Yes, the semantics of who is allowed to perform AXFRs have changed.
I got busted by this as well, several months back, because it didn't occur to
me that a sift through the change logs before upgrade is mandatory.
At the time, I had suggested that backward compatibility be made a goal for
pdns 4
If I recall correctly, every backend has its own schema.
Unfortunately, this is not immediately obvious when one starts using pdns.
The good news is, the "oracle" backend gets some serious abuse, it's well
tested, rock solid in its operation, and in my opinion, the schema is optimized
for it.
Yo
ll had TTL values.
Thank you. This is why I love this mailing list.
From: Philippe [m_phili...@rocketmail.com]
Sent: Sunday, November 22, 2015 13:30
To: a b
Subject: AW: [Pdns-users] Multiple A records cause AXFR failure
May be a stupid question, but did
Good idea!
pdnssec check-zone dmz
Error: Received NULL where a value was expected
SQL> delete from records where (id = 16 or id = 66);
2 rows deleted.
SQL> update zones set serial = 2015112209 where name = 'dmz';
1 row updated.
SQL> commit;
Commit complete.
# pdnssec check-zone dmz
Checked
> Based on your queries below, you seem to not be using the default table
> schema and queries:
> https://doc.powerdns.com/md/authoritative/backend-generic-mypgsql/#regular-queries
> Can you post your query configuration and schema ?
Actually, this describes my schema much better:
https://doc.po
> Based on your queries below, you seem to not be using the default table
> schema and queries:
> https://doc.powerdns.com/md/authoritative/backend-generic-mypgsql/#regular-queries
> Can you post your query configuration and schema ?
That is because I am not using the "mypgsql", but the "oracle"
I added two A records, as follows:
SQL> insert into records(id, zone_id, fqdn, content, type) values(16, (select
id from zones where name = 'dmz'), 'ntp.dmz', '172.16.2.2', 'A');
1 row created.
SQL> insert into records(id, zone_id, fqdn, content, type) values(66, (select
id from zones where na
recursor.1/ as well as in the
pdns_recursor's manual page.
Opened https://github.com/PowerDNS/pdns/issues/2873 to keep track of this.
From: Rob Locke [roblo...@gmail.com]
Sent: Saturday, November 7, 2015 16:26
To: a b
Cc: pdns-users@mailman.powerdns.
What is the syntax to specify that pdns_recursor listen on all interfaces
(something like "0.0.0.0/32")?
The issue I am facing is that, not knowing whether this is even possible, I am
unable to automate this.
As far as I am aware, there is no way of reliably detecting the primary network
interf
> META_TYPE = 'ALLOW-AXFR-FROM'
> META_IND = order number (used for ordering)
> META_CONTENT = 'netmask'
>
> you can have multiple ALLOW-AXFR-FROM keys for multiple networks.
Just to report back: works as written above. Introduced in commit
https://github.com/PowerDNS/pdns/commit/c574336
Appare
> no. its poorly named tool. can you try adding by hand?
SQL> desc zonemetadata
Name                                      Null?    Type
---
> Which version does the master run?
3.4.5.
> Can you tcpdump for us?
Absolutely. I'll send you the dump privately to any e-mail address of your
choice.
Just like the good old times, eh? (:-)
Any particular invocation you'd like me to run? Remember, I'll be using
snoop(1M).
> Can you reproduc
> These are the .NL servers, the PowerDNS.COM parent nameservers and finally a
> PowerDNS nameserver. It is recursing to get the security status.
Got it, thank you!
___
Pdns-users mailing list
Pdns-users@mailman
When pdns_recursor first fires up, it fetches what I assume to be root server
zone name information. Then it connects to the following hosts:
nl1.dnsnode.net.
ns1.pine.nl.
xs.powerdns.com.
"xs.powerdns.com" I am assuming is the security vulnerability "phone home"
feature, but what are these oth
> We'd like to have your input on a topic we've been discussing
> internally. In its current state, the autoserial functionality is
> somewhat incomplete, badly documented and non-intuitive to use.
>
> As such, we're currently on the fence on what to do with this feature.
> In our opinion there ar
> (2) you should be extremely aware that talking to a database in a
> blocking way from within a Recursor script is unsupported, as the
> whole Recursor thread is paused while your script is querying the
> database and making a decision
Out of curiosity, are there any code examples of querying
> --with-oracle-libs= it clearly is:
> --with-oracle-libs=$ORACLE_HOME/lib (or, the absolute equivalent of that).
