1 pdns pdns 0 May 16 22:39 /run/pdns-recursor/pdns_recursor.controlsocket=

Anything more I could test to ensure that it's safe to remove CAP_CHOWN?

Ciao, Michael.

[Pdns-users] why CAP_CHOWN?
HI!

I appreciate that pdns/recursordist/pdns-recursor.service.in already contains some of systemd's hardening options.

But I wonder why CAP_CHOWN is set in CapabilityBoundingSet= and AmbientCapabilities= and I could not find a reason in the git history of that file.

It seems to run without that capability.

Ciao, Michael.
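
For the CAP_CHOWN question in the two messages above, one check is to read the capability masks the kernel reports for the running recursor in /proc/<pid>/status. This is an added example, not part of the original messages or of the PowerDNS code; the function names are hypothetical, the masks are constructed samples, and the unit name pdns-recursor in the last comment is an assumption.

```sh
#!/bin/sh
# Added example: list which capability sets of a process contain a capability,
# using the hex masks in /proc/<pid>/status. Function names are hypothetical.

CAP_CHOWN=0   # capability number from <linux/capability.h>

# has_cap HEXMASK CAPNUM: succeeds if bit CAPNUM is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# sets_with_cap CAPNUM: reads status text on stdin and prints the names of
# the capability sets (space separated) that contain CAPNUM.
sets_with_cap() {
    cap=$1
    out=""
    while read -r field mask; do
        case $field in
            CapInh:|CapPrm:|CapEff:|CapBnd:|CapAmb:)
                if has_cap "$mask" "$cap"; then
                    out="$out${out:+ }${field%:}"
                fi ;;
        esac
    done
    printf '%s\n' "$out"
}

# sample_status INH PRM EFF BND AMB: constructed status excerpt for the demo.
sample_status() {
    printf 'Name:\tpdns_recursor\nCapInh:\t%s\nCapPrm:\t%s\nCapEff:\t%s\nCapBnd:\t%s\nCapAmb:\t%s\n' "$@"
}

# Constructed masks, not the real unit's capability list.
M_WITH=0000000000000401      # bit 0 (CAP_CHOWN) and bit 10 (CAP_NET_BIND_SERVICE)
M_WITHOUT=0000000000000400   # bit 10 only

echo "all sets:      $(sample_status $M_WITH $M_WITH $M_WITH $M_WITH $M_WITH | sets_with_cap $CAP_CHOWN)"
echo "bounding only: $(sample_status $M_WITHOUT $M_WITHOUT $M_WITHOUT $M_WITH $M_WITHOUT | sets_with_cap $CAP_CHOWN)"
echo "removed:       $(sample_status $M_WITHOUT $M_WITHOUT $M_WITHOUT $M_WITHOUT $M_WITHOUT | sets_with_cap $CAP_CHOWN)"

# Live use (assumes the unit is named pdns-recursor):
#   sets_with_cap "$CAP_CHOWN" < "/proc/$(systemctl show -p MainPID --value pdns-recursor)/status"
```

An empty result for the running service confirms that the capability is really gone from every set. The check reports what the process holds, not whether some code path would need the capability.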