Re: [Pdns-users] Recursor: Black list
On Fri, Oct 17, 2014 at 01:18:36AM -0300, Ciro Iriarte wrote:
> Hi!, I've seen the published LUA scripts examples and seems pretty
> simple to redirect certain domains (one?) just modifying examples
> available, but what about having a list of hundreds or thousands of
> sites to blacklist?
>
> I would like to avoid fancy options like database connections for
> example, will "grepping" on a CSV file affect performance notably?
> What's the general consensus/experience?
>
> Regards,
>
> --
> Ciro Iriarte
> http://iriarte.it
> --

Hi Ciro,

We used a CDB key value store. It was easy to use/update and had very good performance. "grepping" is O(n*n) so it will tank as your list grows and you really don't want to slow down your DNS lookups.

Regards,
Ken

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Recursor: Black list
> > Hi Ciro,
> >
> > We used a CDB key value store. It was easy to use/update and had
> > very good performance. "grepping" is O(n*n) so it will tank as
> > your list grows and you really don't want to slow down your DNS
> > lookups.
> >
> > Regards,
> > Ken
>
> Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any
> document specific for PDNS you can point me to?
>
> Regards,!
>

Hi,

No PDNS specific documentation, we used the CDB map to allow the blacklist to be updated without needing to restart the recursor and lose all the cached DNS lookups. We wrote a function similar to the example Lua script using a CDB map instead.

Regards,
Ken
Re: [Pdns-users] Recursor: Black list
On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote:
> 2014-10-20 13:29 GMT-03:00 Robert Mortimer :
> > Hi,
> >
> > Just to add a bit less light, we implemented this sort of thing about 5
> > years back and now with the aid of a small script have a solution which
> > is fully RPZ compatible. Using PDNS recursor and LUA, which can handle
> > an RPZ feed of about four thousand records and around 5,000 QPS. We did
> > stress test briefly with a 11,000 item RPZ feed.
> >
> > As said no need to restart when it updates just do a LUA reload. Hopefully I
> > should be able to release what we did soon - am waiting for permission from
> > our legal types.
> >
> > Really not sure if that helps any, except to say it's very doable and can be
> > quite stable.
> >
>
> RPZ seems really interesting, and I see there was a request for it in
> the past*. The thing is, we have direct requests from local government
> agencies to ban some domains with legal issues (mandated by a judge
> for example), and we were just approached about being able to block
> sites from the Internet Watch Foundation black list also (with their
> own landing page). Both cases will be redirected to different sites,
> and each has its own data source. Currently on bind we just define the
> domain as authoritative and it's kind of a hassle.
>
> Also, I thought about adding some helpful LUA bits to report date/time
> or the client's IP address, but from what I understood, only one LUA
> script can be added to the recursor, maybe a super monster script
> could be able to achieve all that.
>
> Ref:
> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html
>
> Regards,
> --
> Ciro Iriarte
> http://iriarte.it
> --

Hi,

I would use a single Lua script for all of it. I am trying to find my sample using CDB to post.

Regards,
Ken
Re: [Pdns-users] Recursor: Black list
On Mon, Oct 27, 2014 at 07:27:15PM +0200, Aki Tuomi wrote:
> On Mon, Oct 27, 2014 at 01:56:17PM -0300, Ciro Iriarte wrote:
> > 2014-10-27 3:46 GMT-03:00 Aki Tuomi :
> > >
> > > In a way i'd chosen sqlite3 instead as it is pretty much on par with cdb.
> > > But, to make it work properly, i'd just add "*.domain.com", and when you
> > > lookup, you could reduce it like this with get()
> > >
> > > www.my.long.name.com => NOT FOUND
> > > *.my.long.name.com => NOT FOUND
> > > *.long.name.com => NOT FOUND
> > > *.name.com => FOUND
> > >
> > > (
> > > of course you could continue with
> > > *.com
> > > *
> > > )
> > >
> > > Aki
> >
> > Hi Aki!, I couldn't find a (finished) benchmark that compares directly
> > sqlite3 vs cdb, but the unfinished tests imply that cdb is faster.
> > Given it's SQL I assume we can just use a SELECT with LIKE clause to
> > match an "ending" on the DB with the requested fqdn, would it be
> > faster than doing multiple cdb queries (one for each part of the
> > requested fqdn)?
> >
> > Regards,
> >
> > --
> > Ciro Iriarte
> > http://iriarte.it
> > --
> >
>
> The difference, to my eyes, is the difference between
>
> SELECT name FROM table WHERE name LIKE '%suffix';
>
> and
>
> SELECT name FROM table WHERE name = 'www.my.long.name.com';
> SELECT name FROM table WHERE name = '*.my.long.name.com';
> SELECT name FROM table WHERE name = '*.long.name.com';
> SELECT name FROM table WHERE name = '*.name.com';
> SELECT name FROM table WHERE name = '*.com';
>
> (assuming you'll want to filter out, say, *.xxx)
>
> Obviously using suffix would require you to know what you are
> doing, since you'd have to know what suffix to look for, otherwise
> you'll end up with very unpredictable behaviour.
>
> Consider, you have www.name.com in your blacklist, you'll look for
> %.name.com. It'll always return match. So it's safer to go with
> repeated lookups for *.parent.
>
> Performance-wise you should consider that your most likely usage
> patterns are,
>
> not blacklisted:
> SELECT name FROM table WHERE name = 'www.name.com';
> SELECT name FROM table WHERE name = '*.name.com';
> SELECT name FROM table WHERE name = '*.com';
>
> blacklisted:
> SELECT name FROM table WHERE name = 'www.name.com';
>
> or:
> SELECT name FROM table WHERE name = 'www.name.com';
> SELECT name FROM table WHERE name = '*.name.com';
>
> to give proper answer whether SQLite3 or CDB is better, you'd have to
> run benchmark tests against these use cases as they cover most of your
> situations.
>
> Also, you might want to consider early-break on any query ending with
> in-addr.arpa and ip6.arpa, unless you are required to filter these too,
> because you can get pretty long iterations especially with IPv6 reverses.
>
> All in all, i'd say go with cdb, since you already have the code there
> and it's not a big mod to make. Just keep this in mind.
>
> ---
> Aki

Hi,

CDB is a very simple key/value store. I would expect it to blow the doors off SQLite for simple lookups. In addition, the size of the library is much, much smaller for CDB (20k) than for SQLite (400k), which means that it should need much fewer resources and produce a lighter weight Lua process. Since the logic is mainly in the Lua function and the DB backend, the simple CDB key/value store should perform better per amount of resources used.

Regards,
Ken
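To make the lookup order discussed in this thread concrete, here is an added example (my own code, not from the thread, from Ken's CDB script or from PowerDNS). It walks the query name exactly as Aki describes (exact name first, then "*.parent" for each parent, then "*"), does one key/value get per candidate, breaks early on in-addr.arpa and ip6.arpa queries, and contrasts that with the LIKE '%suffix' approach to show why the latter over-matches. Python stands in for the recursor's Lua script and a plain dict stands in for the CDB or SQLite map; the blocklist entries, the "name,action" CSV layout and the landing-page labels are constructed for the example.

```python
"""Suffix-walk blocklist lookup over a key/value map (constructed example)."""
from typing import Dict, Iterable, Iterator, Optional

# Reverse-lookup trees are skipped unless you are required to filter them:
# a /128 IPv6 reverse name has 34 labels, so the walk below would otherwise
# cost 34 lookups for every PTR query.
REVERSE_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot so keys compare consistently."""
    return qname.rstrip(".").lower()


def load_blocklist(lines: Iterable[str]) -> Dict[str, str]:
    """Parse constructed 'name,action' CSV lines into the key/value map.

    Keys are exact owner names or '*.<parent>' wildcards.  In production the
    resulting pairs would be fed to cdbmake (or an SQLite table) so the
    recursor never has to parse the CSV on the query path."""
    table: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, action = line.split(",", 1)
        table[normalize(name)] = action.strip()
    return table


# Constructed sample blocklist: one court-ordered exact name, one whole
# subtree mapped to a second landing page.
BLOCKLIST = load_blocklist([
    "# name,action",
    "www.name.com,court-order",
    "*.bad.example,iwf",
])


def candidate_keys(qname: str) -> Iterator[str]:
    """Yield lookup keys in order: exact name, *.parent for each parent, then *."""
    name = normalize(qname)
    yield name
    labels = name.split(".")
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])
    yield "*"


def lookup(qname: str, table: Dict[str, str] = BLOCKLIST) -> Optional[str]:
    """Return the action for qname, or None if it is not listed.

    Each candidate costs one get() against the map, so a non-listed name
    with k labels costs k+1 lookups and a listed name usually one or two."""
    name = normalize(qname)
    if name.endswith(REVERSE_SUFFIXES):
        return None
    for key in candidate_keys(name):
        if key in table:
            return table[key]
    return None


def naive_like_suffix(qname: str, table: Dict[str, str] = BLOCKLIST) -> Optional[str]:
    """The LIKE '%.parent' approach Aki warns about, for comparison.

    It asks whether any blocklist row ends in the query's parent, so a row
    for www.name.com makes every name under name.com look blocked."""
    name = normalize(qname)
    parent = name.split(".", 1)[1] if "." in name else name
    suffix = "." + parent
    for key, action in table.items():      # SELECT ... WHERE name LIKE '%.name.com'
        if key.endswith(suffix):
            return action
    return None


if __name__ == "__main__":
    for q in ("www.name.com", "mail.name.com", "a.b.bad.example", "1.0.0.10.in-addr.arpa"):
        print(q, "->", lookup(q), "| naive:", naive_like_suffix(q))
```

Note that the wildcard entry does not match the apex itself (bad.example is not blocked by "*.bad.example"); list the apex explicitly if you want both, which is also how RPZ-style feeds usually do it.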
Re: [Pdns-users] Remote Service Check
On Tue, Dec 02, 2014 at 07:25:55AM +, Phil Daws wrote:
> Good morning, all
>
> Have you recently started to use PDNS and very impressed indeed. Am
> wondering if any of you have an example LUA script for checking whether a
> remote service is available or not ie. is webserver A available if not return
> A record or webserver B
>
> Many thanks, Phil
>

Hi Phil,

Typically work done within a lua script is of very short duration. Otherwise it causes your DNS resolution performance to be poor. Checking website status can be a slow process, and while it is taking place other non-related site DNS queries can block. I would set up monitoring outside of PDNS and then update a file or map and have your LUA script check that instead of trying to check the website status itself. This will keep all the slow parts out-of-band from the DNS resolution/lookup path.

Regards,
Ken
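One way to structure the out-of-band check Ken describes, as an added example that is not from the thread and not PowerDNS code: the monitor side does the slow TCP probes and writes a small status map atomically, and the resolver side only reads that map and picks which address to answer with. Python stands in for the recursor's Lua script here; the server names, the 192.0.2.x addresses, the status-file path and the 60 second freshness window are constructed for the example.

```python
"""Out-of-band service check feeding a DNS lookup (constructed example)."""
import json
import os
import socket
import time
from typing import Callable, Dict

STATUS_FILE = "/var/lib/dns-monitor/status.json"   # assumed path
MAX_AGE = 60.0   # seconds; a status older than this is treated as unknown

# Constructed: primary and backup web servers.
SERVERS = {
    "webserver-a": "192.0.2.10",
    "webserver-b": "192.0.2.20",
}


def probe_tcp(host: str, port: int = 443, timeout: float = 2.0) -> bool:
    """Monitor side: TCP connect with a short timeout.  Slow work like this
    belongs in the monitor, never inside the DNS lookup path."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def collect_status(probe: Callable[[str, int], bool], now: float) -> Dict:
    """Probe every server once and return the status map to be written."""
    return {
        "checked": now,
        "up": {name: bool(probe(addr, 443)) for name, addr in SERVERS.items()},
    }


def write_status(path: str, status: Dict) -> None:
    """Write the map atomically (tmp file + rename) so the resolver never
    reads a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(status, fh)
    os.replace(tmp, path)


def read_status(path: str) -> Dict:
    """Resolver side: a single small file read, no network I/O."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}


def choose_address(status: Dict, now: float, max_age: float = MAX_AGE) -> str:
    """Return A's address if it is known to be up, else B's.

    A missing or stale map counts as 'unknown' and falls back to the
    primary, so a dead monitor does not silently fail everything over;
    if both are reported down we still answer with the primary."""
    if now - status.get("checked", 0) > max_age:
        return SERVERS["webserver-a"]
    up = status.get("up", {})
    if up.get("webserver-a"):
        return SERVERS["webserver-a"]
    if up.get("webserver-b"):
        return SERVERS["webserver-b"]
    return SERVERS["webserver-a"]


if __name__ == "__main__":
    # Monitor loop (run as its own process, e.g. from cron or a service):
    write_status(STATUS_FILE, collect_status(probe_tcp, time.time()))
    # Lookup path (what the Lua script would do per query):
    print(choose_address(read_status(STATUS_FILE), time.time()))
```

The freshness check is the part worth copying: without it, a monitor that has crashed leaves a stale "down" verdict in place and the resolver keeps steering clients to the backup indefinitely.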
Re: [Pdns-users] DNSSEC query for net ds does not return RRSIG causing trust anchor failures in unbound
Have you tried the latest release 3.4.1? It does have some bug fixes.

Regards,
Ken

On Wed, Dec 03, 2014 at 11:49:33AM -0500, Craig Despeaux wrote:
> ...
>
> I'm at my wit's end as to how to resolve this problem. Any suggestions as
> to things I can look at? Like I said, it works flawlessly with named from
> Bind 9.10.
>
> Thanks,
> Craig
Re: [Pdns-users] pdns-recursor works but pdns discards responses
On Tue, Jan 27, 2015 at 11:22:28AM +0100, sth...@nethelp.no wrote:
> > I have pdns-recursor and pdns on the same host and port but on
> > different IPs. When I query pdns and it can not answer, so it passes
> > the query on to pdns-recursor, which then responds with the answer but then
> > pdns discards the packets. What did I do wrong? I have tried this with the
> > firewall both on and off and the result is the same. Below is a snippet of
> > the log file with the error, followed by my configuration for the recursor
> > and pdns itself. The host is a PowerPC computer running ubuntu 14.04 LTS.
>
> Can't speak for pdns. However, we have pdns_recursor and BIND running
> on the same host (same port 53, different IPs), with pdns_recursor
> forwarding some queries to BIND. Works without problems for us.
>
> Steinar Haug, AS 2116
>

Hi,

We start with pdns_recursor and then forward some to pdns. We had your setup with pdns_recursor behind pdns and had some issues with pdns >= 3. According to the developers that is not really supported. I do not know if what is happening to you is similar.

Regards,
Ken
Re: [Pdns-users] Update from 2.9.21 to 3.3.1-1 - Color me confused
Hi Steven,

Review the schema and if the tables do not exist create them as specified. The ALTERs should be run against existing tables.

Regards,
Ken

On Tue, Feb 17, 2015 at 03:59:46PM -0600, Steven Spencer wrote:
> List,
>
> I need to preface this that we are not using DNSSEC.
>
> In doing the schema changes, I've run into problems, or what appear
> to be problems:
>
> Schema changes required (according to the upgrade notes) for 2.9.x to 3.1:
>
> mysql> ALTER TABLE records MODIFY content VARCHAR(64000);
> mysql> ALTER TABLE tsigkeys MODIFY algorithm VARCHAR(50);
>
> The first one (above) works as expected, second one gives this error:
>
> ERROR 1146 (42S02): Table 'powerdns.tsigkeys' doesn't exist
...
Re: [Pdns-users] Update from 2.9.21 to 3.3.1-1 - Color me confused
On Wed, Feb 18, 2015 at 08:40:47AM -0600, Steven Spencer wrote:
> That makes perfect sense, but since I do not have DNSSEC enabled,
> none of the tables or columns specific to that are in the schema.
> The very first set from my original email shows the ALTER TABLE
> tsigkeys line, and that table and none of the columns associated
> with it, are in the database at all. In my searching the upgrade
> notes, there is no mention of what /should/ be in that table. So,
> what I'm trying to do is make sure I have a working DNS server after
> the upgrade. If the table 'tsigkeys' is required, then I need to
> know how to create that and what columns/fields it should contain.
>
> Thanks,
> Steve

Hi Steve,

The documentation has all of the schema definitions. There are also schema definitions in the source code tar file.

Regards,
Ken
Re: [Pdns-users] When was ordername column added to records table?
On Thu, Feb 19, 2015 at 03:34:06PM -0600, Nick Williams wrote:
> I'm a bit curious because, looking through the code history, I can't find any
> evidence of it.
>
> The schema for PDNS 3.0 shows no "ordername" column or "orderindex" index on
> the records table:
>
> https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/no-dnssec.schema.pgsql.sql
>
> And the upgrade instructions for 3.0 -> 3.1 don't include an alter statement
> for adding the "ordername" column or "orderindex" index:
>
> https://doc.powerdns.com/md/authoritative/upgrading/#30-to-31
>
> But the upgrade instructions for 3.1 -> 3.2 include an alter statement for
> _modifying_ the "ordername" column and _dropping_ the "orderindex" index that
> were never added:
>
> https://doc.powerdns.com/md/authoritative/upgrading/#31-to-32
>
> This doesn't compute.
>
> Can someone provide me some perspective on this?
>
> Thanks,
>
> Nick

Hi Nick,

Please check the release documentation for the new release for the schema definitions used and add any missing tables. The ALTER TABLE will only apply to previously existing tables, not create the needed new ones.

Regards,
Ken
Re: [Pdns-users] recursing for records which are missing from authoritative zones
On Tue, Apr 28, 2015 at 06:22:02PM +0300, Kiki wrote:
> Hi all,
>
> I want to setup a NS to "shadow" a zone on an internal LAN. Basically to
> add private records for the machines on the LAN to an otherwise public zone.
>
> According to https://doc.powerdns.com/md/authoritative/recursion/ even if
> the NS thinks it's authoritative for a domain it should still consult the
> recursor for a recursive query if the record is not found in the database.
>
> I have set both an "allow-recursion" and "recursor" option and it works for
> queries which are not considered authoritative like google.com, but I
> get NXDOMAIN for queries for the "shadowed" zone which are not in the local
> database
>
> It seems like "lazy-recursion" was the option which would do that but it's
> been removed. The docs also mention "allow-recursion-override" which is
> also not available anymore
>
> What am I missing? Should I downgrade to an earlier version?
>
> PowerDNS version: 3.4.3 w/ gmysql backend
> OS: CentOS 7
>
> Thanks,

Hi,

The authoritative server is considered authoritative and if an entry is not present, an NXDOMAIN will be returned. The recursion described in the manual only applies to items that DO EXIST in the authoritative system. I suspect that you need to be using the pdns-recursor at the front with some Lua scripting to handle the local private addresses.

Regards,
Ken
Re: [Pdns-users] recursing for records which are missing from authoritative zones
On Wed, Apr 29, 2015 at 11:26:41AM +0300, Kiki wrote:
> Thanks for the info. I'm still confused about the meaning of "for questions
> for which there is no answer", in the following paragraph:
>
> This means that for questions for which there is no answer, PowerDNS will
> consult the recursor for a recursive query, even if PowerDNS is
> authoritative for a domain!
>
> I thought "an answer" means a record in the PowerDNS database
>

Hi,

But the authoritative server IS authoritative for that zone. What that means is that if a record does not exist in the zone DB or backend, an NXDOMAIN will be returned. It will never recurse because it KNOWS that the item does not exist. That is what authoritative means. You may want to try querying the recursor first and have it return any needed private records using Lua and then get the rest from your authoritative server.

Regards,
Ken
Re: [Pdns-users] recursing for records which are missing from authoritative zones
On Wed, Apr 29, 2015 at 03:33:50PM +0200, Peter Thomassen wrote:
> Hi Ken,
>
> So, what would be an example of a situation where "PowerDNS will
> consult the recursor for a recursive query, even if PowerDNS is
> authoritative for a domain"?
>
> Apparently such cases exist, otherwise this sentence would not be in
> the documentation.
> https://doc.powerdns.com/md/authoritative/recursion/
>
> Best,
> Peter
>

Hi Peter,

A simple case would be a CNAME to an out-of-zone location. In that case it would use the recursor to find the IP address. NS record to an out-of-zone nameserver is another.

Regards,
Ken
Re: [Pdns-users] recursing for records which are missing from authoritative zones
On Wed, Apr 29, 2015 at 05:19:22PM +0200, Peter van Dijk wrote:
> Hello,
>
> On 29 Apr 2015, at 15:40, k...@rice.edu wrote:
>
> >>Apparently such cases exist, otherwise this sentence would not be in
> >>the documentation.
> >>https://doc.powerdns.com/md/authoritative/recursion/
>
> Such cases do not exist; the documentation is incorrect/outdated.
> Please file a ticket!
>
> >A simple case would be a CNAME to an out-of-zone location. In that
> >case it would use the recursor to find the IP address. NS record to an
> >out-of-zone nameserver is another.
>
> No - neither of those situations work as desired. In both cases the
> client will receive an incomplete answer (i.e. the CNAME, or the NS
> delegation).
>
> Kind regards,
> --
> Peter van Dijk
> PowerDNS.COM BV - https://www.powerdns.com/
>

Thank you for the correction.

Regards,
Ken
Re: [Pdns-users] Don't return dereferenced CNAMEs
On Mon, Jun 08, 2015 at 02:51:13PM -0700, Mark Moseley wrote:
> I'm curious if there's a setting to tell powerdns not to be helpful and
> return the dereferenced CNAME.
>
> That is, if I look up a given record and it's a CNAME that then points to
> an A record, don't try to then *also* return a lookup of the A record along
> with the CNAME.
>
> The reasons for why it'd happen in our setup are annoying and I don't want
> to go into it :)
>
> I've tried setting out-of-zone-additional-processing to 'no' but that
> doesn't seem to change anything.
>
> It doesn't break anything (and presumably a resolver that paid attention
> to these records would be subject to cache poisoning). But it's kind of
> weird and could be confusing to people looking at manual lookups.

Hi Mark,

I think you will find that a lot of software will work quite poorly if you do this. If you are performing a manual lookup, just ask for the CNAME type in the lookup and that is what you will get.

Regards,
Ken
Re: [Pdns-users] PDNS - Active Directory DDNS
On Thu, Oct 01, 2015 at 08:40:03AM -0400, Larry Smith wrote:
> I should also note...All static entries other than AD related (SRV) work
> and all DHCP (ISC-DHCP) DDNS related entries are created and work; other
> than AD DDNS related entries which should be created automatically within
> each zone.
>
> Zones pre-created are below.
> example.org
> _msdcs.example.org
> _sites.example.org
> _tcp.example.org
> _udp.example.org
>
> The following are set in pdns.conf
>
> allow-dnsupdate-from=0.0.0.0/0
>
> experimental-dnsupdate=yes
>

Hi Larry,

AD DDNS uses GSS-TSIG. Make sure that your Kerberos environment is correct and that your system times are synced. Otherwise the authentication will fail.

Regards,
Ken
Re: [Pdns-users] Problems with PowerDNS
On Wed, Nov 11, 2015 at 04:15:18PM +0400, Nadir M. Aliyev wrote:
> Dear All Thanks for your reply!
>
> I understand keeping authoritative and recursive services separated is
> strongly recommended. Ok.
>
> I understand that I must set for my customers (approx. 200k) powerdns
> recursive service as DNS?
>
> If yes in this case I must change my authoritative servers' IPs and it's not
> a good idea for my hosting customers.
> Also I can't limit recursion on separated pdns recursive service for external
> ips via allow-recursion.
>
> Currently I'm using Bind but managing a lot of bind servers is not
> comfortable. So I chose powerdns + mysql replication + heartbeat.
>
> Any ideas or am I wrong? :-)
>
> Thanks
> Nadir
>

Hi Nadir,

For historical reasons, we had our recursive DNS and authoritative DNS on the same host/IP. We used iptables to pass local IP-space connections to the pdns-recursor and external IPs directly to the pdns authoritative server. We even run a second pdns instance to support split horizon DNS. Here is a snippet from the iptables that does the work (iptables-restore format):

    ##
    # Allow local hosts to access the recursive name server on port 53.
    # Pass non-local hosts to authoritative name server on port 553.
    ##
    *nat
    :DNS-ROUTE - [0:0]
    ## We will only affect in-coming traffic to port 53:
    -A PREROUTING -p udp --dport 53 -j DNS-ROUTE
    -A PREROUTING -p tcp --dport 53 -j DNS-ROUTE
    ## Let local hosts access the recursor (on port 53):
    ## Add similar lines for any local address spaces
    -A DNS-ROUTE -s 10.0.0.0/8 -j ACCEPT
    -A DNS-ROUTE -s 192.168.0.0/16 -j ACCEPT
    -A DNS-ROUTE -s 172.16.0.0/16 -j ACCEPT
    ## Divert all others to the authoritative server on port 553:
    ## (DNAT with a port only keeps the packet's original destination address)
    -A DNS-ROUTE -p udp -m udp -j DNAT --to-destination :553
    -A DNS-ROUTE -p tcp -m tcp -j DNAT --to-destination :553
    ## COMMIT closes the *nat table so iptables-restore applies it
    COMMIT

This is for a Linux system, but it should be similar for others as well.

Regards,
Ken
Re: [Pdns-users] ddns performance of pdns
On Thu, Feb 25, 2016 at 12:01:19PM +0100, Thomas Mieslinger wrote:
> Hi,
>
> today I wanted to migrate my ddns master from bind to pdns. 3 DHCP
> Servers sent about 50 updates per second to the pdns 3.4.8 and
> only one or two updates per second could be successfully committed to
> the database.
>
> All failed transactions rolled back after trying to edit the SOA record.
>
> I'm using 5.1.73-log MySQL Community Server.
>
> I'm using REPEATABLE-READ transaction-isolation and
>
> distributor-threads=2
> receiver-threads=10
>
> as pdns performance settings.
>
> I tried to disable SOA-EDITs with domainmetadata
>
> SOA-EDIT-DNSUPDATE | SOA-EDIT
> SOA-EDIT | NONE
>
> but that didn't change anything.
>
> What DDNS performance do you get from your pdns instances with which
> settings?
>
> Thanks Thomas

Hi Thomas,

You will need to investigate your DB performance. Turn on query logging and slow query logging. Also check system I/O stats to see if you have a bottleneck there. We are just getting started on adding a DDNS component to our network so I do not have any firsthand experience with it and the queries it uses. Good luck in your hunt for the bottleneck.

Regards,
Ken
Re: [Pdns-users] Powerdns Problem with Delegation to Isilon.
On Wed, Mar 23, 2016 at 05:44:56AM -0700, syaginf wrote:
> Greetings.
> We are in the process of migrating from Bind to Powerdns on one of our
> compute clusters.
> Issue we are having is related to DNS Delegation for Isilon (Related to
> Isilon Smart Connect feature.)
>
> Server is Master for .hpc
> we need to delegate for isilon.hpc
>
> In order to achieve that we have
>
> isilon.hpc -> NS isilon-dns.hpc
> isilon-dns.hpc -> A record with Ip address.
>
> This works like a Charm in Bind on one of the old servers and doesn't work
> in PowerDNS.
>
> Any suggestion on what we might be missing and what might have to be
> enabled, or troubleshooting steps would be appreciated.
>

Hi,

The results of the dig command against the old server include the A record for isilon.hpc. This must come from your isilon-dns.hpc server so your bind must be performing recursion to present that value back. The PDNS server is only an authoritative server. For recursion, we use pdns-recursor here and use the forward-zone feature to route Isilon lookups to the correct server.

> This is result of DIG command on the old server.
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @127.0.0.1 isilon.hpc
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45472
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;isilon.hpc.			IN	A
>
> ;; ANSWER SECTION:
> isilon.hpc.		0	IN	A	192.168.3.121
>
> ;; AUTHORITY SECTION:
> isilon.hpc.		259200	IN	NS	isilon-dns.hpc.
>
> ;; ADDITIONAL SECTION:
> isilon-dns.hpc.		259200	IN	A	192.168.3.0
>
> ;; Query time: 1 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Mar 23 09:38:53 2016
> ;; MSG SIZE  rcvd: 85
>

These results are correct for an authoritative server w/o recursion. Bind has both functions integrated into the same product:

> Here are result for the PowerDNS server
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> @127.0.0.1 isilon.hpc
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18138
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1680
> ;; QUESTION SECTION:
> ;isilon.hpc.			IN	A
>
> ;; AUTHORITY SECTION:
> isilon.hpc.		259200	IN	NS	isilon-dns.hpc.
>
> ;; ADDITIONAL SECTION:
> isilon-dns.hpc.		259200	IN	A	192.168.3.0
>
> ;; Query time: 4 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Mar 22 20:51:20 EDT 2016
> ;; MSG SIZE  rcvd: 80
>

Good luck.

Regards,
Ken
Re: [Pdns-users] Powerdns Problem with Delegation to Isilon.
On Wed, Mar 23, 2016 at 06:12:53AM -0700, syaginf wrote:
> I have pdns-recursor configured.
> It works for outside addresses, but I can't seem to make it respond for
> this type of requests.
>
> Indeed what happens on bind side is isilon would return one of the addresses
> from dynamic pool.
> So if I keep repeating requests I will keep getting different addresses most
> of the time.
>
> So far I wasn't able to replicate this kind of behavior using PDNS with
> PDNS-Recursor.
>
> What would be the config changes?
> Do I have to keep the 2 records I have and add something like
> forward-zones in recursor?
> What would be the record.

This one. You want lookups for this domain to be handled by your Isilon DNS service.

> forward-zones=isilon.hpc=192.168.3.0?

Not this. The zone to forward is the one that will be served.

> or
> forward-zones=isilon-dns.hpc=192.168.3.0?
>
> PDNS is master for .hpc so what would make it go and use recursor for
> records in hpc domain?
>

Regards,
Ken
Re: [Pdns-users] Powerdns Problem with Delegation to Isilon.
On Wed, Mar 23, 2016 at 06:30:47AM -0700, syaginf wrote:
> This is the part I don't understand I guess.
> what would be the forward zone that I am serving?
> if it's not isilon.hpc and not isilon-dns.hpc? What exactly am I serving and
> how do I put it in?
> forward-zone=???=???
>
> Because what is happening is nfs would query isilon.hpc and it needs to
> resolve that to ip address of some sort to perform nfs mount.
>

You need to put the zone for lookups: isilon.hpc and the IP address of its name server:

    forward-zone=isilon.hpc=a.b.c.d

and restart/reload pdns-recursor.

Regards,
Ken
Re: [Pdns-users] Powerdns Problem with Delegation to Isilon.
On Wed, Mar 23, 2016 at 07:50:37AM -0700, syaginf wrote:
> I have tried following options at this point
> forward-zones=isilon.hpc=192.168.3.0
> forward-zones=+isilon.hpc=192.168.3.0
> forward-zones-recurse=192.168.3.0
>
> None of them provide me with result that I need.
> I still don't get A record answer.
>

Hi,

It works for us but we are using a real domain/subdomain and not a made up one. If you turn on the trace option for the pdns-recursor, I suspect that you never get to the right place because the hpc domain does not exist. Try making the domain a subdomain of your domain, or alternatively, there is an option for pdns-recursor to serve some zones authoritatively from a bind-style config file. Maybe that could be used to enable your made up domainname to work.

Regards,
Ken
Re: [Pdns-users] Powerdns Problem with Delegation to Isilon.
On Wed, Mar 23, 2016 at 08:03:04AM -0700, syaginf wrote:
> What is interesting with
> forward-zones=isilon.hpc=192.168.3.0 set
> if I do dig and point to recursor dns and port - I get the A record I need.
> But when I ask PDNS server I don't get A record.
> So it seems like I need to do something that would make PDNS ask recursor
> about this and it's not happening right now.
>

Hi,

You cannot get this answer from the authoritative server. You must use a recursive DNS server for that. You should be talking to a DNS recursor for client DNS lookups and not the authoritative-only PDNS server. The recursor will take care of asking the auth server for what it needs. We used iptables+nat to have the campus hit the pdns-recursor and off-campus, who should not get recursion, hit the PDNS auth server.

Regards,
Ken
Re: [Pdns-users] Small site backend recommendations
On Thu, May 12, 2011 at 03:37:24AM -0400, Charles Sprickman wrote:
> Hello,
>
> We've been using the PDNS recursor for some time now and have been quite
> happy with it. It replaced dnscache and has proven to perform much better.
>
> We're now looking at moving away from tinydns, mainly to get IPv6
> support without patching and to get started with DNSSEC. I don't see us
> with more than a few thousand zones anytime soon, and we aren't looking
> at anything above 1000 qps (across three servers) anytime soon.
>
> I'm not sure I completely understand the PowerDNS philosophy quite yet,
> but it looks like BCP is to run a db server on each name server
> (postgres or mysql). This feels a little too heavyweight for us. What
> might be some interesting options? Would something like one master with
> a "real" db backend (in our case PostgreSQL) and then two slaves running
> SQLite work well? Is there anything "lighter" than SQLite that we could
> stick on the slaves? Is the SQLite backend well-supported?
>
> Any pointers greatly appreciated. We are committed to a database-backed
> DNS server (we currently have a script that dumps db data to a tinydns
> data file), and there do not seem to be that many actively-developed
> options out there...
>
> Thanks,
>
> Charles

Hi Charles,

The advantage to having a db for each server is redundancy. A single server can easily serve 10X your expected load on a single box. In addition, using db replication to move the updates around provides for a much more real-time process across all of your systems.

Cheers,
Ken
Re: [Pdns-users] DNS resolution problem with pdns-recursor-3.3
On Thu, Apr 21, 2011 at 10:52:42PM +0200, bert hubert wrote:
> On Thu, Apr 21, 2011 at 03:33:31PM -0500, Kenneth Marshall wrote:
> > I am sorry, but I think this has been a wild goose chase regarding a
> > bug in the recursor. The existing 3.3 version works just fine with
> > resolving cdn4.digitalconcerthall.com from a system outside our
> > network. I am going to start looking into a firewall or networking
> > problem. Thank you for your assistance and I will let you know what
> > I find and hopefully it will help someone else.
>
> Thanks Kenneth - based on your traces, I thought this might be the case.
>
> It starts with a clara.net server giving a truncated response, truncated in
> mid-packet. This might upset a firewall somewhere.
>
> Such truncation is often caused by.. powerdns authoritative server by the
> way..
>
> Bert
>

Hi Bert,

Just to close the loop on this problem. The cause was the DNS ALG (application layer gateway) in our Juniper firewall product. Apparently, if it is not explicitly disabled in the configuration, it is enabled by default and it is not obvious that it is enabled. We turned that off and the DNS lookup problem ceased. Thank you again for a wonderful product and your time looking into this problem.

Regards,
Ken
Re: [Pdns-users] positive cache-ttl on recursor
On Sat, Jun 11, 2011 at 07:08:54PM +0200, Marten Lehmann wrote: > Hi, > > I'm about to migrate from BIND named caching daemon to > pdns-recursor, but I cannot find an equivalent for BIND's > max-cache-ttl option. > > While max-negative-ttl in pdns is the same as max-ncache-ttl in > BIND, I cannot find an analog parameter for max-cache-ttl. > Parameters that I found in different search results (i.e. cache-ttl > or packet-cache-ttl) seem to relate to the authoritative pdns only. > > pdns-recursor is only used locally on several servers and as dns > entries for our internal stuff and customer configurations might > change more often than IPs of google.com, we want a positive cache > ttl of 900, no matter what the authoritative dns told. How can we do > this? > > Kind regards > Marten According to the docs, the latest version of pdns-recursor also has a max-cache-ttl parameter along with the max-negative-ttl. http://doc.powerdns.com/built-in-recursor.html#recursor-settings Cheers, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Is DNAME supported (or going to be)?
On Thu, Sep 29, 2011 at 07:38:49PM +0100, AJ McKee wrote: > +1 for DNAME support but I like the pipe backend idea. Still would be > cute to have it built into pdns. I am seeing a lot of scenarios where > this may be useful now. > > AJ I do not know how useful DNAME support is given the dearth of requests for it. A lua or pipe backend implementation does not seem terribly difficult. Maybe someone interested in DNAME support would write one and contribute the code for all to use. Regards, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
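Ken suggests a Lua or pipe backend for DNAME. What follows is an added example of such a pipe backend, written for this page; it is not code from the thread or from PowerDNS. It speaks pipe backend ABI version 1 (HELO and Q lines on stdin, DATA and END lines on stdout), serves the DNAME record at its owner and synthesizes a CNAME for every name below it, which is what RFC 6672 asks an authoritative server to do. The zone name, its SOA and the DNAME table are assumptions.

```python
#!/usr/bin/env python3
"""Added example: a PowerDNS pipe backend (ABI version 1) that serves DNAME
records and synthesizes the matching CNAMEs. Zone data below is assumed."""
import sys

# Assumed zone data: one zone with one DNAME. Names are kept the way a
# PowerDNS backend wants them: lower case, no trailing dot.
ZONE = "example.com"
SOA = "ns1.example.com hostmaster.example.com 2011092901 7200 900 1209600 300"
DNAMES = {"old.example.com": "new.example.net"}  # owner -> target
TTL = 300


def norm(name):
    """Canonical form for comparisons: lower case, no trailing dot."""
    return name.strip().rstrip(".").lower()


def lookup(qname, qtype):
    """Answer one question. Returns a list of (owner, type, content) tuples."""
    qname, qtype = norm(qname), qtype.upper()
    rrs = []
    if qname == ZONE and qtype in ("SOA", "ANY"):
        rrs.append((qname, "SOA", SOA))
    if qname in DNAMES and qtype in ("DNAME", "ANY"):
        rrs.append((qname, "DNAME", DNAMES[qname]))
    for owner, target in DNAMES.items():
        # RFC 6672: the DNAME owner itself is not redirected, only names
        # strictly below it; the left-hand prefix is moved onto the target.
        if qname.endswith("." + owner):
            prefix = qname[: -(len(owner) + 1)]
            rrs.append((qname, "CNAME", prefix + "." + target))
    return rrs


def handle_line(line):
    """Map one line of the pipe protocol to the lines PowerDNS expects back."""
    fields = line.rstrip("\n").split("\t")
    if fields[0] == "HELO":
        # ABI 1 and 2 both send at least the six Q fields used below.
        return ["OK\tdname pipe backend"] if fields[1:2] in (["1"], ["2"]) else ["FAIL"]
    if fields[0] == "Q" and len(fields) >= 6:
        qname, qclass, qtype, zone_id = fields[1:5]
        # zone_id is -1 when PowerDNS does not know the domain; echo it back.
        return ["DATA\t%s\t%s\t%s\t%d\t%s\t%s" % (owner, qclass, rtype, TTL, zone_id, content)
                for owner, rtype, content in lookup(qname, qtype)] + ["END"]
    if fields[0] == "AXFR":
        return ["END"]  # this backend offers no zone dump
    return ["FAIL"]


def main():
    # PowerDNS starts one copy per thread and talks over stdin/stdout; every
    # answer must be flushed or the server blocks waiting for END.
    for line in sys.stdin:
        sys.stdout.write("\n".join(handle_line(line)) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

To try it, point pdns.conf at the script (launch=pipe, pipe-command=/path/to/this script) next to the backend that holds the rest of the zone. The query names arrive straight from the network, so a pipe backend should, as here, only string-match them and never hand them to a shell; the process runs with whatever privileges the pdns_server process has.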
[Pdns-users] Problem compiling PDNS 3.0 on RHEL 6.1
Hi PDNS user community. I am having a problem compiling PDNS 3.0 on RHEL 6. It cannot locate some system libraries and I was wondering about the best way to correct the problem. It looks like libssl.so.1.0.0 is located in /usr/lib64: $ ls -l /usr/lib64/libssl.* lrwxrwxrwx. 1 root root 15 Jun 16 03:48 /usr/lib64/libssl.so.10 -> libssl.so.1.0.0 -rwxr-xr-x. 1 root root 373008 Jun 8 10:43 /usr/lib64/libssl.so.1.0.0 And here is the configure and make log: pdns-3.0]$ ./configure --with-modules="gpgsql" --with-pgsql=/usr/pgsql-9.1 --with-pgsql-includes=/usr/pgsql-9.1/include --with-gnu-ld checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... /bin/mkdir -p checking for gawk... gawk checking whether make sets $(MAKE)... yes checking build system type... x86_64-unknown-linux-gnu checking host system type... x86_64-unknown-linux-gnu checking for style of include used by make... GNU checking for gcc... gcc checking whether the C compiler works... yes checking for C compiler default output file name... a.out checking for suffix of executables... checking whether we are cross compiling... no checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking dependency style of gcc... gcc3 checking how to run the C preprocessor... gcc -E checking for grep that handles long lines and -e... /bin/grep checking for egrep... /bin/grep -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking whether byte ordering is bigendian... no checking for gcc... 
(cached) gcc checking whether we are using the GNU C compiler... (cached) yes checking whether gcc accepts -g... (cached) yes checking for gcc option to accept ISO C89... (cached) none needed checking dependency style of gcc... (cached) gcc3 checking for g++... g++ checking whether we are using the GNU C++ compiler... yes checking whether g++ accepts -g... yes checking dependency style of g++... gcc3 checking for bison... bison -y checking for flex... flex checking lex output file root... lex.yy checking lex library... -lfl checking whether yytext is a pointer... yes checking whether make sets $(MAKE)... (cached) yes checking for a sed that does not truncate output... /bin/sed checking for fgrep... /bin/grep -F checking for ld used by gcc... /usr/bin/ld checking if the linker (/usr/bin/ld) is GNU ld... yes checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B checking the name lister (/usr/bin/nm -B) interface... BSD nm checking whether ln -s works... yes checking the maximum length of command line arguments... 1966080 checking whether the shell understands some XSI constructs... yes checking whether the shell understands "+="... yes checking for /usr/bin/ld option to reload object files... -r checking for objdump... objdump checking how to recognize dependent libraries... pass_all checking for ar... ar checking for strip... strip checking for ranlib... ranlib checking command to parse /usr/bin/nm -B output from gcc object... ok checking for dlfcn.h... yes checking whether we are using the GNU C++ compiler... (cached) yes checking whether g++ accepts -g... (cached) yes checking dependency style of g++... (cached) gcc3 checking how to run the C++ preprocessor... g++ -E checking for objdir... .libs checking if gcc supports -fno-rtti -fno-exceptions... no checking for gcc option to produce PIC... -fPIC -DPIC checking if gcc PIC flag -fPIC -DPIC works... yes checking if gcc static flag -static works... no checking if gcc supports -c -o file.o... 
yes checking if gcc supports -c -o file.o... (cached) yes checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes checking whether -lc should be explicitly linked in... no checking dynamic linker characteristics... GNU/Linux ld.so checking how to hardcode library paths into programs... immediate checking whether stripping libraries is possible... yes checking if libtool supports shared libraries... yes checking whether to build shared libraries... yes checking whether to build static libraries... yes checking for ld used by g++... /usr/bin/ld -m elf_x86_64 checking if the linker (/usr/bin/ld -m elf_x86_64) is GNU ld... yes checking whether the g++ linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes checking for g++ option to produce PIC... -fPIC -DPIC checking if g++ PIC flag -fPIC -DPIC works... yes checking if g++ static flag -static works... no checking if g++ supports -c -o file.o... yes checking if g++ supports -c -o file.o... (cached) yes checking whether the g++ linker
Re: [Pdns-users] Problem compiling PDNS 3.0 on RHEL 6.1
On Tue, Oct 18, 2011 at 09:17:08AM +0100, Ian Mordey wrote: > Any reason for not using the precompiled RPMs here: > http://www.monshouwer.eu/download/3th_party/pdns-server/el6/ > > They've always been rock solid for me. > > Cheers > Hi Ian, Yes, I would love to, except I need to re-apply a patch that improves the performance of zone transfers by changing the default queries to use a TEMPORARY table in PostgreSQL. The default of deleting every entry in a domain and then re-adding them back from the transfer really churns both the table and our log table that we use to record DNS changes. This would not be an issue if IXFR were supported. I will be re-posting the patch again against 3.0 as I did for 2.9.22 and 2.9.21 in the hope that it might be added to the codebase going forward. The performance boost should be even nicer with the PostgreSQL 9.1 UNLOGGED tables. Regards, Ken > -Original Message- > From: pdns-users-boun...@mailman.powerdns.com > [mailto:pdns-users-boun...@mailman.powerdns.com] On Behalf Of k...@rice.edu > Sent: 17 October 2011 22:00 > To: pdns-users@mailman.powerdns.com > Subject: [Pdns-users] Problem compiling PDNS 3.0 on RHEL 6.1 > > Hi PDNS user community. > > I am having a problem compiling PDNS 3.0 on RHEL 6. It cannot locate some > system libraries and I was wondering about the best way to correct the > problem. It looks like libssl.so.1.0.0 is located in /usr/lib64: > > $ ls -l /usr/lib64/libssl.* > lrwxrwxrwx. 1 root root 15 Jun 16 03:48 /usr/lib64/libssl.so.10 -> > libssl.so.1.0.0 > -rwxr-xr-x. 1 root root 373008 Jun 8 10:43 /usr/lib64/libssl.so.1.0.0 > > And here is the configure and make log: > > pdns-3.0]$ ./configure --with-modules="gpgsql" --with-pgsql=/usr/pgsql-9.1 > --with-pgsql-includes=/usr/pgsql-9.1/include --with-gnu-ld checking for a > BSD-compatible install... /usr/bin/install -c checking whether build > environment is sane... yes checking for a thread-safe mkdir -p... /bin/mkdir > -p checking for gawk... 
Re: [Pdns-users] NS answer inconsistency between implementations for delegated zone
On Fri, Mar 16, 2012 at 02:31:34PM +0100, Remi Gacogne wrote: > > Hi, > > I noticed a difference in the behavior of bind, powerdns (using bind > or MySQL backend) and nsd regarding the answer to an NS query > for a delegated zone. Powerdns is responding to the query by putting > corresponding NS RRs into the ANSWER section, > whereas bind and nsd are putting them into the AUTHORITY section. > > I am not sure what the correct answer is, as I haven't found a clear > specification on this case yet. > > RFC 1034 states that (3.7 Queries): > > "Answer Carries RRs which directly answer the query. > > Authority Carries RRs which describe other authoritative servers. > May optionally carry the SOA RR for the authoritative > data in the answer section." > > But in this case, one could argue that NS RRs directly answer the > query AND describe other authoritative servers, if I'm not mistaken. > > Powerdns response: > > $ drill ns info.example.com > ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 57206 > ;; flags: qr rd ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 > ;; QUESTION SECTION: > ;; info.example.com.IN NS > > ;; ANSWER SECTION: > info.example.com. 7200IN NS ns1.other.net. > info.example.com. 7200IN NS ns2.other.net. > > ;; AUTHORITY SECTION: > > ;; ADDITIONAL SECTION: > > ;; Query time: 0 msec > ;; SERVER: 127.0.0.1 > ;; WHEN: Fri Mar 16 14:04:32 2012 > ;; MSG SIZE rcvd: 79 > > Bind and NSD response: > > $ drill ns info.example.com > ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 41836 > ;; flags: qr rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0 > ;; QUESTION SECTION: > ;; info.example.com.IN NS > > ;; ANSWER SECTION: > > ;; AUTHORITY SECTION: > info.example.com. 7200IN NS ns1.other.net. > info.example.com. 7200IN NS ns2.other.net. 
> > ;; ADDITIONAL SECTION: > > ;; Query time: 47 msec > ;; SERVER: 217.0.0.1 > ;; WHEN: Fri Mar 16 14:12:26 2012 > ;; MSG SIZE rcvd: 79 > > > Entire zone configuration: > > $TTL 2d ; default TTL is 2 days > $ORIGIN example.com. > @ IN SOA ns1.isp.net. hostmaster.example.com. ( > 2003080800 ; serial number > 2h ; refresh = 2 hours > 15M ; update retry = 15 minutes > 3W12h ; expiry = 3 weeks + 12 hours > 2h20M ; minimum = 2 hours + 20 minutes > ) > > > info.example.com. 7200 IN NS ns1.other.net. > info.example.com. 7200 IN NS ns2.other.net. > example.com. 7200 IN NS ns0.isp.net. > example.com. 7200 IN NS ns1.isp.net. > > Regards, > > Rémi Gacogne > > The records returned are the RRs that actually answer the query, so having them in the answer section seems appropriate, although apparently returning them in the authority section works as well. The tie breaker for me is that a Microsoft AD server returns them in the same form as PDNS, but I suspect that it really does not matter much. Cheers, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
[Pdns-users] CNAME lookup failure PDNS 2.9.22/PDNS Recursor 3.3.1
Hi PDNS community, I am investigating a CNAME resolution problem using PDNS Recursor 3.3.1. Here is the lookup that fails: > nslookup blog.mythandsymbol.com Server: 127.0.0.1 Address: 127.0.0.1#53 ** server can't find blog.mythandsymbol.com: NXDOMAIN It is actually a CNAME: > nslookup -type=cname blog.mythandsymbol.com Server: 127.0.0.1 Address: 127.0.0.1#53 Non-authoritative answer: blog.mythandsymbol.com canonical name = domains.tumblr.com. And that name looks up as well: > nslookup domains.tumblr.com Server: 127.0.0.1 Address: 127.0.0.1#53 Non-authoritative answer: Name: domains.tumblr.com Address: 66.6.44.4 The problem is that the first lookup does not restart the DNS resolution process with the value that was returned from the original CNAME lookup. Is this a known bug, and if so, is there a fix? Here is what Google DNS returns: > nslookup blog.mythandsymbol.com 8.8.8.8 Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: blog.mythandsymbol.com canonical name = domains.tumblr.com. Name: domains.tumblr.com Address: 66.6.44.4 Thank you for any suggestions. Regards, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] IP address request
On Wed, Mar 21, 2012 at 01:55:06AM +0400, Mikhail Nasonov wrote: > Hello! > > Please tell, is it possible to determine the IP address source from which > request was initialized? PipeBackend have the option "remote-ip-address", but > it shows the IP address of the final request (usually this is the DNS server > of the user, not his personal address). > > Thank you in advance! > > -- > Mikhail Nasonov > Mobile: +7 (926) 609-00-66 > Skype: mnasonov No, it is not. As far as the DNS protocol goes, the IP address of the querying machine (usually the ISP DNS server) is all you can determine. Cheers, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] CNAME lookup failure PDNS 2.9.22/PDNS Recursor 3.3.1
Hi Peter, I guess I just do not understand. I added a similar CNAME record in our domain pointing to the same name domains.tumblr.com and here is what I get for the lookup: > dig +norec a wombat1.rice.edu @ns1.rice.edu ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> +norec a wombat1.rice.edu @ns1.rice.edu ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36391 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0 ;; QUESTION SECTION: ;wombat1.rice.edu. IN A ;; ANSWER SECTION: wombat1.rice.edu. 3600 IN CNAME domains.tumblr.com. ;; AUTHORITY SECTION: . 518400 IN NS a.root-servers.net. . 518400 IN NS b.root-servers.net. . 518400 IN NS c.root-servers.net. . 518400 IN NS d.root-servers.net. . 518400 IN NS e.root-servers.net. . 518400 IN NS f.root-servers.net. . 518400 IN NS g.root-servers.net. . 518400 IN NS h.root-servers.net. . 518400 IN NS i.root-servers.net. . 518400 IN NS j.root-servers.net. . 518400 IN NS k.root-servers.net. . 518400 IN NS l.root-servers.net. . 518400 IN NS m.root-servers.net. ;; Query time: 1 msec ;; SERVER: 128.42.209.32#53(128.42.209.32) ;; WHEN: Wed Mar 21 08:14:18 2012 ;; MSG SIZE rcvd: 277 Note, it still does not return the A record IP address. I thought that the DNS lookup is to restart using the new value returned from the CNAME record, but in this case, it does not. The other noise in the authority section was me trying with send-root-referrals=lean. It does not send NXDOMAIN in this case. If I instead remove the +norecurse option I get: > dig a wombat1.rice.edu @ns1.rice.edu ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> a wombat1.rice.edu @ns1.rice.edu ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 577 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;wombat1.rice.edu. IN A ;; AUTHORITY SECTION: rice.edu. 2699 IN SOA ns1.rice.edu. hostmaster.rice.edu. 
2012030284 10800 900 360 3600 ;; Query time: 1 msec ;; SERVER: 128.42.209.32#53(128.42.209.32) ;; WHEN: Wed Mar 21 08:22:46 2012 ;; MSG SIZE rcvd: 85 Which is still returning NXDOMAIN, even though the A record for domains.tumblr.com does exist: > dig a domains.tumblr.com @ns1.rice.edu ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> a domains.tumblr.com @ns1.rice.edu ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29239 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;domains.tumblr.com.IN A ;; ANSWER SECTION: domains.tumblr.com. 600 IN A 66.6.44.4 ;; Query time: 9 msec ;; SERVER: 128.42.209.32#53(128.42.209.32) ;; WHEN: Wed Mar 21 08:23:50 2012 ;; MSG SIZE rcvd: 52 Why doesn't the recursor restart with the CNAME results? Regards, Ken On Wed, Mar 21, 2012 at 11:22:17AM +0100, Peter van Dijk wrote: > Hello Ken, > > On Mar 20, 2012, at 19:10 , k...@rice.edu wrote: > > > I am investigating a CNAME resolution problem using > > PDNS Recursor 3.3.1. Here is the lookup that fails: > > > >> nslookup blog.mythandsymbol.com > > Server: 127.0.0.1 > > Address:127.0.0.1#53 > > > > ** server can't find blog.mythandsymbol.com: NXDOMAIN > > Recursor is returning NXDOMAIN because that's what ns1-3.dreamhost.com, the > auths for mythandsymbol.com, are returning: > > $ dig +norec a blog.mythandsymbol.com @ns1.dreamhost.com > ; <<>> DiG 9.7.0-P1 <<>> +norec a blog.mythandsymbol.com @ns1.dreamhost.com > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40440 > ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;blog.mythandsymbol.com.IN A > > ;; ANSWER SECTION: > blog.mythandsymbol.com. 14400 IN CNAME domains.tumblr.com. > > ;; AUTHORITY SECTION: > tumblr.com. 14400 IN SOA ns1.dreamhost.com. > hostmaster.dreamhost.com. 
2011092301 21293 1800 1814400 14400 > > ;; Query time: 168 msec > ;; SERVER: 66.33.206.206#53(66.33.206.206) > ;; WHEN: Wed Mar 21 11:20:51 2012 > ;; MSG SIZE rcvd
Re: [Pdns-users] CNAME lookup failure PDNS 2.9.22/PDNS Recursor 3.3.1
On Wed, Mar 21, 2012 at 02:27:19PM +0100, Peter van Dijk wrote: > Hello Ken, > > On Mar 21, 2012, at 14:24 , k...@rice.edu wrote: > > > I guess I just do not understand. I added a similar CNAME record > > in our domain pointing to the same name domains.tumblr.com and > > here is what I get for the lookup: > > > >> dig +norec a wombat1.rice.edu @ns1.rice.edu > > > > ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> +norec a wombat1.rice.edu > > @ns1.rice.edu > > ;; global options: printcmd > > ;; Got answer: > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36391 > > This one says NOERROR. That's okay. ns1-3.dreamhost.com say NXDOMAIN, which > the (old) recursor interprets as 'the name you asked for simply does not > exist'. Newer versions of the recursor have a workaround for this situation. > > Kind regards, > -- > Peter van Dijk > Netherlabs Computer Consulting BV - http://www.netherlabs.nl/ > Hi Peter, I see that it returns NOERROR, which is good. Now I do not understand why the recursor does not recurse and return the A record information after the CNAME lookup? Regards, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] CNAME lookup failure PDNS 2.9.22/PDNS Recursor 3.3.1
On Wed, Mar 21, 2012 at 02:31:41PM +0100, Peter van Dijk wrote: > Hello Ken, > > On Mar 21, 2012, at 14:29 , k...@rice.edu wrote: > > > I see that it returns NOERROR, which is good. Now I do not understand why > > the > > recursor does not recurse and return the A record information after the > > CNAME > > lookup? > > > Is your recursor behind your auth with a 'recursor=x.x.x.x' line in > pdns.conf? If so, please try asking the recursor directly, or try using a > recursor that is not behind an auth server for rice.edu. > > Kind regards, > -- > Peter van Dijk > Netherlabs Computer Consulting BV - http://www.netherlabs.nl/ > Hi Peter, Argh! Sorry about wasting your time. It was a caching artifact. I restarted the recursors and worked locally both through the auth server and directly to the recursor. I will follow-up with the dream* DNS. Thank you again. Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Empty CNAME will result "server can't find: NXDOMAIN"
On Sat, May 05, 2012 at 09:00:00AM +0200, Thomas Faddegon wrote: > Hi PDNS community, > > I want to implement empty CNAME records instead of empty A records in our DNS > environment. But when I implement the empty records my MX records won't > work anymore. > > Example: > > *nslookup > > set type=mx > > set debug > > online-engineers.nl > Server: 212.54.40.25 > Address: 212.54.40.25#53 > > > QUESTIONS: > online-engineers.nl, type = MX, class = IN > ANSWERS: > -> online-engineers.nl > mail exchanger = 20 mx2.global-e.nl. > ttl = 120 > -> online-engineers.nl > mail exchanger = 50 mx3.global-e.nl. > ttl = 120 > -> online-engineers.nl > mail exchanger = 20 mx1.global-e.nl. > ttl = 120 > AUTHORITY RECORDS: > ADDITIONAL RECORDS: > > Non-authoritative answer: > online-engineers.nl mail exchanger = 20 mx2.global-e.nl. > online-engineers.nl mail exchanger = 50 mx3.global-e.nl. > online-engineers.nl mail exchanger = 20 mx1.global-e.nl. > > Authoritative answers can be found from: > > * > > Then I add an empty CNAME: online-engineers.nl CNAME some.otherdomain.nl > > And I start a new nslookup: > * > > online-engineers.nl > Server: 212.54.40.25 > Address: 212.54.40.25#53 > > > QUESTIONS: > online-engineers.nl, type = MX, class = IN > ANSWERS: > -> online-engineers.nl > canonical name = some.otherdomain.nl. > ttl = 86400 > AUTHORITY RECORDS: > -> nl > origin = ns1.dns.nl > mail addr = hostmaster.domain-registry.nl > serial = 2012050309 > refresh = 7200 > retry = 900 > expire = 2419200 > minimum = 900 > ttl = 900 > ADDITIONAL RECORDS: > > ** server can't find online-engineers.nl: NXDOMAIN > Server: 212.54.40.25 > Address: 212.54.40.25#53 > > > QUESTIONS: > online-engineers.nl, type = MX, class = IN > ANSWERS: > -> online-engineers.nl > canonical name = some.otherdomain.nl. 
> ttl = 86400 > AUTHORITY RECORDS: > -> nl > origin = ns1.dns.nl > mail addr = hostmaster.domain-registry.nl > serial = 2012050309 > refresh = 7200 > retry = 900 > expire = 2419200 > minimum = 900 > ttl = 900 > ADDITIONAL RECORDS: > > ** server can't find online-engineers.nl: NXDOMAIN > > > > > > * > > And when I remove the empty CNAME everything works fine again: > * > > online-engineers.nl > Server: 212.54.40.25 > Address: 212.54.40.25#53 > > > QUESTIONS: > online-engineers.nl, type = MX, class = IN > ANSWERS: > -> online-engineers.nl > mail exchanger = 50 mx3.global-e.nl. > ttl = 120 > -> online-engineers.nl > mail exchanger = 20 mx1.global-e.nl. > ttl = 120 > -> online-engineers.nl > mail exchanger = 20 mx2.global-e.nl. > ttl = 120 > AUTHORITY RECORDS: > ADDITIONAL RECORDS: > > Non-authoritative answer: > online-engineers.nl mail exchanger = 50 mx3.global-e.nl. > online-engineers.nl mail exchanger = 20 mx1.global-e.nl. > online-engineers.nl mail exchanger = 20 mx2.global-e.nl. > > Authoritative answers can be found from: > * > > Is there a way to fix this? In the past I found an article (RFC, sorry I > can't find the source anymore) saying that officially empty CNAMEs aren't allowed > in DNS. But many companies work with empty CNAMEs, even google and > amazon. > > So I think there must be a way - or workaround - to fix this. > > I hope someone can give me a solution. > > Regards, > Thomas Hi Thomas, Based on the RFC, if you have a CNAME record, you cannot have ANY other record with that name. That is just the way it works. Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] pdns-recursor failing to answer for some domain
On Tue, May 15, 2012 at 11:01:30AM +0200, Yousri GRANIER wrote: > Hi, > > I have been encountering trouble with pdns-recursor with some domains. > > Here they are: > > doth.fr > tddatech.fr > > Both of them use the same NS/SOA. > > I am using this debian 6 release: > Linux ns-cache-1 2.6.32-5-amd64 #1 SMP Sun May 6 04:00:17 UTC 2012 > x86_64 GNU/Linux > > and this pdns-recursor version: > ii pdns-recursor 3.2-4 > PowerDNS recursor > > Which is the one we get with apt. > > > When I try to resolve anything from one of these domains, here is the answer: > > root@ns-cache-1:/etc/powerdns# dig +nocmd tddatech.fr ANY > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2873 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;tddatech.fr. IN ANY > > ;; Query time: 0 msec > ;; SERVER: 127.0.0.1#53(127.0.0.1) > ;; WHEN: Tue May 15 10:56:25 2012 > ;; MSG SIZE rcvd: 29 > > > The only workaround I have found is to redirect the domain to 8.8.8.8 > That is probably your best bet if you do not want to upgrade to the latest release. Cheers, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] pdns slave
On Tue, May 22, 2012 at 10:59:22AM +0200, Emiel van Berlo wrote: > o.k. then why don't the slaved NS and MX records have this trailing > dot in the powerdns database? > The server adds them. You do not need to add a dot "." to every record in a database, if the software can do it. It matches a user's experience with browsers, e.g. http://www.google.com is what they enter and see, although the full correct DNS name ends with a dot ".". Cheers, Ken > > On Tue, May 22, 2012 at 10:46 AM, Marc Haber > wrote: > > On Tue, May 22, 2012 at 10:17:24AM +0200, Emiel van Berlo wrote: > >> The PowerDNS manual has a BIG warning that it's forbidden to have a > >> trailing dot on domainnames. > > > > I guess that means the internal database format. To my understanding, > > the period must be present in the DNS packet. > > > >> In my opinion, something goes wrong with the slave setup and the zone > >> transfer, or the manual is outdated. > > > > I think you have misunderstood. When you directly write into the > > databases, using a trailing period is counterproductive. > > > > Greetings > > Marc > > ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] pdns slave
On Tue, May 22, 2012 at 03:19:13PM +0200, Emiel van Berlo wrote: > The manual warns about possible strange behaviour with this trailing > dot business. > When I do a dig to my dns servers everything seems o.k. > But will it be o.k. in six months? > > When I set up a master or native domain we don't put in the trailing > dot and we follow the manual. > (SOA : ns1.danego.net n...@danego.net 2012010101 etc) > > All this is working and doing as I think it should. > > Then I add a slave domain (or a superslave, doesn't matter, behaviour > is the same). > > PowerDNS gets an incoming zone transfer. > All records that have the trailing dot appear in the database without > this trailing dot, > except for the SOA record. > > I know that on DNS level there should be a trailing dot. > And yes I know powerdns adds this trailing dot when I do a dig. > > But WHY do I have slaved NS and MX records in the powerdns database > without this trailing dot and why does the SOA have this trailing dot? > > My concern is the warning in the manual: expect STRANGE behaviour if > you add trailing dots in the powerdns database. > Ah, now I see. I missed that PDNS was adding the "." to the SOA record when set up as a slave. It has been doing that for a long time and we have never had a problem. I would just not add the "." when adding records manually to the DB, although it looks like a "." at the end of the primary NS delegation in the SOA record is okay. Cheers, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
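The two threads above (Thomas's apex CNAME next to MX records, and Emiel's trailing dots) both come down to what a record should look like before it goes into the PowerDNS tables: owner names and hostname content without the trailing dot, and no other record type sharing an owner with a CNAME (RFC 1034 section 3.6.2, which is the rule Ken cites). The checker below is an added example written for this page, not code from the thread or from PowerDNS. The sample records are constructed and modelled on Thomas's case, using example.com; the choice to leave SOA content untouched follows Ken's remark that a dot on the primary NS in the SOA is harmless.

```python
"""Added example: normalize and sanity-check records before inserting them into
a PowerDNS SQL backend. The sample data at the bottom is constructed."""
from collections import defaultdict

# Types whose content is (or ends with) a domain name, so a trailing dot can
# creep in from zone-file style input. SOA is left alone on purpose.
NAME_CONTENT_TYPES = {"CNAME", "NS", "MX", "PTR", "DNAME", "SRV"}


def normalize(name):
    """PowerDNS stores names without the trailing dot; DNS names are case-insensitive."""
    return name.strip().rstrip(".").lower()


def normalize_record(rec):
    """Return a copy of rec (a dict with name/type/content) in database form."""
    out = dict(rec)
    out["name"] = normalize(rec["name"])
    out["type"] = rec["type"].strip().upper()
    if out["type"] in NAME_CONTENT_TYPES:
        out["content"] = normalize(rec["content"])
    return out


def check_zone(records, zone):
    """Return a list of problems found in already-normalized records of one zone."""
    apex = normalize(zone)
    problems = []
    types_at = defaultdict(set)
    for rec in records:
        types_at[rec["name"]].add(rec["type"])
        if rec["name"] != apex and not rec["name"].endswith("." + apex):
            problems.append("%s: owner name is outside zone %s" % (rec["name"], apex))
    for name, types in sorted(types_at.items()):
        if "CNAME" in types and len(types) > 1:
            others = ",".join(sorted(types - {"CNAME"}))
            problems.append("%s: CNAME coexists with %s (RFC 1034 3.6.2 allows no other data at a CNAME owner)" % (name, others))
        if name == apex and "CNAME" in types:
            problems.append("%s: CNAME at the zone apex, which always carries SOA and NS" % name)
    return problems


def validate(records, zone):
    """Normalize, then check; returns (normalized_records, problems)."""
    normalized = [normalize_record(r) for r in records]
    return normalized, check_zone(normalized, zone)


# Constructed sample: an apex CNAME added next to SOA, NS and MX (Thomas's
# situation), plus a www CNAME that collides with an A record. Trailing dots
# and mixed case are present on purpose to exercise normalize().
SAMPLE = [
    {"name": "example.com.", "type": "SOA", "content": "ns1.example.com. hostmaster.example.com. 2012050501 7200 900 2419200 900"},
    {"name": "example.com.", "type": "NS", "content": "ns1.example.com."},
    {"name": "example.com.", "type": "MX", "content": "mx1.example.com.", "prio": 20},
    {"name": "example.com.", "type": "CNAME", "content": "some.otherdomain.example."},
    {"name": "WWW.example.com", "type": "CNAME", "content": "web.example.com"},
    {"name": "www.example.com", "type": "A", "content": "192.0.2.10"},
]

if __name__ == "__main__":
    _, found = validate(SAMPLE, "example.com")
    print("\n".join(found) or "no problems")
```

Run before every bulk insert or import script; the MX example assumes the old schema where the priority lives in the separate prio column, so the content is just the hostname.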
Re: [Pdns-users] MySQL Backend - Multiple Tables?
On Tue, Jul 10, 2012 at 02:00:45PM -0700, Andrew Melton wrote: > I am wondering whether it is possible to configure the gmysql backend to > pull from more than one table. Currently, we use `pdns`.`records`, but it > is growing large and I would like to split the data. Any suggestions would > be appreciated. > > Thanks. It is possible to define the SQL queries that are run in the PDNS configuration file pdns.conf. You should be able to do what you need. See the manual for the default queries being used. Cheers, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS DNSSEC support
On Thu, Jul 12, 2012 at 09:55:18AM -0400, Yingdi Yu wrote: > Hi all, > > I know PowerDNS authoritative server has been supporting DNSSEC for a > while, but does PowerDNS recursive server support DNSSEC now? Thanks! > > Regards, > > Yingdi No. Cheers, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
[Pdns-users] problem resolving completely with pdns-recursor-3.3.1
Hi PDNS community, Running pdns-recursor 3.3.1 behind pdns-2.9.22 I am having a problem resolving the following host: wwwa.nko.navy.mil Here is a dig against one of the servers: $ dig wwwa.nko.navy.mil @ns1.rice.edu ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> wwwa.nko.navy.mil @ns1.rice.edu ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64096 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;wwwa.nko.navy.mil. IN A ;; ANSWER SECTION: wwwa.nko.navy.mil. 180 IN CNAME wwwa.nko.navy.mil.apps.gcds.disa.mil. wwwa.nko.navy.mil.apps.gcds.disa.mil. 300 IN CNAME origin-wwwa.nko.navy.mil. ;; Query time: 164 msec ;; SERVER: 128.42.209.32#53(128.42.209.32) ;; WHEN: Thu Oct 11 08:17:53 2012 ;; MSG SIZE rcvd: 108 Note that the CNAME origin-wwwa.nko.navy.mil is not looked up to give the host's actual IP address: $ dig origin-wwwa.nko.navy.mil @ns1.rice.edu ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> origin-wwwa.nko.navy.mil @ns1.rice.edu ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21780 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;origin-wwwa.nko.navy.mil. IN A ;; ANSWER SECTION: origin-wwwa.nko.navy.mil. 180 IN A 160.125.250.20 ;; Query time: 60 msec ;; SERVER: 128.42.209.32#53(128.42.209.32) ;; WHEN: Thu Oct 11 08:20:10 2012 ;; MSG SIZE rcvd: 58 But sometimes, after some sequence of lookups in the chain I get the following: $ dig wwwa.nko.navy.mil @ns1.rice.edu ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> wwwa.nko.navy.mil @ns1.rice.edu ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56590 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;wwwa.nko.navy.mil. IN A ;; ANSWER SECTION: wwwa.nko.navy.mil. 180 IN CNAME wwwa.nko.navy.mil.apps.gcds.disa.mil. wwwa.nko.navy.mil.apps.gcds.disa.mil. 
120 IN CNAME origin-wwwa.nko.navy.mil. origin-wwwa.nko.navy.mil. 137 IN A 160.125.250.20 ;; Query time: 58 msec ;; SERVER: 128.42.209.32#53(128.42.209.32) ;; WHEN: Thu Oct 11 08:20:53 2012 ;; MSG SIZE rcvd: 124 which does include the final A record information. Does anyone have an idea about how to fix this or provide a work-around? Any ideas would be appreciated. Regards, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] problem resolving completely with pdns-recursor-3.3.1
Dear PDNS community, Just to follow up. I went ahead and opened ticket #598 against pdns-recursor-3.3.1 for this matter. Regards, Ken On Thu, Oct 11, 2012 at 08:22:47AM -0500, k...@rice.edu wrote: > Hi PDNS community, > > Running pdns-recursor 3.3.1 behind pdns-2.9.22 I am having > a problem resolving the following host: > > wwwa.nko.navy.mil > > Here is a dig against one of the servers: > > $ dig wwwa.nko.navy.mil @ns1.rice.edu > > ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> wwwa.nko.navy.mil > @ns1.rice.edu > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64096 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;wwwa.nko.navy.mil. IN A > > ;; ANSWER SECTION: > wwwa.nko.navy.mil.180 IN CNAME > wwwa.nko.navy.mil.apps.gcds.disa.mil. > wwwa.nko.navy.mil.apps.gcds.disa.mil. 300 IN CNAME origin-wwwa.nko.navy.mil. > > ;; Query time: 164 msec > ;; SERVER: 128.42.209.32#53(128.42.209.32) > ;; WHEN: Thu Oct 11 08:17:53 2012 > ;; MSG SIZE rcvd: 108 > > Note, that the CNAME origin-wwwa.nko.navy.mil is not looked up to > give the hosts actual IP address: > > $ dig origin-wwwa.nko.navy.mil @ns1.rice.edu > > ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> origin-wwwa.nko.navy.mil > @ns1.rice.edu > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21780 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;origin-wwwa.nko.navy.mil.IN A > > ;; ANSWER SECTION: > origin-wwwa.nko.navy.mil. 
180 IN A 160.125.250.20 > > ;; Query time: 60 msec > ;; SERVER: 128.42.209.32#53(128.42.209.32) > ;; WHEN: Thu Oct 11 08:20:10 2012 > ;; MSG SIZE rcvd: 58 > > But sometimes, after some sequence of lookups in the chain I get > the following: > > $ dig wwwa.nko.navy.mil @ns1.rice.edu > > ; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> wwwa.nko.navy.mil > @ns1.rice.edu > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56590 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;wwwa.nko.navy.mil. IN A > > ;; ANSWER SECTION: > wwwa.nko.navy.mil.180 IN CNAME > wwwa.nko.navy.mil.apps.gcds.disa.mil. > wwwa.nko.navy.mil.apps.gcds.disa.mil. 120 IN CNAME origin-wwwa.nko.navy.mil. > origin-wwwa.nko.navy.mil. 137 IN A 160.125.250.20 > > ;; Query time: 58 msec > ;; SERVER: 128.42.209.32#53(128.42.209.32) > ;; WHEN: Thu Oct 11 08:20:53 2012 > ;; MSG SIZE rcvd: 124 > > which does include the final A record information. Does anyone have an idea > about how to fix this or provide a work-around. Any ideas would be > appreciated. > > Regards, > Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Automatically delete zones that are deleted on Supermaster
On Tue, Oct 30, 2012 at 06:48:03PM +0100, Posner, Sebastian wrote:
> a b wrote:
>
> > Nevertheless, in my experience, this should be handled by the pdns
> > software.
> > I'm thinking that if pdns supermaster is capable of "persuading" a
> > superslave to become a slave for a domain, and then a transfer takes
> > place, would it not be logical to expect that when said domain is
> > removed from the supermaster, the superslave gets a message to ditch
> > said domain?
>
> A supermaster is only supermaster from the superslave's point of view.
> A pdns superslave is in absolutely no way bound to have another pdns
> acting as supermaster. This is due to the means that are used for
> supermaster-superslave communications: DNS onboard means.
>
> In fact, I'm running a pdns as superslave to a stock bind9.
> Works like a charm.
>
> Superslave operation is nothing but a special way to treat DNS notifies
> received from a remote server for a domain we are not authoritative/
> configured for. There is no special "supermaster message type" the
> supermaster must know about and use for communications with the superslave.
> Hence, there is nothing that can be changed on supermaster side to
> communicate zone deletions to a superslave.
>
> The changes would thus have to be made on superslave side:
> Either one would have to change how superslave reacts when a supermaster
> ceases to claim responsibility for a zone it has caused to be created;
> or you use an addon-tool like the one from Mark Scholten that generally
> does exactly this - check for all slave domains with the according master
> whether it's still present, and start giving it the count if it isn't.
>
> Kind regards,
>
> Sebastian

Hi,

It would be hideously ugly, but you could leverage a special content DNS record to allow the supermaster to tell the slave that the domain is or will be deleted. It would require a little bit of smarts/timing and cooperation but it should work.

Regards,
Ken
Re: [Pdns-users] [Help] Increase DNS UDP Message Size
On Mon, Nov 12, 2012 at 06:05:28PM +0100, Stefan Schmidt wrote:
> On Mon, Nov 12, 2012 at 10:48 AM, Đức Vinh Hồ wrote:
>
> > Hi all,
>
> Hi there,
>
> > My website is using PDNS round robin with too many servers pointed to 1
> > domain name. I mean:
> >
> > Name     Type  Content
> > abc.com  A     X.X.X.1
> > abc.com  A     X.X.X.2
> > .
> > abc.com  A     X.X.X.50
> > .
> >
> > A couple of days ago, my boss complained to me that sometimes he can't
> > access the website at night.
> > After much research, I found that a DNS message carried in UDP *cannot*
> > exceed 512 bytes. When a UDP DNS message exceeds 512 octets/bytes, the
> > *TRUNCATED* bit is included in the response, indicating to the
> > client/resolver that not all of the answers were returned, and they
> > should re-query using a TCP DNS message. I think my DNS round robin
> > records are too large, and that is the main cause of my problem.
> >
> > So, can you show me how to increase the PDNS UDP message size, or some
> > solution to make sure PDNS is ok?
>
> It is correct that regular UDP DNS responses cannot exceed 512 bytes,
> however nowadays most clients (that is usually recursive dns servers such
> as google dns for example) make use of a DNS extension header format called
> EDNS or EDNS0. See http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS.
> Depending on which version of PowerDNS you use it already does support
> EDNS0 for a long time as it is needed for DNSSEC operations. And it is also
> very likely that most recursive DNS servers speak EDNS0 as well. This
> probably mitigates your issue but due to this being a protocol limitation
> there is no workaround for it other than limiting the number of IP
> addresses in your round-robin record or making sure all recursive DNS
> servers your clients use are EDNS0 capable. Also some firewalls such as
> Cisco ASA in earlier default configurations are known to drop DNS responses
> that are larger than the 512 byte limit.

Hi,

To add to Stefan's response, since you have no control over how broken the DNS infrastructure is that is talking to your system, you need to address the lowest common denominator and restrict your round-robin DNS record to 512 bytes just like the big boys: Google, Yahoo, ...

Cheers,
Ken
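The 512-byte arithmetic Stefan and Ken are describing, as an added worked example (Python written for this page, not code from the thread or from PowerDNS): it builds a minimal UDP answer for an A query with RFC 1035 name compression, computes how many A records fit under 512 bytes for a name like abc.com (30, not the 50 in the question), and shows the same answer under a larger EDNS0 buffer size. The addresses are constructed TEST-NET values; the flag values and sizes are those of the DNS wire format.

```python
import struct

DNS_HEADER_LEN = 12
TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags


def encode_name(name: str) -> bytes:
    """Encode a dotted domain name in DNS wire format (RFC 1035, section 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)  # root label terminates the name
    return bytes(out)


def a_rr_size() -> int:
    """Size of one A record whose owner is a compression pointer back to the question."""
    return 2 + 2 + 2 + 4 + 2 + 4  # pointer, TYPE, CLASS, TTL, RDLENGTH, 4-octet RDATA


def max_a_records(qname: str, udp_limit: int = 512) -> int:
    """How many A records fit in a single UDP response of at most udp_limit bytes."""
    fixed = DNS_HEADER_LEN + len(encode_name(qname)) + 4  # header + question (QTYPE, QCLASS)
    return max(0, (udp_limit - fixed) // a_rr_size())


def build_a_response(qname: str, addresses, ttl: int = 300, udp_limit: int = 512) -> bytes:
    """Build a minimal answer to an A query, one RR per address, every owner name
    compressed to a pointer (0xC00C) at the question.  If the message would exceed
    udp_limit, trailing RRs are dropped and TC is set; one simple policy a UDP
    responder can follow (real servers may drop the whole answer section instead)."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = [
        b"\xc0\x0c"
        + struct.pack("!HHIH", 1, 1, ttl, 4)
        + bytes(int(octet) for octet in addr.split("."))
        for addr in addresses
    ]

    def assemble(count: int, truncated: bool) -> bytes:
        flags = 0x8180 | (TC_FLAG if truncated else 0)  # QR, RD, RA (+ TC)
        header = struct.pack("!HHHHHH", 0x1234, flags, 1, count, 0, 0)
        return header + question + b"".join(rrs[:count])

    count = len(rrs)
    while count > 0 and len(assemble(count, False)) > udp_limit:
        count -= 1
    return assemble(count, count < len(rrs))


def is_truncated(msg: bytes) -> bool:
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)


def answer_count(msg: bytes) -> int:
    return struct.unpack("!H", msg[6:8])[0]


if __name__ == "__main__":
    # Constructed example: fifty A records like the question, first behind the
    # classic 512-byte limit, then behind a 4096-byte EDNS0 buffer size.
    pool = [f"192.0.2.{i}" for i in range(1, 51)]
    msg = build_a_response("abc.com", pool)
    print(len(msg), answer_count(msg), is_truncated(msg))        # 505 30 True
    msg = build_a_response("abc.com", pool, udp_limit=4096)
    print(len(msg), answer_count(msg), is_truncated(msg))        # 825 50 False
```

Header (12) plus the abc.com question (13) leaves 487 bytes, and each compressed A record costs 16, so 30 records is the most that survives a 512-byte UDP path; anything beyond that reaches clients only if they negotiate EDNS0 or retry over TCP, which is exactly the population Ken says you cannot rely on.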
Re: [Pdns-users] pdns-recursor and amazon cloudfront
On Tue, Dec 11, 2012 at 05:25:55PM +0100, Mario Caruso wrote: > Hello everybody, Lots of details deleted... > I'm really puzzled by the situation, is there anybody that is having > the same behaviour ? or that is aware of this weird thing with > cloudfront ? > Hi Mario, I reported this bug and it has been fixed and should be available in the next pdns-recursor release: http://wiki.powerdns.com/trac/ticket/598 Regards, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] pdns-recursor and amazon cloudfront
On Tue, Dec 11, 2012 at 06:09:56PM +0100, Mario Caruso wrote:
> On Tue, 11 Dec 2012 10:33:56 -0600
> "k...@rice.edu" wrote:
>
> > On Tue, Dec 11, 2012 at 05:25:55PM +0100, Mario Caruso wrote:
> > > Hello everybody,
> >
> > Lots of details deleted...
> >
> > > I'm really puzzled by the situation, is there anybody that is having
> > > the same behaviour ? or that is aware of this weird thing with
> > > cloudfront ?
> > >
> >
> > Hi Mario,
> >
> > I reported this bug and it has been fixed and should be available in
> > the next pdns-recursor release:
> >
> > http://wiki.powerdns.com/trac/ticket/598
> >
> > Regards,
> > Ken
>
> Hi Ken,
> thank you for the reply, I read your ticket but I still have a
> doubt: in the ticket the affected version is 3.3 while I'm
> using 3.2. Do you think that the bug affects all 3.x versions?
>
> Anyway I've upgraded pdns-recursor to version 3.3 using
> the .deb file from http://downloads.powerdns.com/releases/deb/
> but apparently nothing changed, maybe I should compile from
> latest svn and see how it goes.
>
> Regards
>
> M.

Hi Mario,

The fix is only in the latest svn. They have not had a new release of the pdns-recursor since the bug was fixed, so you would need to compile it yourself. The bug affects all earlier versions of the recursor.

Regards,
Ken
Re: [Pdns-users] Checking constraints on MySQL records and auto-rectify
On Thu, Jan 31, 2013 at 08:20:24PM +0100, Jan-Piet Mens wrote:
> > On long, solitary drives I get crazy ideas, and at a beastly hour this
> > morning, it happened again:
>
> FWIW, I'm taking this to [1], where I'm showing some examples of what is
> possible, even though this is probably less than a proof of concept. ;-)
>
> -JP
>
> [1] http://jpmens.net/2013/01/31/controlling-back-end-data-for-powerdns/

FWIW, I think this is a good idea. We have had to write similar constraints to avoid these sorts of problems. If we could define the constraints clearly, they could be implemented in each backend DB's UDF language of choice.

Regards,
Ken
Re: [Pdns-users] SRV records with jpower admin
On Fri, Jul 12, 2013 at 10:57:35AM +1000, Luca Salvatore wrote: > Hi, > > We use JPower Admin to add records into our PDNS box. I'm trying to add some > SRV records but not sure how to format the entries e.g. the priority, weight, > port and target that a SRV record needs. > Can't find much info on the Internet either... Anyone got any suggestions? > > I'm happy to add the record straight to the PDNS server, but not sure how to > do that either... > > Thanks. > Luca. Hi Luca, The documentation has a nice description: http://doc.powerdns.com/html/types.html Cheers, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] SRV records with jpower admin
On Fri, Jul 12, 2013 at 01:47:40PM +1000, Luca Salvatore wrote:
> Erm.. struggling to understand that description.
> I need to add this:
>
> Name      _sipfedls._tcp
> Ttl       3600
> Priority  5
> Weight    0
> Port
> Target    sip.me.com
>
> How can I format that for PDNS or Jpower Admin?
>
> Luca Salvatore
> Senior Network & Security Engineer

Hi Luca,

From Wikipedia, the format of a SRV record is:

_service._proto.name. TTL class SRV priority weight port target.

service:  the symbolic name of the desired service.
proto:    the transport protocol of the desired service; this is usually either TCP or UDP.
name:     the domain name for which this record is valid, ending in a dot.
TTL:      standard DNS time to live field.
class:    standard DNS class field (this is always IN).
priority: the priority of the target host, lower value means more preferred.
weight:   a relative weight for records with the same priority.
port:     the TCP or UDP port on which the service is to be found.
target:   the canonical hostname of the machine providing the service, ending in a dot.

Here is what the PDNS docs say:

SRV records can be used to encode the location and port of services on a domain name. When encoding, the priority field is used to encode the priority. For example, '_ldap._tcp.dc._msdcs.conaxis.ch SRV 0 100 389 mars.conaxis.ch' would be encoded with 0 in the priority field and '100 389 mars.conaxis.ch' in the content field.

So for your example, these are the fields stored in the DB:

name    - _sipfedls._tcp
ttl     - 3600
prio    - 5
content - '0 sip.me.com.'   # without the quotes

Double-check results with dig.

Regards,
Ken
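How those fields land in the gsql records table, as an added example written for this page (not code from the thread or from PowerDNS): a small Python converter between a zone-file SRV line and the (name, type, ttl, prio, content) columns, with the sanity checks a practitioner would want before inserting rows by hand. The owner `_sipfedls._tcp.example.com.` and the port 5061 are constructed for the example, since Luca's post leaves the port blank; the second input reproduces the `_ldap._tcp.dc._msdcs.conaxis.ch` line quoted from the PDNS docs. Names are stored without the trailing dot, as the gsql backends expect.

```python
import re

# zone-file shape:  name [ttl] [IN] SRV priority weight port target
_SRV_LINE = re.compile(
    r"^(?P<name>\S+)(?:\s+(?P<ttl>\d+))?(?:\s+IN)?\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$",
    re.IGNORECASE,
)


def srv_to_gsql_row(line: str, default_ttl: int = 3600) -> dict:
    """Split one SRV line into the columns a PowerDNS gsql backend stores.

    The priority goes into the separate `prio` column; `weight port target`
    is what is left for `content`.  Names are stored without the trailing dot."""
    m = _SRV_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    name = m["name"].rstrip(".").lower()
    labels = name.split(".")
    # RFC 2782 owner names are _service._proto.<domain>; anything else is a typo
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError(f"SRV owner must look like _service._proto.domain: {name!r}")
    port = int(m["port"])
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    target = m["target"].lower()
    # a lone "." means "service decidedly not available" (RFC 2782) and is kept as is
    target = "." if target == "." else target.rstrip(".")
    return {
        "name": name,
        "type": "SRV",
        "ttl": int(m["ttl"]) if m["ttl"] else default_ttl,
        "prio": int(m["prio"]),
        "content": f"{int(m['weight'])} {port} {target}",
    }


def gsql_row_to_srv(row: dict) -> str:
    """Reverse direction: the presentation form `dig` should print for a stored row."""
    weight, port, target = row["content"].split()
    target = target if target == "." else target + "."
    return f"{row['name']}. {row['ttl']} IN SRV {row['prio']} {weight} {port} {target}"
```

Running the first constructed line through `srv_to_gsql_row` gives prio 5 and content `0 5061 sip.me.com`, which is the split Ken describes; `gsql_row_to_srv` turns the row back into the one-line form you compare against `dig` output.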
[Pdns-users] updated patch to improve SQL db AXFR performance
Dear PDNS community,

We are preparing to upgrade to the DNSSEC capable pdns 3.3. Please find the attached patch to include a "finalize-axfr-query" to replace the blanket assumption of "commit". This allows you to utilize areas other than your primary records tables to manage the API mismatch between a flatfile update and that of an MVCC capable SQL DB. Here is the README I wrote while updating the patch to version 3.3. It was originally targeting 2.9.x and was posted in May 2007. The patch is attached.

README---

This file documents what was changed and why to improve the AXFR performance with an MVCC type database like PostgreSQL/Oracle and MySQL with the INNODB storage engine.

The AXFR process works as follows:

1. AXFR for a domain is received by SLAVE.
2. SLAVE transfers zone and checks for validity.
3. SLAVE DELETEs all zone records.
4. SLAVE INSERTs the updated zone.

This is a crazy waste when there are few changes (the usual case) and even worse for systems that need to be able to ROLLBACK the changes. A simple substitution: load the new zone into a working TEMPORARY table and use that to calculate the deltas (records added, deleted, or changed), then only apply those much smaller updates.

The fly in the ointment is that the clean-up or application of the deltas needs to be done when the zone is committed, and while the delete-zone-query and insert-zone-query are user definable, the final commit for a zone transfer is hard-coded to "commit". This patch updates the commitTransaction() function to utilize a new user definable query called finalize-axfr-query with a default value of "commit" to yield the same behavior if it is left undefined. However, it can be defined to execute the needed zone finalization actions to leverage the use of the temporary tables. In the original patch against version 2.9.x, the speed-up was 10x, not to mention the reduced table bloating which needed VACUUM with PostgreSQL to reuse the space.

It appears that the oracle backend already has this by setting the oracle-finalize-axfr-query. This adds the ability to the gsql backends.

Note: I have provided patches against the oracle, lua and odbx backends to support the additional argument to the commitTransaction() function, but they are just a stub to prevent compile and runtime errors and I have not tested them. They will need to be tested by someone with access to and experience with building the different backends.

patch changes:

1. Add the declaration for finalize-axfr-query to:
   ./pdns/backends/gsql/gsqlbackend.cc
   ./modules/gsqlite3backend/gsqlite3backend.cc
   ./modules/godbcbackend/godbcbackend.cc
   ./modules/gmysqlbackend/gmysqlbackend.cc
   ./modules/goraclebackend/goraclebackend.cc
   ./modules/gpgsqlbackend/gpgsqlbackend.cc

   declare(suffix, "commit-zone-axfr-query", "", "commit");

2. Declare d_FinalizeAXFRQuery for g* backends:
   ./pdns/backends/gsql/gsqlbackend.hh
   ./pdns/backends/gsql/gsqlbackend.cc

   string d_FinalizeAXFRQuery;
   d_FinalizeAXFRQuery=getArg("finalize-axfr-query");

3. Add domain_id argument to bool commitTransaction() declaration:
   ./pdns/backends/bind/bindbackend2.hh
   ./pdns/backends/gsql/gsqlbackend.hh
   ./pdns/dnsbackend.hh
   ./modules/oraclebackend/oraclebackend.hh
   ./modules/luabackend/luabackend.hh
   ./modules/opendbxbackend/odbxbackend.hh

4. Fix commitTransaction() functions to use the user defined SQL command if defined:
   ./pdns/backends/bind/bindbackend2.cc
   ./pdns/backends/gsql/gsqlbackend.cc
   ./modules/oraclebackend/oraclebackend.cc
   ./modules/luabackend/slave.cc
   ./modules/opendbxbackend/odbxbackend.cc
   ./pdns/ws.cc
   ./pdns/pdnssec.cc
   ./pdns/slavecommunicator.cc
   ./pdns/packethandler.cc

5. Test and benchmark AXFR functionality. The benchmark shows the patched version works like the original version. If the queries are updated, the patched version is approximately 2X faster than the unpatched as well as resulting in less DB churn.

Here are the queries I used for testing:

With DNSSEC enabled:

#Update AXFR queries to use stage table for staging
gpgsql-delete-zone-query=CREATE TEMPORARY TABLE stage (id INT, domain_id INT, name VARCHAR(255), \
    type VARCHAR(6), content VARCHAR(255), ttl INT, prio INT, auth BOOLEAN) ON COMMIT DROP; \
    PREPARE axfrinsert (varchar, int, int, varchar, int, varchar, boolean) AS INSERT INTO \
    stage (content,ttl,prio,type,domain_id,name,auth) VALUES ($1,$2,$3,$4,$5,$6,$7::boolean);
gpgsql-insert-record-query-auth=EXECUTE axfrinsert (E'%s',%d,%d,E'%s',%d,E'%s','%d');
gpgsql-finalize-axfr-query=CREATE TEMPORARY TABLE axfrvars (name VARCHAR(6), value INT) ON COMMIT DROP; \
    INSERT INTO axfrvars (name, value) VALUES ('domain', %d); \
    DELETE FROM records \
    WHERE domain_id = \
    (SELECT value FROM axfrvars WHERE name = 'domain') AND \
    records.id NOT IN \
    (SELECT records.id FROM records INNER JOIN stage \
    USING (domain_id, name, type, content, ttl, prio)); \
    INSERT INTO records (domain_id, name, type, content, ttl, prio, auth) \
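The delta logic the finalize query implements, as an added example that is not part of Ken's patch or of PowerDNS: the same stage-then-diff approach written in Python against an in-memory SQLite copy of a cut-down records table, so the effect on row ids and on other domains can be checked directly. The column set, sample zone and domain ids are constructed for the example; the match columns (everything but auth) follow the USING list in the query above, and the whole update runs inside one transaction so a failure rolls back to the previous zone.

```python
import sqlite3

# Constructed, reduced copy of the gsql `records` table.
SCHEMA = """
CREATE TABLE records (
    id        INTEGER PRIMARY KEY,
    domain_id INTEGER NOT NULL,
    name      TEXT    NOT NULL,
    type      TEXT    NOT NULL,
    content   TEXT    NOT NULL,
    ttl       INTEGER NOT NULL,
    prio      INTEGER NOT NULL DEFAULT 0,
    auth      INTEGER NOT NULL DEFAULT 1
);
"""

# Columns a live row and a staged row are matched on; `auth` is deliberately
# left out, exactly as in the finalize query's USING list.
MATCH = " AND ".join(f"r.{c} = s.{c}" for c in ("domain_id", "name", "type", "content", "ttl", "prio"))


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:", isolation_level=None)  # we issue BEGIN/COMMIT ourselves
    con.executescript(SCHEMA)
    return con


def apply_axfr_delta(con: sqlite3.Connection, domain_id: int, zone_rows) -> tuple:
    """Replace stored zone `domain_id` with `zone_rows` (name, type, content, ttl, prio, auth)
    by staging the transfer and applying only the difference.  Returns (deleted, inserted)."""
    cur = con.cursor()
    cur.execute("BEGIN")
    try:
        # delete-zone-query: stage the incoming zone instead of wiping the live table
        cur.execute("CREATE TEMP TABLE stage (domain_id INTEGER, name TEXT, type TEXT, "
                    "content TEXT, ttl INTEGER, prio INTEGER, auth INTEGER)")
        # insert-record-query: every transferred RR lands in the staging table
        cur.executemany("INSERT INTO stage VALUES (?, ?, ?, ?, ?, ?, ?)",
                        [(domain_id, *row) for row in zone_rows])
        # finalize, part 1: drop live rows of this domain that the new zone no longer has
        deleted = cur.execute(f"""
            DELETE FROM records WHERE domain_id = ? AND id NOT IN (
                SELECT r.id FROM records r JOIN stage s ON {MATCH})""", (domain_id,)).rowcount
        # finalize, part 2: add staged rows that have no identical live row yet
        inserted = cur.execute(f"""
            INSERT INTO records (domain_id, name, type, content, ttl, prio, auth)
            SELECT s.domain_id, s.name, s.type, s.content, s.ttl, s.prio, s.auth FROM stage s
            WHERE NOT EXISTS (SELECT 1 FROM records r WHERE {MATCH})""").rowcount
        cur.execute("DROP TABLE stage")
        cur.execute("COMMIT")
    except Exception:
        cur.execute("ROLLBACK")  # the previous zone stays intact
        raise
    return deleted, inserted


def stored_zone(con: sqlite3.Connection, domain_id: int) -> list:
    """(id, name, type, content) of the live zone, to see which rows survived unchanged."""
    return con.execute("SELECT id, name, type, content FROM records WHERE domain_id = ? "
                       "ORDER BY name, type, content", (domain_id,)).fetchall()
```

Unchanged records keep their ids (and, in a real deployment, their MVCC tuples), only the records that actually changed are touched, and a zone of another domain_id is never in play; that is the "less DB churn" the README measures.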
Re: [Pdns-users] updated patch to improve SQL db AXFR performance
Argh! I forgot to include one patch in the posted patchset. Here it is: - --- pdns-3.3/pdns/dnsbackend.hh 2013-05-16 07:55:13.0 -0500 +++ pdns-3.3-FINALIZEAXFR/pdns/dnsbackend.hh2013-07-11 20:05:43.697847786 -0500 @@ -181,7 +181,7 @@ } //! commits the transaction started by startTransaction - virtual bool commitTransaction() + virtual bool commitTransaction(int id=-1) { return false; } - Regards, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
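Review bot: the default argument `int id=-1` on `commitTransaction()` lets every existing call site and every backend compile unchanged, so a backend that does use the value (the gsql finalize-axfr-query in this patchset substitutes it with %d) can be handed -1 from a caller that was never updated and run the finalize query against domain_id -1; either drop the default so the compiler flags each caller listed in step 4 of the README, or have the gsql implementation fall back to the plain `commit` when the id is negative. The parameter is also named `id` here while the README describes it as the domain_id; naming it `domain_id` and extending the Doxygen comment above it (`//! commits the transaction started by startTransaction`) would state the contract in the one place every backend sees. Finally, step 1 of the README declares the setting as "commit-zone-axfr-query" while step 2 reads it back with getArg("finalize-axfr-query"); the two names have to match or the configured query is never picked up.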
[Pdns-users] Problem with recursor behind PDNS 3.3
Dear PDNS community,

I am looking into a problem with recursion with pdns-3.3 and pdns-recursor-3.5.2. Our current system is pdns-2.9.22 and pdns-recursor-3.3.1. The problem is looking up the IP address based on a CNAME. Here are the dig results for the old and new systems:

$ dig imap.mail.rice.edu @ns2.rice.edu

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> imap.mail.rice.edu @ns2.rice.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 517
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;imap.mail.rice.edu.            IN      A

;; ANSWER SECTION:
imap.mail.rice.edu.     1592    IN      CNAME   imap.netfu.rice.edu.
imap.netfu.rice.edu.    10      IN      A       128.42.204.112

;; Query time: 3 msec
;; SERVER: 128.42.178.32#53(128.42.178.32)
;; WHEN: Mon Aug 12 14:31:41 2013
;; MSG SIZE  rcvd: 77

$ dig imap.mail.rice.edu @newns2.rice.edu

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3 <<>> imap.mail.rice.edu @newns2.rice.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18799
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;imap.mail.rice.edu.            IN      A

;; ANSWER SECTION:
imap.mail.rice.edu.     3600    IN      CNAME   imap.netfu.rice.edu.

;; AUTHORITY SECTION:
netfu.rice.edu.         3600    IN      NS      netscaler2.rice.edu.
netfu.rice.edu.         3600    IN      NS      netscaler3.rice.edu.

;; ADDITIONAL SECTION:
netscaler2.rice.edu.    3600    IN      A       128.42.206.5
netscaler3.rice.edu.    3600    IN      A       128.42.204.5

;; Query time: 4 msec
;; SERVER: 128.42.178.42#53(128.42.178.42)
;; WHEN: Mon Aug 12 14:31:54 2013
;; MSG SIZE  rcvd: 143

Here are the pertinent entries from the records table:

pdns=> select * from records where name = 'imap.mail.rice.edu';
    id    | domain_id |        name        | type  |       content       | ttl  | prio | change_date
----------+-----------+--------------------+-------+---------------------+------+------+-------------
 93787060 |        71 | imap.mail.rice.edu | CNAME | imap.netfu.rice.edu | 3600 |    0 |  1187098853
(1 row)

pdns=> select * from records where name = 'netfu.rice.edu';
    id    | domain_id |      name      | type |       content       | ttl  | prio | change_date
----------+-----------+----------------+------+---------------------+------+------+-------------
 97699071 |         1 | netfu.rice.edu | NS   | netscaler3.rice.edu | 3600 |    0 |  1324405987
 97698982 |         1 | netfu.rice.edu | NS   | netscaler2.rice.edu | 3600 |    0 |  1324564910
(2 rows)

Here is the result for querying the recursor directly:

map.mail.rice.edu -p 552 @localhost

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.5 <<>> imap.mail.rice.edu @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62232
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;imap.mail.rice.edu.            IN      A

;; ANSWER SECTION:
imap.mail.rice.edu.     1618    IN      CNAME   imap.netfu.rice.edu.
imap.netfu.rice.edu.    10      IN      A       128.42.204.112

;; Query time: 2 msec
;; SERVER: 127.0.0.1#552(127.0.0.1)
;; WHEN: Mon Aug 12 14:40:24 2013
;; MSG SIZE  rcvd: 77

Why isn't pdns-3.3 recursing the CNAME?

Regards,
Ken
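A checker for the two reports in this archive (the Oct 2012 wwwa.nko.navy.mil chain that stops one CNAME short of the A record, and this one, where the new server hands back a delegation for netfu.rice.edu instead of chasing the CNAME into it), as an added example written for this page, not code from the thread or from PowerDNS. It walks the ANSWER section the way a stub resolver would and names what it finds at the end of the chain; the records in the tests are taken from the dig output above, and the status labels are this example's own.

```python
def follow_cname_chain(qname, qtype, answers, authority=(), max_hops=8):
    """Walk the CNAME chain for (qname, qtype) through one response.

    answers / authority: iterables of (owner, ttl, type, rdata), as dig prints them.
    Returns {"status", "chain", "rdata"} with status one of
      resolved  - a record of the asked type was reached; rdata holds its data
      referral  - the chain ends at a name the AUTHORITY section delegates away
                  (the server returned NS records instead of following the CNAME)
      dangling  - the last CNAME target has no data in the response at all
      loop      - the chain revisits a name or exceeds max_hops"""
    def canon(name):
        return name.lower().rstrip(".")

    by_owner = {}
    for owner, _ttl, rtype, rdata in answers:
        by_owner.setdefault(canon(owner), []).append((rtype.upper(), rdata))

    name, qtype = canon(qname), qtype.upper()
    chain, seen = [name], {name}
    while True:
        rrset = by_owner.get(name, [])
        final = [rd for t, rd in rrset if t == qtype]
        if final:
            return {"status": "resolved", "chain": chain, "rdata": final}
        cnames = [rd for t, rd in rrset if t == "CNAME"]
        if not cnames:
            # no data for this name: did the server give us a delegation covering it?
            ns = [rd for owner, _ttl, t, rd in authority
                  if t.upper() == "NS"
                  and (name == canon(owner) or name.endswith("." + canon(owner)))]
            return {"status": "referral" if ns else "dangling", "chain": chain, "rdata": ns}
        target = canon(cnames[0])  # a name must carry at most one CNAME; take the first
        if target in seen or len(chain) > max_hops:
            return {"status": "loop", "chain": chain + [target], "rdata": []}
        seen.add(target)
        chain.append(target)
        name = target
```

Run against the first dig from October 2012 it reports `dangling` at origin-wwwa.nko.navy.mil (the second dig, with the A record present, resolves); run against the @newns2 answer above, it reports `referral` with netscaler2/netscaler3, which is the symptom Ken is asking about: the response is a valid delegation, just not a completed recursion.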
Re: [Pdns-users] Autodiscover SRV Record splitting hairs :)
On Thu, Oct 31, 2013 at 06:34:38PM +, Norman wrote: > Hi List, > > I have zones that get transferred from a bind server to a Powerdns > Mysql back-end on a second server. All records transfer just > fine...except for the Autodiscover SRV record. The record itself > registers correctly: > _autodiscover._tcp.testing29.com SRV 0 443 > autodiscovery.testing29.com 14400 0 > > but...Powerdns splits the SRV record and produces an extra record/row > in the database, with only the id, domain id, name and type filled in: > _tcp.test1.testing29.com A NULL NULL NULL NULL > > Is there a remedy for this? If not, what would be a cron-compatible > Mysql command to delete those unwanted records from the database as > the Mysql root user? > > Regards. > > Norman > Hi Norman, That is a normal record created/needed to support DNSSEC. Please do not delete it. I was concerned the first time I saw them because I thought the AXFR process was broken by a patch that I had written. Regards, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
On Wed, Dec 04, 2013 at 01:18:40PM -0600, Drew Decker wrote:
> We are currently wanting to implement Isilon's SmartConnect features, which
> requires a delegation (NS) record to the Isilon. Unfortunately, their
> documentation only covers BIND and Microsoft DNS products. Is there a way
> to do the same thing in PowerDNS? If so, what is the correct way?
>
> Per the documentation, it shows the following for BIND:
>
> -
> BIND server:
> In BIND, a new name server (NS) record needs to be added to the existing
> authoritative DNS zone specifying the server of authority for the new
> sub-zone. For that, an A record must be added, specified in the NS record
> that points to the SIP address of the cluster. For example, if the
> SmartConnect zone name is cluster.example.com, the DNS entries would look like:
>
> >> cluster.example.com IN NS sip.example.com
> >> sip.example.com IN A {IP address}
> -
>
> Unfortunately, it doesn't appear to work on our end - it says "hostname not
> found" - but all other DNS records work for the parent domain on our end -
> it is just this one that is not working. Please let me know if you'd like
> me to provide more information on the setup of our PowerDNS servers.
>
> --
> Best Regards,
> Drew Decker

Hi Drew,

We do this in the recursor, not in the authoritative server, with pdns-recursor using the forward-zones option. For your example, it would be a line something like this:

forward-zones=cluster.example.com={IP address}

Regards,
Ken
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
On Wed, Dec 04, 2013 at 02:03:57PM -0600, Drew Decker wrote: > Ken, > > Yea - I don't think this will work for us. Our domain is shared with the > Isilon, so it would be lab.domain.com, and I don't want to forward the > entire zone over to the Isilon. > > thanks! > Yes, we put our Isilon in its own (sub)domain for exactly that reason. It made this easy. You could roll-your-own with lua in the recursor if a separate domain is not possible. Regards, Ken ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PowerDNS Delegation (SmartConnect Isilon)
On Thu, Dec 12, 2013 at 06:17:50PM -0600, Drew Decker wrote: > Does anyone else know of a way to do this, or could give me some > recommendations on how we could do this in or current configuration? We > just need to be able to create a delegation in PowerDNS to use a > different Nameserver on the actual isilon. We are basically delegating to > the Isilon for a specific "subdomain". > > Thanks! > Hi again Drew, I thought that you said that you shared the domain with the Isilon? But above you say that it is its own domain. Which is it? I thought that the Isilon "required" its own domain to work. Regards, Ken > > On Wed, Dec 4, 2013 at 2:06 PM, k...@rice.edu wrote: > > > On Wed, Dec 04, 2013 at 02:03:57PM -0600, Drew Decker wrote: > > > Ken, > > > > > > Yea - I don't think this will work for us. Our domain is shared with the > > > Isilon, so it would be lab.domain.com, and I don't want to forward the > > > entire zone over to the Isilon. > > > > > > thanks! > > > > > > > Yes, we put our Isilon in its own (sub)domain for exactly that reason. It > > made this easy. You could roll-your-own with lua in the recursor if a > > separate > > domain is not possible. > > > > Regards, > > Ken > > > > > > -- > Best Regards, > Drew Decker ___ Pdns-users mailing list Pdns-users@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users
[Pdns-users] PostgreSQL schema for DNSSEC signing
Hi,

I am working on porting your auto-signing schema proof-of-concept for Oracle:

http://wiki.powerdns.com/trac/browser/trunk/pdns/modules/oraclebackend/schema.sql

to PostgreSQL. I have found something that looks like a bug in the following function dnsname_to_raw():

CREATE OR REPLACE FUNCTION dnsname_to_raw (in_dnsname IN VARCHAR2) RETURN RAW
AS
  dnsname VARCHAR2(512) := LOWER(in_dnsname);
  rawname RAW(512);

  lpos BINARY_INTEGER := 1;
  rpos BINARY_INTEGER;
  label VARCHAR2(63);

  TYPE convarray IS VARRAY(64) OF RAW(1);
  byteval convarray := convarray(
    '00', '01', '02', '03', '04', '05', '06', '07',
    '08', '09', '0A', '0B', '0C', '0D', '0E', '0F',
    '10', '11', '12', '13', '14', '15', '16', '17',
    '18', '19', '1A', '1B', '1C', '1D', '1E', '1F',
    '20', '21', '22', '23', '24', '25', '26', '27',
    '28', '29', '2A', '2B', '2C', '2D', '2E', '2F',
    '30', '31', '32', '33', '34', '35', '36', '37',
    '38', '39', '3A', '3B', '3C', '3D', '3E', '3F'
  );
BEGIN
  IF dnsname IS NULL THEN
    RETURN('00');
  END IF;

  WHILE lpos <= LENGTH(dnsname) LOOP
    rpos := INSTR(dnsname, '.', lpos);
    IF rpos = 0 THEN
      rpos := LENGTH(dnsname) + 1;
    END IF;
    label := SUBSTR(dnsname, lpos, rpos - lpos);
    rawname := UTL_RAW.CONCAT(
      rawname,
      byteval(LENGTH(label) + 1),
      UTL_I18N.STRING_TO_RAW(label, 'US7ASCII')
    );
    lpos := rpos + 1;
  END LOOP;

  IF rpos = LENGTH(dnsname) THEN
    rawname := UTL_RAW.CONCAT(rawname, '00');
  END IF;

  RETURN(rawname);
END;

At the end of the function, it has a test to see if "rpos = LENGTH(dnsname)" and if so, appends a 00 byte to the end, but the only place that sets rpos earlier:

  IF rpos = 0 THEN
    rpos := LENGTH(dnsname) + 1;
  END IF;

specifically sets rpos to the length of the string + 1, which would mean that the trailing nul would never be added. This looks like a bug, but I am working from the "code-as-documentation" instead of a spec for what the dnsname_to_raw output should be. Once the PostgreSQL schema has been tested, I will post/submit our final version for inclusion in the dist.

Any assistance would be appreciated.

Regards,
Ken
Re: [Pdns-users] PostgreSQL schema for DNSSEC signing
On Thu, Jan 09, 2014 at 10:26:07AM -0600, k...@rice.edu wrote: > Hi, > > I am working on porting your auto-signing schema proof-of-concept for Oracle: > > http://wiki.powerdns.com/trac/browser/trunk/pdns/modules/oraclebackend/schema.sql > > to PostgreSQL. I have found something that looks like a bug in the following > function dnsname_to_raw(): > > > CREATE OR REPLACE FUNCTION dnsname_to_raw (in_dnsname IN VARCHAR2) RETURN RAW > AS > dnsname VARCHAR2(512) := LOWER(in_dnsname); > rawname RAW(512); > > lpos BINARY_INTEGER := 1; > rpos BINARY_INTEGER; > label VARCHAR2(63); > > TYPE convarray IS VARRAY(64) OF RAW(1); > byteval convarray := convarray( > '00', '01', '02', '03', '04', '05', '06', '07', > '08', '09', '0A', '0B', '0C', '0D', '0E', '0F', > '10', '11', '12', '13', '14', '15', '16', '17', > '18', '19', '1A', '1B', '1C', '1D', '1E', '1F', > '20', '21', '22', '23', '24', '25', '26', '27', > '28', '29', '2A', '2B', '2C', '2D', '2E', '2F', > '30', '31', '32', '33', '34', '35', '36', '37', > '38', '39', '3A', '3B', '3C', '3D', '3E', '3F' > ); > BEGIN > IF dnsname IS NULL THEN > RETURN('00'); > END IF; > > WHILE lpos <= LENGTH(dnsname) LOOP > rpos := INSTR(dnsname, '.', lpos); > IF rpos = 0 THEN > rpos := LENGTH(dnsname) + 1; > END IF; > label := SUBSTR(dnsname, lpos, rpos - lpos); > rawname := UTL_RAW.CONCAT( > rawname, > byteval(LENGTH(label) + 1), > UTL_I18N.STRING_TO_RAW(label, 'US7ASCII') > ); > lpos := rpos + 1; > END LOOP; > > IF rpos = LENGTH(dnsname) THEN > rawname := UTL_RAW.CONCAT(rawname, '00'); > END IF; > > RETURN(rawname); > END; > > > At the end of the function, it has a test to see if "rpos = LENGTH(dnsname)" > and if so, appends a 00 byte to the end, but the only place that sets rpos > earlier: > > IF rpos = 0 THEN > rpos := LENGTH(dnsname) + 1; > END IF; > > specifically sets rpos to the length of the string + 1, which would mean > that the trailing nul would never be added. 
> This looks like a bug, but I
> am working from the "code-as-documentation" instead of a spec for what
> the dnsname_to_raw output definition. Once the PostgreSQL schema has been
> tested, I will post/submit our final version for inclusion in the dist.
> Any assistance would be appreciated.
>
> Regards,
> Ken

Okay, using the assumption that the code has a bug, here is the PostgreSQL version:

CREATE OR REPLACE FUNCTION dnsname_to_raw ( in_dnsname VARCHAR ) RETURNS BYTEA AS $$
DECLARE
  dnsname VARCHAR := LOWER(in_dnsname);
  rawname BYTEA;
  i INTEGER;
  label VARCHAR[];
  byteval VARCHAR[64] := ARRAY[
    '00', '01', '02', '03', '04', '05', '06', '07',
    '08', '09', '0A', '0B', '0C', '0D', '0E', '0F',
    '10', '11', '12', '13', '14', '15', '16', '17',
    '18', '19', '1A', '1B', '1C', '1D', '1E', '1F',
    '20', '21', '22', '23', '24', '25', '26', '27',
    '28', '29', '2A', '2B', '2C', '2D', '2E', '2F',
    '30', '31', '32', '33', '34', '35', '36', '37',
    '38', '39', '3A', '3B', '3C', '3D', '3E', '3F'
  ];
BEGIN
  IF dnsname IS NULL THEN
    RETURN('00');
  END IF;

  label := string_to_array(dnsname, '.');
  FOR i IN 1 .. ARRAY_UPPER(label, 1) LOOP
    IF rawname IS NULL THEN
      rawname := decode(byteval[LENGTH(label[i]) + 1], 'hex') || convert_to(label[i], 'SQL_ASCII');
    ELSE
      rawname := rawname || decode(byteval[LENGTH(label[i]) + 1], 'hex') || convert_to(label[i], 'SQL_ASCII');
    END IF;
  END LOOP;
  rawname := rawname || decode('00', 'hex');

  RETURN rawname;
END;
$$ LANGUAGE plpgsql STRICT IMMUTABLE;

Here is a sample of the results for a test case:

test=> select dnsname_to_raw('moe.rice.edu');
         dnsname_to_raw
--------------------------------
 \x036d6f6504726963650365647500
(1 row)

This seems like it should be the correct result, but I would appreciate it if someone who knew would corroborate this. Thank you.

Regards,
Ken
Re: [Pdns-users] PostgreSQL schema for DNSSEC signing
On Fri, Jan 10, 2014 at 11:42:18AM +0100, Peter van Dijk wrote:
> Hello Ken,
>
> replying to both messages in-line.
>
> On 09 Jan 2014, at 23:47 , k...@rice.edu wrote:
>
> > On Thu, Jan 09, 2014 at 10:26:07AM -0600, k...@rice.edu wrote:
> >>   WHILE lpos <= LENGTH(dnsname) LOOP
> >>     rpos := INSTR(dnsname, '.', lpos);
>
> rpos is set here, did you miss that?
>
> > Okay, using the assumption that the code has a bug, here is the PostgreSQL
> > version:
> >
> >
> > test=> select dnsname_to_raw('moe.rice.edu');
> >          dnsname_to_raw
> > --------------------------------
> >  \x036d6f6504726963650365647500
> > (1 row)
> >
> > This seems like it should be the correct result, but I would appreciate
> > it if someone who knew would corroborate this. Thank you.
>
> Above result is correct.
>
> However:
> This should be identical to above (only one trailing 00):
> vagrant=> select dnsname_to_raw('moe.rice.edu.');
>         dnsname_to_raw
> ------------------------------
>  \x036d6f65047269636503656475
> (1 row)
>
> This should perhaps be an error (but don't worry too much, garbage in ..):
> vagrant=> select dnsname_to_raw('moe.rice.edu..');
>          dnsname_to_raw
> --------------------------------
>  \x036d6f6504726963650365647500
> (1 row)
>
>
> This may cause trouble at some point (I would expect \x00):
> vagrant=> select dnsname_to_raw('');
> ERROR:  upper bound of FOR loop cannot be null
> CONTEXT:  PL/pgSQL function "dnsname_to_raw" line 28 at FOR with integer loop variable
>
> And this should certainly be \x00:
> vagrant=> select dnsname_to_raw('.');
>  dnsname_to_raw
> ----------------
>  \x00
> (1 row)
>
>
> Interesting work! I hope this helps :)
>
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
>

Hi Peter,

Thank you for the test cases. I have updated my function to fix these
discrepancies.

Regards,
Ken
Re: [Pdns-users] PostgreSQL schema for DNSSEC signing
On Fri, Jan 10, 2014 at 11:46:43AM +0100, Peter van Dijk wrote:
> Hello Ken,
>
> >> Okay, using the assumption that the code has a bug, here is the PostgreSQL
> >> version:
>
> As a followup: Kees Monshouwer has set up a Jenkins job for Oracle testing
> recently. All tests pass, suggesting the Oracle code is fine.
>
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
>

Hi Peter,

The code is correct if the incoming name is '.' terminated. My original
function did not use that, which is why I thought the code may have been
wrong. The new version assumes that all FQDNs end in a terminal '.', or it
adds it. Thank you again for the response.

Regards,
Ken
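Ken's final rule (a name either ends in '.' or has one added) together with Peter's test cases pin down what dnsname_to_raw() should return. The following is an added Python example, not code from the thread or from PowerDNS, that encodes and decodes owner names by that rule and rejects the inputs Peter flagged; the function names and error messages are my own.

```python
"""Wire-format encoding of DNS owner names, with the edge cases from this thread.

Added example (not code from the thread): a stand-alone encoder that applies
the revised rule (a name either ends in '.' or has one added) and a decoder
that checks the length octets, so the results posted on the list can be
re-checked without a database.
"""


def dnsname_to_raw(name: str) -> bytes:
    """Encode a presentation-format name as an uncompressed wire-format name.

    Each label is lowercased and prefixed by its length octet; the name ends
    with the zero-length root label (0x00). '' and '.' both mean the root.
    """
    if name is None:
        raise ValueError("name must not be NULL")
    name = name.lower()
    if not name.endswith("."):
        name += "."  # treat every input as an FQDN, as the revised SQL function does
    if name == ".":
        return b"\x00"  # root: only the terminating empty label
    out = bytearray()
    for label in name[:-1].split("."):
        if label == "":
            # 'moe.rice.edu..' lands here: an empty label inside the name
            raise ValueError("empty label (consecutive dots) in %r" % name)
        raw = label.encode("ascii")  # US7ASCII / SQL_ASCII, as in the SQL versions
        if len(raw) > 63:
            # the 64-entry byteval table in the SQL covers lengths 0..63 only
            raise ValueError("label longer than 63 octets in %r" % name)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def raw_to_dnsname(raw: bytes) -> str:
    """Inverse of dnsname_to_raw: decode an uncompressed wire-format name.

    Rejects a buffer that is not terminated by the root label (what a missing
    trailing 00 looks like on the wire) and length octets above 63, which in
    a DNS message would be compression pointers, not labels.
    """
    labels = []
    pos = 0
    while True:
        if pos >= len(raw):
            raise ValueError("name is not terminated by the root label")
        length = raw[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("length octet %d is not a plain label" % length)
        if pos + length > len(raw):
            raise ValueError("label runs past the end of the buffer")
        labels.append(raw[pos:pos + length].decode("ascii"))
        pos += length
    if pos != len(raw):
        raise ValueError("trailing bytes after the root label")
    return ".".join(labels) + "."


def is_valid_name(name: str) -> bool:
    """True if dnsname_to_raw() accepts the name, False if it raises."""
    try:
        dnsname_to_raw(name)
        return True
    except ValueError:
        return False


def is_valid_raw(raw: bytes) -> bool:
    """True if raw_to_dnsname() accepts the buffer, False if it raises."""
    try:
        raw_to_dnsname(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # the inputs used on the list, plus a round trip through the decoder
    for case in ("moe.rice.edu", "moe.rice.edu.", "moe.rice.edu..", "", "."):
        if is_valid_name(case):
            raw = dnsname_to_raw(case)
            print("%-16r -> \\x%s -> %r" % (case, raw.hex(), raw_to_dnsname(raw)))
        else:
            print("%-16r -> rejected" % (case,))
```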
Re: [Pdns-users] LDAP schema
On Mon, Feb 24, 2014 at 10:52:36PM +0100, Marco de Booij wrote:
> On 24-02-14 22:00, Gavin Henry wrote:
> >> I run a Debian Wheezy server and I just installed powerdns and the LDAP
> >> backend. The openLDAP I run uses the internal configuration and for that I
> >> need to insert the schema from an LDIF file. powerDNS is only installed
> >> with the dnsdomain2.schema which cannot be used directly. Is the
> >> dnsdomain2.ldif file somewhere available? I think that there are more
> >> people who need that file since this is the way that openLDAP is going to
> >> be configured. I already searched this maillist but could not find a
> >> question/reply and the internet did not help either.
> > Hi Marco,
> >
> > It's pretty easy to convert any regular schema to an ldif version. Did you
> > try?
> >
> > Thanks.
> >
> I did not try it yet. I should have but I thought that someone else
> would already have done this for powerDNS. It is the new way to
> configure openLDAP and it would be a lot easier if it was done once
> and added to the package so that not everybody has to do it each for
> themselves.
>
> I will do the conversion this week. I am a bit short in time :-)
>
> Thanks,
>
> Marco
>

Hi Marco,

Before you march too far down this path you may want to heed this note in
the documentation:

  As of PowerDNS Authoritative Server 3.0, the LDAP backend is unmaintained.
  While care will be taken that this backend still compiles, this backend is
  known to have problems in version 3.0 and beyond! Please contact
  powerdns.supp...@netherlabs.nl or visit www.powerdns.com to rectify this
  situation.

Regards,
Ken
[Pdns-users] pdns-recursor impact of lua script
Hi PDNS community,

I have a quick question about the impact of Lua scripts on the recursor's
performance. If occasionally a script needs to perform more processing for a
particular request, does that lookup/Lua processing block or slow up other
queries in progress or new lookups?

Regards,
Ken
Re: [Pdns-users] Oracle backed slave zone nameserver problem.
On Thu, Mar 27, 2014 at 09:10:19AM +0200, Margus Kiting wrote:
> Hi!
>
> I noticed in oracle backed schema SQL, there isn't any master nameserver
> column available in Zones table. I can specify zone type, but not master
> name server if type is set to slave.
> I also tried looking in source code, but could not figure out where slave
> zones master nameserver should go. I believe zone type check is done in
> oraclebackend.cc in code given below.
>
>   check_indicator(mResultTypeInd, false);
>   if (strcasecmp(mResultType, "NATIVE") == 0) {
>     di.kind = DomainInfo::Native;
>   } else if (strcasecmp(mResultType, "MASTER") == 0) {
>     di.kind = DomainInfo::Master;
>     check_indicator(notified_serial_ind, false);
>     di.notified_serial = notified_serial;
>   } else if (strcasecmp(mResultType, "SLAVE") == 0) {
>     di.kind = DomainInfo::Slave;
>     check_indicator(last_check_ind, true);
>     di.last_check = last_check;
>     di.masters = getDomainMasters(mResultName, zone_id);
>   } else {
>     throw OracleException("Unknown zone type in Oracle backend");
>   }
>
> I also did not find any information about this in powerdns documentation.
>
> Could you nice people help me with the problem?
>
> Thanks in advance!
> Margus Kiting

Hi Margus,

According to the documentation:

  http://doc.powerdns.com/html/oracle.html

Here is an excerpt from the docs about the queries pertaining to the zone
masters:

  oracle-zone-masters-query
    Return a list of masters for the zone specified by id.
    Default:
      SELECT master FROM Zonemasters WHERE zone_id = :zoneid

  oracle-is-zone-master-query
    Return a row if the specified host is a registered master for the named
    zone.
    Default:
      SELECT zm.master FROM Zones z JOIN Zonemasters zm ON z.id = zm.zone_id
      WHERE z.name = lower(:name) AND zm.master = :master

Check out the schema definition, it should use the zonemasters table.

Regards,
Ken
Re: [Pdns-users] Recursion with authoritative server and subdomains
On Thu, Mar 27, 2014 at 02:06:01PM +0100, Matthias Leopold wrote:
> hi,
>
> i have "a fairly standard" setup of a 3.3.1 powerdns server with
> mysql backend on a centos 6 system. the server is acting as an
> authoritative dns server and doing recursion for selected ip ranges.
>
> the problem arises with subdomains of authoritative domains who
> should be delegated to other nameservers.
>
> records table looks like this
>
> mysql> select domain_id, name, type, content from records where
> domain_id = 36 and type = 'NS';
> +-----------+-------------+------+------------+
> | domain_id | name        | type | content    |
> +-----------+-------------+------+------------+
> |        36 | abc.at      | NS   | ns1.abc.at |
> |        36 | abc.at      | NS   | ns2.abc.at |
> |        36 | subd.abc.at | NS   | ns3.abc.at |
> |        36 | subd.abc.at | NS   | ns4.abc.at |
>
> when i query ns1.abc.at for www.subd.abc.at i get answers with
> correct authority section, but no answer for www.subd.abc.at.
>
> dig answer flags are
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>
> a bind9 server on ns2.abc.at, which acts as slave, resolves
> www.subd.abc.at correctly.
>
> the problem is not the configured recursor, which also resolves
> www.subd.abc.at correctly.
>
> can someone point me in the right direction?
>
> thx
> matthias
>

Hi Matthias,

The PDNS server is an authoritative server only and does not do recursion.
BIND9 is both an authoritative server and a recursor, so this behavior is
expected.

Regards,
Ken
[Pdns-users] Slight problem with PostgreSQL backend AXFR query
Dear PDNS community,

While debugging a new installation we noticed that a slow zone transfer
using a PostgreSQL backend would insert duplicate records if the transfer
took over 1 minute and a second transfer was started before the first one
completed. The problem is that the default isolation level for a postgres DB
is READ COMMITTED, which means that the second query sees an identical
picture of the DB as the first query, until the first query commits. By then
it is too late and the second query commits as well, resulting in duplicate
records in the DB. There is an easy fix: change the transaction isolation
level to serializable at the start of the transfer. The first command is the
delete-zone-query so it should be:

  set transaction isolation level serializable; delete from records where domain_id=%d

instead of the bare:

  delete from records where domain_id=%d

Then when the second AXFR starts, it errors out and is not allowed to insert
the duplicate records.

Regards,
Ken Marshall
Re: [Pdns-users] Slight problem with PostgreSQL backend AXFR query
On Fri, Mar 28, 2014 at 08:29:03AM -0500, k...@rice.edu wrote:
> Dear PDNS community,
>
> While debugging a new installation we noticed that a slow zone transfer
> using a PostgreSQL backend would insert duplicate records if the transfer
> took over 1 minute and a second transfer was started before the first
> one completed. The problem is that the default isolation level for a
> postgres DB is READ COMMITTED, which means that the second query sees
> an identical picture of the DB as the first query, until the first
> query commits. By then it is too late and the second query commits
> as well, resulting in duplicate records in the DB. There is an easy
> fix, change the transaction isolation level to serializable at the
> start of the transfer. The first command is the delete-zone-query
> so it should be:
>
>   set transaction isolation level serializable; delete from records where domain_id=%d
>
> instead of the bare:
>
>   delete from records where domain_id=%d
>
> Then when the second AXFR starts, it errors out and is not allowed to
> insert the duplicate records.
>
> Regards,
> Ken Marshall
>

Hi,

I just looked at the MySQL documentation, and it looks like MySQL also
supports the "SET TRANSACTION ISOLATION LEVEL *" syntax. Unfortunately, it
looks like it must be issued before the "BEGIN" or "START TRANSACTION" block,
instead of after as for PostgreSQL. Yuck. Is it possible to have the server
keep track of an existing AXFR and not try a new one if one is in progress?
This problem can also hit MySQL if they change their isolation level. It just
happens that the default is REPEATABLE READ for MySQL while PostgreSQL uses
READ COMMITTED by default.

Another alternative would be to explicitly set the isolation level when
establishing the connection to a PostgreSQL backend for the entire session
with:

  SET SESSION CHARACTERISTICS AS TRANSACTION ISOLATION LEVEL REPEATABLE READ;

and use the corresponding MySQL idiom (from the manual):

  SET SESSION TRANSACTION ISOLATION LEVEL REPEATABLE READ;

I tested the latter command variant on PostgreSQL 8.3 and 9.3 and it works
for both, so you can just use that for both MySQL and PostgreSQL in the
initial connection to the DB:

  SET SESSION TRANSACTION ISOLATION LEVEL REPEATABLE READ;

Regards,
Ken
Re: [Pdns-users] Slight problem with PostgreSQL backend AXFR query
On Fri, Mar 28, 2014 at 09:41:50AM -0400, Stephen Frost wrote:
> Ken,
>
> * k...@rice.edu (k...@rice.edu) wrote:
> > While debugging a new installation we noticed that a slow zone transfer
> > using a PostgreSQL backend would insert duplicate records if the transfer
> > took over 1 minute and a second transfer was started before the first
> > one completed.
>
> Shouldn't there be a constraint here to prevent duplicate data from
> getting into the database..? I agree that the transaction isolation
> level might be an issue also, but duplicate data should be prevented by
> constraints also.
>
> Thanks,
>
> Stephen

Hi Stephen,

According to the code comments, they expect the DB to abort the second
attempt to start a transaction for a zone AXFR, so the isolation level must
be set to provide that assurance. It is fortunate that it looks like
PostgreSQL and MySQL can both use the same session level isolation setting
syntax.

Regards,
Ken
Re: [Pdns-users] New to PowerDNS
On Thu, Jun 26, 2014 at 10:21:06PM +0100, Jorge Bastos wrote:
> > It takes very little time for powerdns to pick up the changes. Adding
> > records is backend specific, but assuming you are using mysql backend
> > (gmysql), you can use the schema at
> >
> > http://doc.powerdns.com/html/generic-mypgsql-backends.html#idp62194400
> >
> > This will also show you how to insert records.
> >
> >
> > To enable DNSSEC, first set gmysql-dnssec=yes in configuration, then
> > run
> >
> >   pdnssec secure-zone your.zone
> >
> > This will create the necessary DNSSEC information for live signing. You
> > can verify the changes with
> >
> >   pdnssec show-zone your.zone
> >
> > this will also show you the DS and DNSKEY records you need for
> > upstream.
>
> Hi Aki,
>
> Confirm, it's refreshed a few seconds after I insert the records.
>
> For the DNSSEC part, is there a way to create the DNSSEC information just by
> SQL?
>
> If not, the solution is to run "pdnssec secure-zone ZONE" in a loop on a cron
> script, am I right?
>

Hi Jorge,

I do not know about a SQL only solution for MySQL DNSSEC signing, but I know
that there is a sample schema for Oracle that includes the needed triggers
and functions and that I have a basically complete version of the same for
PostgreSQL that I will be submitting to the PDNS folks once we have it vetted
for production. Maybe you can cobble something together for MySQL using those
as examples. Otherwise 'pdnssec secure-zone your.zone' is your friend.

Regards,
Ken
Re: [Pdns-users] Duplicate RRs in records table
On Thu, Jul 03, 2014 at 02:01:49PM +0200, Klaus Darilion wrote:
> Another workaround (untested) would be to put an explicit lock at the
> beginning of the "delete-zone-query":
>   delete-zone-query="LOCK;delete from records where domain_id=%d"
>
> But (if it is allowed to have multiple statements in the
> delete-zone-query command) it would lock the whole table also for all
> zone updates which is probably bad for the performance.
>
> regards
> Klaus
>

Hi Klaus,

We have observed the same behavior here. When it takes longer to perform a
zone transfer than the periodic check interval (60s), a second will be
initiated with the results that you have reported. We currently time our
transfers to make certain that they are timely (<60s) and also watch the
table for duplicate zone information and clean up if it occurs. This really
should be in PDNS as a flag that a transfer is in progress so it does not
even try a second transfer. As you have noted, DB side solutions are less
effective and ruin the concurrency of the backend for updates. In particular,
we use temporary tables to stage the zone transfer and then only apply the
deltas to the production table. This eliminates the wholesale delete of all
of the zone records followed by its complete repopulation for even a single
record change. But temporary tables are only seen in the transaction that
created them, in our case, so a check in the server code would really help.
The comment in the code requires the backend to handle it:

  - only one backend owns the SOA of a zone
  - only one AXFR per zone at a time - double startTransaction should fail
  - backends need to implement transaction semantics

with the results already seen if a second transfer is initiated. Yuck, it
really needs to be tracked by the server instead. +1 for bug but we have been
working around it for years. It is more of a problem with DNSSEC, because of
the additional processing needed, which slows the transfers and makes them
more susceptible to this.

Regards,
Ken

>
> On 03.07.2014 12:09, Klaus Darilion wrote:
> > Hi.
> >
> > I think we found the cause for the problem (but no solution yet). It
> > seems the problem happens only during the first zone transfer, when
> > there are no RRs in the records table yet. See the following log messages:
> >
> >
> > 1. The zone is inserted into the domains table as type=SLAVE
> >
> > 2. We execute "pdns_control retrieve example.com" to initiate immediately
> > a zone transfer
> >
> > 05:25:09 pdns[23463]: No serial for 'example.com' found - zone is missing?
> > 05:25:09 pdns[23463]: Initiating transfer of 'example.com' from remote '1.2.3.4'
> >
> > It seems this caused PowerDNS to put the zone transfer into its work-queue
> >
> >
> > Some seconds later, the periodic zone check finds out that the zone is
> > stale and also queues a zone transfer
> >
> > 05:25:13 pdns[23463]: Domain 'example.com' is stale, master serial 2014063000, our serial 0
> > 05:25:13 pdns[23463]: Initiating transfer of 'example.com' from remote '1.2.3.4'
> > 05:25:13 pdns[23463]: No serial for 'example.com' found - zone is missing?
> > 05:25:13 pdns[23463]: AXFR started for 'example.com'
> > 05:25:13 pdns[23463]: Transaction started for 'example.com'
> > 05:25:14 pdns[23463]: No serial for 'example.com' found - zone is missing?
> > 05:25:14 pdns[23463]: AXFR started for 'example.com'
> > 05:25:14 pdns[23463]: Transaction started for 'example.com'
> > 05:25:14 pdns[23463]: AXFR done for 'example.com', zone committed with serial number 2014063000
> > 05:25:14 pdns[23463]: AXFR done for 'example.com', zone committed with serial number 2014063000
> >
> > As you see, the zone is fetched 2 times concurrently. The second
> > transaction starts before the first transaction is finished.
> >
> > Thus, there are 2 concurrent transactions:
> >
> >   T1                     T2
> >   BEGIN
> >   DELETE FROM records
> >   INSERT into records
> >                          BEGIN
> >                          DELETE FROM records
> >                          INSERT into records
> >   COMMIT
> >                          COMMIT
> >
> > Now, the zone is inserted twice into the records table.
> >
> > The problem happens only on the first transfer. For further transfers,
> > e.g. caused by NOTIFYs, there are already RRs in the records table and
> > the DELETE will delete rows. Therefore the DELETE will cause a lock on
> > the respective rows which will cause all concurrent transfers which will
> > also delete these rows to be locked out until the first transaction is
> > finished.
> >
> > During the first zone transfer, the DELETE will not delete any rows.
> > Thus, there aren't any locks on the table and both transactions will
> > succeed.
> >
> > I also tried setting the transaction isolation level to 'serializable'
> > but the problem pe
Re: [Pdns-users] Duplicate RRs in records table
On Thu, Jul 03, 2014 at 04:04:43PM +0200, Klaus Darilion wrote:
> > Hi Klaus,
> >
> > We have observed the same behavior here. When it takes longer to perform
> > a zone transfer than the periodic check interval (60s), a second will be
> > initiated with the results that you have reported. We currently time our
> > transfers to make certain that they are timely (<60s) and also watch the
> > table for duplicate zone information and clean up if it occurs. This really
> > should be in PDNS as a flag that a transfer is in progress so it does not
> > even try a second transfer. As you have noted, DB side solutions are less
> > effective and ruin the concurrency of the backend for updates. In
> > particular,
> > we use temporary tables to stage the zone transfer and then only apply the
> > deltas to the production table. This eliminates the wholesale delete of
> > all of the zone records followed by its complete repopulation for even a
> > single record change. But temporary tables are only seen in the transaction
> > that created them, in our case, so a check in the server code would really
> > help. The comment in the code requires the backend to handle it:
> >
> >   - only one backend owns the SOA of a zone
> >   - only one AXFR per zone at a time - double startTransaction should fail
> >   - backends need to implement transaction semantics
> >
> > with the results already seen if a second transfer is initiated. Yuck, it
> > really needs to be tracked by the server instead. +1 for bug but we have
> > been working around it for years. It is more of a problem with DNSSEC,
> > because of the additional processing needed which slows the transfers and
> > makes them more susceptible to this.
>
> Hi Ken!
>
> Which backend are you using? (we use gpgsql)
>
> If I understand you correctly you also have troubles on zone updates. This
> is not the case in our setup: with 2 concurrent transfers/transactions
> the first DELETE will cause a row lock on the old RRs. Thus, the DELETE
> in the second transaction will be delayed until the first transaction is
> committed. Thus, we have the problem only on the very first transfer.
>
> I also think that performing multiple transfers for the same zone should
> be avoided in the application.
>
> regards
> Klaus
>

Hi Klaus,

We use gpgsql as well. We only have problems on the initial transfer of the
zone because there are no existing records in the domain. Then if multiple
AXFRs are started, records can be duplicated. Once the zone has been
populated, the delta logic prevents any more duplication of records.

Regards,
Ken
Re: [Pdns-users] Duplicate RRs in records table
On Thu, Jul 03, 2014 at 05:30:52PM +0200, Klaus Darilion wrote:
> > Hi Klaus,
> >
> > We use gpgsql as well. We only have problems on the initial transfer of
> > the zone because there are no existing records in the domain. Then if
> > multiple AXFRs are started, records can be duplicated. Once the zone has
> > been populated, the delta logic prevents any more duplication of records.
>
> I think your delta-logic is not needed to prevent duplications. (but
> there may be other reasons why you need the delta logic)
>
> regards
> Klaus
>

Hi Klaus,

We calculate the delta because we do not perform the initial zone delete
followed by a complete re-population. We have the zone transfer load into a
temporary table and then join it with the existing records table to calculate
what to delete/insert to make them the same. This really reduces the WAL
generated as well as the table re-writes caused by the full delete/
re-populate cycles for the typical case of a 1 or 2 record delta.

Regards,
Ken
Re: [Pdns-users] URL Redirect
On Wed, Jul 30, 2014 at 12:15:33PM +0100, Stephen Dodge wrote:
> Hello,
>
> I am using PDNS 3.3.1 with mysql backend and I am trying to configure URL
> redirect.
>
> in my pdns.conf I have configured:
>
>   fancy-records=yes
>   urlredirector=1.1.1.1
>
> I have a record configured:
>
>   name=test.domain.co.uk type=URL content=http://anotherdomain/test/
>
> when I query my server for test.domain.co.uk then only the SOA is returned
> and not the urlredirector address.
>
> Any thoughts on what I am missing would be appreciated, it looks like it
> should be simple but I can't get it to work!!
>
> Thanks,
>
> Steve.

Hi Steve,

The first line in Chapter 20 of the PDNS manual:

  Warning: As of PowerDNS Authoritative Server 3.0, fancy records are no
  longer supported!

Regards,
Ken