I guess that's the default.
> --with-oracle-includes=
> anything I tried made it only fail faster, so whatever I did was wrong anyway.
> This seems to work:
--with-oracle-included=/usr/
> Also, where are your headers? I would also recommend that you use the *oracle*
> backend instead of *goracle* if you can.
Is anybody even working on the "goracle" backend any more?
> oracle-zone-masters-query
> Return a list of masters for the zone specified by id. Default:
>
> SELECT master
> FROM Zonemasters
> WHERE zone_id = :zoneid
>
> oracle-is-zone-master-query
> Return a row if the specified host is a registered master for the named zone.
> Default:
>
> SELECT zm.mast
> I noticed in oracle backed schema SQL, there isn't any master
> nameserver column available in Zones table.
> I can specify zone type, but not master name server if type is
> set to slave.
That is correct. "Works as designed."
SQL> desc zones
Name N
Thank You for replying.
> Supermaster relies on NOTIFY messages.
>
> Yes. Please use pdns_control notify zone if you need to make it happen right
> away
It turns out that I was missing the NS records for the superslave. I
am documenting the entire process here so that it gets archive
Does adding to the supermasters table require restarting pdns_server?
I am asking this because I have the supermasters table configured, I have the
records.content serial number updated, zones.serial is synchronized with the
serial number on the records.content, and yet after I did a COMMIT; noth
I have both supermaster and superslave listening on port 5300, on their
respective systems. How can I tell the supermaster to contact the superslave on
that port? (This is using "oracle" schema.)
Right now, the supermaster contacts the superslave on port 53, where the
recursor is sitting, and the
I am using the "oracle" (not "goracle") schema. The "supermasters" table
contains an id, "powerdns" for "account name", the fully qualified domain name
of the supermaster, and the correct internet protocol address of the
supermaster. I have the equivalent record for the superslave in the
"superma
pdns_server log:
DNS Proxy launched, local port 26838, remote 127.0.0.1:5300
Master/slave communicator launching
Creating backend connection for TCP
Fatal error in control listener: Guardian exited - going down as well
About to create 3 backend threads for UDP
No new unfresh slave domains, 0 queue
The pdns_recursor process crashed again, but this time I managed to obtain a
core file. Running mdb(1) on the core produced the following stack trace:
Loading modules: [ ld.so.1 libc.so.1 ]
> ::status
debugging core file of pdns_recursor (64-bit)
file: /opt/powerdns/sbin/amd64/pdns_recursor
initial a
About three weeks ago, I finally finished most of the work of packaging and
integrating PowerDNS on Solaris 10, then deployed it on a test zone (Solaris
lightweight virtual server) in order to "soak" it before fully going into
production.
Now it is starting to conk out with the following messag
> Good afternoon, I'm planning to implement 4 node authoritative servers
> working in tandem, using mysql circular replication won't be nice
> because if one node fails the replication is broken.
>
> Though about having a 5th "management server" with mysql running as
> master for the other 4, this
> If you're using rfc2136, the TTL will be set by the client, as he supplies it
> with the update.
> In combination with dhcpd, the TTL will be set to what the dhcpd provides,
> which is typically the lease time.
What happens to the TTL when the lease time is purposely configured to never
expir
> > I've been using it with dhcpd for a while on a very low-client network
> > without any issues.
>
>
> We intend to merge Ruben's great work somewhere in the coming months,
> priorities permitting!
That'd be swell!
> Allthough not in the main powerdns branch, there is this:
> https://github.com/cyclops1982/powerdns/tree/rfc2136
> It's a implementation for rfc2136 for powerdns. It's lacking some feedback,
> so please test and report!
> Also, it does clean cache afterwards so that's not a problem like listed
> You mean I should set:
>
> CFLAGS="${CFLAGS} -Wl/usr/local/openldap/lib64 -lldap -llber -rpath
> /usr/local/openldap/lib64"; export CFLAGS
>
> ...rather than LDFLAGS ?
No, leave it as is, for now. The "-Wl,..." is for the maintainers of the
./configure.in. Ideally, they will fix it.
