Re: [Pdns-users] PowerDNS in an ISP environment
On Tue, Aug 16, 2011 at 01:29:18PM -0600, Michael Loftis wrote: On Tue, Aug 16, 2011 at 1:38 AM, Chris Russell chris.russ...@knowledgeit.co.uk wrote: Hi All, Quick question – is anyone on the list using PDNS in an ISP environment, especially for auth services ? There have definitely been a few pains here and there. Some of them were caused by the fact that wildcard records are used. Some of the issues I had were caused by MySQL's sometimes flaky replication, monitoring them was an absolute must, making sure that they were all in sync and up to date was also absolutely required. The benefits far outweighed the costs at that scale for certain. Yeah an concerning replication-sync you should nowadays use semisync repl. with MySQL. (And still you need monitoring of course:) Regards Erkan -- über den grenzen muß die freiheit wohl wolkenlos sein ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS in an ISP environment
On 08/16/2011 09:42 PM, Erik Weber wrote: On Tue, Aug 16, 2011 at 8:29 PM, Anthony Eden anthonye...@gmail.com wrote: On Tue, Aug 16, 2011 at 8:23 PM, Posner, Sebastian s.pos...@telekom.de wrote: Erik Weber wrote: Some other things to consider why running PDNS is better: [...] Just shooting in with a feature that I just came to remember. 6) Fancy records. 3.0 doesn't support fancy records any more. I, for one, am sad about this. We're still running PowerDNS 2.x and haven't faced this change yet. Shouldn't it be a matter of extending the records table with a column with the URL information, and just insert the record as a normal A record? Your management software and the forwarding software would have to confront the URL field, but to PowerDNS it should look like a normal record. I've never seen the need for the use of any 'special' record for redirects. I prefer simple, hopefully future prove, solutions. We used a seperate table from the start in the same database as PowerDNS uses* so the management software does not need 2 databases and can join some tables if needed. We just have the management software insert the A-record for the redirect normally. We also allow for redirects in the table which don't have a domain our DNS. Sometimes it is easier to point an external domain at your own redirect than to convince an other provider to do the redirect. It keeps our DNS clean. PowerDNS doesn't mind if there is an extra table (I think it doesn't mind extra columns as you mentioned above either). Hope that helps, Leen. * Or actually the management software works on the master database, PowerDNS and redirect use slave databases. ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS in an ISP environment
We at Sonic.net have been running PowerDNS authoritative server and recursor since 2007 over some 12k+ domains. Bert and the PowerDNS community have always been very responsive to questions and assistance. Before we migrated we captured and replayed some traffic from our then production BIND name servers to a test instance of PowerDNS, this gave us the data and confidence to move forward. PowerDNS used to come with some tools ( namely dnsreplay ), I'm not sure how available those tools are anymore: http://doc.powerdns.com/analysis.html And apparently I wrote something too: http://www.schwer.us/journal/2006/11/09/replay-dns-traffic-dnsreplaypl/ Of course that just tells you if the name server answered at all, you would really want to know that it replied with the answer you were expecting. I hope that helps. --Augie On Tue, Aug 16, 2011 at 12:38 AM, Chris Russell chris.russ...@knowledgeit.co.uk wrote: Hi All, Quick question – is anyone on the list using PDNS in an ISP environment, especially for auth services ? Have prepped PDNS to replace our Bind instances however management have raised concerns over moving away from the “industry standard”, so have asked for more justification on the change in software. Already have some ideas but some “real world” use cases would really be the clincher. Have spotted a new names on a couple of things published by Bert, and those of PlusNET but fpdns (yes, a little out of date signatures I acknowledge) seem to suggest no match (could be pdns 3) but mostly Bind. ie: [root@ns1 ~]# fpdns -D plus.net fingerprint (plus.net, 195.166.128.16): ISC BIND 9.2.3rc1 -- 9.4.0a4 fingerprint (plus.net, 195.166.128.17): ISC BIND 9.2.3rc1 -- 9.4.0a4 [root@ns1 ~]# fpdns -D register.com fingerprint (register.com, 216.21.227.12): ISC BIND 9.2.3rc1 -- 9.4.0a4 fingerprint (register.com, 216.21.227.11): ISC BIND 9.2.3rc1 -- 9.4.0a4 fingerprint (register.com, 216.21.230.12): ISC BIND 9.2.3rc1 -- 9.4.0a4 [root@ns1 ~]# fpdns -D .tk fingerprint (.tk, 202.125.44.173): ISC BIND 9.2.3rc1 -- 9.4.0a4 fingerprint (.tk, 207.36.228.217): ISC BIND 9.2.3rc1 -- 9.4.0a4 fingerprint (.tk, 217.199.176.121): ISC BIND 9.2.3rc1 -- 