Re: [Pdns-users] errno - 128 with mysql

2018-12-21 Thread frank+pdns--- via Pdns-users

Hi Cliff,

Besides the question about 4.0 vs 4.1 that Remi brought up, MySQL errno 128 can 
mean a few things.

Could you try to issue those MySQL queries by hand, when connecting with the 
exact same user/password that PowerDNS uses to connect?

Frank Louwers
Certified PowerDNS Consultant

> On 21 Dec 2018, at 09:26, Remi Gacogne wrote:
> 
> Hi,
> 
> On 12/20/18 7:25 PM, Cliff Hayes wrote:
>> I have just successfully installed authoritative server 4.0.6 on Fedora
>> 28.  It appears proper results are being returned on DNS queries but I
>> am now seeing the following errors which are new to me.  I tried
>> putting in 2018122001 for all records as the change_date and nothing
>> changed.  prio field is null.
> 
>> Dec 20 12:14:32 Result field at row 0 column 2 has errno -128
> 
> This sounds very similar to [1], which was fixed in 4.1.0 by [2]. Is
> there any reason you are still using the 4.0.x branch instead of the
> 4.1.x one?
> 
> [1]: https://github.com/PowerDNS/pdns/issues/5675
> [2]: https://github.com/PowerDNS/pdns/pull/5820
> 
> Regards,
> -- 
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] How to log mysql query details

2018-12-22 Thread frank+pdns--- via Pdns-users
Hi Cliff, 

The question-marks are not “obfuscation” by PowerDNS, but are what MySQL calls 
“prepared statements”. 

If you want to know the exact queries that got executed, I recommend you enable 
query-logging on the MySQL side.

Frank

> On 21 Dec 2018, at 19:51, Cliff Hayes  wrote:
> 
> I have the following in pdns.conf...
> 
> launch=gmysql
> log-dns-details=yes
> logging-facility=0
> loglevel=9
> query-logging=yes
> 
> ...but in the log the queries show question marks instead of values...
> 
> pdns[18975]: Query: SELECT content,ttl,prio,type,domain_id,disabled,name,auth 
> FROM records WHERE disabled=0 and type=? and name=?
> 
> How can I configure to show everything in the query?
> 
> Thanks in advance.



Re: [Pdns-users] What signal to tell PDNS to shut down?

2019-01-13 Thread frank+pdns--- via Pdns-users
Hi Bert and Nick,

Docker will issue a SIGTERM, and assumes an app responds to that. It is up to 
the container to “do what’s needed” upon receiving a SIGTERM. So it’s best 
practice to make sure SIGTERM does the right thing…. When using Docker, you 
should expect your container to be started, stopped, restarted elsewhere etc.

Nick: As Brian said: use tini either in your Dockerfile, or when starting the 
container by using the --init parameter…

Frank



> On 13 Jan 2019, at 21:48, bert hubert wrote:
> 
> On Sun, Jan 13, 2019 at 08:32:33PM +, Brian Candler wrote:
>>> sends a `SIGTERM` to PID 1, waits some amount of time, and then sends
>>> SIGKILL to force it to stop. It’s having to resort to SIGKILL, because
>>> `pdns_server` doesn’t respond to `SIGTERM`. What is the correct signal to
>>> tell PDNS to shut down?
> 
>> The problem is not with pdns, it's with docker: strange things happen if you
>> run the application as pid 1. For an explanation see: 
>> https://hackernoon.com/my-process-became-pid-1-and-now-signals-behave-strangely-b05c52cc551c
> 
> In addition, you could ask powerdns to stop using pdns_control. 
> 
>   Bert



Re: [Pdns-users] Question about PDNS SOA presentation.

2019-03-06 Thread frank+pdns--- via Pdns-users
Hi Michael,

It seems you have pdns-auth, pdns-recursor and dnsdist installed. Could you 
tell us a bit more about your configuration? What’s listening on port 53, and 
how is it configured?

Regards,

Frank Louwers
PowerDNS Certified Consultant

> On 6 Mar 2019, at 08:06, Michael Van Der Beek wrote:
> 
> Hi All,
>  
> I’m a bit confused about my SOA record.
> When I query it.
> dig @server1.cyber-mage.com SOA cyber-mage.com 
>  
> ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> @server1.cyber-mage.com SOA cyber-mage.com
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5232
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>  
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1680
> ;; QUESTION SECTION:
> ;cyber-mage.com.            IN      SOA
>  
> ;; ANSWER SECTION:
> cyber-mage.com.     86400   IN      SOA     ns1.linode.com. hostmaster.cyber-mage.com. 2019033066 28800 7200 1209600 86400
>  
> ;; Query time: 219 msec
> ;; SERVER: 72.14.187.43#53(72.14.187.43)
> ;; WHEN: Wed Mar 06 14:49:45 +08 2019
> ;; MSG SIZE  rcvd: 101
>  
> But my mysql records are:
> MariaDB [powerdns]> select * from records where type="SOA";
> +----+-----------+------------------------+------+------------------------------------------------------------------------------+-------+------+-------------+----------+----------------------------------+------+
> | id | domain_id | name                   | type | content                                                                      | ttl   | prio | change_date | disabled | ordername                        | auth |
> +----+-----------+------------------------+------+------------------------------------------------------------------------------+-------+------+-------------+----------+----------------------------------+------+
> |  1 |         1 | cyber-mage.com         | SOA  | ns1.linode.com hostmaster.cyber-mage.com 2019030501 28800 7200 1209600 86400 | 86400 |    0 |        NULL |        0 | rvms80ecrvpfkr7n6a3ksp4tc5f2g9bk |    1 |
> | 23 |         2 | 187.14.72.in-addr.arpa | SOA  | ns1.linode.com hostmaster.cyber-mage.com 2019022501 28800 7200 1209600 86400 | 86400 |    0 |        NULL |        0 |                                  |    1 |
> +----+-----------+------------------------+------+------------------------------------------------------------------------------+-------+------+-------------+----------+----------------------------------+------+
>  
> And
> MariaDB [powerdns]> select * from domains;
> +----+------------------------+--------+------------+--------+-----------------+---------+
> | id | name                   | master | last_check | type   | notified_serial | account |
> +----+------------------------+--------+------------+--------+-----------------+---------+
> |  1 | cyber-mage.com         | NULL   |       NULL | MASTER |      2019030501 | NULL    |
> |  2 | 187.14.72.in-addr.arpa | NULL   |       NULL | MASTER |      2019022501 | NULL    |
> +----+------------------------+--------+------------+--------+-----------------+---------+
>  
> How come the values are different? What am I doing wrong?
>  
>  
> Regards,
>  
> Michael


Re: [Pdns-users] Question about PDNS SOA presentation.

2019-03-06 Thread frank+pdns--- via Pdns-users
Hi Michael,

> On 7 Mar 2019, at 04:48, Michael Van Der Beek wrote:
> 
> Hi Frank,
> 
> Currently not using dnsdist.. just installed that in case I want to try 
> special splitting of traffic.
> 
> Currently 
> Pdns Auth (72.14.187.43:53) -> Recursor (127.0.0.1:53)

Can you disable the connection to the recursor and see what happens? Do you get 
different answers, no answers, …?

> 
> Eventually, when traffic goes high, will use dnsdist to load balance multiple 
> Auths and recursors.

The first thing you’d need to do, is separate the auth from the recursor. Even 
with dnsdist, it’s best to completely separate the dnsdist-for-recursors from 
the dnsdist-for-auth.

Regards,

Frank

> That is why I installed dnsdist as an eventual progression.
> 
> Regards,
> 
> Michael


Re: [Pdns-users] Impact of DNSSEC with Sub Domain Zones

2019-03-08 Thread frank+pdns--- via Pdns-users
Hi Asanka,

> Hi All,
> 
> Just want to give you all an update on how this went as I ran into issues 
> with this implementation.
> 
> What I did first:
> Enabled DNSSEC on primary domain (domain.com)
> Added DS Records to domain registrar.
> What worked: All DNS records under the primary zone worked and resolved 
> without any issues.
> What broke : All subdomain DNS zones failed to resolve.


What would have worked is adding NS records in your domain.com zone for the 
subdomains.domain.com. Even if they aren’t signed.

Frank


> 
> Kind Regards,
> Asanka Gunasekara
> 
>> On 5/03/2019 11:24:27 AM, Asanka Gunasekara wrote:
>> 
>> Hi Peter,
>> 
>> Thanks for information. I have done just that :)
>> 
>> Kind Regards,
>> Asanka
>> 
>>> On 26/02/2019 10:31:10 PM, Peter van Dijk wrote:
>>> 
>>> Hello
>>> On 26 Feb 2019, at 5:43, Asanka Gunasekara wrote:
>>> 
>>> > I'm sure this is a pretty dumb question but my knowledge on DNSSEC is 
>>> > very limited so hope you guys/gals can help me out.
>>> >
>>> > We use PowerDNS as our Authoritative DNS and everything is configured 
>>> > here. We use PowerDNS-Admin [https://github.com/ngoduykhanh/PowerDNS-Admin] 
>>> > as our GUI.
>>> >
>>> > I have our primary domain: domain.com and it is split up into several 
>>> > sub-domain zones for ease of management.
>>> > Eg:
>>> > Zone1 - domain.com
>>> > Zone2 - sub1.domain.com
>>> > Zone3 - sub2.domain.com
>>> >
>>> > Q1) If I enable DNSSEC between Zone1 above and domain registrar, would 
>>> > zones 2 and 3 stop functioning?
>>> 
>>> They will keep working, but in insecure mode, as long as there is a 
>>> correct delegation (NS records for Zone2 and Zone3) in Zone1.
>>> 
>>> > Q2) How do I enable DNSSEC on sub zones?
>>> 
>>> For Zone1, you presumably enabled DNSSEC in your Admin and then sent the 
>>> DNSKEY or DS to the parent operator (.com), who then puts a DS in that 
>>> parent zone. For Zone2 and Zone3, you are the parent operator, so enable 
>>> DNSSEC, and then put the DS records in Zone1.
>>> 
>>> Kind regards,
>>> -- 
>>> Peter van Dijk
>>> PowerDNS.COM BV - https://www.powerdns.com/
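Added example (not from this thread, nor code from PowerDNS) illustrating Peter's and Frank's point: given a signed parent zone's `rrsets` in the shape the PowerDNS API returns for GET /api/v1/servers/localhost/zones/domain.com., classify each child zone as not delegated (no NS at the child name, so validators reject the child's unsigned answers), delegated insecurely (NS but no DS, the "insecure mode" Peter describes) or delegated securely (NS plus DS). The rrsets for domain.com, the children sub1/sub2/sub3 and the DS digest are constructed sample data.

```python
"""Delegation check for child zones of a DNSSEC-signed parent zone.

Added example, not code from the thread or from PowerDNS. Input is the
`rrsets` list of the parent zone as the PowerDNS HTTP API returns it;
SAMPLE_PARENT_RRSETS below is constructed test data.
"""
from typing import Dict, Iterable, List


def canonical(name: str) -> str:
    """Lower-case, fully qualified (trailing dot) owner name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def index_rrsets(rrsets: Iterable[Dict]) -> Dict[tuple, List[str]]:
    """Map (owner name, type) -> contents of the enabled records only;
    a disabled record is not served and must not count as a delegation."""
    idx: Dict[tuple, List[str]] = {}
    for rs in rrsets:
        key = (canonical(rs["name"]), rs["type"].upper())
        idx.setdefault(key, []).extend(
            r["content"] for r in rs.get("records", []) if not r.get("disabled", False)
        )
    return idx


def check_delegations(parent: str, parent_rrsets: Iterable[Dict],
                      children: Iterable[str]) -> Dict[str, str]:
    """For every child zone name return one of:
       'missing'  - no NS RRset at the child's name in the (signed) parent:
                    the parent's NSEC/NSEC3 chain proves there is no zone cut,
                    so a validating resolver treats the child's unsigned
                    answers as bogus and the child stops resolving
       'insecure' - NS present, no DS: child resolves, validators treat it
                    as unsigned (the 'insecure mode' in the thread)
       'secure'   - NS and DS present: the child must itself be signed with
                    a key matching that DS
    """
    parent = canonical(parent)
    idx = index_rrsets(parent_rrsets)
    result: Dict[str, str] = {}
    for child in children:
        child = canonical(child)
        if not child.endswith("." + parent):
            raise ValueError(f"{child} is not below {parent}")
        if not idx.get((child, "NS")):
            result[child] = "missing"
        elif idx.get((child, "DS")):
            result[child] = "secure"
        else:
            result[child] = "insecure"
    return result


# Constructed sample: a plausible domain.com as seen through the API.
SAMPLE_PARENT_RRSETS = [
    {"name": "domain.com.", "type": "SOA", "ttl": 3600, "records": [
        {"content": "ns1.domain.com. hostmaster.domain.com. 2019030801 10800 3600 604800 3600",
         "disabled": False}]},
    {"name": "domain.com.", "type": "NS", "ttl": 3600, "records": [
        {"content": "ns1.domain.com.", "disabled": False}]},
    # sub1: delegated, unsigned
    {"name": "sub1.domain.com.", "type": "NS", "ttl": 3600, "records": [
        {"content": "ns1.domain.com.", "disabled": False}]},
    # sub2: delegated and a DS published (digest is made-up sample data)
    {"name": "sub2.domain.com.", "type": "NS", "ttl": 3600, "records": [
        {"content": "ns1.domain.com.", "disabled": False}]},
    {"name": "sub2.domain.com.", "type": "DS", "ttl": 3600, "records": [
        {"content": "12345 13 2 " + "ab" * 32, "disabled": False}]},
    # sub3: only an A record at its apex in the parent, i.e. NOT delegated
    {"name": "sub3.domain.com.", "type": "A", "ttl": 3600, "records": [
        {"content": "192.0.2.10", "disabled": False}]},
]

if __name__ == "__main__":
    report = check_delegations("domain.com", SAMPLE_PARENT_RRSETS,
                               ["sub1.domain.com", "sub2.domain.com", "sub3.domain.com"])
    for child, state in report.items():
        print(f"{child:20} {state}")
```

In a real setup, feed it the `rrsets` from the API response for the parent and the list of child zones you host; every child reported as `missing` is one that Asanka's change would have broken.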

Re: [Pdns-users] Synchronization problem from node

2019-03-12 Thread frank+pdns--- via Pdns-users
Hi 姜伯洋,

> Mar 12 18:29:59 test-ops-dns-1 pdns_server: Unable to AXFR zone 'test.org' from remote '10.3.2.15' (resolver): AXFR chunk error: Server Failure
> Slave node error during synchronization

It seems the AXFR zonetransfer failed.

Could you do a “dig AXFR test.org @10.3.2.15” from the slave and paste the 
output here?

Kind Regards,

Frank Louwers
PowerDNS Consultant



Re: [Pdns-users] Pdns-users Digest, Vol 194, Issue 13

2019-03-12 Thread frank+pdns--- via Pdns-users
Hi,

Ah, your master is running on 5300?

Could you do a "dig AXFR test.org @10.3.2.15 -p 5300" and also show us the 
record from the `domains` table on your slave for test.org?

Frank Louwers
PowerDNS Consultant

> On 12 Mar 2019, at 13:18, 姜伯洋 <1513...@163.com> wrote:
> 
> # dig AXFR test.org @10.3.2.15
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> AXFR test.org @10.3.2.15
> ;; global options: +cmd
> ; Transfer failed.



Re: [Pdns-users] Synchronization error from the node

2019-03-13 Thread frank+pdns--- via Pdns-users
Hi, 

As I asked you yesterday:

Could you do a "dig AXFR test.org @10.3.2.15 -p 5300" and also show us the 
record from the `domains` table on your slave for test.org?

Frank Louwers
PowerDNS Consultant



> On 13 Mar 2019, at 02:59, 姜伯洋 <1513...@163.com> wrote:
> 
> >Mar 12 18:29:58 test-ops-dns-1 pdns_server: Received NOTIFY for test.org from 10.3.2.15
> >Mar 12 18:29:58 test-ops-dns-1 pdns_server: Queueing slave check for test.org
> >Mar 12 18:29:59 test-ops-dns-1 pdns_server: Got NOTIFY for test.org, going to check SOA serial, our serial is 2019031205
> >Mar 12 18:29:59 test-ops-dns-1 pdns_server: Got NOTIFY for test.org, going to check SOA serial
> >Mar 12 18:29:59 test-ops-dns-1 pdns_server: 1 slave domain needs checking, 0 queued for AXFR
> >Mar 12 18:29:59 test-ops-dns-1 pdns_server: Received serial number updates for 1 zone, had 0 timeouts
> >Mar 12 18:29:59 test-ops-dns-1 pdns_server: Domain 'test.org' is stale, master serial 2019031209, our serial 2019031205
> >Mar 12 18:29:59 test-ops-dns-1 pdns_server: Initiating transfer of 'test.org' from remote '10.3.2.15'
> >Mar 12 18:29:59 test-ops-dns-1 pdns_server: gmysql Connection successful. Connected to database 'powerdns' on '10.3.0.12'.
> >Mar 12 18:29:59 test-ops-dns-1 pdns_server: Starting AXFR of 'test.org' from remote 10.3.2.15:53
> >Mar 12 18:29:59 test-ops-dns-1 pdns_server: Unable to AXFR zone 'test.org' from remote '10.3.2.15' (resolver): AXFR chunk error: Server Failure
> ; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> AXFR test.org @10.3.2.15
> ;; global options: +cmd
> ; Transfer failed.
> 
> I don't know if I am executing the order like this.
> My backend is mysql
> And my master has used the 5300 port to provide services.
> I really need help.
> 



Re: [Pdns-users] Pdns-users Digest, Vol 194, Issue 16

2019-03-13 Thread frank+pdns--- via Pdns-users


> On 13 Mar 2019, at 13:11, 姜伯洋 <1513...@163.com> wrote:
> 
> MariaDB [powerdns]> select * from domains;
> +----+----------+-----------+------------+-------+-----------------+---------+
> | id | name     | master    | last_check | type  | notified_serial | account |
> +----+----------+-----------+------------+-------+-----------------+---------+
> |  1 | test.org | 10.3.2.15 | 1552381768 | SLAVE |            NULL |         |
> +----+----------+-----------+------------+-------+-----------------+---------+


Your master server is not running on the default port (53), but on 5300.

Could you change the master field in your database to 10.3.2.15:5300 instead of 
10.3.2.15 and try again?

Kind Regards,

Frank Louwers
PowerDNS Consultant


Re: [Pdns-users] How to create new zone on the API?

2019-03-15 Thread frank+pdns--- via Pdns-users
Hi Corey,

Please note the syntax is incorrect for recent versions of PowerDNS. 

When defining a zone, the records are passed using either the “zone” or the 
“rrsets” parameter. See 
https://docs.powerdns.com/authoritative/http-api/zone.html#objects




> On 15 Mar 2019, at 17:25, co...@bitaccel.com wrote:
> 
> "records": [
>   { "content": "ns.example.net. hostmaster.example.com. 1 1800 900 604800 86400", "disabled": false, "name": "example.net.", "ttl": 86400, "type": "SOA" },
>   { "content": "192.168.1.42", "disabled": false, "name": "www.example.net.", "ttl": 3600, "type": "A" }
> ]

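Added example (not from the thread, nor code from the PowerDNS project) of the request shape Frank points at: the records of the quoted message rebuilt as `rrsets` objects and posted to the zones endpoint. The API base URL http://127.0.0.1:8081, the server id `localhost`, the `Native` zone kind and the PDNS_API_KEY environment variable are assumptions for the example.

```python
"""Create a zone through the PowerDNS Authoritative HTTP API using `rrsets`.

Added example, not code from the mailing-list post or from PowerDNS.
Assumptions: API at http://127.0.0.1:8081 with server id "localhost" and
the key in $PDNS_API_KEY. The record data is the sample from the quoted
message (example.net / ns.example.net / 192.168.1.42).
"""
import json
import os
import urllib.request
from typing import Dict, List

API_URL = "http://127.0.0.1:8081/api/v1/servers/localhost"  # assumed


def canonical(name: str) -> str:
    """The API wants fully qualified names, i.e. with a trailing dot."""
    return name if name.endswith(".") else name + "."


def rrset(name: str, rtype: str, ttl: int, contents: List[str]) -> Dict:
    """One RRset as the Zone object expects it: all records of one
    name/type together, each record carrying only content/disabled."""
    return {
        "name": canonical(name),
        "type": rtype.upper(),
        "ttl": int(ttl),
        "records": [{"content": c, "disabled": False} for c in contents],
    }


def zone_payload(zone: str, rrsets: List[Dict], kind: str = "Native") -> Dict:
    """Body for POST .../zones. Records go in `rrsets` (or a zonefile text
    in `zone`), not in the top-level `records` list of the older API shape
    the quoted request used."""
    zone = canonical(zone)
    # Merge duplicate (name, type) pairs: an RRset must be listed only once.
    merged: Dict[tuple, Dict] = {}
    for rs in rrsets:
        key = (rs["name"].lower(), rs["type"])
        if key in merged:
            merged[key]["records"].extend(rs["records"])
        else:
            merged[key] = dict(rs, records=list(rs["records"]))
    # Refuse owner names outside the zone; the server would reject them too.
    for (name, _), rs in merged.items():
        if not (name == zone.lower() or name.endswith("." + zone.lower())):
            raise ValueError(f"{rs['name']} is not inside {zone}")
    return {"name": zone, "kind": kind, "rrsets": list(merged.values())}


def create_zone(payload: Dict, api_key: str, base: str = API_URL) -> Dict:
    """POST the zone; returns the Zone object the server sends back."""
    req = urllib.request.Request(
        f"{base}/zones",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def example_payload() -> Dict:
    """The quoted SOA and A record, plus an NS record so the apex is complete."""
    return zone_payload("example.net", [
        rrset("example.net", "SOA", 86400,
              ["ns.example.net. hostmaster.example.com. 1 1800 900 604800 86400"]),
        rrset("example.net", "NS", 86400, ["ns.example.net."]),
        rrset("www.example.net", "A", 3600, ["192.168.1.42"]),
    ])


if __name__ == "__main__":
    body = example_payload()
    print(json.dumps(body, indent=2))
    key = os.environ.get("PDNS_API_KEY")
    if key:  # only talk to the server when a key was provided
        print(create_zone(body, key))
```

Without PDNS_API_KEY set the script only prints the JSON it would send, which is a convenient way to diff a payload against the Zone object definition in the docs before pointing it at a real server.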


Re: [Pdns-users] How to switch between two different "zone" files for the same domain?

2019-04-01 Thread frank+pdns--- via Pdns-users
Hi Lucky,

> 
> The backend is going to determine what can be done and I am not seeing that 
> below.  There are many option depending on how complex the changes are in 
> that zone in the DR site.  If you have a similar IP subnet scheme in a /23 or 
> /24 with the same 4th octet and the backend is a database, then a script 
> could easily zap the A records in that zone.  If the number of hosts at the 
> DR site is relatively small, then a script could create/update /etc/hosts 
> entries on the PDNS server and then serve that via 
> "etc-hosts-file=/etc/hosts”.

What you could do as well, is put a dnsdist instance in front of your NS. You 
could then have two pdns instances, one hosting the “main version” of the 
domains, one hosting the DR version.  Define both as a separate pool in 
dnsdist, sending all traffic by default to main one.

Then, when a domain needs to be moved to the DR, you could then change the 
dnsdist config to use the “DR” pool for that domain.

Regards,

Frank Louwers
PowerDNS Consultant @ Kiwazo



Re: [Pdns-users] VPN - Overriding master/slave ip

2019-04-17 Thread frank+pdns--- via Pdns-users
Hi Mike,

> Ideally, what I'd want is for the hidden master and the slaves all
> to have a vpn between them, with the master and slaves having a shared
> private internal ip address range between them. This is easy to do with
> OpenVPN. The missing part seems to be the ability to explicitly state
> which source ip the master will use to notify the slaves. May it's a
> different source IP per slave, in some setups. It would further be nice
> to tell the server to not even bother sending notifies to the NS records
> of the zone and instead using only an explicit notify list, also
> possibly per zone.
> 
> I have tried various games with with routing, nat, fwmarks, and so
> forth, and I can bludgeon things into mostly - but not entirely -
> working. Lot of work for something that could more or less be automatic
> and with a lot less configuration if we just had additional config
> controls to set the above properties. 

On most POSIX systems, if your peers are “directly connected”, then the correct 
source ip will always be used.

So in your case, let’s imagine you have an OpenVPN setup between both servers, 
and your hidden master is using ip 10.1.2.1/24, and your pdns-master is using 
ip 10.1.2.2/24. I would then do three things:

- tell the hidden master to only accept udp/tcp port 53 connections from 
10.1.2.2. 
- tell the hidden master to send notifies to 10.1.2.2.
- tell the pdns “slave” master to use 10.1.2.1 as supermaster.

Once you’ve done this, there’s no need to force source ips etc, as they will 
always be the “correct” one, as long as you don’t define aliases on the OpenVPN 
interface of course.

Kind Regards,

Frank

> 
> Just my random thoughts. Powerdns is awesome..
> 
> 
> Mike-
> 



Re: [Pdns-users] pdns server api access leads to "Internal Server Error"

2019-05-07 Thread frank+pdns--- via Pdns-users
Hi Tobi,
> 
> curl -X GET -H 'X-API-Key: MY_API'
> http://127.0.0.1:8081/api/v1/servers/localhost/zones/mydomain.tld
> 
> I get a http 500 "Internal Server Error" message. Like said it's the
> only query that fails. Any other for example
> 
> 
> Anyone an idea what goes wrong here?
> Can I somehow enable debug of the api part of pdns?


That API endpoint is certainly correct and should work. Do you only have that 
problem with a particular zone or with all zones? Is the zone very large by 
chance?

The best way to start debugging this, is first to check if pdns itself can 
access the zone and the zone looks “sane” (do a pdnsutil list-zone domain.tld, 
and a pdnsutil check-zone domain.tld). If that looks fine, then I would enable 
/ increase logging of the API component and see if the logs tell you something 
more.

Kind Regards,

Frank Louwers
PowerDNS Certified Consultant


Re: [Pdns-users] pdns server api access leads to "Internal Server Error"

2019-05-07 Thread frank+pdns--- via Pdns-users
Hi Tobi,

> 
> is there a switch to just enable debug for api or has the debug to be
> enabled globally? Will try with debug and let the list know my findings :-)

Pre 4.2, this has to be done globally. See the “loglevel” parameter: 
https://docs.powerdns.com/authoritative/settings.html#loglevel

Could you also show us a full copy of the pdns.conf file, and a "select *” from 
the domains, records and domainsmetadata SQL tables?

Frank


Re: [Pdns-users] pdns server api access leads to "Internal Server Error"

2019-05-07 Thread frank+pdns--- via Pdns-users
Hi Tobi,

> 
>> HTTP ISE for "/api/v1/servers/localhost/zones/REDACTED.tld": STL
>> Exception: Parsing record content (try 'pdnsutil check-zone'): Data
>> field in DNS should start with quote (") at position 0 of 'v=spf1
>> -all'
> 

It seems you’ve hit https://github.com/PowerDNS/pdns/issues/6070


> p.s. it's difficult to provide you with our domains and records as they
> contain customers stuff. Especially we could not do that onlist. But now
> I think the source of error is narrowed down anyway :-)

I completely understand and am very happy to send you my standard NDA agreement 
and very reasonable consulting rates if you reply to me off list.

Kind Regards,

Frank Louwers
Certified PowerDNS Consultant
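Added example (not from the thread, nor code from PowerDNS) of the fix behind that parser error: TXT content must be stored in presentation format, i.e. one or more double-quoted strings of at most 255 bytes each, with `"` and `\` escaped. The functions below quote raw content the way the parser expects and scan rows shaped like the `records` table for unquoted TXT/SPF entries; the rows are constructed sample data, not anyone's customer records.

```python
"""Normalise TXT record content to the quoted form PowerDNS expects.

Added example, not code from the thread or from PowerDNS. Unquoted content
such as  v=spf1 -all  makes the zone unparsable for the API (the log line
quoted above); SAMPLE_ROWS below is constructed test data in the shape of
the `records` table.
"""
import re
from typing import Dict, Iterable, List

MAX_CHARACTER_STRING = 255  # RFC 1035: one <character-string> holds at most 255 bytes


def _escape(chunk: bytes) -> str:
    """Escape one chunk: quotes and backslashes get a backslash, anything
    outside printable ASCII is written as a \\DDD decimal escape."""
    out = []
    for b in chunk:
        c = chr(b)
        if c in '"\\':
            out.append("\\" + c)
        elif 0x20 <= b < 0x7F:
            out.append(c)
        else:
            out.append("\\%03d" % b)
    return "".join(out)


def quote_txt(raw: str) -> str:
    """Turn raw text into quoted <character-string>s, splitting every 255
    bytes of the UTF-8 encoding (bytes, not characters, are what count)."""
    data = raw.encode("utf-8")
    chunks = [data[i:i + MAX_CHARACTER_STRING]
              for i in range(0, len(data), MAX_CHARACTER_STRING)] or [b""]
    return " ".join('"' + _escape(c) + '"' for c in chunks)


# A sequence of quoted strings, each allowing backslash escapes inside.
_QUOTED_STRINGS = re.compile(r'^\s*"(?:[^"\\]|\\.)*"(?:\s+"(?:[^"\\]|\\.)*")*\s*$')


def is_presentation_txt(content: str) -> bool:
    """True when the content already is one or more quoted strings."""
    return bool(_QUOTED_STRINGS.match(content))


def find_unquoted_txt(rows: Iterable[Dict]) -> List[Dict]:
    """Return the TXT/SPF rows whose content would trip the parser, each
    with a `fixed` value that can be written back via SQL or the API."""
    bad = []
    for row in rows:
        if row["type"].upper() in ("TXT", "SPF") and not is_presentation_txt(row["content"]):
            bad.append(dict(row, fixed=quote_txt(row["content"])))
    return bad


# Constructed sample rows, same columns as the records table
SAMPLE_ROWS = [
    {"id": 1, "name": "example.tld", "type": "TXT", "content": "v=spf1 -all"},
    {"id": 2, "name": "example.tld", "type": "TXT", "content": '"v=spf1 mx -all"'},
    {"id": 3, "name": "_dmarc.example.tld", "type": "TXT",
     "content": 'v=DMARC1; p=reject; rua=mailto:"dmarc"@example.tld'},
    {"id": 4, "name": "example.tld", "type": "A", "content": "192.0.2.1"},
]

if __name__ == "__main__":
    for row in find_unquoted_txt(SAMPLE_ROWS):
        print(f"id={row['id']} {row['name']}: {row['content']!r} -> {row['fixed']}")
```

Run the scan against a `select id,name,type,content from records where type in ('TXT','SPF')` export before touching anything; `pdnsutil check-zone`, as the error message suggests, reports the same rows but does not tell you what the corrected content should look like.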


Re: [Pdns-users] recursor 4.2.0-beta1 fails to resolve p4.no

2019-05-08 Thread frank+pdns--- via Pdns-users
Hi Pieter,

I can confirm it does NOT work on my 4.2.0-beta1 (Debian version from the PDNS 
repo).

Trace logs can be found here:

https://gist.github.com/franklouwers/cd310d80fef603394cc2fb77d3098fb5

Kind Regards,

Frank


> On 8 May 2019, at 09:50, Pieter Lexis wrote:
> 
> Hi Øystein,
> 
> 
> I can resolve p4.no without issue on 4.2.0. Can you start the recursor
> with the `trace` option set and provide the logs if it still fails?
> 
> Best regards,
> 
> Pieter



Re: [Pdns-users] recursor 4.2.0-beta1 fails to resolve p4.no

2019-05-08 Thread frank+pdns--- via Pdns-users
Hi Brian,

They do work if you specify +noedns

Frank

> On 8 May 2019, at 10:46, Brian Candler wrote:
> 
> On 08/05/2019 09:07, Brian Candler wrote:
>> From here (UK), that domain looks a bit broken - see the FORMERR response 
>> from the authoritative servers.  I have tried from two different networks 
>> and get the same response. 
> 
> The nameserver A records for this domain are also toast.  The glue records 
> have these IPs for ns1/ns2.netclient.no:
> 
> $ dig +norec @x.nic.no. ns1.netclient.no. a
> ...
> ;; ADDITIONAL SECTION:
> ns1.netclient.no.    7200    IN    A    213.179.58.78
> ns2.netclient.no.    7200    IN    A    89.105.33.114
> ns2.netclient.no.    7200    IN    A    213.162.232.67
> ...
> 
> But trying to get authoritative answers I get FORMERR from all of these.
> 
> $ for a in 213.179.58.78 89.105.33.114 213.162.232.67; do for h in 
> ns1.netclient.no. ns2.netclient.no.; do dig +norec "@$a" "$h" a; done; done | 
> grep status:
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 29160
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 36959
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 37955
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 24754
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 65007
> 
> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 1677
> 
> I can't see how this domain ever resolves unless you already have the answer 
> in your cache.  Even the best-known resolvers have problems with it:
> 
> $ dig @8.8.8.8 ns2.netclient.no
> 
> ; <<>> DiG 9.10.6 <<>> @8.8.8.8 ns2.netclient.no
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> However, on a retry, it *did* resolve somehow.
> 
> Regards,
> 
> Brian.
> 



Re: [Pdns-users] DNSSEC with MySQL backend and replication

2019-05-16 Thread frank+pdns--- via Pdns-users
Hi Alun,

> We currently edit records by way of PowerAdmin, which updates the master 
> database directly and so “PowerDNS Auth A” instance is not actually used or 
> interacted with, normally. Zone/record updates are replicated to the “edge” 
> Auth servers (B and C) via MySQL replication. We would like to enable DNSSec 
> on a few of our domains, at least as a proof of concept. A few questions…
>  
> I assume I need to enable gmysql-dnssec on ALL PowerDNS Auth instances (A,B 
> and C)?
> Will PowerDNS commands to enable DNSSec signing of a zone need executed on 
> “PowerDNS Auth A” ONLY (which will add the relevant records to the database 
> and replicate them to B and C)?
> Given that PowerAdmin talks directly to the database, any record changes here 
> likely to cause a problem with these signed domains?
> Should I look at a newer GUI that implements the DNSSec commands and 
> interacts with PowerDNS API instead?

This is a setup we’ve built a few times for customers of ours, with these exact 
same components (we usually do add dnsdist for easier DDoS and abuse 
mitigation).

Unless you have a large number of queries against your nameservers, I would 
recommend to do “online signing” in PowerDNS, as described in 
https://docs.powerdns.com/authoritative/dnssec/modes-of-operation.html#online-signing. 
In that mode, only the keys are stored in the database, and thus you’d need to 
enable this feature on each of your PowerDNS auth servers.

Once you configure all instances to handle DNSSEC, there’s nothing extra to 
configure: the key info is stored in the database, the flags that enable dnssec 
are stored in the database, so as long as your replication works, you’re good!

While you could continue to work directly in the database, we do recommend 
people to use the API. When enabling DNSSEC, it’s very important to “rectify” the 
database structure after all changes. Using the API, this becomes much easier 
than fiddling with the DB directly. PowerAdmin can be configured to talk 
directly to the API.

As a precaution, I would enable the API only on the main PowerDNS server, and 
would grant the PowerDNS “slaves” read-only access to their own databases, to 
prevent accidental changes in these nodes.

Hope this helps!

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo


>  
> Thanks in advance…
>  
> Regards,
>  
> Alun.


Re: [Pdns-users] DNSSEC same key for all

2019-05-20 Thread frank+pdns--- via Pdns-users
Hi Azur,

It’s possible to do so, by manipulating the database directly (see the 
cryptokeys table).

However, let’s take a step back: what problem are you trying to solve? As far 
as I know, there’s not a single TLD where the use of KEYSETs is mandatory. Some 
offer it as an extra feature, but I am not aware of any TLD where this would be 
mandatory.

Kind Regards,

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo.be


Re: [Pdns-users] DNSSEC same key for all

2019-05-20 Thread frank+pdns--- via Pdns-users
Hi Azur,

Ha, indeed, it seems they did…

Best practice would still be to have a 1:1 relationship between a keyset and a 
domain, so create a new keyset for every dnssec-domain.

If you do want to reuse your dnssec keys, you have a few options:

- fiddle with the custom query options in pdns.conf to return “the correct 
record” for a domain, maybe based on a view in the db?

- keep the “golden” cryptokey you want to use somewhere in your code, and use 
the API or the DB to insert that particular key as the domain’s cryptokey. 
Disadvantage: whenever you want to change the key, you’d have to update all the 
cryptokey records

- rethink everything, go the recommended route and use a different DS/KEYSET 
for every domain (which means creating a new KEYSET for every domain)

Kind Regards,

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo.be







> On 20 May 2019, at 10:41, azu...@pobox.sk wrote:
> 
> Hi Frank,
> 
> it's mandatory for .CZ domains, so if you don't sign every domain with the 
> same key, you need to register a KEYSET for every domain. So this is what i'm 
> trying to solve.
> 



Re: [Pdns-users] pdns-recursor delegate some queries to another recursor

2019-05-20 Thread frank+pdns--- via Pdns-users
> wonder if the following is possible somehow with pdns-recursor. Our main
> recursor A sometimes has problems talking to some auth servers. In the
> same time another recursor B in our network still can talk to such an
> auth server.
> 
> So we wonder if we could somehow send queries for such auth servers via
> the other recursor. The decision to send queries to the other box is
> based on the IP address of the auth server. The idea is to route such
> queries from recursor A to recursor B while all other queries from
> recursor A should still be sent without recursor B.
> 
> Is something like that possible in pdns-recursor or do we have to use a
> tool like dnsdist?

Hi Tobi,

I recommend using dnsdist for this use-case! Sending traffic to backend dns 
servers is what dnsdist is made for!

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo.be


Re: [Pdns-users] pdns-recursor delegate some queries to another recursor

2019-05-20 Thread frank+pdns--- via Pdns-users
Hi Tobi,

Nico is completely right: it sounds like the wrong solution for your problem. 
If your provider has issues reaching that destination, then the solution would 
be to have your provider fix the reachability issue. Note that the second 
reason you mention (src address rate limiting) won’t be fixed by implementing 
this solution…

If you *do* want to solve it at the configuration layer: do you have a list of 
domains that should use the other resolver?

If not, this is going to be more complex, as you’d need to first resolve the NS 
for the domain, then match that NS to set the backup resolver.

Frank


> On 20 May 2019, at 18:19, Nico CARTRON wrote:
> 
> While it's true that what Frank suggested is totally doable with dnsdist (and
> actually one of its missions), it would be interesting though to understand why
> one of your recursors has issues to reach the authoritative server, and another
> recursor has no issue.
> 
> A couple of questions:
> - are they running the same Recursor version?
> - are they on the same network / same site / faced by the same network
>   equipment, if any (e.g. firewall) / any ACL in place
> - which OS are they running (if differences between the 2)
> 
> Cheers,



Re: [Pdns-users] pdns-recursor delegate some queries to another recursor

2019-05-21 Thread frank+pdns--- via Pdns-users
Hi Tobi,

I managed an MSP for more than 15 years, we moved a lot of email as well, so I 
feel your pain.

However, in all cases (about a handful that I can recall over that time) 
where we had real reachability issues, we routed the other AS using a different 
network path. In BGP speak: we preferred a different next-hop for that 
particular AS or prefix. This is still my advice to fix your problem and to be 
honest: it’s the only real fix. Because once you’ve solved the resolving 
problem, next up is the mail delivery problem: if you have issues reaching the 
nameservers of that particular network, you’re going to have issues reaching 
the mailservers as well.

If you do want to solve at what I still feel is the incorrect place, and you 
don’t have the list of domain names only the ip-addresses of the nameservers, 
then things get complicated, as you need 2 dns requests, and that’s not 
something dnsdist would easily fix.

What you might do, but again, this is very ugly and will bite you some day:

I am just freewheeling here, no idea if this will actually work, there could be 
design flaws in here, disclaimer, yadayadayada. Imagine your primary resolver 
has ip 10.10.10.10, your backup resolver has ip 10.200.200.200, and 
192.168.123.123 is the “problem ip” of the remote auth server.

Setup:
- ip 10.10.10.10 on eth0, pdns_recursor binds on port 53 of this ip and of 
localhost
- add 10.10.10.11 as alias, dnsdist binds on port 53 of this ip. Make sure 
dnsdist uses ip 10.10.10.11 for all outbound ip connections
- add an iptables DNAT rule to rewrite all packets with source ip 10.10.10.10, 
destination ip 192.168.123.123, destination port 53 to destination ip 
10.10.10.11


Flow:
- have the query arrive at the resolver ip
- resolver will do its job, and notice that the auth NS has ip 192.168.123.123
- resolver dispatches the Q to the dnsdist on 192.168.123.123, which gets 
rewritten to 10.10.10.11, our local dnsdist
- dnsdist then dispatches the Q to 10.200.200.200 (you’d probably need to 
fiddle with the flags at this point).

But again: this is ugly, very ugly, and I feel it’s the worst solution to your 
problem, in my 20+ years experience as a network engineer and MSP-manager.

You might also get away with longer TTLs on the problematic NS records?

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo.be

> On 21 May 2019, at 07:51, Tobi wrote:
> 
> Brian
> 
>> In any case, it's the responsibility of the authoritative domain owner
>> to host their domain on at least two different ASes (RFC 2182), if
>> they care about people being able to resolve it.
> 
> Fully agree with that, but our customer is not interested why he cannot
> send a mail to the other end of the world. It just needs to work :-) We
> had such problems where after a 5 day investigation by our provider they
> found out that such a BGP issue occurred somewhere in the world with
> their peering partner.
> 
>> An authoritative server with that sort of limit, such as could affect
>> a single end-user site, would be completely broken IMO.
> 
> who said it's concerning my homebrew dns server? That issue occurred on
> our resolvers at the company where I work. We're working in the email
> filtering business and we have quite a lot of dns queries per day.
> 
> Frank
> 
>> Note that the second reason you mention (src address rate limiting)
>> won’t be fixed by implementing this solution…
> 
> true, not fixed as in "not occur anymore" but fixed as in "more than one
> src address --> more queries in total before per SRC address limits kick in"
> 
> 
>> If you *do* want to solve it at the configuration layer: do you have a
>> list of domains that should use the other resolver?
> 
> that's our "problem": we only have the IP address(es) of the authoritative
> nameservers we want to reach via the 2nd resolver.
> 
> 
> Cheers
> 
> --
> 
> tobi
> 
> On 20.05.19 at 20:43, Brian Candler wrote:
>> On 20/05/2019 17:57, Tobi wrote:
>>> - BGP routing issues (ex from Provider 1 you can reach target and from
>>> provider 2 not)
>> 
>> That happens, but very rarely in my experience.  In any case, it's the
>> responsibility of the authoritative domain owner to host their domain on
>> at least two different ASes (RFC 2182), if they care about people being
>> able to resolve it.
>> 
>>> - per SRC limits on the recipient side
>> 
>> An authoritative server with that sort of limit, such as could affect a
>> single end-user site, would be completely broken IMO.
>> 
>> If you can replicate this issue, then I think it would be worth drilling
>> down further with tests to prove or disprove these theories.  It sounds
>> more likely that the problem is local to you, either in your network, or
>> with your upstream provider - especially if this affects a wide range of
>> domains and not just a specific few.  However, routing issues in your
>> part of the world may be different to what I see here (in the UK).
>> 

Re: [Pdns-users] pdns-recursor delegate some queries to another recursor

2019-05-21 Thread frank+pdns--- via Pdns-users


> On 21 May 2019, at 12:06, Tobi wrote:
> 
> Hi Frank
> 
> fully agree that this is very very very ugly. We never considered this a
> "longterm" solution but just as a temporary fix until the problem is
> solved upstream.
> 
>> I managed an MSP for more than 15 years, we moved a lot of email as
>> well, so I feel your pain.
> 
> then you know it's very hard to explain to a customer why a certain sender
> could not send him mail although the same mail arrives on his private
> account with a big ESP. Or explain to him why we cannot deliver his mail to
> the recipient although when he sends from his ESP all works well :-)

Yes, and there are a lot of factors involved. If the reachability of that ISP 
really is the problem, then you’d need to fix your network. Fixing it on a DNS 
layer isn’t going to help much…

Frank

> 
> Thanks a lot for your detailed answer. We thought about iptables too,
> but hoped that there is a pdns/dnsdist-only solution. Using iptables
> makes that very ugly idea even worse ;-)
> 
> 
> Have a good one
> 
> --
> 
> tobi
> 

Re: [Pdns-users] Postfix as master+slave. How to prevent supermasters from being able to create subzones for NATIVE domains?

2019-05-23 Thread frank+pdns--- via Pdns-users
Hi Sander,

Do you want this for a fixed set of “domain.com” domains or for “any domain that 
is configured in pdns as a native domain”?

If the first, have a look at the LUA-AXFR-SCRIPT functionality. You define a 
(lua) script that gets executed after the AXFR has been done, but before the 
domain is committed to the backend. You could block the commit by returning an 
error. See my blog post https://www.frank.be/when-your-notify-wont-work/ where I 
used the LUA-AXFR-SCRIPT functionality for a different use case.

However, this won’t prevent the domain from being written to the domains table 
in the backend, so you’d have to lab what happens in your version of pdns if 
you get the desired behaviour. Also note that you need to define the script on 
a per-domain level. So you’d need another mechanism to update the backend for 
each newly discovered domain. (Database trigger might help).

Another option would be to intercept the NOTIFYs with a script, check if the 
zone you receive the notify for matches the sub.domain.com regexp, query the 
pdns master for a SOA for domain.com, then either drop the notify, or pass it to 
your pdns instance.

Kind Regards,

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be 

> On 23 May 2019, at 07:54, sandermo...@telenet.be wrote:
> 
> Hi,
> 
> We have a DirectAdmin server which internally is using a BIND nameserver. We 
> also have a PowerDNS server which is acting as a master for domains 
> configured as NATIVE and it's also acting as a slave for the domains added in 
> DirectAdmin.
> This is done by configuring the IP address of the DirectAdmin server in the 
> supermasters table. All working as expected.
> 
> Now, we noticed that if we configure "domain.com" as a NATIVE domain in 
> PowerDNS it is still possible to configure "sub.domain.com" in DirectAdmin and 
> powerdns will accept the subzone from the supermaster.
> This way users on our DirectAdmin server can break configurations for domains 
> configured as NATIVE.
> 
> We need a way for PowerDNS to reject all *.domain.com subzones from any 
> supermaster if the main domain is configured as NATIVE.
> 
> Is there a way to do this?
> 
> Thanks
> 
> Sander


Re: [Pdns-users] Postfix as master+slave. How to prevent supermasters from being able to create subzones for NATIVE domains?

2019-05-23 Thread frank+pdns--- via Pdns-users


> On 23 May 2019, at 10:20, sandermo...@telenet.be wrote:
> 
> Hi Frank,
> 
> Intercepting the NOTIFYs with a script sounds like a good idea but can this 
> be done with PowerDNS?
> Or do you mean writing a custom script that acts as a notify proxy/filter?
> 

Yes, use a separate notify proxy/filter. There are multiple scripts that you 
can use as a base for this, eg: https://fanf.livejournal.com/134988.html (or use 
GitHub to search for DNS NOTIFY once GitHub is back up).

You could probably construct a mysql trigger that handles everything btw. 
Create a before insert trigger on the domains table, check if the new record 
is of type slave. If so, split it into parts, and for each part, check if that 
domain already exists as a native domain. If so: drop the insert.

Regards,

Frank

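Frank's two suggestions in this thread (a NOTIFY proxy/filter in front of pdns, and a BEFORE INSERT trigger on the domains table) come down to the same check: walk the parents of the incoming zone name and refuse it if one of them is configured as NATIVE. The block below is an added example, not code from PowerDNS or from either poster: it parses a constructed NOTIFY packet, applies that parent walk against a constructed stand-in for the domains table, and generalizes the single sub.domain.com regexp from the thread to any depth. It implements the decision only; relaying an accepted packet to pdns and its reply back is left to the caller. The domain names, the `DOMAINS` dict and the function names are assumptions.

```python
"""Added example: NOTIFY filtering policy for subzones of NATIVE domains.
Not PowerDNS code; the domains table below is a constructed stand-in."""
import struct

OPCODE_NOTIFY = 4   # RFC 1996
QTYPE_SOA = 6

# Constructed stand-in for the pdns `domains` table: name -> type.
DOMAINS = {
    "domain.com": "NATIVE",
    "other.org": "SLAVE",
    "sub.other.org": "SLAVE",
}


def parse_qname(packet: bytes, offset: int):
    """Decode an uncompressed QNAME at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def notify_zone(packet: bytes):
    """Zone name a NOTIFY asks about, or None if the packet is not a SOA NOTIFY."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    opcode = (flags >> 11) & 0xF
    if flags & 0x8000 or opcode != OPCODE_NOTIFY or qdcount != 1:
        return None  # a response, or not a NOTIFY at all
    name, off = parse_qname(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return name if qtype == QTYPE_SOA else None


def parents_of(name: str):
    """Proper parents of a name, closest first: 'a.b.c' -> ['b.c', 'c']."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def native_parent(name: str, domains=DOMAINS):
    """Closest parent of `name` that is configured as NATIVE, or None.
    This is the same walk a BEFORE INSERT trigger on `domains` would do."""
    for parent in parents_of(name):
        if domains.get(parent, "").upper() == "NATIVE":
            return parent
    return None


def should_forward(packet: bytes, domains=DOMAINS):
    """Decide whether to pass a NOTIFY on to pdns. Returns (bool, reason)."""
    zone = notify_zone(packet)
    if zone is None:
        return False, "not a NOTIFY for SOA"
    parent = native_parent(zone, domains)
    if parent:
        return False, f"{zone} is below NATIVE zone {parent}"
    return True, "ok"


def build_notify(zone: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal NOTIFY (header + SOA question) for testing only."""
    flags = (OPCODE_NOTIFY << 11) | 0x0400  # opcode NOTIFY, AA set, QR clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in zone.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_SOA, 1)


if __name__ == "__main__":
    for z in ("sub.domain.com", "deep.sub.domain.com", "sub.other.org", "domain.com"):
        print(z, should_forward(build_notify(z)))
```

Note that a NOTIFY for the NATIVE zone itself is still forwarded: the policy only blocks subzones, which is what Sander asked for; pdns ignores a NOTIFY for a zone it does not slave anyway.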


Re: [Pdns-users] how to handle a subdomain

2019-05-23 Thread frank+pdns--- via Pdns-users
Hi Hanns,

Could you show us the output of the following commands:

- pdnsutil list-zone bruecko.de
- pdnsutil list-zone list.bruecko.de
- pdnsutil check-zone bruecko.de

Thanks!

Frank


> On 23 May 2019, at 16:29, ha...@hannsmattes.de wrote:
> 
> Hi,
> 
> after nearly a decade I had to upgrade my server, which is located at
> Hetzner.
> 
> The Jump from Opensuse 11.4 to OS 15 went quite smooth, so did the
> upgrade from an ancient pdns-version. I simply had to upgrade the
> configuration and delete all recursion-related statements. Since then,
> ns1.bruecko.de is (ldap backend) serving my domains as expected.
> 
> What used to work and doesn't anymore:
> 
> There is a Sub-Domain list.bruecko.de under bruecko.de (to use with
> mailman, btw.). Worked before. This is now leading to a servfail - lame
> server resolving. As far as I understand, this might be related to the
> handling of recursion.
> 
> I've found some scenarios in the documentation, but being a dns-idiot I
> don't know, which one applies.
> 
> How do I configure pdns (and/or powerdns-recursor and/or dnsdist and
> whatever) to achieve the "old" behaviour.
> 
> Any hint appreciated
> 
> Thanks in advance
> 
> Hanns
> 


Re: [Pdns-users] how to handle a subdomain

2019-05-24 Thread frank+pdns--- via Pdns-users
Hi Hanns,

Thanks for the output.

>> 
>> - pdnsutil list-zone bruecko.de
> 
> $ORIGIN .
> 
> list.bruecko.de            3600 IN A    88.198.91.235
> list.bruecko.de            3600 IN MX   10 mail.bruecko.de.
> list.bruecko.de            3600 IN NS   ns1.bruecko.de.
> list.bruecko.de            3600 IN NS   robotns2.second-ns.de.
> list.bruecko.de            3600 IN NS   robotns3.second-ns.com.
> list.bruecko.de            3600 IN TXT  "v=spf1 ip4:88.198.91.232/29 ip4:213.239.197.36 mx a:smtp.bruecko.de include:bruecko.de ?all"
> mail._domainkey.bruecko.de 3600 IN TXT  "v=DKIM1; p=" "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBDNQm+eP40CrU01df8uWcSdS9" "Y6AsQzORYEfvd+i27nkoAnhvL6XqHZ906sLRmdzwz+h+kTFevT1xjWl06DlPu3NF" "tuAhAfTmH9kY5r2W8URoz/mQ41dzT4RPeJ7oXjqk9FdRc5Z+nzDuSi4LIpXuaUrk" "4AOnJeMnPmCqfFTlkQIDAQAB"

I would remove the 3 NS records for list.bruecko.de from the bruecko.de zone. 
Either you create list.bruecko.de as a new zone (and then you need the NS), or 
you include the list. records in the main zone (as you did), but then you don’t 
need the NS records.
> 
>> - pdnsutil check-zone bruecko.de
> 
> [Warning] 'list.bruecko.de|A' in zone 'bruecko.de' is occluded by a delegation at 'list.bruecko.de'
> [Warning] 'list.bruecko.de|MX' in zone 'bruecko.de' is occluded by a delegation at 'list.bruecko.de'
> [Warning] 'list.bruecko.de|TXT' in zone 'bruecko.de' is occluded by a delegation at 'list.bruecko.de'
> Checked 37 records of 'bruecko.de', 0 errors, 3 warnings.
> 
> 
> 

Let me know if this helps!

Regards,



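The warnings above are what happens when NS records sit below the apex inside the same zone: everything at or under that name now belongs to the delegated child, so the A, MX and TXT records stay in the database but are never served. The block below is an added example, not pdnsutil's own check: it reproduces the occlusion test over a constructed copy of the records from the thread (the SOA and apex NS are placeholders), and shows the zone is clean once the three NS records at list.bruecko.de are dropped, which is the fix Frank recommends. Treating A/AAAA records of in-bailiwick NS targets as glue rather than as occluded data, and all function names, are assumptions of this example.

```python
"""Added example, not pdnsutil code: find records occluded by an in-zone
delegation, the condition `pdnsutil check-zone` warned about above."""

APEX = "bruecko.de"

# Constructed from the records shown in the thread: (owner, type, rdata).
# SOA and apex NS are invented placeholders so the zone is complete.
RECORDS = [
    ("bruecko.de", "SOA", "ns1.bruecko.de. hostmaster.bruecko.de. 1 3600 900 604800 3600"),
    ("bruecko.de", "NS", "ns1.bruecko.de."),
    ("list.bruecko.de", "A", "88.198.91.235"),
    ("list.bruecko.de", "MX", "10 mail.bruecko.de."),
    ("list.bruecko.de", "NS", "ns1.bruecko.de."),
    ("list.bruecko.de", "NS", "robotns2.second-ns.de."),
    ("list.bruecko.de", "NS", "robotns3.second-ns.com."),
    ("list.bruecko.de", "TXT", '"v=spf1 ip4:88.198.91.232/29 mx ?all"'),
    ("mail._domainkey.bruecko.de", "TXT", '"v=DKIM1; p=..."'),
]


def norm(name: str) -> str:
    return name.rstrip(".").lower()


def at_or_below(name: str, cut: str) -> bool:
    name, cut = norm(name), norm(cut)
    return name == cut or name.endswith("." + cut)


def delegation_points(apex, records):
    """Owner names below the apex that carry NS records (zone cuts)."""
    return {norm(n) for n, t, _ in records if t == "NS" and norm(n) != norm(apex)}


def glue_names(records, cuts):
    """NS targets inside a delegated subtree; their A/AAAA records are glue."""
    glue = set()
    for n, t, rdata in records:
        if t == "NS" and norm(n) in cuts:
            target = norm(rdata)
            if any(at_or_below(target, cut) for cut in cuts):
                glue.add(target)
    return glue


def occluded(apex, records):
    """(name, type) pairs that a resolver will never see because a
    delegation above them hands the subtree to other nameservers."""
    cuts = delegation_points(apex, records)
    glue = glue_names(records, cuts)
    hidden = []
    for n, t, _ in records:
        name = norm(n)
        for cut in cuts:
            if not at_or_below(name, cut):
                continue
            if name == cut and t in ("NS", "DS"):
                break                      # the delegation itself is fine
            if t in ("A", "AAAA") and name in glue:
                break                      # glue for the delegated NS is fine
            if (name, t) not in hidden:
                hidden.append((name, t))
            break
    return hidden


def without_delegation(records, cut):
    """Frank's fix: drop the NS records at `cut` so the names become ordinary
    in-zone data again."""
    return [r for r in records if not (r[1] == "NS" and norm(r[0]) == norm(cut))]


if __name__ == "__main__":
    for name, rtype in occluded(APEX, RECORDS):
        print(f"[Warning] '{name}|{rtype}' in zone '{APEX}' is occluded by a delegation")
    print("after removing the NS:", occluded(APEX, without_delegation(RECORDS, "list.bruecko.de")))
```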


Re: [Pdns-users] pdns user owned domains

2019-05-28 Thread frank+pdns--- via Pdns-users

> 
> In powerdns we can see the users. users are connected to domains. 

Hi,

Could you tell us where and how you can “see” the users? Do you use some kind 
of web-frontend?

> 
> I have a user ricardo , the user ricardo has a lot of domains connected, but 
> he says he misses some that he can not see.
> 
> anybody knows, how to list user owned domains from the powerdns DB ?

It depends on how ricardo’s domains ended up in the system.

You might want to check if the following SQL query gives you any results:

select * from domains where account = 'ricardo';

Does that return the list of “ricardo’s domains”? If so, then look for a domain 
that’s missing from ricardo’s list (eg: ‘mydomain.tld’), and check the account 
on that domain…

Kind Regards,


Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be




Re: [Pdns-users] pdns user owned domains

2019-05-28 Thread frank+pdns--- via Pdns-users
OK, then let’s go back to my first question:

> Could you tell us where and how you can “see” the users? Do you use some kind 
> of web-frontend?

Frank


> On 28 May 2019, at 13:03, Udayakumar S wrote:
> 
> MariaDB [powerdns]> select * from domains where account = 'ricardo';
> Empty set (0.00 sec)
> 
> MariaDB [powerdns]> describe domains
> -> ;
> +-----------------+--------------+------+-----+---------+----------------+
> | Field           | Type         | Null | Key | Default | Extra          |
> +-----------------+--------------+------+-----+---------+----------------+
> | id              | int(11)      | NO   | PRI | NULL    | auto_increment |
> | name            | varchar(255) | NO   | UNI | NULL    |                |
> | master          | varchar(128) | YES  |     | NULL    |                |
> | last_check      | int(11)      | YES  |     | NULL    |                |
> | type            | varchar(6)   | NO   |     | NULL    |                |
> | notified_serial | int(11)      | YES  |     | NULL    |                |
> | account         | varchar(40)  | YES  |     | NULL    |                |
> +-----------------+--------------+------+-----+---------+----------------+
> 
> not showing any domains, any clue ?


Re: [Pdns-users] Master/Slaves in docker containers

2019-05-28 Thread frank+pdns--- via Pdns-users


> On 29 May 2019, at 06:24, Christian Tardif wrote:
> 
> Hi,
> 
> I'm trying to get this to work:
> 
> I have one master pdns in a docker container with bridge networking on 1 
> server, plus a slave pdns, also in a docker container with bridge networking 
> on another server. On the master, I have a zone (until I get it to work) 
> configured as I would do with any other dns servers (SOA, NS records (with 
> the real IP of the master and slaves, as I need to reach them from this 
> "external" ip).

Are both servers in a Docker Swarm network or are they standalone servers? If 
standalone, is migrating to a Swarm network an option? It would make things a 
lot easier, network-wise.

> When I'm doing an update on the zone in the master, I see that, on the slave 
> server, that I'm receiving the NOTIFY, but coming from 172.17.0.1 (got from 
> the docker bridge) but then, the slave tries to get either the SOA on NS 
> records for the zone  at 172.17.0.1, which leads to nothing, as this is a 
> NAT.   How can I have the slave to unconditionally request the master server 
> (on its real IP) for this zone about the SOA so this master/slave setup 
> actually works?

In general, if you want to use the supermaster functionality when the NOTIFYs 
are coming from a different ip, you’ll need to change the ip of the master in 
the domains table of your backend to the “real” ip. You could do that using 
triggers in the database for instance (or have a script that you run every 
minute to update the records).

However, let’s take a step back. Docker does outbound NAT, not 2-way NAT. Let’s 
assume on serverA, you run container1 (your master). container1 has (local) 
container ip 172.16.0.10. serverA has public ip 10.10.10.10.

Your slave runs in container2 (172.17.0.20) on serverB (10.10.10.20). 

The NOTIFY container2 receives, should have a source ip address 10.10.10.10, 
which is the correct ip, as container2 should use that address to reach 
container1. (Assuming your Docker hosts aren’t in a/the same Swarm network). If 
you’ve told docker to map port 53 (tcp and udp) to your containers, then this 
setup should work.

Could you describe your setup, describe which ports you’ve opened and where, 
and where exactly you see the NOTIFY coming from the wrong ip?

Frank


Re: [Pdns-users] Master/Slaves in docker containers

2019-05-29 Thread frank+pdns--- via Pdns-users
Hi Christian,

> pdns master is running on host 192.168.213.11, and container ip is 172.17.0.4
>  
> pdns slave is running on host 192.168.213.12, and container ip is 172.17.0.3
>  
> both containers have gateway set to 172.17.0.1, and hosts have gateway set to 
> 192.168.213.1
>  
> Both containers publish udp/53 and tcp/53 (as 0.0.0.0:53) so basically, I 
> can connect to any of these two, targeting the 192.168.213.x IP
>  
> But when I do a zone update on the master container, docker logs of the 
> pdns-slave shows these two things, for all the domains for which he should be 
> authoritative:
> 
> - Received NOTIFY for _this_particular_zone_ from 172.17.0.1 for which we are 
> not authoritative
> - Error resolving SOA or NS for _this_particular_zone_ at: 172.17.0.1: Query 
> to '172.17.0.1' for SOA of '_this_particular_zone_' produced no answer
> 

Could you do the following:

- start a tcpdump on pdns-slave
- from pdns-master: do a dig something @192.168.213.12
- from pdns-master: trigger a notify to 192.168.213.12

And show us the tcpdump?



Frank




Re: [Pdns-users] Master/Slaves in docker containers

2019-05-31 Thread frank+pdns--- via Pdns-users
Hi Christian,

Did you take your tcpdump inside the container or outside?

> On 29 May 2019, at 18:42, Christian Tardif wrote:
> 
> TCPDUMP for a dig: (request was dig @192.168.213.12 SOA int.servinfo.stba)
> 
> 16:33:52.289317  In f8:32:e4:8a:b7:b5 ethertype 802.1Q (0x8100), length 106: 
> vlan 213, p 0, ethertype IPv4, 192.168.213.11.33053 > 192.168.213.12.53: 
> 64585+ [1au] SOA? int.servinfo.stba. (58)
> 16:33:52.289317  In f8:32:e4:8a:b7:b5 ethertype 802.1Q (0x8100), length 106: 
> vlan 213, p 0, ethertype IPv4, 192.168.213.11.33053 > 192.168.213.12.53: 
> 64585+ [1au] SOA? int.servinfo.stba. (58)
> 16:33:52.289317  In f8:32:e4:8a:b7:b5 ethertype IPv4 (0x0800), length 102: 
> 192.168.213.11.33053 > 192.168.213.12.53: 64585+ [1au] SOA? 
> int.servinfo.stba. (58)

I assume this is “outside” the container: the ip traffic arrives on the host.

> 16:33:52.289371 Out 02:42:f9:95:2b:46 ethertype IPv4 (0x0800), length 102: 
> 172.17.0.1.1038 > 172.17.0.3.53: 64585+ [1au] SOA? int.servinfo.stba. (58)
> 16:33:52.289376 Out 02:42:f9:95:2b:46 ethertype IPv4 (0x0800), length 102: 
> 172.17.0.1.1038 > 172.17.0.3.53: 64585+ [1au] SOA? int.servinfo.stba. (58)
> 16:33:52.291796   P 02:42:ac:11:00:03 ethertype IPv4 (0x0800), length 90: 
> 172.17.0.3.53 > 172.17.0.1.1038: 64585 Refused- 0/0/1 (46)
> 16:33:52.291796  In 02:42:ac:11:00:03 ethertype IPv4 (0x0800), length 90: 
> 172.17.0.3.53 > 192.168.213.11.33053: 64585 Refused- 0/0/1 (46)

But then this is strange: the source ip gets translated, which shouldn’t 
happen. There’s nothing else running on the host that could mess with the 
traffic? Custom iptables rules, network-agents that intercept the traffic? 
Special network plugins? How are you starting the container? Could you send us 
the output of iptables-save?

The source ip address translation is not (default) docker behaviour. As the ip 
address is translated, pdns receives the notify from the translated IP instead 
of the one it should contact.

Frank
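The tell in Christian's capture is that the same transaction id arrives on the host from 192.168.213.11 but reaches the container from 172.17.0.1: the source address was rewritten on the way through the bridge, which is the behaviour Frank says Docker does not do by default and which explains why pdns sees the NOTIFY "from 172.17.0.1". The block below is an added example, not part of the thread: a small parser over tcpdump `-e` style lines that pairs each DNS query's host-side and bridge-side copy by transaction id and reports the ones whose source differs. `SAMPLE` is Christian's capture reflowed to one line each with the duplicate lines dropped; `CLEAN` is a constructed capture of what plain destination-only NAT would look like. The regular expression and function names are assumptions.

```python
"""Added example, not from the thread: detect source-address rewriting between
the host interface and the docker bridge in tcpdump output."""
import re
from collections import defaultdict

# Christian's capture, reflowed onto one line per packet (duplicates dropped).
SAMPLE = """\
16:33:52.289317  In f8:32:e4:8a:b7:b5 ethertype 802.1Q (0x8100), length 106: vlan 213, p 0, ethertype IPv4, 192.168.213.11.33053 > 192.168.213.12.53: 64585+ [1au] SOA? int.servinfo.stba. (58)
16:33:52.289317  In f8:32:e4:8a:b7:b5 ethertype IPv4 (0x0800), length 102: 192.168.213.11.33053 > 192.168.213.12.53: 64585+ [1au] SOA? int.servinfo.stba. (58)
16:33:52.289371 Out 02:42:f9:95:2b:46 ethertype IPv4 (0x0800), length 102: 172.17.0.1.1038 > 172.17.0.3.53: 64585+ [1au] SOA? int.servinfo.stba. (58)
16:33:52.291796   P 02:42:ac:11:00:03 ethertype IPv4 (0x0800), length 90: 172.17.0.3.53 > 172.17.0.1.1038: 64585 Refused- 0/0/1 (46)
16:33:52.291796  In 02:42:ac:11:00:03 ethertype IPv4 (0x0800), length 90: 172.17.0.3.53 > 192.168.213.11.33053: 64585 Refused- 0/0/1 (46)
"""

# Constructed: what destination-only NAT (docker's default port publishing)
# would look like; the client source survives onto the bridge.
CLEAN = """\
16:40:00.000001  In f8:32:e4:8a:b7:b5 ethertype IPv4 (0x0800), length 102: 192.168.213.11.40000 > 192.168.213.12.53: 1234+ [1au] SOA? example.test. (58)
16:40:00.000050 Out 02:42:f9:95:2b:46 ethertype IPv4 (0x0800), length 102: 192.168.213.11.40000 > 172.17.0.3.53: 1234+ [1au] SOA? example.test. (58)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>In|Out|P)\s+\S+ .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<txid>\d+)"
)


def parse_tcpdump(text: str):
    """Return one dict per recognised line: ts, dir, src, sport, dst, dport, txid."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["txid"] = int(row["txid"])
            rows.append(row)
    return rows


def find_source_rewrites(rows):
    """Pair each query (dport 53) seen entering the host ("In") with the copy
    handed to the bridge ("Out") by transaction id. Returns
    {txid: (host_side_src, bridge_side_src)} for the ones whose source changed."""
    seen = defaultdict(dict)
    for r in rows:
        if r["dport"] != "53":
            continue  # replies are not interesting here
        side = "host" if r["dir"] == "In" else "bridge"
        seen[r["txid"]].setdefault(side, r["src"])
    rewrites = {}
    for txid, sides in seen.items():
        if {"host", "bridge"} <= sides.keys() and sides["host"] != sides["bridge"]:
            rewrites[txid] = (sides["host"], sides["bridge"])
    return rewrites


if __name__ == "__main__":
    print("christian's capture:", find_source_rewrites(parse_tcpdump(SAMPLE)))
    print("constructed clean capture:", find_source_rewrites(parse_tcpdump(CLEAN)))
```

A non-empty result is the thing to chase in `iptables-save` (a MASQUERADE or SNAT rule on the bridge path), which is the question Frank asks next.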


Re: [Pdns-users] Broken link for Lua example script in PowerDNS documentation

2019-06-11 Thread frank+pdns--- via Pdns-users
Hi Steinar,

Somebody just pointed out that the link you provided is for the old 4.0 branch 
of the documentation, not the current 4.1 or the upcoming 4.2 releases.

The corresponding version of that lua script for the 4.0 branch would be 
https://github.com/PowerDNS/pdns/blob/rel/rec-4.0.x/pdns/powerdns-example-script.lua

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be

> On 11 Jun 2019, at 09:43, Frank Louwers wrote:
> 
> Hi Steinar,
> 
> You are correct, that link points to the wrong url. The correct one is
> 
> https://github.com/PowerDNS/pdns/blob/master/pdns/recursordist/contrib/powerdns-example-script.lua
> 
> 
> Kind Regards,
> 
> Frank
> 
> -- 
> Frank Louwers
> PowerDNS Certified Consultant @ Kiwazo.be 
> 
> 
> 
> 
> 
>> On 10 Jun 2019, at 09:41, sth...@nethelp.no wrote:
>> 
>> In the PowerDNS recursor documentation at
>> 
>> https://doc.powerdns.com/md/recursor/scripting/#writing-lua-powerdns-recursor-scripts
>> 
>> 
>> the link to "a sample script that showcases all functionality
>> described below":
>> 
>> https://github.com/PowerDNS/pdns/blob/master/pdns/powerdns-example-script.lua
>> 
>> 
>> gives me a 404 error.
>> 
>> Steinar Haug, AS2116


Re: [Pdns-users] bind backend and dnssec database

2019-07-10 Thread frank+pdns--- via Pdns-users
Philip,

Do you make changes to your zones? If you don’t need to change the zone 
contents and your puppet is meant as a way to easily reinstall/add servers, it 
might make more sense to adapt your puppet manifests to:

- load the zonefile
- use pdnsutil (or the API) to add dnssec signing parameters (maybe with 
predefined cryptokeys if you deploy this to multiple servers and don’t use zone 
transfers)

That way, you don’t need to add binary blobs to your puppet repo, which defeats 
the purpose of “Infrastructure as Code” in my humble opinion.

Just my 2 cents…

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo.be 

> On 10 Jul 2019, at 11:53, Philip Vanmontfort wrote:
> 
> Hello,
> 
> We want to put everything in one place (puppet), so that we don't have to 
> make a backup of the database.  And we want a minimum of moving parts, that 
> is why there is no database backend.
> The setup uses native zones, so we don't do zone transfers with masters and 
> slaves.  So I figured, with everything in puppet saves me on 
> replication/backup of the database.
> 
> Do I understand correctly that I need to replicate the bind-dnssec-db.sqlite3 
> from one server (soa server?) to the others? or do I need to build a 
> master-slave setup with zone transfers to enable a correct working of dnssec?
> 
> 
> best greetings,
> Philip
> From: Pdns-users on behalf of Bjoern Franke
> Sent: Wednesday 10 July 2019 11:12
> To: pdns-users@mailman.powerdns.com
> Subject: Re: [Pdns-users] bind backend and dnssec database
> 
> Hi,
> 
> > 
> > my company is planning the migration of our authoritative name servers 
> > to powerdns 4.1.x  with a bind backend (managed with puppet).  this part
> > is working as intended.
> [...]
> > The question is:
> > 
> > can I put the |bind-dnssec-db.sqlite3| inside puppet after I secured the
> > zone.  (can it be readonly from powerdns's viewpoint)
> > or does powerdns need read-write acces to the |bind-dnssec-db.sqlite3|?
> > (maybe for key roll over?)
> >
> 
> we are running also powerdns in a puppetized way, but with MySQL as
> hybrid-backend. As data is changed during key rollover, a read/write
> access is needed. Why do you want to put the sqlite itself into puppet?
> For the slaves?
> 
> Kind regards
> Bjoern




___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] bind backend and dnssec database

2019-07-11 Thread frank+pdns--- via Pdns-users


> On 11 Jul 2019, at 16:57, Philip Vanmontfort wrote:
> 
> goodday,
> 
> we change the zones regularly, but the zones are generated with puppet.
> 
> If we use a predefined key on all servers wouldn't we get into trouble with 
> key rollovers? for example rollover differences between name servers that are 
> reinstalled?  Or is the only important factor the DS key (which would be the 
> same on all servers)?
> 
> 

Philip,


There’s a difference between key rollovers, which don’t happen automatically 
and you should first figure out why you want to rollover, and signature 
refreshes, which happen automatically in PowerDNS if you use online signing 
(the default mode).

Also note that the DS records don’t contain the key, they contain a hash of the 
key.

Frank




___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Zone Transfers

2019-08-05 Thread frank+pdns--- via Pdns-users
Hi Thomas,

A zone transfer will only include the contents of that particular zone, so I am 
a bit confused by your question. Could you rephrase it? (Or give an example how 
you would configure this in a another nameserver?)

Frank
Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be 





> On 5 Aug 2019, at 13:49, Stanford Mings wrote:
> 
> Hello All,
> 
> This is a newbie question, so forgive me.
> 
> How do I configure PDNS to return all domains in a zone transfer ?
> 
> Stanford T. Mings Jr. ~ Technologist ~ stanf...@tech.vi ~ http://www.tech.vi ~ 786-269-5718
> 
> VI Technical Services, LLC ~ 9160 Estate Thomas ~ 
> Suite 195 ~ St. Thomas, VI, 00802
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com 
> https://mailman.powerdns.com/mailman/listinfo/pdns-users





___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Zone Transfers

2019-08-05 Thread frank+pdns--- via Pdns-users
Hi,

So to get this right, you need to be able to have a secondary (the anycast 
provider) be able to AXFR all the individual domains, right? To configure that, 
you’d first setup all the domains as MASTER domains (as opposed to SLAVE or 
NATIVE), and set these settings in the config file: (replace 10.10.10.10/32 
with the IP addresses your provider will give you). 

allow-axfr-ips=10.10.10.10/32
master=yes

Also, be sure to read 
https://docs.powerdns.com/authoritative/modes-of-operation.html#master-operation 
regarding the master operation.


Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be


> On 5 Aug 2019, at 16:12, Stanford Mings wrote:
> 
> Hello All,
> 
> Thanks for the feedback. The project that I am working on is for a gTLD and I 
> need to be able to have an Anycast provider do a zone transfer of all the 
> domains for the TLD.   I am almost certain there is a switch for it 
> somewhere, I just don't know where.
> 
> 
> Stanford T. Mings Jr. ~ Technologist ~ stanf...@tech.vi ~ http://www.tech.vi ~ 786-269-5718
> 
> VI Technical Services, LLC ~ 9160 Estate Thomas ~ 
> Suite 195 ~ St. Thomas, VI, 00802
> 
> 
> On Mon, Aug 5, 2019 at 8:53 AM Matthias Cramer wrote:
> If you transfer your zones this way, why do you not use mysql replication or 
> a cluster and use native zones?
> 
> DNS-zonetransfer and notifies do not have any method for deleting a zone as 
> far as I know.
> 
> Regards
> 
>   Matthias
> 
> On 05/08/2019 14:48, Curtis Maurand wrote:
> > I scripted it.  I can't rely on pdns replication.  The supermaster won't 
> > tell a slave to delete a zone for instance.  Adding a new zone may or may 
> > not happen properly or in a
> > timely manner.  Sometimes transfers just don't happen and even if they do, 
> > the signed zones won't work until they're rectified. Don't get me started 
> > on dnsdist.  So to that end, I do:
> > 
> > 
> > 
> > #!/bin/bash
> > # getdns.sh
> > # dump the primary's database, load it into the local one, then turn every
> > # domain into a SLAVE entry and rectify the DNSSEC metadata
> > mysqldump -u root -p -h  --opt --databases powerdns >/tmp/pdns.dump.sql
> > 
> > mysql -u root -p powerdns </tmp/pdns.dump.sql
> > mysql -u root -p powerdns <pdns.sql
> > /usr/bin/pdnsutil rectify-all-zones
> > 
> > 
> > pdns.sql contains:
> > 
> > USE powerdns;
> > UPDATE domains SET type = 'SLAVE';
> > UPDATE domains SET master = '';
> > 
> > 
> > 

Re: [Pdns-users] Zone Transfers

2019-08-05 Thread frank+pdns--- via Pdns-users
Hi Curtis,


> Supermaster doesn't look to be part of the RFC, so why can't it send 
> deletions?  It's already doing it for individual records.

Well no. Supermaster isn’t part of “the” (let’s not get started about the 
dns-camel here) RFC, but it’s not changing anything either: Supermaster is a 
way to describe what happens when a slave receives a (completely standard and 
rfc-compliant) NOTIFY message for a domain name it doesn’t know anything about. 
So “Supermaster” is just plain old NOTIFY messages, nothing “out of rfc” here. 
Note that you can use the pdns “supermaster functionality” to slave from any 
pdns authoritative software that supports NOTIFY and AXFR. 

The problem is that there’s no way to signal the deletion of a domain.

If the pdns community wants to add that, they’d need to define something truly 
“outside of the rfc”: either by using a modification of the DNS protocol (brr) 
or something out of band. Which PowerDNS has: it has supported the “native” (as 
in: db replication or rsync method) for ages, and the API for a good number of 
years now.

> It's like dnsdist not getting a list of authoritative domains from the db 
> server that pdns talks to at startup and having to hard code them into a 
> file.  I thought powerdns was developed to take advantage of the database 
> server.  Why am I hard coding txt files when I have this lovely database with 
> a domains table full of domains I'm authoritative for?  Seems like an 
> oversight to me.  Feels like I'm editing bind backend files again.  Just 
> invites error.  dnsdist doesn't need to maintain the connection.  I'm 
> assuming it reads in a list from the file at startup and keeps the table in 
> memory for speed.  I see no reason why it can't read the names from the 
> database at startup, then disconnect from the dbserver.  Hard coding txt 
> files just invites mistakes and reminds me of 1996.

I am not sure what you are referring to, or why in your use-case you’d want to 
do that (it could be easier to check for the RD bit, or set up something like 
“Scenario 2: Authoritative Server as Recursor for clients and serving public 
domains”, but again: no idea what your use-case is). Feel free to create a new 
topic (on the correct ML) to describe what you want to do and why, and we’ll see 
what the best solution is. But the point is that this is not helping the topic 
starter.

> I've never been able to get MySQL replication to operate reliably over a wide 
> area network.  I've tried several times with several different versions of 
> MySQL and MariaDB.  I'm certainly not going to try running cluster over a 
> WAN.  My DNS servers are geographically diverse.  1 is in FL and one in ME.  
> My little script works better than anything else I've tried. 

Again no idea what FL and ME mean to you, but I have run pdns auth servers 
across OpenVPN tunnels across multiple continents using both MySQL and 
PostgreSQL replication. Note that the skills to setup a database replication 
setup, are quite different than the ones to setup a DNS server. Most of the 
good database administrators I know, are not DNS experts. A lot of DNS experts 
I know, are certainly not database replication experts… (I happen to know a 
tiny bit about both, which is why I love my job)

Kind Regards,


Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be 








___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
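Frank's point above is that NOTIFY/AXFR can add and refresh zones on a secondary but cannot signal that a zone was deleted, so deletions have to travel out of band, for instance through the Authoritative Server's HTTP API. The following is an added example of that out-of-band path, written for this page; it is not code from the thread or from PowerDNS. It lists the zones on a primary and a secondary via `GET /api/v1/servers/localhost/zones`, computes which slaved zones the secondary still holds that the primary no longer serves, and deletes them with `DELETE /api/v1/servers/localhost/zones/<id>`. The host names, ports and API key are assumptions, and the sample zone lists are constructed so the planning logic can be exercised without a server:

```python
"""Added example (not from the thread and not part of PowerDNS): reconcile
the zone list of a secondary with that of its primary over the Authoritative
Server's HTTP API, so that zones removed on the primary disappear from the
secondary as well. NOTIFY/AXFR cannot carry that deletion; this is the
out-of-band path. Host names, ports and the API key are assumptions."""
import json
import urllib.request
from urllib.parse import quote

API_KEY = "change-me"                        # assumption: api-key= in pdns.conf
PRIMARY = "http://primary.example:8081"      # assumption: webserver-address/port
SECONDARY = "http://secondary.example:8081"  # assumption


def api(base, path, method="GET"):
    """Minimal client for /api/v1 of the PowerDNS Authoritative Server."""
    req = urllib.request.Request(
        base + path, method=method,
        headers={"X-API-Key": API_KEY, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def list_zones(base):
    return api(base, "/api/v1/servers/localhost/zones")


def delete_zone(base, zone_id):
    api(base, "/api/v1/servers/localhost/zones/" + quote(zone_id, safe=""),
        method="DELETE")


def normalise(name):
    return name.rstrip(".").lower()


def zones_to_delete(primary_zones, secondary_zones, kinds=("Slave",)):
    """Zone ids the secondary holds as one of `kinds` but the primary no
    longer serves. Only slaved zones are candidates: a Native or Master zone
    on the secondary was configured there on purpose and is left alone."""
    present = {normalise(z["name"]) for z in primary_zones}
    return sorted(z.get("id", z["name"]) for z in secondary_zones
                  if z.get("kind") in kinds
                  and normalise(z["name"]) not in present)


def plan(primary_zones, secondary_zones, max_fraction=0.1):
    """zones_to_delete() behind two guards, so that a primary whose API
    answered with an empty or truncated list cannot wipe the secondary."""
    if not primary_zones:
        raise RuntimeError("primary returned no zones; refusing to delete")
    doomed = zones_to_delete(primary_zones, secondary_zones)
    if doomed and len(doomed) / len(secondary_zones) > max_fraction:
        raise RuntimeError(f"{len(doomed)} of {len(secondary_zones)} zones "
                           "would be deleted; raise max_fraction if intended")
    return doomed


# Constructed sample data in the shape GET /api/v1/servers/localhost/zones
# returns (only the fields used here).
PRIMARY_SAMPLE = [{"name": "example.com.", "kind": "Master"},
                  {"name": "example.net.", "kind": "Master"}]
SECONDARY_SAMPLE = [{"name": "example.com.", "kind": "Slave"},
                    {"name": "example.net.", "kind": "Slave"},
                    {"name": "gone.example.", "kind": "Slave"},
                    {"name": "local.example.", "kind": "Native"}]

if __name__ == "__main__":
    import sys
    apply = "--apply" in sys.argv          # default is a dry run
    for zone in plan(list_zones(PRIMARY), list_zones(SECONDARY)):
        print(("deleting " if apply else "would delete ") + zone)
        if apply:
            delete_zone(SECONDARY, zone)
```

Run it without arguments for a dry run from a host that can reach both API endpoints; the `max_fraction` guard is the check a practitioner wants, because the failure mode of this kind of script is a primary that briefly answers with an empty list and a secondary that then deletes everything it serves.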


Re: [Pdns-users] Limit Returned Results from a SRV Query

2019-09-05 Thread frank+pdns--- via Pdns-users
Hi Shawn,

You might be able to overrule the default queries (see 
https://docs.powerdns.com/authoritative/backends/generic-sql.html). 

Another option might be to use LUA records: 
https://docs.powerdns.com/authoritative/lua-records/index.html.

Absolute worst case: create a stored procedure and use that, but it will make 
debugging harder and might impact speed (depending on the QPS your zone 
receives). I assume you’ve considered the side effects on caching and the TTLs 
on your records...

Kind Regards,

Frank



Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be 





> On 5 Sep 2019, at 15:46, Shawn Augenstein wrote:
> 
> Greetings,
> 
> I have stood up a MariaDB backend for an Authoritative Server deployment and I 
> am working under a specific requirement:
> 
> Provisioning the backend with 200 A Records associated with a SRV however, 
> for each query to the Authoritative server only 5 of the 200 can be returned 
> at any one time. 
> 
> This is an isolated system. 
> 
> I am looking for advisement on where to make the required edits to the query 
> to the backend itself or guidance in general on moving forward.
> 
> Regards,
> 
> -S
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com 
> https://mailman.powerdns.com/mailman/listinfo/pdns-users





___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Wrong A-Record is retuned for CNAME that can not be resolved to A

2019-09-26 Thread frank+pdns--- via Pdns-users
Hi Kevin,

> ===>% ===
> C:\Users\kolbrich>nslookup -q=CNAME _91867ab3c77f152ba4ab0cceeabb3666.expose.graf-borstar.de. 8.8.8.8
> Server:  dns.google
> Address:  8.8.8.8
> 
> Non-authoritative answer:
> _91867ab3c77f152ba4ab0cceeabb3666.expose.graf-borstar.de
> canonical name = _c09668a36b3b6665549a795863f30b9b.olprtlswtu.acm-validations.aws
> 

> My NS has a catch-all zone using "." including SOA to be authoritative for 
> all new domains that do not yet have a zone (async processing).
> This allows us to be responsive for zones we actually did not yet create or 
> have not been replicated.


> 
> It seems that AWS uses the same authoritative NS to resolve its own CNAME 
> (which does not resolve at all in public):

I doubt that’s the problem (and note that acm-validations.aws is a valid domain 
name and points to AWS).

I believe the problem might be here:

~ ❯❯❯ dig SOA expose.graf-borstar.de

; <<>> DiG 9.10.6 <<>> SOA expose.graf-borstar.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58518
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;expose.graf-borstar.de.        IN  SOA

;; ANSWER SECTION:
expose.graf-borstar.de.  3593  IN  CNAME  fae31f3b-08a0-4b3c-8767-7f1b1baec2af.iexendpoints.de.

;; AUTHORITY SECTION:
iexendpoints.de.  293  IN  SOA  ns-660.awsdns-18.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 19 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Thu Sep 26 12:20:56 CEST 2019
;; MSG SIZE  rcvd: 199


You have a CNAME in place for expose.graf-borstar.de. Does that belong there? 
This might cause issues.

Could you also clarify the problem you are having? It’s not 100% clear to me at 
this point. 

Kind Regards,

Frank
Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be




___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Reg. PDNS recursor Ver 4.1.16

2020-12-09 Thread frank+pdns--- via Pdns-users
Hi Kiran,

There's no obvious answer based on the info you gave us. How is the server 
configured? Anything special? Who is using your resolver?

Assuming it's a "plain and simple" resolver with good Internet connectivity, I 
would start to investigate which queries are slow, and why you have so many of 
them. You could do that in various ways, I would suggest to use dnsdist to do 
that: it has a "topSlow()" command that will display the slowest queries.

Then, start checking them, you might even enable tracing in pdns on those names 
and investigate the results.

Best of luck in your hunting expedition!

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo.be 

PS: Recursor 4.1.x is very old and no longer supported, it doesn't even get any 
security updates anymore! I would recommend to migrate to 4.4.1.

> On 9 Dec 2020, at 08:30, Kiran Kumar via Pdns-users wrote:
> 
> Hello,
> 
> How do we minimize answers-slow, We are running on CentOS Linux release 
> 7.9.2009 (Core)
> on VM with 4VCPUs and 16GB RAM. 
> 
> rec_control get-all | grep answer
> answers-slow            80903
> answers0-1              598471
> answers1-10             1057756
> answers10-100           2342082
> answers100-1000         1341675
> auth4-answers-slow      119250
> auth4-answers0-1        61649
> auth4-answers1-10       1423348
> auth4-answers10-100     3095598
> auth4-answers100-1000   1515725
> auth6-answers-slow      0
> auth6-answers0-1        0
> auth6-answers1-10       0
> auth6-answers10-100     0
> auth6-answers100-1000   0
> noerror-answers         16875858
> nxdomain-answers        2726842
> servfail-answers        1780021
> 
> Are there any parameters that needs to enabled in recursor.conf so that the 
> performance of DNS queries can be further improved.
> 
> Best Regards,
> 
> Kiran
> 
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com 
> https://mailman.powerdns.com/mailman/listinfo/pdns-users





___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] SOA Record Mismatch Server - NSLOOKUP

2020-12-15 Thread frank+pdns--- via Pdns-users
Hi Kevin,

Indeed, there's a SOA version mismatch between ns.inta.gob.ni and 
ns{1,2}.enatrelpba.gob.ni for this domain.

Has the 2020121016 ever existed on ns.inta.gob.ni? Could you show us the logs 
of both masters and servers when they did the AXFR?

Kind Regards,

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo.be 



> On 15 Dec 2020, at 16:16, Kevin Morales via Pdns-users wrote:
> 
> Hi, Anyone could help me to know why 
> 
> I created a Slave Zone, and the zone is transferred from the Master without 
> problem, but when I check the SOA record using nslookup I see the serial is 
> 2020121016, which is wrong!
> 
> 
> 
> If I check the Record Zone on Server DNS, I can see the SOA is 2020121015.
> 
> 
> I deleted the zone and created again, and I have the same issue!,
> 
> Thanks in Advance!
> 
> -- 
> Kevin Morales
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com 
> https://mailman.powerdns.com/mailman/listinfo/pdns-users





___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Powerdns server is not passing Authority parameter

2021-01-19 Thread frank+pdns--- via Pdns-users
Hi,

Could you share the configuration of the PDNS Auth server please?

Frank Louwers
Certified PowerDNS Consultant @ Kiwazo.be 

> On 19 Jan 2021, at 10:08, Dedan Irungu via Pdns-users wrote:
> 
> I have made the changes requested, as shown below. The server does not serve 
> authoritative results.
> 
> setLocal('85.10.203.183')
> setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access
> 
> newServer({address='85.10.203.183:5300', pool='auth'})
> newServer({address='85.10.203.183:5301', pool='recursor'})
> 
> recursive_ips = newNMG()
> recursive_ips:addMask('127.0.0.1/8') -- These network masks are the ones from allow-recursion in the Authoritative Server
> 
> addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
> addAction(AllRule(), PoolAction('auth'))
> 
> 
> 
> I have tried to target powerdns directly via port 5300 but the result is the 
> same. Any dig performed on port 5300 should be authoritative but in this case 
> it is not.
> 
> dig @85.10.203.183 gifsitebuilder.com A -p 5300
> 
> 
> 
> 
> On Tue, Jan 19, 2021 at 11:51 AM Brian Candler wrote:
> On 19/01/2021 08:40, Dedan Irungu via Pdns-users wrote:
>>  recursive_ips:addMask('0.0.0.0/0') -- These network 
>> masks are the ones from allow-recursion in the Authoritative Server
>> 
>>  addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
> These two lines together say: "for incoming queries from *any* IP addresses: 
> send them to the recursor".
> 
> Try changing the first one to something like:
> 
> recursive_ips:addMask('192.168.0.0/16')   -- netblock 
> containing your local clients
> 
> Then queries from 192.168.x.x will go to the recursor, whereas queries from 
> any *other* addresses will go to the authoritative server.
> 
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com 
> https://mailman.powerdns.com/mailman/listinfo/pdns-users





___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] DNSSEC UDP problems

2021-03-09 Thread frank+pdns--- via Pdns-users
Hi Steffan,

Sometimes the dnsviz.net debugger is quite complete but can be overwhelming at 
first. The Verisign Analyzer can be easier to perform basic checks: 
https://dnssec-analyzer.verisignlabs.com/crazyforprint.nl.

In this case, it seems the zone is not properly signed, but DS records are 
present in the parent zone:

While an RRSIG record does exist for e.g. the NS record for that zone:

~ ❯ dig NS crazyforprint.nl. @ns1.tikklik.nl +dnssec
...
;; ANSWER SECTION:
crazyforprint.nl.   28800   IN  NS  ns2.tikklik.nl.
crazyforprint.nl.   28800   IN  RRSIG   NS 13 2 28800 2021031800 2021022500 51602 crazyforprint.nl. PdcCtYO9yLGiUoz+c5WiajyiaLHOpiAvEpJkS4Ew99fJ5xWOX0vJZAA3 4tAMzRJHO+aFBYvf7TvKWyL1Y8ytJQ==
crazyforprint.nl.   28800   IN  NS  ns1.tikklik.nl.


No RRSIG records are present for e.g. the A record:

~ ❯ dig A crazyforprint.nl. @ns1.tikklik.nl +dnssec
...
;; ANSWER SECTION:
crazyforprint.nl.   10071   IN  A   199.59.242.153


As the parent indicates that the zone is supposed to be signed, this results in 
verification failures.


Kind Regards,

Frank

> On 9 Mar 2021, at 13:13, Steffan via Pdns-users wrote:
>
> Hello,
>
> Suddenly I'm getting DNSSEC warnings.
> Any ideas what I'm missing here?
>
> When analysing the DNS with dnsviz.net I'm seeing
>
> "The server(s) were not responsive to queries over UDP. 
> (2a00:1bd0:740:1:2::2, 2a00:1bd0:740:1:46::162)"
>
>
> I don't understand why,
> I disabled the firewall for testing
>
> netstat -tulpn | grep pdns
> tcp    0  0 0.0.0.0:53      0.0.0.0:*   LISTEN   861967/pdns_server
> tcp6   0  0 :::53           :::*        LISTEN   861967/pdns_server
> udp    0  0 0.0.0.0:11597   0.0.0.0:*            861967/pdns_server
> udp    0  0 0.0.0.0:53      0.0.0.0:*            861967/pdns_server
> udp6   0  0 :::12790        :::*                 861967/pdns_server
> udp6   0  0 :::53           :::*                 861967/pdns_server
>
>
>
> Mar  9 13:07:30 ns1 systemd[1]: Starting PowerDNS Authoritative Server...
> Mar  9 13:07:30 ns1 pdns_server[861967]: Loading 
> '/usr/lib64/pdns/libgmysqlbackend.so'
> Mar  9 13:07:30 ns1 pdns_server[861967]: This is a standalone pdns
> Mar  9 13:07:30 ns1 pdns_server[861967]: Listening on controlsocket in 
> '/run/pdns/pdns.controlsocket'
> Mar  9 13:07:30 ns1 pdns_server[861967]: UDP server bound to 0.0.0.0:53
> Mar  9 13:07:30 ns1 pdns_server[861967]: UDP server bound to [::]:53
> Mar  9 13:07:30 ns1 pdns_server[861967]: TCP server bound to 0.0.0.0:53
> Mar  9 13:07:30 ns1 pdns_server[861967]: TCP server bound to [::]:53
> Mar  9 13:07:30 ns1 pdns_server[861967]: PowerDNS Authoritative Server 
> 4.5.0-alpha0.810.master.ge95f1270a (C) 2001-2021 PowerDNS.COM BV
> Mar  9 13:07:30 ns1 pdns_server[861967]: Using 64-bits mode. Built using gcc 
> 8.3.1 20191121 (Red Hat 8.3.1-5) on Mar  4 2021 17:46:55 by root@8780793e1b61.
> Mar  9 13:07:30 ns1 pdns_server[861967]: PowerDNS comes with ABSOLUTELY NO 
> WARRANTY. This is free software, and you are welcome to redistribute it 
> according to the terms of the GPL version 2.
> Mar  9 13:07:30 ns1 pdns_server[861967]: DNS Proxy launched, local port 
> 33452, remote 208.67.220.220:53
> Mar  9 13:07:30 ns1 pdns_server[861967]: Not validating response for security 
> status update, this is a non-release version
> Mar  9 13:07:30 ns1 pdns_server[861967]: Master/slave communicator launching
> Mar  9 13:07:30 ns1 pdns_server[861967]: Creating backend connection for TCP
> Mar  9 13:07:30 ns1 pdns_server[861967]: About to create 3 backend threads 
> for UDP
> Mar  9 13:07:30 ns1 systemd[1]: Started PowerDNS Authoritative Server.
> Mar  9 13:07:30 ns1 pdns_server[861967]: Done launching threads, ready to 
> distribute questions
> Mar  9 13:07:30 ns1 pdns_server[861967]: Cleared signature cache.
>
> Kind regards,
> Steffan Noord
>
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be




___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
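The check Frank performs by hand above (an RRSIG is present for the NS RRset but none for the A RRset, while the parent publishes a DS) is easy to automate over the output of `dig +dnssec`. The block below is an added example written for this page, not code from the thread or from PowerDNS: it parses an answer section, reports every RRset that has no RRSIG covering its type, and additionally flags RRSIGs whose signer name is not the zone apex (a signature that cannot chain to the parent's DS). The sample input is constructed from the two answers quoted in the thread, so nothing is queried over the network:

```python
"""Added example (not from the thread): the check Frank did by hand above,
in code. Given the answer section of `dig +dnssec`, report RRsets that carry
no RRSIG, and RRSIGs whose signer is not the zone apex. The sample input is
constructed from the two answers quoted in the thread; nothing is queried."""


def parse_rrs(text):
    """Yield (owner, type, ttl, rdata_tokens) per RR line; dig's ';' and ';;'
    lines and blank lines are skipped."""
    for line in text.splitlines():
        parts = line.split(";", 1)[0].split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        yield parts[0].lower(), parts[3].upper(), int(parts[1]), parts[4:]


def uncovered_rrsets(text):
    """(owner, type) pairs present in the answer without an RRSIG covering
    that type. In a signed zone this list must be empty."""
    rrsets, covered = set(), set()
    for owner, rtype, _ttl, rdata in parse_rrs(text):
        if rtype == "RRSIG":
            covered.add((owner, rdata[0].upper()))   # rdata[0] = type covered
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - covered)


def foreign_signers(text, zone):
    """RRSIGs whose signer name (8th rdata field) is not `zone`: such a
    signature cannot chain to the DS in the parent and will not validate."""
    zone = zone.lower().rstrip(".") + "."
    return [(owner, rdata[0].upper(), rdata[7])
            for owner, rtype, _ttl, rdata in parse_rrs(text)
            if rtype == "RRSIG" and rdata[7].lower().rstrip(".") + "." != zone]


# Constructed from the two answer sections quoted in the thread.
NS_ANSWER = """\
;; ANSWER SECTION:
crazyforprint.nl.   28800   IN  NS  ns2.tikklik.nl.
crazyforprint.nl.   28800   IN  RRSIG   NS 13 2 28800 2021031800 2021022500 51602 crazyforprint.nl. PdcCtYO9yLGiUoz+c5WiajyiaLHOpiAvEpJkS4Ew99fJ5xWOX0vJZAA3 4tAMzRJHO+aFBYvf7TvKWyL1Y8ytJQ==
crazyforprint.nl.   28800   IN  NS  ns1.tikklik.nl.
"""
A_ANSWER = """\
;; ANSWER SECTION:
crazyforprint.nl.   10071   IN  A   199.59.242.153
"""


def report(text, zone):
    """Human-readable summary; returns True when nothing is wrong."""
    missing = uncovered_rrsets(text)
    foreign = foreign_signers(text, zone)
    for owner, rtype in missing:
        print(f"no RRSIG covers {owner} {rtype}")
    for owner, rtype, signer in foreign:
        print(f"RRSIG for {owner} {rtype} signed by {signer}, not {zone}")
    return not missing and not foreign


if __name__ == "__main__":
    print("NS answer ok:", report(NS_ANSWER, "crazyforprint.nl"))
    print("A answer ok:", report(A_ANSWER, "crazyforprint.nl"))
```

To use it on a live zone, paste the answer section of `dig <type> <zone> @<server> +dnssec` into `report()`; querying the authoritative servers directly, as Frank does, matters here, because a validating resolver would already have replaced the broken answer with SERVFAIL and hidden which RRset is unsigned.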


Re: [Pdns-users] DNSSEC UDP problems

2021-03-09 Thread frank+pdns--- via Pdns-users
Hi Steffan,

Well, it clearly responds to a request for an A record...

Can you tell us a bit more about this zone? What does "pdnsutil check-zone 
crazyforprint.nl" say?

In general, it's a very bad idea to use CNAME records at the apex of a domain.

Frank

> On 9 Mar 2021, at 13:35, Steffan via Pdns-users wrote:
> 
> This domain is not using a A record
> But a ALIAS and CNAME
> Is that why dnssec failes?
>  
>  
> Kind regards,
> Steffan Noord 
>  
> From: frank+p...@tembo.be 
> Sent: Tuesday 9 March 2021 13:34
> To: steffanno...@gmail.com 
> CC: pdns-users-ml 
> Subject: Re: [Pdns-users] DNSSEC UDP problems

Re: [Pdns-users] PowerDNS admin Configuration

2021-07-20 Thread frank+pdns--- via Pdns-users
Hi Adivya,

This is the PowerDNS users mailing lists, for users of the PowerDNS open source 
products (PowerDNS Auth, PowerDNS Recursor and dnsdist). The PowerDNS Admin 
product you're referring to, is not a PowerDNS product (despite the name) and I 
guess most people on this list don't use it. I have no idea if there is a 
PowerDNS Admin users mailing list, but if there is, you're better off asking 
your question there. 

Kind Regards,

Frank


> On 16 Jul 2021, at 8:42 PM, Adivya Singh via Pdns-users wrote:
> 
> Hi Team,
> 
> I am unable to install and configure PowerDNS Admin on a server. It installed 
> fine, but when I try to open the link it says "Page not found". 
> It never showed any error during installation and configuration. I am using a 
> setup in Canonical OpenStack where I am using an internal IP for configuration; 
> there is no floating IP attached.
> 
> Regards
> Adivya Singh
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be




___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] recursor: Possible bug in accepting / rejecting additional answers?

2021-08-30 Thread frank+pdns--- via Pdns-users
Hi Paul,

This is a design choice by PowerDNS, which is defendable: the domain is 
misconfigured and the RFCs don't clearly say which option to take in such a case. 
Unfortunately, Google and Unbound took a different option, so when the customer 
verifies against 8.8.8.8, it will just work. Also unfortunately, PowerDNS took 
the option of having the return depend on the state of cache, meaning that 
depending on the order you execute the queries in, you'll get a different 
result.

I've had long discussions with the core maintainers and decision makers at 
PowerDNS, but – for now – they won't change this behaviour.

Kind Regards,

Frank



> On 28 Aug 2021, at 9:43 AM, Paul Fletcher via Pdns-users wrote:
> 
> Hello,
>  
> We are having problems with pdns-recursor when resolving an MX record for a 
> domain whose delegation is partially mis-configured.  Whilst that 
> mis-configuration is clearly the trigger for the problem, the behaviour of 
> pdns is turning a small problem into a big one, when other recursors do not 
> appear to do so.
>  
> Version: 4.5.5 (also seen in earlier versions)
> OS: CentOS7
>  
> Description of the problem:
> Initial discovery of NS for the domain gets an answer from gtld-servers.  The 
> answer includes:
> 4 NS names; two are in the domain itself, and two are in an unrelated zone.  
> TTL=172800
> A records / IP addresses for those 4 names (one per name).  TTL=172800
>  
> Two of the IP addresses are incorrect.  The four name servers are cached, as 
> are the four A records.
>  
> Recursor then goes on to one of the name servers, for which it has a valid 
> IP.  (In fact the IP in the A record is for a different one of the name 
> servers to the one which the initial answer said it was for, but it is 
> nevertheless the IP of a valid name server for the domain).  It queries the 
> MX record, and gets back a response.  The response includes
> The MX record, with TTL=300
> 2 NS servers (two of the four which were in the parent response).  TTL=1800
> A records for those 2 servers.  TTL=1800
>  
> This time the A records are correct.  However, whilst recursor replaces the 
> previous NS records in the cache, it does NOT replace the A records.  In 
> older versions it says
> “Accept answer? NO!”
> In newer versions it says
> “Removing record  in the 3 section”
>  
> So now if we look up the MX record again after its TTL has expired, recursor 
> correctly identifies the names of the two name servers to use from cache.  It 
> then tries to resolve those to IPs, which it does by using the incorrect A 
> records that were cached from the first response.  And since they are not 
> accessible, the query times out.  Nothing works until the 1800 TTL on the 
> name servers expires, at which point we go back to the start, getting 4 name 
> servers and 4 IPs, two of which work and allow us to resolve the query this 
> one time only.
>  
> I don’t understand why the recursor accepted and cached the A records which 
> it got in the response from the gtld-servers – even though the two important 
> ones are in a different zone, with nothing to indicate that gtld-servers are 
> authoritative for that zone; but it doesn’t accept the A records from the 
> delegated name server’s response.  Is there something we can do to alter this 
> behaviour?  If it either accepted them in both cases or rejected them in both 
> cases, everything would work despite the slightly broken initial response.  
> As I say, we don’t see this problem with other recursive resolvers.
>  
> The domain is solera.com.
>  
> Thanks for any pointers.
>  
> Paul
> 
> This electronic communication and the information and any files transmitted 
> with it, or attached to it, are confidential and are intended solely for the 
> use of the individual or entity to whom it is addressed and may contain 
> information that is confidential, legally privileged, protected by privacy 
> laws, or otherwise restricted from disclosure to anyone else. If you are not 
> the intended recipient or the person responsible for delivering the e-mail to 
> the intended recipient, you are hereby notified that any use, copying, 
> distributing, dissemination, forwarding, printing, or copying of this e-mail 
> is strictly prohibited. If you received this e-mail in error, please return 
> the e-mail to the sender, delete it from your computer, and destroy any 
> printed copy of it.___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com 
> https://mailman.powerdns.com/mailman/listinfo/pdns-users 
> 
Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be




___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
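
Paul's report and Frank's reply above turn on two separate resolver decisions: which additional-section addresses a server is allowed to vouch for (its bailiwick), and whether data of the same trust rank may overwrite what is already cached. The Python below is an added toy model of both; it is not PowerDNS code and does not claim to reproduce the recursor's internals. Names and addresses are constructed from the RFC 2606 and RFC 5737 documentation ranges, and the TLD referral is modelled as coming from a server authoritative for com. only.

```python
"""Added example: bailiwick filtering and RFC 2181 trust-ranked caching, toy resolver.
Not PowerDNS code. All names and addresses are constructed."""
from dataclasses import dataclass

# RFC 2181 section 5.4.1 trust ranks, highest first. The lowest rank holds both
# referral glue and the additional section of an authoritative answer: that tie is
# what decides whether a corrected address can overwrite a wrong one.
RANK_AUTH_ANSWER = 4     # answer section of an authoritative reply
RANK_AUTH_AUTHORITY = 3  # authority section of an authoritative reply
RANK_NONAUTH_ANSWER = 2  # answer section of a non-authoritative reply
RANK_ADDITIONAL = 1      # glue, referral NS sets, additional section of any reply


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    ttl: int


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is at or below `zone`; a server may only vouch for such names."""
    owner = owner.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return zone == "." or owner == zone or owner.endswith("." + zone)


def filter_additional(server_zone: str, additional: list) -> tuple:
    """Split additional-section records into (accepted, rejected) for a server that is
    authoritative for `server_zone`. Out-of-bailiwick glue is a classic poisoning vector."""
    accepted = [rr for rr in additional if in_bailiwick(rr.name, server_zone)]
    rejected = [rr for rr in additional if not in_bailiwick(rr.name, server_zone)]
    return accepted, rejected


class Cache:
    """RRsets keyed by (name, type), each tagged with the trust rank it arrived with."""

    def __init__(self, replace_on_equal_rank: bool):
        self.replace_on_equal_rank = replace_on_equal_rank
        self._store = {}

    def put(self, rrset: list, rank: int) -> bool:
        key = (rrset[0].name.lower(), rrset[0].rtype)
        old = self._store.get(key)
        if old is None or rank > old[1] or (rank == old[1] and self.replace_on_equal_rank):
            self._store[key] = (tuple(rrset), rank)
            return True
        return False

    def rdata(self, name: str, rtype: str) -> list:
        entry = self._store.get((name.lower(), rtype))
        return [rr.rdata for rr in entry[0]] if entry else []


def simulate(replace_on_equal_rank: bool) -> dict:
    """Replay the thread's two responses against one replacement policy."""
    cache = Cache(replace_on_equal_rank)
    nses = ["ns1.example.com.", "ns2.example.com.", "ns1.example.net.", "ns2.example.net."]

    # 1. Referral from a TLD server, authoritative for "com." only. It hands out glue for
    #    all four names, two of which it has no business vouching for, and the address
    #    for ns1.example.com. is wrong on purpose (constructed, as in the report).
    cache.put([RR("example.com.", "NS", n, 172800) for n in nses], RANK_ADDITIONAL)
    glue = [RR("ns1.example.com.", "A", "192.0.2.99", 172800),
            RR("ns2.example.com.", "A", "192.0.2.2", 172800),
            RR("ns1.example.net.", "A", "198.51.100.1", 172800),
            RR("ns2.example.net.", "A", "198.51.100.2", 172800)]
    accepted, rejected = filter_additional("com.", glue)
    for rr in accepted:
        cache.put([rr], RANK_ADDITIONAL)

    # 2. Authoritative MX answer from a reachable example.com. server: a two-name NS set
    #    in the authority section and the correct addresses in the additional section.
    cache.put([RR("example.com.", "MX", "10 mail.example.com.", 300)], RANK_AUTH_ANSWER)
    cache.put([RR("example.com.", "NS", n, 1800) for n in nses[:2]], RANK_AUTH_AUTHORITY)
    fresh = [RR("ns1.example.com.", "A", "192.0.2.1", 1800),
             RR("ns2.example.com.", "A", "192.0.2.2", 1800)]
    for rr in filter_additional("example.com.", fresh)[0]:
        cache.put([rr], RANK_ADDITIONAL)

    return {"ns": cache.rdata("example.com.", "NS"),
            "ns1_a": cache.rdata("ns1.example.com.", "A"),
            "rejected_glue": [rr.name for rr in rejected]}


if __name__ == "__main__":
    for policy in (False, True):
        print("replace_on_equal_rank =", policy, simulate(policy))
```

With `replace_on_equal_rank=False` the run reproduces the symptom in the thread: the NS set is refreshed because authority-section data of an authoritative answer outranks the referral, but the wrong glue address survives until its 172800 s TTL expires, since RFC 2181 puts referral glue and an authoritative answer's additional section in the same rank. The bailiwick filter is the part that is not a policy choice: accepting example.net addresses from a com. server is the out-of-bailiwick path that cache-poisoning attacks have used, whatever one decides about replacement.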


Re: [Pdns-users] How to configure TSIG with BIND backend

2021-11-15 Thread frank+pdns--- via Pdns-users
Hi Michael,

Can you provide full (unedited) config files please?

A lot of info is missing to be able to help you fix this problem. Please see 
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ for 
more information.

Frank



> On 13 Nov 2021, at 20:00, Fox, Michael E. via Pdns-users
> <pdns-users@mailman.powerdns.com> wrote:
> 
> Howdy,
>  
> I’m new to PowerDNS.  I’m using the authoritative server with the BIND 
> backend for some testing.  (Don’t need power or complexity of a DB backend).
>  
> Fake IPs:
>   11.11.11.11 master
>   22.22.22.22 slave
>  
> I’ve got a master and slave configured with three zones and doing zone 
> transfers.  Initially, I didn’t have TSIGs and have the following configured 
> in pdns.conf on the master:
>  
> allow-axfr-ips=127.0.0.0/8,::1,22.22.22.22
>  
> Now I’d like to configure TSIG.  But the instructions here seem to be related 
> to DB backends:
> https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr
>  
> I’d like to stick to the BIND backend.  But I get errors when trying the same 
> type of configuration options in named.conf that work in regular BIND.
>  
> Here’s what I did:
>  
> On the master:
>  
> key “keyname” {
> algorithm hmac-sha256;
> secret “…”;
> };
>  
> zone “zonename” {
> file …;
> type master;
> allow-transfer { 22.22.22.22 key “keyname”; };
> };
>  
> On the slave:
>  
> key “keyname” {
> algorithm hmac-sha256;
> secret “…”;
> };
>  
> zone “zonename” {
> file …;
> type slave;
> masters { 11.11.11.11 key “keyname”; };   <-- I get a syntax error on this, 
> even though it works in regular BIND.
> };
>  
> So, I changed the slave to:
>  
> server 11.11.11.11 {
> keys { “keyname”; };
> };
>  
> zone “zonename” {
> file …;
> type slave;
> masters { 11.11.11.11 };  <-- no more syntax error.
> };
>  
> And, in pdns.conf, I set “allow-axfr-ips” back to the default:
>  
> allow-axfr-ips=127.0.0.0/8,::1
>  
> But when I restart the slave, I get the following error: 
>  
> Unable to AXFR zone ‘zonename' from remote 11.11.11.11' (resolver): AXFR 
> chunk error: Server Not Authoritative for zone / Not Authorized (This was the 
> first time. Excluding zone from slave-checks until 1636827466)
>  
> Any help would be greatly appreciated!
>  
> Michael
>  
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com 
> https://mailman.powerdns.com/mailman/listinfo/pdns-users 
> 
Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be




___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] How to configure TSIG with BIND backend

2021-11-15 Thread frank+pdns--- via Pdns-users
Hi Michael,

Your pdns.conf files seem to be missing and could be very relevant.

Frank





> On 15 Nov 2021, at 14:39, Fox, Michael E. wrote:
> 
> You want me to post the TSIG keys?
>  
> Also, the DNS servers themselves are in a lab, behind a firewall.  But I 
> don’t see the relevance of specific domain names to my question.
>  
> Let me just ask the question a different way:  What is the proper syntax for 
> configuring TSIG when using the BIND backend?
>  
> Michael
>  
> From: frank+p...@tembo.be
> Sent: Monday, November 15, 2021 5:27 AM
> To: Fox, Michael E. <michael@tamu.edu>
> Cc: pdns-users-ml
> Subject: Re: [Pdns-users] How to configure TSIG with BIND backend
>  
> Hi Michael,
>  
> Can you provide full (unedited) config files please?
>  
> A lot of info is missing to be able to help you fix this problem. Please see 
> https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ 
> for more information.
>  
> Frank
>  
>  
> 
> 
> On 13 Nov 2021, at 20:00, Fox, Michael E. via Pdns-users
> <pdns-users@mailman.powerdns.com> wrote:
>  
> Howdy,
>  
> I’m new to PowerDNS.  I’m using the authoritative server with the BIND 
> backend for some testing.  (Don’t need power or complexity of a DB backend).
>  
> Fake IPs:
>   11.11.11.11 master
>   22.22.22.22 slave
>  
> I’ve got a master and slave configured with three zones and doing zone 
> transfers.  Initially, I didn’t have TSIGs and have the following configured 
> in pdns.conf on the master:
>  
> allow-axfr-ips=127.0.0.0/8,::1,22.22.22.22
>  
> Now I’d like to configure TSIG.  But the instructions here seem to be related 
> to DB backends:
> https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr
>  
> I’d like to stick to the BIND backend.  But I get errors when trying the same 
> type of configuration options in named.conf that work in regular BIND.
>  
> Here’s what I did:
>  
> On the master:
>  
> key “keyname” {
> algorithm hmac-sha256;
> secret “…”;
> };
>  
> zone “zonename” {
> file …;
> type master;
> allow-transfer { 22.22.22.22 key “keyname”; };
> };
>  
> On the slave:
>  
> key “keyname” {
> algorithm hmac-sha256;
> secret “…”;
> };
>  
> zone “zonename” {
> file …;
> type slave;
> masters { 11.11.11.11 key “keyname”; };   <-- I get a syntax error on this, 
> even though it works in regular BIND.
> };
>  
> So, I changed the slave to:
>  
> server 11.11.11.11 {
> keys { “keyname”; };
> };
>  
> zone “zonename” {
> file …;
> type slave;
> masters { 11.11.11.11 };  <-- no more syntax error.
> };
>  
> And, in pdns.conf, I set “allow-axfr-ips” back to the default:
>  
> allow-axfr-ips=127.0.0.0/8,::1
>  
> But when I restart the slave, I get the following error: 
>  
> Unable to AXFR zone ‘zonename' from remote 11.11.11.11' (resolver): AXFR 
> chunk error: Server Not Authoritative for zone / Not Authorized (This was the 
> first time. Excluding zone from slave-checks until 1636827466)
>  
> Any help would be greatly appreciated!
>  
> Michael
>  
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com 
> https://mailman.powerdns.com/mailman/listinfo/pdns-users 
> 
>  
> Frank Louwers
> PowerDNS Certified Consultant @ Kiwazo.be 
> 
Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be




___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] How to configure TSIG with BIND backend

2021-11-17 Thread frank+pdns--- via Pdns-users
Hi Michael,

First up: TSIG, DNSSEC etc. are way easier with a "database" backend (even a 
lightweight one), so you might want to reconsider your backend choice.

The reason I am asking for the pdns.conf is twofold:

First up, there's this message:

> Unable to AXFR zone ‘zonename' from remote 11.11.11.11' (resolver): AXFR 
> chunk error: Server Not Authoritative for zone / Not Authorized (This was the 
> first time. Excluding zone from slave-checks until 1636827466)

Which might be caused by a more fundamental issue in the config. 

Secondly, as mentioned in the docs, TSIG usually requires dnssec infrastructure 
in the backend. Your pdns.conf might indicate incorrect setups there.

I completely understand if you're not willing to communicate your configuration, 
or if that information can only be shared after signing an NDA. I am perfectly 
fine to sign one and look at your very specific problem in the scope of a 
consulting engagement, and I am sure others on this list can provide you that 
same service. However, this pdns-users-ml mailing list won't give you many 
answers if we don't have access to the full config.

Kind Regards,

Frank

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be 






> On 16 Nov 2021, at 21:20, Fox, Michael E. wrote:
> 
> Frank,
>  
> Again, I’m not asking what is wrong with my config.
> I’m asking for the proper syntax to configure TSIG between two PowerDNS 
> systems (master/primary and slave/secondary), both with a BIND backend. 
>  
> The existing documentation page seems to apply only (or mostly) to DB 
> backends:
> https://doc.powerdns.com/authoritative/tsig.html#tsig-provision-signed-notify-axfr
> From what I can tell, the ‘pdnsutil’ commands are acting on the database.
> And the example BIND config on that page only shows the slave side of the 
> config (and it says it’s a slave to itself [master=127.0.0.1]).
>  
> An example config snippet, using example IPs and domain name, is what I’m 
> looking for. 
> Specifically, what should go in named.conf and pdns.conf for the master and 
> the slave?
>  
> Can someone help with that?
>  
> Thanks much.
>  
> Michael E Fox
> Sr. Assoc. Director, ITEC
> Texas A&M University
> 979-862-4036 (Office)
> michael@tamu.edu 
> https://itec.tamu.edu 
>  
> Join us for Interoperability Institute ’22:  May 2-6, 2022
> https://itec.tamu.edu/interop22/ 
>  
> From: frank+p...@tembo.be
> Sent: Monday, November 15, 2021 8:25 AM
> To: Fox, Michael E. <michael@tamu.edu>
> Cc: pdns-users-ml
> Subject: Re: [Pdns-users] How to configure TSIG with BIND backend
>  
> Hi Michael,
>  
> Your pdns.conf files seem to be missing and could be very relevant.
>  
> Frank
>  
>  
>  
>  
> 
> 
> On 15 Nov 2021, at 14:39, Fox, Michael E. wrote:
>  
> You want me to post the TSIG keys?
>  
> Also, the DNS servers themselves are in a lab, behind a firewall.  But I 
> don’t see the relevance of specific domain names to my question.
>  
> Let me just ask the question a different way:  What is the proper syntax for 
> configuring TSIG when using the BIND backend?
>  
> Michael
>  
> From: frank+p...@tembo.be
> Sent: Monday, November 15, 2021 5:27 AM
> To: Fox, Michael E. <michael@tamu.edu>
> Cc: pdns-users-ml
> Subject: Re: [Pdns-users] How to configure TSIG with BIND backend
>  
> Hi Michael,
>  
> Can you provide full (unedited) config files please?
>  
> A lot of info is missing to be able to help you fix this problem. Please see 
> https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ 
> for more information.
>  
> Frank
>  
>  
> 
> 
> 
> On 13 Nov 2021, at 20:00, Fox, Michael E. via Pdns-users
> <pdns-users@mailman.powerdns.com> wrote:
>  
> Howdy,
>  
> I’m new to PowerDNS.  I’m using the authoritative server with the BIND 
> backend for some testing.  (Don’t need power or complexity of a DB backend).
>  
> Fake IPs:
>   11.11.11.11 master
>   22.22.22.22 slave
>  
> I’ve got a master and slave configured with three zones and doing zone 
> transfers.  Initially, I did

Re: [Pdns-users] How to configure TSIG with BIND backend

2021-11-17 Thread frank+pdns--- via Pdns-users
Please enable, validate and test dnssec for your backend. Then use the pdnsutil 
command to add the tsig keys.

If that doesn't work, please share full and unedited config, so people can have 
a look and replicate. 

Frank



Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be 

> On 17 Nov 2021, at 14:06, Fox, Michael E. wrote:
> 
> Thanks Frank,
>  
> You’re trying to troubleshoot my config.  That is *NOT* what I’m asking.  
> BTW, there’s nothing secret in my config.  But:
> It is in a lab and not accessible from outside (mostly because I don’t know 
> how to secure it yet, but also because it has no useful purpose outside the 
> lab so we keep the threat surface as small as possible)
> It is irrelevant to the question. 
>  
> Again, my question is simple:  what is the proper syntax for enabling TSIG 
> using BIND backend on master and slave?
>  
> Once I know what I’m *supposed* to do, then if I try it and it fails, that’s 
> the time to figure out what’s wrong.  Right now, I don’t even know the proper 
> way to set it up.
>  
>  
> Michael E Fox
> Sr. Assoc. Director, ITEC
> Texas A&M University
> 979-862-4036 (Office)
> michael@tamu.edu 
> https://itec.tamu.edu 
>  
> Join us for Interoperability Institute ’22:  May 2-6, 2022
> https://itec.tamu.edu/interop22/ 
>  

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be




___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
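
As an added example for this thread (not PowerDNS code, and not a substitute for the documented setup): on the PowerDNS side the documented route is `pdnsutil generate-tsig-key <name> hmac-sha256` and `pdnsutil activate-tsig-key <zone> <name> primary` on the primary, then `pdnsutil import-tsig-key <name> hmac-sha256 <secret>` and `pdnsutil activate-tsig-key <zone> <name> secondary` on the secondary (older releases spell the last argument master/slave). With the BIND backend those keys and the per-zone TSIG metadata are stored in the `bind-dnssec-db` sqlite3 file, which is why Frank asks for DNSSEC storage to be working first. The Python below shows what such a key actually does on the wire: it builds an AXFR request, appends an HMAC-SHA256 TSIG RR per RFC 8945, and verifies it the way the receiving primary must, checking the MAC before the time window. The key name `xfer-key.`, the secret, the zone example.org. and the fixed clock are constructed; compressed names and response or continuation MACs are out of scope.

```python
"""Added example: TSIG (RFC 8945) request signing and verification, stdlib only.
Not PowerDNS code. Key name, secret, zone and clock below are constructed."""
import hashlib
import hmac
import struct

ALGOS = {"hmac-sha256.": hashlib.sha256, "hmac-sha512.": hashlib.sha512}
TYPE_TSIG, CLASS_ANY = 250, 255


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name, uncompressed."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read an uncompressed name at `off`; return (name, offset after it)."""
    labels = []
    while msg[off] != 0:
        if msg[off] & 0xC0:
            raise ValueError("FORMERR")  # compression pointers are out of scope here
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += msg[off] + 1
    return ".".join(labels) + ".", off + 1


def build_query(qname: str, qtype: int, msg_id: int) -> bytes:
    """Header with RD set and a single question, no EDNS."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(keyname: str, algo: str, time_signed: int, fudge: int,
                   error: int = 0, other: bytes = b"") -> bytes:
    """The TSIG variables covered by the MAC (RFC 8945 4.3.3), names in canonical form."""
    return (encode_name(keyname.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(algo.lower()) + struct.pack("!Q", time_signed)[2:]
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(msg: bytes, keyname: str, algo: str, secret: bytes, now: int, fudge: int = 300) -> bytes:
    """Append a TSIG RR to an unsigned request (requests chain no prior MAC)."""
    mac = hmac.new(secret, msg + tsig_variables(keyname, algo, now, fudge), ALGOS[algo]).digest()
    rdata = (encode_name(algo) + struct.pack("!Q", now)[2:] + struct.pack("!HH", fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other len
    rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def verify(signed: bytes, keys: dict, now: int) -> str:
    """Validate the trailing TSIG RR against `keys` ({lower-case name: secret}); return the
    key name, or raise ValueError carrying the RFC 8945 error name."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        raise ValueError("FORMERR")  # unsigned request where a signature is required
    off = 12
    for _ in range(qd):
        off = decode_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):  # skip every RR before the TSIG, which must be last
        off = decode_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    keyname, off = decode_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rtype != TYPE_TSIG or rclass != CLASS_ANY:
        raise ValueError("FORMERR")
    algo, off = decode_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, macsize = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + macsize]
    off += 10 + macsize
    orig_id, error, otherlen = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + otherlen]
    secret = keys.get(keyname.lower())
    if secret is None or algo.lower() not in ALGOS:
        raise ValueError("BADKEY")
    # Rebuild the message as the signer saw it: original ID, ARCOUNT without the TSIG RR.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + tsig_variables(keyname, algo, time_signed, fudge, error, other),
                        ALGOS[algo.lower()]).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("BADSIG")
    if abs(now - time_signed) > fudge:  # only meaningful once the MAC has authenticated the timestamp
        raise ValueError("BADTIME")
    return keyname


def check(signed: bytes, keys: dict, now: int) -> str:
    """Return 'NOERROR:<key>' or the TSIG error name, as a server would log it."""
    try:
        return "NOERROR:" + verify(signed, keys, now)
    except ValueError as exc:
        return str(exc)


def demo() -> dict:
    secret = b"constructed-demo-secret-never-reuse"  # constructed; real keys come from pdnsutil
    keys = {"xfer-key.": secret}
    now = 1636827466  # the epoch time from the thread's log line, used as a fixed clock
    q = sign(build_query("example.org.", 252, 0x1234), "xfer-key.", "hmac-sha256.", secret, now)  # 252 = AXFR
    forged = bytearray(q)
    forged[13] ^= 0x20  # flip one bit inside the QNAME after signing
    renumbered = struct.pack("!H", 0x9999) + q[2:]  # a forwarder rewrote the message ID
    return {"valid": check(q, keys, now + 10), "tampered": check(bytes(forged), keys, now),
            "unknown_key": check(q, {"other-key.": secret}, now), "stale": check(q, keys, now + 3600),
            "renumbered": check(renumbered, keys, now)}


if __name__ == "__main__":
    print(demo())
```

The ordering in `verify` is the one the RFC requires: key lookup, then MAC comparison with `hmac.compare_digest`, and only then the time window, so an attacker cannot learn anything from the clock check on a message they could not sign. The `renumbered` case shows why the TSIG RDATA carries the original message ID: a forwarder may rewrite the header ID without invalidating the signature.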


Re: [Pdns-users] BIND-mode vs. Hybrid BIND-mode

2021-12-03 Thread frank+pdns--- via Pdns-users
Hi Michael,

In BIND mode, a special-purpose sqlite3 database is used to store all DNSSEC 
related data. That sqlite3 database follows a specific schema, and is not used 
as a "regular" backend. You'd only need one backend (the BIND backend).
In Hybrid-BIND mode, you'd need at least a "regular" database backend, in 
addition to the BIND backend. That database backend can / will be used as a 
regular database backend, following that schema etc.

If you will only have BIND-style backends, the regular dnssec BIND mode is what 
you're probably looking for. If you have domains in both BIND and a MySQL 
database for instance, you can reuse that MySQL backend to store the DNSSEC 
data for domains in the BIND mode.

Hope this clarifies :)

Kind Regards,

Frank


Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be





> On 2 Dec 2021, at 23:08, Fox, Michael E. via Pdns-users
> <pdns-users@mailman.powerdns.com> wrote:
> 
> Howdy,
>  
> I’d like to use BIND zone files and DNSSEC.  
>  
> I’m reading:  
> https://doc.powerdns.com/authoritative/dnssec/modes-of-operation.html#bind-mode-operation
>  
> I don’t understand the difference between BIND-mode and Hybrid BIND-mode.
> BIND-mode says the zone records are stored in BIND files and an sqlite3 
> database is required for the keys and other DNSSEC related data.
> Hybrid BIND-mode says the zone records and keying material are stored in 
> different backends.  Isn’t that the same thing?
> If there’s a distinction here, I don’t know what it is.
> Can someone explain?
>  
> Thanks much!
>  
> Michael E Fox
>  
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com 
> https://mailman.powerdns.com/mailman/listinfo/pdns-users 
> 
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
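
Frank's distinction, as two alternative pdns.conf variants (added example, not from the thread or the PowerDNS documentation). `launch`, `bind-config`, `bind-dnssec-db` and `bind-hybrid` are the real settings; the file paths, database name and credentials are placeholders.

```ini
# Variant 1: BIND mode. Zone data comes from named.conf; DNSSEC keys, TSIG keys and
# zone metadata live in a dedicated sqlite3 file that only the bind backend touches.
# Create that file once, before enabling anything, with:
#   pdnsutil create-bind-db /var/lib/powerdns/bind-dnssec-db.sqlite3
launch=bind
bind-config=/etc/powerdns/named.conf
bind-dnssec-db=/var/lib/powerdns/bind-dnssec-db.sqlite3

# Variant 2: Hybrid BIND mode. Zone data still comes from named.conf, but keys and
# metadata are stored in a regular database backend, which also serves its own zones
# with the normal schema. No bind-dnssec-db is used in this mode.
#launch=bind,gmysql
#bind-config=/etc/powerdns/named.conf
#bind-hybrid=yes
#gmysql-host=127.0.0.1
#gmysql-dbname=pdns
#gmysql-user=pdns
#gmysql-password=change-me
```

Pick one variant: with `bind-hybrid=yes` the sqlite3 file from variant 1 plays no role, and the database user in variant 2 needs write access to the key and metadata tables, not only read access to records.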


Re: [Pdns-users] How to make Authoritative work?

2022-01-09 Thread frank+pdns--- via Pdns-users
Hi,

Could you please paste the full configuration (pdns.conf) and the entries in 
the database?

In particular, the things to look at would be: type of domain set, backend 
config, ...

On top of that, can you run `pdnsutil check-zone` on the zone and paste the 
output?

Frank



> On 9 Jan 2022, at 23:23, jrd via Pdns-users  
> wrote:
> 
> Hi all.  I know this is a bit of a newbie question, but it seems to be
> stumping me.
> 
> I've just set up a new pdns server.  pdns 4.5.1.  I populated its DB
> with a bunch of test records.  I gave it an SOA saying it's the
> authority for my zone.  Made sure the hostname and IP address match
> the local configuration of the machine.
> 
> When I query it with (for instance) dig, it returns all the correct
> data, for the SOA or any other of my test records, but it doesn't set
> the AA bit.
> 
> What are the criteria which have to be met, in order for pdns to say
> "Yep, I'm the authority for this domain" ?
> 
> TIA . . .
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be




___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] How to make Authoritative work?

2022-01-17 Thread frank+pdns--- via Pdns-users
Hi,

Please see my earlier reply 
(https://mailman.powerdns.com/pipermail/pdns-users/2022-January/027513.html)

> Hi,
> 
> Could you please paste the full configuration (pdns.conf) and the entries in 
> the database?
> 
> In particular, the things to look at would be: type of domain set, backend 
> config, ...
> 
> On top of that, can you run `pdnsutil check-zone` on the zone and paste the 
> output?
> 
> Frank




> On 17 Jan 2022, at 14:01, jrd via Pdns-users 
>  wrote:
> 
> Bump.  Anybody?
> 
> If it's in the docs and I missed it, please point me in the right
> direction.  TIA . . .
> 
>From: jrd-p...@jrd.org
>Date: Sun, 9 Jan 2022 17:23:40 -0500
> 
>Hi all.  I know this is a bit of a newbie question, but it seems to be
>stumping me.
> 
>I've just set up a new pdns server.  pdns 4.5.1.  I populated its DB
>with a bunch of test records.  I gave it an SOA saying it's the
>authority for my zone.  Made sure the hostname and IP address match
>the local configuration of the machine.
> 
>When I query it with (for instance) dig, it returns all the correct
>data, for the SOA or any other of my test records, but it doesn't set
>the AA bit.
> 
>What are the criteria which have to be met, in order for pdns to say
>"Yep, I'm the authority for this domain" ?
> 
>TIA . . .
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be




___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] How to make Authoritative work?

2022-01-18 Thread frank+pdns--- via Pdns-users
Hi,

The interesting parts are:

- your full pdns config file (please mask passwords, but nothing besides that)
- entry for that domain in the domains table
- SOA / NS records in the records table for that domain
- output of `pdnsutil check-zone` on that domain.

That should give us a good starting point, we'll see from there...

Cheers!

Frank

> On 17 Jan 2022, at 16:51, jrd-p...@jrd.org wrote:
> 
> D'oh, my bad.  That must have fallen into my spam trap and I missed
> it.
> 
> Do you want the entire contents of the DB for that zone, or just a
> subset like the SOA and records talking about that host?  Do you want
> it in sql format or zone format?
> 
> What I'm hoping for is a recipe:  "pdns looks for a valid SOA naming
> the local host, and A record for itself, and [fill in the blank].  If
> those conditions are met, it will conclude that it's authoritative".
> 
> I'll collect that stuff up.  Thanks!
> 
> 
>From: frank+p...@tembo.be
>Date: Mon, 17 Jan 2022 14:20:50 +0100
> 
>Hi,
> 
>Please see my earlier reply (
>https://mailman.powerdns.com/pipermail/pdns-users/2022-January/027513.html)
> 
>> Hi,
>> 
>> Could you please paste the full configuration (pdns.conf) and the entries in
>the database?
>> 
>> In particular, the things to look at would be: type of domain set, backend
>config, ...
>> 
>> On top of that, can you run `pdnsutil check-zone` on the zone and paste the
>output?
>> 
>> Frank
> 
>On 17 Jan 2022, at 14:01, jrd via Pdns-users <
>pdns-users@mailman.powerdns.com> wrote:
> 
>Bump.  Anybody?
> 
>If it's in the docs and I missed it, please point me in the right
>direction.  TIA . . .
> 
>   From: jrd-p...@jrd.org
>   Date: Sun, 9 Jan 2022 17:23:40 -0500
> 
>   Hi all.  I know this is a bit of a newbie question, but it seems to 
> be
>   stumping me.
> 
>   I've just set up a new pdns server.  pdns 4.5.1.  I populated its DB
>   with a bunch of test records.  I gave it an SOA saying it's the
>   authority for my zone.  Made sure the hostname and IP address match
>   the local configuration of the machine.
> 
>   When I query it with (for instance) dig, it returns all the correct
>   data, for the SOA or any other of my test records, but it doesn't 
> set
>   the AA bit.
> 
>   What are the criteria which have to be met, in order for pdns to say
>   "Yep, I'm the authority for this domain" ?
> 
>   TIA . . .
>___
>Pdns-users mailing list
>Pdns-users@mailman.powerdns.com
>https://mailman.powerdns.com/mailman/listinfo/pdns-users
> 
>Frank Louwers
>PowerDNS Certified Consultant @ Kiwazo.be
> 

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be




___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] pdns-recursor 4.4: host unknown after some time with no clear reason

2022-06-01 Thread frank+pdns--- via Pdns-users
Hi Jan,

I completely understand NDAs and myself (and numerous other PowerDNS Certified 
Consultants on this list) are happy to sign them, as part of a professional 
engagement. Please reach out to me off-list to discuss your options.

However, this also means that on this list, we can't help you much...

As per your questions: first we need to know what happens. The trace should 
tell us. Options to look at: (yes this list is long and some won't apply, but 
please reread the first sentence of this mail)

* https://doc.powerdns.com/recursor/settings.html#network-timeout
* https://doc.powerdns.com/recursor/settings.html#non-resolving-ns-max-fails
* https://doc.powerdns.com/recursor/settings.html#non-resolving-ns-max-throttle-time
* https://doc.powerdns.com/recursor/settings.html#dont-throttle-names
* https://doc.powerdns.com/recursor/settings.html#dont-throttle-netmasks
* https://doc.powerdns.com/recursor/settings.html#server-down-max-fails
* https://doc.powerdns.com/recursor/settings.html#server-down-throttle-time


Frank


Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be

> On 1 Jun 2022, at 12:32, Jan Huijsmans via Pdns-users 
>  wrote:
> 
> Hi Frank,
> 
> On Wed, 1 Jun 2022 11:23:16 +0200
> "fr...@tembo.be"  wrote:
>> When this fails, could you run a dig command for a domain after
>> activating trace for that domain? (See
>> https://doc.powerdns.com/recursor/manpages/rec_control.1.html?highlight=trace-regex
>> )
>> 
>> I'd like to see the full trace, but my guess would be all the
>> upstream / root name servers have been marked as too slow to be
>> reliable by PowerDNS.
> 
> I'm not allowed to give a full trace, NDA and stuff. The rec_control
> command can help though. I'll see what I can dig up from the
> environment when I'm able to access it again.
> 
> The slow speed could be the cause, as there are low speed high latency
> links between the recursor and the root servers. How do I disable that
> speed check in PowerDNS?
> 
>> Also, I would recommend upgrading to a more recent version,
>> especially as 4.5 adds goodies such as
>> https://doc.powerdns.com/recursor/settings.html#non-resolving-ns-max-fails
>> .
> 
> Alas, upgrading is not an option, as the environment is 'frozen'. The
> environment needs to work as-is for at least 1.5 years. All we can do
> is tweak settings. I'm already happy we could abandon 4.0 last year.
> 
> -- 
> 
> Jan Huijsmans  b...@koffie.nu
> 
> ... cannot activate /dev/brain, no response from main coffee server
> 
> 
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] pdns-recursor 4.4: host unknown after some time with no clear reason

2022-06-08 Thread frank+pdns--- via Pdns-users
Jan,

Best of luck with your optimisations. If the network links are very slow, then 
this could explain the issue you see. 

Frank


> On 7 Jun 2022, at 15:34, Jan Huijsmans via Pdns-users 
>  wrote:
> 
> Hi Frank,
> 
> On Wed, 1 Jun 2022 12:48:01 +0200
> "frank+p...@tembo.be"  wrote:
> 
>> Hi Jan,
>> 
>> I completely understand NDAs and myself (and numerous other PowerDNS
>> Certified Consultants on this list) are happy to sign them, as part
>> of a professional engagement. Please reach out to me off-list to
>> discuss your options.
>> 
>> However, this also means that on this list, we can't help you much...
>> 
>> As per your questions: first we need to know what happens. The trace
>> should tell us. Options to look at: (yes this list is long and some
>> won't apply, but please reread the first sentence of this mail)
>> 
>> * https://doc.powerdns.com/recursor/settings.html#network-timeout
> 
> I'm getting the feeling this is the culprit. We looked at the nsspeeds
> the recursor reported and saw times between 0.6 and 1.2s for the
> root servers just after a restart of the recursor.
> 
> I now get reports that the admins see 2s response times in their
> environment, making the default of 1.5s timeout a tad close to the
> times observed in a clean environment and too low for reported times.
> We instructed to set the network-timeout to 3000 or even 5000.
> 
>> *
>> https://doc.powerdns.com/recursor/settings.html#dont-throttle-netmasks
> 
> We already set this to 0.0.0.0/0,::/0 and kept seeing the issues.
> 
> The local admins are keeping an eye on the environment with the new
> settings and will report back.
> 
> -- 
> 
> Jan Huijsmans  b...@koffie.nu
> 
> ... cannot activate /dev/brain, no response from main coffee server
> 
> 
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] PowerDNS Authoritative 4.6.2, how to log served responses (i.e. NOERROR, NXDOMAIN, SERVFAIL, etc)?

2022-06-14 Thread frank+pdns--- via Pdns-users
Hi Dmitriy,

https://doc.powerdns.com/authoritative/settings.html#log-dns-queries states 
that it logs "all incoming DNS queries", not the results.

If you want to log the results, you'll need to either increase the loglevel, 
tcpdump the results and parse those, or add something in front of the server 
(eg dnsdist) where you'd capture the result codes and log.

Frank



> On 14 Jun 2022, at 13:38, Dmitriy Koff via Pdns-users 
>  wrote:
> 
> Hello!
> 
> I'm trying to configure log for PowerDNS (4.6.2) and cannot figure how to log 
> served responses (i.e. NOERROR, NXDOMAIN, SERVFAIL, etc)
> 
> /etc/pdns/pdns.conf (parameters regarding logs)
> loglevel=5
> log-dns-details=yes
> log-dns-queries=yes
> query-logging=no
> 
> # nslookup example.com 127.0.0.1
> Server: 127.0.0.1
> Address:127.0.0.1#53
> ** server can't find example.com: NXDOMAIN
> 
> All I've got in the log is the packetcache status of the request (miss or hit) -- 
> "Remote 127.0.0.1 wants 'example.com|A', do = 0, 
> bufsize = 512: packetcache MISS"
> 
> Expected something like 
> "Remote 127.0.0.1 wants 'example.com|A', do = 0, 
> bufsize = 512: packetcache MISS, NXDOMAIN"
> 
> Thanks in advance.
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] named view migration

2022-08-02 Thread frank+pdns--- via Pdns-users
Hi Lovi,

While you're correct that PowerDNS doesn't have views, you can simulate views 
using dnsdist (see https://www.frank.be/implementing-bind-views-with-powerdns/)

Frank


> On 2 Aug 2022, at 14:46, lovi via Pdns-users 
>  wrote:
> 
> Hello,
> 
> I'm running a bind/named ns master, with view zones such as: 
> azone.com in siteA = bzone.com in siteB, but only some cname records are 
> different, like proxy, ntp, .. 
> As im looking to use powerdns and as I know powerdns do not deal with named 
> views  : what would be the best way to move this configuration ?
> 
> Best Regards
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] named view migration

2022-08-03 Thread frank+pdns--- via Pdns-users
Hi,

That's certainly possible, you could also use LUA records directly in PowerDNS 
to decide what the reply would be. This would prevent the duplication.

Frank


> On 3 Aug 2022, at 10:10, lovi  wrote:
> 
> Hello,
> 
> Thanks for this answer. 
> I might not have explained it well:
> 1 - I have a zone : mycompany.tld
> 2 - this zone is split with named in 2 views : siteA and siteB
> 3 - I had to duplicate all my records in these 2 views 
> 4 - I only have a few differences, for example (cname for ntp, proxy, ..)
> 
> I don't think this configuration of duplicating records is a good idea and I 
> might find with powerdns something better to do, maybe ?
> - like rules  with dnsdist : could it detect that if a query comes it could 
> respond a particular answer
> or .. ?
> 
> 
> On Tue, 2 Aug 2022 at 20:09, frank+p...@tembo.be wrote:
> Hi Lovi,
> 
> While you're correct that PowerDNS doesn't have views, you can simulate views 
> using dnsdist (see https://www.frank.be/implementing-bind-views-with-powerdns/)
> 
> Frank
> 
> 
>> On 2 Aug 2022, at 14:46, lovi via Pdns-users
>> <pdns-users@mailman.powerdns.com> wrote:
>> 
>> Hello,
>> 
>> I'm running a bind/named ns master, with view zones such as: 
>> azone.com in siteA = bzone.com in siteB, but only some cname records are 
>> different, like proxy, ntp, .. 
>> As im looking to use powerdns and as I know powerdns do not deal with named 
>> views  : what would be the best way to move this configuration ?
>> 
>> Best Regards
>> ___
>> Pdns-users mailing list
>> Pdns-users@mailman.powerdns.com 
>> https://mailman.powerdns.com/mailman/listinfo/pdns-users 
>> 
> 

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
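
An added illustration of Frank's Lua-record suggestion (example zone fragment, not from the thread): one copy of the zone, in which only the site-specific names carry a LUA record, and `view()` returns the first record list whose netmask matches the querying client. The zone name, netblocks and addresses are constructed; `enable-lua-records` and the `view()` function are the real PowerDNS features. Two caveats a practitioner should keep in mind: LUA records are off by default because they execute script text stored in zone data, so anyone who can edit the zone can run code on the name server; and the selection keys on the client's source address (or the EDNS Client Subnet when the server is configured to use it), which is trivially spoofed over UDP and must not be mistaken for access control.

```zone
; Added example, not from the thread. Requires enable-lua-records=yes in pdns.conf.
; Netblocks and addresses are constructed (RFC 1918 and RFC 5737 ranges).
$ORIGIN example.com.
$TTL 300
@      IN SOA  ns1.example.com. hostmaster.example.com. 2022080301 7200 900 1209600 300
@      IN NS   ns1.example.com.
ns1    IN A    192.0.2.53

; Records identical for both sites stay ordinary records, stored once.
www    IN A    192.0.2.10

; Site-specific answers: the first netmask that matches the client wins,
; 0.0.0.0/0 is the fallback for clients outside either site.
ntp    IN LUA A "view({ {{'10.10.0.0/16'}, {'10.10.0.123'}}, {{'10.20.0.0/16'}, {'10.20.0.123'}}, {{'0.0.0.0/0'}, {'192.0.2.123'}} })"
proxy  IN LUA A "view({ {{'10.10.0.0/16'}, {'10.10.0.8'}},   {{'10.20.0.0/16'}, {'10.20.0.8'}},   {{'0.0.0.0/0'}, {'192.0.2.8'}} })"
```

The thread's CNAME case works the same way, since a LUA record returns the text of whatever record type it is declared with; keep the fallback entry last and always present so clients from an unexpected network get a deliberate answer rather than an empty one.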