From cmouse at youzen.ext.b2.fi Wed Oct 1 06:04:49 2014
From: cmouse at youzen.ext.b2.fi (Aki Tuomi)
Date: Wed, 1 Oct 2014 09:04:49 +0300
Subject: [Pdns-users] Passing a filename as a variable for an access list
In-Reply-To: <002701cfdcea$18a57bb0$49f07310$@ulink.net>
References: <002701cfdcea$18a57bb0$49f07310$@ulink.net>
Message-ID: <20141001060449.GA753@pi.ip.fi>

On Tue, Sep 30, 2014 at 01:07:00PM -0700, Eric Wolff wrote:
> The config option allow-recursion= allows for a comma separated listing of
> subnets. I am looking for a way to pass a file to this option so I can keep
> a list with descriptions similar to /etc/mail/access for sendmail.
>
> Eg:
>
> Allow-recursion=/etc/pdns/access
>
> (Contents of file)
> #ISP Subnet 1
> 10.10.10.10/24
> #ISP Subnet 2
> 20.20.20.20/20
> #Some Customer
> 30.30.30.30./32
>
> I could probably write a script to generate a new config file using the
> contents of an access list but I'd greatly prefer something built in.

You can use the include-dir option and allow-recursion+=host, or just put all the hosts in the include-dir file: allow-recursion=host,host,host...

Aki

> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users

From steffannoord at gmail.com Wed Oct 1 09:01:53 2014
From: steffannoord at gmail.com (Steffan Noord)
Date: Wed, 1 Oct 2014 11:01:53 +0200
Subject: [Pdns-users] pdnssec error after update
Message-ID: <006b01cfdd56$58da9640$0a8fc2c0$@gmail.com>

wildcard-url is removed.
Is there now no way to make a wildcard in the DNS?

Thanks

Steffan

From cmouse at youzen.ext.b2.fi Wed Oct 1 09:22:36 2014
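A generator for the approach Eric sketched and Aki Tuomi suggested in the allow-recursion thread above, added here as an example (it is not PowerDNS code and not from either poster): it reads a commented access list like Eric's /etc/pdns/access, validates every entry with Python's ipaddress module so that a typo such as a stray dot cannot silently break the recursion ACL, refuses a 0/0 entry that would turn the server into an open recursor, and emits a single allow-recursion= line to drop into a file under include-dir. The option names come from the thread; the sample access list is constructed.

```python
"""Generate a PowerDNS include-dir snippet from a commented access list.

Added example for the allow-recursion thread; not PowerDNS code.
Assumed input format: one address or CIDR per line, '#' comments, as in the
/etc/pdns/access example from the thread. Output is one 'allow-recursion='
line for a file in the directory named by include-dir in pdns.conf.
"""
import ipaddress


def parse_access_list(text):
    """Return (networks, errors).

    networks: normalised CIDR strings in file order, duplicates dropped.
    errors:   (line_no, line, reason) for every line that is not a valid
              address or prefix, so a typo never silently changes the ACL.
    """
    networks, seen, errors = [], set(), []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        try:
            # strict=False: '10.10.10.10/24' is accepted and normalised
            net = ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            errors.append((line_no, raw, str(exc)))
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 would allow recursion for the whole Internet
            errors.append((line_no, raw, "refusing to allow recursion for everyone"))
            continue
        key = str(net)
        if key not in seen:
            seen.add(key)
            networks.append(key)
    return networks, errors


def render_allow_recursion(networks):
    """Render the comma-separated pdns.conf line the thread describes."""
    return "allow-recursion=" + ",".join(networks) + "\n"


# Constructed sample access list; line 6 carries a typo that must be rejected.
SAMPLE_ACCESS = """\
#ISP Subnet 1
10.10.10.10/24
#ISP Subnet 2
20.20.20.20/20
#Some Customer
30.30.30.30./32
2001:db8::/32   # v6 customer
10.10.10.10/24  # duplicate, dropped
"""

if __name__ == "__main__":
    nets, errs = parse_access_list(SAMPLE_ACCESS)
    for line_no, line, reason in errs:
        print(f"line {line_no}: {line!r}: {reason}")
    # Write this to e.g. <include-dir>/allow-recursion.conf and reload pdns.
    print(render_allow_recursion(nets), end="")
```

Note that the script refuses rather than skips bad lines: an ACL that silently lost an entry, or silently became wider, is worse than a generator that fails loudly.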
From: cmouse at youzen.ext.b2.fi (Aki Tuomi)
Date: Wed, 1 Oct 2014 12:22:36 +0300
Subject: [Pdns-users] pdnssec error after update
In-Reply-To: <006b01cfdd56$58da9640$0a8fc2c0$@gmail.com>
References: <006b01cfdd56$58da9640$0a8fc2c0$@gmail.com>
Message-ID: <20141001092236.GA2620@pi.ip.fi>

On Wed, Oct 01, 2014 at 11:01:53AM +0200, Steffan Noord wrote:
>
> wildcard-url is removed.
> Is there now no way to make a wildcard in the DNS?
>
> Thanks
>
> Steffan
>

This feature has nothing to do with wildcard DNS, which works just as before.

Aki

From steffannoord at gmail.com Wed Oct 1 09:26:16 2014
From: steffannoord at gmail.com (Steffan Noord)
Date: Wed, 1 Oct 2014 11:26:16 +0200
Subject: [Pdns-users] pdnssec error after update
In-Reply-To: <006d01cfdd59$aead3b10$0c07b130$@gmail.com>
References: <006b01cfdd56$58da9640$0a8fc2c0$@gmail.com> <20141001092236.GA2620@pi.ip.fi> <006d01cfdd59$aead3b10$0c07b130$@gmail.com>
Message-ID: <006f01cfdd59$c10bfd50$4323f7f0$@gmail.com>

OK, thanks.

Just a side note: tonight my server was upgraded with yum. The config file was replaced and all MySQL settings were gone. The only settings that were set:

setuid=pdns
setgid=pdns
launch=bind

-----Original message-----
From: Aki Tuomi [mailto:cmouse at youzen.ext.b2.fi]
Sent: Wednesday, 1 October 2014 11:23
To: Steffan Noord
CC: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] pdnssec error after update

On Wed, Oct 01, 2014 at 11:01:53AM +0200, Steffan Noord wrote:
>
> wildcard-url is removed.
> Is there now no way to make a wildcard in the DNS?
>
> Thanks
>
> Steffan
>

This feature has nothing to do with wildcard DNS, which works just as before.

Aki

From zozo at z0z0.tk Wed Oct 1 09:33:06 2014
From: zozo at z0z0.tk (Keresztes Péter-Zoltán)
Date: Wed, 1 Oct 2014 12:33:06 +0300
Subject: [Pdns-users] pdnssec error after update
In-Reply-To: <006f01cfdd59$c10bfd50$4323f7f0$@gmail.com>
References: <006b01cfdd56$58da9640$0a8fc2c0$@gmail.com> <20141001092236.GA2620@pi.ip.fi> <006d01cfdd59$aead3b10$0c07b130$@gmail.com> <006f01cfdd59$c10bfd50$4323f7f0$@gmail.com>
Message-ID: <5CD94EC6-9948-4629-9FAB-3C39016841D0@z0z0.tk>

Look in /etc/powerdns; you should have a pdns.rpmsave file, which would be the old config file.

On Oct 1, 2014, at 12:26 PM, Steffan Noord wrote:

> OK, thanks.
>
> Just a side note: tonight my server was upgraded with yum. The config file was replaced and all MySQL settings were gone. The only settings that were set:
>
> setuid=pdns
> setgid=pdns
> launch=bind
>
> -----Original message-----
> From: Aki Tuomi [mailto:cmouse at youzen.ext.b2.fi]
> Sent: Wednesday, 1 October 2014 11:23
> To: Steffan Noord
> CC: pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] pdnssec error after update
>
> On Wed, Oct 01, 2014 at 11:01:53AM +0200, Steffan Noord wrote:
>>
>> wildcard-url is removed.
>> Is there now no way to make a wildcard in the DNS?
>>
>> Thanks
>>
>> Steffan
>>
>
> This feature has nothing to do with wildcard DNS, which works just as before.
>
> Aki
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users

From steffannoord at gmail.com Thu Oct 2 13:09:40 2014
From: steffannoord at gmail.com (Steffan Noord)
Date: Thu, 2 Oct 2014 15:09:40 +0200
Subject: [Pdns-users] PowerDNS Server 3.4.0 cron problem
Message-ID: <003001cfde42$20f52be0$62df83a0$@gmail.com>

Hello,

I have a strange problem. I have a PHP script that also signs the domains with DNSSEC. After upgrading to pdns 3.4 the script is not signing the domains anymore. When I run the script from the command line it works fine, just not when using cron. The cron error is:

Error: No database backends configured for launch, unable to function

The line I execute through cron and through the command line:

/usr/bin/php --define "open_basedir=/" /home/sites/......./registrations_execute.php

Any ideas?

Steffan

From bert.hubert at netherlabs.nl Thu Oct 2 13:23:22 2014
From: bert.hubert at netherlabs.nl (bert hubert)
Date: Thu, 2 Oct 2014 15:23:22 +0200
Subject: [Pdns-users] PowerDNS Server 3.4.0 cron problem
In-Reply-To: <003001cfde42$20f52be0$62df83a0$@gmail.com>
References: <003001cfde42$20f52be0$62df83a0$@gmail.com>
Message-ID: <20141002132321.GA17582@xs.powerdns.com>

On Thu, Oct 02, 2014 at 03:09:40PM +0200, Steffan Noord wrote:
> Hello,
>
> I have a strange problem.
> I have a PHP script that also signs the domains with DNSSEC.
> After upgrading to pdns 3.4 the script is not signing the domains anymore.
> When I run the script from the command line it works fine.
> Just not when using cron.
> The cron error is: Error: No database backends configured for launch, unable
> to function

This probably means it hasn't read the configuration file. Perhaps it is not accessible to the CRON user?

Bert

From steffannoord at gmail.com Thu Oct 2 13:33:36 2014
From: steffannoord at gmail.com (Steffan Noord)
Date: Thu, 2 Oct 2014 15:33:36 +0200
Subject: [Pdns-users] PowerDNS Server 3.4.0 cron problem
In-Reply-To: <20141002132321.GA17582@xs.powerdns.com>
References: <003001cfde42$20f52be0$62df83a0$@gmail.com> <20141002132321.GA17582@xs.powerdns.com>
Message-ID: <003201cfde45$78d7c4f0$6a874ed0$@gmail.com>

-rw------- 1 root root 13284 Oct 1 11:07 pdns.conf

That was the right answer! Thanks.

-----Original message-----
From: bert hubert [mailto:bert.hubert at netherlabs.nl]
Sent: Thursday, 2 October 2014 15:23
To: Steffan Noord
CC: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] PowerDNS Server 3.4.0 cron problem

On Thu, Oct 02, 2014 at 03:09:40PM +0200, Steffan Noord wrote:
> Hello,
>
> I have a strange problem.
> I have a PHP script that also signs the domains with DNSSEC.
> After upgrading to pdns 3.4 the script is not signing the domains
> anymore. When I run the script from the command line it works fine.
> Just not when using cron.
> The cron error is: Error: No database backends configured for launch,
> unable to function

This probably means it hasn't read the configuration file. Perhaps it is not accessible to the CRON user?

Bert

From ppcharli at gmail.com Fri Oct 3 11:08:43 2014
From: ppcharli at gmail.com (Pepe Charli)
Date: Fri, 3 Oct 2014 13:08:43 +0200
Subject: [Pdns-users] PowerDNS Web Control Panel
Message-ID:

Hello,

Is "PowerDNS Web Control Panel" production ready?

Thanks,

From fclaire at free.fr Fri Oct 3 11:47:18 2014
From: fclaire at free.fr (Francois Claire)
Date: Fri, 03 Oct 2014 13:47:18 +0200
Subject: [Pdns-users] PowerDNS Web Control Panel
In-Reply-To:
References:
Message-ID: <542E8CC6.1040304@free.fr>

Are you talking about poweradmin? -> http://www.poweradmin.org

From ppcharli at gmail.com Fri Oct 3 11:55:41 2014
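A pre-flight check covering the two failure modes in the "pdnssec error after update" and "3.4.0 cron problem" threads above, added here as an example (it is not PowerDNS code and not from any poster): a package upgrade replacing pdns.conf so that the gmysql settings survive only in the .rpmsave copy, and a pdns.conf with mode 0600 owned by root that a job running as another user cannot read, which is what produces "No database backends configured for launch". The key=value syntax, the "+=" append form, "#" comments and launch= are PowerDNS configuration syntax as used in the thread; the "<backend>-" option-prefix heuristic, the file path and the sample configs are assumptions of this example. It also flags the opposite mistake, a world-readable file that contains a database password.

```python
"""Pre-flight checks on pdns.conf for a job that runs pdnssec from cron.

Added example for the pdnssec-after-update and cron threads; not PowerDNS
code. Config syntax (key=value, key+=value, '#' comments, launch=) is the
real one; the '<backend>-' prefix rule and /etc/powerdns/pdns.conf are
assumptions.
"""
import os
import stat


def parse_pdns_conf(text):
    """Parse key=value lines into a dict; 'key+=value' appends, later keys win."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # values containing '#' unsupported here
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.endswith("+"):                  # e.g. allow-recursion+=10.0.0.0/8
            key = key[:-1].strip()
            conf[key] = conf[key] + "," + value if conf.get(key) else value
        else:
            conf[key] = value
    return conf


def audit_backends(conf):
    """Problems with launch= and the per-backend settings it implies."""
    problems = []
    launch = [b.strip() for b in conf.get("launch", "").split(",") if b.strip()]
    if not launch:
        problems.append("no launch= line: no backend will be started")
    for backend in launch:
        name = backend.split(":", 1)[0]        # 'gmysql:main' names an instance
        if name != "bind" and not any(k.startswith(name + "-") for k in conf):
            problems.append(f"launch={backend} but no {name}-* settings present")
    return problems


def lost_settings(live, saved):
    """Keys present in the saved (.rpmsave) config but absent from the live one."""
    return sorted(k for k in saved if k not in live)


def mode_allows_read(st_mode, file_uid, file_gid, uid, gid):
    """Whether the classic mode bits let uid/gid read the file (root, ACLs aside)."""
    if file_uid == uid:
        return bool(st_mode & stat.S_IRUSR)
    if file_gid == gid:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)


def secrets_world_readable(st_mode, conf):
    """Password-like settings stored in a file that every local user can read."""
    if not st_mode & stat.S_IROTH:
        return []
    return sorted(k for k in conf if k.endswith("-password"))


def check_file(path, uid, gid):
    """Report (readable_by_uid, exposed_secret_keys) for the config at path."""
    st = os.stat(path)
    readable = mode_allows_read(st.st_mode, st.st_uid, st.st_gid, uid, gid)
    exposed = []
    if readable:
        with open(path) as fh:
            exposed = secrets_world_readable(st.st_mode, parse_pdns_conf(fh.read()))
    return readable, exposed


# Constructed samples: the pdns.conf yum left behind, and its .rpmsave copy.
NEW_CONF = """\
setuid=pdns
setgid=pdns
launch=bind
"""
SAVED_CONF = """\
setuid=pdns
setgid=pdns
launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=pdns
gmysql-password=secret   # exposed if the file is world-readable
gmysql-dbname=pdns
"""

if __name__ == "__main__":
    live, saved = parse_pdns_conf(NEW_CONF), parse_pdns_conf(SAVED_CONF)
    for problem in audit_backends(live):
        print("problem:", problem)
    print("settings lost in the upgrade:", lost_settings(live, saved))
    path = "/etc/powerdns/pdns.conf"           # assumed location
    if os.path.exists(path):
        readable, exposed = check_file(path, os.getuid(), os.getgid())
        print(f"{path}: readable by uid {os.getuid()}: {readable}; exposed: {exposed}")
```

Run this as the cron user (not as root) before the real job; the mode check mirrors the ls -l output posted in the thread, and the lost-settings diff is what pdns.conf.rpmsave is for.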
From: ppcharli at gmail.com (Pepe Charli)
Date: Fri, 3 Oct 2014 13:55:41 +0200
Subject: [Pdns-users] PowerDNS Web Control Panel
In-Reply-To: <542E8CC6.1040304@free.fr>
References: <542E8CC6.1040304@free.fr>
Message-ID:

No. https://github.com/PowerDNS/pdnscontrol

2014-10-03 13:47 GMT+02:00 Francois Claire :
> Are you talking about poweradmin? -> http://www.poweradmin.org
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users

From vovdts at gmail.com Sat Oct 4 18:05:41 2014
From: vovdts at gmail.com (me ich)
Date: Sat, 4 Oct 2014 20:05:41 +0200
Subject: [Pdns-users] PDNSControl + uwsgi + nginx in a subdirectory, docs?
Message-ID:

Hello dear PowerDNS Community,

right now I am playing, or at least trying to, with pdnscontrol, as the update to PowerDNS 3.4 is obvious... I would like to run it under the aforementioned set-up that consists of nginx and uwsgi. For this I would like some help, as there are no docs or howtos (I found none). Does anyone have some advice, maybe some configuration files I can use for this?

Thank you in advance, & kind regards,
-Paul Wats

From roblocke at gmail.com Tue Oct 7 17:03:12 2014
From: roblocke at gmail.com (Rob)
Date: Tue, 7 Oct 2014 10:03:12 -0700 (MST)
Subject: [Pdns-users] PDNS for a TLD...
Message-ID: <1412701392138-11022.post@n7.nabble.com>

Hi,

We are rebuilding the registrar for a TLD which we fully control (let's call it .foo) and are looking at using PowerDNS. I have a couple of questions, some of which may not be specific to PowerDNS, but I hope the group doesn't mind if I ask them anyway:

1) I'm assuming every domain (eg, somedomain.foo) will require an SOA record. Is it required that the TLD (ie, "foo") also have an SOA record?

2) Assuming the owner of "somedomain.foo" chooses to use their own (custom) nameservers, and a request is made for, say, the A record of "www.somedomain.foo", how is our nameserver expected to respond? Should it reply with the custom NS records? Or, in the course of resolving "www.somedomain.foo", will there somehow be a request for the NS records of "somedomain.foo"? If PowerDNS is expected to respond with the custom nameservers for an A record it doesn't know about, how do I set up PDNS to do that?

Thanks for any help you can offer,
Rob

--
View this message in context: http://powerdns.13854.n7.nabble.com/PDNS-for-a-TLD-tp11022.html
Sent from the PowerDNS mailing list archive at Nabble.com.

From ahodgson at simkin.ca Tue Oct 7 17:25:23 2014
From: ahodgson at simkin.ca (Alan Hodgson)
Date: Tue, 07 Oct 2014 10:25:23 -0700
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To: <1412701392138-11022.post@n7.nabble.com>
References: <1412701392138-11022.post@n7.nabble.com>
Message-ID: <2633701.8eu60p00pD@skynet.simkin.ca>

On Tuesday, October 07, 2014 10:03:12 AM Rob wrote:
> 2) Assuming the owner of "somedomain.foo" chooses to use their own
> (custom) nameservers, and a request is made for, say, the A record of
> "www.somedomain.foo", how is our nameserver expected to respond? Should it
> reply with the custom NS records? Or, in the course of resolving
> "www.somedomain.foo", will there somehow be a request for the NS records of
> "somedomain.foo"? If PowerDNS is expected to respond with the custom
> nameservers for an A record it doesn't know about, how do I setup PDNS to do
> that?

For name servers within your TLD, you do need to serve glue A records as well as NS delegations. Registries generally refer to that as registering name servers, and registrars provide tools to do so.

From vovdts at gmail.com Tue Oct 7 17:42:51 2014
From: vovdts at gmail.com (P W)
Date: Tue, 07 Oct 2014 19:42:51 +0200
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To: <1412701392138-11022.post@n7.nabble.com>
References: <1412701392138-11022.post@n7.nabble.com>
Message-ID: <5434261B.2080606@gmail.com>

Hello Rob,

> 1) I'm assuming every domain (eg, somedomain.foo) will require an SOA
> record. Is it required that the TLD (ie, "foo") also have an SOA record?

Of course you will require an SOA (Start of Authority) for the .foo zone. Be RFC compliant. This is very important if you change records on your name server and want other name servers, especially those which are resolving, to know that changes were made.

> 2) Assuming the owner of "somedomain.foo" chooses to use their own
> (custom) nameservers, and a request is made for, say, the A record of
> "www.somedomain.foo", how is our nameserver expected to respond? Should it
> reply with the custom NS records? Or, in the course of resolving
> "www.somedomain.foo", will there somehow be a request for the NS records of
> "somedomain.foo"? If PowerDNS is expected to respond with the custom
> nameservers for an A record it doesn't know about, how do I setup PDNS to do
> that?

You can simply delegate DNS queries to other name servers via the NS records. In your .foo name server this could look like:

somedomain.foo. TTL IN NS ns1.customer-dns.tld
somedomain.foo. TTL IN NS ns2.customer-dns.tld

and so on... Your .foo name server then simply delegates to those name servers set in the NS records.

The route DNS follows when looking for information is this one, where . is the root zone:

. -> foo -> somedomain -> www

This gives you www.somedomain.foo. In your case your .foo name server will delegate the query to the name servers of, e.g., your customers.

I hope this helps you a little bit.

Kind Regards,
Paul Wats

From roblocke at gmail.com Wed Oct 8 04:02:42 2014
From: roblocke at gmail.com (Rob)
Date: Tue, 7 Oct 2014 21:02:42 -0700 (MST)
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To: <5434261B.2080606@gmail.com>
References: <1412701392138-11022.post@n7.nabble.com> <5434261B.2080606@gmail.com>
Message-ID: <1412740962597-11025.post@n7.nabble.com>

Hi guys,

(I'm not sure if my email reply made it out, since it's not appearing in the archive. My apologies if you're receiving this twice.)

I really appreciate the responses from everyone so far. One thing I forgot to mention is that I'm using the MySQL backend. So, if I understand correctly:

* We'll need an SOA record for "foo". For example:

(name, type, content, ttl) = ('foo', 'SOA', 'ns01.dns.foo admin.dns.foo 1 10800 3600 694800 3600', 86400)

* For domains which use *custom* nameservers, we only need to include the NS records for purposes of delegation. For example, for "blah.foo":

(name, type, content, ttl) = ('blah.foo', 'NS', 'dns01.customdns.com', 3600)
(name, type, content, ttl) = ('blah.foo', 'NS', 'dns02.customdns.com', 3600)

We'll also need glue records if the nameservers are within "blah.foo".

* But, for domains which use *our* name servers (with a web interface for managing records), we'll need an SOA record in addition to NS records pointing to our name servers. For example, for "something.foo":

(name, type, content, ttl) = ('something.foo', 'SOA', 'ns01.dns.foo admin.dns.foo 1 10800 3600 694800 3600', 86400)
(name, type, content, ttl) = ('something.foo', 'NS', 'ns01.dns.foo', 3600)
(name, type, content, ttl) = ('something.foo', 'NS', 'ns02.dns.foo', 3600)

And a sample record for good measure:

(name, type, content, ttl) = ('www.something.foo', 'A', '123.123.123.123', 3600)

Did I get that right? Or am I more confused than ever?

Thanks!
Rob

--
View this message in context: http://powerdns.13854.n7.nabble.com/PDNS-for-a-TLD-tp11022p11025.html
Sent from the PowerDNS mailing list archive at Nabble.com.

From cyruspy at gmail.com Fri Oct 10 19:20:09 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Fri, 10 Oct 2014 16:20:09 -0300
Subject: [Pdns-users] powerdns-recursor: ERROR: can't parse argument ' DS:outQ_all:DERIVE:600:0:125000000000'
Message-ID:

Hi! Does anybody know if something changed with the PowerDNS Recursor support? I'm trying to add a host and it's giving me this error:

powerdns-recursor ERROR: can't parse argument ' DS:outQ_all:DERIVE:600:0:125000000000'

Observium v0.13.10.4586

Regards,
--
Ciro Iriarte
http://iriarte.it
--

From cyruspy at gmail.com Fri Oct 10 19:39:24 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Fri, 10 Oct 2014 16:39:24 -0300
Subject: [Pdns-users] Statistics with Observium
Message-ID:

Hi! Does anybody happen to collect stats with Observium? Apparently in the past it had support for both the Authoritative and Recursive servers, but as of today it's not working with Recursor 3.6.1.

Ideas, comments?

Regards,
--
Ciro Iriarte
http://iriarte.it
--

From mark at streamservice.nl Sat Oct 11 12:50:52 2014
From: mark at streamservice.nl (Mark Scholten)
Date: Sat, 11 Oct 2014 14:50:52 +0200
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To: <1412740962597-11025.post@n7.nabble.com>
References: <1412701392138-11022.post@n7.nabble.com> <5434261B.2080606@gmail.com> <1412740962597-11025.post@n7.nabble.com>
Message-ID: <099301cfe551$fd8a6190$f89f24b0$@streamservice.nl>

Hello Rob,
> From: pdns-users-bounces at mailman.powerdns.com [mailto:pdns-users-
> bounces at mailman.powerdns.com] On Behalf Of Rob
> Sent: 08 October, 2014 6:03
>
> Hi guys,
>
> (I'm not sure if my email reply made it out, since it's not appearing in the
> archive. My apologies if you're receiving this twice.)
>
> I really appreciate the responses from everyone so far. One thing I forgot to
> mention is that I'm using the MySQL backend. So, if I understand
> correctly:
>
> * We'll need an SOA record for "foo". For example:
> (name, type, content, ttl) =
> ('foo', 'SOA', 'ns01.dns.foo admin.dns.foo 1 10800 3600 694800 3600', 86400)

Yes, this is what you need.

> * For domains which use *custom* nameservers, we only need to include the
> NS records for purposes of delegation. For example, for "blah.foo":
> (name, type, content, ttl) =
> ('blah.foo', 'NS', 'dns01.customdns.com', 3600)
>
> (name, type, content, ttl) =
> ('blah.foo', 'NS', 'dns02.customdns.com', 3600)
>
> We'll also need glue records if the nameservers are within "blah.foo".

Yes, this is correct; they are located in the foo zone (same domain_id as the SOA record mentioned earlier).

> * But, for domains which use *our* name servers (with a web interface for
> managing records), we'll need an SOA record in addition to NS records
> pointing to our name servers. For example, for "something.foo":
> (name, type, content, ttl) =
> ('something.foo', 'SOA', 'ns01.dns.foo admin.dns.foo 1 10800 3600 694800 3600', 86400)
>
> (name, type, content, ttl) =
> ('something.foo', 'NS', 'ns01.dns.foo', 3600)
>
> (name, type, content, ttl) =
> ('something.foo', 'NS', 'ns02.dns.foo', 3600)
>
> And a sample record for good measure:
> (name, type, content, ttl) =
> ('www.something.foo', 'A', '123.123.123.123', 3600)
>
>
> Did I get that right? Or am I more confused than ever?

This is an option. However, depending on the number of records and your needs, it might be easier to:
A. include the records directly in the foo zone without adding a separate zone (with its own SOA record and NS records)
OR
B. put them on separate name servers

Don't forget that you need to add NS records to the foo zone for the domain and in the domain zone. For this you can also check the domain_id field.

Do you want to also support DNSSEC? This is possible with PowerDNS; you need to add DS records for the domains. If you provide an EPP service to your customers/registrars this is easy, as they can provide the DS records. It would be a nice service to verify the DS records at the time they are provided, to see if they match, and if not return an error or warning.

Let us know if you have other questions.

Kind regards,
Mark Scholten

From sfrost at snowman.net Sat Oct 11 19:37:55 2014
From: sfrost at snowman.net (Stephen Frost)
Date: Sat, 11 Oct 2014 15:37:55 -0400
Subject: [Pdns-users] Duplicate RRs in records table
In-Reply-To: <0E1BE1A8-4F0E-4CE0-A02B-AA18866C745F@netherlabs.nl>
References: <53B51C97.8060104@pernau.at> <53B52BE4.5000606@pernau.at> <53B5462D.6090908@pernau.at> <20140703125630.GX28527@aart.rice.edu> <53B562FB.7090809@pernau.at> <0E1BE1A8-4F0E-4CE0-A02B-AA18866C745F@netherlabs.nl>
Message-ID: <20141011193755.GS28859@tamriel.snowman.net>

* Peter van Dijk (peter.van.dijk at netherlabs.nl) wrote:
> On 03 Jul 2014, at 16:04 , Klaus Darilion wrote:
> > I also think that performing multiple transfers for the same zone should
> > be avoided in the application.
>
> Please file a ticket at https://github.com/PowerDNS/pdns/issues/new so we don't forget!

This doesn't appear to have been addressed in 3.4.0; was the bug ever submitted, and is there a plan to fix it?

Thanks!

Stephen

From pdns at unicycle.net Sun Oct 12 22:36:39 2014
From: pdns at unicycle.net (Leo Vandewoestijne)
Date: Sun, 12 Oct 2014 22:36:39 +0000
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To:
References:
Message-ID: <20141012223639.GA79417@relay7.ucia.gov>

> From: "Mark Scholten"
> Subject: Re: [Pdns-users] PDNS for a TLD...
>
> Don't forget that you need to add NS records to the foo zone for the domain and in the domain zone.
>

Not true per se; only if you delegate "something.foo". And even "dns.foo" doesn't have to be delegated.

Practical example? Check `dig +trace @8.8.8.8 a.fi soa`

So in "untechnical", "policywise" language: do you need to delegate authority ...? If not, then maybe keep it simple (whichever method that is).

Leo Vandewoestijne

--
Sent from my Google Glass

From roblocke at gmail.com Mon Oct 13 05:45:30 2014
From: roblocke at gmail.com (Rob)
Date: Sun, 12 Oct 2014 22:45:30 -0700 (MST)
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To: <099301cfe551$fd8a6190$f89f24b0$@streamservice.nl>
References: <1412701392138-11022.post@n7.nabble.com> <5434261B.2080606@gmail.com> <1412740962597-11025.post@n7.nabble.com> <099301cfe551$fd8a6190$f89f24b0$@streamservice.nl>
Message-ID: <7C7B6DD4-54FE-4DE0-88E2-EB0AC4004417@gmail.com>

Hi,

> > * For domains which use *custom* nameservers, we only need to include the
> > NS records for purposes of delegation. For example, for "blah.foo":
>
> Yes, this is correct; they are located in the foo zone (same domain_id as the SOA record mentioned earlier).

Thanks for mentioning that explicitly. It is an important point which I failed to mention in my email.

> > * But, for domains which use *our* name servers (with a web interface for
> > managing records), we'll need an SOA record in addition to NS records
> > pointing to our name servers. For example, for "something.foo":
> > ...
>
> This is an option. However, depending on the number of records and your needs, it might be easier to:
> A. include the records directly in the foo zone without adding a separate zone (with its own SOA record and NS records)
> OR
> B. put them on separate name servers

Since we might have a number of customers managing their own records, I'm thinking it might be cleanest for each of them to have their own SOA/NS records. Then look at option B in the future.

> Don't forget that you need to add NS records to the foo zone for the domain and in the domain zone. For this you can also check the domain_id field.

Right now, for customers using *our* name servers, I only have SOA/NS records in the domain zone (along with whatever other records they create). Do I really need to duplicate the NS records for the domain in the foo zone? (For delegated domains, I have the NS records in the foo zone as you recommended.)

> Do you want to also support DNSSEC? This is possible with PowerDNS; you need to add DS records for the domains. If you provide an EPP service to your customers/registrars this is easy, as they can provide the DS records. It would be a nice service to verify the DS records at the time they are provided, to see if they match, and if not return an error or warning.

This is in the cards. I'm sure I'll have more questions about DNSSEC soon! =)

Thanks,
Rob

--
View this message in context: http://powerdns.13854.n7.nabble.com/PDNS-for-a-TLD-tp11022p11033.html
Sent from the PowerDNS mailing list archive at Nabble.com.

From roblocke at gmail.com Mon Oct 13 05:51:13 2014
From: roblocke at gmail.com (Rob)
Date: Sun, 12 Oct 2014 22:51:13 -0700 (MST)
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To: <20141012223639.GA79417@relay7.ucia.gov>
References: <1412701392138-11022.post@n7.nabble.com> <20141012223639.GA79417@relay7.ucia.gov>
Message-ID:

Hi,

> So in "untechnical","policywise" language:
> do you need to delegate authority ...?
> If not, then maybe keep it simple (whichever method that is).

In some cases, we'll be deleg​ating authority, so we'll simply have the domain NS records in the foo zone, nothing else.

In other cases, customers will be using our nameservers, so we'll have the SOA/NS records in the domain zone. But do we need any records in the foo zone in that scenario?

Cheers,
Rob

--
View this message in context: http://powerdns.13854.n7.nabble.com/PDNS-for-a-TLD-tp11022p11034.html
Sent from the PowerDNS mailing list archive at Nabble.com.

From peter.van.dijk at netherlabs.nl Mon Oct 13 06:57:23 2014
From: peter.van.dijk at netherlabs.nl (Peter van Dijk)
Date: Mon, 13 Oct 2014 08:57:23 +0200
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To:
References: <1412701392138-11022.post@n7.nabble.com> <20141012223639.GA79417@relay7.ucia.gov>
Message-ID: <9AE91940-6F88-4CF3-B882-048154D87B1A@netherlabs.nl>

Hello,

On 13 Oct 2014, at 7:51 , Rob wrote:

> > So in "untechnical","policywise" language:
> > do you need to delegate authority ...?
> > If not, then maybe keep it simple (whichever method that is).
>
> In some cases, we'll be delegating authority, so we'll simply have the domain NS records in the foo zone, nothing else.
>
> In other cases, customers will be using our nameservers, so we'll have the SOA/NS records in the domain zone. But do we need any records in the foo zone in that scenario?

If 'foo' and 'bar.foo' are separate zones on the same name server, you need SOA+NS in 'bar.foo' *and* NS in 'foo'. Without DNSSEC, you can get away without NS in 'foo', but as soon as 'foo' is DNSSEC signed, you need the NS records so that DNSSEC can do an (in)secure proof on the delegation.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From peter.van.dijk at netherlabs.nl Mon Oct 13 07:07:24 2014
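The rules given in the "PDNS for a TLD..." thread above, written up as a checker a registry operator could run over the gsql records table before signing the parent, added here as an example (it is not PowerDNS code and not from any poster). It encodes three points from the thread: a child zone hosted on the same server needs SOA+NS at its apex; the parent needs NS records for every child it delegates, matching the child's apex NS set (Peter van Dijk: without DNSSEC you can get away without them, once "foo" is signed you cannot); and name servers under a delegated name need glue A/AAAA in the parent (Alan Hodgson's point). The sample records are constructed from Rob's examples, the (domain_id, name, type, content) tuples mirror his records-table columns, and the domain_id values are assumed.

```python
"""Parent/child delegation consistency check over gsql-style records.

Added example for the 'PDNS for a TLD...' thread; not PowerDNS code. Records
are (domain_id, name, type, content) tuples; domain_id values are assumed.
"""
from collections import defaultdict


def in_zone(name, zone):
    """True if name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)


def closest_zone(name, zones):
    """The longest zone apex that contains name, or None."""
    candidates = [z for z in zones if in_zone(name, z)]
    return max(candidates, key=len) if candidates else None


def check_delegations(records):
    """Return a list of human-readable findings; an empty list means consistent."""
    by_zone = defaultdict(list)
    for domain_id, name, rtype, content in records:
        by_zone[domain_id].append(
            (name.lower().rstrip("."), rtype.upper(), content.lower().rstrip(".")))

    findings, apex = [], {}
    for domain_id, rrs in by_zone.items():
        soa = [r for r in rrs if r[1] == "SOA"]
        if len(soa) != 1:
            findings.append(f"domain_id {domain_id}: expected exactly one SOA, found {len(soa)}")
            continue
        apex[domain_id] = soa[0][0]          # the SOA owner name is the zone apex
    zones = set(apex.values())

    for domain_id, zone in apex.items():
        rrs = by_zone[domain_id]
        addrs = {r[0] for r in rrs if r[1] in ("A", "AAAA")}
        ns_at_apex = {r[2] for r in rrs if r[1] == "NS" and r[0] == zone}
        if not ns_at_apex:
            findings.append(f"{zone}: zone has SOA but no NS records at the apex")
        for ns in sorted(ns_at_apex):        # in-zone apex NS need address records too
            if in_zone(ns, zone) and ns not in addrs:
                findings.append(f"{zone}: apex NS {ns} is in-zone but has no A/AAAA record")

        # NS sets below the apex are delegations; in-bailiwick servers need glue.
        delegations = defaultdict(set)
        for owner, rtype, content in rrs:
            if rtype == "NS" and owner != zone:
                delegations[owner].add(content)
        for child, nsset in delegations.items():
            for ns in sorted(nsset):
                if in_zone(ns, child) and ns not in addrs:
                    findings.append(f"{zone}: delegation of {child} to {ns} needs glue A/AAAA in {zone}")

        # If this zone's parent is served here too, the parent must delegate to it.
        parent = closest_zone(zone.split(".", 1)[1], zones) if "." in zone else None
        if parent:
            parent_id = next(d for d, z in apex.items() if z == parent)
            parent_ns = {r[2] for r in by_zone[parent_id] if r[1] == "NS" and r[0] == zone}
            if not parent_ns:
                findings.append(f"{parent}: no NS records delegating {zone} "
                                f"(required once {parent} is DNSSEC signed)")
            elif parent_ns != ns_at_apex:
                findings.append(f"{parent}: NS set for {zone} differs from the child's apex NS set")
    return findings


# Constructed from Rob's examples; domain_id values and the qux.foo case are assumed.
RECORDS = [
    (1, "foo", "SOA", "ns01.dns.foo admin.dns.foo 1 10800 3600 694800 3600"),
    (1, "foo", "NS", "ns01.dns.foo"),
    (1, "foo", "NS", "ns02.dns.foo"),
    (1, "ns01.dns.foo", "A", "192.0.2.1"),
    (1, "ns02.dns.foo", "A", "192.0.2.2"),
    # blah.foo: delegated to external name servers, NS only, no glue needed
    (1, "blah.foo", "NS", "dns01.customdns.com"),
    (1, "blah.foo", "NS", "dns02.customdns.com"),
    # qux.foo: name servers under its own name, so glue is required; one is missing
    (1, "qux.foo", "NS", "ns1.qux.foo"),
    (1, "qux.foo", "NS", "ns2.qux.foo"),
    (1, "ns1.qux.foo", "A", "198.51.100.1"),
    # something.foo: hosted here as its own zone, but foo never delegates it
    (2, "something.foo", "SOA", "ns01.dns.foo admin.dns.foo 1 10800 3600 694800 3600"),
    (2, "something.foo", "NS", "ns01.dns.foo"),
    (2, "something.foo", "NS", "ns02.dns.foo"),
    (2, "www.something.foo", "A", "123.123.123.123"),
]

if __name__ == "__main__":
    for finding in check_delegations(RECORDS):
        print("finding:", finding)
```

Against the sample data it reports exactly the two problems the thread warns about: the missing glue for ns2.qux.foo and the missing NS records in "foo" for "something.foo". Feeding it the output of a SELECT over domains/records is left to the operator; the checker itself needs no database.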
From: peter.van.dijk at netherlabs.nl (Peter van Dijk)
Date: Mon, 13 Oct 2014 09:07:24 +0200
Subject: [Pdns-users] Duplicate RRs in records table
In-Reply-To: <20141011193755.GS28859@tamriel.snowman.net>
References: <53B51C97.8060104@pernau.at> <53B52BE4.5000606@pernau.at> <53B5462D.6090908@pernau.at> <20140703125630.GX28527@aart.rice.edu> <53B562FB.7090809@pernau.at> <0E1BE1A8-4F0E-4CE0-A02B-AA18866C745F@netherlabs.nl> <20141011193755.GS28859@tamriel.snowman.net>
Message-ID:

Hello Stephen,

On 11 Oct 2014, at 21:37 , Stephen Frost wrote:

> This doesn't appear to have been addressed in 3.4.0- was the bug ever
> submitted and is there a plan to fix it..?

We are tracking it as https://github.com/PowerDNS/pdns/issues/1502. There is no fix yet.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From pdns at unicycle.net Mon Oct 13 12:27:15 2014
From: pdns at unicycle.net (Leo Vandewoestijne)
Date: Mon, 13 Oct 2014 12:27:15 +0000
Subject: [Pdns-users] Oracle/goracle - bug or my lack of knowledge?
In-Reply-To:
References:
Message-ID: <20141013122715.GB48547@relay7.ucia.gov>

Hi all,

a b wrote:
> You appear to have libraries and includes from both Oracle database and Oracle instant client on your machine.
> I know from experience that linking with database client libraries does not work any more
>
That may be true, but only for the RHEL case. The two others didn't have the database, and still showed the same error.

Aki Tuomi wrote:
> > checking for OCIEnvInit in -lclntsh... no
> > checking for OCIEnvInit in -lclient12... no
>
> This is the real problem, but to figure out why it fails, you need to put config.log somewhere and send a link to it.
>
Exactly. In the meanwhile I however (together with a colleague and a DBA) managed to get over it:

Besides the instantclient -basic and -devel, I now also installed -sqlplus (all 11.2). And like 'a b' suggested, I made an additional link, in my case (this time on CentOS) like this:

sudo ln -s /usr/include/oracle/11.2/client64 $ORACLE_HOME/rdbms/public

Not sure which of the two was the solution (or if both were), but it did the trick.

Thanks for your help! Ah well, accomplishing something is more rewarding if it took much effort.

So now I finally have it working using only a records table (view) in 3.3.1, yay :)
But the very recent change in pdns 3.4's SQL schema for oracle broke the SOA lookup (and so the ANY lookup too) :(

--
Met vriendelijke groet,
With kind regards,

Leo Vandewoestijne

--
Sent from my Google Glass

From cyruspy at gmail.com Mon Oct 13 13:10:43 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Mon, 13 Oct 2014 10:10:43 -0300
Subject: [Pdns-users] New recursor install, 50% timeout on first run
Message-ID:

Hi! I'm running some quick tests on a new Recursor (3.6.1) and I see ~50% query timeouts. It has a good Internet connection but no clients yet; can this be caused by an empty cache? It's pretty much default configuration; I tried to push threads from 2 to 10, but it still gives me a lot of unanswered queries. The BIND server it should replace gives me nearly 100% of answers, but it's being heavily queried.

[root at dummy01 ~]# dnsbulktest -q 53 1000 < /tmp/top-1m.csv
Read 1000 domains!

Sending:    Queued 1000, Error -/- 0, Sent 1000
Receiving:  Received 999, Timeouts 431, Unexpected 430, Total 1860
DNS Status: OK 554, Error 3, No Data 6, NXDOMAIN 6, Unknowns 0, Answers 569, Timeouts 431, Total 1000

Mean response time: 781.755 msec, median: 559.377 msec
Time <    0.612 msec   0.100% cumulative
Time <   11.853 msec   1.000% cumulative
Time <   90.583 msec   2.500% cumulative
Time <  179.855 msec  10.000% cumulative
Time <  286.560 msec  25.000% cumulative
Time <  529.308 msec  50.000% cumulative
Time <  944.519 msec  75.000% cumulative
Time < 1764.946 msec  90.000% cumulative
Time < 3243.277 msec  97.500% cumulative
Time < 4190.023 msec  99.000% cumulative
Time < 4420.831 msec  99.990% cumulative

It gave me worse times on the second run:

[root at dummy01 ~]# dnsbulktest -q 53 1000 < /tmp/top-1m.csv
Read 1000 domains!

Sending:    Queued 1000, Error -/- 0, Sent 1000
Receiving:  Received 921, Timeouts 616, Unexpected 537, Total 2074
DNS Status: OK 356, Error 22, No Data 2, NXDOMAIN 4, Unknowns 0, Answers 384, Timeouts 616, Total 1000

Mean response time: 821.931 msec, median: 475.079 msec
Time <    0.215 msec   0.100% cumulative
Time <    0.218 msec   1.000% cumulative
Time <    0.233 msec   2.500% cumulative
Time <    0.509 msec  10.000% cumulative
Time <  186.245 msec  25.000% cumulative
Time <  472.501 msec  50.000% cumulative
Time <  796.832 msec  75.000% cumulative
Time < 2447.657 msec  90.000% cumulative
Time < 3827.301 msec  97.500% cumulative
Time < 4207.631 msec  99.000% cumulative
Time < 4699.756 msec  99.990% cumulative

Comments?

Regards,
--
Ciro Iriarte
http://iriarte.it
--

From bert.hubert at netherlabs.nl Mon Oct 13 13:37:08 2014
From: bert.hubert at netherlabs.nl (bert hubert)
Date: Mon, 13 Oct 2014 15:37:08 +0200
Subject: [Pdns-users] New recursor install, 50% timeout on first run
In-Reply-To:
References:
Message-ID: <20141013133708.GC4805@xs.powerdns.com>

On Mon, Oct 13, 2014 at 10:10:43AM -0300, Ciro Iriarte wrote:
> Hi!, I'm running some quick tests on a new Recursor (3.6.1) and I see
> ~ 50% query timeouts. It has a good Internet connection but no clients
> yet, can this be caused by empty cache?.

Yes, on a cold cache, nameservers are a lot slower.

You can improve on this by increasing the number of mthreads (max-mthreads) and the number of file descriptors.

The best performance comes from a busy nameserver, as outlined on http://blog.netherlabs.nl/test/

That your second-run results were worse is weird; can you do a test with more than 1000 domains, say, 50000?

Can you report "rec_control get-all" before and after a run?

Perhaps your PowerDNS server is behind NAT and your other server isn't?

Bert

From cyruspy at gmail.com Mon Oct 13 16:05:51 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Mon, 13 Oct 2014 13:05:51 -0300
Subject: [Pdns-users] New recursor install, 50% timeout on first run
In-Reply-To: <20141013133708.GC4805@xs.powerdns.com>
References: <20141013133708.GC4805@xs.powerdns.com>
Message-ID:

2014-10-13 10:37 GMT-03:00 bert hubert :
> On Mon, Oct 13, 2014 at 10:10:43AM -0300, Ciro Iriarte wrote:
>> Hi!, I'm running some quick tests on a new Recursor (3.6.1) and I see
>> ~ 50% query timeouts. It has a good Internet connection but no clients
>> yet, can this be caused by empty cache?.
>
> Yes, on a cold cache, nameservers are a lot slower.
>
> You can improve on this by increasing the number of mthreads (max-mthreads)
> and the number of file descriptors.
>
> The best performance comes from a busy nameserver, as outlined on
> http://blog.netherlabs.nl/test/
>
> That your second time results were worse is weird, can you do a test with
> more than 1000 domains, say, 50000?
>
> Can you report "rec_control get-all" before and after a run?
>
> Perhaps your PowerDNS server is behind NAT and your other server isn't?
>
> Bert

Hi Bert!, I've run the 1000 domain test again with logging disabled (just in case). The results look pretty much the same: http://pastebin.com/Nsjhjnx3

Tried a cold cache with 80k domains; it was a disaster, I couldn't let it finish.

The configuration:
----
local-address=,,
allow-from=,,
threads=10
---

I'll double check with the networking guys. This server will use a secondary public IP, but I see that the queries get out with the base private IP, so it's possible that the edge NAT is causing this.

I'll keep you updated. Thanks!

--
Ciro Iriarte
http://iriarte.it
--
From: cmeerw at cmeerw.org (Christof Meerwald)
Date: Thu, 16 Oct 2014 10:42:34 +0200
Subject: [Pdns-users] IXFR with EDIT-SOA, ALLOW-AXFR-FROM in bind-hybrid mode
Message-ID: <20141016084234.GI21126@edge.cmeerw.net>

Hi,

I just noticed that IXFRs appear to be broken when using EDIT-SOA in 3.4.0 - it looks like "rfc1982LessThan(serial, sd.serial)" compares the un-edited SOA from the zone and therefore doesn't send any data back to the client.

Another thing I noticed is that in bind-hybrid mode the ALLOW-AXFR-FROM for a zone handled by the bind backend doesn't appear to be read from the database (because I think it only tries to get that information from the bind backend, but doesn't fall back to the database backend).

Christof

--
http://cmeerw.org              sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org   xmpp:cmeerw at cmeerw.org
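Christof's point above is that the IXFR check compares the client's serial against the zone's raw serial, while the client only ever saw the SOA-EDITed one, so after an edit the client's serial is numerically ahead of the raw value and the server withholds data even when the zone changed. The Python below is an added example, not PowerDNS code: it implements RFC 1982 serial comparison and uses a stand-in for calculateEditSOA that models only the INCREMENT-WEEKS kind (serial plus the number of weeks since the Unix epoch, an assumption about that kind's behaviour), then runs the decision both ways. The fixed timestamp and serials are constructed for reproducibility.

```python
"""RFC 1982 serial comparison and the IXFR decision with and without SOA-EDIT applied."""

SERIAL_MASK = 0xFFFFFFFF
HALF = 1 << 31


def rfc1982_less_than(a, b):
    """True when 32-bit serial a is 'before' serial b under RFC 1982 wrap-around arithmetic."""
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def edit_soa_serial(zone_serial, kind, now):
    """Stand-in for calculateEditSOA (assumption): only INCREMENT-WEEKS is modelled here."""
    if kind == "":
        return zone_serial
    if kind == "INCREMENT-WEEKS":
        return (zone_serial + now // (7 * 24 * 3600)) & SERIAL_MASK
    raise ValueError(f"unsupported SOA-EDIT kind {kind!r}")


def ixfr_sends_data(client_serial, zone_serial, kind, now, apply_edit):
    """Server-side decision: send zone data only if the client's serial is older than ours.

    apply_edit=False is the behaviour Christof describes (raw serial used);
    apply_edit=True compares against the same edited serial the client was given.
    """
    ours = edit_soa_serial(zone_serial, kind, now) if apply_edit else zone_serial
    return rfc1982_less_than(client_serial, ours)


def demo():
    now = 1413417600           # 2014-10-16 00:00:00 UTC, fixed so the run is reproducible
    zone_serial = 2014101601   # constructed YYYYMMDDnn serial
    kind = "INCREMENT-WEEKS"
    # The client previously transferred the zone and holds the *edited* serial.
    client = edit_soa_serial(zone_serial, kind, now)
    # The zone is then changed and its raw serial bumped by one.
    new_zone_serial = zone_serial + 1
    return {
        # raw comparison: client (edited) > raw new serial, so no data is sent although the zone changed
        "unpatched": ixfr_sends_data(client, new_zone_serial, kind, now, apply_edit=False),
        # edited comparison: client is exactly one behind, data is sent
        "patched": ixfr_sends_data(client, new_zone_serial, kind, now, apply_edit=True),
        # no zone change: client equals the edited serial, correctly nothing to send
        "patched_up_to_date": ixfr_sends_data(client, zone_serial, kind, now, apply_edit=True),
    }


if __name__ == "__main__":
    print(demo())
```

The same mismatch applies to any SOA-EDIT kind that moves the serial away from the stored value; whichever value the SOA answer advertises is the one the IXFR comparison has to use.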
From: j.goldinskis at gmail.com (JG)
Date: Thu, 16 Oct 2014 01:48:50 -0700 (MST)
Subject: [Pdns-users] Not transferred from zone from master to slave
Message-ID: <1413449330665-11043.post@n7.nabble.com>

Hi,

I have a problem: the SLAVE does not send a request to the MASTER to get the zone. If I send from the MASTER with the command pdns_control notify-host ... it is alright; also with tcpdump I do not see a request to the MASTER from the SLAVE. The supermaster on the SLAVE was added. CentOS 6.5, pdns-3.3.1 with poweradmin. Maybe I missed some item.

Server 1 MASTER config and logs:

/etc/pdns/pdns.conf
allow-axfr-ips=10.45.25.0/24
disable-axfr=no
disable-tcp=no
daemon=yes
default-soa-name=ns1.dk
soa-expire-default=604800
soa-minimum-ttl=3600
soa-refresh-default=10800
#soa-retry-default=3600
#version-string=anonymous
#webserver=yes
#webserver-address=10.45.25.34
#webserver-password=*****
#webserver-port=8081
#webserver-print-arguments=yes
launch=gmysql
gmysql-socket=/var/lib/mysql/mysql.sock
gmysql-host=127.0.0.1
gmysql-user=*****
gmysql-dbname=*****
gmysql-password=*****
master=yes
local-address=10.45.25.34
local-port=53
log-dns-details=/var/log/pdns/pdns-details.log
log-failed-updates=/var/log/pdns/pdns-fail.log
logging-facility=0
loglevel=4
query-logging=yes
#config-dir=/etc/pdns
#module-dir=/usr/lib64/pdns

Logs:
Oct 9 18:06:29 ns1 pdns[5488]: Scheduling exit on remote request
Oct 9 18:06:30 ns1 pdns[5488]: Guardian is killed, taking down children with us
Oct 9 18:06:32 ns1 pdns[5696]: Listening on controlsocket in '/var/run/pdns.controlsocket'
Oct 9 18:06:32 ns1 pdns[5699]: Guardian is launching an instance
Oct 9 18:06:32 ns1 pdns[5699]: Reading random entropy from '/dev/urandom'
Oct 9 18:06:32 ns1 pdns[5699]: This is module gmysqlbackend.so reporting
Oct 9 18:06:32 ns1 pdns[5699]: This is a guarded instance of pdns
Oct 9 18:06:32 ns1 pdns[5699]: UDP server bound to 10.45.25.34:53
Oct 9 18:06:32 ns1 pdns[5699]: TCP server bound to 10.45.25.34:53
Oct 9 18:06:32 ns1 pdns[5699]: PowerDNS Authoritative Server 3.3.1 (jenkins at autotest.powerdns.com) (C) 2001-2013 PowerDNS.COM BV
Oct 9 18:06:32 ns1 pdns[5699]: Using 64-bits mode. Built on 20131217194128 by mockbuild@, gcc 4.4.7 20120313 (Red Hat 4.4.7-4).
Oct 9 18:06:32 ns1 pdns[5699]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Oct 9 18:06:32 ns1 pdns[5699]: Creating backend connection for TCP
Oct 9 18:06:32 ns1 pdns[5699]: Master/slave communicator launching
Oct 9 18:06:32 ns1 pdns[5699]: About to create 3 backend threads for UDP
Oct 9 18:06:32 ns1 pdns[5699]: No new unfresh slave domains, 0 queued for AXFR already
Oct 9 18:06:32 ns1 pdns[5699]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='xxxxx.dk'
Oct 9 18:06:32 ns1 pdns[5699]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='example1.com'
Oct 9 18:06:32 ns1 pdns[5699]: No master domains need notifications
Oct 9 18:06:32 ns1 pdns[5699]: Done launching threads, ready to distribute questions
Oct 9 18:07:32 ns1 pdns[5699]: Query: select id,name,master,last_check,type from domains where type='SLAVE'
Oct 9 18:07:32 ns1 pdns[5699]: Query: select id,name,master,last_check,notified_serial,type from domains where type='MASTER'
Oct 9 18:07:32 ns1 pdns[5699]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='xxxxx.dk'
Oct 9 18:07:32 ns1 pdns[5699]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='example1.com'
Oct 9 18:08:32 ns1 pdns[5699]: Query: select id,name,master,last_check,type from domains where type='SLAVE'
Oct 9 18:08:32 ns1 pdns[5699]: Query: select id,name,master,last_check,notified_serial,type from domains where type='MASTER'
Oct 9 18:08:32 ns1 pdns[5699]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='xxxxx.dk'
Oct 9 18:08:32 ns1 pdns[5699]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='example1.com'
...

****************************************************************

Server 2 SLAVE config and logs:

/etc/pdns/pdns.conf
daemon=yes
default-soa-name=ns2.dk
loglevel=4
soa-expire-default=604800
soa-minimum-ttl=3600
soa-refresh-default=10800
soa-retry-default=3600
#version-string=anonymous
#webserver=yes
#webserver-address=10.45.25.35
#webserver-password=*****
#webserver-port=8081
#webserver-print-arguments=yes
launch=gmysql
gmysql-socket=/var/lib/mysql/mysql.sock
gmysql-host=127.0.0.1
gmysql-user=*****
gmysql-dbname=*****
gmysql-password=*****
slave=yes
slave-cycle-interval=1
local-address=10.45.25.35
local-port=53
log-dns-details=/var/log/pdns/pdns-details.log
log-failed-updates=/var/log/pdns/pdns-fail.log
logging-facility=0
query-logging=yes
#config-dir=/etc/pdns
#module-dir=/usr/lib64/pdns

Logs:
Oct 9 18:12:08 ns2 pdns[5858]: Listening on controlsocket in '/var/run/pdns.controlsocket'
Oct 9 18:12:08 ns2 pdns[5861]: Guardian is launching an instance
Oct 9 18:12:08 ns2 pdns[5861]: Reading random entropy from '/dev/urandom'
Oct 9 18:12:08 ns2 pdns[5861]: This is module gmysqlbackend.so reporting
Oct 9 18:12:08 ns2 pdns[5861]: This is a guarded instance of pdns
Oct 9 18:12:08 ns2 pdns[5861]: UDP server bound to 10.45.25.35:53
Oct 9 18:12:08 ns2 pdns[5861]: TCP server bound to 10.45.25.35:53
Oct 9 18:12:08 ns2 pdns[5861]: PowerDNS Authoritative Server 3.3.1 (jenkins at autotest.powerdns.com) (C) 2001-2013 PowerDNS.COM BV
Oct 9 18:12:08 ns2 pdns[5861]: Using 64-bits mode. Built on 20131217194128 by mockbuild@, gcc 4.4.7 20120313 (Red Hat 4.4.7-4).
Oct 9 18:12:08 ns2 pdns[5861]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Oct 9 18:12:08 ns2 pdns[5861]: Creating backend connection for TCP
Oct 9 18:12:08 ns2 pdns[5861]: Master/slave communicator launching
Oct 9 18:12:08 ns2 pdns[5861]: About to create 3 backend threads for UDP
Oct 9 18:12:08 ns2 pdns[5861]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='example1.com'
Oct 9 18:12:08 ns2 pdns[5861]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='xxxxx.dk'
Oct 9 18:12:08 ns2 pdns[5861]: No new unfresh slave domains, 0 queued for AXFR already
Oct 9 18:12:08 ns2 pdns[5861]: Done launching threads, ready to distribute questions
Oct 9 18:12:09 ns2 pdns[5861]: Query: select id,name,master,last_check,type from domains where type='SLAVE'
Oct 9 18:12:09 ns2 pdns[5861]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='example1.com'
Oct 9 18:12:09 ns2 pdns[5861]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='xxxxx.dk'
Oct 9 18:12:10 ns2 pdns[5861]: Query: select id,name,master,last_check,type from domains where type='SLAVE'
Oct 9 18:12:10 ns2 pdns[5861]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='example1.com'
Oct 9 18:12:10 ns2 pdns[5861]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='xxxxx.dk'
...

BR,

--
View this message in context: http://powerdns.13854.n7.nabble.com/Not-transferred-from-zone-from-master-to-slave-tp11043.html
Sent from the PowerDNS mailing list archive at Nabble.com.
From: cmeerw at cmeerw.org (Christof Meerwald) Date: Thu, 16 Oct 2014 13:26:21 +0200 Subject: [Pdns-users] IXFR with EDIT-SOA, ALLOW-AXFR-FROM in bind-hybrid mode In-Reply-To: <20141016084234.GI21126@edge.cmeerw.net> References: <20141016084234.GI21126@edge.cmeerw.net> Message-ID: <20141016112620.GJ21126@edge.cmeerw.net> On Thu, Oct 16, 2014 at 10:42:34AM +0200, Christof Meerwald wrote: > I just noticed that IXFRs appear to be broken when using EDIT-SOA in > 3.4.0 - it looks like "rfc1982LessThan(serial, sd.serial)" compares > the un-edited SOA from the zone and therefore doesn't send any data > back to the client. the following change seems to fix this for me: Index: pdns/tcpreceiver.cc =================================================================== --- pdns/tcpreceiver.cc (revision 6176) +++ pdns/tcpreceiver.cc (working copy) @@ -1008,6 +1008,11 @@ sendPacket(outpacket,outsock); return 0; } + + string kind; + dk.getFromMeta(target, "SOA-EDIT", kind); + sd.serial = calculateEditSOA(sd, kind); + if (!rfc1982LessThan(serial, sd.serial)) { TSIGRecordContent trc; string tsigkeyname, tsigsecret; @@ -1030,7 +1035,6 @@ DLOG(L<<"Sending out SOA"<addRecord(soa); - editSOA(dk, sd.qname, outpacket.get()); if(securedZone) { set authSet; authSet.insert(target); Christof -- http://cmeerw.org sip:cmeerw at cmeerw.org mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org From cyruspy at gmail.com Thu Oct 16 12:33:33 2014 
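Review bot: in the first hunk the return value of dk.getFromMeta(target, "SOA-EDIT", kind) is dropped, so for a zone with no SOA-EDIT metadata kind stays empty and calculateEditSOA(sd, kind) is still called; either confirm that call returns sd.serial unchanged for an empty kind or guard it, e.g. `if (dk.getFromMeta(target, "SOA-EDIT", kind)) sd.serial = calculateEditSOA(sd, kind);`. Overwriting sd.serial in place also means every later use of sd.serial in this function sees the edited value; that is what the rfc1982LessThan comparison needs, but it should be stated in the commit message so nobody later "fixes" it back.

Review bot: in the second hunk, dropping editSOA(dk, sd.qname, outpacket.get()) after addRecord(soa) only stays correct if the soa record added there is built from sd.serial after the edit in the first hunk; the hunk does not show where soa is filled in, so confirm it is constructed after that point, otherwise the outgoing SOA carries the unedited serial while the comparison uses the edited one, which is exactly the mismatch this patch sets out to remove.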
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Thu, 16 Oct 2014 09:33:33 -0300
Subject: [Pdns-users] New recursor install, 50% timeout on first run
In-Reply-To:
References: <20141013133708.GC4805@xs.powerdns.com>
Message-ID:

2014-10-13 13:05 GMT-03:00 Ciro Iriarte :
> 2014-10-13 10:37 GMT-03:00 bert hubert :
>> On Mon, Oct 13, 2014 at 10:10:43AM -0300, Ciro Iriarte wrote:
>>> Hi!, I'm running some quick tests on a new Recursor (3.6.1) and I see
>>> ~ 50% query timeouts. It has a good Internet connection but no clients
>>> yet, can this be caused by empty cache?.
>>
>> Yes, on a cold cache, nameservers are a lot slower.
>>
>> You can improve on this by increasing the number of mthreads (max-mthreads)
>> and the number of file descriptors.
>>
>> The best performance comes from a busy nameserver, as outlined on
>> http://blog.netherlabs.nl/test/
>>
>> That your second time results were worse is weird, can you do a test with
>> more than 1000 domains, say, 50000?
>>
>> Can you report "rec_control get-all" before and after a run?
>>
>> Perhaps your PowerDNS server is behind NAT and your other server isn't?
>>
>> Bert
>
> Hi Bert!, I've run again 1000 domain test with logging disabled (just
> in case). The results look pretty much the same:
> http://pastebin.com/Nsjhjnx3
>
> Tried a cold cache with 80k domains, it was a disaster, I couldn't let
> it finish.
>
> The configuration:
> ----
> local-address=,,
> allow-from=,,
> threads=10
> ---
>
> I'll double check with the networking guys, This server will use a
> secondary public IP, but I see that the queries get out with the base
> private IP, so it's possible that the edge NAT is causing this.
>
>
> I'll keep you updated. Thanks!
>
> --
> Ciro Iriarte
> http://iriarte.it
> --

Well, I wanted to answer this with the issue solved, but the "ticket is enqueued" with the networking team. So far I could get statistics from the NAT machine: the server was hitting the 2048 ports limit.

Running several batches without restarting the server got me a 100% hit rate.

So, we're moving the server to the outside (public IP) to continue the load test.

Thanks once more!

--
Ciro Iriarte
http://iriarte.it
--

From: cyruspy at gmail.com (Ciro Iriarte)
Date: Thu, 16 Oct 2014 10:13:58 -0300
Subject: [Pdns-users] Recursor: Default/blind tuning?
Message-ID:

Hi!, I'm awaiting some network-side changes to continue my load tests, but would like to know in the meanwhile if there are some rules of thumb to set up a Linux recursor.

The parameters that fit the description apparently are "pdns-distributes-queries", "max-mthreads" and "threads". I understand that the recursor uses only 2 threads by default; should I increase that to the number of cores available, maybe even oversubscribe? What's the relation between "max-mthreads" and "threads"?

If I force ANY requests to TCP (any-to-tcp=yes), how much should I increase "max-tcp-clients"? Can I set it as "unlimited"?

I'll appreciate any comments on these topics.

Regards,

--
Ciro Iriarte
http://iriarte.it
--
From: cmeerw at cmeerw.org (Christof Meerwald) Date: Thu, 16 Oct 2014 22:31:55 +0200 Subject: [Pdns-users] IXFR with EDIT-SOA, ALLOW-AXFR-FROM in bind-hybrid mode In-Reply-To: <20141016084234.GI21126@edge.cmeerw.net> References: <20141016084234.GI21126@edge.cmeerw.net> Message-ID: <20141016203155.GK21126@edge.cmeerw.net> On Thu, Oct 16, 2014 at 10:42:34AM +0200, Christof Meerwald wrote: > Another thing I noticed is that in bind-hybrid mode the > ALLOW-AXFR-FROM for a zone handled by the bind backend doesn't appear > to be read from the database (because I think it only tries to get > that information from the bind backend, but doesn't fall back to the > database backend). Applying the following change seems to fix that: Index: pdns/tcpreceiver.cc =================================================================== --- pdns/tcpreceiver.cc (revision 6176) +++ pdns/tcpreceiver.cc (working copy) @@ -428,7 +428,7 @@ // cerr<<"got backend and SOA"< acl; - B->getDomainMetadata(q->qdomain, "ALLOW-AXFR-FROM", acl); + s_P->getBackend()->getDomainMetadata(q->qdomain, "ALLOW-AXFR-FROM", acl); for (vector::const_iterator i = acl.begin(); i != acl.end(); ++i) { // cerr<<"matching against "<<*i< Hi!, I've seen the published LUA scripts examples and seems pretty simple to redirect certain domains (one?) just modifying examples available, but what about have a list of hundreds or thousands of sites to blacklist?. I would like to avoid fancy options like database conections for example, will "grepping" on a CSV file affect performance notably?. What's the general consensus/experience? Regards, -- Ciro Iriarte http://iriarte.it -- From ktm at rice.edu Fri Oct 17 12:42:03 2014 
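Review bot: in the ALLOW-AXFR-FROM hunk above, the metadata lookup moves from the per-request backend B to the shared s_P->getBackend(), but nothing in the visible lines explains why B does not see the database metadata in bind-hybrid mode; put that reasoning in the commit message. Also check that s_P is safe to use from this TCP receiver path: B is scoped to the request being handled, whereas the s_ prefix suggests a process-wide handler that other callers may only touch under a lock. Finally, the ACL is now read from a different backend than the one that answered the SOA just above ("got backend and SOA"), so a zone that exists only in the bind backend must still resolve its ALLOW-AXFR-FROM through s_P, or the AXFR will be refused with an empty acl.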
From: ktm at rice.edu (ktm at rice.edu)
Date: Fri, 17 Oct 2014 07:42:03 -0500
Subject: [Pdns-users] Recursor: Black list
In-Reply-To:
References:
Message-ID: <20141017124203.GL6579@aart.rice.edu>

On Fri, Oct 17, 2014 at 01:18:36AM -0300, Ciro Iriarte wrote:
> Hi!, I've seen the published LUA scripts examples and seems pretty
> simple to redirect certain domains (one?) just modifying examples
> available, but what about have a list of hundreds or thousands of
> sites to blacklist?.
>
> I would like to avoid fancy options like database conections for
> example, will "grepping" on a CSV file affect performance notably?.
> What's the general consensus/experience?
>
> Regards,
>
> --
> Ciro Iriarte
> http://iriarte.it
> --

Hi Ciro,

We used a CDB key value store. It was easy to use/update and had very good performance. "grepping" is O(n*n) so it will tank as your list grows and you really don't want to slow down your DNS lookups.

Regards,
Ken
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Fri, 17 Oct 2014 11:49:24 -0300
Subject: [Pdns-users] Recursor: Black list
In-Reply-To: <20141017124203.GL6579@aart.rice.edu>
References: <20141017124203.GL6579@aart.rice.edu>
Message-ID:

2014-10-17 9:42 GMT-03:00 ktm at rice.edu :
> On Fri, Oct 17, 2014 at 01:18:36AM -0300, Ciro Iriarte wrote:
>> Hi!, I've seen the published LUA scripts examples and seems pretty
>> simple to redirect certain domains (one?) just modifying examples
>> available, but what about have a list of hundreds or thousands of
>> sites to blacklist?.
>>
>> I would like to avoid fancy options like database conections for
>> example, will "grepping" on a CSV file affect performance notably?.
>> What's the general consensus/experience?
>>
>> Regards,
>>
>> --
>> Ciro Iriarte
>> http://iriarte.it
>> --
>
> Hi Ciro,
>
> We used a CDB key value store. It was easy to use/update and had
> very good performance. "grepping" is O(n*n) so it will tank as
> your list grows and you really don't want to slow down your DNS
> lookups.
>
> Regards,
> Ken

Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant; is there any document specific to PDNS you can point me to?

Regards!

--
Ciro Iriarte
http://iriarte.it
--
From: ktm at rice.edu (ktm at rice.edu)
Date: Fri, 17 Oct 2014 11:35:38 -0500
Subject: [Pdns-users] Recursor: Black list
In-Reply-To:
References: <20141017124203.GL6579@aart.rice.edu>
Message-ID: <20141017163538.GO6579@aart.rice.edu>

> > Hi Ciro,
> >
> > We used a CDB key value store. It was easy to use/update and had
> > very good performance. "grepping" is O(n*n) so it will tank as
> > your list grows and you really don't want to slow down your DNS
> > lookups.
> >
> > Regards,
> > Ken
>
> Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any
> document specific for PDNS you can point me to?
>
> Regards,!
>

Hi,

No PDNS-specific documentation; we used the CDB map to allow the blacklist to be updated without needing to restart the recursor and lose all the cached DNS lookups. We wrote a function similar to the example Lua script using a CDB map instead.

Regards,
Ken
From: abang at t-ipnet.net (abang)
Date: Fri, 17 Oct 2014 21:03:35 +0200
Subject: [Pdns-users] Recursor: Black list
In-Reply-To: <20141017163538.GO6579@aart.rice.edu>
References: <20141017163538.GO6579@aart.rice.edu>
Message-ID: <724B6EEE-FBA2-4532-86C7-8D5844EF8F60@t-ipnet.net>

There is no need to restart the Recursor. See http://doc.powerdns.com/html/recursor-scripting.html

"At runtime, rec_control reload-lua-script can be used to either reload the script from its current location, or, when passed a new file name, load one from a new location. A failure to parse the new script will leave the old script in working order."

Winfried

On 17 October 2014 18:35:38 CEST, ktm at rice.edu wrote:
>> > Hi Ciro,
>> >
>> > We used a CDB key value store. It was easy to use/update and had
>> > very good performance. "grepping" is O(n*n) so it will tank as
>> > your list grows and you really don't want to slow down your DNS
>> > lookups.
>> >
>> > Regards,
>> > Ken
>>
>> Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any
>> document specific for PDNS you can point me to?
>>
>> Regards,!
>>
>
>Hi,
>
>No PDNS specific documentation, we used the CDB map to allow the
>blacklist to be update without needing to restart the recursor
>and lose all the cached DNS lookups. We wrote a function similar
>to the example Lua script using a CDB map instead.
>
>Regards,
>Ken
>
>_______________________________________________
>Pdns-users mailing list
>Pdns-users at mailman.powerdns.com
>http://mailman.powerdns.com/mailman/listinfo/pdns-users
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 18 Oct 2014 18:40:21 +0200
Subject: [Pdns-users] RFE LDAP backend: Filter template
Message-ID: <544297F5.8090207@stroeder.com>

Hi!

I know that the LDAP backend is not very high on the list of powerdns development. But I'd like to propose a small enhancement which would make some unusual LDAP-related setups easier.

Simple new config item 'ldap-filter-template':

Default:

ldap-filter-template = '(associatedDomain={0})'

Which could be replaced when using a DHCP server with LDAP backend by:

ldap-filter-template = '(&(objectClass=)(dhcpAssignedHostName={0}))'

Even nicer would be a configurable filter map.

The {} syntax is inspired by Python's string formatting syntax and is only used as an example.

Of course I can use the pipe-backend to implement whatever is needed for LDAP integration.

Ciao, Michael.
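A filter template as proposed above has one caveat the backend would have to honour: the queried name is substituted into an LDAP search filter, so characters that are filter syntax (`*`, `(`, `)`, `\`, NUL) must be encoded per RFC 4515, otherwise a wildcard label such as `*.example.org` turns into a substring match and an arbitrary name can rewrite the filter. The Python below is an added example, not the LDAP backend's code: the `{0}` placeholder syntax is the one from the message, the `dhcpHost` object class in the second template is an assumed name standing in for the value elided in the message, and the names looked up are constructed.

```python
"""Render an LDAP filter template safely: escape the substituted value per RFC 4515."""

# RFC 4515 section 3 requires these characters in an assertion value to be encoded as \XX.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Templates using the {0} placeholder syntax from the proposal. The object class in the
# DHCP template is an assumed name; the message leaves it blank.
DEFAULT_TEMPLATE = "(associatedDomain={0})"
DHCP_TEMPLATE = "(&(objectClass=dhcpHost)(dhcpAssignedHostName={0}))"


def escape_filter_value(value):
    """Encode filter metacharacters so the value is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, name):
    """Substitute the escaped name for every {0}; refuse templates without a placeholder."""
    if "{0}" not in template:
        raise ValueError("template has no {0} placeholder")
    return template.replace("{0}", escape_filter_value(name))


def filter_is_single_assertion(rendered, template):
    """Check that substitution did not add or remove parentheses relative to the template.

    Because every '(' and ')' in the value is escaped, the rendered filter must have exactly
    as many parentheses as the template itself; a mismatch means escaping was bypassed.
    """
    return (rendered.count("("), rendered.count(")")) == (template.count("("), template.count(")"))


if __name__ == "__main__":
    for qname in ("www.example.org", "*.example.org", "x)(objectClass=*"):
        rendered = render_filter(DEFAULT_TEMPLATE, qname)
        print(rendered, filter_is_single_assertion(rendered, DEFAULT_TEMPLATE))
```

The parenthesis count check is a cheap second line of defence for a backend that accepts operator-supplied templates: it catches a template whose own parentheses are unbalanced as well as a value that somehow reached the filter unescaped.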
From: klaus.mailinglists at pernau.at (Klaus Darilion)
Date: Mon, 20 Oct 2014 14:19:23 +0200
Subject: [Pdns-users] Duplicate RRs in records table
In-Reply-To: <20141011193755.GS28859@tamriel.snowman.net>
References: <53B51C97.8060104@pernau.at> <53B52BE4.5000606@pernau.at> <53B5462D.6090908@pernau.at> <20140703125630.GX28527@aart.rice.edu> <53B562FB.7090809@pernau.at> <0E1BE1A8-4F0E-4CE0-A02B-AA18866C745F@netherlabs.nl> <20141011193755.GS28859@tamriel.snowman.net>
Message-ID: <5444FDCB.20909@pernau.at>

On 11.10.2014 21:37, Stephen Frost wrote:
> * Peter van Dijk (peter.van.dijk at netherlabs.nl) wrote:
>> On 03 Jul 2014, at 16:04 , Klaus Darilion wrote:
>>> I also think that performing multiple transfers for the same zone should
>>> be avoided in the application.
>>
>> Please file a ticket at https://github.com/PowerDNS/pdns/issues/new so we don’t forget!
>
> This doesn't appear to have been addressed in 3.4.0- was the bug ever
> submitted and is there a plan to fix it..?

As a workaround we regularly check for duplicates and then re-transfer a zone if duplicates were found:

// Get the zones which have duplicate records (duplicate SOA rows mean the zone was transferred twice)
$dbq = pg_query("SELECT name FROM (".
    " SELECT name,COUNT(type) AS count,content FROM records WHERE type='SOA' GROUP BY name,content".
    ") AS query1 ".
    "WHERE count > 1 ORDER BY count desc;");

// Fetch every affected zone
while ($row = pg_fetch_object($dbq)) {
    // calling pdns_control retrieve; $status is filled in by reference if PdnsControl::retrieve
    // declares the parameter that way (call-time &$status is not accepted by current PHP)
    PdnsControl::retrieve($config_int['pdnscontrolsocket'], $row->name, $status);
}

regards
Klaus
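Klaus's workaround only looks at duplicated SOA rows, which is a sufficient signal that a zone was transferred twice. The Python below is an added example, not Klaus's script or PowerDNS code: it generalises the same check to every RR of every zone, grouping by zone, name, type and content, so two different A records for one name (a normal RRset) are not flagged while an identical row stored twice is. The records table is an in-memory SQLite copy of the columns used in the thread, filled with constructed rows; the re-transfer step is left as the pdns_control retrieve command to run per zone.

```python
"""Find zones whose records table holds duplicate RRs, the symptom of overlapping zone transfers."""
import sqlite3

# Constructed SOA content; the serial and timers are sample values.
SOA_ORG = "ns1.example.org hostmaster.example.org 2014102001 10800 3600 604800 3600"
SOA_NET = "ns1.example.net hostmaster.example.net 2014102001 10800 3600 604800 3600"

# Constructed records rows: (domain_id, name, type, content, ttl), modelled on the gsql columns.
SAMPLE_DOMAINS = [(1, "example.org"), (2, "example.net")]
SAMPLE_RECORDS = [
    (1, "example.org", "SOA", SOA_ORG, 3600),
    (1, "example.org", "SOA", SOA_ORG, 3600),          # stored twice: a doubled transfer
    (1, "www.example.org", "A", "192.0.2.10", 300),
    (1, "www.example.org", "A", "192.0.2.10", 300),    # same row twice as well
    (2, "example.net", "SOA", SOA_NET, 3600),
    (2, "www.example.net", "A", "192.0.2.20", 300),
    (2, "www.example.net", "A", "192.0.2.21", 300),    # two distinct A records: a legitimate RRset
]


def load(domains, records):
    """Build the in-memory tables; a real check would connect to the PowerDNS database instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL, "
        "name TEXT, type TEXT, content TEXT, ttl INTEGER)"
    )
    conn.executemany("INSERT INTO domains VALUES (?, ?)", domains)
    conn.executemany(
        "INSERT INTO records (domain_id, name, type, content, ttl) VALUES (?, ?, ?, ?, ?)", records
    )
    return conn


def find_duplicate_rrs(conn):
    """Return (zone, name, type, content, count) for every RR stored more than once in its zone."""
    rows = conn.execute(
        """
        SELECT d.name, r.name, r.type, r.content, COUNT(*) AS n
        FROM records r JOIN domains d ON d.id = r.domain_id
        GROUP BY r.domain_id, r.name, r.type, r.content
        HAVING COUNT(*) > 1
        ORDER BY d.name, r.name, r.type
        """
    ).fetchall()
    return [tuple(row) for row in rows]


def zones_with_duplicates(conn):
    """Zone names to hand to 'pdns_control retrieve', as in the workaround above."""
    return sorted({zone for zone, *_ in find_duplicate_rrs(conn)})


if __name__ == "__main__":
    db = load(SAMPLE_DOMAINS, SAMPLE_RECORDS)
    for zone in zones_with_duplicates(db):
        print(f"pdns_control retrieve {zone}")
```

Running the broader query on a production database costs one pass over the records table, so schedule it rather than running it per lookup; the SOA-only variant from the message is the cheaper probe when the table is large.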
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Mon, 20 Oct 2014 10:40:34 -0300
Subject: [Pdns-users] Recursor: Black list
In-Reply-To: <20141017163538.GO6579@aart.rice.edu>
References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu>
Message-ID:

2014-10-17 13:35 GMT-03:00 ktm at rice.edu :
>> > Hi Ciro,
>> >
>> > We used a CDB key value store. It was easy to use/update and had
>> > very good performance. "grepping" is O(n*n) so it will tank as
>> > your list grows and you really don't want to slow down your DNS
>> > lookups.
>> >
>> > Regards,
>> > Ken
>>
>> Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any
>> document specific for PDNS you can point me to?
>>
>> Regards,!
>>
>
> Hi,
>
> No PDNS specific documentation, we used the CDB map to allow the
> blacklist to be update without needing to restart the recursor
> and lose all the cached DNS lookups. We wrote a function similar
> to the example Lua script using a CDB map instead.
>
> Regards,
> Ken

Hi Ken!, would you be willing to publish/share your implementation?

Having two different rules (two groups, each group with different answers), do you think it's best to use two scripts, or just push more data to the CDB (A record expected + answer) and use one script?

Regards,

--
Ciro Iriarte
http://iriarte.it
--
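Ken's advice earlier in the thread is a keyed lookup instead of scanning the CSV on every query, and Ciro asks just above whether two groups with different answers need two scripts. The Python below is an added model of that lookup, not Ken's Lua/CDB code and not the recursor's Lua hook (in a deployment the recursor's preresolve function would call the equivalent of map_lookup): the CSV entries, the group names and the TEST-NET answers are constructed, and a dict stands in for the CDB file. It keeps one list with the answer group as the stored value, normalises the query name, and checks each parent domain so an entry blocks its whole subtree; scan_lookup is the grep-per-query approach for comparison, and both must agree on every query.

```python
"""Blocklist lookup model: keyed (CDB-style) suffix lookup beside a per-query linear scan."""

# Constructed blocklist standing in for a CSV file: one "name,group" entry per line.
BLOCKLIST_CSV = """\
# name,group
malware.example,malware
ads.example,adult
tracker.example,malware
"""

# Each group maps to the answer the recursor would hand back (constructed TEST-NET addresses).
GROUP_ANSWERS = {"malware": "192.0.2.1", "adult": "192.0.2.2"}


def normalize(qname):
    """DNS names are case-insensitive and the recursor hands them over with a trailing dot."""
    return qname.rstrip(".").lower()


def load_blocklist(text):
    """Build the key/value map once at load time; in Ken's setup a CDB file plays this role."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, group = line.partition(",")
        group = group.strip()
        if group not in GROUP_ANSWERS:
            raise ValueError(f"unknown group {group!r} for {name!r}")
        table[normalize(name)] = group
    return table


def map_lookup(table, qname):
    """One hash lookup per label: sub.bad.example matches an entry for bad.example."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        group = table.get(".".join(labels[i:]))
        if group is not None:
            return GROUP_ANSWERS[group]
    return None


def scan_lookup(text, qname):
    """The 'grep the CSV' approach: every query walks the whole list, O(n) in its size."""
    name = normalize(qname)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry, _, group = line.partition(",")
        entry = normalize(entry)
        if name == entry or name.endswith("." + entry):
            return GROUP_ANSWERS[group.strip()]
    return None


if __name__ == "__main__":
    table = load_blocklist(BLOCKLIST_CSV)
    for q in ("www.Malware.Example.", "ads.example", "bads.example", "example"):
        print(q, map_lookup(table, q), scan_lookup(BLOCKLIST_CSV, q))
```

Storing the group (or the answer itself) as the value is what lets one script serve both of Ciro's groups; the cost per query is bounded by the number of labels in the name, not by the size of the list, which is the property Ken is after.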
From: curtis at maurand.com (Curtis Maurand)
Date: Mon, 20 Oct 2014 10:54:21 -0400
Subject: [Pdns-users] Recursor: Black list
In-Reply-To:
References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu>
Message-ID: <5445221D.5010805@maurand.com>

On 10/20/2014 9:40 AM, Ciro Iriarte wrote:
> 2014-10-17 13:35 GMT-03:00 ktm at rice.edu :
>>>> Hi Ciro,
>>>>
>>>> We used a CDB key value store. It was easy to use/update and had
>>>> very good performance. "grepping" is O(n*n) so it will tank as
>>>> your list grows and you really don't want to slow down your DNS
>>>> lookups.
>>>>
>>>> Regards,
>>>> Ken
>>> Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any
>>> document specific for PDNS you can point me to?
>>>
>>> Regards,!
>>>
>> Hi,
>>
>> No PDNS specific documentation, we used the CDB map to allow the
>> blacklist to be update without needing to restart the recursor
>> and lose all the cached DNS lookups. We wrote a function similar
>> to the example Lua script using a CDB map instead.
>>
>> Regards,
>> Ken
> Hi Ken!, would you be willing to publish/share your implementation?.
> Having two different rules (two groups, each group with different
> answers), do you think it's best to use two scripts?, or just push
> more data to the CDB (A record expected + answer) and use one script?
>
> Regards,

I've been looking for a way to do this as well. I would think that a separate pdns instance on a different server than your main DNS would do the trick, or have one bound to one address and a second instance bound to another, using separate databases. I tried setting up a zone and delegating it to the current DNS and that doesn't work. It's an interesting problem. Currently I'm using iptables on my mail servers, but that gets unwieldy and unmanageable in a hurry. I've also done it with spamassassin rules, but that also gets to be unmanageable, too.

--Curtis

--
Curtis Maurand
curtis at maurand.com
207-252-7748
From: robm at scramworks.net (Robert Mortimer)
Date: Mon, 20 Oct 2014 17:29:40 +0100
Subject: [Pdns-users] Recursor: Black list
In-Reply-To: <5445221D.5010805@maurand.com>
References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com>
Message-ID: <20141020162940.GA31884@bob.bofh.org>

Hi,

Just to add a bit less light: we implemented this sort of thing about 5 years back and now, with the aid of a small script, have a solution which is fully RPZ compatible. Using PDNS recursor and LUA, it can handle an RPZ feed of about four thousand records and around 5,000 QPS. We did stress test briefly with an 11,000 item RPZ feed.

As said, no need to restart when it updates, just do a LUA reload.

Hopefully I should be able to release what we did soon - I am waiting for permission from our legal types.

Really not sure if that helps any, except to say it's very doable and can be quite stable.

On Mon, 20 Oct 2014, Curtis Maurand wrote:
> On 10/20/2014 9:40 AM, Ciro Iriarte wrote:
> >2014-10-17 13:35 GMT-03:00 ktm at rice.edu :
> >>>>Hi Ciro,
> >>>>
> >>>>We used a CDB key value store. It was easy to use/update and had
> >>>>very good performance. "grepping" is O(n*n) so it will tank as
> >>>>your list grows and you really don't want to slow down your DNS
> >>>>lookups.
> >>>>
> >>>>Regards,
> >>>>Ken
> >>>Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any
> >>>document specific for PDNS you can point me to?
> >>>
> >>>Regards,!
> >>>
> >>Hi,
> >>
> >>No PDNS specific documentation, we used the CDB map to allow the
> >>blacklist to be update without needing to restart the recursor
> >>and lose all the cached DNS lookups. We wrote a function similar
> >>to the example Lua script using a CDB map instead.
> >>
> >>Regards,
> >>Ken
> >Hi Ken!, would you be willing to publish/share your implementation?.
> >Having two different rules (two groups, each group with different
> >answers), do you think it's best to use two scripts?, or just push
> >more data to the CDB (A record expected + answer) and use one script?
> >
> >Regards,
>
> I've been looking for a way to do this as well. I would think that
> a separate pdns instance on a different server than your main dns
> would do the trick or have one bound to one address and a second
> instance bound to another using separate databases. I tried setting
> up a zone and delegating it to the current DNS and that doesn't
> work. It's an interesting problem. Currently I'm using iptables on
> my mail servers, but that get's unwieldy and unmanageable in a
> hurry. I've also done it with spamassassin rules, but that also
> get's to be unmanageable, too.
>
> --Curtis
>
> --
> Curtis Maurand
> curtis at maurand.com
> 207-252-7748
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users

--
Robm 873
"Ask not what I can do for the stupid, but what the stupid can do for me" - Graeme Garden
From: cyruspy at gmail.com (Ciro Iriarte) Date: Mon, 20 Oct 2014 13:42:20 -0300 Subject: [Pdns-users] Recursor: Black list In-Reply-To: <5445221D.5010805@maurand.com> References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> Message-ID: 2014-10-20 11:54 GMT-03:00 Curtis Maurand : > On 10/20/2014 9:40 AM, Ciro Iriarte wrote: > > 2014-10-17 13:35 GMT-03:00 ktm at rice.edu : > > Hi Ciro, > > We used a CDB key value store. It was easy to use/update and had > very good performance. "grepping" is O(n*n) so it will tank as > your list grows and you really don't want to slow down your DNS > lookups. > > Regards, > Ken > > Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any > document specific for PDNS you can point me to? > > Regards,! > > Hi, > > No PDNS specific documentation, we used the CDB map to allow the > blacklist to be update without needing to restart the recursor > and lose all the cached DNS lookups. We wrote a function similar > to the example Lua script using a CDB map instead. > > Regards, > Ken > > Hi Ken!, would you be willing to publish/share your implementation?. > Having two different rules (two groups, each group with different > answers), do you think it's best to use two scripts?, or just push > more data to the CDB (A record expected + answer) and use one script? > > Regards, > > > I've been looking for a way to do this as well. I would think that a > separate pdns instance on a different server than your main dns would do the > trick or have one bound to one address and a second instance bound to > another using separate databases. I tried setting up a zone and delegating > it to the current DNS and that doesn't work. It's an interesting problem. > Currently I'm using iptables on my mail servers, but that get's unwieldy and > unmanageable in a hurry. I've also done it with spamassassin rules, but > that also get's to be unmanageable, too. 
>
> --Curtis
>
>
>
>
> --
> Curtis Maurand
> curtis at maurand.com
> 207-252-7748
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>

Does that mean that the recursor can only handle one LUA script?

Regards,

--
Ciro Iriarte
http://iriarte.it
--

From cyruspy at gmail.com Mon Oct 20 17:09:05 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Mon, 20 Oct 2014 14:09:05 -0300
Subject: [Pdns-users] Recursor: Black list
In-Reply-To: <20141020162940.GA31884@bob.bofh.org>
References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org>
Message-ID:

2014-10-20 13:29 GMT-03:00 Robert Mortimer :
> Hi,
>
> Just to add a bit less light, we implemented this sort of thing about 5 years back
> and now with the aid of a small script have a solution which is fully RPZ
> compatible. Using PDNS recursor and LUA, which can handle an RPZ feed of about four
> thousand records and around 5,000 QPS. We did stress test briefly with an 11,000 item
> RPZ feed.
>
> As said no need to restart when it updates just do a LUA reload. Hopefully I
> should be able to release what we did soon - am waiting for permission from our
> legal types.
>
> Really not sure if that helps any, except to say it's very doable and can be
> quite stable.
>

RPZ seems really interesting, and I see there was a request for it in the past*. The thing is, we have direct requests from local government agencies to ban some domains with legal issues (mandated by a judge for example), and we were just approached about being able to block sites from the Internet Watch Foundation black list also (with their own landing page). Both cases will be redirected to different sites, and each has its own data source. Currently on bind we just define the domain as authoritative and it's kind of a hassle.

Also, I thought about adding some helpful LUA bits to report date/time or the client's IP address, but from what I understood, only one LUA script can be added to the recursor; maybe a super monster script could be able to achieve all that.

Ref:
* http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html

Regards,

--
Ciro Iriarte
http://iriarte.it
--

From ktm at rice.edu Mon Oct 20 18:12:07 2014
From: ktm at rice.edu (ktm at rice.edu) Date: Mon, 20 Oct 2014 13:12:07 -0500 Subject: [Pdns-users] Recursor: Black list In-Reply-To: References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> Message-ID: <20141020181207.GC32559@aart.rice.edu> On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote: > 2014-10-20 13:29 GMT-03:00 Robert Mortimer : > > Hi, > > > > Just to add a bit less light, we implemented this sort of thing about 5 years back > > and now with the aid of a small script have a solution which is fully RPZ > > compatable. Using PDNS recursor and LUA, which can hadle an RPZ feed of about four > > thousand records and around 5,000 QPS. We did stress test briefly with a 11,000 item > > RPZ feed. > > > > As said no need to restart when it updates just do a LUA reload. Hopefully I > > should be able to release what we did soon - am waiting for permission from our > > legal types. > > > > Really not sure if that helps any, except to say it's very doable and can be > > quite stable. > > > > > > RPZ seem really interesting, and I see there was a request for it in > the past*. The thing is, we have direct requests from local government > agencies to ban some domains with legal issues (mandated by a judge > for example), and we were just approached about being able to block > sites from the Internet Watch Foundation black list also (with their > own landing page). Both cases will be redirected to different sites, > and each has its own data source. Currently on bind we just define the > domain as authoritative and it's kind of a hassle. > > Also, I thought about adding some helpful LUA bits to report date/time > or the client's IP address, but from what I understood, only one LUA > script can be added to the recursor, maybe a super monster script > could be able to achieve all that. 
>
>
> Ref:
> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html
>
>
> Regards,
> --
> Ciro Iriarte
> http://iriarte.it
> --

Hi,

I would use a single Lua script for all of it. I am trying to find my sample using CDB to post.

Regards,
Ken

From bert.hubert at netherlabs.nl Mon Oct 20 18:15:57 2014
From: bert.hubert at netherlabs.nl (bert hubert)
Date: Mon, 20 Oct 2014 20:15:57 +0200
Subject: [Pdns-users] Recursor: Black list
In-Reply-To: <20141020181207.GC32559@aart.rice.edu>
References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu>
Message-ID: <20141020181557.GA24286@xs.powerdns.com>

On Mon, Oct 20, 2014 at 01:12:07PM -0500, ktm at rice.edu wrote:
> > Also, I thought about adding some helpful LUA bits to report date/time
> > or the client's IP address, but from what I understood, only one LUA
> > script can be added to the recursor, maybe a super monster script
> > could be able to achieve all that.

Ciro,

We could allow chaining Lua scripts eventually, but I'm more interested in a solution that works for people. Is everyone happy with RPZ for blacklist purposes?

> I would use a single Lua script for all of it. I am trying to find my
> sample using CDB to post.

Hi Ken,

That would be great, perhaps we could ship a version of that as a contrib/.

Bert

From cyruspy at gmail.com Mon Oct 20 19:00:23 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Mon, 20 Oct 2014 16:00:23 -0300
Subject: [Pdns-users] Recursor: Black list
In-Reply-To: <20141020181557.GA24286@xs.powerdns.com>
References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> <20141020181557.GA24286@xs.powerdns.com>
Message-ID:

2014-10-20 15:15 GMT-03:00 bert hubert :
> On Mon, Oct 20, 2014 at 01:12:07PM -0500, ktm at rice.edu wrote:
>> > Also, I thought about adding some helpful LUA bits to report date/time
>> > or the client's IP address, but from what I understood, only one LUA
>> > script can be added to the recursor, maybe a super monster script
>> > could be able to achieve all that.
>
> Ciro,
>
> We could allow chaining Lua scripts eventually, but I'm more interested in
> a solution that works for people. Is everyone happy with RPZ for blacklist
> purposes?
>
>> I would use a single Lua script for all of it. I am trying to find my
>> sample using CDB to post.
>
> Hi Ken,
>
> That would be great, perhaps we could ship a version of that as a contrib/.
>
> Bert
>

Reading a little more about RPZ, it seems to be tailored to Bind's convenience: just define a special zone where you can add FQDNs to override. That doesn't seem usual for pdns-recursor, I might be wrong.

It would be nice to keep the solution simple, and as clean as it can fit pdns-recursor. It doesn't need to be with RPZ, unless the use cases mandate copying these special zones blindly from the authorities (it's not the case on my end).

Ref: http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/

Regards,

--
Ciro Iriarte
http://iriarte.it
--

From cyruspy at gmail.com Mon Oct 20 22:38:02 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Mon, 20 Oct 2014 19:38:02 -0300
Subject: [Pdns-users] powerdns-recursor: ERROR: can't parse argument ' DS:outQ_all:DERIVE:600:0:125000000000'
In-Reply-To:
References:
Message-ID:

2014-10-10 16:20 GMT-03:00 Ciro Iriarte :
> Hi!, anybody knows if something changed with the PowerDNS Recursor
> support?, I'm trying to add a host and it's giving me this error:
>
> powerdns-recursor
> ERROR: can't parse argument ' DS:outQ_all:DERIVE:600:0:125000000000'
>
> Observium v0.13.10.4586
>
>
> Regards,
>
> --
> Ciro Iriarte
> http://iriarte.it
> --

Has anybody seen this error?

Regards,
Ciro

--
Ciro Iriarte
http://iriarte.it
--

From cyruspy at gmail.com Tue Oct 21 00:55:12 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Mon, 20 Oct 2014 21:55:12 -0300
Subject: [Pdns-users] powerdns-recursor: ERROR: can't parse argument ' DS:outQ_all:DERIVE:600:0:125000000000'
In-Reply-To:
References:
Message-ID:

2014-10-20 19:38 GMT-03:00 Ciro Iriarte :
> 2014-10-10 16:20 GMT-03:00 Ciro Iriarte :
>> Hi!, anybody knows if something changed with the PowerDNS Recursor
>> support?, I'm trying to add a host and it's giving me this error:
>>
>> powerdns-recursor
>> ERROR: can't parse argument ' DS:outQ_all:DERIVE:600:0:125000000000'
>>
>> Observium v0.13.10.4586
>>
>>
>> Regards,
>>
>> --
>> Ciro Iriarte
>> http://iriarte.it
>> --
>
> Has anybody seen this error?
>
> Regards,
> Ciro
>
> --
> Ciro Iriarte
> http://iriarte.it
> --

Well, I remember having read this thread last year:

http://postman.memetic.org/pipermail/observium/2013-October/003913.html

And as in that case, the PowerDNS code has the same issue. Deleting the first backslash allowed the RRD files to be created. It also bothers me the inconsistency given by the fix :P

Regards,

--
Ciro Iriarte
http://iriarte.it
--

From cyruspy at gmail.com Tue Oct 21 00:56:22 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Mon, 20 Oct 2014 21:56:22 -0300
Subject: [Pdns-users] Statistics with Observium
In-Reply-To:
References:
Message-ID:

2014-10-10 16:39 GMT-03:00 Ciro Iriarte :
> Hi!, anybody happens to collect stats with Observium?. Apparently in
> the past it had support for both the Authoritative and Recursive
> servers but as of today it's not working with Recursor 3.6.1.
>
> Ideas, comments?.
>
> Regards,
>
> --
> Ciro Iriarte
> http://iriarte.it
> --

Well, I remember having read this thread last year:

http://postman.memetic.org/pipermail/observium/2013-October/003913.html

And as in that case, the PowerDNS code has the same issue. Deleting the first backslash allowed the RRD files to be created. It also bothers me the inconsistency given by the fix :P

Regards,

--
Ciro Iriarte
http://iriarte.it
--

From bert.hubert at netherlabs.nl Wed Oct 22 19:38:38 2014
From: bert.hubert at netherlabs.nl (bert hubert)
Date: Wed, 22 Oct 2014 21:38:38 +0200
Subject: [Pdns-users] New: PowerDNS Security Status Polling
Message-ID: <20141022193837.GA24649@xs.powerdns.com>

Hi everybody,

PowerDNS software sadly sometimes has critical security bugs. Even though we send out notifications of these via all channels available, our recent security releases have taught us that not everybody actually finds out about important security updates via our mailing lists, Facebook and Twitter.

To solve this, the development versions of PowerDNS software have been updated to poll for security notifications over DNS, and log these periodically. Secondly, the security status of the software is available for monitoring using the built-in metrics. This allows operators to poll for the PowerDNS security status and alert on it.

In the implementation of this idea, we have taken the unique role of operating system distributors into account. Specifically, we can deal with backported security fixes.

This feature can easily be disabled, and operators can also point the queries at their own status service.

In this post, we want to inform you that the most recent snapshots of PowerDNS now include security polling, and we want to solicit your rapid feedback before this feature becomes part of the next PowerDNS releases.

Implementation

PowerDNS software periodically tries to resolve ‘auth-x.y.z.security-status.secpoll.powerdns.com|TXT’ or ‘recursor-x.y.z.security-status.secpoll.powerdns.com|TXT’ (if the security-poll-suffix setting is left at the default of secpoll.powerdns.com). No other data is included in the request.
The data returned is in one of the following forms:

* NXDOMAIN or resolution failure
* “1 Ok” -> security-status=1
* “2 Upgrade recommended for security reasons, see http://powerdns.com/..” -> security-status=2
* “3 Upgrade mandatory for security reasons, see http://powerdns.com/..” -> security-status=3

In cases 2 or 3, periodic logging commences at syslog level ‘Error’. The metric security-status is set to 2 or 3 respectively. The security status could be lowered however if we discover the issue is less urgent than we thought.

If resolution fails, and the previous security-status was 1, the new security-status becomes 0 (‘no data’). If the security-status was higher than 1, it will remain that way, and not get set to 0. In this way, a security-status of 0 really means ‘no data’, and can not mask a known problem.

Distributions

Distributions frequently backport security fixes to the PowerDNS versions they ship. This might lead to a version number that is known to us to be insecure being secure in reality.

To solve this issue, PowerDNS can be compiled with a distribution setting which will move the security polls from ‘auth-x.y.z.security-status.secpoll.powerdns.com’ to ‘auth-x.y.z-n.debian.security-status.secpoll.powerdns.com’.

Note two things: one, there is a separate namespace for debian, and secondly, we use the package version of this release. This allows us to know that 3.6.0-1 (say) is insecure, but that 3.6.0-2 is not.

Details and how to disable

The configuration setting ‘security-poll-suffix’ is by default set to ‘secpoll.powerdns.com’. If empty, nothing is polled. This can be moved to ‘secpoll.yourorganization.com’. Our up to date secpoll zonefile is available on github for this purpose.

If compiled with PACKAGEVERSION=3.1.6-abcde.debian, queries will be sent to “auth-3.1.6-abcde.debian.security-status.security-poll-suffix”.
Delegation

If a distribution wants to host its own file with version information, we can delegate dist.security-status.secpoll.powerdns.com to their nameservers directly.

From zozo at z0z0.tk Wed Oct 22 22:48:26 2014
From: zozo at z0z0.tk (Péter-Zoltán Keresztes)
Date: Thu, 23 Oct 2014 01:48:26 +0300
Subject: [Pdns-users] SRV records
Message-ID:

Hello,

I just want to know if powerdns 3.4 does support SRV records.

thanks,
Peter

From cmouse at youzen.ext.b2.fi Thu Oct 23 06:03:36 2014
From: cmouse at youzen.ext.b2.fi (Aki Tuomi)
Date: Thu, 23 Oct 2014 09:03:36 +0300
Subject: [Pdns-users] SRV records
In-Reply-To:
References:
Message-ID: <20141023060336.GA1243@pi.ip.fi>

On Thu, Oct 23, 2014 at 01:48:26AM +0300, Péter-Zoltán Keresztes wrote:
> Hello,
>
> I just want to know if powerdns 3.4 does support SRV records.
>
> thanks,
> Peter
>

Yes, those have been supported for a long time now.

Aki

From cyruspy at gmail.com Sun Oct 26 04:17:42 2014
From: cyruspy at gmail.com (Ciro Iriarte) Date: Sun, 26 Oct 2014 01:17:42 -0300 Subject: [Pdns-users] Recursor: Black list In-Reply-To: <20141020181207.GC32559@aart.rice.edu> References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> Message-ID: 2014-10-20 15:12 GMT-03:00 ktm at rice.edu : > On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote: >> 2014-10-20 13:29 GMT-03:00 Robert Mortimer : >> > Hi, >> > >> > Just to add a bit less light, we implemented this sort of thing about 5 years back >> > and now with the aid of a small script have a solution which is fully RPZ >> > compatable. Using PDNS recursor and LUA, which can hadle an RPZ feed of about four >> > thousand records and around 5,000 QPS. We did stress test briefly with a 11,000 item >> > RPZ feed. >> > >> > As said no need to restart when it updates just do a LUA reload. Hopefully I >> > should be able to release what we did soon - am waiting for permission from our >> > legal types. >> > >> > Really not sure if that helps any, except to say it's very doable and can be >> > quite stable. >> > >> > >> >> RPZ seem really interesting, and I see there was a request for it in >> the past*. The thing is, we have direct requests from local government >> agencies to ban some domains with legal issues (mandated by a judge >> for example), and we were just approached about being able to block >> sites from the Internet Watch Foundation black list also (with their >> own landing page). Both cases will be redirected to different sites, >> and each has its own data source. Currently on bind we just define the >> domain as authoritative and it's kind of a hassle. 
>>
>> Also, I thought about adding some helpful LUA bits to report date/time
>> or the client's IP address, but from what I understood, only one LUA
>> script can be added to the recursor, maybe a super monster script
>> could be able to achieve all that.
>>
>>
>> Ref:
>> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html
>>
>>
>> Regards,
>> --
>> Ciro Iriarte
>> http://iriarte.it
>> --
>
> Hi,
>
> I would use a single Lua script for all of it. I am trying to find my
> sample using CDB to post.
>
> Regards,
> Ken

Hi!, got a proof of concept script that successfully does the CDB lookup, but I'm curious about the CNAME answers: how can I call another resolution iteration to find the A record for the final destination?

Currently I can only answer a CNAME record, and any attempt to reach a website for example will fail with "Couldn't resolve host".

Regards,

--
Ciro Iriarte
http://iriarte.it
--

From cyruspy at gmail.com Sun Oct 26 04:47:31 2014
From: cyruspy at gmail.com (Ciro Iriarte) Date: Sun, 26 Oct 2014 01:47:31 -0300 Subject: [Pdns-users] Recursor: Black list In-Reply-To: References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> Message-ID: 2014-10-26 1:17 GMT-03:00 Ciro Iriarte : > 2014-10-20 15:12 GMT-03:00 ktm at rice.edu : >> On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote: >>> 2014-10-20 13:29 GMT-03:00 Robert Mortimer : >>> > Hi, >>> > >>> > Just to add a bit less light, we implemented this sort of thing about 5 years back >>> > and now with the aid of a small script have a solution which is fully RPZ >>> > compatable. Using PDNS recursor and LUA, which can hadle an RPZ feed of about four >>> > thousand records and around 5,000 QPS. We did stress test briefly with a 11,000 item >>> > RPZ feed. >>> > >>> > As said no need to restart when it updates just do a LUA reload. Hopefully I >>> > should be able to release what we did soon - am waiting for permission from our >>> > legal types. >>> > >>> > Really not sure if that helps any, except to say it's very doable and can be >>> > quite stable. >>> > >>> > >>> >>> RPZ seem really interesting, and I see there was a request for it in >>> the past*. The thing is, we have direct requests from local government >>> agencies to ban some domains with legal issues (mandated by a judge >>> for example), and we were just approached about being able to block >>> sites from the Internet Watch Foundation black list also (with their >>> own landing page). Both cases will be redirected to different sites, >>> and each has its own data source. Currently on bind we just define the >>> domain as authoritative and it's kind of a hassle. 
>>>
>>> Also, I thought about adding some helpful LUA bits to report date/time
>>> or the client's IP address, but from what I understood, only one LUA
>>> script can be added to the recursor, maybe a super monster script
>>> could be able to achieve all that.
>>>
>>>
>>> Ref:
>>> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html
>>>
>>>
>>> Regards,
>>> --
>>> Ciro Iriarte
>>> http://iriarte.it
>>> --
>>
>> Hi,
>>
>> I would use a single Lua script for all of it. I am trying to find my
>> sample using CDB to post.
>>
>> Regards,
>> Ken
>
> Hi!, got a proof of concept script that successfully does the CDB
> lookup, but I'm curious about the CNAME answers, how can I call
> another resolution iteration to find the A record for the final
> destination?
>
> Currently I can only answer a CNAME record, and any attempt to reach a
> website for example will fail with "Couldn't resolve host".
>
> Regards,
>
> --
> Ciro Iriarte
> http://iriarte.it
> --

Answering to myself, found the followCNAMERecords return option. It works to look for a regular A lookup from the CNAME result. It doesn't cover the case where our overwritten answer should also be blocked (the LUA script is not run on that iteration).

Should that case be covered? Is there another return code that will trigger the LUA script again for the CNAME follow up?

--
Ciro Iriarte
http://iriarte.it
--

From cyruspy at gmail.com Mon Oct 27 02:52:57 2014
From: cyruspy at gmail.com (Ciro Iriarte) Date: Sun, 26 Oct 2014 23:52:57 -0300 Subject: [Pdns-users] New: PowerDNS Security Status Polling In-Reply-To: <20141022193837.GA24649@xs.powerdns.com> References: <20141022193837.GA24649@xs.powerdns.com> Message-ID: 2014-10-22 16:38 GMT-03:00 bert hubert : > Hi everybody, > > PowerDNS software sadly sometimes has critical security bugs. Even though we > send out notifications of these via all channels available, our recent > security releases have taught us that not everybody actually finds out about > important security updates via our mailing lists, Facebook and Twitter. > > To solve this, the development versions of PowerDNS software have been > updated to poll for security notifications over DNS, and log these > periodically. Secondly, the security status of the software is available for > monitoring using the built-in metrics. This allows operators to poll for the > PowerDNS security status and alert on it. > > In the implementation of this idea, we have taken the unique role of > operating system distributors into account. Specifically, we can deal with > backported security fixes. > > This feature can easily be disabled, and operators can also point the > queries point at their own status service. > > In this post, we want to inform you that the most recent snapshots of > PowerDNS now include security polling, and we want to solicit your rapid > feedback before this feature becomes part of the next PowerDNS releases. > > Implementation > > PowerDNS software periodically tries to resolve > ‘auth-x.y.z.security-status.secpoll.powerdns.com|TXT’ or > ‘recursor-x.y.z.security-status.secpoll.powerdns.com|TXT’ (if the > security-poll-suffix setting is left at the default of > secpoll.powerdns.com). No other data is included in the request. 
> > The data returned is in one of the following forms: > > * NXDOMAIN or resolution failure > * “1 Ok” -> security-status=1 > * “2 Upgrade recommended for security reasons, see http://powerdns.com/..” -> > security-status=2 > * “3 Upgrade mandatory for security reasons, see http://powerdns.com/..” -> > security-status=3 > > In cases 2 or 3, periodic logging commences at syslog level ‘Error’. The > metric security-status is set to 2 or 3 respectively. The security status > could be lowered however if we discover the issue is less urgent than we > thought. > > If resolution fails, and the previous security-status was 1, the new > security-status becomes 0 (‘no data’). If the security-status was higher > than 1, it will remain that way, and not get set to 0. In this way, > security-status of 0 really means ‘no data’, and can not mask a known > problem. > > Distributions > > Distributions frequently backport security fixes to the PowerDNS versions > they ship. This might lead to a version number that is known to us to be > insecure to be secure in reality. > > To solve this issue, PowerDNS can be compiled with a distribution setting > which will move the security polls from: > ‘auth-x.y.z.security-status.secpoll.powerdns.com’ to > ‘auth-x.y.z-n.debian.security-status.secpoll.powerdns.com > > Note two things, one, there is a separate namespace for debian, and > secondly, we use the package version of this release. This allows us to know > that 3.6.0-1 (say) is insecure, but that 3.6.0-2 is not. > > Details and how to disable > > The configuration setting ‘security-poll-suffix’ is by default set to > ‘secpoll.powerdns.com’. If empty, nothing is polled. This can be moved to > ‘secpoll.yourorganization.com’. Our up to date secpoll zonefile is available > on github for this purpose. > > If compiled with PACKAGEVERSION=3.1.6-abcde.debian, queries will be sent to > “auth-3.1.6-abcde.debian.security-status.security-poll-suffix”. 
> > Delegation > > If a distribution wants to host its own file with version information, we > can delegate dist.security-status.secpoll.powerdns.com to their nameservers > directly. > > > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users I like it, having the possibility to disable polling is good too. Regards, -- Ciro Iriarte http://iriarte.it -- From cyruspy at gmail.com Mon Oct 27 03:49:31 2014 
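The polling and status rules from the announcement quoted above, modelled as an added Python example (this is not PowerDNS code; the query-name builder, the status functions and the constructed TXT answers are this example's own, written to the formats the announcement lists). It shows how the poll name is derived from the product, version, optional PACKAGEVERSION and security-poll-suffix, and how the security-status metric moves between polls, including the rule that a resolution failure never lowers a 2 or 3 to 0:

```python
"""Model of the PowerDNS security-status polling rules described in the
announcement.  Added example, not PowerDNS code.  Query names and status
transitions follow the announcement; the sample answers are constructed."""

from typing import List, Optional

DEFAULT_SUFFIX = "secpoll.powerdns.com"


def poll_name(product: str, version: str, suffix: str = DEFAULT_SUFFIX,
              package_version: Optional[str] = None) -> Optional[str]:
    """Return the TXT name to poll, or None when polling is disabled.

    product is 'auth' or 'recursor'.  When a package version such as
    '3.1.6-abcde.debian' is given, it replaces the plain upstream version
    so that a distribution's backported build has its own namespace."""
    if not suffix:                      # empty security-poll-suffix: no polling
        return None
    ver = package_version if package_version else version
    return f"{product}-{ver}.security-status.{suffix}"


def parse_status(txt: Optional[str]) -> int:
    """Map a TXT answer to a status; None stands for NXDOMAIN or failure.

    Returns 0 ('no data') unless the answer starts with 1, 2 or 3, so an
    unparseable answer is never mistaken for 'Ok'."""
    if txt is None:
        return 0
    head = txt.split(" ", 1)[0]
    if head.isdigit() and 1 <= int(head) <= 3:
        return int(head)
    return 0


def next_status(previous: int, txt: Optional[str]) -> int:
    """Apply the announced transition rules:
    - a parsed 1..3 replaces the previous value, so a status can also be
      lowered when an issue turns out to be less urgent;
    - no data lowers 1 (or 0) to 0 but leaves a 2 or 3 untouched, so 0
      really means 'no data' and cannot mask a known problem."""
    parsed = parse_status(txt)
    if parsed == 0:
        return previous if previous > 1 else 0
    return parsed


def should_log(status: int) -> bool:
    """Cases 2 and 3 are logged periodically at syslog level Error."""
    return status >= 2


def run_polls(previous: int, answers: List[Optional[str]]) -> List[int]:
    """Feed a sequence of answers through next_status and return the
    status after each poll; useful for checking an alerting rule."""
    history = []
    for answer in answers:
        previous = next_status(previous, answer)
        history.append(previous)
    return history


if __name__ == "__main__":
    print(poll_name("recursor", "3.6.1"))
    print(poll_name("auth", "3.1.6", package_version="3.1.6-abcde.debian"))
    # Constructed sequence: ok, mandatory upgrade, then a resolution failure.
    print(run_polls(1, ["1 Ok",
                        "3 Upgrade mandatory for security reasons, see http://powerdns.com/..",
                        None]))
```

For monitoring, the useful alert condition is `security-status >= 2`, since 0 only tells you the poll could not be answered; a separate check that the status has not been 0 for longer than a few poll intervals catches a broken suffix or blocked outbound DNS.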
From: cyruspy at gmail.com (Ciro Iriarte) Date: Mon, 27 Oct 2014 00:49:31 -0300 Subject: [Pdns-users] Recursor: Black list In-Reply-To: References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> Message-ID: 2014-10-26 1:47 GMT-03:00 Ciro Iriarte : > 2014-10-26 1:17 GMT-03:00 Ciro Iriarte : >> 2014-10-20 15:12 GMT-03:00 ktm at rice.edu : >>> On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote: >>>> 2014-10-20 13:29 GMT-03:00 Robert Mortimer : >>>> > Hi, >>>> > >>>> > Just to add a bit less light, we implemented this sort of thing about 5 years back >>>> > and now with the aid of a small script have a solution which is fully RPZ >>>> > compatable. Using PDNS recursor and LUA, which can hadle an RPZ feed of about four >>>> > thousand records and around 5,000 QPS. We did stress test briefly with a 11,000 item >>>> > RPZ feed. >>>> > >>>> > As said no need to restart when it updates just do a LUA reload. Hopefully I >>>> > should be able to release what we did soon - am waiting for permission from our >>>> > legal types. >>>> > >>>> > Really not sure if that helps any, except to say it's very doable and can be >>>> > quite stable. >>>> > >>>> > >>>> >>>> RPZ seem really interesting, and I see there was a request for it in >>>> the past*. The thing is, we have direct requests from local government >>>> agencies to ban some domains with legal issues (mandated by a judge >>>> for example), and we were just approached about being able to block >>>> sites from the Internet Watch Foundation black list also (with their >>>> own landing page). Both cases will be redirected to different sites, >>>> and each has its own data source. Currently on bind we just define the >>>> domain as authoritative and it's kind of a hassle. 
>>>>
>>>> Also, I thought about adding some helpful LUA bits to report date/time
>>>> or the client's IP address, but from what I understood, only one LUA
>>>> script can be added to the recursor, maybe a super monster script
>>>> could be able to achieve all that.
>>>>
>>>>
>>>> Ref:
>>>> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html
>>>>
>>>>
>>>> Regards,
>>>> --
>>>> Ciro Iriarte
>>>> http://iriarte.it
>>>> --
>>>
>>> Hi,
>>>
>>> I would use a single Lua script for all of it. I am trying to find my
>>> sample using CDB to post.
>>>
>>> Regards,
>>> Ken
>>
>> Hi!, got a proof of concept script that successfully does the CDB
>> lookup, but I'm curious about the CNAME answers, how can I call
>> another resolution iteration to find the A record for the final
>> destination?
>>
>> Currently I can only answer a CNAME record, and any attempt to reach a
>> website for example will fail with "Couldn't resolve host".
>>
>> Regards,
>>
>> --
>> Ciro Iriarte
>> http://iriarte.it
>> --
>
> Answering to myself, found the followCNAMERecords return option. It
> works to look for a regular A lookup from the CNAME result. It doesn't
> cover the case where our overwritten answer should also be blocked (the
> LUA script is not run on that iteration).
>
> Should that case be covered?, is there other return code that will
> trigger the LUA script again for the CNAME follow up?
>
> --
> Ciro Iriarte
> http://iriarte.it
> --

Got a functional pair of scripts:

http://iriarte.it/?p=316

This doesn't address yet the possibility to black list "*.offender.com", for example. Comments?

Regards,
Ciro

--
Ciro Iriarte
http://iriarte.it
--

From cmouse at youzen.ext.b2.fi Mon Oct 27 06:46:58 2014
From: cmouse at youzen.ext.b2.fi (Aki Tuomi) Date: Mon, 27 Oct 2014 08:46:58 +0200 Subject: [Pdns-users] Recursor: Black list In-Reply-To: References: <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> Message-ID: <20141027064658.GA1956@pi.ip.fi> On Mon, Oct 27, 2014 at 12:49:31AM -0300, Ciro Iriarte wrote: > 2014-10-26 1:47 GMT-03:00 Ciro Iriarte : > > 2014-10-26 1:17 GMT-03:00 Ciro Iriarte : > >> 2014-10-20 15:12 GMT-03:00 ktm at rice.edu : > >>> On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote: > >>>> 2014-10-20 13:29 GMT-03:00 Robert Mortimer : > >>>> > Hi, > >>>> > > >>>> > Just to add a bit less light, we implemented this sort of thing about 5 years back > >>>> > and now with the aid of a small script have a solution which is fully RPZ > >>>> > compatable. Using PDNS recursor and LUA, which can hadle an RPZ feed of about four > >>>> > thousand records and around 5,000 QPS. We did stress test briefly with a 11,000 item > >>>> > RPZ feed. > >>>> > > >>>> > As said no need to restart when it updates just do a LUA reload. Hopefully I > >>>> > should be able to release what we did soon - am waiting for permission from our > >>>> > legal types. > >>>> > > >>>> > Really not sure if that helps any, except to say it's very doable and can be > >>>> > quite stable. > >>>> > > >>>> > > >>>> > >>>> RPZ seem really interesting, and I see there was a request for it in > >>>> the past*. The thing is, we have direct requests from local government > >>>> agencies to ban some domains with legal issues (mandated by a judge > >>>> for example), and we were just approached about being able to block > >>>> sites from the Internet Watch Foundation black list also (with their > >>>> own landing page). Both cases will be redirected to different sites, > >>>> and each has its own data source. 
Currently on bind we just define the > >>>> domain as authoritative and it's kind of a hassle. > >>>> > >>>> Also, I thought about adding some helpful LUA bits to report date/time > >>>> or the client's IP address, but from what I understood, only one LUA > >>>> script can be added to the recursor, maybe a super monster script > >>>> could be able to achieve all that. > >>>> > >>>> > >>>> Ref: > >>>> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html > >>>> > >>>> > >>>> Regards, > >>>> -- > >>>> Ciro Iriarte > >>>> http://iriarte.it > >>>> -- > >>> > >>> Hi, > >>> > >>> I would use a single Lua script for all of it. I am trying to find my > >>> sample using CDB to post. > >>> > >>> Regards, > >>> Ken > >> > >> Hi!, got a proof of concept script that successfully does the CDB > >> lookup, but I'm curious about the CNAME answers, how can I call > >> another resolution iteration to find the A record for the final > >> destination? > >> > >> Currently I can only answer a CNAME record, and any attempt to reach a > >> website for example will fail with "Couldn't resolve host". > >> > >> Regards, > >> > >> -- > >> Ciro Iriarte > >> http://iriarte.it > >> -- > > > > Answering to myself, found the followCNAMERecords return option. It > > works to look for a regular A lookup from the CNAME result. It doesn't > > cover the case were out overwritten answer should also be blocked (the > > LUA script is not run on that iteration). > > > > Should that case be covered?, is there other return code that will > > trigger the LUA script again for the CNAME follow up? > > > > -- > > Ciro Iriarte > > http://iriarte.it > > -- > > Got a functional pair of scripts: > > http://iriarte.it/?p=316 > > This doesn't address yet the possibility to black list > "*.offender.com" por example. Comments? > > > Regards, > Ciro > > -- > Ciro Iriarte > http://iriarte.it > -- In a way i'd chosen sqlite3 instead as it is pretty much on par with cdb. 
But, to make it work properly, I'd just add "*.domain.com", and when you look up, you could reduce it like this with get():

www.my.long.name.com => NOT FOUND
*.my.long.name.com => NOT FOUND
*.long.name.com => NOT FOUND
*.name.com => FOUND

(of course you could continue with *.com and *)

Aki

From cyruspy at gmail.com Mon Oct 27 16:56:17 2014 From: cyruspy at gmail.com (Ciro Iriarte) Date: Mon, 27 Oct 2014 13:56:17 -0300 Subject: [Pdns-users] Recursor: Black list In-Reply-To: <20141027064658.GA1956@pi.ip.fi> References: <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> <20141027064658.GA1956@pi.ip.fi> Message-ID: 2014-10-27 3:46 GMT-03:00 Aki Tuomi : > > In a way i'd chosen sqlite3 instead as it is pretty much on par with cdb. > But, to make it work properly, i'd just add "*.domain.com", and when you lookup, > you could reduce it like this with get() > > www.my.long.name.com => NOT FOUND > *.my.long.name.com => NOT FOUND > *.long.name.com => NOT FOUND > *.name.com => FOUND > > ( > of course you could continue with > *.com > * > ) > > Aki Hi Aki! I couldn't find a (finished) benchmark that compares sqlite3 vs cdb directly, but the unfinished tests imply that cdb is faster. Given it's SQL, I assume we can just use a SELECT with a LIKE clause to match an "ending" in the DB against the requested fqdn; would it be faster than doing multiple cdb queries (one for each part of the requested fqdn)? Regards, -- Ciro Iriarte http://iriarte.it -- From cmouse at youzen.ext.b2.fi Mon Oct 27 17:27:15 2014
From: cmouse at youzen.ext.b2.fi (Aki Tuomi) Date: Mon, 27 Oct 2014 19:27:15 +0200 Subject: [Pdns-users] Recursor: Black list In-Reply-To: References: <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> <20141027064658.GA1956@pi.ip.fi> Message-ID: <20141027172715.GA6328@pi.ip.fi> On Mon, Oct 27, 2014 at 01:56:17PM -0300, Ciro Iriarte wrote: > 2014-10-27 3:46 GMT-03:00 Aki Tuomi : > > > > In a way i'd chosen sqlite3 instead as it is pretty much on par with cdb. > > But, to make it work properly, i'd just add "*.domain.com", and when you lookup, > > you could reduce it like this with get() > > > > www.my.long.name.com => NOT FOUND > > *.my.long.name.com => NOT FOUND > > *.long.name.com => NOT FOUND > > *.name.com => FOUND > > > > ( > > of course you could continue with > > *.com > > * > > ) > > > > Aki > > Hi Aki!, I couldn't find a (finished) benchmark that compares directly > sqlite3 vs cdb, but the unfinished tests imply that cdb is faster. > Given it's SQL I assume we can just use a SELECT with LIKE clause to > match an "ending" on the DB with the requested fqdn, would it be > faster than doing multiple cdb queries (one for each part of the > requested fqdn)? > > Regards, > > -- > Ciro Iriarte > http://iriarte.it > --

The difference, to my eyes, is the difference between

SELECT name FROM table WHERE name LIKE '%suffix';

and

SELECT name FROM table WHERE name = 'www.my.long.name.com';
SELECT name FROM table WHERE name = '*.my.long.name.com';
SELECT name FROM table WHERE name = '*.long.name.com';
SELECT name FROM table WHERE name = '*.name.com';
SELECT name FROM table WHERE name = '*.com';

(assuming you'll want to filter out, say, *.xxx)

Obviously using a suffix would require you to know what you are doing, since you'd have to know what suffix to look for, otherwise you'll end up with very unpredictable behaviour.

Consider: you have www.name.com in your blacklist, and you look for %.name.com. It'll always return a match. So it's safer to go with repeated lookups for *.parent.

Performance-wise you should consider that your most likely usage patterns are:

not blacklisted:
SELECT name FROM table WHERE name = 'www.name.com';
SELECT name FROM table WHERE name = '*.name.com';
SELECT name FROM table WHERE name = '*.com';

blacklisted:
SELECT name FROM table WHERE name = 'www.name.com';

or:
SELECT name FROM table WHERE name = 'www.name.com';
SELECT name FROM table WHERE name = '*.name.com';

To give a proper answer on whether SQLite3 or CDB is better, you'd have to run benchmark tests against these use cases, as they cover most of your situations.

Also, you might want to consider an early break on any query ending with in-addr.arpa and ip6.arpa, unless you are required to filter these too, because you can get pretty long iterations, especially with IPv6 reverses.

All in all, I'd say go with cdb, since you already have the code there and it's not a big mod to make. Just keep this in mind.

---
Aki

From ktm at rice.edu Mon Oct 27 17:58:43 2014
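The label walk Aki describes in the message above, his early break for the reverse zones, and the false positive a LIKE '%suffix' scan produces, worked through as an added Python example. It is not code from the thread or from Ciro's scripts: it models the CDB/SQLite store as a plain dict and does not touch the recursor's Lua API. The blocklist entries, landing hosts and query names (name.com, offender.com, the *.example landing hosts, the IPv6 PTR name) are constructed for illustration only.

```python
"""Blocklist lookup by label walking.

Added example, not code from the thread or from Ciro's scripts.  The dict
below stands in for the CDB or SQLite store; each membership test is one
get() against it, which is the cost the thread is weighing.
"""

# Constructed sample blocklist: exact names or "*.parent" wildcards, each
# mapped to the (constructed) landing host the blocked name is redirected to.
BLOCKLIST = {
    "www.name.com": "legal-landing.example",   # a single host
    "*.offender.com": "iwf-landing.example",   # a domain and everything below it
    "*.xxx": "legal-landing.example",          # a whole TLD
}

REVERSE_ZONES = ("in-addr.arpa", "ip6.arpa")

# Constructed 34-label IPv6 PTR name, to show why reverse zones get an early break.
IPV6_PTR = ".".join("0123456789abcdef" * 2) + ".ip6.arpa"


def normalize(qname):
    """Lower-case and drop the trailing dot so every lookup key is canonical."""
    return qname.lower().rstrip(".")


def is_reverse(name):
    """True for names at or below in-addr.arpa / ip6.arpa."""
    return any(name == z or name.endswith("." + z) for z in REVERSE_ZONES)


def candidate_keys(name):
    """Yield keys in the order Aki suggests: the exact name, then "*." plus
    each successively shorter parent, and finally the bare "*" catch-all."""
    yield name
    labels = name.split(".")
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])
    yield "*"


def lookup(qname, blocklist=BLOCKLIST, skip_reverse=True):
    """Return (matched_key, landing_host, lookups_done).

    Unmatched names return (None, None, n), where n is how many store
    lookups the walk cost: the "not blacklisted" case walks all the way
    down and is the expensive one.  Reverse names are short-circuited
    unless the operator is required to filter them as well.
    """
    name = normalize(qname)
    if skip_reverse and is_reverse(name):
        return None, None, 0
    done = 0
    for key in candidate_keys(name):
        done += 1
        if key in blocklist:
            return key, blocklist[key], done
    return None, None, done


def _bare(key):
    """Strip the "*." prefix from a wildcard key."""
    return key[2:] if key.startswith("*.") else key


def naive_suffix_scan(qname, blocklist=BLOCKLIST):
    """The LIKE '%.parent' scan Aki warns against: take the queried name's
    parent and return every entry at or under it.  With only www.name.com
    listed, a query for mail.name.com still comes back as a hit."""
    name = normalize(qname)
    parent = ".".join(name.split(".")[1:])
    return [key for key in blocklist
            if _bare(key) == parent or _bare(key).endswith("." + parent)]


def landing_conflicts(blocklist=BLOCKLIST):
    """Entries whose landing host the list itself would block.  Ciro notes
    the Lua script is not run again when the recursor follows the
    substituted CNAME, so such a landing host has to be caught before the
    list is loaded rather than at query time."""
    return sorted(key for key, landing in blocklist.items()
                  if lookup(landing, blocklist)[0] is not None)


if __name__ == "__main__":
    for q in ("www.name.com", "mail.name.com", "cdn.offender.com",
              "site.xxx", "1.0.0.127.in-addr.arpa", IPV6_PTR):
        print(q[:40], lookup(q), lookup(q, skip_reverse=False)[2])
    print("naive scan for mail.name.com:", naive_suffix_scan("mail.name.com"))
    print("landing conflicts:", landing_conflicts())
```

Running it shows the cost profile Aki lays out: a listed host costs one or two lookups, an unlisted one costs one lookup per label plus the catch-all, and the constructed IPv6 PTR name would cost 35 lookups without the reverse-zone break. The naive scan reports mail.name.com as blocked although only www.name.com is listed.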
From: ktm at rice.edu (ktm at rice.edu) Date: Mon, 27 Oct 2014 12:58:43 -0500 Subject: [Pdns-users] Recursor: Black list In-Reply-To: <20141027172715.GA6328@pi.ip.fi> References: <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> <20141027064658.GA1956@pi.ip.fi> <20141027172715.GA6328@pi.ip.fi> Message-ID: <20141027175843.GN32559@aart.rice.edu> On Mon, Oct 27, 2014 at 07:27:15PM +0200, Aki Tuomi wrote: > On Mon, Oct 27, 2014 at 01:56:17PM -0300, Ciro Iriarte wrote: > > 2014-10-27 3:46 GMT-03:00 Aki Tuomi : > > > > > > In a way i'd chosen sqlite3 instead as it is pretty much on par with cdb. > > > But, to make it work properly, i'd just add "*.domain.com", and when you lookup, > > > you could reduce it like this with get() > > > > > > www.my.long.name.com => NOT FOUND > > > *.my.long.name.com => NOT FOUND > > > *.long.name.com => NOT FOUND > > > *.name.com => FOUND > > > > > > ( > > > of course you could continue with > > > *.com > > > * > > > ) > > > > > > Aki > > > > Hi Aki!, I couldn't find a (finished) benchmark that compares directly > > sqlite3 vs cdb, but the unfinished tests imply that cdb is faster. > > Given it's SQL I assume we can just use a SELECT with LIKE clause to > > match an "ending" on the DB with the requested fqdn, would it be > > faster than doing multiple cdb queries (one for each part of the > > requested fqdn)? 
> > > > Regards, > > > > -- > > Ciro Iriarte > > http://iriarte.it > > -- > > > > The difference, to my eyes, is the diference between > > SELECT name FROM table WHERE name LIKE '%suffix'; > > and > > SELECT name FROM table WHERE name = 'www.my.long.name.com'; > SELECT name FROM table WHERE name = '*.my.long.name.com'; > SELECT name FROM table WHERE name = '*.long.name.com'; > SELECT name FROM table WHERE name = '*.name.com'; > SELECT name FROM table WHERE name = '*.com'; > > (assuming you'll want to filter out, say, *.xxx) > > Obviously using suffix would require you to know what you are > doing, since you'd have to know what suffix to look for, otherwise > you'll end up with very unpredicable behaviour. > > Consider, you have www.name.com in your blacklist, you'll look for > %.name.com. It'll always return match. So it's safer to go with > repeated lookups for *.parent. > > Performance-wise you should consider that your most likely usage > patterns are, > > not blacklisted: > SELECT name FROM table WHERE name = 'www.name.com'; > SELECT name FROM table WHERE name = '*.name.com'; > SELECT name FROM table WHERE name = '*.com'; > > blacklisted: > SELECT name FROM table WHERE name = 'www.name.com'; > > or: > SELECT name FROM table WHERE name = 'www.name.com'; > SELECT name FROM table WHERE name = '*.name.com'; > > > to give proper answer whether SQLite3 or CDB is better, you'd have to > run benchmark tests against these use cases as they cover most of your > situations. > > Also, you might want to consider early-break on any query ending with > in-addr.arpa and i6.arpa, unless you are required to filter these too, > because you can get pretty long iterations especially with IPv6 reverses. > > All in all, i'd say go with cdb, since you already have the code there > and it's not a big mod to make. Just keep this is mind. > > --- > Aki > Hi, CDB is a very simple key/value store. I would expect it to blow the doors off SQLite for simple lookups. 
In addition, the size of the library is much, much smaller for CDB (20k) than for SQLite (400k), which means that it should need far fewer resources and produce a lighter-weight Lua process. Since the logic is mainly in the Lua function and the DB backend, the simple CDB key/value store should perform better per amount of resources used. Regards, Ken From cmouse at youzen.ext.b2.fi Mon Oct 27 18:28:21 2014
From: cmouse at youzen.ext.b2.fi (Aki Tuomi) Date: Mon, 27 Oct 2014 20:28:21 +0200 Subject: [Pdns-users] Recursor: Black list In-Reply-To: <20141027175843.GN32559@aart.rice.edu> References: <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> <20141027064658.GA1956@pi.ip.fi> <20141027172715.GA6328@pi.ip.fi> <20141027175843.GN32559@aart.rice.edu> Message-ID: <20141027182821.GA6359@pi.ip.fi> On Mon, Oct 27, 2014 at 12:58:43PM -0500, ktm at rice.edu wrote: > On Mon, Oct 27, 2014 at 07:27:15PM +0200, Aki Tuomi wrote: > > On Mon, Oct 27, 2014 at 01:56:17PM -0300, Ciro Iriarte wrote: > > > 2014-10-27 3:46 GMT-03:00 Aki Tuomi : > > > > > > > > In a way i'd chosen sqlite3 instead as it is pretty much on par with cdb. > > > > But, to make it work properly, i'd just add "*.domain.com", and when you lookup, > > > > you could reduce it like this with get() > > > > > > > > www.my.long.name.com => NOT FOUND > > > > *.my.long.name.com => NOT FOUND > > > > *.long.name.com => NOT FOUND > > > > *.name.com => FOUND > > > > > > > > ( > > > > of course you could continue with > > > > *.com > > > > * > > > > ) > > > > > > > > Aki > > > > > > Hi Aki!, I couldn't find a (finished) benchmark that compares directly > > > sqlite3 vs cdb, but the unfinished tests imply that cdb is faster. > > > Given it's SQL I assume we can just use a SELECT with LIKE clause to > > > match an "ending" on the DB with the requested fqdn, would it be > > > faster than doing multiple cdb queries (one for each part of the > > > requested fqdn)? 
> > > > > > Regards, > > > > > > -- > > > Ciro Iriarte > > > http://iriarte.it > > > -- > > > > > > > The difference, to my eyes, is the diference between > > > > SELECT name FROM table WHERE name LIKE '%suffix'; > > > > and > > > > SELECT name FROM table WHERE name = 'www.my.long.name.com'; > > SELECT name FROM table WHERE name = '*.my.long.name.com'; > > SELECT name FROM table WHERE name = '*.long.name.com'; > > SELECT name FROM table WHERE name = '*.name.com'; > > SELECT name FROM table WHERE name = '*.com'; > > > > (assuming you'll want to filter out, say, *.xxx) > > > > Obviously using suffix would require you to know what you are > > doing, since you'd have to know what suffix to look for, otherwise > > you'll end up with very unpredicable behaviour. > > > > Consider, you have www.name.com in your blacklist, you'll look for > > %.name.com. It'll always return match. So it's safer to go with > > repeated lookups for *.parent. > > > > Performance-wise you should consider that your most likely usage > > patterns are, > > > > not blacklisted: > > SELECT name FROM table WHERE name = 'www.name.com'; > > SELECT name FROM table WHERE name = '*.name.com'; > > SELECT name FROM table WHERE name = '*.com'; > > > > blacklisted: > > SELECT name FROM table WHERE name = 'www.name.com'; > > > > or: > > SELECT name FROM table WHERE name = 'www.name.com'; > > SELECT name FROM table WHERE name = '*.name.com'; > > > > > > to give proper answer whether SQLite3 or CDB is better, you'd have to > > run benchmark tests against these use cases as they cover most of your > > situations. > > > > Also, you might want to consider early-break on any query ending with > > in-addr.arpa and i6.arpa, unless you are required to filter these too, > > because you can get pretty long iterations especially with IPv6 reverses. > > > > All in all, i'd say go with cdb, since you already have the code there > > and it's not a big mod to make. Just keep this is mind. 
> > > > --- > > Aki > > > > Hi, > > CDB is a very simple key/value store. I would expect it to blow the > doors off SQLite for simple lookups. In addition, the size of the > library is much, much smaller for CDB (20k) than for SQLite (400k), > which means that it should need much fewer resources and produce > a lighter weight Lua process. Since the logic is mainly in the Lua > function and the the DB backend, the simple CDB key/value store > should perform better per amount of resources used. > > Regards, > Ken > Ken, you are right. Thank you for pointing this out. Aki From cyruspy at gmail.com Wed Oct 29 04:16:46 2014 
From: cyruspy at gmail.com (Ciro Iriarte) Date: Wed, 29 Oct 2014 01:16:46 -0300 Subject: [Pdns-users] Recursor: Black list In-Reply-To: <20141027172715.GA6328@pi.ip.fi> References: <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> <20141027064658.GA1956@pi.ip.fi> <20141027172715.GA6328@pi.ip.fi> Message-ID: 2014-10-27 14:27 GMT-03:00 Aki Tuomi : > On Mon, Oct 27, 2014 at 01:56:17PM -0300, Ciro Iriarte wrote: >> 2014-10-27 3:46 GMT-03:00 Aki Tuomi : >> > >> > In a way i'd chosen sqlite3 instead as it is pretty much on par with cdb. >> > But, to make it work properly, i'd just add "*.domain.com", and when you lookup, >> > you could reduce it like this with get() >> > >> > www.my.long.name.com => NOT FOUND >> > *.my.long.name.com => NOT FOUND >> > *.long.name.com => NOT FOUND >> > *.name.com => FOUND >> > >> > ( >> > of course you could continue with >> > *.com >> > * >> > ) >> > >> > Aki >> >> Hi Aki!, I couldn't find a (finished) benchmark that compares directly >> sqlite3 vs cdb, but the unfinished tests imply that cdb is faster. >> Given it's SQL I assume we can just use a SELECT with LIKE clause to >> match an "ending" on the DB with the requested fqdn, would it be >> faster than doing multiple cdb queries (one for each part of the >> requested fqdn)? 
>> >> Regards, >> >> -- >> Ciro Iriarte >> http://iriarte.it >> -- >> > > The difference, to my eyes, is the diference between > > SELECT name FROM table WHERE name LIKE '%suffix'; > > and > > SELECT name FROM table WHERE name = 'www.my.long.name.com'; > SELECT name FROM table WHERE name = '*.my.long.name.com'; > SELECT name FROM table WHERE name = '*.long.name.com'; > SELECT name FROM table WHERE name = '*.name.com'; > SELECT name FROM table WHERE name = '*.com'; > > (assuming you'll want to filter out, say, *.xxx) > > Obviously using suffix would require you to know what you are > doing, since you'd have to know what suffix to look for, otherwise > you'll end up with very unpredicable behaviour. > > Consider, you have www.name.com in your blacklist, you'll look for > %.name.com. It'll always return match. So it's safer to go with > repeated lookups for *.parent. > > Performance-wise you should consider that your most likely usage > patterns are, > > not blacklisted: > SELECT name FROM table WHERE name = 'www.name.com'; > SELECT name FROM table WHERE name = '*.name.com'; > SELECT name FROM table WHERE name = '*.com'; > > blacklisted: > SELECT name FROM table WHERE name = 'www.name.com'; > > or: > SELECT name FROM table WHERE name = 'www.name.com'; > SELECT name FROM table WHERE name = '*.name.com'; > > > to give proper answer whether SQLite3 or CDB is better, you'd have to > run benchmark tests against these use cases as they cover most of your > situations. > > Also, you might want to consider early-break on any query ending with > in-addr.arpa and i6.arpa, unless you are required to filter these too, > because you can get pretty long iterations especially with IPv6 reverses. > > All in all, i'd say go with cdb, since you already have the code there > and it's not a big mod to make. Just keep this is mind. > > --- > Aki Thanks a lot for the suggestions, got a new version at http://iriarte.it/?p=348, it apparently works fine. Anybody would care to benchmark it? 
:) Regards, -- Ciro Iriarte http://iriarte.it -- From peter.van.dijk at netherlabs.nl Thu Oct 30 13:26:33 2014 
From: peter.van.dijk at netherlabs.nl (Peter van Dijk) Date: Thu, 30 Oct 2014 14:26:33 +0100 Subject: [Pdns-users] PowerDNS Authoritative Server 3.4.1 released Message-ID: <85E96EFF-9E89-43F1-80DD-2A70CB408297@netherlabs.nl> Hi everybody, PowerDNS Authoritative Server 3.4.1 is now available! 3.4.1 is the best version of the PowerDNS Authoritative Server currently available, and we recommend upgrading to it. Please read http://doc.powerdns.com/html/from3.3.1to3.4.0.html before you do, however! Please see http://doc.powerdns.com/html/changelog.html#changelog-auth-3.4.1 for full release notes and all download links.

You can get PowerDNS 3.4.1 from:
http://downloads.powerdns.com/releases/pdns-3.4.1.tar.bz2
http://downloads.powerdns.com/releases/deb/pdns-static_3.4.1-1_i386.deb
http://downloads.powerdns.com/releases/deb/pdns-static_3.4.1-1_amd64.deb
http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.1-1.i386.rpm
http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.1-1.x86_64.rpm

These files also come with GPG signatures (append .sig or .asc). Additionally, Kees Monshouwer has kindly provided native builds for RHEL/CentOS 5 and 6 at http://www.monshouwer.eu/download/3rd_party/pdns-server/

This is a bugfix update to 3.4.0 and any earlier version. Changes since 3.4.0:
* commit dcd6524, commit a8750a5, commit 7dc86bf, commit 2fda71f: PowerDNS now polls the security status of a release at startup and periodically. More detail on this feature, and how to turn it off, can be found in Section 2, "Security polling".
* commit 5fe6dc0: API: Replace HTTP Basic auth with static key in custom header (X-API-Key)
* commit 4a95ab4: Use transaction for pdnssec increase-serial
* commit 6e82a23: Don't empty ordername during pdnssec increase-serial
* commit 535f4e3: honor SOA-EDIT while considering "empty IXFR" fallback, fixes ticket 1835. This fixes slaving of signed zones to IXFR-aware slaves like NSD or BIND.
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 841 bytes Desc: Message signed with OpenPGP using GPGMail URL: From peter.van.dijk at netherlabs.nl Thu Oct 30 13:27:50 2014 
From: peter.van.dijk at netherlabs.nl (Peter van Dijk) Date: Thu, 30 Oct 2014 14:27:50 +0100 Subject: [Pdns-users] PowerDNS Recursor 3.6.2 released Message-ID: <59F9179E-AD76-45A8-965E-087575387924@netherlabs.nl> Hi everybody, version 3.6.2 of the PowerDNS Recursor is now available from https://www.powerdns.com/downloads.html Kees Monshouwer provides native RHEL5/6 packages at http://www.monshouwer.eu/download/3rd_party/pdns-recursor/ Full release notes, with clickable links, are available from: http://doc.powerdns.com/html/changelog.html#changelog-recursor-3.6.2 3.6.2 is the best version of the PowerDNS Recursor currently available, and we recommend upgrading to it.

This is a bugfix update to 3.6.1. A list of changes since 3.6.1 follows.
* gab14b4f: expedite servfail generation for ezdns-like failures (fully abort query resolving if we hit more than 50 outqueries)
* g42025be: PowerDNS now polls the security status of a release at startup and periodically. More detail on this feature, and how to turn it off, can be found in Section 2, "Security polling".
* g5027429: We did not transmit the right 'local' socket address to Lua for TCP/IP queries in the recursor. In addition, we would attempt to look up a file descriptor that wasn't there in an unlocked map, which could conceivably lead to crashes. Closes t1828, thanks Winfried for reporting
* g752756c: Sync embedded yahttp copy. API: Replace HTTP Basic auth with static key in custom header
* g6fdd40d: add missing #include to rec-channel.hh (this fixes building on OS X).

-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 841 bytes Desc: Message signed with OpenPGP using GPGMail URL: From cmeerw at cmeerw.org Thu Oct 30 14:03:01 2014
From: cmeerw at cmeerw.org (Christof Meerwald) Date: Thu, 30 Oct 2014 15:03:01 +0100 Subject: [Pdns-users] PowerDNS Authoritative Server 3.4.1 released In-Reply-To: <85E96EFF-9E89-43F1-80DD-2A70CB408297@netherlabs.nl> References: <85E96EFF-9E89-43F1-80DD-2A70CB408297@netherlabs.nl> Message-ID: <20141030140300.GA7526@edge.cmeerw.net> On Thu, 30 Oct 2014 14:26:33 +0100, Peter van Dijk wrote: > PowerDNS Authoritative Server 3.4.1 is now available! Bit of a shame that this doesn't seem to address http://mailman.powerdns.com/pipermail/pdns-users/2014-October/010950.html Christof -- http://cmeerw.org sip:cmeerw at cmeerw.org mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org From peter.van.dijk at netherlabs.nl Thu Oct 30 15:40:59 2014 From: peter.van.dijk at netherlabs.nl (Peter van Dijk) Date: Thu, 30 Oct 2014 16:40:59 +0100 Subject: [Pdns-users] PowerDNS Authoritative Server 3.4.1 released In-Reply-To: <20141030140300.GA7526@edge.cmeerw.net> References: <85E96EFF-9E89-43F1-80DD-2A70CB408297@netherlabs.nl> <20141030140300.GA7526@edge.cmeerw.net> Message-ID: Hello Christof, On 30 Oct 2014, at 15:03 , Christof Meerwald wrote: > On Thu, 30 Oct 2014 14:26:33 +0100, Peter van Dijk wrote: >> PowerDNS Authoritative Server 3.4.1 is now available! > > Bit of a shame that this doesn't seem to address > http://mailman.powerdns.com/pipermail/pdns-users/2014-October/010950.html Our apologies for letting that slip by. We strongly recommend filing a Pull Request at GitHub so we have all patches in one place. Sorry! Kind regards, -- Peter van Dijk Netherlabs Computer Consulting BV - http://www.netherlabs.nl/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 841 bytes Desc: Message signed with OpenPGP using GPGMail URL: From zozo at z0z0.tk Wed Oct 1 09:33:06 2014
From: zozo at z0z0.tk (Keresztes Péter-Zoltán) Date: Wed, 1 Oct 2014 12:33:06 +0300 Subject: [Pdns-users] pdnssec error after update In-Reply-To: <006f01cfdd59$c10bfd50$4323f7f0$@gmail.com> References: <006b01cfdd56$58da9640$0a8fc2c0$@gmail.com> <20141001092236.GA2620@pi.ip.fi> <006d01cfdd59$aead3b10$0c07b130$@gmail.com> <006f01cfdd59$c10bfd50$4323f7f0$@gmail.com> Message-ID: <5CD94EC6-9948-4629-9FAB-3C39016841D0@z0z0.tk> Look in /etc/powerdns; you should have a pdns.rpmsave file, which would be the old config file. On Oct 1, 2014, at 12:26 PM, Steffan Noord wrote: > OK, thanks > > Just a side note > Tonight my server was upgraded with yum. > The config file was replaced and all mysql settings were gone. > The only settings that were set: > > setuid=pdns > setgid=pdns > launch=bind > > > > -----Original message----- > From: Aki Tuomi [mailto:cmouse at youzen.ext.b2.fi] > Sent: Wednesday 1 October 2014 11:23 > To: Steffan Noord > CC: pdns-users at mailman.powerdns.com > Subject: Re: [Pdns-users] pdnssec error after update > > On Wed, Oct 01, 2014 at 11:01:53AM +0200, Steffan Noord wrote: >> >> wildcard-url is removed. >> Is there now no way to make a wildcard in the dns ? >> >> Thanks >> >> Steffan >> > > This feature has nothing to do with wildcard DNS, which works just as before. > > Aki > > > > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users From steffannoord at gmail.com Thu Oct 2 13:09:40 2014
From: steffannoord at gmail.com (Steffan Noord) Date: Thu, 2 Oct 2014 15:09:40 +0200 Subject: [Pdns-users] PowerDNS Server 3.4.0 cron problem Message-ID: <003001cfde42$20f52be0$62df83a0$@gmail.com> Hello, I have a strange problem. I have a php script that also signs the domains with dnssec. After upgrading to pdns 3.4 the script is not signing the domains anymore. When I run the script from the command line it works fine. Just not when using cron. The cron error is: Error: No database backends configured for launch, unable to function The line I execute through cron and through the command line: /usr/bin/php --define "open_basedir=/" /home/sites/......./registrations_execute.php Any ideas? Steffan From bert.hubert at netherlabs.nl Thu Oct 2 13:23:22 2014 From: bert.hubert at netherlabs.nl (bert hubert) Date: Thu, 2 Oct 2014 15:23:22 +0200 Subject: [Pdns-users] PowerDNS Server 3.4.0 cron problem In-Reply-To: <003001cfde42$20f52be0$62df83a0$@gmail.com> References: <003001cfde42$20f52be0$62df83a0$@gmail.com> Message-ID: <20141002132321.GA17582@xs.powerdns.com> On Thu, Oct 02, 2014 at 03:09:40PM +0200, Steffan Noord wrote: > Hello, > > I have a strange problem. > I have a php script that also signs the domains with dnssec. > After upgrading to pdns 3.4 the script is not signing the domains anymore > When I run the script from the command line it works fine. > Just not when using cron. > The cron error is: Error: No database backends configured for launch, unable > to function This probably means it hasn't read the configuration file. Perhaps it is not accessible to the CRON user? Bert From steffannoord at gmail.com Thu Oct 2 13:33:36 2014
From: steffannoord at gmail.com (Steffan Noord) Date: Thu, 2 Oct 2014 15:33:36 +0200 Subject: [Pdns-users] PowerDNS Server 3.4.0 cron problem In-Reply-To: <20141002132321.GA17582@xs.powerdns.com> References: <003001cfde42$20f52be0$62df83a0$@gmail.com> <20141002132321.GA17582@xs.powerdns.com> Message-ID: <003201cfde45$78d7c4f0$6a874ed0$@gmail.com> -rw------- 1 root root 13284 Oct 1 11:07 pdns.conf That was the right answer! Thanks -----Original message----- From: bert hubert [mailto:bert.hubert at netherlabs.nl] Sent: Thursday 2 October 2014 15:23 To: Steffan Noord CC: pdns-users at mailman.powerdns.com Subject: Re: [Pdns-users] PowerDNS Server 3.4.0 cron problem On Thu, Oct 02, 2014 at 03:09:40PM +0200, Steffan Noord wrote: > Hello, > > I have a strange problem. > I have a php script that also signs the domains with dnssec. > After upgrading to pdns 3.4 the script is not signing the domains > anymore When I run the script from the command line it works fine. > Just not when using cron. > The cron error is: Error: No database backends configured for launch, > unable to function This probably means it hasn't read the configuration file. Perhaps it is not accessible to the CRON user? Bert From ppcharli at gmail.com Fri Oct 3 11:08:43 2014 From: ppcharli at gmail.com (Pepe Charli) Date: Fri, 3 Oct 2014 13:08:43 +0200 Subject: [Pdns-users] PowerDNS Web Control Panel Message-ID: Hello, Is "PowerDNS Web Control Panel" production ready? Thanks, From fclaire at free.fr Fri Oct 3 11:47:18 2014 From: fclaire at free.fr (Francois Claire) Date: Fri, 03 Oct 2014 13:47:18 +0200 Subject: [Pdns-users] PowerDNS Web Control Panel In-Reply-To: References: Message-ID: <542E8CC6.1040304@free.fr> Are you talking about poweradmin? -> http://www.poweradmin.org From ppcharli at gmail.com Fri Oct 3 11:55:41 2014
From: ppcharli at gmail.com (Pepe Charli)
Date: Fri, 3 Oct 2014 13:55:41 +0200
Subject: [Pdns-users] PowerDNS Web Control Panel
In-Reply-To: <542E8CC6.1040304@free.fr>
References: <542E8CC6.1040304@free.fr>
Message-ID:

No.

https://github.com/PowerDNS/pdnscontrol

2014-10-03 13:47 GMT+02:00 Francois Claire :
> Are you talking about poweradmin ? -> http://www.poweradmin.org

From vovdts at gmail.com Sat Oct 4 18:05:41 2014
From: vovdts at gmail.com (me ich)
Date: Sat, 4 Oct 2014 20:05:41 +0200
Subject: [Pdns-users] PDNSControl + uwsgi + nginx in a subdirectory, docs?
Message-ID:

Hello dear PowerDNS Community,

right now I am playing, or at least trying to, with pdnscontrol as the update to PowerDNS 3.4 is obvious...
I would like to run it under the aforementioned set-up that consists of nginx and uwsgi.
For this I would like some help - as there are no (I found none) docs or howtos.
Does anyone have some advice, maybe some configuration files I can use for this?

Thank you in advance, & kind regards,
-Paul Wats

From roblocke at gmail.com Tue Oct 7 17:03:12 2014
From: roblocke at gmail.com (Rob)
Date: Tue, 7 Oct 2014 10:03:12 -0700 (MST)
Subject: [Pdns-users] PDNS for a TLD...
Message-ID: <1412701392138-11022.post@n7.nabble.com>

Hi,

We are rebuilding the registrar for a TLD which we fully control (let's call it .foo) and are looking at using PowerDNS. I have a couple of questions, some of which may not be specific to PowerDNS, but I hope the group doesn't mind if I ask them anyways:

1) I'm assuming every domain (eg, somedomain.foo) will require an SOA record. Is it required that the TLD (ie, "foo") also have an SOA record?

2) Assuming the owner of "somedomain.foo" chooses to use their own (custom) nameservers, and a request is made for, say, the A record of "www.somedomain.foo", how is our nameserver expected to respond? Should it reply with the custom NS records? Or, in the course of resolving "www.somedomain.foo", will there somehow be a request for the NS records of "somedomain.foo"? If PowerDNS is expected to respond with the custom nameservers for an A record it doesn't know about, how do I set up PDNS to do that?

Thanks for any help you can offer,
Rob

--
View this message in context: http://powerdns.13854.n7.nabble.com/PDNS-for-a-TLD-tp11022.html
Sent from the PowerDNS mailing list archive at Nabble.com.

From ahodgson at simkin.ca Tue Oct 7 17:25:23 2014
From: ahodgson at simkin.ca (Alan Hodgson)
Date: Tue, 07 Oct 2014 10:25:23 -0700
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To: <1412701392138-11022.post@n7.nabble.com>
References: <1412701392138-11022.post@n7.nabble.com>
Message-ID: <2633701.8eu60p00pD@skynet.simkin.ca>

On Tuesday, October 07, 2014 10:03:12 AM Rob wrote:
> 2) Assuming the owner of "somedomain.foo" chooses to use their own
> (custom) nameservers, and a request is made for, say, the A record of
> "www.somedomain.foo", how is our nameserver expected to respond? Should it
> reply with the custom NS records? Or, in the course of resolving
> "www.somedomain.foo", will there somehow be a request for the NS records of
> "somedomain.foo"? If PowerDNS is expected to respond with the custom
> nameservers for an A record it doesn't know about, how do I set up PDNS to do
> that?

For name servers within your TLD, you do need to serve glue A records as well as NS delegations. Registries generally refer to that as registering name servers, and registrars provide tools to do so.

From vovdts at gmail.com Tue Oct 7 17:42:51 2014
From: vovdts at gmail.com (P W)
Date: Tue, 07 Oct 2014 19:42:51 +0200
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To: <1412701392138-11022.post@n7.nabble.com>
References: <1412701392138-11022.post@n7.nabble.com>
Message-ID: <5434261B.2080606@gmail.com>

Hello Rob,

> 1) I'm assuming every domain (eg, somedomain.foo) will require an SOA
> record. Is it required that the TLD (ie, "foo") also have an SOA record?

Of course you will require a SOA (Start of Authority) for the .foo zone. Be RFC compliant. This is very important if you change records of your name server and want that other name servers, especially those which are resolving, know that changes were made.

> 2) Assuming the owner of "somedomain.foo" chooses to use their own
> (custom) nameservers, and a request is made for, say, the A record of
> "www.somedomain.foo", how is our nameserver expected to respond? Should it
> reply with the custom NS records? Or, in the course of resolving
> "www.somedomain.foo", will there somehow be a request for the NS records of
> "somedomain.foo"? If PowerDNS is expected to respond with the custom
> nameservers for an A record it doesn't know about, how do I set up PDNS to do
> that?

You can simply delegate DNS queries to other name servers via the NS records. This could look like this in your .foo name server:

somedomain.foo. TTL IN NS ns1.customer-dns.tld
somedomain.foo. TTL IN NS ns2.customer-dns.tld

and so on...

Your .foo name server then simply delegates to those name servers set in the NS records.

The way/route how DNS looks for information is this one, where . is the root zone:

. -> foo -> somedomain -> www

This gives you www.somedomain.foo. In your case your .foo name server will delegate the query to the name servers of f.e. your customers.

I hope this helps you a little bit.

Kind Regards,
Paul Wats

From roblocke at gmail.com Wed Oct 8 04:02:42 2014
From: roblocke at gmail.com (Rob)
Date: Tue, 7 Oct 2014 21:02:42 -0700 (MST)
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To: <5434261B.2080606@gmail.com>
References: <1412701392138-11022.post@n7.nabble.com> <5434261B.2080606@gmail.com>
Message-ID: <1412740962597-11025.post@n7.nabble.com>

Hi guys,

(I'm not sure if my email reply made it out, since it's not appearing in the archive. My apologies if you're receiving this twice.)

I really appreciate the responses from everyone so far. One thing I forgot to mention is that I'm using the MySQL backend. So, if I understand correctly:

* We'll need an SOA record for "foo". For example:
(name, type, content, ttl) = ('foo', 'SOA', 'ns01.dns.foo admin.dns.foo 1 10800 3600 694800 3600', 86400)

* For domains which use *custom* nameservers, we only need to include the NS records for purposes of delegation. For example, for "blah.foo":
(name, type, content, ttl) = ('blah.foo', 'NS', 'dns01.customdns.com', 3600)
(name, type, content, ttl) = ('blah.foo', 'NS', 'dns02.customdns.com', 3600)
We'll also need glue records if the nameservers are within "blah.foo".

* But, for domains which use *our* name servers (with a web interface for managing records), we'll need an SOA record in addition to NS records pointing to our name servers. For example, for "something.foo":
(name, type, content, ttl) = ('something.foo', 'SOA', 'ns01.dns.foo admin.dns.foo 1 10800 3600 694800 3600', 86400)
(name, type, content, ttl) = ('something.foo', 'NS', 'ns01.dns.foo', 3600)
(name, type, content, ttl) = ('something.foo', 'NS', 'ns02.dns.foo', 3600)
And a sample record for good measure:
(name, type, content, ttl) = ('www.something.foo', 'A', '123.123.123.123', 3600)

Did I get that right? Or am I more confused than ever?

Thanks!
Rob

From cyruspy at gmail.com Fri Oct 10 19:20:09 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Fri, 10 Oct 2014 16:20:09 -0300
Subject: [Pdns-users] powerdns-recursor: ERROR: can't parse argument ' DS:outQ_all:DERIVE:600:0:125000000000'
Message-ID:

Hi!, does anybody know if something changed with the PowerDNS Recursor support? I'm trying to add a host and it's giving me this error:

powerdns-recursor ERROR: can't parse argument ' DS:outQ_all:DERIVE:600:0:125000000000'

Observium v0.13.10.4586

Regards,

--
Ciro Iriarte
http://iriarte.it
--

From cyruspy at gmail.com Fri Oct 10 19:39:24 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Fri, 10 Oct 2014 16:39:24 -0300
Subject: [Pdns-users] Statistics with Observium
Message-ID:

Hi!, does anybody happen to collect stats with Observium? Apparently in the past it had support for both the Authoritative and Recursive servers but as of today it's not working with Recursor 3.6.1.

Ideas, comments?

Regards,

--
Ciro Iriarte
http://iriarte.it
--

From mark at streamservice.nl Sat Oct 11 12:50:52 2014
From: mark at streamservice.nl (Mark Scholten)
Date: Sat, 11 Oct 2014 14:50:52 +0200
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To: <1412740962597-11025.post@n7.nabble.com>
References: <1412701392138-11022.post@n7.nabble.com> <5434261B.2080606@gmail.com> <1412740962597-11025.post@n7.nabble.com>
Message-ID: <099301cfe551$fd8a6190$f89f24b0$@streamservice.nl>

Hello Rob,
> From: pdns-users-bounces at mailman.powerdns.com [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of Rob
> Sent: 08 October, 2014 6:03
>
> Hi guys,
>
> (I'm not sure if my email reply made it out, since it's not appearing in the
> archive. My apologies if you're receiving this twice.)
>
> I really appreciate the responses from everyone so far. One thing I forgot to
> mention is that I'm using the MySQL backend. So, if I understand
> correctly:
>
> * We'll need an SOA record for "foo". For example:
> (name, type, content, ttl) =
> ('foo', 'SOA', 'ns01.dns.foo admin.dns.foo 1 10800 3600 694800 3600', 86400)

Yes, this is what you need.

> * For domains which use *custom* nameservers, we only need to include the
> NS records for purposes of delegation. For example, for "blah.foo":
> (name, type, content, ttl) =
> ('blah.foo', 'NS', 'dns01.customdns.com', 3600)
>
> (name, type, content, ttl) =
> ('blah.foo', 'NS', 'dns02.customdns.com', 3600)
>
> We'll also need glue records if the nameservers are within "blah.foo".

Yes this is correct, they are located in the foo zone (same domain_id as the SOA record mentioned earlier).

> * But, for domains which use *our* name servers (with a web interface for
> managing records), we'll need an SOA record in addition to NS records
> pointing to our name servers. For example, for "something.foo":
> (name, type, content, ttl) =
> ('something.foo', 'SOA', 'ns01.dns.foo admin.dns.foo 1 10800 3600 694800 3600', 86400)
>
> (name, type, content, ttl) =
> ('something.foo', 'NS', 'ns01.dns.foo', 3600)
>
> (name, type, content, ttl) =
> ('something.foo', 'NS', 'ns02.dns.foo', 3600)
>
> And a sample record for good measure:
> (name, type, content, ttl) =
> ('www.something.foo', 'A', '123.123.123.123', 3600)
>
>
> Did I get that right? Or am I more confused than ever?

This is an option. However depending on the number of records and your needs it might be easier to:
A. include the records directly in the foo zone without adding a separate zone (with its own SOA records and NS records)
OR
B. put them on separate name servers

Don't forget that you need to add NS records to the foo zone for the domain and in the domain zone. For this you can also check the domain_id field.

Do you want to also support DNSsec? This is possible with PowerDNS, you need to add DS records for the domains. If you provide an EPP service to your customers/registrars this is easy as they can provide the DS records. It would be a nice service to verify the DS records at the time they are provided to see if they match and if not return an error or warning.

Let us know if you have other questions.

Kind regards,
Mark Scholten

From sfrost at snowman.net Sat Oct 11 19:37:55 2014
From: sfrost at snowman.net (Stephen Frost)
Date: Sat, 11 Oct 2014 15:37:55 -0400
Subject: [Pdns-users] Duplicate RRs in records table
In-Reply-To: <0E1BE1A8-4F0E-4CE0-A02B-AA18866C745F@netherlabs.nl>
References: <53B51C97.8060104@pernau.at> <53B52BE4.5000606@pernau.at> <53B5462D.6090908@pernau.at> <20140703125630.GX28527@aart.rice.edu> <53B562FB.7090809@pernau.at> <0E1BE1A8-4F0E-4CE0-A02B-AA18866C745F@netherlabs.nl>
Message-ID: <20141011193755.GS28859@tamriel.snowman.net>

* Peter van Dijk (peter.van.dijk at netherlabs.nl) wrote:
> On 03 Jul 2014, at 16:04 , Klaus Darilion wrote:
> > I also think that performing multiple transfers for the same zone should
> > be avoided in the application.
>
> Please file a ticket at https://github.com/PowerDNS/pdns/issues/new so we don't forget!

This doesn't appear to have been addressed in 3.4.0- was the bug ever submitted and is there a plan to fix it..?

Thanks!

Stephen

From pdns at unicycle.net Sun Oct 12 22:36:39 2014
From: pdns at unicycle.net (Leo Vandewoestijne)
Date: Sun, 12 Oct 2014 22:36:39 +0000
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To:
References:
Message-ID: <20141012223639.GA79417@relay7.ucia.gov>

> From: "Mark Scholten"
> Subject: Re: [Pdns-users] PDNS for a TLD...
>
> Don't forget that you need to add NS records to the foo zone for the domain and in the domain zone.

Not true per se; only if you delegate "something.foo".
And, even "dns.foo" doesn't have to be delegated.

Practical example? Check `dig +trace @8.8.8.8 a.fi soa`

So in "untechnical", "policywise" language:
do you need to delegate authority ...?
If not, then maybe keep it simple (whichever method that is).

Leo Vandewoestijne

--
Sent from my Google Glass

From roblocke at gmail.com Mon Oct 13 05:45:30 2014
From: roblocke at gmail.com (Rob)
Date: Sun, 12 Oct 2014 22:45:30 -0700 (MST)
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To: <099301cfe551$fd8a6190$f89f24b0$@streamservice.nl>
References: <1412701392138-11022.post@n7.nabble.com> <5434261B.2080606@gmail.com> <1412740962597-11025.post@n7.nabble.com> <099301cfe551$fd8a6190$f89f24b0$@streamservice.nl>
Message-ID: <7C7B6DD4-54FE-4DE0-88E2-EB0AC4004417@gmail.com>

Hi,

> > * For domains which use *custom* nameservers, we only need to include the
> > NS records for purposes of delegation. For example, for "blah.foo":
>
> Yes this is correct, they are located in the foo zone (same domain_id as the SOA record mentioned earlier).

Thanks for mentioning that explicitly. It is an important point which I failed to mention in my email.

> > * But, for domains which use *our* name servers (with a web interface for
> > managing records), we'll need an SOA record in addition to NS records
> > pointing to our name servers. For example, for "something.foo":
> > ...
>
> This is an option. However depending on the number of records and your needs it might be easier to:
> A. include the records directly in the foo zone without adding a separate zone (with its own SOA records and NS records)
> OR
> B. put them on separate name servers

Since we might have a number of customers managing their own records, I'm thinking it might be cleanest for each of them to have their own SOA/NS records. Then look at option B in the future.

> Don't forget that you need to add NS records to the foo zone for the domain and in the domain zone. For this you can also check the domain_id field.

Right now, for customers using *our* name servers, I only have SOA/NS records in the domain zone (along with whatever other records they create). Do I really need to duplicate the NS records for the domain in the foo zone? (For delegated domains, I have the NS records in the foo zone as you recommended.)

> Do you want to also support DNSsec? This is possible with PowerDNS, you need to add DS records for the domains. If you provide an EPP service to your customers/registrars this is easy as they can provide the DS records. It would be a nice service to verify the DS records at the time they are provided to see if they match and if not return an error or warning.

This is in the cards. I'm sure I'll have more questions about DNSsec soon! =)

Thanks,
Rob

From roblocke at gmail.com Mon Oct 13 05:51:13 2014
From: roblocke at gmail.com (Rob)
Date: Sun, 12 Oct 2014 22:51:13 -0700 (MST)
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To: <20141012223639.GA79417@relay7.ucia.gov>
References: <1412701392138-11022.post@n7.nabble.com> <20141012223639.GA79417@relay7.ucia.gov>
Message-ID:

Hi,

> So in "untechnical", "policywise" language:
> do you need to delegate authority ...?
> If not, then maybe keep it simple (whichever method that is).

In some cases, we'll be delegating authority, so we'll simply have the domain NS records in the foo zone, nothing else.

In other cases, customers will be using our nameservers, so we'll have the SOA/NS records in the domain zone. But do we need any records in the foo zone in that scenario?

Cheers,
Rob

From peter.van.dijk at netherlabs.nl Mon Oct 13 06:57:23 2014
From: peter.van.dijk at netherlabs.nl (Peter van Dijk)
Date: Mon, 13 Oct 2014 08:57:23 +0200
Subject: [Pdns-users] PDNS for a TLD...
In-Reply-To:
References: <1412701392138-11022.post@n7.nabble.com> <20141012223639.GA79417@relay7.ucia.gov>
Message-ID: <9AE91940-6F88-4CF3-B882-048154D87B1A@netherlabs.nl>

Hello,

On 13 Oct 2014, at 7:51 , Rob wrote:
> > So in "untechnical", "policywise" language:
> > do you need to delegate authority ...?
> > If not, then maybe keep it simple (whichever method that is).
>
> In some cases, we'll be delegating authority, so we'll simply have the domain NS records in the foo zone, nothing else.
>
> In other cases, customers will be using our nameservers, so we'll have the SOA/NS records in the domain zone. But do we need any records in the foo zone in that scenario?

If 'foo' and 'bar.foo' are separate zones on the same name server, you need SOA+NS in 'bar.foo' *and* NS in 'foo'. Without DNSSEC, you can get away without NS in 'foo', but as soon as 'foo' is DNSSEC signed, you need the NS records so that DNSSEC can do an (in)secure proof on the delegation.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From peter.van.dijk at netherlabs.nl Mon Oct 13 07:07:24 2014
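A check over the record layout discussed in this thread (Rob's gmysql tuples and Peter's rule that a child zone hosted on the same server needs SOA+NS in the child and NS in the parent, plus glue for in-bailiwick delegations). This is an added example, not code from the list or from PowerDNS; it assumes the usual domains (id, name) and records (domain_id, name, type, content, ttl) tables and runs over constructed sample data modeled on Rob's ".foo" records.

```python
"""Consistency checks for a TLD layout kept in PowerDNS gmysql-style tables.
Added example (not from the thread or from PowerDNS); assumes the usual
domains (id, name) and records (domain_id, name, type, content, ttl) layout."""
from collections import defaultdict

# Constructed sample. Zone 1 is the TLD itself, zone 2 a customer zone hosted
# on the same server; "blah.foo" and "glued.foo" are delegated elsewhere.
DOMAINS = {1: "foo", 2: "something.foo"}
RECORDS = [
    # (domain_id, name, type, content, ttl)
    (1, "foo", "SOA", "ns01.dns.foo admin.dns.foo 1 10800 3600 694800 3600", 86400),
    (1, "foo", "NS", "ns01.dns.foo", 3600),
    (1, "foo", "NS", "ns02.dns.foo", 3600),
    (1, "ns01.dns.foo", "A", "192.0.2.1", 3600),
    (1, "ns02.dns.foo", "A", "192.0.2.2", 3600),
    (1, "blah.foo", "NS", "dns01.customdns.com", 3600),  # out-of-bailiwick: no glue needed
    (1, "blah.foo", "NS", "dns02.customdns.com", 3600),
    (1, "glued.foo", "NS", "ns1.glued.foo", 3600),       # in-bailiwick, but no glue A record
    (2, "something.foo", "SOA", "ns01.dns.foo admin.dns.foo 1 10800 3600 694800 3600", 86400),
    (2, "something.foo", "NS", "ns01.dns.foo", 3600),
    (2, "something.foo", "NS", "ns02.dns.foo", 3600),
    (2, "www.something.foo", "A", "123.123.123.123", 3600),
    # note: no "something.foo NS" rows in zone 1, which is the case Rob asks about
]


def parent_zone(name, zones):
    """Closest enclosing zone of `name` among `zones` (excluding name itself)."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def in_bailiwick(host, owner):
    """True if `host` is at or below `owner` in the name tree."""
    return host == owner or host.endswith("." + owner)


def check_tld_layout(domains, records):
    """Return (severity, message) findings for the SOA/NS/glue layout."""
    findings = []
    zone_id = {name: did for did, name in domains.items()}
    by_zone = defaultdict(list)
    for did, name, rtype, content, _ttl in records:
        by_zone[did].append((name, rtype, content))

    for did, zone in domains.items():
        rrs = by_zone[did]
        apex_ns = {c for n, t, c in rrs if n == zone and t == "NS"}
        soa_count = sum(1 for n, t, _ in rrs if n == zone and t == "SOA")
        if soa_count != 1:
            findings.append(("error", f"{zone}: expected one SOA, found {soa_count}"))
        if not apex_ns:
            findings.append(("error", f"{zone}: no apex NS records"))

        # A child zone hosted here needs delegation NS in its parent zone
        # (required once the parent is DNSSEC signed, as Peter points out).
        parent = parent_zone(zone, zone_id)
        if parent is not None:
            parent_ns = {c for n, t, c in by_zone[zone_id[parent]] if n == zone and t == "NS"}
            if not parent_ns:
                findings.append(("error", f"{parent}: missing delegation NS for child zone {zone}"))
            elif parent_ns != apex_ns:
                findings.append(("warning", f"{zone}: NS set differs between {parent} and {zone}"))

        # Delegations inside this zone: an in-bailiwick NS target needs glue here.
        glue_names = {n for n, t, _ in rrs if t in ("A", "AAAA")}
        for name, rtype, content in rrs:
            if rtype == "NS" and name != zone and in_bailiwick(content, name):
                if content not in glue_names:
                    findings.append(("error", f"{zone}: delegation {name} -> {content} has no glue A/AAAA"))
    return findings


if __name__ == "__main__":
    for severity, message in check_tld_layout(DOMAINS, RECORDS):
        print(f"{severity}: {message}")
```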
From: peter.van.dijk at netherlabs.nl (Peter van Dijk)
Date: Mon, 13 Oct 2014 09:07:24 +0200
Subject: [Pdns-users] Duplicate RRs in records table
In-Reply-To: <20141011193755.GS28859@tamriel.snowman.net>
References: <53B51C97.8060104@pernau.at> <53B52BE4.5000606@pernau.at> <53B5462D.6090908@pernau.at> <20140703125630.GX28527@aart.rice.edu> <53B562FB.7090809@pernau.at> <0E1BE1A8-4F0E-4CE0-A02B-AA18866C745F@netherlabs.nl> <20141011193755.GS28859@tamriel.snowman.net>
Message-ID:

Hello Stephen,

On 11 Oct 2014, at 21:37 , Stephen Frost wrote:
> This doesn't appear to have been addressed in 3.4.0- was the bug ever
> submitted and is there a plan to fix it..?

We are tracking it as https://github.com/PowerDNS/pdns/issues/1502. There is no fix yet.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From pdns at unicycle.net Mon Oct 13 12:27:15 2014
From: pdns at unicycle.net (Leo Vandewoestijne)
Date: Mon, 13 Oct 2014 12:27:15 +0000
Subject: [Pdns-users] Oracle/goracle - bug or my lack of knowledge?
In-Reply-To:
References:
Message-ID: <20141013122715.GB48547@relay7.ucia.gov>

Hi all,

a b wrote:
> You appear to have libraries and includes from both Oracle database and Oracle instant client on your machine.
> I know from experience that linking with database client libraries does not work any more

That may be true, but only for the RHEL case.
The two others didn't have the database, and still showed the same error.

Aki Tuomi wrote:
> > checking for OCIEnvInit in -lclntsh... no
> > checking for OCIEnvInit in -lclient12... no
>
> This is the real problem, but to figure out why it fails, you need to put config.log somewhere and send a link to it.

Exactly. In the meanwhile I however (together with a colleague and a DBA) managed to get over it:

Besides the instantclient -basic and -devel, I now also installed -sqlplus (all 11.2).
And like 'a b' suggested, made an additional link, in my case (this time on CentOS) like this:

sudo ln -s /usr/include/oracle/11.2/client64 $ORACLE_HOME/rdbms/public

Not sure which of the two was the solution (or if both were), but it did the trick.

Thanks for your help!
Ah well, accomplishing something is more rewarding if it took much effort.

So now I finally have it working using only a records table (view) in 3.3.1, yay :)
But the very recent change in pdns 3.4's SQL schema for oracle broke the SOA lookup (and so the ANY lookup too) :(

--
With kind regards,

Leo Vandewoestijne

--
Sent from my Google Glass

From cyruspy at gmail.com Mon Oct 13 13:10:43 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Mon, 13 Oct 2014 10:10:43 -0300
Subject: [Pdns-users] New recursor install, 50% timeout on first run
Message-ID:

Hi!, I'm running some quick tests on a new Recursor (3.6.1) and I see ~ 50% query timeouts. It has a good Internet connection but no clients yet, can this be caused by empty cache? It's pretty much default configuration, tried to push threads from 2 to 10, but it still gives me a lot of queries unanswered. The bind server it should replace gives me nearly 100% of answers, but it's being heavily queried.

[root at dummy01 ~]# dnsbulktest -q 53 1000 < /tmp/top-1m.csv
Read 1000 domains!
Sending Receiving
Queued 1000
Received 999
Error -/- 0
Timeouts 431
Unexpected 430
Sent 1000
Total 1860
DNS Status
OK 554
Error 3
No Data 6
NXDOMAIN 6
Unknowns 0
Answers 569
Timeouts 431
Total 1000
Mean response time: 781.755 msec, median: 559.377 msec
Time < 0.612 msec 0.100% cumulative
Time < 11.853 msec 1.000% cumulative
Time < 90.583 msec 2.500% cumulative
Time < 179.855 msec 10.000% cumulative
Time < 286.560 msec 25.000% cumulative
Time < 529.308 msec 50.000% cumulative
Time < 944.519 msec 75.000% cumulative
Time < 1764.946 msec 90.000% cumulative
Time < 3243.277 msec 97.500% cumulative
Time < 4190.023 msec 99.000% cumulative
Time < 4420.831 msec 99.990% cumulative

It gave me worse times on the second run:

[root at dummy01 ~]# dnsbulktest -q 53 1000 < /tmp/top-1m.csv
Read 1000 domains!
Sending Receiving
Queued 1000
Received 921
Error -/- 0
Timeouts 616
Unexpected 537
Sent 1000
Total 2074
DNS Status
OK 356
Error 22
No Data 2
NXDOMAIN 4
Unknowns 0
Answers 384
Timeouts 616
Total 1000
Mean response time: 821.931 msec, median: 475.079 msec
Time < 0.215 msec 0.100% cumulative
Time < 0.218 msec 1.000% cumulative
Time < 0.233 msec 2.500% cumulative
Time < 0.509 msec 10.000% cumulative
Time < 186.245 msec 25.000% cumulative
Time < 472.501 msec 50.000% cumulative
Time < 796.832 msec 75.000% cumulative
Time < 2447.657 msec 90.000% cumulative
Time < 3827.301 msec 97.500% cumulative
Time < 4207.631 msec 99.000% cumulative
Time < 4699.756 msec 99.990% cumulative

Comments?

Regards,

--
Ciro Iriarte
http://iriarte.it
--

From bert.hubert at netherlabs.nl Mon Oct 13 13:37:08 2014
From: bert.hubert at netherlabs.nl (bert hubert)
Date: Mon, 13 Oct 2014 15:37:08 +0200
Subject: [Pdns-users] New recursor install, 50% timeout on first run
In-Reply-To:
References:
Message-ID: <20141013133708.GC4805@xs.powerdns.com>

On Mon, Oct 13, 2014 at 10:10:43AM -0300, Ciro Iriarte wrote:
> Hi!, I'm running some quick tests on a new Recursor (3.6.1) and I see
> ~ 50% query timeouts. It has a good Internet connection but no clients
> yet, can this be caused by empty cache?

Yes, on a cold cache, nameservers are a lot slower.

You can improve on this by increasing the number of mthreads (max-mthreads) and the number of file descriptors.

The best performance comes from a busy nameserver, as outlined on http://blog.netherlabs.nl/test/

That your second time results were worse is weird, can you do a test with more than 1000 domains, say, 50000?

Can you report "rec_control get-all" before and after a run?

Perhaps your PowerDNS server is behind NAT and your other server isn't?

Bert

From cyruspy at gmail.com Mon Oct 13 16:05:51 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Mon, 13 Oct 2014 13:05:51 -0300
Subject: [Pdns-users] New recursor install, 50% timeout on first run
In-Reply-To: <20141013133708.GC4805@xs.powerdns.com>
References: <20141013133708.GC4805@xs.powerdns.com>
Message-ID:

2014-10-13 10:37 GMT-03:00 bert hubert :
> On Mon, Oct 13, 2014 at 10:10:43AM -0300, Ciro Iriarte wrote:
>> Hi!, I'm running some quick tests on a new Recursor (3.6.1) and I see
>> ~ 50% query timeouts. It has a good Internet connection but no clients
>> yet, can this be caused by empty cache?
>
> Yes, on a cold cache, nameservers are a lot slower.
>
> You can improve on this by increasing the number of mthreads (max-mthreads)
> and the number of file descriptors.
>
> The best performance comes from a busy nameserver, as outlined on
> http://blog.netherlabs.nl/test/
>
> That your second time results were worse is weird, can you do a test with
> more than 1000 domains, say, 50000?
>
> Can you report "rec_control get-all" before and after a run?
>
> Perhaps your PowerDNS server is behind NAT and your other server isn't?
>
> Bert

Hi Bert!, I've run the 1000 domain test again with logging disabled (just in case). The results look pretty much the same: http://pastebin.com/Nsjhjnx3

Tried a cold cache with 80k domains, it was a disaster, I couldn't let it finish.

The configuration:
----
local-address=,,
allow-from=,,
threads=10
---

I'll double check with the networking guys. This server will use a secondary public IP, but I see that the queries get out with the base private IP, so it's possible that the edge NAT is causing this. I'll keep you updated.

Thanks!

--
Ciro Iriarte
http://iriarte.it
--

From cmeerw at cmeerw.org Thu Oct 16 08:42:34 2014
From: cmeerw at cmeerw.org (Christof Meerwald)
Date: Thu, 16 Oct 2014 10:42:34 +0200
Subject: [Pdns-users] IXFR with EDIT-SOA, ALLOW-AXFR-FROM in bind-hybrid mode
Message-ID: <20141016084234.GI21126@edge.cmeerw.net>

Hi,

I just noticed that IXFRs appear to be broken when using EDIT-SOA in 3.4.0 - it looks like "rfc1982LessThan(serial, sd.serial)" compares the un-edited SOA from the zone and therefore doesn't send any data back to the client.

Another thing I noticed is that in bind-hybrid mode the ALLOW-AXFR-FROM for a zone handled by the bind backend doesn't appear to be read from the database (because I think it only tries to get that information from the bind backend, but doesn't fall back to the database backend).

Christof

--
http://cmeerw.org sip:cmeerw at cmeerw.org mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org

From j.goldinskis at gmail.com Thu Oct 16 08:48:50 2014
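A model of the IXFR serial check Christof describes above, with the un-edited comparison beside the corrected one, so the failure mode is visible on constructed numbers. This is an added example, not PowerDNS code; the SOA-EDIT handling is a simplified model (assumption) of two of the documented modes, EPOCH and INCREMENT-WEEKS, and the serial values are constructed.

```python
"""Model of the IXFR 'is the client current?' decision with SOA-EDIT.
Added example (not PowerDNS code); SOA-EDIT is modeled (assumption) after
the documented EPOCH and INCREMENT-WEEKS modes only."""

MASK32 = 0xFFFFFFFF
HALF = 1 << 31
WEEK = 7 * 86400


def rfc1982_less_than(a: int, b: int) -> bool:
    """RFC 1982 serial-number comparison: True when a is 'before' b in
    32-bit wrap-around arithmetic (the sense of pdns's rfc1982LessThan)."""
    a &= MASK32
    b &= MASK32
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def edit_soa_serial(stored_serial: int, kind: str, now: int) -> int:
    """Serial a client sees for a zone whose SOA-EDIT metadata is `kind`.
    Simplified model (assumption): empty kind means 'no editing', EPOCH
    uses the current Unix time, INCREMENT-WEEKS adds the number of whole
    weeks since the epoch to the stored serial."""
    if kind == "":
        return stored_serial & MASK32
    if kind == "EPOCH":
        return now & MASK32
    if kind == "INCREMENT-WEEKS":
        return (stored_serial + now // WEEK) & MASK32
    raise ValueError(f"unsupported SOA-EDIT kind in this model: {kind!r}")


def ixfr_client_is_current(client_serial: int, stored_serial: int,
                           kind: str, now: int, fixed: bool) -> bool:
    """The decision made by the IXFR handler: True means 'the client is at
    least as new as the zone, answer with the SOA only'. With fixed=False
    the comparison uses the raw stored serial (the behaviour Christof saw
    in 3.4.0); with fixed=True it uses the edited serial the client saw."""
    zone_serial = edit_soa_serial(stored_serial, kind, now) if fixed else stored_serial
    return not rfc1982_less_than(client_serial, zone_serial)


if __name__ == "__main__":
    # Constructed scenario: a zone with a small hand-maintained serial (42),
    # SOA-EDIT=INCREMENT-WEEKS, a secondary that transferred it this week,
    # then one change on the primary (stored serial becomes 43).
    now = 1413450000  # Thu 16 Oct 2014, 09:00 UTC
    secondary_serial = edit_soa_serial(42, "INCREMENT-WEEKS", now)
    for label, fixed in (("un-edited comparison", False), ("edited comparison", True)):
        current = ixfr_client_is_current(secondary_serial, 43, "INCREMENT-WEEKS", now, fixed)
        print(f"{label}: client {secondary_serial}, stored 43 ->",
              "SOA only, no changes sent" if current else "send the changes")
```

With the un-edited comparison the secondary's serial (2379) looks newer than the stored 43, so the primary answers with the SOA only and the change never reaches the secondary; with the edited comparison the zone serial is 2380 and the changes are sent.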
From: j.goldinskis at gmail.com (JG)
Date: Thu, 16 Oct 2014 01:48:50 -0700 (MST)
Subject: [Pdns-users] Not transferred from zone from master to slave
Message-ID: <1413449330665-11043.post@n7.nabble.com>

Hi,

I have a problem: the SLAVE does not send a request to the MASTER to get the zone. If I send from the MASTER with the command pdns_control notify-host ... it is alright; also with tcpdump I do not see a request to the MASTER from the SLAVE. The supermaster on the SLAVE was added. Centos 6.5, pdns-3.3.1 with poweradmin. Maybe I missed some item.

Server 1 MASTER config and logs:

/etc/pdns/pdns.conf

allow-axfr-ips=10.45.25.0/24
disable-axfr=no
disable-tcp=no
daemon=yes
default-soa-name=ns1.dk
soa-expire-default=604800
soa-minimum-ttl=3600
soa-refresh-default=10800
#soa-retry-default=3600
#version-string=anonymous
#webserver=yes
#webserver-address=10.45.25.34
#webserver-password=*****
#webserver-port=8081
#webserver-print-arguments=yes
launch=gmysql
gmysql-socket=/var/lib/mysql/mysql.sock
gmysql-host=127.0.0.1
gmysql-user=*****
gmysql-dbname=*****
gmysql-password=*****
master=yes
local-address=10.45.25.34
local-port=53
log-dns-details=/var/log/pdns/pdns-details.log
log-failed-updates=/var/log/pdns/pdns-fail.log
logging-facility=0
loglevel=4
query-logging=yes
#config-dir=/etc/pdns
#module-dir=/usr/lib64/pdns

Logs:

Oct 9 18:06:29 ns1 pdns[5488]: Scheduling exit on remote request
Oct 9 18:06:30 ns1 pdns[5488]: Guardian is killed, taking down children with us
Oct 9 18:06:32 ns1 pdns[5696]: Listening on controlsocket in '/var/run/pdns.controlsocket'
Oct 9 18:06:32 ns1 pdns[5699]: Guardian is launching an instance
Oct 9 18:06:32 ns1 pdns[5699]: Reading random entropy from '/dev/urandom'
Oct 9 18:06:32 ns1 pdns[5699]: This is module gmysqlbackend.so reporting
Oct 9 18:06:32 ns1 pdns[5699]: This is a guarded instance of pdns
Oct 9 18:06:32 ns1 pdns[5699]: UDP server bound to 10.45.25.34:53
Oct 9 18:06:32 ns1 pdns[5699]: TCP server bound to 10.45.25.34:53
Oct 9 18:06:32 ns1 pdns[5699]: PowerDNS Authoritative Server 3.3.1 (jenkins at autotest.powerdns.com) (C) 2001-2013 PowerDNS.COM BV
Oct 9 18:06:32 ns1 pdns[5699]: Using 64-bits mode. Built on 20131217194128 by mockbuild@, gcc 4.4.7 20120313 (Red Hat 4.4.7-4).
Oct 9 18:06:32 ns1 pdns[5699]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Oct 9 18:06:32 ns1 pdns[5699]: Creating backend connection for TCP
Oct 9 18:06:32 ns1 pdns[5699]: Master/slave communicator launching
Oct 9 18:06:32 ns1 pdns[5699]: About to create 3 backend threads for UDP
Oct 9 18:06:32 ns1 pdns[5699]: No new unfresh slave domains, 0 queued for AXFR already
Oct 9 18:06:32 ns1 pdns[5699]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='xxxxx.dk'
Oct 9 18:06:32 ns1 pdns[5699]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='example1.com'
Oct 9 18:06:32 ns1 pdns[5699]: No master domains need notifications
Oct 9 18:06:32 ns1 pdns[5699]: Done launching threads, ready to distribute questions
Oct 9 18:07:32 ns1 pdns[5699]: Query: select id,name,master,last_check,type from domains where type='SLAVE'
Oct 9 18:07:32 ns1 pdns[5699]: Query: select id,name,master,last_check,notified_serial,type from domains where type='MASTER'
Oct 9 18:07:32 ns1 pdns[5699]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='xxxxx.dk'
Oct 9 18:07:32 ns1 pdns[5699]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='example1.com'
Oct 9 18:08:32 ns1 pdns[5699]: Query: select id,name,master,last_check,type from domains where type='SLAVE'
Oct 9 18:08:32 ns1 pdns[5699]: Query: select id,name,master,last_check,notified_serial,type from domains where type='MASTER'
Oct 9 18:08:32 ns1 pdns[5699]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='xxxxx.dk'
Oct 9 18:08:32 ns1 pdns[5699]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='example1.com'
...

****************************************************************************************************************************************************************

Server 2 SLAVE config and logs:

/etc/pdns/pdns.conf

daemon=yes
default-soa-name=ns2.dk
loglevel=4
soa-expire-default=604800
soa-minimum-ttl=3600
soa-refresh-default=10800
soa-retry-default=3600
#version-string=anonymous
#webserver=yes
#webserver-address=10.45.25.35
#webserver-password=*****
#webserver-port=8081
#webserver-print-arguments=yes
launch=gmysql
gmysql-socket=/var/lib/mysql/mysql.sock
gmysql-host=127.0.0.1
gmysql-user=*****
gmysql-dbname=*****
gmysql-password=*****
slave=yes
slave-cycle-interval=1
local-address=10.45.25.35
local-port=53
log-dns-details=/var/log/pdns/pdns-details.log
log-failed-updates=/var/log/pdns/pdns-fail.log
logging-facility=0
query-logging=yes
#config-dir=/etc/pdns
#module-dir=/usr/lib64/pdns

Logs:

Oct 9 18:12:08 ns2 pdns[5858]: Listening on controlsocket in '/var/run/pdns.controlsocket'
Oct 9 18:12:08 ns2 pdns[5861]: Guardian is launching an instance
Oct 9 18:12:08 ns2 pdns[5861]: Reading random entropy from '/dev/urandom'
Oct 9 18:12:08 ns2 pdns[5861]: This is module gmysqlbackend.so reporting
Oct 9 18:12:08 ns2 pdns[5861]: This is a guarded instance of pdns
Oct 9 18:12:08 ns2 pdns[5861]: UDP server bound to 10.45.25.35:53
Oct 9 18:12:08 ns2 pdns[5861]: TCP server bound to 10.45.25.35:53
Oct 9 18:12:08 ns2 pdns[5861]: PowerDNS Authoritative Server 3.3.1 (jenkins at autotest.powerdns.com) (C) 2001-2013 PowerDNS.COM BV
Oct 9 18:12:08 ns2 pdns[5861]: Using 64-bits mode. Built on 20131217194128 by mockbuild@, gcc 4.4.7 20120313 (Red Hat 4.4.7-4).
Oct 9 18:12:08 ns2 pdns[5861]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Oct 9 18:12:08 ns2 pdns[5861]: Creating backend connection for TCP
Oct 9 18:12:08 ns2 pdns[5861]: Master/slave communicator launching
Oct 9 18:12:08 ns2 pdns[5861]: About to create 3 backend threads for UDP
Oct 9 18:12:08 ns2 pdns[5861]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='example1.com'
Oct 9 18:12:08 ns2 pdns[5861]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='xxxxx.dk'
Oct 9 18:12:08 ns2 pdns[5861]: No new unfresh slave domains, 0 queued for AXFR already
Oct 9 18:12:08 ns2 pdns[5861]: Done launching threads, ready to distribute questions
Oct 9 18:12:09 ns2 pdns[5861]: Query: select id,name,master,last_check,type from domains where type='SLAVE'
Oct 9 18:12:09 ns2 pdns[5861]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='example1.com'
Oct 9 18:12:09 ns2 pdns[5861]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='xxxxx.dk'
Oct 9 18:12:10 ns2 pdns[5861]: Query: select id,name,master,last_check,type from domains where type='SLAVE'
Oct 9 18:12:10 ns2 pdns[5861]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='example1.com'
Oct 9 18:12:10 ns2 pdns[5861]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name='xxxxx.dk'
...

BR,

From cmeerw at cmeerw.org Thu Oct 16 11:26:21 2014
From: cmeerw at cmeerw.org (Christof Meerwald) Date: Thu, 16 Oct 2014 13:26:21 +0200 Subject: [Pdns-users] IXFR with EDIT-SOA, ALLOW-AXFR-FROM in bind-hybrid mode In-Reply-To: <20141016084234.GI21126@edge.cmeerw.net> References: <20141016084234.GI21126@edge.cmeerw.net> Message-ID: <20141016112620.GJ21126@edge.cmeerw.net> On Thu, Oct 16, 2014 at 10:42:34AM +0200, Christof Meerwald wrote: > I just noticed that IXFRs appear to be broken when using EDIT-SOA in > 3.4.0 - it looks like "rfc1982LessThan(serial, sd.serial)" compares > the un-edited SOA from the zone and therefore doesn't send any data > back to the client. the following change seems to fix this for me: Index: pdns/tcpreceiver.cc =================================================================== --- pdns/tcpreceiver.cc (revision 6176) +++ pdns/tcpreceiver.cc (working copy) @@ -1008,6 +1008,11 @@ sendPacket(outpacket,outsock); return 0; } + + string kind; + dk.getFromMeta(target, "SOA-EDIT", kind); + sd.serial = calculateEditSOA(sd, kind); + if (!rfc1982LessThan(serial, sd.serial)) { TSIGRecordContent trc; string tsigkeyname, tsigsecret; @@ -1030,7 +1035,6 @@ DLOG(L<<"Sending out SOA"<addRecord(soa); - editSOA(dk, sd.qname, outpacket.get()); if(securedZone) { set authSet; authSet.insert(target); Christof -- http://cmeerw.org sip:cmeerw at cmeerw.org mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org From cyruspy at gmail.com Thu Oct 16 12:33:33 2014 
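Review bot: in the first hunk the return value of dk.getFromMeta(target, "SOA-EDIT", kind) is ignored, so for a zone without SOA-EDIT metadata kind stays empty and sd.serial is unconditionally overwritten with whatever calculateEditSOA(sd, "") yields; unless calculateEditSOA is documented to return the unedited serial for an empty kind, guard the assignment, e.g. `if (dk.getFromMeta(target, "SOA-EDIT", kind) && !kind.empty()) sd.serial = calculateEditSOA(sd, kind);`, so the rfc1982LessThan(serial, sd.serial) comparison that follows keeps working for zones that do not use SOA-EDIT.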
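Review bot: the second hunk removes the editSOA(dk, sd.qname, outpacket.get()) call after addRecord(soa), which is only behaviour-preserving if the soa record added there is built from the sd.serial that the first hunk has already edited; the visible context does not show how soa is constructed, so please confirm that the SOA sent out carries exactly the serial used in the IXFR comparison, otherwise slaves will see one serial in the comparison and another on the wire.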
From: cyruspy at gmail.com (Ciro Iriarte) Date: Thu, 16 Oct 2014 09:33:33 -0300 Subject: [Pdns-users] New recursor install, 50% timeout on first run In-Reply-To: References: <20141013133708.GC4805@xs.powerdns.com> Message-ID: 2014-10-13 13:05 GMT-03:00 Ciro Iriarte : > 2014-10-13 10:37 GMT-03:00 bert hubert : >> On Mon, Oct 13, 2014 at 10:10:43AM -0300, Ciro Iriarte wrote: >>> Hi!, I'm running some quick tests on a new Recursor (3.6.1) and I see >>> ~ 50% query timeouts. It has a good Internet connection but no clients >>> yet, can this be caused by empty cache?. >> >> Yes, on a cold cache, nameservers are a lot slower. >> >> You can improve on this by increasing the number of mthreads (max-mthreads) >> and the number of file descriptors. >> >> The best performance comes from a busy nameserver, as outlined on >> http://blog.netherlabs.nl/test/ >> >> That your second time results were worse is weird, can you do a test with >> more than 1000 domains, say, 50000? >> >> Can you report "rec_control get-all" before and after a run? >> >> Perhaps your PowerDNS server is behind NAT and your other server isn't? >> >> Bert > > Hi Bert!, I've run again 1000 domain test with logging disabled (just > in case). The results look pretty much the same: > http://pastebin.com/Nsjhjnx3 > > Tried a cold cache with 80k domains, it was a disaster, I couldn't let > it finish. > > The configuration: > ---- > local-address=,, > allow-from=,, > threads=10 > --- > > I'll double check with the networking guys, This server will use a > secondary public IP, but I see that the queries get out with the base > private IP, so it's possible that the edge NAT is causing this. > > > I'll keep you updated. Thanks! > > -- > Ciro Iriarte > http://iriarte.it > -- Well, wanted to answer this having the issue solved, but the "ticket is enqueued" with the networking team. So far I could get statistics from the NAT machine, the server was hitting the 2048 ports limit. 
Running several batches without restarting the server got me 100% hit rate. So, we're moving the server to the outside (public IP) to continue load test. Thanks once more! -- Ciro Iriarte http://iriarte.it -- From cyruspy at gmail.com Thu Oct 16 13:13:58 2014 From: cyruspy at gmail.com (Ciro Iriarte) Date: Thu, 16 Oct 2014 10:13:58 -0300 Subject: [Pdns-users] Recursor: Default/blind tunning? Message-ID: Hi!, I'm waiting for some network-side changes to continue my load tests, but would like to know in the meanwhile if there are some rules of thumb to set up a Linux recursor. The parameters that fit the description apparently are "pdns-distributes-queries", "max-mthreads" and "threads". I understand that the recursor uses only 2 threads by default, should I increase that to the number of cores available, maybe even oversubscribe?, what's the relation between "max-mthreads" and "threads"?. If I force ANY requests to TCP (any-to-tcp=yes), how much should I increase "max-tcp-clients", can I set it as "unlimited"?. I'll appreciate any comments on these topics. Regards, -- Ciro Iriarte http://iriarte.it -- From cmeerw at cmeerw.org Thu Oct 16 20:31:55 2014
From: cmeerw at cmeerw.org (Christof Meerwald) Date: Thu, 16 Oct 2014 22:31:55 +0200 Subject: [Pdns-users] IXFR with EDIT-SOA, ALLOW-AXFR-FROM in bind-hybrid mode In-Reply-To: <20141016084234.GI21126@edge.cmeerw.net> References: <20141016084234.GI21126@edge.cmeerw.net> Message-ID: <20141016203155.GK21126@edge.cmeerw.net> On Thu, Oct 16, 2014 at 10:42:34AM +0200, Christof Meerwald wrote: > Another thing I noticed is that in bind-hybrid mode the > ALLOW-AXFR-FROM for a zone handled by the bind backend doesn't appear > to be read from the database (because I think it only tries to get > that information from the bind backend, but doesn't fall back to the > database backend). Applying the following change seems to fix that: Index: pdns/tcpreceiver.cc =================================================================== --- pdns/tcpreceiver.cc (revision 6176) +++ pdns/tcpreceiver.cc (working copy) @@ -428,7 +428,7 @@ // cerr<<"got backend and SOA"< acl; - B->getDomainMetadata(q->qdomain, "ALLOW-AXFR-FROM", acl); + s_P->getBackend()->getDomainMetadata(q->qdomain, "ALLOW-AXFR-FROM", acl); for (vector::const_iterator i = acl.begin(); i != acl.end(); ++i) { // cerr<<"matching against "<<*i< Hi!, I've seen the published LUA scripts examples and seems pretty simple to redirect certain domains (one?) just modifying examples available, but what about have a list of hundreds or thousands of sites to blacklist?. I would like to avoid fancy options like database conections for example, will "grepping" on a CSV file affect performance notably?. What's the general consensus/experience? Regards, -- Ciro Iriarte http://iriarte.it -- From ktm at rice.edu Fri Oct 17 12:42:03 2014 
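Review bot: this hunk replaces the B->getDomainMetadata(q->qdomain, "ALLOW-AXFR-FROM", acl) lookup outright with s_P->getBackend()->getDomainMetadata(...), so in bind-hybrid mode any ALLOW-AXFR-FROM metadata the bind backend itself can supply is no longer consulted at all; since the stated problem is the missing fall-back, keep the B lookup and only consult s_P->getBackend() when acl comes back empty, which fixes the reported case without changing behaviour for zones whose metadata lives in the bind backend.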
From: ktm at rice.edu (ktm at rice.edu) Date: Fri, 17 Oct 2014 07:42:03 -0500 Subject: [Pdns-users] Recursor: Black list In-Reply-To: References: Message-ID: <20141017124203.GL6579@aart.rice.edu> On Fri, Oct 17, 2014 at 01:18:36AM -0300, Ciro Iriarte wrote: > Hi!, I've seen the published LUA scripts examples and seems pretty > simple to redirect certain domains (one?) just modifying examples > available, but what about have a list of hundreds or thousands of > sites to blacklist?. > > I would like to avoid fancy options like database conections for > example, will "grepping" on a CSV file affect performance notably?. > What's the general consensus/experience? > > Regards, > > -- > Ciro Iriarte > http://iriarte.it > -- Hi Ciro, We used a CDB key value store. It was easy to use/update and had very good performance. "grepping" is O(n*n) so it will tank as your list grows and you really don't want to slow down your DNS lookups. Regards, Ken From cyruspy at gmail.com Fri Oct 17 14:49:24 2014 
From: cyruspy at gmail.com (Ciro Iriarte) Date: Fri, 17 Oct 2014 11:49:24 -0300 Subject: [Pdns-users] Recursor: Black list In-Reply-To: <20141017124203.GL6579@aart.rice.edu> References: <20141017124203.GL6579@aart.rice.edu> Message-ID: 2014-10-17 9:42 GMT-03:00 ktm at rice.edu : > On Fri, Oct 17, 2014 at 01:18:36AM -0300, Ciro Iriarte wrote: >> Hi!, I've seen the published LUA scripts examples and seems pretty >> simple to redirect certain domains (one?) just modifying examples >> available, but what about have a list of hundreds or thousands of >> sites to blacklist?. >> >> I would like to avoid fancy options like database conections for >> example, will "grepping" on a CSV file affect performance notably?. >> What's the general consensus/experience? >> >> Regards, >> >> -- >> Ciro Iriarte >> http://iriarte.it >> -- > > Hi Ciro, > > We used a CDB key value store. It was easy to use/update and had > very good performance. "grepping" is O(n*n) so it will tank as > your list grows and you really don't want to slow down your DNS > lookups. > > Regards, > Ken Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any document specific for PDNS you can point me to? Regards,! -- Ciro Iriarte http://iriarte.it -- From ktm at rice.edu Fri Oct 17 16:35:38 2014 
From: ktm at rice.edu (ktm at rice.edu) Date: Fri, 17 Oct 2014 11:35:38 -0500 Subject: [Pdns-users] Recursor: Black list In-Reply-To: References: <20141017124203.GL6579@aart.rice.edu> Message-ID: <20141017163538.GO6579@aart.rice.edu> > > Hi Ciro, > > > > We used a CDB key value store. It was easy to use/update and had > > very good performance. "grepping" is O(n*n) so it will tank as > > your list grows and you really don't want to slow down your DNS > > lookups. > > > > Regards, > > Ken > > Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any > document specific for PDNS you can point me to? > > Regards,! > Hi, No PDNS specific documentation, we used the CDB map to allow the blacklist to be update without needing to restart the recursor and lose all the cached DNS lookups. We wrote a function similar to the example Lua script using a CDB map instead. Regards, Ken From abang at t-ipnet.net Fri Oct 17 19:03:35 2014 
From: abang at t-ipnet.net (abang) Date: Fri, 17 Oct 2014 21:03:35 +0200 Subject: [Pdns-users] Recursor: Black list In-Reply-To: <20141017163538.GO6579@aart.rice.edu> References: <20141017163538.GO6579@aart.rice.edu> Message-ID: <724B6EEE-FBA2-4532-86C7-8D5844EF8F60@t-ipnet.net> There is no need to restart the Recursor. See http://doc.powerdns.com/html/recursor-scripting.html "At runtime, rec_control reload-lua-script can be used to either reload the script from its current location, or, when passed a new file name, load one from a new location. A failure to parse the new script will leave the old script in working order." Winfried On 17 October 2014 18:35:38 MESZ, ktm at rice.edu wrote: >> > Hi Ciro, >> > >> > We used a CDB key value store. It was easy to use/update and had >> > very good performance. "grepping" is O(n*n) so it will tank as >> > your list grows and you really don't want to slow down your DNS >> > lookups. >> > >> > Regards, >> > Ken >> >> Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any >> document specific for PDNS you can point me to? >> >> Regards,! >> > >Hi, > >No PDNS specific documentation, we used the CDB map to allow the >blacklist to be update without needing to restart the recursor >and lose all the cached DNS lookups. We wrote a function similar >to the example Lua script using a CDB map instead. > >Regards, >Ken > >_______________________________________________ >Pdns-users mailing list >Pdns-users at mailman.powerdns.com >http://mailman.powerdns.com/mailman/listinfo/pdns-users From michael at stroeder.com Sat Oct 18 16:40:21 2014
From: michael at stroeder.com (Michael Ströder) Date: Sat, 18 Oct 2014 18:40:21 +0200 Subject: [Pdns-users] RFE LDAP backend: Filter template Message-ID: <544297F5.8090207@stroeder.com> Hi! I know that the LDAP backend is not very high on the list of powerdns development. But I'd like to propose a small enhancement which would make some unusual LDAP-related setups easier. Simple new config item 'ldap-filter-template': Default: ldap-filter-template = '(associatedDomain={0})' Which could be replaced when using DHCP server with LDAP backend by: ldap-filter-template = '(&(objectClass=)(dhcpAssignedHostName={0}))' Even nicer would be a configurable filter map. The {} syntax is inspired by Python's string formatting syntax, only used as an example. Of course I can use the pipe-backend to implement whatever is needed for LDAP integration. Ciao, Michael. From klaus.mailinglists at pernau.at Mon Oct 20 12:19:23 2014
From: klaus.mailinglists at pernau.at (Klaus Darilion) Date: Mon, 20 Oct 2014 14:19:23 +0200 Subject: [Pdns-users] Duplicate RRs in records table In-Reply-To: <20141011193755.GS28859@tamriel.snowman.net> References: <53B51C97.8060104@pernau.at> <53B52BE4.5000606@pernau.at> <53B5462D.6090908@pernau.at> <20140703125630.GX28527@aart.rice.edu> <53B562FB.7090809@pernau.at> <0E1BE1A8-4F0E-4CE0-A02B-AA18866C745F@netherlabs.nl> <20141011193755.GS28859@tamriel.snowman.net> Message-ID: <5444FDCB.20909@pernau.at> On 11.10.2014 21:37, Stephen Frost wrote: > * Peter van Dijk (peter.van.dijk at netherlabs.nl) wrote: >> On 03 Jul 2014, at 16:04 , Klaus Darilion wrote: >>> I also think that performing multiple transfers for the same zone should >>> be avoided in the application. >> >> Please file a ticket at https://github.com/PowerDNS/pdns/issues/new so we don't forget! > > This doesn't appear to have been addressed in 3.4.0- was the bug ever > submitted and is there a plan to fix it..? As a workaround we regularly check for duplicates and then re-transfer a zone if duplicates were found:

// Get the zones which have duplicate records (more than one identical SOA row for a zone)
$dbq = pg_query("SELECT name FROM (".
    " SELECT name,COUNT(type) AS count,content FROM records WHERE type='SOA' GROUP BY name,content".
    ") AS query1 ".
    "WHERE count > 1 ORDER BY count desc;");

// Fetch every affected zone
while ($row = pg_fetch_object($dbq)) {
    // calling pdns_control retrieve for the zone; $status receives the result.
    // Pass $status plainly: the callee declares the by-reference parameter,
    // and call-time pass-by-reference (&$status) is a fatal error since PHP 5.4.
    PdnsControl::retrieve($config_int['pdnscontrolsocket'], $row->name, $status);
}

regards Klaus From cyruspy at gmail.com Mon Oct 20 13:40:34 2014
From: cyruspy at gmail.com (Ciro Iriarte) Date: Mon, 20 Oct 2014 10:40:34 -0300 Subject: [Pdns-users] Recursor: Black list In-Reply-To: <20141017163538.GO6579@aart.rice.edu> References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> Message-ID: 2014-10-17 13:35 GMT-03:00 ktm at rice.edu : >> > Hi Ciro, >> > >> > We used a CDB key value store. It was easy to use/update and had >> > very good performance. "grepping" is O(n*n) so it will tank as >> > your list grows and you really don't want to slow down your DNS >> > lookups. >> > >> > Regards, >> > Ken >> >> Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any >> document specific for PDNS you can point me to? >> >> Regards,! >> > > Hi, > > No PDNS specific documentation, we used the CDB map to allow the > blacklist to be update without needing to restart the recursor > and lose all the cached DNS lookups. We wrote a function similar > to the example Lua script using a CDB map instead. > > Regards, > Ken Hi Ken!, would you be willing to publish/share your implementation?. Having two different rules (two groups, each group with different answers), do you think it's best to use two scripts?, or just push more data to the CDB (A record expected + answer) and use one script? Regards, -- Ciro Iriarte http://iriarte.it -- From curtis at maurand.com Mon Oct 20 14:54:21 2014 
From: curtis at maurand.com (Curtis Maurand) Date: Mon, 20 Oct 2014 10:54:21 -0400 Subject: [Pdns-users] Recursor: Black list In-Reply-To: References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> Message-ID: <5445221D.5010805@maurand.com> On 10/20/2014 9:40 AM, Ciro Iriarte wrote: > 2014-10-17 13:35 GMT-03:00 ktm at rice.edu : >>>> Hi Ciro, >>>> >>>> We used a CDB key value store. It was easy to use/update and had >>>> very good performance. "grepping" is O(n*n) so it will tank as >>>> your list grows and you really don't want to slow down your DNS >>>> lookups. >>>> >>>> Regards, >>>> Ken >>> Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any >>> document specific for PDNS you can point me to? >>> >>> Regards,! >>> >> Hi, >> >> No PDNS specific documentation, we used the CDB map to allow the >> blacklist to be update without needing to restart the recursor >> and lose all the cached DNS lookups. We wrote a function similar >> to the example Lua script using a CDB map instead. >> >> Regards, >> Ken > Hi Ken!, would you be willing to publish/share your implementation?. > Having two different rules (two groups, each group with different > answers), do you think it's best to use two scripts?, or just push > more data to the CDB (A record expected + answer) and use one script? > > Regards, I've been looking for a way to do this as well. I would think that a separate pdns instance on a different server than your main dns would do the trick or have one bound to one address and a second instance bound to another using separate databases. I tried setting up a zone and delegating it to the current DNS and that doesn't work. It's an interesting problem. Currently I'm using iptables on my mail servers, but that get's unwieldy and unmanageable in a hurry. I've also done it with spamassassin rules, but that also get's to be unmanageable, too. 
--Curtis > -- Curtis Maurand curtis at maurand.com 207-252-7748 From robm at scramworks.net Mon Oct 20 16:29:40 2014
From: robm at scramworks.net (Robert Mortimer) Date: Mon, 20 Oct 2014 17:29:40 +0100 Subject: [Pdns-users] Recursor: Black list In-Reply-To: <5445221D.5010805@maurand.com> References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> Message-ID: <20141020162940.GA31884@bob.bofh.org> Hi, Just to add a bit less light, we implemented this sort of thing about 5 years back and now with the aid of a small script have a solution which is fully RPZ compatible. Using PDNS recursor and LUA, which can handle an RPZ feed of about four thousand records and around 5,000 QPS. We did stress test briefly with an 11,000 item RPZ feed. As said no need to restart when it updates just do a LUA reload. Hopefully I should be able to release what we did soon - am waiting for permission from our legal types. Really not sure if that helps any, except to say it's very doable and can be quite stable. On Mon, 20 Oct 2014, Curtis Maurand wrote: > On 10/20/2014 9:40 AM, Ciro Iriarte wrote: > >2014-10-17 13:35 GMT-03:00 ktm at rice.edu : > >>>>Hi Ciro, > >>>> > >>>>We used a CDB key value store. It was easy to use/update and had > >>>>very good performance. "grepping" is O(n*n) so it will tank as > >>>>your list grows and you really don't want to slow down your DNS > >>>>lookups. > >>>> > >>>>Regards, > >>>>Ken > >>>Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any > >>>document specific for PDNS you can point me to? > >>> > >>>Regards,! > >>> > >>Hi, > >> > >>No PDNS specific documentation, we used the CDB map to allow the > >>blacklist to be update without needing to restart the recursor > >>and lose all the cached DNS lookups. We wrote a function similar > >>to the example Lua script using a CDB map instead. > >> > >>Regards, > >>Ken > >Hi Ken!, would you be willing to publish/share your implementation?. 
> >Having two different rules (two groups, each group with different > >answers), do you think it's best to use two scripts?, or just push > >more data to the CDB (A record expected + answer) and use one script? > > > >Regards, > > I've been looking for a way to do this as well. I would think that > a separate pdns instance on a different server than your main dns > would do the trick or have one bound to one address and a second > instance bound to another using separate databases. I tried setting > up a zone and delegating it to the current DNS and that doesn't > work. It's an interesting problem. Currently I'm using iptables on > my mail servers, but that get's unwieldy and unmanageable in a > hurry. I've also done it with spamassassin rules, but that also > get's to be unmanageable, too. > > --Curtis > > > > > > -- > Curtis Maurand > curtis at maurand.com > 207-252-7748 > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users -- Robm 873 "Ask not what I can do for the stupid, but what the stupid can do for me" - Graeme Garden From cyruspy at gmail.com Mon Oct 20 16:42:20 2014 
From: cyruspy at gmail.com (Ciro Iriarte) Date: Mon, 20 Oct 2014 13:42:20 -0300 Subject: [Pdns-users] Recursor: Black list In-Reply-To: <5445221D.5010805@maurand.com> References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> Message-ID: 2014-10-20 11:54 GMT-03:00 Curtis Maurand : > On 10/20/2014 9:40 AM, Ciro Iriarte wrote: > > 2014-10-17 13:35 GMT-03:00 ktm at rice.edu : > > Hi Ciro, > > We used a CDB key value store. It was easy to use/update and had > very good performance. "grepping" is O(n*n) so it will tank as > your list grows and you really don't want to slow down your DNS > lookups. > > Regards, > Ken > > Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any > document specific for PDNS you can point me to? > > Regards,! > > Hi, > > No PDNS specific documentation, we used the CDB map to allow the > blacklist to be update without needing to restart the recursor > and lose all the cached DNS lookups. We wrote a function similar > to the example Lua script using a CDB map instead. > > Regards, > Ken > > Hi Ken!, would you be willing to publish/share your implementation?. > Having two different rules (two groups, each group with different > answers), do you think it's best to use two scripts?, or just push > more data to the CDB (A record expected + answer) and use one script? > > Regards, > > > I've been looking for a way to do this as well. I would think that a > separate pdns instance on a different server than your main dns would do the > trick or have one bound to one address and a second instance bound to > another using separate databases. I tried setting up a zone and delegating > it to the current DNS and that doesn't work. It's an interesting problem. > Currently I'm using iptables on my mail servers, but that get's unwieldy and > unmanageable in a hurry. I've also done it with spamassassin rules, but > that also get's to be unmanageable, too. 
> > --Curtis > > > > > -- > Curtis Maurand > curtis at maurand.com > 207-252-7748 > > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users > Does that mean that the recursor can only handle one LUA script?. Regards, -- Ciro Iriarte http://iriarte.it -- From cyruspy at gmail.com Mon Oct 20 17:09:05 2014 
From: cyruspy at gmail.com (Ciro Iriarte) Date: Mon, 20 Oct 2014 14:09:05 -0300 Subject: [Pdns-users] Recursor: Black list In-Reply-To: <20141020162940.GA31884@bob.bofh.org> References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> Message-ID: 2014-10-20 13:29 GMT-03:00 Robert Mortimer : > Hi, > > Just to add a bit less light, we implemented this sort of thing about 5 years back > and now with the aid of a small script have a solution which is fully RPZ > compatable. Using PDNS recursor and LUA, which can hadle an RPZ feed of about four > thousand records and around 5,000 QPS. We did stress test briefly with a 11,000 item > RPZ feed. > > As said no need to restart when it updates just do a LUA reload. Hopefully I > should be able to release what we did soon - am waiting for permission from our > legal types. > > Really not sure if that helps any, except to say it's very doable and can be > quite stable. > > RPZ seem really interesting, and I see there was a request for it in the past*. The thing is, we have direct requests from local government agencies to ban some domains with legal issues (mandated by a judge for example), and we were just approached about being able to block sites from the Internet Watch Foundation black list also (with their own landing page). Both cases will be redirected to different sites, and each has its own data source. Currently on bind we just define the domain as authoritative and it's kind of a hassle. Also, I thought about adding some helpful LUA bits to report date/time or the client's IP address, but from what I understood, only one LUA script can be added to the recursor, maybe a super monster script could be able to achieve all that. Ref: * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html Regards, -- Ciro Iriarte http://iriarte.it -- From ktm at rice.edu Mon Oct 20 18:12:07 2014 
From: ktm at rice.edu (ktm at rice.edu) Date: Mon, 20 Oct 2014 13:12:07 -0500 Subject: [Pdns-users] Recursor: Black list In-Reply-To: References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> Message-ID: <20141020181207.GC32559@aart.rice.edu> On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote: > 2014-10-20 13:29 GMT-03:00 Robert Mortimer : > > Hi, > > > > Just to add a bit less light, we implemented this sort of thing about 5 years back > > and now with the aid of a small script have a solution which is fully RPZ > > compatable. Using PDNS recursor and LUA, which can hadle an RPZ feed of about four > > thousand records and around 5,000 QPS. We did stress test briefly with a 11,000 item > > RPZ feed. > > > > As said no need to restart when it updates just do a LUA reload. Hopefully I > > should be able to release what we did soon - am waiting for permission from our > > legal types. > > > > Really not sure if that helps any, except to say it's very doable and can be > > quite stable. > > > > > > RPZ seem really interesting, and I see there was a request for it in > the past*. The thing is, we have direct requests from local government > agencies to ban some domains with legal issues (mandated by a judge > for example), and we were just approached about being able to block > sites from the Internet Watch Foundation black list also (with their > own landing page). Both cases will be redirected to different sites, > and each has its own data source. Currently on bind we just define the > domain as authoritative and it's kind of a hassle. > > Also, I thought about adding some helpful LUA bits to report date/time > or the client's IP address, but from what I understood, only one LUA > script can be added to the recursor, maybe a super monster script > could be able to achieve all that. 
> > > Ref: > * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html > > > Regards, > -- > Ciro Iriarte > http://iriarte.it > -- Hi, I would use a single Lua script for all of it. I am trying to find my sample using CDB to post. Regards, Ken From bert.hubert at netherlabs.nl Mon Oct 20 18:15:57 2014 From: bert.hubert at netherlabs.nl (bert hubert) Date: Mon, 20 Oct 2014 20:15:57 +0200 Subject: [Pdns-users] Recursor: Black list In-Reply-To: <20141020181207.GC32559@aart.rice.edu> References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> Message-ID: <20141020181557.GA24286@xs.powerdns.com> On Mon, Oct 20, 2014 at 01:12:07PM -0500, ktm at rice.edu wrote: > > Also, I thought about adding some helpful LUA bits to report date/time > > or the client's IP address, but from what I understood, only one LUA > > script can be added to the recursor, maybe a super monster script > > could be able to achieve all that. Ciro, We could allow chaining Lua scripts eventually, but I'm more interested in a solution that works for people. Is everyone happy with RPZ for blacklist purposes? > I would use a single Lua script for all of it. I am trying to find my > sample using CDB to post. Hi Ken, That would be great, perhaps we could ship a version of that as a contrib/. Bert From cyruspy at gmail.com Mon Oct 20 19:00:23 2014 
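An added example, not Ken's CDB script and not PowerDNS project code, of the single-script approach Ken recommends for the two lists Ciro describes: one preresolve hook for PowerDNS Recursor 3.x serving two block lists that return different landing-page addresses from a single keyed lookup, so no list is scanned per query. The preresolve signature, the return convention (-1 to pass through, 0 for NOERROR) and pdns.A follow the 3.x recursor scripting documentation; the list file path, its tab-separated format and the RFC 5737 landing addresses are assumptions, and a Lua table loaded at script load stands in for Ken's CDB map (rec_control reload-lua-script, as Winfried noted, re-reads it without restarting the recursor).

```lua
-- Added example for PowerDNS Recursor 3.x Lua scripting (not code from the list thread).
-- One preresolve hook, two block lists (groups), each with its own landing page.
-- LIST_FILE is an assumed path; constructed line format: "<domain><whitespace><group>".
-- Lines starting with '#' and lines with an unknown group are ignored.
local LIST_FILE = "/etc/pdns-recursor/blocklist.tsv"

-- Group name -> answer returned for A queries. Addresses are RFC 5737 test ranges.
local landing = {
  court = { content = "192.0.2.10",    ttl = 60 },  -- court-ordered blocks, landing page 1
  iwf   = { content = "198.51.100.10", ttl = 60 },  -- IWF-style list, its own landing page
}

-- Read the list into a hash table keyed by lower-cased, dot-terminated qname.
-- Loading happens once at script load; 'rec_control reload-lua-script' re-runs it,
-- so list updates do not flush the recursor's cache.
local function load_list(path)
  local map, count = {}, 0
  local fh = io.open(path, "r")
  if not fh then
    if pdnslog then pdnslog("blocklist: cannot open " .. path .. ", blocking nothing") end
    return map
  end
  for line in fh:lines() do
    local name, group = line:match("^%s*([^#%s]+)%s+(%S+)")
    if name and landing[group] then
      name = name:lower()
      if name:sub(-1) ~= "." then name = name .. "." end
      map[name] = group
      count = count + 1
    end
  end
  fh:close()
  if pdnslog then pdnslog("blocklist: loaded " .. count .. " entries from " .. path) end
  return map
end

-- Walk from the queried name up through its parents, so an entry for
-- "example.test." also matches "www.example.test.". Each step is a single
-- table lookup; cost depends on label count, not on list size.
local function lookup(map, qname)
  local name = qname:lower()
  while name ~= "" do
    local group = map[name]
    if group then return group end
    local dot = name:find(".", 1, true)
    if not dot then break end
    name = name:sub(dot + 1)
  end
  return nil
end

local blocked = load_list(LIST_FILE)

-- Recursor 3.x hook: called before resolution with the client address, the
-- queried name (dot-terminated) and the numeric query type.
function preresolve(remoteip, domain, qtype)
  local group = lookup(blocked, domain)
  if not group then
    return -1, {}   -- not on any list: let the recursor resolve normally
  end
  -- Log the hit with client address and group so blocks can be audited.
  pdnslog("blocklist: " .. remoteip .. " asked for " .. domain .. " [" .. group .. "]")
  if qtype == pdns.A then
    local page = landing[group]
    return 0, { { qtype = pdns.A, content = page.content, ttl = page.ttl } }
  end
  return 0, {}      -- other types for a blocked name: NOERROR with an empty answer
end
```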
From: cyruspy at gmail.com (Ciro Iriarte) Date: Mon, 20 Oct 2014 16:00:23 -0300 Subject: [Pdns-users] Recursor: Black list In-Reply-To: <20141020181557.GA24286@xs.powerdns.com> References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> <20141020181557.GA24286@xs.powerdns.com> Message-ID: 2014-10-20 15:15 GMT-03:00 bert hubert : > On Mon, Oct 20, 2014 at 01:12:07PM -0500, ktm at rice.edu wrote: >> > Also, I thought about adding some helpful LUA bits to report date/time >> > or the client's IP address, but from what I understood, only one LUA >> > script can be added to the recursor, maybe a super monster script >> > could be able to achieve all that. > > Ciro, > > We could allow chaining Lua scripts eventually, but I'm more interested in > a solution that works for people. Is everyone happy with RPZ for blacklist > purposes? > >> I would use a single Lua script for all of it. I am trying to find my >> sample using CDB to post. > > Hi Ken, > > That would be great, perhaps we could ship a version of that as a contrib/. > > Bert > Reading a little more about RPZ it seems to be tailored at Bind's convenience, just define a special zone were you could add FQDNs to override. That doesn't seem usual for pdns-recursor, I might be wrong. It would be nice to keep the solution simple, and as clean as it can fit pdns-recursor. It doesn't need to be with RPZ, unless the use cases mandate to copy blindly this special zones from the authorities (it's not the case on my end). Ref: http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/ Regards, -- Ciro Iriarte http://iriarte.it -- From cyruspy at gmail.com Mon Oct 20 22:38:02 2014 
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Mon, 20 Oct 2014 19:38:02 -0300
Subject: [Pdns-users] powerdns-recursor: ERROR: can't parse argument ' DS:outQ_all:DERIVE:600:0:125000000000'
In-Reply-To:
References:
Message-ID:

2014-10-10 16:20 GMT-03:00 Ciro Iriarte :
> Hi! Does anybody know if something changed with the PowerDNS Recursor
> support? I'm trying to add a host and it's giving me this error:
>
> powerdns-recursor
> ERROR: can't parse argument ' DS:outQ_all:DERIVE:600:0:125000000000'
>
> Observium v0.13.10.4586
>
>
> Regards,
>
> --
> Ciro Iriarte
> http://iriarte.it
> --

Has anybody seen this error?

Regards,
Ciro

--
Ciro Iriarte
http://iriarte.it
--

From cyruspy at gmail.com Tue Oct 21 00:55:12 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Mon, 20 Oct 2014 21:55:12 -0300
Subject: [Pdns-users] powerdns-recursor: ERROR: can't parse argument ' DS:outQ_all:DERIVE:600:0:125000000000'
In-Reply-To:
References:
Message-ID:

2014-10-20 19:38 GMT-03:00 Ciro Iriarte :
> 2014-10-10 16:20 GMT-03:00 Ciro Iriarte :
>> Hi! Does anybody know if something changed with the PowerDNS Recursor
>> support? I'm trying to add a host and it's giving me this error:
>>
>> powerdns-recursor
>> ERROR: can't parse argument ' DS:outQ_all:DERIVE:600:0:125000000000'
>>
>> Observium v0.13.10.4586
>>
>>
>> Regards,
>>
>> --
>> Ciro Iriarte
>> http://iriarte.it
>> --
>
> Has anybody seen this error?
>
> Regards,
> Ciro
>
> --
> Ciro Iriarte
> http://iriarte.it
> --

Well, I remember having read this thread last year:

http://postman.memetic.org/pipermail/observium/2013-October/003913.html

And as in that case, the PowerDNS code has the same issue. Deleting the first backslash allowed the RRD files to be created. The inconsistency introduced by the fix also bothers me :P

Regards,
--
Ciro Iriarte
http://iriarte.it
--

From cyruspy at gmail.com Tue Oct 21 00:56:22 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Mon, 20 Oct 2014 21:56:22 -0300
Subject: [Pdns-users] Statistics with Observium
In-Reply-To:
References:
Message-ID:

2014-10-10 16:39 GMT-03:00 Ciro Iriarte :
> Hi! Does anybody happen to collect stats with Observium? Apparently in
> the past it had support for both the Authoritative and Recursive
> servers but as of today it's not working with Recursor 3.6.1.
>
> Ideas, comments?
>
> Regards,
>
> --
> Ciro Iriarte
> http://iriarte.it
> --

Well, I remember having read this thread last year:

http://postman.memetic.org/pipermail/observium/2013-October/003913.html

And as in that case, the PowerDNS code has the same issue. Deleting the first backslash allowed the RRD files to be created. The inconsistency introduced by the fix also bothers me :P

Regards,
--
Ciro Iriarte
http://iriarte.it
--

From bert.hubert at netherlabs.nl Wed Oct 22 19:38:38 2014
From: bert.hubert at netherlabs.nl (bert hubert)
Date: Wed, 22 Oct 2014 21:38:38 +0200
Subject: [Pdns-users] New: PowerDNS Security Status Polling
Message-ID: <20141022193837.GA24649@xs.powerdns.com>

Hi everybody,

PowerDNS software sadly sometimes has critical security bugs. Even though we send out notifications of these via all channels available, our recent security releases have taught us that not everybody actually finds out about important security updates via our mailing lists, Facebook and Twitter.

To solve this, the development versions of PowerDNS software have been updated to poll for security notifications over DNS, and log these periodically. Secondly, the security status of the software is available for monitoring using the built-in metrics. This allows operators to poll for the PowerDNS security status and alert on it.

In the implementation of this idea, we have taken the unique role of operating system distributors into account. Specifically, we can deal with backported security fixes.

This feature can easily be disabled, and operators can also point the queries at their own status service.

In this post, we want to inform you that the most recent snapshots of PowerDNS now include security polling, and we want to solicit your rapid feedback before this feature becomes part of the next PowerDNS releases.

Implementation

PowerDNS software periodically tries to resolve ‘auth-x.y.z.security-status.secpoll.powerdns.com|TXT’ or ‘recursor-x.y.z.security-status.secpoll.powerdns.com|TXT’ (if the security-poll-suffix setting is left at the default of secpoll.powerdns.com). No other data is included in the request.

The data returned is in one of the following forms:

* NXDOMAIN or resolution failure
* “1 Ok” -> security-status=1
* “2 Upgrade recommended for security reasons, see http://powerdns.com/..” -> security-status=2
* “3 Upgrade mandatory for security reasons, see http://powerdns.com/..” -> security-status=3

In cases 2 or 3, periodic logging commences at syslog level ‘Error’. The metric security-status is set to 2 or 3 respectively. The security status could be lowered, however, if we discover the issue is less urgent than we thought.

If resolution fails, and the previous security-status was 1, the new security-status becomes 0 (‘no data’). If the security-status was higher than 1, it will remain that way, and not get set to 0. In this way, a security-status of 0 really means ‘no data’, and can not mask a known problem.

Distributions

Distributions frequently backport security fixes to the PowerDNS versions they ship. This might lead to a version number that is known to us to be insecure being secure in reality.

To solve this issue, PowerDNS can be compiled with a distribution setting which will move the security polls from ‘auth-x.y.z.security-status.secpoll.powerdns.com’ to ‘auth-x.y.z-n.debian.security-status.secpoll.powerdns.com’.

Note two things: first, there is a separate namespace for debian, and second, we use the package version of this release. This allows us to know that 3.6.0-1 (say) is insecure, but that 3.6.0-2 is not.

Details and how to disable

The configuration setting ‘security-poll-suffix’ is by default set to ‘secpoll.powerdns.com’. If empty, nothing is polled. This can be moved to ‘secpoll.yourorganization.com’. Our up-to-date secpoll zonefile is available on github for this purpose.

If compiled with PACKAGEVERSION=3.1.6-abcde.debian, queries will be sent to “auth-3.1.6-abcde.debian.security-status.security-poll-suffix”.

Delegation

If a distribution wants to host its own file with version information, we can delegate dist.security-status.secpoll.powerdns.com to their nameservers directly.

From zozo at z0z0.tk Wed Oct 22 22:48:26 2014
From: zozo at z0z0.tk (Péter-Zoltán Keresztes)
Date: Thu, 23 Oct 2014 01:48:26 +0300
Subject: [Pdns-users] SRV records
Message-ID:

Hello,

I just want to know if powerdns 3.4 does support SRV records.

thanks,
Peter

From cmouse at youzen.ext.b2.fi Thu Oct 23 06:03:36 2014
From: cmouse at youzen.ext.b2.fi (Aki Tuomi)
Date: Thu, 23 Oct 2014 09:03:36 +0300
Subject: [Pdns-users] SRV records
In-Reply-To:
References:
Message-ID: <20141023060336.GA1243@pi.ip.fi>

On Thu, Oct 23, 2014 at 01:48:26AM +0300, Péter-Zoltán Keresztes wrote:
> Hello,
>
> I just want to know if powerdns 3.4 does support SRV records.
>
> thanks,
> Peter
>

Yes, those have been supported for a long time now.

Aki

From cyruspy at gmail.com Sun Oct 26 04:17:42 2014
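The polling logic from Bert's security-status announcement above, as an added example (not PowerDNS's code): the query name is built as the post describes, the TXT answer is parsed, and the 0/1/2/3 status transitions follow the post; a constructed in-memory TXT table with sample entries stands in for the resolver.

```python
import logging
from typing import Optional, Tuple

# Constructed sample of what a secpoll zone might answer; not real secpoll data.
SAMPLE_TXT = {
    "auth-3.6.1.security-status.secpoll.powerdns.com": "1 Ok",
    "recursor-3.6.0.security-status.secpoll.powerdns.com":
        "2 Upgrade recommended for security reasons, see http://powerdns.com/..",
    "auth-3.6.0-1.debian.security-status.secpoll.powerdns.com":
        "3 Upgrade mandatory for security reasons, see http://powerdns.com/..",
    "auth-3.6.0-2.debian.security-status.secpoll.powerdns.com": "1 Ok",
}


def secpoll_qname(product: str, version: str,
                  suffix: str = "secpoll.powerdns.com",
                  packageversion: Optional[str] = None) -> Optional[str]:
    """Name polled for TXT: '<product>-<version>.security-status.<suffix>'.

    A distribution build (PACKAGEVERSION) substitutes its package version,
    e.g. '3.6.0-1.debian', so a backported fix gets its own status entry.
    An empty suffix disables polling ('If empty, nothing is polled').
    """
    if not suffix:
        return None
    ver = packageversion if packageversion else version
    return f"{product}-{ver}.security-status.{suffix}"


def lookup_txt(qname: str, zone=SAMPLE_TXT) -> Optional[str]:
    """Stand-in for the DNS TXT query; None models NXDOMAIN or a failed lookup."""
    return zone.get(qname)


def parse_status(txt: Optional[str]) -> Optional[Tuple[int, str]]:
    """Parse '<code> <message>' into (code, message); None if absent or malformed."""
    if txt is None:
        return None
    code_str, _, message = txt.partition(" ")
    if not code_str.isdigit() or int(code_str) not in (1, 2, 3):
        return None
    return int(code_str), message


def next_status(previous: int, txt: Optional[str]) -> int:
    """Status transition from the post.

    A parsed answer replaces the old status (so it can also be lowered).
    On failure, a previous status of 1 (or 0) becomes 0 ('no data'), while a
    known problem (2 or 3) is kept, so 0 can never mask an outstanding issue.
    """
    parsed = parse_status(txt)
    if parsed is None:
        return previous if previous > 1 else 0
    return parsed[0]


def poll(product: str, version: str, previous: int,
         packageversion: Optional[str] = None,
         suffix: str = "secpoll.powerdns.com",
         zone=SAMPLE_TXT) -> Tuple[int, Optional[str]]:
    """One polling round: returns (new_status, qname_polled).

    qname is None when polling is disabled; the status is then left as it was
    (an assumption of this example, the post only says nothing is polled).
    """
    qname = secpoll_qname(product, version, suffix, packageversion)
    if qname is None:
        return previous, None
    txt = lookup_txt(qname, zone)
    status = next_status(previous, txt)
    if status >= 2:
        # The post: in cases 2 or 3, periodic logging at syslog level 'Error'.
        logging.error("PowerDNS security status %d: %s", status, txt)
    return status, qname
```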
From: cyruspy at gmail.com (Ciro Iriarte) Date: Sun, 26 Oct 2014 01:17:42 -0300 Subject: [Pdns-users] Recursor: Black list In-Reply-To: <20141020181207.GC32559@aart.rice.edu> References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> Message-ID: 2014-10-20 15:12 GMT-03:00 ktm at rice.edu : > On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote: >> 2014-10-20 13:29 GMT-03:00 Robert Mortimer : >> > Hi, >> > >> > Just to add a bit less light, we implemented this sort of thing about 5 years back >> > and now with the aid of a small script have a solution which is fully RPZ >> > compatable. Using PDNS recursor and LUA, which can hadle an RPZ feed of about four >> > thousand records and around 5,000 QPS. We did stress test briefly with a 11,000 item >> > RPZ feed. >> > >> > As said no need to restart when it updates just do a LUA reload. Hopefully I >> > should be able to release what we did soon - am waiting for permission from our >> > legal types. >> > >> > Really not sure if that helps any, except to say it's very doable and can be >> > quite stable. >> > >> > >> >> RPZ seem really interesting, and I see there was a request for it in >> the past*. The thing is, we have direct requests from local government >> agencies to ban some domains with legal issues (mandated by a judge >> for example), and we were just approached about being able to block >> sites from the Internet Watch Foundation black list also (with their >> own landing page). Both cases will be redirected to different sites, >> and each has its own data source. Currently on bind we just define the >> domain as authoritative and it's kind of a hassle. 
>> >> Also, I thought about adding some helpful LUA bits to report date/time >> or the client's IP address, but from what I understood, only one LUA >> script can be added to the recursor, maybe a super monster script >> could be able to achieve all that. >> >> >> Ref: >> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html >> >> >> Regards, >> -- >> Ciro Iriarte >> http://iriarte.it >> -- > > Hi, > > I would use a single Lua script for all of it. I am trying to find my > sample using CDB to post. > > Regards, > Ken Hi!, got a proof of concept script that successfully does the CDB lookup, but I'm curious about the CNAME answers, how can I call another resolution iteration to find the A record for the final destination? Currently I can only answer a CNAME record, and any attempt to reach a website for example will fail with "Couldn't resolve host". Regards, -- Ciro Iriarte http://iriarte.it -- From cyruspy at gmail.com Sun Oct 26 04:47:31 2014 
From: cyruspy at gmail.com (Ciro Iriarte) Date: Sun, 26 Oct 2014 01:47:31 -0300 Subject: [Pdns-users] Recursor: Black list In-Reply-To: References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> Message-ID: 2014-10-26 1:17 GMT-03:00 Ciro Iriarte : > 2014-10-20 15:12 GMT-03:00 ktm at rice.edu : >> On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote: >>> 2014-10-20 13:29 GMT-03:00 Robert Mortimer : >>> > Hi, >>> > >>> > Just to add a bit less light, we implemented this sort of thing about 5 years back >>> > and now with the aid of a small script have a solution which is fully RPZ >>> > compatable. Using PDNS recursor and LUA, which can hadle an RPZ feed of about four >>> > thousand records and around 5,000 QPS. We did stress test briefly with a 11,000 item >>> > RPZ feed. >>> > >>> > As said no need to restart when it updates just do a LUA reload. Hopefully I >>> > should be able to release what we did soon - am waiting for permission from our >>> > legal types. >>> > >>> > Really not sure if that helps any, except to say it's very doable and can be >>> > quite stable. >>> > >>> > >>> >>> RPZ seem really interesting, and I see there was a request for it in >>> the past*. The thing is, we have direct requests from local government >>> agencies to ban some domains with legal issues (mandated by a judge >>> for example), and we were just approached about being able to block >>> sites from the Internet Watch Foundation black list also (with their >>> own landing page). Both cases will be redirected to different sites, >>> and each has its own data source. Currently on bind we just define the >>> domain as authoritative and it's kind of a hassle. 
>>> >>> Also, I thought about adding some helpful LUA bits to report date/time >>> or the client's IP address, but from what I understood, only one LUA >>> script can be added to the recursor, maybe a super monster script >>> could be able to achieve all that. >>> >>> >>> Ref: >>> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html >>> >>> >>> Regards, >>> -- >>> Ciro Iriarte >>> http://iriarte.it >>> -- >> >> Hi, >> >> I would use a single Lua script for all of it. I am trying to find my >> sample using CDB to post. >> >> Regards, >> Ken > > Hi!, got a proof of concept script that successfully does the CDB > lookup, but I'm curious about the CNAME answers, how can I call > another resolution iteration to find the A record for the final > destination? > > Currently I can only answer a CNAME record, and any attempt to reach a > website for example will fail with "Couldn't resolve host". > > Regards, > > -- > Ciro Iriarte > http://iriarte.it > -- Answering to myself, found the followCNAMERecords return option. It works to look for a regular A lookup from the CNAME result. It doesn't cover the case were out overwritten answer should also be blocked (the LUA script is not run on that iteration). Should that case be covered?, is there other return code that will trigger the LUA script again for the CNAME follow up? -- Ciro Iriarte http://iriarte.it -- From cyruspy at gmail.com Mon Oct 27 02:52:57 2014 
From: cyruspy at gmail.com (Ciro Iriarte) Date: Sun, 26 Oct 2014 23:52:57 -0300 Subject: [Pdns-users] New: PowerDNS Security Status Polling In-Reply-To: <20141022193837.GA24649@xs.powerdns.com> References: <20141022193837.GA24649@xs.powerdns.com> Message-ID: 2014-10-22 16:38 GMT-03:00 bert hubert : > Hi everybody, > > PowerDNS software sadly sometimes has critical security bugs. Even though we > send out notifications of these via all channels available, our recent > security releases have taught us that not everybody actually finds out about > important security updates via our mailing lists, Facebook and Twitter. > > To solve this, the development versions of PowerDNS software have been > updated to poll for security notifications over DNS, and log these > periodically. Secondly, the security status of the software is available for > monitoring using the built-in metrics. This allows operators to poll for the > PowerDNS security status and alert on it. > > In the implementation of this idea, we have taken the unique role of > operating system distributors into account. Specifically, we can deal with > backported security fixes. > > This feature can easily be disabled, and operators can also point the > queries point at their own status service. > > In this post, we want to inform you that the most recent snapshots of > PowerDNS now include security polling, and we want to solicit your rapid > feedback before this feature becomes part of the next PowerDNS releases. > > Implementation > > PowerDNS software periodically tries to resolve > ‘auth-x.y.z.security-status.secpoll.powerdns.com|TXT’ or > ‘recursor-x.y.z.security-status.secpoll.powerdns.com|TXT’ (if the > security-poll-suffix setting is left at the default of > secpoll.powerdns.com). No other data is included in the request. 
> > The data returned is in one of the following forms: > > * NXDOMAIN or resolution failure > * “1 Ok” -> security-status=1 > * “2 Upgrade recommended for security reasons, see http://powerdns.com/..” -> > security-status=2 > * “3 Upgrade mandatory for security reasons, see http://powerdns.com/..” -> > security-status=3 > > In cases 2 or 3, periodic logging commences at syslog level ‘Error’. The > metric security-status is set to 2 or 3 respectively. The security status > could be lowered however if we discover the issue is less urgent than we > thought. > > If resolution fails, and the previous security-status was 1, the new > security-status becomes 0 (‘no data’). If the security-status was higher > than 1, it will remain that way, and not get set to 0. In this way, > security-status of 0 really means ‘no data’, and can not mask a known > problem. > > Distributions > > Distributions frequently backport security fixes to the PowerDNS versions > they ship. This might lead to a version number that is known to us to be > insecure to be secure in reality. > > To solve this issue, PowerDNS can be compiled with a distribution setting > which will move the security polls from: > ‘auth-x.y.z.security-status.secpoll.powerdns.com’ to > ‘auth-x.y.z-n.debian.security-status.secpoll.powerdns.com > > Note two things, one, there is a separate namespace for debian, and > secondly, we use the package version of this release. This allows us to know > that 3.6.0-1 (say) is insecure, but that 3.6.0-2 is not. > > Details and how to disable > > The configuration setting ‘security-poll-suffix’ is by default set to > ‘secpoll.powerdns.com’. If empty, nothing is polled. This can be moved to > ‘secpoll.yourorganization.com’. Our up to date secpoll zonefile is available > on github for this purpose. > > If compiled with PACKAGEVERSION=3.1.6-abcde.debian, queries will be sent to > “auth-3.1.6-abcde.debian.security-status.security-poll-suffix”. 
> > Delegation > > If a distribution wants to host its own file with version information, we > can delegate dist.security-status.secpoll.powerdns.com to their nameservers > directly. > > > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users I like it, having the possibility to disable polling is good too. Regards, -- Ciro Iriarte http://iriarte.it -- From cyruspy at gmail.com Mon Oct 27 03:49:31 2014 
From: cyruspy at gmail.com (Ciro Iriarte) Date: Mon, 27 Oct 2014 00:49:31 -0300 Subject: [Pdns-users] Recursor: Black list In-Reply-To: References: <20141017124203.GL6579@aart.rice.edu> <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> Message-ID: 2014-10-26 1:47 GMT-03:00 Ciro Iriarte : > 2014-10-26 1:17 GMT-03:00 Ciro Iriarte : >> 2014-10-20 15:12 GMT-03:00 ktm at rice.edu : >>> On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote: >>>> 2014-10-20 13:29 GMT-03:00 Robert Mortimer : >>>> > Hi, >>>> > >>>> > Just to add a bit less light, we implemented this sort of thing about 5 years back >>>> > and now with the aid of a small script have a solution which is fully RPZ >>>> > compatable. Using PDNS recursor and LUA, which can hadle an RPZ feed of about four >>>> > thousand records and around 5,000 QPS. We did stress test briefly with a 11,000 item >>>> > RPZ feed. >>>> > >>>> > As said no need to restart when it updates just do a LUA reload. Hopefully I >>>> > should be able to release what we did soon - am waiting for permission from our >>>> > legal types. >>>> > >>>> > Really not sure if that helps any, except to say it's very doable and can be >>>> > quite stable. >>>> > >>>> > >>>> >>>> RPZ seem really interesting, and I see there was a request for it in >>>> the past*. The thing is, we have direct requests from local government >>>> agencies to ban some domains with legal issues (mandated by a judge >>>> for example), and we were just approached about being able to block >>>> sites from the Internet Watch Foundation black list also (with their >>>> own landing page). Both cases will be redirected to different sites, >>>> and each has its own data source. Currently on bind we just define the >>>> domain as authoritative and it's kind of a hassle. 
>>>>
>>>> Also, I thought about adding some helpful LUA bits to report date/time
>>>> or the client's IP address, but from what I understood, only one LUA
>>>> script can be added to the recursor, maybe a super monster script
>>>> could be able to achieve all that.
>>>>
>>>>
>>>> Ref:
>>>> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html
>>>>
>>>>
>>>> Regards,
>>>> --
>>>> Ciro Iriarte
>>>> http://iriarte.it
>>>> --
>>>
>>> Hi,
>>>
>>> I would use a single Lua script for all of it. I am trying to find my
>>> sample using CDB to post.
>>>
>>> Regards,
>>> Ken
>>
>> Hi! Got a proof of concept script that successfully does the CDB
>> lookup, but I'm curious about the CNAME answers, how can I call
>> another resolution iteration to find the A record for the final
>> destination?
>>
>> Currently I can only answer a CNAME record, and any attempt to reach a
>> website for example will fail with "Couldn't resolve host".
>>
>> Regards,
>>
>> --
>> Ciro Iriarte
>> http://iriarte.it
>> --
>
> Answering to myself, found the followCNAMERecords return option. It
> works to look for a regular A lookup from the CNAME result. It doesn't
> cover the case where our overwritten answer should also be blocked (the
> LUA script is not run on that iteration).
>
> Should that case be covered? Is there another return code that will
> trigger the LUA script again for the CNAME follow up?
>
> --
> Ciro Iriarte
> http://iriarte.it
> --

Got a functional pair of scripts:

http://iriarte.it/?p=316

This doesn't address yet the possibility to black list "*.offender.com" for example. Comments?

Regards,
Ciro

--
Ciro Iriarte
http://iriarte.it
--

From cmouse at youzen.ext.b2.fi Mon Oct 27 06:46:58 2014
From: cmouse at youzen.ext.b2.fi (Aki Tuomi) Date: Mon, 27 Oct 2014 08:46:58 +0200 Subject: [Pdns-users] Recursor: Black list In-Reply-To: References: <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> Message-ID: <20141027064658.GA1956@pi.ip.fi> On Mon, Oct 27, 2014 at 12:49:31AM -0300, Ciro Iriarte wrote: > 2014-10-26 1:47 GMT-03:00 Ciro Iriarte : > > 2014-10-26 1:17 GMT-03:00 Ciro Iriarte : > >> 2014-10-20 15:12 GMT-03:00 ktm at rice.edu : > >>> On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote: > >>>> 2014-10-20 13:29 GMT-03:00 Robert Mortimer : > >>>> > Hi, > >>>> > > >>>> > Just to add a bit less light, we implemented this sort of thing about 5 years back > >>>> > and now with the aid of a small script have a solution which is fully RPZ > >>>> > compatable. Using PDNS recursor and LUA, which can hadle an RPZ feed of about four > >>>> > thousand records and around 5,000 QPS. We did stress test briefly with a 11,000 item > >>>> > RPZ feed. > >>>> > > >>>> > As said no need to restart when it updates just do a LUA reload. Hopefully I > >>>> > should be able to release what we did soon - am waiting for permission from our > >>>> > legal types. > >>>> > > >>>> > Really not sure if that helps any, except to say it's very doable and can be > >>>> > quite stable. > >>>> > > >>>> > > >>>> > >>>> RPZ seem really interesting, and I see there was a request for it in > >>>> the past*. The thing is, we have direct requests from local government > >>>> agencies to ban some domains with legal issues (mandated by a judge > >>>> for example), and we were just approached about being able to block > >>>> sites from the Internet Watch Foundation black list also (with their > >>>> own landing page). Both cases will be redirected to different sites, > >>>> and each has its own data source. 
Currently on bind we just define the > >>>> domain as authoritative and it's kind of a hassle. > >>>> > >>>> Also, I thought about adding some helpful LUA bits to report date/time > >>>> or the client's IP address, but from what I understood, only one LUA > >>>> script can be added to the recursor, maybe a super monster script > >>>> could be able to achieve all that. > >>>> > >>>> > >>>> Ref: > >>>> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html > >>>> > >>>> > >>>> Regards, > >>>> -- > >>>> Ciro Iriarte > >>>> http://iriarte.it > >>>> -- > >>> > >>> Hi, > >>> > >>> I would use a single Lua script for all of it. I am trying to find my > >>> sample using CDB to post. > >>> > >>> Regards, > >>> Ken > >> > >> Hi!, got a proof of concept script that successfully does the CDB > >> lookup, but I'm curious about the CNAME answers, how can I call > >> another resolution iteration to find the A record for the final > >> destination? > >> > >> Currently I can only answer a CNAME record, and any attempt to reach a > >> website for example will fail with "Couldn't resolve host". > >> > >> Regards, > >> > >> -- > >> Ciro Iriarte > >> http://iriarte.it > >> -- > > > > Answering to myself, found the followCNAMERecords return option. It > > works to look for a regular A lookup from the CNAME result. It doesn't > > cover the case were out overwritten answer should also be blocked (the > > LUA script is not run on that iteration). > > > > Should that case be covered?, is there other return code that will > > trigger the LUA script again for the CNAME follow up? > > > > -- > > Ciro Iriarte > > http://iriarte.it > > -- > > Got a functional pair of scripts: > > http://iriarte.it/?p=316 > > This doesn't address yet the possibility to black list > "*.offender.com" por example. Comments? > > > Regards, > Ciro > > -- > Ciro Iriarte > http://iriarte.it > -- In a way i'd chosen sqlite3 instead as it is pretty much on par with cdb. 
But, to make it work properly, I'd just add "*.domain.com", and when you look up, you could reduce it like this with get():

www.my.long.name.com => NOT FOUND
*.my.long.name.com => NOT FOUND
*.long.name.com => NOT FOUND
*.name.com => FOUND

(
of course you could continue with
*.com
*
)

Aki

From cyruspy at gmail.com Mon Oct 27 16:56:17 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Mon, 27 Oct 2014 13:56:17 -0300
Subject: [Pdns-users] Recursor: Black list
In-Reply-To: <20141027064658.GA1956@pi.ip.fi>
References: <20141017163538.GO6579@aart.rice.edu> <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> <20141027064658.GA1956@pi.ip.fi>
Message-ID:

2014-10-27 3:46 GMT-03:00 Aki Tuomi :
>
> In a way I'd chosen sqlite3 instead as it is pretty much on par with cdb.
> But, to make it work properly, I'd just add "*.domain.com", and when you look up,
> you could reduce it like this with get()
>
> www.my.long.name.com => NOT FOUND
> *.my.long.name.com => NOT FOUND
> *.long.name.com => NOT FOUND
> *.name.com => FOUND
>
> (
> of course you could continue with
> *.com
> *
> )
>
> Aki

Hi Aki! I couldn't find a (finished) benchmark that compares sqlite3 vs cdb directly, but the unfinished tests imply that cdb is faster. Given it's SQL, I assume we can just use a SELECT with a LIKE clause to match an "ending" in the DB against the requested fqdn; would it be faster than doing multiple cdb queries (one for each part of the requested fqdn)?

Regards,
--
Ciro Iriarte
http://iriarte.it
--

From cmouse at youzen.ext.b2.fi Mon Oct 27 17:27:15 2014
From: cmouse at youzen.ext.b2.fi (Aki Tuomi)
Date: Mon, 27 Oct 2014 19:27:15 +0200
Subject: [Pdns-users] Recursor: Black list
In-Reply-To:
References: <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> <20141027064658.GA1956@pi.ip.fi>
Message-ID: <20141027172715.GA6328@pi.ip.fi>

On Mon, Oct 27, 2014 at 01:56:17PM -0300, Ciro Iriarte wrote:
> 2014-10-27 3:46 GMT-03:00 Aki Tuomi :
> >
> > In a way I'd chosen sqlite3 instead as it is pretty much on par with cdb.
> > But, to make it work properly, I'd just add "*.domain.com", and when you look up,
> > you could reduce it like this with get()
> >
> > www.my.long.name.com => NOT FOUND
> > *.my.long.name.com => NOT FOUND
> > *.long.name.com => NOT FOUND
> > *.name.com => FOUND
> >
> > (
> > of course you could continue with
> > *.com
> > *
> > )
> >
> > Aki
>
> Hi Aki! I couldn't find a (finished) benchmark that compares sqlite3
> vs cdb directly, but the unfinished tests imply that cdb is faster.
> Given it's SQL, I assume we can just use a SELECT with a LIKE clause to
> match an "ending" in the DB against the requested fqdn; would it be
> faster than doing multiple cdb queries (one for each part of the
> requested fqdn)?
>
> Regards,
>
> --
> Ciro Iriarte
> http://iriarte.it
> --
>

The difference, to my eyes, is the difference between

SELECT name FROM table WHERE name LIKE '%suffix';

and

SELECT name FROM table WHERE name = 'www.my.long.name.com';
SELECT name FROM table WHERE name = '*.my.long.name.com';
SELECT name FROM table WHERE name = '*.long.name.com';
SELECT name FROM table WHERE name = '*.name.com';
SELECT name FROM table WHERE name = '*.com';

(assuming you'll want to filter out, say, *.xxx)

Obviously using a suffix would require you to know what you are doing, since you'd have to know what suffix to look for, otherwise you'll end up with very unpredictable behaviour.

Consider: you have www.name.com in your blacklist, and you look for %.name.com. It'll always return a match. So it's safer to go with repeated lookups for *.parent.

Performance-wise you should consider that your most likely usage patterns are:

not blacklisted:
SELECT name FROM table WHERE name = 'www.name.com';
SELECT name FROM table WHERE name = '*.name.com';
SELECT name FROM table WHERE name = '*.com';

blacklisted:
SELECT name FROM table WHERE name = 'www.name.com';

or:
SELECT name FROM table WHERE name = 'www.name.com';
SELECT name FROM table WHERE name = '*.name.com';

To give a proper answer whether SQLite3 or CDB is better, you'd have to run benchmark tests against these use cases as they cover most of your situations.

Also, you might want to consider an early break on any query ending with in-addr.arpa and ip6.arpa, unless you are required to filter these too, because you can get pretty long iterations especially with IPv6 reverses.

All in all, I'd say go with cdb, since you already have the code there and it's not a big mod to make. Just keep this in mind.

---
Aki

From ktm at rice.edu Mon Oct 27 17:58:43 2014
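The parent-walk lookup Aki describes in his two messages above, as an added example rather than the scripts from the thread: exact name first, then '*.' plus each parent, an early break for in-addr.arpa and ip6.arpa names, and the LIKE '%suffix' over-match beside it for comparison; a dict with constructed entries stands in for the CDB/SQLite store.

```python
from typing import Dict, Iterator, Optional, Tuple

# Constructed blocklist (stand-in for the CDB/SQLite store): key -> landing name.
# Note that only www.name.com is listed, not *.name.com.
BLOCKLIST: Dict[str, str] = {
    "www.name.com": "landing-a.example",
    "*.offender.example": "landing-b.example",
}

# Reverse-lookup trees are skipped early: a PTR name such as a 32-nibble
# ip6.arpa name would otherwise produce a very long chain of parent lookups.
SKIP_SUFFIXES = ("in-addr.arpa", "ip6.arpa")


def normalize(qname: str) -> str:
    """Lower-case the name and drop the trailing dot of a fully qualified name."""
    return qname.lower().rstrip(".")


def candidate_keys(name: str, include_bare_star: bool = True) -> Iterator[str]:
    """Yield the exact name, then '*.' + each parent, and finally '*'.

    www.my.long.name.com, *.my.long.name.com, *.long.name.com, *.name.com, *.com, *
    The bare '*' is the optional last step Aki mentions in parentheses.
    """
    labels = name.split(".")
    yield name
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])
    if include_bare_star:
        yield "*"


def lookup(qname: str, blocklist: Dict[str, str] = BLOCKLIST
           ) -> Tuple[Optional[str], Optional[str], int]:
    """Return (matched_key, landing, lookups_done); key and landing are None on a miss.

    Each dict get() corresponds to one cdb get() or one 'WHERE name = ...' query,
    so lookups_done reproduces the cost patterns Aki lists for hit and miss cases.
    """
    name = normalize(qname)
    if name in SKIP_SUFFIXES or name.endswith(tuple("." + s for s in SKIP_SUFFIXES)):
        return None, None, 0
    lookups = 0
    for key in candidate_keys(name):
        lookups += 1
        landing = blocklist.get(key)
        if landing is not None:
            return key, landing, lookups
    return None, None, lookups


def naive_like_lookup(qname: str, blocklist: Dict[str, str] = BLOCKLIST) -> Optional[str]:
    """Model of SELECT name FROM table WHERE name LIKE '%.<parent>' for each parent.

    This is the pitfall Aki warns about: with only www.name.com listed, the
    suffix query for '%.name.com' still returns a row, so mail.name.com gets
    blocked although it was never listed.
    """
    name = normalize(qname)
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        for key in blocklist:
            if key.endswith(suffix):
                return key
    return None
```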
From: ktm at rice.edu (ktm at rice.edu)
Date: Mon, 27 Oct 2014 12:58:43 -0500
Subject: [Pdns-users] Recursor: Black list
In-Reply-To: <20141027172715.GA6328@pi.ip.fi>
References: <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> <20141027064658.GA1956@pi.ip.fi> <20141027172715.GA6328@pi.ip.fi>
Message-ID: <20141027175843.GN32559@aart.rice.edu>

On Mon, Oct 27, 2014 at 07:27:15PM +0200, Aki Tuomi wrote:
> On Mon, Oct 27, 2014 at 01:56:17PM -0300, Ciro Iriarte wrote:
> > 2014-10-27 3:46 GMT-03:00 Aki Tuomi :
> > >
> > > In a way i'd chosen sqlite3 instead as it is pretty much on par with cdb.
> > > But, to make it work properly, i'd just add "*.domain.com", and when you lookup,
> > > you could reduce it like this with get()
> > >
> > > www.my.long.name.com => NOT FOUND
> > > *.my.long.name.com => NOT FOUND
> > > *.long.name.com => NOT FOUND
> > > *.name.com => FOUND
> > >
> > > (
> > > of course you could continue with
> > > *.com
> > > *
> > > )
> > >
> > > Aki
> >
> > Hi Aki!, I couldn't find a (finished) benchmark that compares directly
> > sqlite3 vs cdb, but the unfinished tests imply that cdb is faster.
> > Given it's SQL I assume we can just use a SELECT with LIKE clause to
> > match an "ending" on the DB with the requested fqdn, would it be
> > faster than doing multiple cdb queries (one for each part of the
> > requested fqdn)?
> >
> > Regards,
> >
> > --
> > Ciro Iriarte
> > http://iriarte.it
> > --
> >
>
> The difference, to my eyes, is the difference between
>
> SELECT name FROM table WHERE name LIKE '%suffix';
>
> and
>
> SELECT name FROM table WHERE name = 'www.my.long.name.com';
> SELECT name FROM table WHERE name = '*.my.long.name.com';
> SELECT name FROM table WHERE name = '*.long.name.com';
> SELECT name FROM table WHERE name = '*.name.com';
> SELECT name FROM table WHERE name = '*.com';
>
> (assuming you'll want to filter out, say, *.xxx)
>
> Obviously using suffix would require you to know what you are
> doing, since you'd have to know what suffix to look for, otherwise
> you'll end up with very unpredictable behaviour.
>
> Consider, you have www.name.com in your blacklist, you'll look for
> %.name.com. It'll always return match. So it's safer to go with
> repeated lookups for *.parent.
>
> Performance-wise you should consider that your most likely usage
> patterns are,
>
> not blacklisted:
> SELECT name FROM table WHERE name = 'www.name.com';
> SELECT name FROM table WHERE name = '*.name.com';
> SELECT name FROM table WHERE name = '*.com';
>
> blacklisted:
> SELECT name FROM table WHERE name = 'www.name.com';
>
> or:
> SELECT name FROM table WHERE name = 'www.name.com';
> SELECT name FROM table WHERE name = '*.name.com';
>
>
> to give proper answer whether SQLite3 or CDB is better, you'd have to
> run benchmark tests against these use cases as they cover most of your
> situations.
>
> Also, you might want to consider early-break on any query ending with
> in-addr.arpa and ip6.arpa, unless you are required to filter these too,
> because you can get pretty long iterations especially with IPv6 reverses.
>
> All in all, i'd say go with cdb, since you already have the code there
> and it's not a big mod to make. Just keep this in mind.
>
> ---
> Aki
>

Hi,

CDB is a very simple key/value store. I would expect it to blow the
doors off SQLite for simple lookups. In addition, the size of the
library is much, much smaller for CDB (20k) than for SQLite (400k),
which means that it should need much fewer resources and produce
a lighter weight Lua process. Since the logic is mainly in the Lua
function and the DB backend, the simple CDB key/value store
should perform better per amount of resources used.

Regards,
Ken

From cmouse at youzen.ext.b2.fi Mon Oct 27 18:28:21 2014
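The parent-walk lookup Aki describes in the quoted message (exact match on the name, then `*.parent` for each parent, with the early break for reverse zones), next to the `LIKE '%suffix'` shortcut he warns against, as an added example that is not code from the thread or from Ciro's script. It uses an in-memory SQLite table as a plain key/value store with a constructed sample blacklist; the same walk works unchanged against cdb `get()` calls. Python is used here for the demonstration rather than the recursor's Lua.

```python
import sqlite3

# Constructed sample blacklist for the demonstration; not data from the thread.
SAMPLE_BLACKLIST = ["www.name.com", "*.bad.example", "ads.tracker.test"]
# Reverse zones get the early break Aki suggests: many labels, rarely filtered.
REVERSE_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")


def open_blacklist(entries=SAMPLE_BLACKLIST):
    """In-memory SQLite table keyed by name, used as a plain key/value store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blacklist (name TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO blacklist (name) VALUES (?)",
                     [(e.lower().rstrip("."),) for e in entries])
    return conn


def candidates(qname):
    """Exact name first, then '*.<parent>' for every parent, finally '*'."""
    labels = qname.lower().rstrip(".").split(".")
    keys = [".".join(labels)]
    keys += ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return keys + ["*"]


def is_blacklisted(conn, qname):
    """Walk the candidates with exact lookups; returns (matched_key, lookups)."""
    name = qname.lower().rstrip(".")
    if name.endswith(REVERSE_SUFFIXES):
        return None, 0
    lookups = 0
    for key in candidates(name):
        lookups += 1
        row = conn.execute("SELECT name FROM blacklist WHERE name = ?",
                           (key,)).fetchone()
        if row:
            return row[0], lookups
    return None, lookups


def suffix_like_match(conn, qname):
    """The LIKE '%.parent' shortcut from the thread: a listed www.name.com
    makes every sibling under name.com look blocked (false positive)."""
    name = qname.lower().rstrip(".")
    if "." not in name:
        return None
    row = conn.execute("SELECT name FROM blacklist WHERE name LIKE ?",
                       ("%." + name.split(".", 1)[1],)).fetchone()
    return row[0] if row else None
```

The returned lookup count shows the cost profile from the quoted message: one query for a listed name, one per label for a clean name, zero for a reverse lookup.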
From: cmouse at youzen.ext.b2.fi (Aki Tuomi)
Date: Mon, 27 Oct 2014 20:28:21 +0200
Subject: [Pdns-users] Recursor: Black list
In-Reply-To: <20141027175843.GN32559@aart.rice.edu>
References: <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> <20141027064658.GA1956@pi.ip.fi> <20141027172715.GA6328@pi.ip.fi> <20141027175843.GN32559@aart.rice.edu>
Message-ID: <20141027182821.GA6359@pi.ip.fi>

On Mon, Oct 27, 2014 at 12:58:43PM -0500, ktm at rice.edu wrote:
> On Mon, Oct 27, 2014 at 07:27:15PM +0200, Aki Tuomi wrote:
> > On Mon, Oct 27, 2014 at 01:56:17PM -0300, Ciro Iriarte wrote:
> > > 2014-10-27 3:46 GMT-03:00 Aki Tuomi :
> > > >
> > > > In a way i'd chosen sqlite3 instead as it is pretty much on par with cdb.
> > > > But, to make it work properly, i'd just add "*.domain.com", and when you lookup,
> > > > you could reduce it like this with get()
> > > >
> > > > www.my.long.name.com => NOT FOUND
> > > > *.my.long.name.com => NOT FOUND
> > > > *.long.name.com => NOT FOUND
> > > > *.name.com => FOUND
> > > >
> > > > (
> > > > of course you could continue with
> > > > *.com
> > > > *
> > > > )
> > > >
> > > > Aki
> > >
> > > Hi Aki!, I couldn't find a (finished) benchmark that compares directly
> > > sqlite3 vs cdb, but the unfinished tests imply that cdb is faster.
> > > Given it's SQL I assume we can just use a SELECT with LIKE clause to
> > > match an "ending" on the DB with the requested fqdn, would it be
> > > faster than doing multiple cdb queries (one for each part of the
> > > requested fqdn)?
> > >
> > > Regards,
> > >
> > > --
> > > Ciro Iriarte
> > > http://iriarte.it
> > > --
> > >
> >
> > The difference, to my eyes, is the difference between
> >
> > SELECT name FROM table WHERE name LIKE '%suffix';
> >
> > and
> >
> > SELECT name FROM table WHERE name = 'www.my.long.name.com';
> > SELECT name FROM table WHERE name = '*.my.long.name.com';
> > SELECT name FROM table WHERE name = '*.long.name.com';
> > SELECT name FROM table WHERE name = '*.name.com';
> > SELECT name FROM table WHERE name = '*.com';
> >
> > (assuming you'll want to filter out, say, *.xxx)
> >
> > Obviously using suffix would require you to know what you are
> > doing, since you'd have to know what suffix to look for, otherwise
> > you'll end up with very unpredictable behaviour.
> >
> > Consider, you have www.name.com in your blacklist, you'll look for
> > %.name.com. It'll always return match. So it's safer to go with
> > repeated lookups for *.parent.
> >
> > Performance-wise you should consider that your most likely usage
> > patterns are,
> >
> > not blacklisted:
> > SELECT name FROM table WHERE name = 'www.name.com';
> > SELECT name FROM table WHERE name = '*.name.com';
> > SELECT name FROM table WHERE name = '*.com';
> >
> > blacklisted:
> > SELECT name FROM table WHERE name = 'www.name.com';
> >
> > or:
> > SELECT name FROM table WHERE name = 'www.name.com';
> > SELECT name FROM table WHERE name = '*.name.com';
> >
> >
> > to give proper answer whether SQLite3 or CDB is better, you'd have to
> > run benchmark tests against these use cases as they cover most of your
> > situations.
> >
> > Also, you might want to consider early-break on any query ending with
> > in-addr.arpa and ip6.arpa, unless you are required to filter these too,
> > because you can get pretty long iterations especially with IPv6 reverses.
> >
> > All in all, i'd say go with cdb, since you already have the code there
> > and it's not a big mod to make. Just keep this in mind.
> >
> > ---
> > Aki
> >
>
> Hi,
>
> CDB is a very simple key/value store. I would expect it to blow the
> doors off SQLite for simple lookups. In addition, the size of the
> library is much, much smaller for CDB (20k) than for SQLite (400k),
> which means that it should need much fewer resources and produce
> a lighter weight Lua process. Since the logic is mainly in the Lua
> function and the DB backend, the simple CDB key/value store
> should perform better per amount of resources used.
>
> Regards,
> Ken
>

Ken, you are right. Thank you for pointing this out.

Aki

From cyruspy at gmail.com Wed Oct 29 04:16:46 2014
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Wed, 29 Oct 2014 01:16:46 -0300
Subject: [Pdns-users] Recursor: Black list
In-Reply-To: <20141027172715.GA6328@pi.ip.fi>
References: <5445221D.5010805@maurand.com> <20141020162940.GA31884@bob.bofh.org> <20141020181207.GC32559@aart.rice.edu> <20141027064658.GA1956@pi.ip.fi> <20141027172715.GA6328@pi.ip.fi>
Message-ID:

2014-10-27 14:27 GMT-03:00 Aki Tuomi :
> On Mon, Oct 27, 2014 at 01:56:17PM -0300, Ciro Iriarte wrote:
>> 2014-10-27 3:46 GMT-03:00 Aki Tuomi :
>> >
>> > In a way i'd chosen sqlite3 instead as it is pretty much on par with cdb.
>> > But, to make it work properly, i'd just add "*.domain.com", and when you lookup,
>> > you could reduce it like this with get()
>> >
>> > www.my.long.name.com => NOT FOUND
>> > *.my.long.name.com => NOT FOUND
>> > *.long.name.com => NOT FOUND
>> > *.name.com => FOUND
>> >
>> > (
>> > of course you could continue with
>> > *.com
>> > *
>> > )
>> >
>> > Aki
>>
>> Hi Aki!, I couldn't find a (finished) benchmark that compares directly
>> sqlite3 vs cdb, but the unfinished tests imply that cdb is faster.
>> Given it's SQL I assume we can just use a SELECT with LIKE clause to
>> match an "ending" on the DB with the requested fqdn, would it be
>> faster than doing multiple cdb queries (one for each part of the
>> requested fqdn)?
>>
>> Regards,
>>
>> --
>> Ciro Iriarte
>> http://iriarte.it
>> --
>>
>
> The difference, to my eyes, is the difference between
>
> SELECT name FROM table WHERE name LIKE '%suffix';
>
> and
>
> SELECT name FROM table WHERE name = 'www.my.long.name.com';
> SELECT name FROM table WHERE name = '*.my.long.name.com';
> SELECT name FROM table WHERE name = '*.long.name.com';
> SELECT name FROM table WHERE name = '*.name.com';
> SELECT name FROM table WHERE name = '*.com';
>
> (assuming you'll want to filter out, say, *.xxx)
>
> Obviously using suffix would require you to know what you are
> doing, since you'd have to know what suffix to look for, otherwise
> you'll end up with very unpredictable behaviour.
>
> Consider, you have www.name.com in your blacklist, you'll look for
> %.name.com. It'll always return match. So it's safer to go with
> repeated lookups for *.parent.
>
> Performance-wise you should consider that your most likely usage
> patterns are,
>
> not blacklisted:
> SELECT name FROM table WHERE name = 'www.name.com';
> SELECT name FROM table WHERE name = '*.name.com';
> SELECT name FROM table WHERE name = '*.com';
>
> blacklisted:
> SELECT name FROM table WHERE name = 'www.name.com';
>
> or:
> SELECT name FROM table WHERE name = 'www.name.com';
> SELECT name FROM table WHERE name = '*.name.com';
>
>
> to give proper answer whether SQLite3 or CDB is better, you'd have to
> run benchmark tests against these use cases as they cover most of your
> situations.
>
> Also, you might want to consider early-break on any query ending with
> in-addr.arpa and ip6.arpa, unless you are required to filter these too,
> because you can get pretty long iterations especially with IPv6 reverses.
>
> All in all, i'd say go with cdb, since you already have the code there
> and it's not a big mod to make. Just keep this in mind.
>
> ---
> Aki

Thanks a lot for the suggestions, got a new version at
http://iriarte.it/?p=348, it apparently works fine.

Anybody would care to benchmark it? :)

Regards,

--
Ciro Iriarte
http://iriarte.it
--

From peter.van.dijk at netherlabs.nl Thu Oct 30 13:26:33 2014
From: peter.van.dijk at netherlabs.nl (Peter van Dijk)
Date: Thu, 30 Oct 2014 14:26:33 +0100
Subject: [Pdns-users] PowerDNS Authoritative Server 3.4.1 released
Message-ID: <85E96EFF-9E89-43F1-80DD-2A70CB408297@netherlabs.nl>

Hi everybody,

PowerDNS Authoritative Server 3.4.1 is now available!

3.4.1 is the best version of the PowerDNS Authoritative Server currently
available, and we recommend upgrading to it. Please read
http://doc.powerdns.com/html/from3.3.1to3.4.0.html before you do, however!

Please see http://doc.powerdns.com/html/changelog.html#changelog-auth-3.4.1
for full release notes and all download links.

You can get PowerDNS 3.4.1 from:

http://downloads.powerdns.com/releases/pdns-3.4.1.tar.bz2
http://downloads.powerdns.com/releases/deb/pdns-static_3.4.1-1_i386.deb
http://downloads.powerdns.com/releases/deb/pdns-static_3.4.1-1_amd64.deb
http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.1-1.i386.rpm
http://downloads.powerdns.com/releases/rpm/pdns-static-3.4.1-1.x86_64.rpm

These files also come with GPG signatures (append .sig or .asc).

Additionally, Kees Monshouwer has kindly provided native builds for
RHEL/CentOS 5 and 6 at http://www.monshouwer.eu/download/3rd_party/pdns-server/

This is a bugfix update to 3.4.0 and any earlier version.

Changes since 3.4.0:

* commit dcd6524, commit a8750a5, commit 7dc86bf, commit 2fda71f: PowerDNS now
  polls the security status of a release at startup and periodically. More
  detail on this feature, and how to turn it off, can be found in Section 2,
  "Security polling".
* commit 5fe6dc0: API: Replace HTTP Basic auth with static key in custom
  header (X-API-Key)
* commit 4a95ab4: Use transaction for pdnssec increase-serial
* commit 6e82a23: Don't empty ordername during pdnssec increase-serial
* commit 535f4e3: honor SOA-EDIT while considering "empty IXFR" fallback,
  fixes ticket 1835. This fixes slaving of signed zones to IXFR-aware slaves
  like NSD or BIND.

From peter.van.dijk at netherlabs.nl Thu Oct 30 13:27:50 2014
From: peter.van.dijk at netherlabs.nl (Peter van Dijk)
Date: Thu, 30 Oct 2014 14:27:50 +0100
Subject: [Pdns-users] PowerDNS Recursor 3.6.2 released
Message-ID: <59F9179E-AD76-45A8-965E-087575387924@netherlabs.nl>

Hi everybody,

version 3.6.2 of the PowerDNS Recursor is now available from
https://www.powerdns.com/downloads.html

Kees Monshouwer provides native RHEL5/6 packages at
http://www.monshouwer.eu/download/3rd_party/pdns-recursor/

Full release notes, with clickable links, are available from:
http://doc.powerdns.com/html/changelog.html#changelog-recursor-3.6.2

3.6.2 is the best version of the PowerDNS Recursor currently available,
and we recommend upgrading to it.

This is a bugfix update to 3.6.1. A list of changes since 3.6.1 follows.

* gab14b4f: expedite servfail generation for ezdns-like failures (fully
  abort query resolving if we hit more than 50 outqueries)
* g42025be: PowerDNS now polls the security status of a release at startup
  and periodically. More detail on this feature, and how to turn it off, can
  be found in Section 2, "Security polling".
* g5027429: We did not transmit the right 'local' socket address to Lua for
  TCP/IP queries in the recursor. In addition, we would attempt to lookup a
  filedescriptor that wasn't there in an unlocked map which could conceivably
  lead to crashes. Closes t1828, thanks Winfried for reporting
* g752756c: Sync embedded yahttp copy. API: Replace HTTP Basic auth with
  static key in custom header
* g6fdd40d: add missing #include to rec-channel.hh (this fixes building on
  OS X).

From cmeerw at cmeerw.org Thu Oct 30 14:03:01 2014
From: cmeerw at cmeerw.org (Christof Meerwald)
Date: Thu, 30 Oct 2014 15:03:01 +0100
Subject: [Pdns-users] PowerDNS Authoritative Server 3.4.1 released
In-Reply-To: <85E96EFF-9E89-43F1-80DD-2A70CB408297@netherlabs.nl>
References: <85E96EFF-9E89-43F1-80DD-2A70CB408297@netherlabs.nl>
Message-ID: <20141030140300.GA7526@edge.cmeerw.net>

On Thu, 30 Oct 2014 14:26:33 +0100, Peter van Dijk wrote:
> PowerDNS Authoritative Server 3.4.1 is now available!

Bit of a shame that this doesn't seem to address
http://mailman.powerdns.com/pipermail/pdns-users/2014-October/010950.html

Christof

--
http://cmeerw.org sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org

From peter.van.dijk at netherlabs.nl Thu Oct 30 15:40:59 2014
From: peter.van.dijk at netherlabs.nl (Peter van Dijk)
Date: Thu, 30 Oct 2014 16:40:59 +0100
Subject: [Pdns-users] PowerDNS Authoritative Server 3.4.1 released
In-Reply-To: <20141030140300.GA7526@edge.cmeerw.net>
References: <85E96EFF-9E89-43F1-80DD-2A70CB408297@netherlabs.nl> <20141030140300.GA7526@edge.cmeerw.net>
Message-ID:

Hello Christof,

On 30 Oct 2014, at 15:03 , Christof Meerwald wrote:

> On Thu, 30 Oct 2014 14:26:33 +0100, Peter van Dijk wrote:
>> PowerDNS Authoritative Server 3.4.1 is now available!
>
> Bit of a shame that this doesn't seem to address
> http://mailman.powerdns.com/pipermail/pdns-users/2014-October/010950.html

Our apologies for letting that slip by. We strongly recommend filing a
Pull Request at GitHub so we have all patches in one place. Sorry!

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/