9.4.0a4 [root@ns1 ~]# fpdns -D .mn fingerprint (.mn, 199.254.62.1): ISC BIND 9.2.3rc1 -- 9.4.0a4 fingerprint (.mn, 199.249.116.1): No match found fingerprint (.mn, 202.72.241.5): ISC BIND 9.2.3rc1 -- 9.4.0a4 fingerprint (.mn, 202.131.0.10): ISC BIND 9.2.3rc1 -- 9.4.0a4 Have also done a few scans on some of the top hosts in the UK ISPA, some PDNS but mostly myDNS and/or bind. This isn’t to get into one server is better than another or individual choices, I like PDNS, more just looking for some use cases so I can get this over the line J Cheers Chris Knowledge I.T. ‘Unifying Business Technology’ www.knowledgeit.co.uk Knowledge Limited, Company Registration: 1554385 Registered Office: New Century House, Crowther Road, Washington, Tyne Wear. NE38 0AQ Leeds Office: Viscount Court, Leeds Road, Rothwell, Leeds. LS26 0GR Tel: 0845 142 0020. Fax: 0845 142 0021 E-Mail Disclaimer: This e-mail message is intended to be received only by persons entitled to receive the confidential information it may contain. E-mail messages to clients of Knowledge IT may contain information that is confidential and legally privileged. Please do not read, copy, forward, or store this message unless you are an intended recipient of it. If you have received this message in error, please forward it to the sender and delete it completely from your computer system. Please consider the environment before printing this email. ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users -- Augie Schwer - au...@schwer.us - http://schwer.us ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
[Pdns-users] PowerDNS in an ISP environment
Hi All, Quick question - is anyone on the list using PDNS in an ISP environment, especially for auth services ? Have prepped PDNS to replace our Bind instances however management have raised concerns over moving away from the industry standard, so have asked for more justification on the change in software. Already have some ideas but some real world use cases would really be the clincher. Have spotted a new names on a couple of things published by Bert, and those of PlusNET but fpdns (yes, a little out of date signatures I acknowledge) seem to suggest no match (could be pdns 3) but mostly Bind. ie: [root@ns1 ~]# fpdns -D plus.net fingerprint (plus.net, 195.166.128.16): ISC BIND 9.2.3rc1 -- 9.4.0a4 fingerprint (plus.net, 195.166.128.17): ISC BIND 9.2.3rc1 -- 9.4.0a4 [root@ns1 ~]# fpdns -D register.com fingerprint (register.com, 216.21.227.12): ISC BIND 9.2.3rc1 -- 9.4.0a4 fingerprint (register.com, 216.21.227.11): ISC BIND 9.2.3rc1 -- 9.4.0a4 fingerprint (register.com, 216.21.230.12): ISC BIND 9.2.3rc1 -- 9.4.0a4 [root@ns1 ~]# fpdns -D .tk fingerprint (.tk, 202.125.44.173): ISC BIND 9.2.3rc1 -- 9.4.0a4 fingerprint (.tk, 207.36.228.217): ISC BIND 9.2.3rc1 -- 9.4.0a4 fingerprint (.tk, 217.199.176.121): ISC BIND 9.2.3rc1 -- 9.4.0a4 [root@ns1 ~]# fpdns -D .mn fingerprint (.mn, 199.254.62.1): ISC BIND 9.2.3rc1 -- 9.4.0a4 fingerprint (.mn, 199.249.116.1): No match found fingerprint (.mn, 202.72.241.5): ISC BIND 9.2.3rc1 -- 9.4.0a4 fingerprint (.mn, 202.131.0.10): ISC BIND 9.2.3rc1 -- 9.4.0a4 Have also done a few scans on some of the top hosts in the UK ISPA, some PDNS but mostly myDNS and/or bind. This isn't to get into one server is better than another or individual choices, I like PDNS, more just looking for some use cases so I can get this over the line :) Cheers Chris Knowledge I.T. 'Unifying Business Technology' www.knowledgeit.co.uk Knowledge Limited, Company Registration: 1554385 Registered Office: New Century House, Crowther Road, Washington, Tyne Wear. NE38 0AQ Leeds Office: Viscount Court, Leeds Road, Rothwell, Leeds. LS26 0GR Tel: 0845 142 0020. Fax: 0845 142 0021 E-Mail Disclaimer: This e-mail message is intended to be received only by persons entitled to receive the confidential information it may contain. E-mail messages to clients of Knowledge IT may contain information that is confidential and legally privileged. Please do not read, copy, forward, or store this message unless you are an intended recipient of it. If you have received this message in error, please forward it to the sender and delete it completely from your computer system. Please consider the environment before printing this email. ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS in an ISP environment
