Re: [Pdns-users] Configure private subdomain

2015-03-28 Thread Michael Ströder

Nikolaos Milas wrote:
> If you managed to set up this demo (Split-DNS with powerdns and LDAP-Backend)
> for the Linux-Tage, could you please post this work here or a link to a page
> where it is available?


Basically it boils down to this ACL:

access to
  dn.subtree="cn=pdns,ou=services,ou=infra-dir"
  filter="(objectClass=dNSDomain2)"
  by set="user/memberOf & this/seeAlso" read
  by * none

Attribute 'seeAlso' contains DN(s) of group entries of service accounts of 
powerdns instances.


Could not extensively test it though due to time constraints.

And a nicer schema for not (ab)using attribute 'seeAlso' would be better.

Ciao, Michael.



___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
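
The rule in the message above, modelled in Python as an added example (not part of the original thread, and not OpenLDAP or PowerDNS code). It reads the set clause as the intersection "user/memberOf & this/seeAlso" and shows which zone entries each PowerDNS bind identity would see; all DNs, group names and entries are constructed, and DN matching is simplified.

```python
# Added example: toy model of the slapd rule quoted above. All DNs are constructed.
BASE = "cn=pdns,ou=services,ou=infra-dir"
G_INT = "cn=pdns-internal,ou=groups,ou=infra-dir"   # hypothetical group DNs
G_EXT = "cn=pdns-external,ou=groups,ou=infra-dir"

def norm(dn):
    """Simplified DN normalisation: case-fold, strip spaces around RDNs."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def in_subtree(dn, base):
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)

def can_read(user, entry):
    """True/False if the rule decides; None if its <what> does not match the
    entry, in which case slapd moves on to the next 'access to' rule."""
    if not in_subtree(entry["dn"], BASE):
        return None
    if "dnsdomain2" not in {oc.lower() for oc in entry["objectClass"]}:
        return None
    groups = {norm(g) for g in user.get("memberOf", [])}    # user/memberOf
    allowed = {norm(g) for g in entry.get("seeAlso", [])}   # this/seeAlso
    return bool(groups & allowed)   # empty intersection falls to "by * none"

def visible(user, directory):
    """DNs of the entries this bind identity may read under the rule."""
    return sorted(e["dn"] for e in directory if can_read(user, e))

WWW = "dc=www,dc=example,dc=com," + BASE
DB = "dc=db,dc=internal,dc=example,dc=com," + BASE
ORPHAN = "dc=orphan,dc=example,dc=com," + BASE
DIRECTORY = [
    {"dn": WWW, "objectClass": ["top", "dNSDomain2"], "seeAlso": [G_INT, G_EXT]},
    {"dn": DB, "objectClass": ["top", "dNSDomain2"], "seeAlso": [G_INT]},
    {"dn": ORPHAN, "objectClass": ["top", "dNSDomain2"]},  # no seeAlso: nobody reads it
]
PDNS_INTERNAL = {"dn": "uid=pdns-int,ou=services,ou=infra-dir", "memberOf": [G_INT.upper()]}
PDNS_EXTERNAL = {"dn": "uid=pdns-ext,ou=services,ou=infra-dir", "memberOf": [G_EXT]}
ANONYMOUS = {"dn": ""}

if __name__ == "__main__":
    for who in (PDNS_INTERNAL, PDNS_EXTERNAL, ANONYMOUS):
        print(who["dn"] or "(anonymous)", "->", visible(who, DIRECTORY))
```

Entries under the subtree that lack objectClass dNSDomain2 are not covered by this rule, so whichever access rule follows it decides who can read them.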


Re: [Pdns-users] Configure private subdomain

2015-03-28 Thread Nikolaos Milas

On 4/3/2015 8:17 PM, Michael Ströder wrote:
> This sounds a bit like a special case for split horizon DNS.
>
> I promised to configure a demo using powerdns with LDAP backend for this based
> on OpenLDAP ACLs and several powerdns instances using different LDAP identities.
>
> Feel free to come here and ask whether I managed to get it working in time:
> https://chemnitzer.linux-tage.de/2015/en/programm/beitrag/134


Hi Michael,

If you managed to set up this demo (Split-DNS with powerdns and 
LDAP-Backend) for the Linux-Tage, could you please post this work here 
or a link to a page where it is available?


Thank you in advance.

All the best,
Nick




Re: [Pdns-users] Configure private subdomain

2015-03-05 Thread Nikolaos Milas

On 5/3/2015 8:53 AM, Michael Ströder wrote:
> Yes, IMHO it's far easier to build up a replicated setup with the LDAP backend
> than with any SQL DB.


We are using LDAP replication for powerdns (rather than normal 
master-slaves) for years. It is a great setup.



>> Unfortunately, Grégory Oestreicher's fork
>> (http://repo.or.cz/w/pdns-ldap-backend.git) of the LDAP backend (which is the
>> most updated source code) has not had any progress for two years now.
> I'm using stock pdns 3.4.3 and not external code. Give it a try.


G. Oestreicher's fork is better than the stock ldap backend (which I don't
know if is still included in the latest pdns releases). It includes
numerous fixes and works fine as is.


The only problem is that development stalled two years ago. It would be 
nice if more ldap-and-pdns-aware developers could delve into it.


I am not a developer, yet I can assist with design, testing and other
auxiliary tasks.


Regards,
Nick



Re: [Pdns-users] Configure private subdomain

2015-03-04 Thread Michael Ströder
Nikolaos Milas wrote:
> On 3/3/2015 2:44 PM, Nikolaos Milas wrote:
>
>> Ideally, we would like pdns to be configured to reply to requests *for
>> particular names* (under a specific subdomain, say internal.example.com) by
>> only providing  records (if available, otherwise no results) and hide A
>> records.
>>
>> This way we could specify (for names under a specific domain), A records
>> which will contain a Private IP Address, so as to not be visible to the
>> Internet but only locally.
>
> Corrections/Clarifications:
>
> Ideally, we would like pdns to be configured to reply to requests *for
> particular names* (under a specific subdomain, say internal.example.com) by
> only providing  records (if available, otherwise no results) and hide A
> records to all requests, except to those from our own networks (as would be
> configured), to which full replies would be provided.
>
> This way we could specify (for names under a specific domain), A records
> which will contain a Private IP Address, so as to not be visible to the
> Internet but only locally (to our own networks, which would be specified
> explicitly).

This sounds a bit like a special case for split horizon DNS.

I promised to configure a demo using powerdns with LDAP backend for this based
on OpenLDAP ACLs and several powerdns instances using different LDAP identities.

Feel free to come here and ask whether I managed to get it working in time:
https://chemnitzer.linux-tage.de/2015/en/programm/beitrag/134

Ciao, Michael.






Re: [Pdns-users] Configure private subdomain

2015-03-04 Thread Nikolaos Milas

On 4/3/2015 8:17 PM, Michael Ströder wrote:
> This sounds a bit like a special case for split horizon DNS.

Precisely.

> I promised to configure a demo using powerdns with LDAP backend for this based
> on OpenLDAP ACLs and several powerdns instances using different LDAP identities.
>
> Feel free to come here and ask whether I managed to get it working in time:
> https://chemnitzer.linux-tage.de/2015/en/programm/beitrag/134


I am sure it can be done, however it might take significant work; I know 
you can do it. (I would like to play with it as well, yet I would have 
to invest time which I cannot afford now...)


Although I will not be able to attend the event, it would be nice to 
make this demo in a way that it is streamlined enough to be (relatively) 
easily reproduced by others. I guess that the most important part of 
this effort is ACL authoring in order to isolate entries / attributes.


Please post your work and scripts here (or notify us on where you have 
posted it). I would surely like to use this work (esp. if it is handy 
enough).


Despite the fact that PowerDNS with LDAP backend seems underutilized and 
LDAP backend development has been neglected for years (due to lack of 
interest and private investment), I see much potential in it, as you, 
and it would be worth trying to revive it.


Unfortunately, Grégory Oestreicher's fork 
(http://repo.or.cz/w/pdns-ldap-backend.git) of the LDAP backend (which 
is the most updated source code) has not had any progress for two years now.


All the best,
Nick




Re: [Pdns-users] Configure private subdomain

2015-03-03 Thread Nikolaos Milas

  
  
On 3/3/2015 1:48 PM, bert hubert wrote:
> I'm not entirely sure I understand your question, since AXFRs are not sent
> but requested. However, I am sure that 2.9.22 can't do this.



Thanks for the reply. 

You are right. I used wrong terminology; I meant "notifications"
(DNS NOTIFY) to trigger AXFRs.

Ideally, we would like pdns to be configured to reply to requests for
particular names (under a specific subdomain, say internal.example.com)
by only providing  records (if available, otherwise no results) and
hide A records.

This way we could specify (for names under a specific domain), "A"
records which will contain a Private IP Address, so as to not be
visible to the Internet but only locally.

Is it possible to achieve the above?

Thank you, 
Nick
  




Re: [Pdns-users] Configure private subdomain

2015-03-03 Thread Nikolaos Milas

On 3/3/2015 2:44 PM, Nikolaos Milas wrote:
> Ideally, we would like pdns to be configured to reply to requests *for
> particular names* (under a specific subdomain, say
> internal.example.com) by only providing  records (if available,
> otherwise no results) and hide A records.
>
> This way we could specify (for names under a specific domain), A
> records which will contain a Private IP Address, so as to not be
> visible to the Internet but only locally.


Corrections/Clarifications:

Ideally, we would like pdns to be configured to reply to requests *for 
particular names* (under a specific subdomain, say internal.example.com) 
by only providing  records (if available, otherwise no results) and 
hide A records to all requests, except to those from our own networks 
(as would be configured), to which full replies would be provided.


This way we could specify (for names under a specific domain), A 
records which will contain a Private IP Address, so as to  not be 
visible to the Internet but only locally (to our own networks, which 
would be specified explicitly).


Thanks again,
Nick



Re: [Pdns-users] Configure private subdomain

2015-03-03 Thread bert hubert
On Tue, Mar 03, 2015 at 01:31:21PM +0200, Nikolaos Milas wrote:
> We are using pdns-2.9.22 with LDAP backend, using the Simple LDAP
> architecture.
> (...)
> internal.example.com and to not send AXFRs to the other master
> servers, as specified in nSRecord attribute, for this particular
> subdomain.
>
> How can we do this?

I'm not entirely sure I understand your question, since AXFRs are not sent
but requested. However, I am sure that 2.9.22 can't do this.

In the 3.4 series we do have options to configure AXFR behaviour per domain,
https://doc.powerdns.com/md/authoritative/domainmetadata/ has a list.

So any solution will have to be found beyond 2.9.22. I am unsure how well
LDAP works in those releases though.
https://doc.powerdns.com/md/authoritative/backend-ldap/ has some words.

Bert