The comp
> Hmm, it didn't work like that:
>
> LDFLAGS="${LDFLAGS} -L/usr/local/openldap/lib64 -lldap -llber -rpath
> /usr/local/openldap/lib64"; export LDFLAGS
>
> In config.log:
>
> gcc: unrecognized option '-rpath'
That means that ./configure is using the compiler front end (gcc) to link the
exe
> I am still puzzled why in my case the above "export" statement was
> needed, but anyway...
Because a variable setting is only good within the current process; if you do
not export (or setenv in C-shells) a variable, the child process(es) will not
inherit it.
When you build software, a lot of
> [root@vmres x86_64]# cat /etc/ld.so.conf
> include ld.so.conf.d/*.conf
> /usr/local/berkeleydb/lib64
> /usr/local/openldap/lib64
Forget ld.so.conf; properly linked binaries and libraries will never need it.
> [root@vmres x86_64]# ls -la /usr/local/openldap/lib64/liblber*
> lrwxrwxrwx 1 ldap lda
> The actual libs, as installed by any openldap package (or compiled from
> source), are (at /usr/lib or at /usr/lib64 or at custom paths):
> libldap.so and liblber.so.
>
> Now what?
The .spec file and the Makefiles should be checked for -llber.
"-llber" tells the link editor to look for "liblber
Without looking at the SRPM, it is difficult to diagnose the
problem. I might look at it later, if I have some time. Please be
advised that this SRPM is a third party contributed SRPM, not the
canonical source package. The only package which could be considered
canonical would be one from
> but it exited with an error:
> + ./configure --build=x86_64-redhat-linux-gnu
> --host=x86_64-redhat-linux-gnu --target=x86_64-redhat-linux-gnu
> --program-prefix= --prefix==/usr/local/openldap
> --exec-prefix==/usr/local/openldap --bindir==/usr/local/openldap/bin
> configure: error: expecte
> Currently I can't apply patches easily, I'm still having problems
> building powerdns.
Which problem(s) are you experiencing currently?
> Actually you can fix this with /etc/ld.so.conf, just make sure the lib dir(s)
> are in, say, /etc/ld.so.conf.d/oracle or /etc/ld.so.conf and run ldconfig.
>
> no need to use LD_LIBRARY_PATH
That only works on GNU/Linux; if the libraries and binaries are linked with -R,
it is not necessary to se
> The point is to use instantclient libs, not the server libs, as intended.
Ah, so. I always avoid instant client libraries, because they were never linked
correctly, libtclntsh.so cannot find libnnz.so because Oracle does not link
with the $ORIGIN linker keyword. If they did that, instant clien
> I also now made a patch that lets you define the location of oracle libs
> and such, and would be grateful if people could test this patch to see if
> it has some problems.
>
> you can find it from http://wiki.powerdns.com/trac/ticket/726
It might be desirable to change this line,
for p1 in /us
> Also, oraclebackend has support for dnssec, but goraclebackend seems not to,
> so I would suggest using oraclebackend for now.
"oracle" backend appears to have much better support for using Oracle databases
in general, so I would recommend sticking with it as well.
The only known issue with th
> Thanks for the patches. Does generic-oracle backend support dnssec and
> autoserial? These are two functionalities I'm looking for:)
You are welcome, but all the thanks should go to Aki Tuomi; I do not deserve
anything.
As for "goracle" backend, I read the pdns documentation several times, a
> It seems like oracle-home configuration parameter does not exist in pdns-3.2
>
> Mar 27 07:55:16 Fatal error: Trying to set unexisting parameter 'oracle-home'
Hmmm, that is bad news, bad news indeed!
I ran into the same problem back in the day; Aki Tuomi was kind enough to give
me a patch whic
> launch=oracle
> oracle-master-database=//ORACLE-IP:PORT/SERVICE-NAME
> oracle-master-username=DBUSER
> oracle-master-password=DBPASS
launch=oracle
oracle-home=${ORACLE_HOME}
oracle-sid=${ORACLE_SID}
oracle-pool-database=${ORACLE_SID}
oracle-pool-username=${PDNS_LOGIN}
oracle-pool-password=${PDNS
> CPPFLAGS="${CPPFLAGS} -I%{_prefix}/include"; export CPPFLAGS
> LDFLAGS="${LDFLAGS} -L%{_libdir}
> -R${ORIGIN}:${ORIGIN}/../%{_lib}:${ORIGIN}/../../%{_lib}:%{_libdir}"; export
> LDFLAGS
> CFLAGS="${CFLAGS}
> -Wl,-L%{_libdir},-R${ORIGIN}:${ORIGIN}/../%{_lib}:${ORIGIN}/../../%{_lib}:%{_libdir}";
> Thanks for your assistance.