On Tue, Aug 16, 2011 at 08:38:07AM +0100, Chris Russell wrote: Hi All, Quick question - is anyone on the list using PDNS in an ISP environment, especially for auth services ? The best I can do is refer to this thread, which lists some data points: http://mailman.powerdns.com/pipermail/pdns-users/2011-May/007719.html DENIC and SIDN (the .de and .nl registries) still measure PowerDNS at around 40%-50% of all their domains. You might also want to consider that SIDN and NIC.AT underwrote part of PowerDNS 3.0 development, please see the 3.0 release notes for more details. Have prepped PDNS to replace our Bind instances however management have raised concerns over moving away from the industry standard, so have asked for more justification on the change in software. Already have some ideas but some real world use cases would really be the clincher. If your management wants assurance on PowerDNS performance reliability, they might want to consider joining the other serious users that have taken out a support agreement with a 2 or 4 hour SLA which is available. I'm not sure if a lot of major users will chime in on the list - the larger the company, the less likely they are to share their details on the list. The largest PowerDNS deployments are around 8 million domains, and loads of deployments are million+. Measuring the 'company domain name' with fpdns is of limited utility - the company domain name itself is often not on the ISP production platform. fpdns also does not identify recent PowerDNS versions. Bert ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS in an ISP environment
Hi Bert, The best I can do is refer to this thread, which lists some data points: http://mailman.powerdns.com/pipermail/pdns-users/2011-May/007719.html Cheers, that's a good start :) Measuring the 'company domain name' with fpdns is of limited utility - the company domain name itself is often not on the ISP production platform. Yes I know, it more was I was expecting pdns or no match, but it came back with bind. It's not so much the question of is this supported 24x7 etc, I`m already impressed with the level of support provided on these lists which your response is a fine example of which says how good the commercial support would be. We may go down that route but I think their feedback is really more just about a name. My direct manager knows Bind, so I have to justify not bind, if you see what I mean. Thanks Chris Knowledge I.T. 'Unifying Business Technology' www.knowledgeit.co.uk Knowledge Limited, Company Registration: 1554385 Registered Office: New Century House, Crowther Road, Washington, Tyne Wear. NE38 0AQ Leeds Office: Viscount Court, Leeds Road, Rothwell, Leeds. LS26 0GR Tel: 0845 142 0020. Fax: 0845 142 0021 E-Mail Disclaimer: This e-mail message is intended to be received only by persons entitled to receive the confidential information it may contain. E-mail messages to clients of Knowledge IT may contain information that is confidential and legally privileged. Please do not read, copy, forward, or store this message unless you are an intended recipient of it. If you have received this message in error, please forward it to the sender and delete it completely from your computer system. Please consider the environment before printing this email. ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS in an ISP environment
On Tue, Aug 16, 2011 at 10:05 AM, Chris Russell chris.russ...@knowledgeit.co.uk wrote: Hi Bert, The best I can do is refer to this thread, which lists some data points: http://mailman.powerdns.com/pipermail/pdns-users/2011-May/007719.html Cheers, that's a good start :) We're an ISP utilizing PowerDNS, although small scale if you compare us to others/other countries (~2000 domains). Measuring the 'company domain name' with fpdns is of limited utility - the company domain name itself is often not on the ISP production platform. Yes I know, it more was I was expecting pdns or no match, but it came back with bind. It's not so much the question of is this supported 24x7 etc, I`m already impressed with the level of support provided on these lists which your response is a fine example of which says how good the commercial support would be. We may go down that route but I think their feedback is really more just about a name. My direct manager knows Bind, so I have to justify not bind, if you see what I mean. Our selling point was the MySQL backend, which to be true, is the mainly reason we use PowerDNS. When we started it was the only DNS software with a stable MySQL backend, and since it has worked well we haven't looked for alternatives. The MySQL backend makes it a whole lot easier for us to write management software, as we don't have to fuddle with file permissions, zone reloading and what not. I don't know if that's something you would work towards/use. -- Erik ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS in an ISP environment
On Tue, Aug 16, 2011 at 08:38:07AM +0100, Chris Russell wrote: [root@ns1 ~]# fpdns -D plus.net fingerprint (plus.net, 195.166.128.16): ISC BIND 9.2.3rc1 -- 9.4.0a4 fingerprint (plus.net, 195.166.128.17): ISC BIND 9.2.3rc1 -- 9.4.0a4 We do intend to move to PowerDNS for our authoritative servers, however other work has taken priority for a while now. We do use (and are very happy with) PowerDNS on our recursive DNS servers for our customers. Ben -- | Ben Brown Broadband Solutions for | Infrastructure Engineer Home Business@ | Plusnet Plc www.plus.net | Registered Office: Internet House, 2 Tenter Street, Sheffield, S1 4BY | Registered in England no: 3279013 + --- Plusnet - ISPA Best Consumer ISP 2008 --- ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS in an ISP environment
