Re: [Pdns-users] Master Support with LDAP Backend

2021-07-08 Thread Nikolaos Milas via Pdns-users

On 7/6/2021 1:40 p.m., Peter van Dijk via Pdns-users wrote:


It is in fact available. The 'No' is wrong. I have just merged a
documentation fix for that (should be visible in a few minutes).


Thank you very much Peter,

I somehow missed your reply and came across it only today.

That is good news indeed!

Thanks again and best wishes to the PowerDNS team now and in the future!

Cheers,
Nick

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


[Pdns-users] Master Support with LDAP Backend

2021-06-02 Thread Nikolaos Milas via Pdns-users

On 19/5/2021 9:40 p.m., Nikolaos Milas via Pdns-users wrote:

By the way, the LDAP backend documentation states "Master (support): 
No", yet there is a section (Master Mode) with configuration for 
Master operation. Will these changes allow master operation in the 
future, or rather is master support (i.e. Zone Change Notifications and 
AXFRs) in fact available?


Of course, notifications & AXFRs to DNS Servers with LDAP Backend may 
not lead to zone updates due to LDAP limitations (and thus should be 
disallowed by configuration), yet they will allow updates of all other 
NS servers. 


Recently, within another thread I had asked the above question, but I 
got no reply on it.


Could anyone please kindly clarify the above regarding current Master 
support in Auth Server with LDAP backend?


With many thanks for all PowerDNS efforts and best regards,
Nick



Re: [Pdns-users] Upgrading Auth Server directly from 4.1.14 to 4.4.1

2021-05-21 Thread Nikolaos Milas via Pdns-users

On 21/5/2021 2:08 a.m., Michael Ströder wrote:


Do you really need the launch suffix 'bkend2' for the bindbackend
parameters?


Hi Michael, thanks for the reply.

I simply had left this part of the config as it was (working before 
upgrade) at version 4.1.14.


Obviously, bind suffix support was dropped at some point, probably 
because the bind backend can be launched only once anyway, so suffix 
support does not provide any benefit. Looking at Authoritative Server 
change logs, I found, at v4.2.0:


 bindbackend: Refuse launch suffixes. References: pull request 6558

I tried with:

   launch=ldap:bkend1,bind

   ldap-bkend1-host=localhost
   ldap-bkend1-basedn=ou=dns,dc=noa,dc=gr
   ldap-bkend1-binddn=uid=dnsusr,ou=sys,dc=noa,dc=gr
   ldap-bkend1-secret=oursecret
   ldap-bkend1-method=simple

   bind-config=/etc/pdns/bind/named.conf
   bind-check-interval=600

and it works indeed.

Cheers,
Nick
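
The migration shown above (a 4.1.14 pdns.conf with `launch=ldap:bkend1,bind:bkend2` refused by 4.4.1, fixed by dropping the bind suffix), as an added example that is not part of the thread and is not PowerDNS code: a small Python check that flags a launch suffix on the bind backend and rewrites the affected keys the way Nick did by hand. It assumes only what the posts show (the bind backend is the one backend that refuses suffixes since 4.2.0); the sample configuration is a constructed, trimmed copy of the posted one.

```python
"""Find and strip the bind backend launch suffix that 4.2+ refuses.

Added example, not PowerDNS code.  It assumes only what this thread shows:
since Authoritative Server 4.2.0 the bind backend rejects a launch suffix
("launch= suffixes are not supported on the bindbackend"), so
'bind:bkend2' must become 'bind' and every 'bind-bkend2-*' setting must
lose the suffix, while suffixes on other backends (ldap:bkend1) stay valid.
"""

# constructed, trimmed copy of the pdns.conf posted in the thread
SAMPLE_CONF = """\
setuid=pdns
launch=ldap:bkend1,bind:bkend2
ldap-bkend1-host=localhost
bind-bkend2-config=/etc/pdns/bind/named.conf
bind-bkend2-check-interval=600
default-ttl=86400
"""

NO_SUFFIX_BACKENDS = {"bind"}   # backends that refuse launch suffixes


def parse_launch(value):
    """'ldap:bkend1,bind:bkend2' -> [('ldap', 'bkend1'), ('bind', 'bkend2')]"""
    items = []
    for item in value.split(","):
        item = item.strip()
        if item:
            backend, _, suffix = item.partition(":")
            items.append((backend, suffix or None))
    return items


def find_bad_suffixes(conf_text):
    """Return {backend: suffix} for launch entries that 4.2+ will refuse."""
    bad = {}
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "launch":
            for backend, suffix in parse_launch(value):
                if suffix and backend in NO_SUFFIX_BACKENDS:
                    bad[backend] = suffix
    return bad


def migrate(conf_text):
    """Return (new_text, changes) with the refused suffixes removed.

    Only the launch= line and keys of a refused backend/suffix pair are
    rewritten; everything else passes through untouched.  A key that is
    already present in its suffix-less form is reported instead of being
    silently overwritten.
    """
    bad = find_bad_suffixes(conf_text)
    if not bad:
        return conf_text, []
    present = {l.partition("=")[0].strip() for l in conf_text.splitlines() if "=" in l}
    out, changes = [], []
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key == "launch":
            items = []
            for backend, suffix in parse_launch(value):
                if suffix and bad.get(backend) == suffix:
                    items.append(backend)
                    changes.append(f"launch: {backend}:{suffix} -> {backend}")
                else:
                    items.append(f"{backend}:{suffix}" if suffix else backend)
            out.append("launch=" + ",".join(items))
            continue
        for backend, suffix in bad.items():
            prefix = f"{backend}-{suffix}-"
            if sep and key.startswith(prefix):
                new_key = f"{backend}-{key[len(prefix):]}"
                if new_key in present:
                    raise ValueError(f"both {key} and {new_key} are set; resolve by hand")
                line = f"{new_key}={value.strip()}"
                changes.append(f"{key} -> {new_key}")
                break
        out.append(line)
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    text, changes = migrate(SAMPLE_CONF)
    print("\n".join(changes) or "nothing to change")
    print(text)
```

Run it against a copy of the real pdns.conf before the upgrade; the `ldap-bkend1-*` keys are left alone because the LDAP backend still accepts a suffix, and the conflict check stops the script from merging two competing definitions of the same bind setting.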


Re: [Pdns-users] Upgrading Auth Server directly from 4.1.14 to 4.4.1

2021-05-20 Thread Nikolaos Milas via Pdns-users

On 19/5/2021 10:20 p.m., Brian Candler wrote:

There is no state stored in pdns-auth itself, other than the state in 
the backend.  So as long as you change your backend to be compatible 
with 4.4.1, I see no reason why you can't jump straight to 4.4.1.


Of course you should first do this in a test environment, cloned or 
copied from your live environment, to discover anything that you might 
have missed.


Thank you Brian,

I have upgraded to 4.4.1, after doing minor adjustments to the config.

However, I am now trying to start the upgraded server and I get the 
message (in journal):


   Caught an exception instantiating a backend: launch= suffixes are
   not supported on the bindbackend

I assume something has changed with the launch directive and backend 
config format that renders our backend configuration faulty? (Please 
see our config below.)


Any hints to correct things as needed will be welcome!

Our config:

---

setuid=pdns
setgid=pdns
webserver=yes
webserver-address=195.xxx.xxx.xxx
webserver-password=ourpass
webserver-port=8081
webserver-print-arguments=no

launch=ldap:bkend1,bind:bkend2

ldap-bkend1-host=localhost
ldap-bkend1-basedn=ou=dns,dc=noa,dc=gr
ldap-bkend1-binddn=uid=dnsusr,ou=sys,dc=noa,dc=gr
ldap-bkend1-secret=oursecret
ldap-bkend1-method=simple

bind-bkend2-config=/etc/pdns/bind/named.conf
bind-bkend2-check-interval=600

default-ttl=86400
local-address=127.0.0.1 195.xxx.xxx.xxx 2001:::::
local-port=53

allow-axfr-ips=192.168.0.0/16, 10.0.0.0/8, 2001:xxx:xxx::/48, \
  127.0.0.1, ::1, 195.xxx.xxx.xxx

logging-facility=0
loglevel=3

cache-ttl=0
log-dns-details=off

--

Thanks,
Nick


[Pdns-users] Upgrading Auth Server directly from 4.1.14 to 4.4.1

2021-05-19 Thread Nikolaos Milas via Pdns-users

Hello,

We are (still) using PowerDNS Auth Server 4.1.14 (on CentOS 7) with LDAP 
backend (simple mode).


Can we upgrade directly to 4.4.1 provided we do pertinent config changes 
as described in the upgrade guide, or it is suggested to upgrade in 
steps, e.g. to the last point release of each major version (4.1.14 --> 
4.2.3 --> 4.3.2 --> 4.4.1)?


After checking documentation:

   https://doc.powerdns.com/authoritative/upgrading.html

...I would say that, apart from the ldap backend schema changes (in 
dnsdomain2.schema and pdns-domaininfo.schema), the only change I can see 
affecting us is deprecation of "local-ipv6" directive.


By the way, the LDAP backend documentation states "Master (support): 
No", yet there is a section (Master Mode) with configuration for Master 
operation. Will these changes allow master operation in the future, or 
rather is master support (i.e. Zone Change Notifications and AXFRs) in 
fact available?


Of course, notifications & AXFRs to DNS Servers with LDAP Backend may 
not lead to zone updates due to LDAP limitations (and thus should be 
disallowed by configuration), yet they will allow updates of all other 
NS servers.


Please advise!

Thanks a lot,
Nick




Re: [Pdns-users] Private IP Addresses in DNS Records

2021-05-14 Thread Nikolaos Milas via Pdns-users

On 14/5/2021 3:50 p.m., Kevin P. Fleming wrote:


I agree with this sentiment; my publicly-visible zones contain records
with both private addresses and with non-reachable public addresses
(IPv6 GUAs), and I'm fine with that. If someone can learn the address
of one of those systems, that doesn't cause any harm.


Hmm, probably you mean IPv6 Link-local addresses (rather than GUAs); 
GUAs are reachable indeed.


However, the whole point of the discussion is exactly how to avoid 
publishing non-reachable (private and link-local) addresses to the 
Internet, and it seems to me that what you suggest is in fact the 
opposite of what Brian suggested.


Yet, it is important to know that publishing to the Internet records 
with private and/or link-local addresses is not considered bad practice! 
Is there any documentation (RFC or good practice guidelines) on this 
subject?


I fully understand and accept Brian's point on running a separate 
internal authoritative server, but if I could do the job by using a 
single authoritative server while keeping a subzone private, that would 
save me valuable administrative cost and would make my admin life 
easier, especially when taking into account that we are a relatively 
small organization with relatively few RRs.


So, if someone (Frank?) can hint on how to block AXFRs/requests for a 
delegated subzone (nevertheless hosted on the same authoritative 
server), that would accomplish what we require while keeping admin 
effort low.


Thanks everyone for your feedback! I still hope that there is a solution 
with our current setup (slightly reconfigured).


Nick

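
An added example, not from the thread and not PowerDNS code: before publishing a zone, a practitioner would want the check this discussion is really about, a listing of every A/AAAA record whose address is RFC 1918 private, IPv6 ULA, link-local or loopback, so that nothing internal leaks through a public AXFR or a direct query. The zone data below is a constructed sample in zone-file form (the kind of lines `dig AXFR` prints); the two public addresses are taken from the thread, the private ones are made up, and `private.noa.gr` is treated as the intended internal subzone and exempted.

```python
"""Audit zone data for addresses that should not be published to the Internet.

Added example, not PowerDNS code.  It takes zone-file style lines (a
constructed sample here) and flags A/AAAA rdata that is RFC 1918 private,
IPv6 ULA (fc00::/7), link-local (169.254/16, fe80::/10) or loopback,
optionally exempting a subzone that is meant to stay internal.
"""
import ipaddress

# constructed sample: public addresses from the thread, private ones made up
SAMPLE_ZONE = """\
noa.gr.               3600 IN SOA  vdns.noa.gr. sysadmin.noa.gr. 2021051301 7200 180 1209600 3600
noa.gr.               3600 IN NS   vdns.noa.gr.
vdns.noa.gr.          3600 IN A    194.177.195.162
vdns.noa.gr.          3600 IN AAAA 2001:648:2011:15::162
printer.noa.gr.       3600 IN A    192.168.10.5
switch.noa.gr.        3600 IN AAAA fe80::1
nas.private.noa.gr.   3600 IN A    10.0.0.7
gw.private.noa.gr.    3600 IN AAAA fd00:1::1
"""


def parse_zone_lines(text):
    """Yield (owner, type, rdata) from 'owner ttl class type rdata' lines."""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split(None, 4)
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, _ttl, _cls, rtype, rdata = fields
        yield owner.lower().rstrip(".") + ".", rtype.upper(), rdata.strip()


def classify(rdata):
    """Return why an address must not be published, or None if it is fine."""
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return "unparseable"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:      # RFC 1918 and ULA fc00::/7 (100.64/10 is not covered)
        return "private"
    return None


def in_subzone(owner, subzone):
    sub = subzone.lower().rstrip(".") + "."
    return owner == sub or owner.endswith("." + sub)


def audit(text, internal_subzone=None):
    """Return [(owner, type, rdata, reason)] for records that would leak.

    Records under internal_subzone are skipped: the plan in the thread is
    to keep that delegated subzone off the public servers, so private
    addresses there are expected.
    """
    findings = []
    for owner, rtype, rdata in parse_zone_lines(text):
        if rtype not in ("A", "AAAA"):
            continue
        if internal_subzone and in_subzone(owner, internal_subzone):
            continue
        reason = classify(rdata)
        if reason:
            findings.append((owner, rtype, rdata, reason))
    return findings


if __name__ == "__main__":
    for owner, rtype, rdata, reason in audit(SAMPLE_ZONE, internal_subzone="private.noa.gr"):
        print(f"LEAK {owner:<24} {rtype:<4} {rdata:<24} {reason}")
```

Feed it the output of `dig AXFR noa.gr @vdns.noa.gr` taken from a host allowed by `allow-axfr-ips`; anything it prints is visible to the whole Internet unless the record is moved into the separately served subzone.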


Re: [Pdns-users] Private IP Addresses in DNS Records

2021-05-14 Thread Nikolaos Milas via Pdns-users

On 14/5/2021 10:17 a.m., fr...@tembo.be wrote:

To keep them hidden, what I would recommend, is to create 
private.noa.gr as a separate zone (so add NS records for it in the 
noa.gr zone and create a new zone), and add example.private.noa.gr 
to that zone. You can then deny AXFRs for that zone. People who can 
AXFR noa.gr can still see that a private.noa.gr zone exists (as they 
would see the NS delegation), but they can't see what's in it.


Thank you Frank,

Some questions:

1. How can we configure PowerDNS (Authoritative) to deny AXFRs for a 
particular zone? I have seen domainmetadata documentation at:


   https://doc.powerdns.com/authoritative/domainmetadata.html

but this functionality is documented as not available for non-DNSSEC 
capable backends as is ours (LDAP).


2. If anyone on the Internet looks up *directly* a particular hostname 
under private.noa.gr zone (e.g. example.private.noa.gr), won't they be 
able to see data about it? Shouldn't we somehow deny all Internet 
requests for that particular zone (in addition to AXFRs), and only allow 
internal requests?


If so, how do we configure PowerDNS (Authoritative) to allow requests 
only from specific IP ranges for that particular zone?


Thanks again,
Nick




[Pdns-users] Private IP Addresses in DNS Records

2021-05-13 Thread Nikolaos Milas via Pdns-users

Hello,

We are using PowerDNS Authoritative Server 4.1.14 with LDAP backend.

In our setup we are hosting our organization domain (noa.gr) and there 
is a number of additional servers which are synced via AXFR.


In this setup we do NOT host name records for internal hosts with 
private ip addresses, although we would like at some point in time to 
setup a separate branch, specifically private.noa.gr, which will be used 
for private IP Addresses.


Can we immediately add records *.private.noa.gr (mapped to private 
addresses) to our DNS DIT (in LDAP) and configure PowerDNS to ignore 
from AXFRs all these records?


In other words, is there a way to configure PowerDNS (4.1.14) to ignore 
a set of records (here: those belonging to subdomain private.noa.gr) 
from AXFRs? This would be a simple way to serve internal DNS needs 
through the same setup.


Otherwise, if this is not possible, if we include a small number of A 
records with private IP Addresses (which unavoidably would be propagated 
to the Internet), would this be considered bad practice? Could this 
cause problems?


Please advise.

Thanks,
Nick




Re: [Pdns-users] Dig: zone queries are not answered without the ANY flag

2017-12-15 Thread Nikolaos Milas

On 15/12/2017 2:35 p.m., Peter van Dijk wrote:


Please do file your issue, with as much detail as possible


Thank you Peter,

I have filed: https://github.com/PowerDNS/pdns/issues/6097

Important note: After more testing, I found that the issue occurs *only 
in v4.0.5 and 4.1.0* and NOT in 4.0.4 (or earlier).


Regards,
Nick



Re: [Pdns-users] Dig: zone queries are not answered without the ANY flag

2017-12-15 Thread Nikolaos Milas
I am sorry I have sounded rude with that statement. (Bert politely 
corrected me privately.)


So, let me rephrase it: Please note this LDAP backend zone issue and 
consider it in your to-do source code development tasks.


As always, I am available for any testing and/or other information 
needed to help resolve it.


Thank you,
Nick


On 15/12/2017 1:15 p.m., Nikolaos Milas wrote:


Please identify the bug and correct it.




Re: [Pdns-users] Dig: zone queries are not answered without the ANY flag

2017-12-15 Thread Nikolaos Milas

Hello Pieter,

Today I downgraded to Auth Server 4.0.3 and, voila!, everything works fine:

[root@vdns ~]# rpm -qa | grep pdns
pdns-recursor-4.0.8-1pdns.el7.x86_64
pdns-backend-ldap-4.0.3-1pdns.el7.x86_64
pdns-4.0.3-1pdns.el7.x86_64

[root@vdns ~]# pdnsutil check-zone noa.gr
Dec 15 12:54:15 Reading random entropy from '/dev/urandom'
Dec 15 12:54:15 [LdapBackend] Ldap connection succeeded
Dec 15 12:54:15 [LdapBackend] Ldap connection succeeded
Dec 15 12:54:15 [bind-bkend2backend] Parsing 1 domain(s), will report when done
Dec 15 12:54:15 [bind-bkend2backend] Done parsing domains, 0 rejected, 1 new, 0 removed

Checked 1098 records of 'noa.gr', 0 errors, 0 warnings.

So, as I have suspected, there exists some bug, probably in 
pdns-backend-ldap, introduced in v4.0.4 and existing continuously 
thereafter.


AXFRs with slaves work fine now, but I cannot upgrade from v4.0.3, since 
all versions thereafter do not work correctly; I have tried each one of 
them.


Please identify the bug and correct it.

Should I create a bug report to the bug tracker (at 
https://github.com/PowerDNS/pdns/issues) ?


Nick

On 15/12/2017 11:50 a.m., Pieter Lexis wrote:

That is pretty damning. Can you check your data in LDAP to see if this 
data is indeed (not) there?





Re: [Pdns-users] Dig: zone queries are not answered without the ANY flag

2017-12-14 Thread Nikolaos Milas

On 14/12/2017 11:18 p.m., Eric Beck wrote:


Try putting an A record for the domain there.
...


Thank you Eric,

I may try it; Which IP Address is suggested to be used? The master dns 
server's IP Address? The organization web server IP Address? Which?


Yet, there remain more questions:

   1. Why does pdnsutil report an error?
   2. Why do AXFRs to slaves fail?

The latter is currently the most important one!

I hope you kind people will help find the solution!

Nick



Re: [Pdns-users] Dig: zone queries are not answered without the ANY flag

2017-12-14 Thread Nikolaos Milas

On 14/12/2017 10:11 p.m., Nikolaos Milas wrote:


...
So, I tried disabling recursion entirely and running the Authoritative 
Server alone.


However, the problem persists:
...


In the meantime, I upgraded to Auth Server 4.1 (running standalone, 
without recursion on the same box), but the problem seems to continue:


# systemctl status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2017-12-14 22:44:50 EET; 5s ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
 Main PID: 21218 (pdns_server)
   CGroup: /system.slice/pdns.service
           └─21218 /usr/sbin/pdns_server --guardian=no --daemon=no --log-timestamp=no --write-pid=no

Dec 14 22:44:50 vdns.noa.gr pdns[21218]: About to create 3 backend threads for UDP
Dec 14 22:44:50 vdns.noa.gr pdns_server[21218]: About to create 3 backend threads for UDP
Dec 14 22:44:50 vdns.noa.gr pdns[21218]: [LdapBackend] Ldap connection succeeded
Dec 14 22:44:50 vdns.noa.gr pdns_server[21218]: [LdapBackend] Ldap connection succeeded
Dec 14 22:44:50 vdns.noa.gr pdns[21218]: [LdapBackend] Ldap connection succeeded
Dec 14 22:44:50 vdns.noa.gr pdns_server[21218]: [LdapBackend] Ldap connection succeeded
Dec 14 22:44:50 vdns.noa.gr pdns[21218]: [LdapBackend] Ldap connection succeeded
Dec 14 22:44:50 vdns.noa.gr pdns_server[21218]: [LdapBackend] Ldap connection succeeded
Dec 14 22:44:50 vdns.noa.gr pdns[21218]: Done launching threads, ready to distribute questions
Dec 14 22:44:50 vdns.noa.gr pdns_server[21218]: Done launching threads, ready to distribute questions


# pdnsutil check-zone noa.gr
Dec 14 22:45:06 Reading random entropy from '/dev/urandom'
Dec 14 22:45:06 [LdapBackend] Ldap connection succeeded
Dec 14 22:45:06 [LdapBackend] Ldap connection succeeded
Dec 14 22:45:06 [bind-bkend2backend] Parsing 1 domain(s), will report when done
Dec 14 22:45:06 [bind-bkend2backend] Done parsing domains, 0 rejected, 1 new, 0 removed

[Error] No NS record at zone apex in zone 'noa.gr'
Checked 1 records of 'noa.gr', 1 errors, 0 warnings.

# less /var/log/pdns.log
...
Dec 14 22:44:50 vdns pdns[21218]: Reading random entropy from '/dev/urandom'
Dec 14 22:44:50 vdns pdns[21218]: Loading '/usr/lib64/pdns/libldapbackend.so'
Dec 14 22:44:50 vdns pdns[21218]: Loading '/usr/lib64/pdns/libbindbackend.so'

Dec 14 22:44:50 vdns pdns[21218]: This is a standalone pdns
Dec 14 22:44:50 vdns pdns[21218]: Listening on controlsocket in '/var/run/pdns.controlsocket'

Dec 14 22:44:50 vdns pdns[21218]: UDP server bound to 127.0.0.1:53
Dec 14 22:44:50 vdns pdns[21218]: UDP server bound to 194.177.195.162:53
Dec 14 22:44:50 vdns pdns[21218]: UDPv6 server bound to [::1]:53
Dec 14 22:44:50 vdns pdns[21218]: UDPv6 server bound to [2001:648:2011:15::162]:53

Dec 14 22:44:50 vdns pdns[21218]: TCP server bound to 127.0.0.1:53
Dec 14 22:44:50 vdns pdns[21218]: TCP server bound to 194.177.195.162:53
Dec 14 22:44:50 vdns pdns[21218]: TCPv6 server bound to [::1]:53
Dec 14 22:44:50 vdns pdns[21218]: TCPv6 server bound to [2001:648:2011:15::162]:53
Dec 14 22:44:50 vdns pdns[21218]: PowerDNS Authoritative Server 4.1.0 (C) 2001-2017 PowerDNS.COM BV
Dec 14 22:44:50 vdns pdns[21218]: Using 64-bits mode. Built using gcc 4.8.5 20150623 (Red Hat 4.8.5-11) on Nov 30 2017 10:19:16 by buildbot@f7be231fe43f.
Dec 14 22:44:50 vdns pdns[21218]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Dec 14 22:44:50 vdns pdns[21218]: Listening for HTTP requests on 194.177.195.162:8081
Dec 14 22:44:50 vdns pdns[21218]: Polled security status of version 4.1.0 at startup, no known issues reported: OK

Dec 14 22:44:50 vdns pdns[21218]: Creating backend connection for TCP
Dec 14 22:44:50 vdns pdns[21218]: [LdapBackend] Ldap connection succeeded
Dec 14 22:44:50 vdns pdns[21218]: [bind-bkend2backend] Parsing 1 domain(s), will report when done
Dec 14 22:44:50 vdns pdns[21218]: [bind-bkend2backend] Done parsing domains, 0 rejected, 1 new, 0 removed

Dec 14 22:44:50 vdns pdns[21218]: About to create 3 backend threads for UDP
Dec 14 22:44:50 vdns pdns[21218]: [LdapBackend] Ldap connection succeeded
Dec 14 22:44:50 vdns pdns[21218]: [LdapBackend] Ldap connection succeeded
Dec 14 22:44:50 vdns pdns[21218]: [LdapBackend] Ldap connection succeeded
Dec 14 22:44:50 vdns pdns[21218]: Done launching threads, ready to distribute questions

...

I don't understand what is happening.

*Why do I get the zone error?* Can you please shed some light on it?

Thanks,
Nick


Re: [Pdns-users] Dig: zone queries are not answered without the ANY flag

2017-12-14 Thread Nikolaos Milas

On 14/12/2017 5:23 p.m., Pieter Lexis wrote:

It looks like you are using the authoritative server as a recursor for 
selected clients. This never works the way it is expected (or should).


Hi Pieter,

Actually, we don't need recursion any more. (It's been left over from 
the past.)


So, I tried disabling recursion entirely and running the Authoritative 
Server alone.


However, the problem persists:

   [root@vdns pdns]# pdnsutil check-zone noa.gr
   Dec 14 21:55:26 Reading random entropy from '/dev/urandom'
   Dec 14 21:55:26 [LdapBackend] Ldap connection succeeded
   Dec 14 21:55:26 [LdapBackend] Ldap connection succeeded
   Dec 14 21:55:26 [bind-bkend2backend] Parsing 1 domain(s), will report when done
   Dec 14 21:55:26 [bind-bkend2backend] Done parsing domains, 0 rejected, 1 new, 0 removed
   [Error] No NS record at zone apex in zone 'noa.gr'
   Checked 1 records of 'noa.gr', 1 errors, 0 warnings.

Am I doing something wrong? What is the cause of the problem now?

As a side note, can you please explain why running the dig query using 
the ANY keyword provides full results, while otherwise it does not?


Here is the current (new) setup:

   [root@vdns pdns]# cat /etc/pdns/pdns.conf
   setuid=pdns
   setgid=pdns

   webserver=yes
   webserver-address=194.177.195.162
   webserver-password=
   webserver-port=8081
   webserver-print-arguments=no
   launch=ldap:bkend1,bind:bkend2

   bind-bkend2-config=/etc/pdns/bind/named.conf
   bind-bkend2-check-interval=600

   ldap-bkend1-host=localhost
   ldap-bkend1-basedn=ou=dns,dc=noa,dc=gr
   ldap-bkend1-binddn=uid=dnsauth,ou=system,dc=noa,dc=gr
   ldap-bkend1-secret=x
   ldap-bkend1-method=simple
   default-ttl=86400
   local-address=127.0.0.1 194.177.195.162
   do-ipv6-additional-processing=yes
   local-ipv6=::1 2001:648:2011:15::162
   local-port=53

   allow-axfr-ips=192.168.0.0/16, 195.251.202.0/23, 195.251.204.0/24, \
  194.177.194.0/24, 194.177.195.0/24, 10.0.0.0/8, 194.177.210.211, \
  194.177.210.10, 83.212.5.18, 83.212.5.22, 2001:648:2011::/48, \
  2001:648:2ffc:111::2, 2001:648:2ffc:112::2, 127.0.0.1, ::1

   logging-facility=0
   loglevel=5
   cache-ttl=0
   log-dns-details=off

Nick


Re: [Pdns-users] Dig: zone queries are not answered without the ANY flag

2017-12-13 Thread Nikolaos Milas

On 13/12/2017 10:53 a.m., Pieter Lexis wrote:


...
How is your set up? Please share your pdns.conf and recursor.conf.

Also, can you show the output of `pdnsutil check-zone noa.gr`?
...


Hi Pieter,

Thank you for your reply.

I list the details you requested below.

I have also included our reverse zones. As you can see, they all appear 
as not having NS records!


As we have not changed our setup at all for years, and we have not had 
any such (or other) problems during all these years, I tend to suspect 
some LDAP backend -related bug, introduced in some recent version.


Finally, for your reference, I am including the LDAP DIT (tree) down to 
the noa.gr SOA entry.


I am available to provide any other info you may require to troubleshoot 
the issue.


Please advise.

---

[root@vdns ~]# cat /etc/pdns/pdns.conf
setuid=pdns
setgid=pdns
allow-recursion=0.0.0.0/0, ::/0
webserver=yes
webserver-address=194.177.195.162
webserver-password=
webserver-port=8081
webserver-print-arguments=no

launch=ldap:bkend1,bind:bkend2

bind-bkend2-config=/etc/pdns/bind/named.conf
bind-bkend2-check-interval=600

ldap-bkend1-host=localhost
ldap-bkend1-basedn=ou=dns,dc=noa,dc=gr
ldap-bkend1-binddn=uid=dnsauth,ou=system,dc=noa,dc=gr
ldap-bkend1-secret=xxx
ldap-bkend1-method=simple
default-ttl=86400
local-address=127.0.0.1 194.177.195.162
do-ipv6-additional-processing=yes
local-ipv6=::1 2001:648:2011:15::162
local-port=53

allow-axfr-ips=192.168.0.0/16, 195.251.202.0/23, 195.251.204.0/24, \
 194.177.194.0/24, 194.177.195.0/24, 10.0.0.0/8, 194.177.210.211, \
  194.177.210.10, 83.212.5.18, 83.212.5.22, 2001:648:2011::/48, \
  2001:648:2ffc:111::2, 2001:648:2ffc:112::2, 127.0.0.1, ::1

allow-recursion=127.0.0.1, ::1, 192.168.0.0/16, 195.251.202.0/23, 195.251.204.0/24, \
  194.177.194.0/24, 194.177.195.0/24, 10.0.0.0/8, 83.212.5.18, \
  83.212.5.22, 194.177.210.210, 194.177.194.99, 2001:648:2011::/48

logging-facility=0
loglevel=5
cache-ttl=0
log-dns-details=off

recursor=127.0.0.1:5300

---

[root@vdns ~]# cat /etc/pdns-recursor/recursor.conf
setuid=pdns-recursor
setgid=pdns-recursor

local-address=127.0.0.1,194.177.195.162,[::1],[2001:648:2011:15::162]
allow-from=0.0.0.0/0,::/0
query-local-address6=2001:648:2011:15::162
local-port=5300
quiet=yes
logging-facility=0
log-common-errors=off

max-cache-entries=0
max-negative-ttl=3600

---

[root@vdns ~]# pdnsutil check-zone noa.gr
Dec 13 19:00:27 Reading random entropy from '/dev/urandom'
Dec 13 19:00:27 [LdapBackend] Ldap connection succeeded
Dec 13 19:00:27 [LdapBackend] Ldap connection succeeded
Dec 13 19:00:27 [bind-bkend2backend] Parsing 1 domain(s), will report when done
Dec 13 19:00:27 [bind-bkend2backend] Done parsing domains, 0 rejected, 1 new, 0 removed

[Error] No NS record at zone apex in zone 'noa.gr'
Checked 1 records of 'noa.gr', 1 errors, 0 warnings.
[root@vdns ~]#
[root@vdns ~]# pdnsutil check-zone 203.251.195.in-addr.arpa
Dec 13 19:01:20 Reading random entropy from '/dev/urandom'
Dec 13 19:01:20 [LdapBackend] Ldap connection succeeded
Dec 13 19:01:20 [LdapBackend] Ldap connection succeeded
Dec 13 19:01:20 [bind-bkend2backend] Parsing 1 domain(s), will report when done
Dec 13 19:01:20 [bind-bkend2backend] Done parsing domains, 0 rejected, 1 new, 0 removed

[Error] No NS record at zone apex in zone '203.251.195.in-addr.arpa'
Checked 1 records of '203.251.195.in-addr.arpa', 1 errors, 0 warnings.
[root@vdns ~]#
[root@vdns ~]# pdnsutil check-zone 204.251.195.in-addr.arpa
Dec 13 19:01:33 Reading random entropy from '/dev/urandom'
Dec 13 19:01:33 [LdapBackend] Ldap connection succeeded
Dec 13 19:01:33 [LdapBackend] Ldap connection succeeded
Dec 13 19:01:33 [bind-bkend2backend] Parsing 1 domain(s), will report when done
Dec 13 19:01:33 [bind-bkend2backend] Done parsing domains, 0 rejected, 1 new, 0 removed

[Error] No NS record at zone apex in zone '204.251.195.in-addr.arpa'
Checked 1 records of '204.251.195.in-addr.arpa', 1 errors, 0 warnings.
[root@vdns ~]#
[root@vdns ~]# pdnsutil check-zone 202.251.195.in-addr.arpa
Dec 13 19:01:39 Reading random entropy from '/dev/urandom'
Dec 13 19:01:39 [LdapBackend] Ldap connection succeeded
Dec 13 19:01:39 [LdapBackend] Ldap connection succeeded
Dec 13 19:01:39 [bind-bkend2backend] Parsing 1 domain(s), will report when done
Dec 13 19:01:39 [bind-bkend2backend] Done parsing domains, 0 rejected, 1 new, 0 removed

[Error] No NS record at zone apex in zone '202.251.195.in-addr.arpa'
Checked 1 records of '202.251.195.in-addr.arpa', 1 errors, 0 warnings.
[root@vdns ~]#
[root@vdns ~]# pdnsutil check-zone 194.177.194.in-addr.arpa
Dec 13 19:01:59 Reading random entropy from '/dev/urandom'
Dec 13 19:01:59 [LdapBackend] Ldap connection succeeded
Dec 13 19:01:59 

Re: [Pdns-users] Dig: zone queries are not answered without the ANY flag

2017-12-12 Thread Nikolaos Milas

Hello,

No one can comment/advise?

I may have not described my issue clearly enough. The problem is that 
remote slaves refuse our AXFRs because they "see" absence of NS records, 
although such records do exist.


Please advise, because it is critical for consistent zone operation.

For example, normal zone replies should be of the form:

# dig nasa.gov

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> nasa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20107
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 6

;; QUESTION SECTION:
;nasa.gov.  IN  A

;; ANSWER SECTION:
nasa.gov.   600 IN  A 23.22.39.120
nasa.gov.   600 IN  A 52.0.14.116

;; AUTHORITY SECTION:
nasa.gov.   86400   IN  NS ns1.nasa.gov.
nasa.gov.   86400   IN  NS ns2.nasa.gov.
nasa.gov.   86400   IN  NS ns3.nasa.gov.

;; ADDITIONAL SECTION:
ns1.nasa.gov.   86400   IN  A     198.116.4.189
ns1.nasa.gov.   75778   IN  AAAA  2001:4d0:8300:401::189
ns2.nasa.gov.   86400   IN  A     198.116.4.185
ns2.nasa.gov.   75778   IN  AAAA  2001:4d0:2300:401::185
ns3.nasa.gov.   86400   IN  A     198.116.4.181
ns3.nasa.gov.   75778   IN  AAAA  2001:4d0:6300:401::181

;; Query time: 327 msec
;; SERVER: 194.177.210.211#53(194.177.210.211)
;; WHEN: Wed Dec 13 00:44:16 2017
;; MSG SIZE  rcvd: 244

whereas in our case:

# dig noa.gr

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> noa.gr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39654
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;noa.gr.    IN  A

;; AUTHORITY SECTION:
noa.gr. 3600    IN  SOA vdns.noa.gr. sysadmin.noa.gr. 2017120501 7200 180 1209600 3600


;; Query time: 5 msec
;; SERVER: 194.177.210.211#53(194.177.210.211)
;; WHEN: Wed Dec 13 00:44:20 2017
;; MSG SIZE  rcvd: 74

(But we do get results when querying with the ANY flag, as I have 
demonstrated already.)


What is the real cause of the problem and how to overcome it?

Please advise!

Thanks again,
Nick


On 12/12/2017 12:50 a.m., Nikolaos Milas wrote:


Should I configure something differently or is this a bug?


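
The contrast between the nasa.gov and noa.gr answers quoted above comes down to what `dig name` asks for: with no type it sends an A query, and a name that exists but has no A RRset is answered with NOERROR, an empty answer section and the zone's SOA in the authority section (a NODATA answer), whereas ANY returns every RRset at the name and nasa.gov happens to have A records at its apex. The following is an added example, not code from the thread or from PowerDNS, modelling that lookup over a constructed record set shaped like the posted noa.gr apex (SOA, NS, MX, no A), together with the apex SOA/NS presence check that `pdnsutil check-zone` reports on; the error strings mirror the check-zone output quoted in this thread.

```python
"""Why `dig noa.gr` shows only an SOA while `dig noa.gr ANY` shows everything.

Added example, not PowerDNS code.  It models the answer an authoritative
server gives from its zone data: `dig name` with no type asks for A; a
name that exists without an A RRset gets NOERROR, no answers and the SOA
in the authority section (NODATA); a name that does not exist gets
NXDOMAIN; ANY returns every RRset at the name.  It also includes the
apex check pdnsutil performs (SOA and NS present at the zone name).
The record set is constructed, not the real noa.gr zone.
"""

ZONE_NAME = "noa.gr."
# constructed zone as (owner, type, rdata); the apex has SOA, NS, MX but no A
ZONE = [
    ("noa.gr.", "SOA", "vdns.noa.gr. sysadmin.noa.gr. 2017120501 7200 180 1209600 3600"),
    ("noa.gr.", "NS", "vdns.noa.gr."),
    ("noa.gr.", "NS", "dns2.noa.gr."),
    ("noa.gr.", "MX", "10 mailgw3.noa.gr."),
    ("vdns.noa.gr.", "A", "194.177.195.162"),
    ("www.noa.gr.", "A", "194.177.195.162"),
]


def rrsets(zone, owner):
    """All records for one owner name, grouped by type."""
    grouped = {}
    for o, t, r in zone:
        if o == owner:
            grouped.setdefault(t, []).append(r)
    return grouped


def answer(zone, zone_name, qname, qtype="A"):
    """Return (rcode, answer_records, authority_records) like an auth server.

    Only the in-zone, non-delegated case is modelled: exact-name lookups,
    NODATA with SOA, NXDOMAIN with SOA, and ANY returning every RRset.
    """
    qname = qname.lower().rstrip(".") + "."
    qtype = qtype.upper()
    soa = [(zone_name, "SOA", r) for r in rrsets(zone, zone_name).get("SOA", [])]
    sets = rrsets(zone, qname)
    if not sets:
        return "NXDOMAIN", [], soa               # name does not exist at all
    if qtype == "ANY":
        recs = [(qname, t, r) for t, rs in sets.items() for r in rs]
        return "NOERROR", recs, []
    if qtype not in sets:
        return "NOERROR", [], soa                # NODATA: name exists, type does not
    return "NOERROR", [(qname, qtype, r) for r in sets[qtype]], []


def check_apex(zone, zone_name):
    """The apex part of check-zone: list errors, empty when the zone is sane."""
    apex = rrsets(zone, zone_name)
    label = zone_name.rstrip(".")
    errors = []
    if "SOA" not in apex:
        errors.append(f"No SOA record at zone apex in zone '{label}'")
    if "NS" not in apex:
        errors.append(f"No NS record at zone apex in zone '{label}'")
    return errors


if __name__ == "__main__":
    for q in (("noa.gr", "A"), ("noa.gr", "ANY"), ("noa.gr", "NS"), ("nope.noa.gr", "A")):
        rcode, ans, auth = answer(ZONE, ZONE_NAME, *q)
        print(q, rcode, "ANSWER:", len(ans), "AUTHORITY:", len(auth))
    print(check_apex(ZONE, ZONE_NAME) or "apex OK")
    print(check_apex([r for r in ZONE if r[1] != "NS"], ZONE_NAME))
```

The first query reproduces the quoted `dig noa.gr` reply (NOERROR, ANSWER: 0, AUTHORITY: 1 with the SOA) from a zone whose apex NS records are present, so that reply on its own does not indicate missing NS records; the separate `check_apex` call on a copy of the zone with the NS records stripped produces the message the thread's `pdnsutil check-zone` runs show.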


Re: [Pdns-users] TXT domain verification record (using @) issues

2017-01-19 Thread Nikolaos Milas

On 18/1/2017 4:20 p.m., Nikolaos Milas wrote:


I tried to add a tXTRecord to the zone:

   dn: dc=noa.gr,ou=dns1,dc=noa,dc=gr
   objectClass: dNSDomain2
   objectClass: domainRelatedObject
   dc: noa.gr
   associatedDomain: noa.gr
   nSRecord: vdns.noa.gr
   nSRecord: dns2.noa.gr
   nSRecord: sns0.grnet.gr
   nSRecord: sns1.grnet.gr
   mXRecord: 20 mailgw1.noa.gr
   mXRecord: 10 mailgw3.noa.gr
   sOARecord: vdns.noa.gr sysad...@noa.gr 2017011805 7200 180 1209600 3600
   tXTRecord: "MS=ms14959969"

but it doesn't seem to be used by pdns:


As I later found out, in the above way verification worked!

Dig DOES show TXT details with the ANY flag.

Obviously I couldn't see them due to caching of earlier SOA details.

So everything seems to be fine!

Thank you,
Nick




Re: [Pdns-users] TXT domain verification record (using @) issues

2017-01-18 Thread Nikolaos Milas

On 18/1/2017 3:11 p.m., Jan-Piet Mens wrote:


Are you sure the '@' doesn't refer to just zone apex, i.e.

noa.gr    TXT "MS=ms..."


Hmm, I am not sure. The directions are here:

   
https://support.office.com/en-us/article/Create-DNS-records-for-Office-365-at-any-DNS-hosting-provider-7b7b075d-79f9-4e37-8a9e-fb60c1d95166?ui=en-US=en-US=US

If I am supposed to add a zone apex, how should I do it? Here is my zone:

   dn: dc=noa.gr,ou=dns1,dc=noa,dc=gr
   objectClass: dNSDomain2
   objectClass: domainRelatedObject
   dc: noa.gr
   associatedDomain: noa.gr
   nSRecord: vdns.noa.gr
   nSRecord: dns2.noa.gr
   nSRecord: sns0.grnet.gr
   nSRecord: sns1.grnet.gr
   mXRecord: 20 mailgw1.noa.gr
   mXRecord: 10 mailgw3.noa.gr
   sOARecord: vdns.noa.gr sysad...@noa.gr 2017011805 7200 180 1209600 3600

I tried to add a tXTRecord to the zone:

   dn: dc=noa.gr,ou=dns1,dc=noa,dc=gr
   objectClass: dNSDomain2
   objectClass: domainRelatedObject
   dc: noa.gr
   associatedDomain: noa.gr
   nSRecord: vdns.noa.gr
   nSRecord: dns2.noa.gr
   nSRecord: sns0.grnet.gr
   nSRecord: sns1.grnet.gr
   mXRecord: 20 mailgw1.noa.gr
   mXRecord: 10 mailgw3.noa.gr
   sOARecord: vdns.noa.gr sysad...@noa.gr 2017011805 7200 180 1209600 3600
   tXTRecord: "MS=ms14959969"

but it doesn't seem to be used by pdns:

   # dig noa.gr ANY @localhost
   ;; Truncated, retrying in TCP mode.

   ; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.1 <<>> noa.gr ANY @localhost
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15873
   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 9

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 1680
   ;; QUESTION SECTION:
   ;noa.gr.IN  ANY

   ;; ANSWER SECTION:
   noa.gr. 86400   IN  MX  20 mailgw1.noa.gr.
   noa.gr. 86400   IN  MX  10 mailgw3.noa.gr.
   noa.gr. 86400   IN  NS vdns.noa.gr.
   noa.gr. 86400   IN  NS dns2.noa.gr.
   noa.gr. 86400   IN  NS sns0.grnet.gr.
   noa.gr. 86400   IN  NS sns1.grnet.gr.
   noa.gr. 86400   IN  SOA vdns.noa.gr. sysadmin.noa.gr. 2017011805 7200 180 1209600 3600

   ;; ADDITIONAL SECTION:
   mailgw1.noa.gr. 86400   IN  AAAA  2001:648:2ffc:1115::27
   mailgw1.noa.gr. 86400   IN  A     83.212.5.27
   mailgw3.noa.gr. 86400   IN  AAAA  2001:648:2ffc:126::2
   mailgw3.noa.gr. 86400   IN  A     62.217.124.2
   vdns.noa.gr.    120     IN  AAAA  2001:648:2011:15::162
   vdns.noa.gr.    120     IN  A     194.177.195.162
   dns2.noa.gr.    120     IN  AAAA  2001:648:2011:8010::213
   dns2.noa.gr.    120     IN  A     195.251.204.213

   ;; Query time: 3 msec
   ;; SERVER: ::1#53(::1)
   ;; WHEN: Wed Jan 18 16:06:57 EET 2017
   ;; MSG SIZE  rcvd: 386

Sorry for my ignorance. :-( I appreciate your guidance!

Thanks for your kind help,
Nick


___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


[Pdns-users] TXT domain verification record (using @) issues

2017-01-18 Thread Nikolaos Milas

Hello,

I am using PowerDNS 4 with LDAP backend (simple mode).

I am facing the problem of having to define a "@" TXT record value for 
domain verification purposes.


I have defined such a record in this way:

   dn: dc=@,dc=noa.gr,ou=dns1,dc=noa,dc=gr
   objectClass: dNSDomain2
   objectClass: dNSDomain
   objectClass: domainRelatedObject
   objectClass: domain
   objectClass: top
   associatedDomain: @.noa.gr
   dc: @
   dNSTTL: 3600
   tXTRecord: "MS=ms14959969"

My dig or nslookup queries for @.noa.gr do not seem to work:

# dig '@.noa.gr' ANY
dig: couldn't get address for '.noa.gr': not found

...so I tried the following:

--

# dig '\@.noa.gr' ANY

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.11 <<>> \@.noa.gr ANY
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62739
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5

;; QUESTION SECTION:
;\@.noa.gr.                     IN      ANY

;; ANSWER SECTION:
\@.noa.gr.              3495    IN      TXT     "MS=ms14959969"

;; AUTHORITY SECTION:
noa.gr.                 3543    IN      NS      vdns.noa.gr.
noa.gr.                 3543    IN      NS      sns1.grnet.gr.
noa.gr.                 3543    IN      NS      dns2.noa.gr.
noa.gr.                 3543    IN      NS      sns0.grnet.gr.

;; ADDITIONAL SECTION:
sns0.grnet.gr.          3388    IN      A       83.212.5.18
sns0.grnet.gr.          31638   IN      AAAA    2001:648:2ffc:111::2
sns1.grnet.gr.          3197    IN      A       83.212.5.22
sns1.grnet.gr.          77018   IN      AAAA    2001:648:2ffc:112::2
vdns.noa.gr.            33      IN      AAAA    2001:648:2011:15::162

;; Query time: 5 msec
;; SERVER: 194.177.210.211#53(194.177.210.211)
;; WHEN: Wed Jan 18 12:31:20 2017
;; MSG SIZE  rcvd: 250

--

and:

   # dig noa.gr AXFR @194.177.195.162 | grep ms14
   \@.noa.gr.   3600IN   TXT   "MS=ms14959969"

But this does not seem to do the job. It seems that @ is different than \@

(The domain verification procedure fails as well.)

The questions:

1. What am I doing wrong in setting up this "@" record (over LDAP)?

2. Can you please suggest a solution?

Thanks a lot,
Nick





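The two messages above show why the `dc=@` entry never served the apex: in the ldap backend's simple mode the owner name is the `associatedDomain` value taken literally, so apex records belong on the zone's own entry (as in the second attempt), while a `dc=@` child becomes the literal name `\@.noa.gr` that dig printed. The following script, added here and not part of PowerDNS or of the thread, renders dNSDomain2 entries as zone-file style records so the effect of each layout can be checked offline; the sample LDIF is constructed from the entries quoted in the thread, and the SOA mailbox is the one dig displayed.

```python
"""Render PowerDNS ldap-backend (simple mode) dNSDomain2 entries as zone-file
style records, so you can see which owner name each LDIF entry really produces.

Added example, not PowerDNS code. Assumes the simple-mode behaviour the thread
shows: a record's owner name is the entry's associatedDomain value taken
literally, so apex records must sit on the zone's own entry and an entry with
dc=@ yields the literal name '\\@.<zone>', not the apex.
"""

# dNSDomain2 attribute (lowercased) -> RR type, for the attributes used on this page
ATTR_TYPES = {
    "arecord": "A", "aaaarecord": "AAAA", "nsrecord": "NS", "mxrecord": "MX",
    "soarecord": "SOA", "txtrecord": "TXT", "cnamerecord": "CNAME",
}
DEFAULT_TTL = 86400  # used when an entry carries no dNSTTL (pdns default-ttl)

# Constructed sample: the zone entry with its apex TXT, plus the 'dc=@' child
# that the original question tried.
SAMPLE_LDIF = """\
dn: dc=noa.gr,ou=dns1,dc=noa,dc=gr
objectClass: dNSDomain2
objectClass: domainRelatedObject
dc: noa.gr
associatedDomain: noa.gr
nSRecord: vdns.noa.gr
nSRecord: dns2.noa.gr
mXRecord: 10 mailgw3.noa.gr
sOARecord: vdns.noa.gr sysadmin.noa.gr 2017011805 7200 180 1209600 3600
tXTRecord: "MS=ms14959969"

dn: dc=@,dc=noa.gr,ou=dns1,dc=noa,dc=gr
objectClass: dNSDomain2
objectClass: domainRelatedObject
dc: @
associatedDomain: @.noa.gr
dNSTTL: 3600
tXTRecord: "MS=ms14959969"
"""


def parse_ldif(text):
    """Parse a minimal LDIF stream into a list of {attr_lowercase: [values]} dicts.
    Folded continuation lines are joined; base64 ('::') values are not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF line folding
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def escape_owner(name):
    """RFC 1035 presentation form: a literal '@' inside a label must be escaped,
    otherwise it would read as 'current origin'. This is why dig printed \\@.noa.gr."""
    return name.replace("@", "\\@")


def to_records(entries):
    """Return (owner, ttl, type, rdata) tuples the way the backend would serve them."""
    rrs = []
    for entry in entries:
        owners = entry.get("associateddomain", [])
        ttl = int(entry.get("dnsttl", [DEFAULT_TTL])[0])
        for attr, values in entry.items():
            rtype = ATTR_TYPES.get(attr)
            if rtype is None:
                continue
            for owner in owners:
                for rdata in values:
                    rrs.append((escape_owner(owner) + ".", ttl, rtype, rdata))
    return rrs


def at_entries(entries):
    """DNs of entries that use '@' as a label: these never match the zone apex."""
    return [e["dn"][0] for e in entries if "@" in e.get("dc", [""])[0]]


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for owner, ttl, rtype, rdata in to_records(parsed):
        print(f"{owner:20} {ttl:6} IN {rtype:5} {rdata}")
    for dn in at_entries(parsed):
        print(f"warning: {dn} is a literal '@' label, not the zone apex")
```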


Re: [Pdns-users] Syslog not logging to configured facility

2016-12-02 Thread Nikolaos Milas

On 2/12/2016 11:09 μμ, Pieter Lexis wrote:


This is because the systemd-journal is forwarded to syslog. You will need to 
remove the --disable-syslog flag from the PowerDNS Exec command in the service 
file to make PowerDNS *itself* log to syslog.


Thank you Pieter,

Your suggestion did the trick! Now it's working as (I) expected!

All the best,
Nick


Re: [Pdns-users] Syslog not logging to configured facility

2016-12-01 Thread Nikolaos Milas

On 1/12/2016 7:47 μμ, Pieter Lexis wrote:


On CentOS 7, logging to syslog is disabled in the systemd unit file. You could 
ship the message via the systemd-journal _or_ create an override unit file to 
enable syslog.


Thank you Pieter for your reply,

In my system, rsyslog is in fact enabled and working. For example, 
openldap which writes to local4 (per the default configuration) works 
fine (via local4).


In any case, the log entries *do* reach /var/log/messages, as I have 
explained. So rsyslog DOES receive them, but they do not seem to reach 
the localN (where N=0,...) facility.


What else may be the problem?

Nick




Re: [Pdns-users] Configure private subdomain

2015-03-28 Thread Nikolaos Milas

On 4/3/2015 8:17 μμ, Michael Ströder wrote:


This sounds a bit like a special case for split horizon DNS.

I promised to configure a demo using powerdns with LDAP backend for this based
on OpenLDAP ACLs and several powerdns instances using different LDAP identities.

Feel free to come here and ask whether I managed to get it working in time:
https://chemnitzer.linux-tage.de/2015/en/programm/beitrag/134


Hi Michael,

If you managed to set up this demo (Split-DNS with powerdns and 
LDAP-Backend) for the Linux-Tage, could you please post this work here 
or a link to a page where it is available?


Thank you in advance.

All the best,
Nick




Re: [Pdns-users] Configure private subdomain

2015-03-05 Thread Nikolaos Milas

On 5/3/2015 8:53 πμ, Michael Ströder wrote:

Yes, IMHO it's far easier to build up a replicated setup with the LDAP backend
than with any SQL DB.


We have been using LDAP replication for powerdns (rather than normal 
master-slaves) for years. It is a great setup.



Unfortunately, Grégory Oestreicher's fork
(http://repo.or.cz/w/pdns-ldap-backend.git) of the LDAP backend (which is the
most updated source code) has not had any progress for two years now.
I'm using stock pdns 3.4.3 and not external code. Give it a try.


G. Oestreicher's fork is better than the stock ldap backend (which I don't 
know if it is still included in the latest pdns releases). It includes 
numerous fixes and works fine as is.


The only problem is that development stalled two years ago. It would be 
nice if more ldap-and-pdns-aware developers could delve into it.


I am not a developer, yet I can assist with design, testing and other 
auxiliary tasks.


Regards,
Nick



Re: [Pdns-users] Configure private subdomain

2015-03-04 Thread Nikolaos Milas

On 4/3/2015 8:17 μμ, Michael Ströder wrote:


This sounds a bit like a special case for split horizon DNS.


Precisely.


I promised to configure a demo using powerdns with LDAP backend for this based
on OpenLDAP ACLs and several powerdns instances using different LDAP identities.

Feel free to come here and ask whether I managed to get it working in time:
https://chemnitzer.linux-tage.de/2015/en/programm/beitrag/134


I am sure it can be done, however it might take significant work; I know 
you can do it. (I would like to play with it as well, yet I would have 
to invest time which I cannot afford now...)


Although I will not be able to attend the event, it would be nice to 
make this demo in a way that it is streamlined enough to be (relatively) 
easily reproduced by others. I guess that the most important part of 
this effort is ACL authoring in order to isolate entries / attributes.


Please post your work and scripts here (or notify us on where you have 
posted it). I would surely like to use this work (esp. if it is handy 
enough).


Despite the fact that PowerDNS with LDAP backend seems underutilized and 
LDAP backend development has been neglected for years (due to lack of 
interest and private investment), I see much potential in it, as you, 
and it would be worth trying to revive it.


Unfortunately, Grégory Oestreicher's fork 
(http://repo.or.cz/w/pdns-ldap-backend.git) of the LDAP backend (which 
is the most updated source code) has not had any progress for two years now.


All the best,
Nick




Re: [Pdns-users] Configure private subdomain

2015-03-03 Thread Nikolaos Milas

  
  
On 3/3/2015 1:48 μμ, bert hubert wrote:



  I'm not entirely sure I understand your question, since AXFRs are not sent
but requested. However, I am sure that 2.9.22 can't do this.



Thanks for the reply. 

You are right. I used wrong terminology; I meant "notifications"
(DNS NOTIFY) to trigger AXFRs.

Ideally, we would like pdns to be configured to reply to requests for
particular names (under a specific subdomain, say
internal.example.com) by only providing AAAA records (if available,
otherwise no results) and hide A records.

This way we could specify (for names under a specific domain), "A"
records which will contain a Private IP Address, so as to not be
visible to the Internet but only locally.

Is it possible to achieve the above?

Thank you, 
Nick
  




Re: [Pdns-users] Configure private subdomain

2015-03-03 Thread Nikolaos Milas

On 3/3/2015 2:44 μμ, Nikolaos Milas wrote:

Ideally, we would like pdns to be configured to reply to requests *for 
particular names* (under a specific subdomain, say 
internal.example.com) by only providing AAAA records (if available, 
otherwise no results) and hide A records.


This way we could specify (for names under a specific domain), A 
records which will contain a Private IP Address, so as to not be 
visible to the Internet but only locally.


Corrections/Clarifications:

Ideally, we would like pdns to be configured to reply to requests *for 
particular names* (under a specific subdomain, say internal.example.com) 
by only providing AAAA records (if available, otherwise no results) and 
hide A records to all requests, except to those from our own networks 
(as would be configured), to which full replies would be provided.


This way we could specify (for names under a specific domain), A 
records which will contain a Private IP Address, so as to not be 
visible to the Internet but only locally (to our own networks, which 
would be specified explicitly).


Thanks again,
Nick



[Pdns-users] Naming hosts with public IPv6 and Private IPv4 addresses

2015-03-02 Thread Nikolaos Milas

  
  
Hello, 

I would like to ask for your experience and advice on the following
situation: 

When we use a private IPv4 subnet (e.g. 10.10.10.0/24) with NAT (to
access the Internet) and at the same time (i.e. on the same LAN or
VLAN) we use a public IPv6 address space, what should be the naming
policy for hosts with dual stack, i.e. with a private IPv4 address
and a public IPv6 address?

Naming using public IPv6 addresses leads to public names (e.g.
example.com), while naming using private IPv4 addresses leads to
private names (e.g. example.local). 

What is the best way to reconcile the two? I feel that hosts should
not be meant to have double names (in order to avoid management and
dns havoc). 

A (single) name should be an easy way to address a host, regardless
whether it is using IPv6 or IPv4; this idea is largely defeated if
we need to address/recognize (in the local network) a host
using a different name in IPv6 and in IPv4.

Thanks in advance for your advice and thoughts. 

Nick
  




Re: [Pdns-users] dns flood problem

2013-06-03 Thread Nikolaos Milas

On 3/6/2013 11:48 πμ, Steffan Noord wrote:


Last weekend I had a DNS attack.
Is there some kind of IDS I can install in front of the pdns installation?

Thanks for any advice on this.




Start from fail2ban.

Easy to setup and very effective.

Regards,
Nick




Re: [Pdns-users] dns flood problem

2013-06-03 Thread Nikolaos Milas

On 3/6/2013 1:10 μμ, Steffan Noord wrote:


Hello Nick,

Do you want to share your config with me?
What are the dns queries that we want to block?

I'm starting the logs of pdns on a higher level.
I see some of these errors:

Received a malformed qdomain from 194.xx.xx.xx, 
'error(2):\032Connection\032to\032service\032failed.xxx.com': sending servfail





Try: http://wiki.sosdg.org/software:fail2ban:bad-qdomain

Nick

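The linked fail2ban recipe keys on exactly the "Received a malformed qdomain from ..." line quoted above. The script below, added here and not part of the thread or of that recipe, shows the detection side of it offline: it parses such lines, counts hits per source address in a sliding window and reports the sources that cross a fail2ban-style maxretry/findtime threshold. The log lines are constructed after the quoted format with documentation addresses; the host name, PID, thresholds and the one unrelated line are made up.

```python
"""Fail2ban-style detection for the 'malformed qdomain' lines pdns logs under a
query flood: count hits per source address in a sliding window and report the
sources that cross the threshold.

Added example, not part of the thread or of the fail2ban filter linked above.
The log lines are constructed after the message format quoted above, with
documentation addresses; host name, PID and threshold values are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# pdns_server message quoted in the thread; the address is the querying host.
MALFORMED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pdns\[\d+\]: "
    r"Received a malformed qdomain from (?P<ip>[0-9A-Fa-f.:]+), "
)


def _line(hhmmss, ip, qname="error(2):\\032Connection\\032to\\032service\\032failed.example.com"):
    """Build one constructed log line in the quoted format."""
    return (f"Jun  3 {hhmmss} ns1 pdns[1234]: Received a malformed qdomain "
            f"from {ip}, '{qname}': sending servfail")


SAMPLE_LOG = [
    _line("10:15:01", "203.0.113.5"),
    _line("10:15:02", "198.51.100.7"),
    _line("10:15:03", "203.0.113.5"),
    _line("10:15:04", "203.0.113.5"),
    # constructed unrelated line: must not count as a hit
    "Jun  3 10:15:05 ns1 pdns[1234]: Done launching threads, ready to distribute questions",
    _line("10:15:06", "203.0.113.5"),
    _line("10:15:07", "198.51.100.7"),
    _line("10:15:08", "203.0.113.5"),   # 5th hit from 203.0.113.5 inside the window
    _line("10:40:00", "203.0.113.5"),   # already reported; outside the window anyway
]


def parse_events(lines, year=2013):
    """Yield (timestamp, ip) for each malformed-qdomain line. Syslog timestamps
    carry no year, so one is supplied by the caller."""
    for line in lines:
        m = MALFORMED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def offenders(lines, maxretry=5, findtime=600, year=2013):
    """Return {ip: timestamp of the hit that reached maxretry} using a sliding
    window of findtime seconds, the same semantics fail2ban applies."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)
    reported = {}
    for ts, ip in parse_events(lines, year):
        if ip in reported:
            continue  # a banned source needs no further counting
        recent = hits[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop hits older than findtime
        if len(recent) >= maxretry:
            reported[ip] = ts
    return reported


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip}: reached threshold at {when}")
```

A real jail would hand the reported address to fail2ban's action, and a low maxretry risks blocking a busy resolver that merely forwards a few malformed queries from its own clients.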


[Pdns-users] DNS Failover

2013-04-19 Thread Nikolaos Milas

Hello,

We have two SMTP/POP/IMAP/Apache(Webmail) Servers, say mail1.example.com 
and mail2.example.com and we want to implement DNS-based failover. 
mail1.example.com is the main one; in case of mail1.example.com failure, 
DNS should redirect users as soon as possible to mail2.example.com.


Is there a suggested/pre-designed way to do it?

As I understand, we could:

1. Have a CNAME record like mail.example.com which maps users to
   mail1.example.com, using a low TTL like 30 sec.
2. Monitor mail1.example.com every couple of seconds (e.g. using pings).
3. In case of no reply by mail1.example.com, change (via script) the
   CNAME record to now map mail.example.com to mail2.example.com.

(Note: We are using pdns 2.9.22 with LDAP backend, but this is irrelevant.)

Can you please provide advice on how to handle this best?

Nick

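The three steps above can be turned into a small controller. The code below is an added example, not something from the thread: it takes probe results, flips the mail.example.com CNAME to mail2 only after several consecutive failures and back only after a longer clean run (a single lost ping must not move users, and a flapping primary must not bounce them), and emits the change as an LDIF modify for the ldap backend. The probe is injected so the logic runs offline; the DN, the cNAMERecord/dNSTTL attribute names and the thresholds are assumptions modelled on the dNSDomain2 entries earlier on this page.

```python
"""Controller for the CNAME-based failover sketched above: switch the
mail.example.com CNAME to the secondary only after several consecutive failed
probes, switch back only after a longer run of successes, and emit each change
as an LDIF modify for the ldap backend.

Added example, not from the thread. The probe is passed in as a callable so the
logic runs offline; the DN, the cNAMERecord/dNSTTL attribute names and the
thresholds are assumptions modelled on the dNSDomain2 entries on this page.
"""
import socket


class FailoverController:
    def __init__(self, dn, primary, secondary, ttl=30,
                 fail_threshold=3, recover_threshold=10):
        self.dn, self.primary, self.secondary, self.ttl = dn, primary, secondary, ttl
        self.fail_threshold, self.recover_threshold = fail_threshold, recover_threshold
        self.active = primary
        self.fail_count = self.ok_count = 0

    def ldif_modify(self, target):
        """LDIF that repoints the CNAME and keeps the TTL low; feed it to
        ldapmodify (not done here)."""
        return (f"dn: {self.dn}\nchangetype: modify\n"
                f"replace: cNAMERecord\ncNAMERecord: {target}\n-\n"
                f"replace: dNSTTL\ndNSTTL: {self.ttl}\n-\n")

    def observe(self, primary_up):
        """Record one probe result; return the LDIF to apply, or None."""
        if primary_up:
            self.fail_count, self.ok_count = 0, self.ok_count + 1
        else:
            self.ok_count, self.fail_count = 0, self.fail_count + 1
        # Hysteresis: one lost probe must not flip the record, and failing back
        # needs a longer clean run so a flapping primary does not bounce users.
        if self.active == self.primary and self.fail_count >= self.fail_threshold:
            return self._switch(self.secondary)
        if self.active == self.secondary and self.ok_count >= self.recover_threshold:
            return self._switch(self.primary)
        return None

    def _switch(self, target):
        self.active = target
        self.fail_count = self.ok_count = 0
        return self.ldif_modify(target)


def tcp_probe(host, port=25, timeout=2.0):
    """Service-level check: a TCP connect to the SMTP port says more about the
    mail service than a ping does."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Offline simulation: two good probes, three failures, then recovery.
    ctl = FailoverController("dc=mail,dc=example.com,ou=dns,dc=example,dc=com",
                             "mail1.example.com", "mail2.example.com")
    for result in [True, True, False, False, False] + [True] * 10:
        change = ctl.observe(result)
        if change:
            print(change)
    # Real use: loop with ctl.observe(tcp_probe("mail1.example.com")) every few seconds.
```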


Re: [Pdns-users] Building pdns RPMs using custom LDAP libraries/headers

2013-04-11 Thread Nikolaos Milas

On 11/4/2013 4:20 μμ, a b wrote:

Please add -rpath /usr/local/openldap/lib64 to your LDFLAGS so that 
you do not have to resort to LD_LIBRARY_PATH or ld.so.conf hacks.


Hmm, it didn't work like that:

LDFLAGS="${LDFLAGS} -L/usr/local/openldap/lib64 -lldap -llber -rpath 
/usr/local/openldap/lib64"; export LDFLAGS


In config.log:

   gcc: unrecognized option '-rpath'

But it worked as:

LDFLAGS="${LDFLAGS} -L/usr/local/openldap/lib64 -lldap -llber 
-R/usr/local/openldap/lib64"; export LDFLAGS


Thanks again for your help! :-)

Cheers,
Nick




Re: [Pdns-users] Building pdns RPMs using custom LDAP libraries/headers

2013-04-11 Thread Nikolaos Milas

On 11/4/2013 9:51 μμ, a b wrote:

That means that ./configure is using the compiler front end (gcc) to 
link the executable, which is correct and good, but is using LDFLAGS 
to do that, which is a mistake.


For linking with the front end, the ./configure script should be using 
CFLAGS:


-Wl,-rpath,@LIBDIR@


You mean I should set:

CFLAGS=${CFLAGS} -Wl/usr/local/openldap/lib64 -lldap -llber -rpath 
/usr/local/openldap/lib64; export CFLAGS


...rather than LDFLAGS ?

-lldap and -llber remain in there as they were?

And what is @LIBDIR@ ? How do we use it?

By the way, why using LDFLAGS is a mistake and we should do it with CFLAGS?

Regards,
Nick



Re: [Pdns-users] Building pdns RPMs using custom LDAP libraries/headers

2013-04-10 Thread Nikolaos Milas

On 10/4/2013 10:44 πμ, Aki Tuomi wrote:


LDFLAGS=-llber ./configure your configure options here


OK, this worked!

   export LDFLAGS=-llber
   %configure options

I am still puzzled why in my case the above export statement was 
needed, but anyway...


And, if we want to link against the custom ldap libraries:

CXXFLAGS="${CXXFLAGS} -I/usr/local/openldap/include"; export CXXFLAGS
LDFLAGS="${LDFLAGS} -L/usr/local/openldap/lib64 -lldap -llber"; export 
LDFLAGS

%configure options

The above worked as well and they are the very settings I had first 
tried and posted here, BUT I had not added the export statement!


So, things look OK now. Thank you all for your kind assistance!

Just one more question: Why in the spec file of pdns-3.1 EPEL SRPM we 
also set:


   export CPPFLAGS="-DLDAP_DEPRECATED %{optflags}"

...??

What does -DLDAP_DEPRECATED signify?

Thanks,
Nick



Re: [Pdns-users] Building pdns RPMs using custom LDAP libraries/headers

2013-04-09 Thread Nikolaos Milas

On 9/4/2013 5:30 μμ, Aki Tuomi wrote:


This line here is the clue. You are missing -llber (/usr/lib64/llber.so)


There is not such a lib (llber.so or lber.so or lldap.so or ldap.so) in 
any openldap installation either on CentOS/EL 5 or 6.


If the process requires such libs, it's looking for something that may 
not exist.


The actual libs, as installed by any openldap package (or compiled from 
source), are (at /usr/lib or at /usr/lib64 or at custom paths): 
libldap.so and liblber.so.


Now what?

Thanks,
Nick



Re: [Pdns-users] Building pdns RPMs using custom LDAP libraries/headers

2013-04-09 Thread Nikolaos Milas

On 10/4/2013 12:33 πμ, Ruben Kerkhof wrote:


There must be something broken in your setup, can you show us the same
output as I just did?


[root@vmres x86_64]# rpm -qf /usr/lib64/liblber.so
openldap-devel-2.4.23-32.el6_4.x86_64

[root@vmres x86_64]# ls -l /usr/lib64/liblber*
lrwxrwxrwx. 1 root root 10 Sep 21  2012 /usr/lib64/liblber-2.4.so.2 -> liblber.so
lrwxrwxrwx  1 root root 27 Mar 11 16:06 /usr/lib64/liblber.so -> /lib64/liblber-2.4.so.2.5.6


[root@vmres x86_64]# rpm -qf /lib64/liblber-2.4.so.2.5.6
openldap-2.4.23-32.el6_4.x86_64

I have installed both openldap and openldap-devel packages.

Can't find anything broken. Note only that I have also installed the LTB 
openldap packages, which however use different paths to install libs 
etc., so they do not affect any system libraries:


[root@vmres x86_64]# rpm -qa | grep openldap
openldap-devel-2.4.23-32.el6_4.x86_64
openldap-ltb-2.4.34-1.el6.x86_64
openldap-2.4.23-32.el6_4.x86_64
openldap-ltb-debuginfo-2.4.34-1.el6.x86_64

[root@vmres x86_64]# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/berkeleydb/lib64
/usr/local/openldap/lib64

[root@vmres x86_64]# ls -la /usr/local/openldap/lib64/liblber*
lrwxrwxrwx 1 ldap ldap     20 Mar 20 17:06 /usr/local/openldap/lib64/liblber-2.4.so.2 -> liblber-2.4.so.2.9.0
-rw-r--r-- 1 ldap ldap 160959 Mar 12 16:39 /usr/local/openldap/lib64/liblber-2.4.so.2.9.0
-rw-r--r-- 1 ldap ldap 101556 Mar 12 16:40 /usr/local/openldap/lib64/liblber.a
-rw-r--r-- 1 ldap ldap    864 Mar 12 16:39 /usr/local/openldap/lib64/liblber.la
lrwxrwxrwx 1 ldap ldap     20 Mar 20 17:06 /usr/local/openldap/lib64/liblber.so -> liblber-2.4.so.2.9.0


Any ideas?

Thanks,
Nick



Re: [Pdns-users] Selective notifications

2013-04-05 Thread Nikolaos Milas

On 5/4/2013 9:56 πμ, Ruben d'Arco wrote:


I believe that should solve your first two points, I suggest you provide a bit 
more information (logging, configuration) in the other thread on the last point.


Thanks,

I am aware of these tickets, I've also asked about them, see:

http://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg06050.html

but no one has replied.

Currently I can't apply patches easily, I'm still having problems 
building powerdns.


As to the last point, I have provided full logging. See my post titled 
[Pdns-users] Multiple notifications when notifying IPv6 addresses 
which came in on 3 Apr 2013. (No one has replied to this yet either.)


My master config is:

   module-dir=/usr/lib64
   socket-dir=/var/run/pdns-server
   setuid=powerdns
   setgid=powerdns
   launch=bind

   launch=ldap
   ldap-host=localhost
   ldap-basedn=ou=dns2,dc=noa,dc=gr
   ldap-binddn=uid=userx,ou=system,dc=noa,dc=gr
   ldap-secret=mysecret
   ldap-method=simple
   master=on

   default-ttl=86400
   local-address=127.0.0.1 194.177.195.158
   do-ipv6-additional-processing=yes
   local-ipv6=::1 2001:648:2011:14::158
   local-port=53
   allow-axfr-ips=192.168.0.0/16, 195.251.202.0/23, 2001:648:2011::/48

   logging-facility=5
   loglevel=9
   cache-ttl=60
   log-dns-details=off

Regards,
Nick



Re: [Pdns-users] Selective notifications

2013-04-05 Thread Nikolaos Milas

On 5/4/2013 4:59 μμ, a b wrote:


Which problem(s) are you experiencing currently?


Thank you,

Since the last time I posted regarding my issues, I haven't been able to 
find time to test your latest suggestions, so I am still at that point. :-(


Too much work, too many priorities for us poor people...

I'll let you know as soon as I get back to building pdns again.

Thanks and Regards,
Nick



[Pdns-users] Selective notifications

2013-04-03 Thread Nikolaos Milas

Hello,

Is it possible to somehow disable auto notifications when running 
authoritative server (3.2) in master mode and use pdns_control to send 
notifications manually when required to whichever servers we want?


Thanks,
Nick



[Pdns-users] Multiple notifications when notifying IPv6 addresses

2013-04-03 Thread Nikolaos Milas
We have observed that when the master (v3.2) notifies a slave using an 
IPv6 address, then multiple unnecessary notifications are being sent.


The same behavior is observed using pdns_control. One notification is 
sent when the target is notified over an IPv4 address, multiple 
notifications are sent when the target is notified over an IPv6 address.


[ Master is using the new ldap backend 
(http://repo.or.cz/w/pdns-ldap-backend.git) but this behavior should not 
be backend-specific. ]


Is this known behavior? Is it a bug?

Please advise.

Logs follow.

Regards,
Nick

=== test using bind slave 

   On the master:

   # pdns_control notify-host 204.251.195.in-addr.arpa 195.251.204.197

   Log:

   Mar 21 16:09:06 vmres pdns[30302]: Notification request to host
   195.251.204.197 for domain '204.251.195.in-addr.arpa' received
   Mar 21 16:09:06 vmres pdns[30302]: [LdapBackend] LDAP servers =
   localhost
   Mar 21 16:09:06 vmres pdns[30302]: [LdapBackend] Ldap connection
   succeeded
   Mar 21 16:09:06 vmres pdns[30302]: AXFR of domain
   '204.251.195.in-addr.arpa' initiated by 195.251.204.197
   Mar 21 16:09:06 vmres pdns[30302]: AXFR of domain
   '204.251.195.in-addr.arpa' allowed: client IP 195.251.204.197 is
   in allow-axfr-ips
   Mar 21 16:09:06 vmres pdns[30302]: [LdapBackend] LDAP servers =
   localhost
   Mar 21 16:09:06 vmres pdns[30302]: [LdapBackend] Ldap connection
   succeeded
   Mar 21 16:09:06 vmres pdns[30302]: [LdapBackend] LDAP servers =
   localhost
   Mar 21 16:09:06 vmres pdns[30302]: [LdapBackend] Ldap connection
   succeeded
   Mar 21 16:09:06 vmres pdns[30302]: AXFR of domain
   '204.251.195.in-addr.arpa' to 195.251.204.197 finished
   Mar 21 16:09:06 vmres pdns[30302]: [LdapBackend] Ldap connection
   closed
   Mar 21 16:09:06 vmres pdns[30302]: [LdapBackend] Ldap connection
   closed
   Mar 21 16:09:06 vmres pdns[30302]: [LdapBackend] Ldap connection
   closed
   Mar 21 16:09:07 vmres pdns[30302]: Removed from notification
   list: '204.251.195.in-addr.arpa' to 195.251.204.197:53 (was
   acknowledged)

   On the slave (log):

   Mar 21 16:09:06 dnslab named[25294]: client
   194.177.195.158#16228: received notify for zone
   '204.251.195.in-addr.arpa'
   Mar 21 16:09:06 dnslab named[25294]: zone
   204.251.195.in-addr.arpa/IN: Transfer started.
   Mar 21 16:09:06 dnslab named[25294]: transfer of
   '204.251.195.in-addr.arpa/IN' from 194.177.195.158#53: connected
   using 195.251.204.197#49889
   Mar 21 16:09:06 dnslab named[25294]: zone
   204.251.195.in-addr.arpa/IN: transferred serial 2013032107
   Mar 21 16:09:06 dnslab named[25294]: transfer of
   '204.251.195.in-addr.arpa/IN' from 194.177.195.158#53: end of
   transfer

   On the master:

   # pdns_control notify-host 204.251.195.in-addr.arpa
   2001:648:2011:11::197

   Log:

   Mar 21 16:07:10 vmres pdns[30302]: Notification request to host
   2001:648:2011:11::197 for domain '204.251.195.in-addr.arpa' received
   Mar 21 16:07:11 vmres pdns[30302]: [LdapBackend] LDAP servers =
   localhost
   Mar 21 16:07:11 vmres pdns[30302]: [LdapBackend] Ldap connection
   succeeded
   Mar 21 16:07:11 vmres pdns[30302]: AXFR of domain
   '204.251.195.in-addr.arpa' initiated by 195.251.204.197
   Mar 21 16:07:11 vmres pdns[30302]: AXFR of domain
   '204.251.195.in-addr.arpa' allowed: client IP 195.251.204.197 is
   in allow-axfr-ips
   Mar 21 16:07:11 vmres pdns[30302]: [LdapBackend] LDAP servers =
   localhost
   Mar 21 16:07:11 vmres pdns[30302]: [LdapBackend] Ldap connection
   succeeded
   Mar 21 16:07:11 vmres pdns[30302]: [LdapBackend] LDAP servers =
   localhost
   Mar 21 16:07:11 vmres pdns[30302]: [LdapBackend] Ldap connection
   succeeded
   Mar 21 16:07:11 vmres pdns[30302]: AXFR of domain
   '204.251.195.in-addr.arpa' to 195.251.204.197 finished
   Mar 21 16:07:11 vmres pdns[30302]: [LdapBackend] Ldap connection
   closed
   Mar 21 16:07:11 vmres pdns[30302]: [LdapBackend] Ldap connection
   closed
   Mar 21 16:07:11 vmres pdns[30302]: [LdapBackend] Ldap connection
   closed
   Mar 21 16:07:12 vmres pdns[30302]: Received spurious notify
   answer for '204.251.195.in-addr.arpa' from
   [2001:648:2011:11::197]:53
   Mar 21 16:07:15 vmres pdns[30302]: Received spurious notify
   answer for '204.251.195.in-addr.arpa' from
   [2001:648:2011:11::197]:53
   Mar 21 16:07:19 vmres pdns[30302]: Received spurious notify
   answer for '204.251.195.in-addr.arpa' from
   [2001:648:2011:11::197]:53
   Mar 21 16:07:28 vmres pdns[30302]: Received spurious notify
   answer for '204.251.195.in-addr.arpa' from
   [2001:648:2011:11::197]:53

   On the slave (log):

  

Re: [Pdns-users] Testing master functionality on ldap backend

2013-03-22 Thread Nikolaos Milas

On 22/3/2013 9:11 πμ, Ruben d'Arco wrote:


This is by design and not specific to the ldap backend.
Powerdns simply receives the nameservers from the backend and starts resolving 
the name to ip addresses.
If that name has multiple ip addresses (v6 or v4), notifies will be sent to all 
of them.

There is a ticket open for this and a patch:
http://wiki.powerdns.com/trac/ticket/454




Thanks,

The tracker appears to indicate 3.2 as a target version for:

   http://wiki.powerdns.com/trac/ticket/454

and for the related:

   http://wiki.powerdns.com/trac/ticket/468

but apparently neither was included therein.

I guess they are planned to be included in the next version?

Regards,
Nick



Re: [Pdns-users] Building pdns RPMs using custom LDAP libraries/headers

2013-03-22 Thread Nikolaos Milas

On 22/3/2013 6:23 pm, a b wrote:


I did not mean that literally, sorry for the confusion. What I meant
is that you must pass the equivalent of
--libdir=/usr/local/openldap/lib64 by using --libdir=%{_libdir}, which
is a special RPM built-in macro.



Thanks for your assistance.

Sorry, I am not a specialist in building apps, so instructions should be 
clear otherwise I have to experiment. :-(



What this means is that your ~/.rpmmacros file is either incorrect or
non-existent.


Until now, I always use a simple:

   $ cat .rpmmacros
   %_topdir %(echo $HOME)/rpmbuild

which has worked fine in many builds I have, and it works fine when I 
build pdns-server on CentOS 5.


However, I see your point: I should set (in .rpmmacros) something like:

   %_libdir /usr/local/openldap/lib64

Yet, my earlier question remains: Can I set multiple paths, like:

   %_libdir /usr/lib64,/usr/local/openldap/lib64

...? Is it supported?

On 22/3/2013 6:06 pm, a b wrote:


While technically not necessary, CFLAGS must often contain -L and -R
switches to work around buggy or incorrectly coded ./configure files.
Ditto for LDFLAGS.
Do you set CFLAGS and LDFLAGS? What do they look like?


I don't see any CFLAGS or LDFLAGS specified in the spec file.

When I build (as an example) Dovecot, I use in the spec file (before 
./configure):


export CPPFLAGS="${CPPFLAGS} -I/usr/local/openldap/include"
export LDFLAGS="${LDFLAGS} -L/usr/local/openldap/lib64 -lldap -llber"

Should I try the same here?



You should rebuild openldap RPM with the above .rpmmacros file
sitting in your home directory.




I understand, however I don't want to mess around with this package, 
although I see your point and I think it's valid. I'll pass your 
suggestions to the LTB project maintainers as they are responsible for 
these builds.


Thanks again and regards,
Nick



Re: [Pdns-users] installing ldap as backend

2013-03-21 Thread Nikolaos Milas

On 19/3/2013 3:21 μμ, Jignesh Patel wrote:



This
http://www.ossramblings.com/creating-srv-records-powerdns talks
about creating SRV records at org level, I would like to create an
individual user level(i.e. ou=people).




Sorry, I don't know about that.



You mean you would want to use PostgreSQL as backend for OpenLDAP
and PDNS? The latter is possible, the former I doubt. Yet, I am
not an expert on the issue.


Thanks. The former is default setup as LDAP by default uses BDB.


True. If you have your primary data in an SQL db and you want to use 
LDAP as well (or the opposite), you may want to check the LDAP 
Synchronization Connector: http://lsc-project.org/


Your OpenLDAP would use any backend (these days preferably MDB).

Nick



Re: [Pdns-users] Building pdns RPMs using custom LDAP libraries/headers

2013-03-21 Thread Nikolaos Milas

On 20/3/2013 8:38 μμ, a b wrote:


What does config.log say regarding ldap?


Thanks for the reply.

Please, see below.

Thanks,
Nick

===
...
configure:18499: checking ldap.h usability
configure:18499: g++ -c -D_GNU_SOURCE -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic conftest.cpp >&5
configure:18499: $? = 0
configure:18499: result: yes
configure:18499: checking ldap.h presence
configure:18499: g++ -E conftest.cpp
configure:18499: $? = 0
configure:18499: result: yes
configure:18499: checking for ldap.h
configure:18499: result: yes
configure:18513: checking lber.h usability
configure:18513: g++ -c -D_GNU_SOURCE -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic conftest.cpp >&5
configure:18513: $? = 0
configure:18513: result: yes
configure:18513: checking lber.h presence
configure:18513: g++ -E conftest.cpp
configure:18513: $? = 0
configure:18513: result: yes
configure:18513: checking for lber.h
configure:18513: result: yes
configure:18526: checking for ldap_set_option in -lldap_r
configure:18551: g++ -o conftest -D_GNU_SOURCE -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -lrt c$
/usr/lib/gcc/x86_64-redhat-linux/4.4.7/../../../../lib64/libldap_r.so: undefined reference to `ber_sockbuf_io_udp'
collect2: ld returned 1 exit status
configure:18551: $? = 1
configure: failed program was:
| /* confdefs.h */
| #define PACKAGE_NAME ""
| #define PACKAGE_TARNAME ""
| #define PACKAGE_VERSION ""
| #define PACKAGE_STRING ""
| #define PACKAGE_BUGREPORT ""
| #define PACKAGE_URL ""
| #define PACKAGE "pdns"
| #define VERSION "3.2"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define HAVE_UNISTD_H 1
| #define YYTEXT_POINTER 1
| #define HAVE_DLFCN_H 1
| #define LT_OBJDIR ".libs/"
| #define HAVE_BOOST 1
| #define HAVE_BOOST_FOREACH_HPP 1
| #define HAVE_BOOST_PROGRAM_OPTIONS_HPP 1
| #define HAVE_BOOST_ARCHIVE_TEXT_OARCHIVE_HPP 1
| #define HAVE_LUA 1
| #define HAVE_LUA_H 1
| #define STDC_HEADERS 1
| #define HAVE_FCNTL_H 1
| #define HAVE_GETOPT_H 1
| #define HAVE_LIMITS_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_SYS_TIME_H 1
| #define HAVE_SYSLOG_H 1
| #define HAVE_UNISTD_H 1
| #define TIME_WITH_SYS_TIME 1
| #define RETSIGTYPE void
| #define HAVE_GETHOSTNAME 1
| #define HAVE_GETTIMEOFDAY 1
| #define HAVE_MKDIR 1
| #define HAVE_MKTIME 1
| #define HAVE_SELECT 1
| #define HAVE_SOCKET 1
| #define HAVE_STRERROR 1
| #define HAVE_STRCASESTR 1
| #define HAVE_LIBDL 1
| #define HAVE_LIBCRYPT 1
| #define HAVE_IPV6 1
| #define HAVE_LDAP_H 1
| #define HAVE_LBER_H 1
| /* end confdefs.h. */
|
| /* Override any GCC internal prototype to avoid an error.
| Use char because int might match the return type of a GCC
| builtin and then its argument prototype would still apply. */
| #ifdef __cplusplus
| extern C
| #endif
| char ldap_set_option ();
| int
| main ()
| {
| return ldap_set_option ();
| ;
| return 0;
| }
configure:18560: result: no
configure:18567: checking for ldap_set_option in -lldap
configure:18592: g++ -o conftest -D_GNU_SOURCE -O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -lrt c$
/usr/lib/gcc/x86_64-redhat-linux/4.4.7/../../../../lib64/libldap.so: 
undefined reference to `ber_sockbuf_io_udp'

collect2: ld returned 1 exit status
configure:18592: $? = 1
configure: failed program was:
| /* confdefs.h */
| #define PACKAGE_NAME 
| #define PACKAGE_TARNAME 
| #define PACKAGE_VERSION 
| #define PACKAGE_STRING 
| #define PACKAGE_BUGREPORT 
| #define PACKAGE_URL 
| #define PACKAGE pdns
| #define VERSION 3.2
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define HAVE_UNISTD_H 1
| #define YYTEXT_POINTER 1
| #define HAVE_DLFCN_H 1
| #define LT_OBJDIR .libs/
| #define HAVE_BOOST 1
| #define HAVE_BOOST_FOREACH_HPP 1
| #define HAVE_BOOST_PROGRAM_OPTIONS_HPP 1
| #define HAVE_BOOST_ARCHIVE_TEXT_OARCHIVE_HPP 1
| #define HAVE_LUA 1
| #define HAVE_LUA_H 1
| #define STDC_HEADERS 1
| #define HAVE_FCNTL_H 1
| #define HAVE_GETOPT_H 1
| #define HAVE_LIMITS_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_SYS_TIME_H 1
| #define HAVE_SYSLOG_H 1
| #define HAVE_UNISTD_H 1
| #define TIME_WITH_SYS_TIME 1
| #define RETSIGTYPE void
| #define HAVE_GETHOSTNAME 1
| #define HAVE_GETTIMEOFDAY 1
| #define HAVE_MKDIR 1
| #define HAVE_MKTIME 1
| #define HAVE_SELECT 1
| #define HAVE_SOCKET 1
| #define HAVE_STRERROR 1
| #define HAVE_STRCASESTR 1
| #define 

[Pdns-users] Testing master functionality on ldap backend

2013-03-21 Thread Nikolaos Milas

Hello,

I am testing the new ldap backend 
(http://repo.or.cz/w/pdns-ldap-backend.git) under pdns v3.2 on CentOS 
6.4 x86_64.


I have a question: It seems the master is sending duplicate 
notifications to the slave, both at the IPv4 and at the IPv6 address.


Is this expected behavior? Please explain.

Test details follow.

The test master server is vmres.noa.gr with:

   ...
   local-address=127.0.0.1 194.177.195.158
   local-ipv6=::1 2001:648:2011:14::158
   ...

The slave runs at:

   vdev.noa.gr
   195.251.204.232
   2001:648:2011:10::232

Here is the master zone, as queried:

# dig ANY 204.251.195.in-addr.arpa @194.177.195.158

;  DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6.3  ANY 
204.251.195.in-addr.arpa @194.177.195.158

;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 39168
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;204.251.195.in-addr.arpa.  IN  ANY

;; ANSWER SECTION:
204.251.195.in-addr.arpa. 86400 IN  NS  vdev.noa.gr.
204.251.195.in-addr.arpa. 86400 IN  NS  vmres.noa.gr.
204.251.195.in-addr.arpa. 86400 IN  SOA vmres.noa.gr. 
sysadmin.noa.gr. 2013032002 86400 180 1209600 3600


;; ADDITIONAL SECTION:
vdev.noa.gr.86400   IN  A   195.251.204.232
vdev.noa.gr.86400   IN  2001:648:2011:10::232

;; Query time: 2 msec
;; SERVER: 194.177.195.158#53(194.177.195.158)
;; WHEN: Thu Mar 21 12:21:55 2013
;; MSG SIZE  rcvd: 176

Some logs after zone change, for reference:

Mar 20 20:21:28 vmres pdns[9128]: 1 domain for which we are master needs 
notifications
Mar 20 20:21:28 vmres pdns[9128]: Queued notification of domain 
'204.251.195.in-addr.arpa' to 195.251.204.232
Mar 20 20:21:28 vmres pdns[9128]: Queued notification of domain 
'204.251.195.in-addr.arpa' to 2001:648:2011:10::232

...
Mar 20 20:21:28 vmres pdns[9128]: AXFR of domain 
'204.251.195.in-addr.arpa' initiated by 195.251.204.232
Mar 20 20:21:28 vmres pdns[9128]: AXFR of domain 
'204.251.195.in-addr.arpa' allowed: client IP 195.251.204.232 is in 
allow-axfr-ips

...
Mar 20 20:21:28 vmres pdns[9128]: AXFR of domain 
'204.251.195.in-addr.arpa' to 195.251.204.232 finished

...
Mar 20 20:21:29 vmres pdns[9128]: Removed from notification list: 
'204.251.195.in-addr.arpa' to 195.251.204.232:53 (was acknowledged)


Thanks and Regards,
Nick



Re: [Pdns-users] Building pdns RPMs using custom LDAP libraries/headers

2013-03-21 Thread Nikolaos Milas

On 20/3/2013 8:25 μμ, a b wrote:

You need to pass --libdir=/usr/local/openldap/lib64 on the %configure 
line.


Tried that, but the same error occurred.

   %configure \
   --sysconfdir=%{_sysconfdir}/powerdns \
   --libdir=/usr/local/openldap/lib64 \
   --with-sqlite3 \
   --with-socketdir=/var/run/pdns-server \
   --with-modules="" \
   --with-dynmodules="pipe gmysql gpgsql gsqlite3 ldap"
   %{__make}

Due to the fact that in the beginning it was:

   --libdir=%{_libdir}

...I am thinking I should use multiple paths, like:

   --libdir=%{_libdir},/usr/local/openldap/lib64

Is it supported?

But ideally I would like to force the use of /usr/local/openldap/lib64 
ONLY for LDAP libs. Can't I declare that explicitly somehow?


Thanks,
Nick




Re: [Pdns-users] Building pdns RPMs using custom LDAP libraries/headers

2013-03-20 Thread Nikolaos Milas

On 19/3/2013 8:13 μμ, Nikolaos Milas wrote:


But, as I mentioned, it even fails without any change in the spec
file, simply trying to build with the standard CentOS 6 OpenLDAP
packages. In that case, it should be using the default system lib dir:


In the meantime, I tried building PowerDNS 3.2 on CentOS 5.9 x86_64 
using 
http://www.monshouwer.eu/download/3rd_party/pdns-server/el5/SRPMS/pdns-server-3.2-1.el5.MIND.src.rpm 
and this worked fine with the standard CentOS OpenLDAP libs.


However, building using:

   LIBS=-L/usr/local/openldap/lib64

   %build
   %configure \
--sysconfdir=%{_sysconfdir}/powerdns \
--libdir=%{_libdir} \
--with-sqlite3 \
--with-socketdir=/var/run/pdns-server \
--with-modules="" \
--with-dynmodules="pipe gmysql gpgsql gsqlite3 ldap"
   %{__make}

I am not sure it produces the required result:
...
/bin/sh ../../libtool --tag=CXX   --mode=link g++  -D_GNU_SOURCE -O2 -g 
-pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -module -avoid-version 
-lrt -o libldapbackend.la -rpath /usr/lib64 ldapbackend.lo powerldap.lo 
-lldap_r -lz

...

I understand that the compiler probably still uses: /usr/lib64/ for ldap 
libs, although we instructed (?) it to use ldap libs from 
/usr/local/openldap/lib64.


So, there remain two questions:

1. How to build properly with custom LDAP libs?
2. Why can't we build correctly under CentOS 6, but only under CentOS 5?

Regards,
Nick



Re: [Pdns-users] installing ldap as backend

2013-03-19 Thread Nikolaos Milas

On 19/3/2013 3:15 πμ, Jignesh Patel wrote:

Looks like pdns works with LDAP. Thanks to Beñat for his kind 
assistance to suggest removing white spaces after =.


Please report here how it behaves (errors etc.).


Now I am looking for an efficient UI to view content.


Besides JXplorer and phpLDAPadmin, we are using a custom php-based 
application (which is tailored to our zones, so it's not suitable for 
general use).


Best regards,
Nick


Re: [Pdns-users] installing ldap as backend

2013-03-19 Thread Nikolaos Milas

On 19/3/2013 2:23 μμ, Jignesh Patel wrote:



For the UI my question is in the context of PDNS, not for LDAP UI.
Is there any UI which can work with PDNS (with LDAP)?



Not that I know of.


I am definitely going to install phpLDAPAdmin, but is that sufficient?



Depends on your needs. If you have few zones with relatively few (i.e. 
infrequent) changes, it should be OK. JXplorer allows faster admin 
operations.



Also how to set up a DNS SRV record in LDAP and link it with PDNS.
Like my email id jignehsmpa...@gmail.com, now when I create a certificate
for me, how do I insert an SRV record for the same.



Check: http://www.ossramblings.com/creating-srv-records-powerdns
Is this the info you want?



Also instead of
 BDB -- LDAP -- PDNS

can I make following structure working?

Postgres -- LDAP
Postgres -- PDNS


You mean you would want to use PostgreSQL as backend for OpenLDAP and 
PDNS? The latter is possible, the former I doubt. Yet, I am not an 
expert on the issue.


Regards,
Nick


[Pdns-users] Building pdns RPMs using custom LDAP libraries/headers

2013-03-19 Thread Nikolaos Milas

Hello,

I'm trying to build PowerDNS 3.2 on CentOS 6.4 x86_64 using 
http://www.monshouwer.eu/download/3rd_party/pdns-server/el6/SRPMS/pdns-server-3.2-1.el6.MIND.src.rpm 
based NOT on standard el6/centos 6 LDAP libraries, but on those 
installed by LTB project's RPMs (see: 
http://ltb-project.org/wiki/download#openldap).


So, I've also changed requirements in pdns-server.spec from:

   Requires: openldap
   BuildRequires: openldap-devel

to:

   Requires: openldap-ltb
   BuildRequires: openldap-ltb-debuginfo

and I've tried adding:

CXXFLAGS="${CXXFLAGS} -I/usr/local/openldap/include"
LDFLAGS="${LDFLAGS} -L/usr/local/openldap/lib64 -lldap -llber"

or:

   LDAP_CPPFLAGS_CONFIG="-I/usr/local/openldap/include"
   LDAP_LIBS_CONFIG="-l/usr/local/openldap/lib64 -lldap -llber"

before the following lines:

%build
%configure \
--sysconfdir=%{_sysconfdir}/powerdns \
--libdir=%{_libdir} \
--with-sqlite3 \
--with-socketdir=/var/run/pdns-server \
--with-modules="" \
--with-dynmodules="pipe gmysql gpgsql gsqlite3 ldap"
%{__make}

but I can't get it to work:

   ...
   checking ldap.h usability... yes
   checking ldap.h presence... yes
   checking for ldap.h... yes
   checking lber.h usability... yes
   checking lber.h presence... yes
   checking for lber.h... yes
   checking for ldap_set_option in -lldap_r... no
   checking for ldap_set_option in -lldap... no
   configure: error: ldap library (libldap) not found
   error: Bad exit status from /var/tmp/rpm-tmp.rgFu3Y (%build)


   RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.rgFu3Y (%build)

Can you please guide me on how to adapt the spec file so as to build 
correctly using the custom ldap libraries / headers?


Please advise.

Thanks and regards,
Nick




Re: [Pdns-users] Building pdns RPMs using custom LDAP libraries/headers

2013-03-19 Thread Nikolaos Milas

On 19/3/2013 5:28 μμ, Nikolaos Milas wrote:

Can you please guide me on how to adapt the spec file so as to build 
correctly using the custom ldap libraries / headers?


Hmm, actually now that I tried to build using even the standard CentOS 6 
RPMs/libs/headers, it still fails at the same point.


So, am I doing something wrong? Please advise.

Thanks,
Nick



Re: [Pdns-users] installing ldap as backend

2013-03-18 Thread Nikolaos Milas

On 18/3/2013 10:37 μμ, Jignesh Patel wrote:


...Is there any good documentation for setting up
powerdns with ldap?



Official support has been dropped for LDAP backend by its former 
maintainer and, as a result, by PowerDNS too. v2.9.22 is the last 
working version, even with some limitations.

(see: http://comments.gmane.org/gmane.network.dns.powerdns.devel/1371)

Documentation is available here (by the former maintainer): 
http://www.linuxnetworks.de/doc/index.php/PowerDNS_LDAP_Backend


Thanks to a recent ldap-backend fork, development has restarted, but 
needs testing - no official releases yet. Read here about the fork: 
http://marc.info/?l=pdns-users&m=135534915929068&w=2


Here is the latest call for testing, after adding master support for the 
first time:

http://sequanux.org/pipermail/pdns-ldap-backend/2013-March/11.html

Subscribe to:
http://sequanux.org/cgi-bin/mailman/listinfo/pdns-ldap-backend
to keep updated about all progress regarding ldap backend.

If you can help with testing or otherwise, it will certainly make a 
difference. Pdns ldap backend had been largely neglected (despite my 
efforts to keep it alive).


I'm gonna test the latest version in the next few days.

Regards,
Nick


Re: [Pdns-users] Complie problem on PDNS on CENTOS5

2013-02-05 Thread Nikolaos Milas

On 6/2/2013 4:14 πμ, RBK1001 wrote:


I really need instruction on how to compile PowerDNS 3.2 in CENTOS5


This thread might help you: 
http://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg04162.html


...although it's for v2.9.22.

This thread might help you too: 
http://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg04032.html


...while this one is for v3.0.

I have not had any experience compiling v3.1 or 3.2.

Good luck,
Nick


[Pdns-users] Support for GSS-TSIG Dynamic DNS Updates

2012-06-01 Thread Nikolaos Milas
Does PowerDNS support or will it support GSS-TSIG Secure Dynamic DNS 
Updates (probably related: RFC 3645, 2930) for interoperability with 
dynamic Windoze clients?


Thanks,
Nick


Re: [Pdns-users] powerdns hangs when ldap backend is unavailable

2010-10-29 Thread Nikolaos Milas
I totally agree. I even use a local ldap slave server (an openldap 
syncrepl consumer, on the powerdns box) using syncrepl (on openldap) to 
avoid any pdns service outage due to network problems which would 
prevent connectivity with ldap. (Thankfully, syncrepl does not hang when 
there is a network outage.) So, practically, I have minimized any 
problems. (This design also optimizes the speed of lookups [i.e. of DNS 
authoritative queries], since they are carried out locally, and no 
network activity is required.)


However, as you point out as well, I believe the problem is critical and 
should be treated.


Nick


On 29/10/2010 9:31 πμ, Angel Bosch Mora wrote:
I agree this is critical but usually in a large environment you don't 
have just one LDAP service. I always configure pdns with at least two 
ldap servers located at different machines/places.

   ldap-host=ldap1:389 ldap2:389




Re: [Pdns-users] powerdns hangs when ldap backend is unavailable

2010-10-28 Thread Nikolaos Milas

Hi,

I haven't received any feedback on this problem.

If no one can suggest something, I think I should file it as a bug.

Please, advise.

Thanks,
Nick


On 24/10/2010 11:31 μμ, Nikolaos Milas wrote:
I've noticed that when for some reason ldap is not available for a 
while (e.g. due to restart or due to network outage), powerdns stops 
responding to queries (which is natural, initially) and it doesn't 
recover when ldap is available again (which is the problem). I have to 
manually restart pdns service to resume normal operation, whenever the 
ldap server has some operational interruption.


I would expect powerdns to resume normal operation as soon as ldap 
becomes available again.





Re: [Pdns-users] PowerDNS Recursor 3.3 released!

2010-10-12 Thread Nikolaos Milas

 Hi Bert,

Just wanted to mention that at powerdns.com homepage the latest recursor 
version still appears to be 3.2.


The download links at the Downloads page have been updated to 3.3, but 
on the home page, neither the version number nor the download link have 
been updated. They're still 3.2!


I thought you would like to update those.

All the best,
Nick.

On 22/9/2010 9:47 μμ, bert hubert wrote:

We're proud to announce the release of the PowerDNS Recursor 3.3!

It can be downloaded from http://www.powerdns.com/ or via the following
direct links:




Re: [Pdns-users] Announcing JPower Admin

2010-10-11 Thread Nikolaos Milas

 Hi,

Does it support (or will it support) LDAP backend?

I've searched the source and it doesn't seem to mention ldap anywhere.

Thanks,
Nick


On 12/10/2010 12:36 πμ, Jivko Sabev wrote:

I have released yet another control panel for Power DNS. Some of the




Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?

2010-10-05 Thread Nikolaos Milas
 Until this issue is resolved and pdns/ldap becomes capable of sending 
Notify messages as Master, I had to find a temporary - I hope - 
solution, and now I have managed to bring it to a working mode.


So, I have installed notify-dns-slaves included in the package 
slapi-dnsnotify-0.2.1.tar.gz (see 
http://memberwebs.com/stef/software/slapi-dnsnotify/).
[I remind you that slapi-dnsnotify plugin could not be loaded by the 
standard Openldap 2.3.43 CentOS package.]

Then, I created this little script (remember I'm in CentOS 5.5):

   #!/bin/bash

   # Find the current zone serial number and store it in the newsn variable.
   # Note that "grep sysadmin" is there to isolate the sOARecord line
   # from the output of ldapsearch, simply because I'm using
   # sysad...@example.com as the DNS administrator email.
   # awk then isolates the serial number from the SOA line.
   #
   # (The bind password was not in the posted mail; the value after -w
   # below is a placeholder, not from the original.)
   newsn=`ldapsearch -x -D uid=userxxx,ou=system,dc=example,dc=com -w 'BIND-PASSWORD' \
    -s sub -b ou=dns,dc=example,dc=com \
    '(&(dc:dn:=10.10.10.in-addr.arpa)(soarecord=*))' \
    soarecord | grep sysadmin | awk '{ print $4 }'`

   # This is where the most recent serial number is saved
   File=/etc/pdns/notifyscr/reversesn.txt

   # Read the latest stored serial number from the above file
   {
   read oldsn
   } < $File
   # Treat an empty state file as serial 0, so the comparison below
   # does not fail on the first run
   oldsn=${oldsn:-0}

   # If serial has been incremented, store the new serial in the place
   # of the old one, then send Notify to server 10.10.10.101
   #
   if [ $newsn -gt $oldsn ]
   then
   echo $newsn > $File
   /usr/local/bin/notify-dns-slaves 10.10.10.in-addr.arpa 10.10.10.101
   fi

   exit 0

We have to repeat the above for any other (forward or reverse) zone. So, 
I have multiplied it by 7 (1 forward, 6 reverse zones). The script 
(when *not* sending Notify) for the 7 zones runs in 345 ms (every three 
minutes), which means that it doesn't cause any serious load to my server.


Finally, we schedule the script in cron to run as often as we want (I 
run it every three minutes to achieve slave DNS server sync in three 
minutes max):


   # Run the script every three minutes, and do not send email
   # notifications
   */3 * * * * /etc/pdns/notifyscr/scr1 > /dev/null 2>&1

If someone can optimize the script, or make it in a form which would 
deal with many zones without repeating the same piece of source code, it 
would be a welcome addition. I might work on it too, when I have time.


I have not managed to find a solution on implementing triggered Notify 
(I might try openldap accesslog overlay, as indicated in some discussions).


The above is a working solution (at least when few zones are involved). 
Still, - even by its nature - it *underlines the importance of 
supporting Notify natively in powerdns / ldap backend*.


Thanks again to Jan-Piet Mens for the notify-dns-slaves tool.

Nick


On 2/10/2010 4:58 μμ, Nikolaos Milas wrote:
I have now filed a bug (new enhancement) for this, it's No. 318. 
(http://wiki.powerdns.com/trac/ticket/318).




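
The mail above asks for a form of the script that handles many zones without repeating the same code. Below is such a version, an added example written for this page; it is not the poster's script and not part of the notify-dns-slaves package. It keeps the thread's own tools (ldapsearch, notify-dns-slaves, cron) and the posted DN filter, generalised to a zone argument. Everything else is an assumption: the bind password is read from a root-only file with ldapsearch's -y option instead of being passed with -w on the command line, where any local user can read it from the process list; one state file per zone lives under STATE_DIR; and all DNs, zone names, paths and addresses are placeholders. It also handles two things the posted script does not: an LDIF sOARecord value folded across lines, and a missing or empty state file.

```shell
#!/bin/sh
# Added example (not the poster's script): one poll loop that serves any
# number of zones, written against the same tools the thread uses
# (ldapsearch, notify-dns-slaves, cron). Assumptions, not from the thread:
# the bind password is read from a root-only file with ldapsearch -y instead
# of being passed with -w (where ps would show it), one state file per zone
# lives under STATE_DIR, and all DNs, zone names and addresses are placeholders.

ZONES="${ZONES:-example.com 10.10.10.in-addr.arpa}"        # placeholder zones
SLAVES="${SLAVES:-10.10.10.101}"                            # placeholder slave(s)
LDAP_BASE="${LDAP_BASE:-ou=dns,dc=example,dc=com}"
BIND_DN="${BIND_DN:-uid=userxxx,ou=system,dc=example,dc=com}"
PASS_FILE="${PASS_FILE:-/etc/pdns/notifyscr/ldap.pw}"      # mode 0600 (assumed)
STATE_DIR="${STATE_DIR:-/var/lib/pdns-notify}"              # assumed path
NOTIFY_BIN="${NOTIFY_BIN:-/usr/local/bin/notify-dns-slaves}"

# unfold_ldif: join LDIF continuation lines (a line starting with one space
# continues the previous one) so that a wrapped sOARecord value is seen whole.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }'
}

# soa_serial: print the serial (third field of the sOARecord value) from LDIF
# on stdin, matching the attribute name case-insensitively the way LDAP does
# rather than grepping for the admin mailbox. Prints nothing without an SOA.
soa_serial() {
    unfold_ldif | awk 'tolower($1) == "soarecord:" { print $4; exit }'
}

# serial_changed OLD NEW: true when NEW is a well-formed serial that differs
# from OLD. Any change triggers a NOTIFY, not only an increase: the slave
# compares serials itself, and a serial that went backwards deserves a NOTIFY
# (and a look at the logs) rather than silence.
serial_changed() {
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" != "$1" ]
}

# fetch_serial ZONE: ask the directory for the zone apex's SOA and print the
# serial. The filter is the one from the posted script, generalised to $1.
fetch_serial() {
    ldapsearch -x -LLL -D "$BIND_DN" -y "$PASS_FILE" -s sub -b "$LDAP_BASE" \
        "(&(dc:dn:=$1)(soarecord=*))" soarecord | soa_serial
}

# check_zone ZONE: compare the live serial with the stored one and notify each
# slave on change. Returns 0 when a NOTIFY was sent, 1 otherwise.
check_zone() {
    state="$STATE_DIR/$1.serial"
    new=$(fetch_serial "$1")
    old=0
    if [ -r "$state" ]; then
        read -r old < "$state" || true   # an empty state file counts as unknown
        old=${old:-0}
    fi
    if serial_changed "$old" "$new"; then
        printf '%s\n' "$new" > "$state"
        for s in $SLAVES; do "$NOTIFY_BIN" "$1" "$s"; done
        return 0
    fi
    return 1
}

main() {
    umask 077
    mkdir -p "$STATE_DIR"
    for z in $ZONES; do check_zone "$z" || true; done
}

# Run only when invoked with --run (as cron does); otherwise the functions
# above can be sourced and exercised on their own.
case "${1:-}" in --run) main ;; esac
```

Install the password file at mode 0600 and schedule the script from root's crontab as `*/3 * * * * /etc/pdns/notifyscr/notify-zones.sh --run > /dev/null 2>&1` (the path is a placeholder). Sourcing the file without `--run` defines the functions only, so the serial parsing and comparison can be checked without touching the directory or sending anything.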


Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?

2010-10-02 Thread Nikolaos Milas

 I have reached the same conclusion.

However, rebuilding openldap doesn't seem to be easy or straightforward 
(but I'll give it a try when I can)... It is commonly accepted that in 
production servers, pre-built, platform-specific RPMs are preferred (to 
avoid all sorts of problems), compiled by few experts, and I am not a 
master in compiling :(.


Even if it had worked, I would continue to urge pdns developers to 
support pdns/ldap Master functionality (essentially NOTIFY) in the core 
code. It's an important feature. We users (eventually) find solutions 
one way or another (always with developers' and experienced users' 
help), but supporting features that help avoid implementation complexity 
leads to better production systems and to happier administrators :).


So, my request to add master support to ldap backend remains open!

I also tried the notify-dns-slaves tool (which might be of great value) 
manually, but I'm getting errors:


   notify-dns-slaves -d 4 'x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa'
   dns2.example.com
   notify-dns-slaves: building notification packet for
   x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
   notify-dns-slaves: resolving address: dns2.example.com
   notify-dns-slaves: resolved address for: [unknown]
   notify-dns-slaves: preparing notification to: dns2.example.com
   notify-dns-slaves: resolved address for: 10.10.10.101
   notify-dns-slaves: preparing notification to: dns2.example.com
   notify-dns-slaves: starting processing
   notify-dns-slaves: sending notify for zone
   x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
   notify-dns-slaves: sending notify for zone
   x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
   notify-dns-slaves: couldn't send packet to server: dns2.example.com:
   Bad file descriptor
   notify-dns-slaves: received successful response for server:
   dns2.example.com
   notify-dns-slaves: sending notify for zone
   x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
   notify-dns-slaves: couldn't send packet to server: dns2.example.com:
   Bad file descriptor
   notify-dns-slaves: sending notify for zone
   x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
   notify-dns-slaves: couldn't send packet to server: dns2.example.com:
   Bad file descriptor
   notify-dns-slaves: sending notify for zone
   x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa to dns2.example.com
   notify-dns-slaves: couldn't send packet to server: dns2.example.com:
   Bad file descriptor
   notify-dns-slaves: notification to server timed out: dns2.example.com
   notify-dns-slaves: processing done

What does it mean by Bad file descriptor? What can I do?

Thanks for your great help and support,
Nick

On 2/10/2010 10:53 πμ, Jan-Piet Mens wrote:

Why does openldap refuse to load the plugin (one way or another)? Am I doing
something wrong?

I'd say your slapd has no support for loadable modules -- you're going
to have to rebuild it.

 -JP





Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?

2010-10-02 Thread Nikolaos Milas
 An addition: despite the reported errors, notify is sent and received 
successfully, so notify-dns-slaves works fine!


So, this tool could be used with a cron'ed custom (bash) script (if one 
can't make slapi-dnsnotify work) which would regularly ldapsearch 
soarecord serials and send notify (when changed), as discussed earlier 
in this thread (something which I concluded could not be done with 
pdns_control for the ldap backend).


Nick


On 2/10/2010 1:01 μμ, Nikolaos Milas wrote:

What does it mean by Bad file descriptor? What can I do?




[Pdns-users] Can a slave force quich refresh?

2010-10-02 Thread Nikolaos Milas

 Hi,

Can a slave (e.g. with BIND backend) force quick /refresh/ times, 
overriding the default SOA record value (as defined on the master zone)?


In BIND9, one can use the max-refresh-time (and min-refresh-time) 
directive in a slave zone definition to do that. Does powerdns observe 
these options (min-refresh-time and max-refresh-time) or does it have 
any other mechanism to define particular refresh zone periods on a slave 
zone?


Thanks,
Nick



Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?

2010-10-02 Thread Nikolaos Milas


  
  
Thanks Nils,

I have now filed a bug ("new enhancement") for this, it's No. 318. 
(http://wiki.powerdns.com/trac/ticket/318).

Nick.

On 2/10/2010 4:20 , Nils Breunese (Lemonbit) wrote:
I believe most public bug trackers are also used for feature requests 
and enhancements. The PowerDNS bug tracker even has 'enhancement' as a 
ticket type ('defect' and 'task' are the other two).



Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?

2010-10-01 Thread Nikolaos Milas

 Thanks again for your help, JP.

I describe in short some more things I tried (I still need your guidance):

Initially, I found out that the plugin was not being loaded in openldap 
(as recorded in ldap.log):


   /etc/openldap/slapd.conf: line 182: keyword plugin ignored

And:

   # slaptest -d 255 -f slapd.conf
   ...
   line 186 (plugin postoperation /usr/local/lib/slapi-dnsnotify.so
   plugin_init base-dn=ou=dns1,dc=example,dc=com
   zone-attribute=associatedDomain notify-delay=10)
   slapd.conf: line 186: keyword plugin ignored
   ...
   config file testing succeeded

Trying to solve the problem (why the plugin is not loaded), I came to 
the conclusion that I should probably add a moduleload 
slapi-dnsnotify.la directive in slapd.conf. So I copied the files 
slapi-dnsnotify.* to the directory where all openldap modules exist 
(/usr/lib64/openldap/) and tried again. But now openldap doesn't start 
at all:


   # slaptest -d 255 -f slapd.conf
   ...
   line 59 (moduleload slapi-dnsnotify.la)
   loaded module slapi-dnsnotify.la
   module slapi-dnsnotify.la: init_module() failed
   slapd.conf: line 59: moduleload handler exited with 1!
   slaptest: bad configuration file!

Why does openldap refuse to load the plugin (one way or another)? Am I doing 
something wrong?


Nick


On 1/10/2010 6:50 μμ, Jan-Piet Mens wrote:

Changing the SOA serial doesn't seem to trigger any NOTIFY to NS Servers
defined for the zone.

Also, I see no sign of logging anywhere...

It's as if the configuration statement included in slapd.conf is accepted,
but never doing something.

No hints really, as I haven't used that bit for some time. It worked for
me once without problems at all. I'd try the following:

1. Ensure the slapi plugin is indeed being loaded by your slapd. (Check
the slapd log.)
2. Ensure you've compiled slapi-plugin with WITH_SYSLOG defined, or it
won't log.
3. I assume you've started the notify-dns-slaves daemon? That is the one
which will send out the NOTIFY.
4. Once again, check the logs (var/log/messages); there must be
something there...

Good luck,
 -JP





Re: [Pdns-users] NOTIFY by pdns master with ldap backend in next authoritative server releases?

2010-09-29 Thread Nikolaos Milas

 Hi,

I didn't receive any replies on this.

As we are deploying a new DNS server infrastructure in our organization 
and we have planned to use pdns/ldap on our primary master (already in 
operation), it would be important to us to know whether NOTIFY from 
pdns/ldap (master operation) will be offered as a feature in upcoming 
authoritative server releases or not, or if a patch or (Lua or other) 
script is available by pdns developers/community to provide such NOTIFY 
functionality (I haven't been able to find something).


This would affect to some extent our deployment architecture (type of 
slaves, type of remote slaves, etc.), because, unfortunately, we can't 
use ldap backend on all slaves, and we don't want those slaves to remain 
unsynchronized for long, nor can we use very short refresh times.


Please, could you give a hint?
Thanks,
Nick


On 25/9/2010 12:54 πμ, Nikolaos Milas wrote:
So, can we hope for such a feature to be included in the next official 
release or, if you deem this is undesirable due to whatever specs, 
could it be offered as a patch, as the BIND/sdb one, or even as a Lua 
script ? ...


If not, can you suggest any other good solution(s) to trace ldap 
record changes and force AXFRs to slaves?





Re: [Pdns-users] Question on IPv6 with ldap backend

2010-09-18 Thread Nikolaos Milas
 Waiting for a reply on this (ipv6 with ldap, tree mode), I decided to 
test simple mode and I found the solution with it. I still believe that 
the tree method would need a 34-level deep ldap structure (32 items for 
ipv6 address plus ip6 plus arpa), which renders it totally unsuitable 
for ipv6 use. *Norbert or someone who knows, please confirm or correct 
me if I'm wrong!*


So, I converted to ldap simple mode by using zone2ldap, based on the 
zone files from my BIND9 slave (dns2.example.com, 10.11.12.101, see below).


(Domain names and ip addresses are public, so they have been changed: we 
assume domain example.com with Class-C subnet 10.11.12.0/24 and ipv6 
zone: fe80:100:100:1::/64)


Here are the ipv4 reverse zone ldap entries:

   dn: dc=12.11.10.in-addr.arpa,ou=dns,dc=example,dc=com
   objectClass: dNSDomain2
   objectClass: domainRelatedObject
   dc: 12.11.10.in-addr.arpa
   nSRecord: dns.example.com
   nSRecord: dns2.example.com
   associatedDomain: 12.11.10.in-addr.arpa
   sOARecord: dns.example.com sysadmin.example.com 2010051213 3600 180
   604800 10800

   dn: dc=100,dc=12.11.10.in-addr.arpa,ou=dns,dc=example,dc=com
   objectClass: dNSDomain2
   objectClass: domainRelatedObject
   dc: 100
   associatedDomain: 100.12.11.10.in-addr.arpa
   pTRRecord: dns.example.com

   dn: dc=101,dc=12.11.10.in-addr.arpa,ou=dns,dc=example,dc=com
   objectClass: dNSDomain2
   objectClass: domainRelatedObject
   dc: 101
   associatedDomain: 101.12.11.10.in-addr.arpa
   pTRRecord: dns2.example.com


So, I added a zone for ipv6 reverse lookups, and it works:

   dn: dc=1.0.0.0.0.0.1.0.0.0.1.0.0.8.e.f.ip6.arpa,ou=dns,dc=example,dc=com
   objectClass: dNSDomain2
   objectClass: domainRelatedObject
   dc: 1.0.0.0.0.0.1.0.0.0.1.0.0.8.e.f.ip6.arpa
   nSRecord: dns.example.com
   nSRecord: dns2.example.com
   associatedDomain: 1.0.0.0.0.0.1.0.0.0.1.0.0.8.e.f.ip6.arpa
   sOARecord: dns.example.com sysadmin.example.com 2010091801 3600 180 604800 10800

   dn: dc=0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0,dc=1.0.0.0.0.0.1.0.0.0.1.0.0.8.e.f.ip6.arpa,ou=dns,dc=example,dc=com
   objectClass: dNSDomain2
   objectClass: domainRelatedObject
   dc: 0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0
   associatedDomain: 0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.1.0.0.0.1.0.0.8.e.f.ip6.arpa
   pTRRecord: dns.example.com

   dn: dc=1.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0,dc=1.0.0.0.0.0.1.0.0.0.1.0.0.8.e.f.ip6.arpa,ou=dns,dc=example,dc=com
   objectClass: dNSDomain2
   objectClass: domainRelatedObject
   dc: 1.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0
   associatedDomain: 1.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.1.0.0.0.1.0.0.8.e.f.ip6.arpa
   pTRRecord: dns2.example.com

Finally, I simply added an AAAA record attribute to the existing forward 
records for the hosts concerned:


   dn: dc=example.com,ou=dns,dc=example,dc=com
   objectClass: dNSDomain2
   objectClass: domainRelatedObject
   associatedDomain: example.com
   dc: example.com
   mXRecord: 10 mailgw.example.com
   mXRecord: 100 mailgw2.example.com
   nSRecord: dns.example.com
   nSRecord: dns2.example.com
   sOARecord: dns.example.com sysadmin.example.com 2010091801 900 180 3600 10800

   dn: dc=dns,dc=example.com,ou=dns,dc=example,dc=com
   objectClass: dNSDomain2
   objectClass: domainRelatedObject
   aRecord: 10.11.12.100
   aAAARecord: fe80:100:100:1::100
   associatedDomain: dns.example.com
   dc: dns

   dn: dc=dns2,dc=example.com,ou=dns,dc=example,dc=com
   objectClass: dNSDomain2
   objectClass: domainRelatedObject
   aRecord: 10.11.12.101
   aAAARecord: fe80:100:100:1::101
   associatedDomain: dns2.example.com
   dc: dns2


Regards,
Nick

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
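Added example, not code from the thread, from zone2ldap or from PowerDNS: it derives the simple-mode reverse-zone LDIF shown in the post from a prefix and a host list, for IPv4 and IPv6 alike, and counts the dc= levels a tree-mode DN would need for a full IPv6 PTR name, which checks the 34-level figure given above. Base DN, nameservers, hostnames, addresses and SOA timers are the ones posted; nothing else is assumed.

```python
"""Build PowerDNS LDAP-backend (ldap-method=simple) reverse zones as LDIF.

Added example, not code from the thread, from zone2ldap or from PowerDNS.
It reproduces the entry shape posted above: one dNSDomain2 entry per zone
(dc = zone name) and one per PTR (dc = label below the zone, associatedDomain
= full reverse name), for IPv4 and IPv6 alike. Base DN, nameservers and SOA
timers are copied from the posted entries.
"""
import ipaddress

BASE_DN = "ou=dns,dc=example,dc=com"
NAMESERVERS = ("dns.example.com", "dns2.example.com")
SOA_TIMERS = "3600 180 604800 10800"  # refresh retry expire minimum, as posted


def reverse_name(ip):
    """Full in-addr.arpa / ip6.arpa name of one address, without trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer


def zone_name(network):
    """Reverse zone for an octet-aligned IPv4 or nibble-aligned IPv6 prefix."""
    net = ipaddress.ip_network(network, strict=True)
    unit = 4 if net.version == 6 else 8          # bits per reverse label
    if net.prefixlen % unit:
        raise ValueError(f"{network}: prefix length must be a multiple of {unit}")
    labels = reverse_name(net.network_address).split(".")
    drop = (net.max_prefixlen - net.prefixlen) // unit   # host-part labels
    return ".".join(labels[drop:])


def host_label(ip, zone):
    """The labels below the zone, i.e. the dc of the PTR entry."""
    full = reverse_name(ip)
    suffix = "." + zone
    if not full.endswith(suffix):
        raise ValueError(f"{ip} is not inside {zone}")
    return full[: -len(suffix)]


def ldif_entry(dn, attrs):
    """Render one entry; attrs is a list of (name, value-or-values)."""
    lines = [f"dn: {dn}"]
    for name, values in attrs:
        for value in ([values] if isinstance(values, str) else values):
            lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n"


def reverse_zone_ldif(network, hosts, serial):
    """LDIF for the zone entry plus one PTR entry per (fqdn, ip) in hosts."""
    zone = zone_name(network)
    zone_dn = f"dc={zone},{BASE_DN}"
    classes = ("objectClass", ["dNSDomain2", "domainRelatedObject"])
    out = [ldif_entry(zone_dn, [
        classes,
        ("dc", zone),
        ("nSRecord", list(NAMESERVERS)),
        ("associatedDomain", zone),
        ("sOARecord", f"{NAMESERVERS[0]} sysadmin.example.com {serial} {SOA_TIMERS}"),
    ])]
    for fqdn, ip in hosts:
        label = host_label(ip, zone)
        out.append(ldif_entry(f"dc={label},{zone_dn}", [
            classes,
            ("dc", label),
            ("associatedDomain", f"{label}.{zone}"),
            ("pTRRecord", fqdn),
        ]))
    return "\n".join(out)


def tree_mode_depth(name):
    """dc= components a tree-mode DN needs for this name: one per DNS label."""
    return len(name.strip(".").split("."))


if __name__ == "__main__":
    v6_hosts = [("dns.example.com", "fe80:100:100:1::100"),
                ("dns2.example.com", "fe80:100:100:1::101")]
    print(reverse_zone_ldif("fe80:100:100:1::/64", v6_hosts, 2010091801))
    print(reverse_zone_ldif("10.11.12.0/24", [("dns.example.com", "10.11.12.100")], 2010051213))
    # A full IPv6 PTR name in tree mode: 32 nibbles + ip6 + arpa = 34 levels.
    print(tree_mode_depth(reverse_name("fe80:100:100:1::100")))
```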


Re: [Pdns-users] Strange time drift in log

2010-09-10 Thread Nikolaos Milas


  
  
Hi,

I have not had any info on that. How do we define the path where
the configure script looks for libraries? I assume that the
script doesn't look by default in /usr/lib64?

Any clue? Sorry, I'm not very used to compiling.

Thanks,
Nick

On 9/9/2010 1:34 PM, Nikolaos Milas wrote:
 Now:

     # find / -name '*libldap*'
     /usr/lib/libldap_r-2.3.so.0.2.31
     /usr/lib/libldap-2.3.so.0
     /usr/lib/libldap_r-2.3.so.0
     /usr/lib/libldap-2.3.so.0.2.31
     /usr/lib64/libldap_r-2.2.so.7
     /usr/lib64/libldap_r-2.3.so.0.2.31
     /usr/lib64/libldap_r-2.2.so.7.0.22
     /usr/lib64/pdns/libldapbackend.so
     /usr/lib64/libldap.so
     /usr/lib64/libldap_r.so
     /usr/lib64/libldap-2.2.so.7.0.22
     /usr/lib64/evolution-openldap/lib64/libldap.a
     /usr/lib64/evolution-openldap/lib64/libldap_r.a
     /usr/lib64/libldap-2.2.so.7
     /usr/lib64/libldap-2.3.so.0
     /usr/lib64/libldap_r-2.3.so.0
     /usr/lib64/libldap-2.3.so.0.2.31
     /usr/lib64/libldap.a
     /usr/lib64/libldap_r.a

  Is the compiler looking into /usr/lib64 ?
  
  

  

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Strange time drift in log

2010-09-10 Thread Nikolaos Milas

 Hmm,

I am not sure if I'll manage to compile myself...

In any case, I think this issue should be corrected for the next release 
of powerdns authoritative server, because it makes no sense to have 
logging in a different time than system time. So I really hope that the 
next releases and the associated RHEL / CentOS packages will be corrected.


The biggest problem is that logging in non-system time renders risky or 
infeasible the use of various log-based tools, like fail2ban etc, which 
take real-time action. It makes things difficult if someone is obliged 
to do time adjustments, esp. when there are different winter/summer 
times. Logging should be in system time.


Consequently, I hope this fix will find its way in future releases. If I 
can finally compile the code with the fix, or if someone can provide an 
rpm, I will test it.


Nick



On 10/9/2010 12:29 PM, Christian Hofstaedtler wrote:

configure looks for libldap, libldap_r and ldap.h, lber.h. The error
message indicated really means cannot find libldap or libldap_r.

It may or may not look into /usr/lib64.

You might have to patch configure.ac yourself and/or rerun autoreconf on your
platform or something.


___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Successful, yet incomplete AXFR to BIND9 slave

2010-09-09 Thread Nikolaos Milas


  
  
Hi Bert,

Trying to find a solution, I removed from LDAP both the record
that appeared last in the AXFR and the one after it, and then
retried. This time the AXFR set contained as its last record the
next in sequence, but still contained the same number of
records. So the transaction behaves as if the AXFR table is
limited in size and can only contain a particular number of
entries: 510 records. When this limit is reached, the AXFR
table is finalized and sent.

Does this help in finding a solution? (I remind you that I found
the same behavior both with 2.9.21-4 and with 2.9.22-7.)

As to the other problem: querying the main server (pdns/ldap)
shows AUTHORITY: 0, whereas querying the slave (BIND9) shows
AUTHORITY: 2 and provides authority information (as it should)!
(Note that the slave only uses data derived from AXFR.) See
below. Have I set up something wrong? Why does the authoritative
server not indicate authority, while the slave correctly
indicates the authoritative server?
  
Here is the query at the "master" (run on the master box):
---
# dig hostabc.subdom.example.com any @dns.example.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> hostabc.subdom.example.com any @dns.example.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37278
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hostabc.subdom.example.com.  IN  ANY

;; ANSWER SECTION:
hostabc.subdom.example.com.   3600    IN  A   10.10.10.10

;; Query time: 3 msec
;; SERVER: 10.10.10.5#53(10.10.10.5)
;; WHEN: Thu Sep  9 09:31:20 2010
;; MSG SIZE  rcvd: 54


Now, here is the query at the "slave" (run on the master box, as well):
---
# dig hostabc.subdom.example.com any @slavedns.example.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> hostabc.subdom.example.com any @slavedns.example.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27381
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;hostabc.subdom.example.com.  IN  ANY

;; ANSWER SECTION:
hostabc.subdom.example.com.   3600    IN  A   10.10.10.10

;; AUTHORITY SECTION:
noa.gr.                 3600    IN  NS  dns.example.com.
noa.gr.                 3600    IN  NS  slavedns.example.com.

;; ADDITIONAL SECTION:
dns.example.com.        3600    IN  A   10.10.10.5

;; Query time: 13 msec
;; SERVER: 10.10.10.6#53(10.10.10.6)
;; WHEN: Thu Sep  9 09:31:32 2010
;; MSG SIZE  rcvd: 108

My pdns.conf follows:

setuid=pdns
setgid=pdns
launch=ldap
ldap-host=localhost
ldap-basedn=ou=dns,dc=example,dc=com
ldap-binddn=uid=auth,ou=System,dc=example,dc=com
ldap-secret=***
ldap-method=tree
local-address=127.0.0.1 10.10.10.5
local-port=53
allow-axfr-ips=10.10.10.0/24
allow-recursion=127.0.0.1, 10.10.10.0/24
logging-facility=5
loglevel=8
log-dns-details=on
recursor=127.0.0.1:5300
webserver-password=*
webserver-port=8081
webserver-print-arguments=yes

Nick

  
On 9/9/2010 12:51 AM, Nikolaos Milas wrote:

  
  Yes, I can see
  exactly where it stopped, but I can't find a reason why it did
  so. It seems to me as a typical host A record like all the
  others - it responds to dig queries as well.
  
...
  
  The AXFR stops at a particular record, then includes the SOA
  record and ends: 

  ...
  
  Any ideas?
  
  Nick.
  
  On 9/9/2010 12:19 AM, bert hubert wrote:
  Usually this is because of a badly formatted record
in the database, one
that cannot be sent out over AXFR. Can you figure out where it stops
exactly, and what would've been the "next" record?

  


  

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Successful, yet incomplete AXFR to BIND9 slave

2010-09-09 Thread Nikolaos Milas

 Thanks Christian,

That did the trick!  Now AXFR works fine!

I set
sizelimit unlimited
in slapd.conf

You were right. The default max size in openldap is 500 and I didn't
know it.

Would you have any hint about the Authority issue as well?

Thanks again,
Nick


On 9/9/2010 11:07 AM, Christian Hofstaedtler wrote:


 510 sounds very much like we're hitting the sizelimit of the remote LDAP server
 (slapd has a default sizelimit of 500). While pdns explicitly requests
 an unlimited list, the remote might still truncate it.
 If this is the case, increasing the LDAP server's sizelimit will
 probably fix this issue.


___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Strange time drift in log

2010-09-09 Thread Nikolaos Milas

 Thanks Christian,

I tried to configure, but it fails:
...
configure: error: ldap library (libldap) not found

But there is libldap:

   # find / -name '*libldap*'
   /usr/lib/libldap_r-2.3.so.0.2.31
   /usr/lib/libldap-2.3.so.0
   /usr/lib/libldap_r-2.3.so.0
   /usr/lib/libldap-2.3.so.0.2.31

Nick

On 9/9/2010 11:27 AM, Christian Hofstaedtler wrote:

* Christian Hofstaedtler c...@zeha.at [100909 09:56]:

Nikolas,

The LDAP backend does indeed re-set the timezone to UTC.
Why this propagates to your syslogd and into your log files, is
beyond my imagination right now.

You could try out the following patch. It is compile-tested only, as
I don't have a test environment with ldapbackend, but it should
probably work. What you need to especially test is the autoserial
feature (might now give wrong timezones or whatnot).

Index: modules/ldapbackend/ldapbackend.cc
===
--- modules/ldapbackend/ldapbackend.cc  (revision 1707)
+++ modules/ldapbackend/ldapbackend.cc  (working copy)
@@ -22,9 +22,6 @@
m_default_ttl = arg().asNum( default-ttl );
m_myname = [LdapBackend];

-   // we need UTC time for timestamps
-   setenv( TZ, , 1 ); tzset();
-
setArgPrefix( ldap + suffix );

m_getdn = false;
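Review bot: removing the setenv(TZ)/tzset() call from the LdapBackend constructor is the right fix for the symptom reported in this thread, because TZ and tzset() are process-wide: the override switched every later local-time conversion in pdns_server to UTC, not just the backend's own timestamp parsing, which matches the log excerpt where messages change to UTC immediately after "Creating backend connection for TCP". It only stays correct if every caller that relied on local time being UTC is changed in the same patch, which is what the utils.hh hunk does, so the two files must be applied together, never one without the other.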
Index: modules/ldapbackend/utils.hh
===
--- modules/ldapbackend/utils.hh(revision 1707)
+++ modules/ldapbackend/utils.hh(working copy)
@@ -3,6 +3,7 @@
  #includetime.h
  #includestdlib.h
  #includepdns/misc.hh
+#includepdns/utility.hh


  #ifndef LDAPBACKEND_UTILS_HH
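Review bot: the new include of pdns/utility.hh is not used by anything visible in this patch; the utils.hh hunk below calls plain timegm(), not a wrapper from that header. Either drop the include or, if it is meant to provide a portable timegm, call that wrapper instead, since timegm() is a BSD/glibc extension rather than a C or POSIX function and the include alone does not make the bare call portable.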
@@ -146,7 +147,7 @@

  if( tmp != NULL  *tmp == 0 )
  {
-   return mktime(tm );
+   return timegm(tm );
  }

  return 0;
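Review bot: replacing mktime() with timegm() is the required companion to the ldapbackend.cc hunk: mktime() interprets the struct tm as local time, which only yielded the intended UTC value while TZ was forced to UTC, whereas timegm() interprets it as UTC regardless of the process timezone, so the parsed timestamps stay correct once the global override is gone. As the message says, anything that derives values from these timestamps (autoserial was named) should be tested with TZ set to a non-UTC zone that observes DST, such as the Europe/Athens setup in this thread, since that is exactly the case where the two calls differ.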


___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
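The time-drift thread above, as an added example that is not PowerDNS code: Python stand-ins for the two conversions in the patch (mktime under a forced TZ versus timegm), showing why the old override also shifted the log stamps of the same instant by three hours. It assumes a POSIX TZ rule string equivalent to Europe/Athens (so no tzdata is needed) and uses the 14:48:46 EEST / 11:48:46 UTC times from the log excerpt later on this page.

```python
"""The two timestamp conversions from the LDAP-backend timezone patch.

Added example; not PowerDNS code. The backend converted UTC broken-down
times with mktime(), which reads a struct tm as *local* time, so it forced
TZ="" (UTC) for the whole process. TZ is process-global: every later
localtime() call, including the one that stamps syslog lines, then produced
UTC too. timegm() reads the struct as UTC and needs no override.
Assumption: a POSIX TZ rule equivalent to Europe/Athens (no tzdata needed).
"""
import calendar
import os
import time

# UTC+2 with summer time (UTC+3) from the last Sunday of March to October.
ATHENS_TZ = "EET-2EEST,M3.5.0/3,M10.5.0/4"

# Constructed from the log excerpt: 11:48:46 UTC on 5 Sep 2010, shown there
# as 14:48:46 EEST. tm_isdst=-1 lets the C library decide about DST.
UTC_FIELDS = (2010, 9, 5, 11, 48, 46, 0, 0, -1)
EPOCH_11_48_46Z = 1283687326


def run_with_tz(tz, fn):
    """Run fn() with TZ forced process-wide (what setenv+tzset did), then restore."""
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz
    time.tzset()
    try:
        return fn()
    finally:
        if saved is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = saved
        time.tzset()


def utc_via_mktime(fields):
    """Old code path: mktime() treats the fields as local time, so the result
    is the intended UTC epoch only while TZ is UTC."""
    return int(time.mktime(fields))


def utc_via_timegm(fields):
    """Patched code path: timegm() treats the fields as UTC whatever TZ says."""
    return calendar.timegm(fields)


def log_stamp(epoch):
    """Wall-clock time the way a syslog line is stamped (localtime of the process)."""
    return time.strftime("%H:%M:%S", time.localtime(epoch))


def drift_report():
    """Reproduce the thread: the forced-UTC hack versus the timegm fix, as seen
    from the parsed epoch and from the log stamp of the same instant."""
    return {
        # under the hack both conversions agree, but the log goes to UTC
        "hack_mktime": run_with_tz("", lambda: utc_via_mktime(UTC_FIELDS)),
        "hack_stamp": run_with_tz("", lambda: log_stamp(EPOCH_11_48_46Z)),
        # without the hack, mktime is off by the UTC offset (3 h in EEST)...
        "athens_mktime": run_with_tz(ATHENS_TZ, lambda: utc_via_mktime(UTC_FIELDS)),
        # ...while timegm is right and the log stays in local time
        "athens_timegm": run_with_tz(ATHENS_TZ, lambda: utc_via_timegm(UTC_FIELDS)),
        "athens_stamp": run_with_tz(ATHENS_TZ, lambda: log_stamp(EPOCH_11_48_46Z)),
    }


if __name__ == "__main__":
    for key, value in drift_report().items():
        print(f"{key:14} {value}")
```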


Re: [Pdns-users] Strange time drift in log

2010-09-09 Thread Nikolaos Milas


  
  
By the way,

The autoserial feature is not supported with the ldap backend
according the documentation.

Nick

On 9/9/2010 11:27 AM, Christian Hofstaedtler wrote:
 * Christian Hofstaedtler c...@zeha.at [100909 09:56]:
 probably work. What you need to especially test is the autoserial
 feature (might now give wrong timezones or whatnot).


  
  

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Strange time drift in log

2010-09-09 Thread Nikolaos Milas

 I also installed compat-openldap and now I have:

   openldap-servers-2.3.43-12.el5_5.2
   nss_ldap-253-25.el5
   pdns-backend-ldap-2.9.21-4.el5.centos
   openldap-devel-2.3.43-12.el5_5.2
   python-ldap-2.2.0-2.1
   compat-openldap-2.3.43_2.2.29-12.el5_5.2
   openldap-2.3.43-12.el5_5.2
   openldap-clients-2.3.43-12.el5_5.2
   openldap-2.3.43-12.el5_5.2
   openldap-servers-overlays-2.3.43-12.el5_5.2
   nss_ldap-253-25.el5

(pdns-backend-ldap is the one currently used, which of course will have 
to be uninstalled before the compiled version is installed).


Now:

   # find / -name '*libldap*'
   /usr/lib/libldap_r-2.3.so.0.2.31
   /usr/lib/libldap-2.3.so.0
   /usr/lib/libldap_r-2.3.so.0
   /usr/lib/libldap-2.3.so.0.2.31
   /usr/lib64/libldap_r-2.2.so.7
   /usr/lib64/libldap_r-2.3.so.0.2.31
   /usr/lib64/libldap_r-2.2.so.7.0.22
   /usr/lib64/pdns/libldapbackend.so
   /usr/lib64/libldap.so
   /usr/lib64/libldap_r.so
   /usr/lib64/libldap-2.2.so.7.0.22
   /usr/lib64/evolution-openldap/lib64/libldap.a
   /usr/lib64/evolution-openldap/lib64/libldap_r.a
   /usr/lib64/libldap-2.2.so.7
   /usr/lib64/libldap-2.3.so.0
   /usr/lib64/libldap_r-2.3.so.0
   /usr/lib64/libldap-2.3.so.0.2.31
   /usr/lib64/libldap.a
   /usr/lib64/libldap_r.a

Is the compiler looking into /usr/lib64 ?

Nick

On 9/9/2010 12:36 PM, Christian Hofstaedtler wrote:

You probably need to install some development packages for libldap
(and for libboost as well).
I don't really know how they are named on your OS, but something
along libldap-dev, libldap-devel, ldap-devel, openldap-devel might
be what you need to look for.

   Christian


___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Successful, yet incomplete AXFR to BIND9 slave

2010-09-09 Thread Nikolaos Milas


  
  
I found the answer here: 
http://doc.powerdns.com/pdns-users-faq.html (Question 3)
  

as was indicated here: 
http://mailman.powerdns.com/pipermail/pdns-users/2006-November/003953.html

So this thread is considered solved. 

Thanks.

On 9/9/2010 11:24 AM, Nikolaos Milas wrote:

  Would you have any hint about the Authority issue as well?
  
  

  

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


[Pdns-users] Successful, yet incomplete AXFR to BIND9 slave

2010-09-08 Thread Nikolaos Milas


  
  
In my pdns/ldap
(tree) on CentOS 5.5, I am setting up a domain (say:
'example.com')  with its single SOA record. This has several
virtual subzones (a.example.com, b.example.com etc.) which
include their own MX records but are not delegated: the same NS
records (as defined in the example.com entry) are used for the
whole domain (zone) and its subdomains (subzones). 

The LDAP server also includes 5 in-addr.arpa zones (which
correspond to the 5 available LANs = Class-C subnets) for
reverse mapping. 

Everything seems to be working fine when the pdns server is
queried for any records, which obviously means that pdns sees
everything correctly in ldap. (One problem however: queries for
example.com and its subdomains/hosts indicate AUTHORITY: 0. I
would expect it to indicate AUTHORITY: 1 in such queries. Any
hint on this?) 

For testing (preparing a production environment), I have set up a
BIND9 slave which uses pdns as master. Everything seems to run
smoothly, messages in logs indicate successful zone transfers,
no errors either in BIND or in pdns logs, BUT a large number
of A records in some of the subdomains is not
transferred at all (however, some of the A records are
transferred). Interestingly, the PTR records in all in-addr.arpa
zones seem to be transferred correctly. The slave is also CentOS
5.5 with bind-9.3.6-4.P1.el5_4.2.

The BIND9 zone file for example.com (as produced by slaving),
includes all subdomains, specifies their MX records, but it
misses a large number of A records. I waited for several AXFRs,
to check if subsequent zone transfers would correct things, but
nothing changed. The transferred records are always the same.

  In
the meantime, just in case, I have tried switching from the
2.9.22 rpm which I had found in a repository, to the more
standard 2.9.21-4 rpm included in the 'extras' CentOS
repositories, but the behavior is exactly the same. (I am using
CentOS 5.5 with a 2.6.18-194.11.3.el5 kernel).

I would come to the conclusion that AXFR is not being sent
correctly by pdns, because, if a full set of records is being
sent, why the slave is not registering the complete set of
records? 

All rpms (and the servers) are x86_64.

Any suggestions? How can I  troubleshoot this in more detail?

Thanks in advance, 
Nick 


  

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Successful, yet incomplete AXFR to BIND9 slave

2010-09-08 Thread Nikolaos Milas
 Indeed, I have confirmed that pdns does not send a complete set of 
records during AXFR, by executing:


   # dig example.com AXFR @dns.example.com

where dns.example.com is the pdns/ldap server. The output is exactly the 
content of slave files.


So, why aren't all zone records included in the AXFR set?

I am waiting for your advice.

I like pdns and I am trying to resolve issues so that it can replace 
(gradually) all BIND9 servers in our organization.


Nick

On 8/9/2010 11:26 PM, Nikolaos Milas wrote:
In my pdns/ldap (tree) on CentOS 5.5, I am setting up a domain (say: 
'example.com')  with its single SOA record. This has several virtual 
subzones (a.example.com, b.example.com etc.) which include their own 
MX records but are not delegated: the same NS records (as defined in 
the example.com entry) are used for the whole domain (zone) and its 
subdomains (subzones).


The LDAP server also includes 5 in-addr.arpa zones (which correspond 
to the 5 available LANs = Class-C subnets) for reverse mapping.


Everything seems to be working fine when the pdns server is queried 
for any records, which obviously means that pdns sees everything 
correctly in ldap. (One problem however: queries for example.com and 
its subdomains/hosts indicate AUTHORITY: 0. I would expect it to 
indicate AUTHORITY: 1 in such queries. Any hint on this?)


For testing (preparing a production environment), I have set up a BIND9 
slave which uses pdns as master. Everything seems to run smoothly, 
messages in logs indicate successful zone transfers, no errors either 
in BIND or in pdns logs, BUT *a large number of A records* in some of 
the subdomains *is not transferred at all* (however, some of the A 
records are transferred). Interestingly, the PTR records in all 
in-addr.arpa zones seem to be transferred correctly. The slave is also 
CentOS 5.5 with bind-9.3.6-4.P1.el5_4.2.


The BIND9 zone file for example.com (as produced by slaving), includes 
all subdomains, specifies their MX records, but it misses a large 
number of A records. I waited for several AXFRs, to check if 
subsequent zone transfers would correct things, but nothing changed. 
The transferred records are always the same.


In the meantime, just in case, I have tried switching from the 2.9.22 
rpm which I had found in a repository, to the more standard 2.9.21-4 
rpm included in the 'extras' CentOS repositories, but the behavior is 
exactly the same. (I am using CentOS 5.5 with a 2.6.18-194.11.3.el5 
kernel).


I would come to the conclusion that AXFR is not being sent correctly 
by pdns, because, if a full set of records is being sent, why the 
slave is not registering the complete set of records?


All rpms (and the servers) are x86_64.

Any suggestions? How can I  troubleshoot this in more detail?

Thanks in advance,
Nick



___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Strange time drift in log

2010-09-05 Thread Nikolaos Milas


  
  
Thanks Christian,  {I
am resending in HTML format, to avoid auto line breaks which
make terminal output illegible.}

This problem happened to me only with pdns server logging. I've
never had a similar problem on this or on any of the other
servers I'm managing (mainly CentOS), all with the same locale,
with various daemons and syslog.

The pdns daemons running are as follows:

  # ps -ef | grep pdns

     UID    PID  PPID  C STIME TTY  TIME CMD
     102   2265 1  0 13:02 ?    00:00:00 /usr/sbin/pdns_recursor --daemon
     root  2854 1  0 15:10 ?    00:00:00 /usr/sbin/pdns_server --daemon --guardian=yes
     pdns  2856  2854  0 15:10 ?    00:00:00 /usr/sbin/pdns_server-instance --daemon --guardian=yes

Threads:

  # ps axjf | grep pdns

   PPID   PID  PGID   SID TTY  TPGID STAT   UID   TIME COMMAND
      1  2265  2265  2265 ?   -1 Ss 102   0:00 /usr/sbin/pdns_recursor --daemon
      1  2854  2854  2854 ?   -1 Ssl  0   0:00 /usr/sbin/pdns_server --daemon --guardian=yes
   2854  2856  2854  2854 ?   -1 Sl 101   0:00  \_ /usr/sbin/pdns_server-instance --daemon --guardian=yes

It might help in troubleshooting to observe that only
the pdns server start- and stop- related messages are logged
with correct time (Europe/Athens, i.e. EEST). All
normal operation messages are logged with UTC time.

It might also help that the time drift happens after the
message: "Creating backend connection for TCP".

See below:

Stop server (messages with correct time):

   Sep  5 14:48:34 vdns pdns[2706]: Scheduling exit on remote request
   Sep  5 14:48:34 vdns pdns[2706]: Guardian is killed, taking down children with us

Start server (messages with correct time):

   Sep  5 14:48:46 vdns pdns[2764]: Listening on controlsocket in '/var/run/pdns.controlsocket'
   Sep  5 14:48:46 vdns pdns[2766]: Guardian is launching an instance
   Sep  5 14:48:46 vdns pdns[2766]: Reading random entropy from '/dev/urandom'
   Sep  5 14:48:46 vdns pdns[2766]:  [LdapBackend] This is the ldap module version 2.9.22 (Aug 23 2009, 10:47:15) reporting
   Sep  5 14:48:46 vdns pdns[2766]: This is a guarded instance of pdns
   Sep  5 14:48:46 vdns pdns[2766]: UDP server bound to xxx.xxx.xxx.xxx:53
   Sep  5 14:48:46 vdns pdns[2766]: TCP server bound to xxx.xxx.xxx.xxx:53
   Sep  5 14:48:46 vdns pdns[2766]: PowerDNS 2.9.22 (C) 2001-2009 PowerDNS.COM BV (Aug 23 2009, 10:49:35, gcc 4.1.2 20080704 (Red Hat 4.1.2-44)) starting up
   Sep  5 14:48:46 vdns pdns[2766]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
   Sep  5 14:48:46 vdns pdns[2766]: Set effective group id to 103
   Sep  5 14:48:46 vdns pdns[2766]: Set effective user id to 101
   Sep  5 14:48:46 vdns pdns[2766]: DNS Proxy launched, local port 20388, remote xxx.xxx.xxx.xxx:53
   Sep  5 14:48:46 vdns pdns[2766]: Creating backend connection for TCP

Entering normal operation (messages with wrong time - pdns has
switched to UTC):

   Sep  5 11:48:46 vdns pdns[2766]: [LdapBackend] LDAP servers = localhost
   Sep  5 11:48:46 vdns pdns[2766]: Launched webserver on xxx.xxx.xxx.xxx:8081
   Sep  5 11:48:46 vdns pdns[2766]: [LdapBackend] Ldap connection succeeded
   Sep  5 11:48:46 vdns pdns[2766]: About to create 3 backend threads for UDP
   Sep  5 11:48:46 vdns pdns[2766]: [LdapBackend] LDAP servers = localhost
   Sep  5 11:48:46 vdns pdns[2766]: [LdapBackend] Ldap connection succeeded
   Sep  5 11:48:46 vdns pdns[2766]: [LdapBackend] LDAP servers = localhost
   Sep  5 11:48:46 vdns pdns[2766]: [LdapBackend] Ldap connection succeeded
   Sep  5 11:48:46 vdns pdns[2766]: [LdapBackend] LDAP servers = localhost
   Sep  5 11:48:46 vdns pdns[2766]: [LdapBackend] Ldap connection succeeded
   Sep  5 11:48:46 vdns pdns[2766]: Done launching threads, ready to distribute questions
   Sep  5 11:49:25 vdns pdns[2766]: 

Re: [Pdns-users] Can pdns (with ldap backend) be a master of BIND9 slave?

2010-09-02 Thread Nikolaos Milas


  
  
No replies? 

May I try to answer the question myself?: 

Quoting from Ch. 10 of pdns doc: "Only the Generic SQL, OpenDBX
and BIND backends have the ability to act as master or slave.".


This means that pdns is not aware of changes in some zone(s) on
the LDAP backend - I reached the conclusion that the serial
number in the LDAP SOARecord is not supported either - and cannot
send NOTIFY to slaves so that they can subsequently request an
AXFR.

Please confirm.

Thanks,
N. Milas 
  
On 1/9/2010 3:04 PM, Nikolaos Milas wrote:

  
  Hi, 
  
  I am interested in running pdns (I have already installed
  latest version, as an rpm on CentOS 5.5) with ldap backend (tree
  mode). 
  
  My question is: Is this setup capable of working as a master
  to a conventional (i.e. with zone files) BIND9 server which
  will act as a slave? 
  
  Currently our production servers are BIND (various masters and slaves)
  and we are looking to migrate to an ldap backend using pdns.
  What I need is to be able to set up my local (authoritative for its
  name space) pdns/ldap server as Master to (one or more) BIND9 slaves
  (which are servers not under my control, on an external
  partner network); the (remote, BIND) slave should
  mirror the whole namespace managed by the (local) pdns/ldap
  master server (as it currently does, but from a currently BIND
  master server).
  
  Can this be done and how?
  
  The pdns documentation says that ldap backend has no
  master/slave capabilities. Also the ldap backend documentation
  refers only to sync on ldap databases, which is not supported
  (see http://www.linuxnetworks.de/doc/index.php/PowerDNS_LDAP_Backend/Future).

  But I am not interested on syncing ldap databases (I can do
  that using openldap syncrepl, to have other pdns/ldap
  pseudo-slaves).
  
  Please advise.
  N. Milas
  
 
  

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Can pdns (with ldap backend) be a master of BIND9 slave?

2010-09-02 Thread Nikolaos Milas


  
  
Thank you very much
Norbert, 

I assume that such a pdns/ldap master should NOT have a
"master=on" setting. Correct?

It's just the slave (e.g. slave.example.com) that must have
configured itself as a slave to us and we should allow it by
having it placed (i.e. the slave.example.com) in our zone's NS
records and by adding it to our "allow-axfr-ips" (if needed). 

Right? Anything else I'm missing?

Thank you again for your valuable help, I'm at a critical
system design point and must make informed decisions.

NM
  
  You can use the LDAP backend as master for a BIND slave but it's not
  possible that the master (with LDAP backend) sends NOTIFYs on
  changes. The slaves will only refresh their data if the TTL timed
  out.
  

  

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Can pdns (with ldap backend) be a master of BIND9 slave?

2010-09-02 Thread Nikolaos Milas

 Thanks Norbert,

...both for your replies and for your work with powerdns ldap backend.

Is there a plan to include NOTIFY support to pdns/ldap so that it can 
operate as a true master (regardless of the slave software and back-end) 
? [I assume it could make use of the serial number in the sOARecord, as 
usual.] Such functionality is very useful and widely used.


One more issue (because we are using delegated subdomains):  I've seen 
here (http://permalink.gmane.org/gmane.network.dns.powerdns.user/5410 - 
2.5 years ago) that there was a bug reported in zone transfers when ldap 
includes *delegated* subdomains (subzones), and there was not even a 
workaround when ldap-method=tree.


Has this been resolved in current version of pdns (2.9.22), or is it 
planned to be fixed in a subsequent version?


Thanks again,
Nick

On 2/9/2010 1:56 PM, Norbert Sendetzky wrote:

On 09/02/2010 12:41 PM, Nikolaos Milas wrote:
I assume that such a pdns/ldap master should *NOT* have a master=on 
setting.

Correct?


Correct.

It's just the slave (e.g. slave.example.com) that must have 
configured itself as

a slave to us and we should allow it by having it placed (i.e. the
slave.example.com) in our zone's NS records and by adding it to our
allow-axfr-ips (if needed).


I think so.


Norbert



___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users