You are welcome.
> Until now, I always use a simple:
>
> $ cat .rpmmacros
> %_topdir %(echo $HOME)/rpmbuild
>
> which has worked fine in many builds I have, and it works fine when I
> build pdns-server on CentOS 5.
This works because you are redefining the top build
> %_prefix/%{MY_BASE}
I should also add that you should pick a top-level directory in opt, like for
example "blabla" or some other generic name (usually your organization's name,
acronym, or most preferably, lower case version of your organization's stock
symbol, if you have one), and a
> > You need to pass --libdir=/usr/local/openldap/lib64 on the %configure
> > line.
>
> Tried that, but the same error occurred.
I did not mean that literally, sorry for the confusion. What I meant is that
you must pass the equivalent of --libdir=/usr/local/openldap/lib64 by using
--libdir=%{_
> Thanks for the reply.
>
> Please, see below.
> /usr/lib/gcc/x86_64-redhat-linux/4.4.7/../../../../lib64/libldap_r.so:
> undefined reference to `ber_sockbuf_io_udp'
As suspected, the link editor is not finding the symbols (function definitions)
it needs to resolve bindings in the object file(
> Hmm, actually now that I tried to build using even the standard CentOS 6
> RPMs/libs/headers/, it still fails at the same point.
>
> So, am I doing something wrong? Please advise.
What does "config.log" say regarding ldap?
> LIBS="-L/usr/local/openldap/lib64"
What makes you believe that anything would pay attention to $LIBS? Did you see
this in the code or documentation somewhere?
> %build
> %configure \
> --sysconfdir=%{_sysconfdir}/powerdns \
> --libdir=%{_libdir} \
> --with
> the reason why I asked is that the default syslog is not good enough and it
> will pack repeated messages, like below. If pdns logging can support to send
> to different port address, it can help to resolve this problem.
syslogd(1M) notes identical messages with "last message repeated # times",
> I presume the same is true for Solaris but I cannot verify that right now.
Yes, of course:
% file pdns_recursor
pdns_recursor: ELF 64-bit LSB executable AMD64 Version 1 [SSE2 SSE FXSR CMOV
FPU], dynamically linked, not stripped
> How I can know the PowerDNS Recursor is running in a 64-bits mode or not?
One can use the file(1) command on the executable:
% file pdns_recursor
> checking for the Boost program_options library... no
> configure: error: cannot not find the flags to link with Boost
> program_options
Please look in "config.log" for "program_options" and post the excerpt here,
ideally +/-20 lines above and below the "program_options" string.
> What are folks using? What databases are you running on the backend?
Oracle 10g (10.2.0.4) and 11g (11.2.0.1).
> Any particular things you do/don't like about your choice?
pdns zone2sql tools do not really support the "oracle" backend properly; manual
crafting of SQL code is required to impo
> We're planning to drop the pdns_control implementation and only keeping the
> pdnssec implementation.
I have not even started to study DNSSEC yet, so I have no idea what the
implications of the above are. Anyone?
> If you are afraid of losing a notify, you are free to force your Supermaster
> to periodically notify all Superslaves about *all* zones. If Superslave hasn't
> yet heard of a zone due to a missed NOTIFY, it'll pull it from the master.
So it can be done then? Use NOTIFY and not have data loss on
> Many protocols for distribution of data have a certain ordering and an
> acknowledgement mechanism. NOTIFY does have an acknowledgement mechanism (but
> PowerDNS masters don't do a lot with it) but no ordering. It's easier to lose
> things with NOTIFY than with other replication protocols.
T
> Using purely DNS for zone replication (supermaster) is nice and sounds
> great, but also has disadvantages, e.g. it is not reliable: If the
> NOTIFY could not be delivered to the slave, then the slave is
> inconsistent. So, you need another mechanism to verify and update slaves
> which failed
> The VM box we use for development cannot host Solaris. Ignoring that, my lack
> of experience with Solaris -and- Oracle would make this a time-consuming
> project which means other projects with more immediate benefits get
> preference.