On 08/16/2011 10:05 AM, Chris Russell wrote: Hi Bert, The best I can do is refer to this thread, which lists some data points: http://mailman.powerdns.com/pipermail/pdns-users/2011-May/007719.html [cut] Hello, i work in an isp and we're using pdns as auth server, we have about 4000 domains (we switched from bind for the mysql backend ) bye M. ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS in an ISP environment
On 8/16/11 1:50 AM, bert hubert wrote: On Tue, Aug 16, 2011 at 08:38:07AM +0100, Chris Russell wrote: Hi All, Quick question - is anyone on the list using PDNS in an ISP environment, especially for auth services ? The best I can do is refer to this thread, which lists some data points: http://mailman.powerdns.com/pipermail/pdns-users/2011-May/007719.html DENIC and SIDN (the .de and .nl registries) still measure PowerDNS at around 40%-50% of all their domains. You might also want to consider that SIDN and NIC.AT underwrote part of PowerDNS 3.0 development, please see the 3.0 release notes for more details. We use powerdns almost exclusively with the mysql backend. Our ns1 hosts around 300 domains on it, with quite a few of them being high traffic - ahbl.org for example, which is one of the master name servers for all the dnsbl queries. Several other large DNSbl's also use our ns1 as a slave for redundancy. Between the 6 auth name servers in the US, I think we do around 3mbits of DNS traffic, and another 2mbits out of Canada. No problems really, most of our issues were caused by lax config on our end that we promptly fixed. When we did find a pretty major bug during the testing of ipv6 records in 3.0, Bert had the problem fixed within about 5 mins, and a new build pushed out. And that's all just by hopping on IRC and catching him when he's around. Is the SLA worth it? Hell yes, even if you never need to use it, your supporting the development. We're too small and not-for-profit based, so the contract is not feasible, but I always try to test and share my results if needed or asked (feedback is never a bad thing). Some other things to consider why running PDNS is better: 1) BIND is agonizingly slow when loading lots of zones. Only recently have they bothered to work on that so it doesn't take 6 hours to load a ton of domains. 2) Auth and caching services can be run separately, helping keep one potential issue from affecting another. 3) Config options are a heck of alot more easy to use/understand 4) Its trivially easy to run multiple backends, including the bind backend, and even run multiple server instances isolating types of customers, etc. 5) LUA and pipe backends -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org/ http://www.ahbl.org ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS in an ISP environment
Hi Bert, The best I can do is refer to this thread, which lists some data points: http://mailman.powerdns.com/pipermail/pdns-users/2011- May/007719.html Cheers, that's a good start :) Measuring the 'company domain name' with fpdns is of limited utility - the company domain name itself is often not on the ISP production platform. Yes I know, it more was I was expecting pdns or no match, but it came back with bind. It's not so much the question of is this supported 24x7 etc, I`m already impressed with the level of support provided on these lists which your response is a fine example of which says how good the commercial support would be. We may go down that route but I think their feedback is really more just about a name. My direct manager knows Bind, so I have to justify not bind, if you see what I mean. Thanks Chris We are one of these large ISP's. We use it for auth and recursive. Why not to use BIND isn't hard to justify. Break out the exploit lists for BIND vs PowerDNS. Then break out the performance metrics. PowerDNS is hands down the winner. So much so that I have talked several other companies into converting to it. Brad This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS in an ISP environment