If we were to provide you with as many Solaris and Oracl
> instead of adding the requested feature to PowerDNS, is possible to add
> 2 features to pdns_control:
>
> 1) pdns_control list_domains, which will return all domains managed by
> PowerDNS
>
> 2) pdns_control delete $domain, which will perform the zone deletion
>
> These two function will he
> > We explicitly do not want to depend on any particular database
> > features for DNS records' replication.
>
> Would it be feasible to build a fully RFC 1925 (6a) [1] compliant
> solution?
>
> (1)
> Have a supermaster SM run from Oracle
>
> (2)
> Have a single superslave SS run against the s
> You could do the replication in the database (e.g. postgresql with
> slony). Then you do not need the supermaster feature.
That is something we are actually trying to avoid at all costs: we have Oracle
doing regular notify and transfer requests on port 53.
We explicitly do not want to depend
> To support a backend, it needs to be tested automatically - preferably after
> each commit. Our testing infrastructure runs Debian 6, and as far I have
> seen, setting up Oracle on it would be a pain.
>
> To get the oracle backend into testing, I see two options
> (a) provide us with good and
> > How to get PowerDNS to delete zones that are deleted on a Supermasters?
>
> I don't think that is possible: you'll have to delete zones manually
> from your PowerDNS `domains` and `records` tables.
If I have a large PowerDNS deployment, let us say one supermaster and ten
superslaves, I'm exp
> From: peter.van.d...@netherlabs.nl
> Date: Wed, 10 Oct 2012 16:25:56 +0200
> To: pdns-users@mailman.powerdns.com; pdns-...@mailman.powerdns.com
> Subject: [Pdns-users] IMPORTANT: please help us test the uncommon backends!
>
> Hello,
>
> occasionally, a change in PowerDNS breaks one or more back
> However, coming from BIND, my mind is transfixed with the single daemon
> which can do both authoritative and recursion (selectively). Does it
> mean that with pdns, I have to run at minimum THREE separate servers -
> one master, one slave, one recursor?
That depends. In BIND, the recurso
> I happen to disagree, since I know for a fact it is possible to run
> both the authoritative server and recursor on the same IP address, I
> happen to be doing that at the moment.
We do the same thing, but I think that in this case what Mr. Mens
meant is that no two services can share th
> in any case, its not really a good idea to have your recursor and
> authoritative DNS servers on the same host...
I think this could be (somewhat) mitigated by running
pdns_recursor on 127.0.0.1 and only allowing recursive queries
from pdns_server on the same host, and let noone
> On 06/03/2012 05:06 PM, Peter van Dijk wrote:
> >
> > In general, if there is no ticket for an issue, it is unlikely to get
> > attention. If you can confirm
> > that these problems still exist (as Juraj Lutter seems to disagree), please
> > file a detailed ticket.
OK, that is good to know.
> I need help on compiling pdns-recursor-3.3 in Solaris 10.
>
> I have installed the boost, please still cannot make it work.
>
> can anyone provide a procedure for me to proceed further?
Here it is, it took a while to locate, even with knowing what to
look for:
http://mailman.powerdns.co
> I need help on compiling pdns-recursor-3.3 in Solaris 10.
>
> I have installed the boost, please still cannot make it work.
>
> can anyone provide a procedure for me to proceed further?
While it is possible to compile pdns-recursor on Solaris 10, the
binary executable will immediately
> One reason is that this supports setups of the following type:
> - ns01 is a powerdns machine in slave mode, slaving domains from other
> machines.
> - ns01 stores all slaved zones in a database (MySQL, Oracle, etc.) which is
> replicated to one or more database slaves
> - ns02/ns03 use these
> > Regarding superslave provisioning, does the pdns.conf on the master
> > need to have "master=yes" and does the pdns.conf on the slave
> > need to have "slave=yes"
>
> Correct: the master must be a master, and the slave a slave. :) Zones
> are transferred via AXFR.
Can anyone tell me why thi
Regarding superslave provisioning, does the pdns.conf on the master
need to have "master=yes" and does the pdns.conf on the slave
need to have "slave=yes", or can all of that be configured
directly by doing INSERT statements in the database?
The documentation mentions all sorts of scenar