On Tue, Aug 16, 2011 at 7:00 PM, Brielle Bruns br...@2mbit.com wrote: Some other things to consider why running PDNS is better: 1) BIND is agonizingly slow when loading lots of zones. Only recently have they bothered to work on that so it doesn't take 6 hours to load a ton of domains. 2) Auth and caching services can be run separately, helping keep one potential issue from affecting another. 3) Config options are a heck of alot more easy to use/understand 4) Its trivially easy to run multiple backends, including the bind backend, and even run multiple server instances isolating types of customers, etc. 5) LUA and pipe backends Just shooting in with a feature that I just came to remember. 6) Fancy records. I haven't researched BIND for years, so I'm not sure if that's easily supported there now. But with PowerDNS it's easy to set up web forwarding, it has literally saved me from creating hundreds of empty web config files just to redirect somewhere else. You do have to implement the whole forwarding thingy yourself (unless it's in contrib or something by now?), but it's a few lines of code in e.g. PHP or your favorite web language. -- Erik ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS in an ISP environment
Erik Weber wrote: Some other things to consider why running PDNS is better: [...] Just shooting in with a feature that I just came to remember. 6) Fancy records. 3.0 doesn't support fancy records any more. http://doc.powerdns.com/fancy-records.html Mit freundlichen Grüßen, Sebastian -- Sebastian Posner Unix-Systemspezialist AM Data Center Services, Shared Infrastructure Deutsche Telekom AG, Products Innovation ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS in an ISP environment
On Tue, Aug 16, 2011 at 8:23 PM, Posner, Sebastian s.pos...@telekom.dewrote: Erik Weber wrote: Some other things to consider why running PDNS is better: [...] Just shooting in with a feature that I just came to remember. 6) Fancy records. 3.0 doesn't support fancy records any more. I, for one, am sad about this. Sincerely, Anthony Eden -- http://anthonyeden.com | twitter: @aeden | skype: anthonyeden ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS in an ISP environment
On Tue, Aug 16, 2011 at 1:38 AM, Chris Russell chris.russ...@knowledgeit.co.uk wrote: Hi All, Quick question – is anyone on the list using PDNS in an ISP environment, especially for auth services ? Up until a couple years ago I worked as Sr. SA/Ops Manager at Modwest, we used PowerDNS then, and they still do today. Something like 10k or 15k domains at the time, no idea how many today honestly. As with many the draw was a database backend. There wasn't much else out there at the time, and certainly nothing stable like PowerDNS. With 10k+ domains BIND would take a very LONG time to start/restart or even check for updates. There was also the headaches involved in maintaining slave and master zone configs too. Authoritative DNS only. There's a cluster of BIND servers for resolver functionality. The actual NS records point at load balanced clusters of DNS servers. To the outside it looks like there are only a handful of geographically diverse nameservers, in reality there's multiple PowerDNS servers behind each IP. Makes doing upgrades REALLY easy, you just pull one out of the load balancer, upgrade it. Then you can do all the testing you want (one thing I did was to play back DNS queries and observe/systematically check the responses, without letting any actual traffic out) -- if it doesn't work out you can then use whatever process you have to roll that machine back and put it back into the cluster, or, more deeply investigate the failure. This was a situation though where there was a very well proven and trusted load balancer infrastructure in place already so it absolutely made sense to deploy externally facing DNS services behind this same setup. It definitely requires thought to do it that way (chicken-and-egg scenarios come to mind, you can not have your load balancers depend on DNS if you're going to run DNS behind them!!!) but it is reliable when done right. There have definitely been a few pains here and there. Some of them were caused by the fact that wildcard records are used. Some of the issues I had were caused by MySQL's sometimes flaky replication, monitoring them was an absolute must, making sure that they were all in sync and up to date was also absolutely required. The benefits far outweighed the costs at that scale for certain. ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS in an ISP environment
On Tue, Aug 16, 2011 at 8:29 PM, Anthony Eden anthonye...@gmail.com wrote: On Tue, Aug 16, 2011 at 8:23 PM, Posner, Sebastian s.pos...@telekom.de wrote: Erik Weber wrote: Some other things to consider why running PDNS is better: [...] Just shooting in with a feature that I just came to remember. 6) Fancy records. 3.0 doesn't support fancy records any more. I, for one, am sad about this. We're still running PowerDNS 2.x and haven't faced this change yet. Shouldn't it be a matter of extending the records table with a column with the URL information, and just insert the record as a normal A record? Your management software and the forwarding software would have to confront the URL field, but to PowerDNS it should look like a normal record. -- Erik ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
