From aj.mckee at druid-dns.com Sun Feb 1 02:41:07 2015
From: aj.mckee at druid-dns.com (AJ McKee)
Date: Sun, 1 Feb 2015 02:41:07 +0000
Subject: [Pdns-users] Remote Backend and Query / Packet Cache

Being the weekend, I decided to write an HTTP backend for pdns as a fun thing to do.

One thing springs to mind however: the packet and query cache. In particular, how they cache.

Do they use the remote client's IP as part of the caching key, thus only serving from the cache if the client is repeatedly asking? AFAIK this is not the case.

If I added simple BIND-style views to my backend, would this be pointless?

My thinking here: if a request came from netblock A and it was cached, followed by a request from netblock C, C would get the cached answer instead of querying the backend for its corrected view.

Is there a way that the remote backend can influence the cache in the response it sends back?

I am aware of all the other backends; this is just my fun-time thing to play with the new features.

Thanks in advance

--
AJ McKee
phone: +353 83 1130 545
profile: http://linkedin.com/in/ajmkee
jid: aj.mckee at druid-dns.com
blog: http://aj.mc-kee.com/
twitter: @ajmckee

From cmouse at youzen.ext.b2.fi Sun Feb 1 08:14:56 2015
From: cmouse at youzen.ext.b2.fi (Aki Tuomi)
Date: Sun, 1 Feb 2015 10:14:56 +0200
Subject: [Pdns-users] Remote Backend and Query / Packet Cache
Message-ID: <20150201081456.GA13227@pi.ip.fi>

On Sun, Feb 01, 2015 at 02:41:07AM +0000, AJ McKee wrote:
> Being the weekend, I decided to write an HTTP backend for pdns as a fun
> thing to do.
>
> One thing springs to mind however: the packet and query cache. In
> particular, how they cache.
>
> Do they use the remote client's IP as part of the caching key, thus only
> serving from the cache if the client is repeatedly asking? AFAIK this is
> not the case.
>
> If I added simple BIND-style views to my backend, would this be pointless?
>
> My thinking here: if a request came from netblock A and it was cached,
> followed by a request from netblock C, C would get the cached answer
> instead of querying the backend for its corrected view.
>
> Is there a way that the remote backend can influence the cache in the
> response it sends back?
>
> I am aware of all the other backends; this is just my fun-time thing to play
> with the new features.
>
> Thanks in advance
>
> --
> AJ McKee
> phone: +353 83 1130 545
> profile: http://linkedin.com/in/ajmkee
> jid: aj.mckee at druid-dns.com
> blog: http://aj.mc-kee.com/
> twitter: @ajmckee

You can set scopeBits to the size of the netblock. Should do what you want.

Aki

From aj.mckee at druid-dns.com Sun Feb 1 11:21:45 2015
From: aj.mckee at druid-dns.com (AJ McKee)
Date: Sun, 1 Feb 2015 11:21:45 +0000
Subject: [Pdns-users] Remote Backend and Query / Packet Cache
In-Reply-To: <20150201081456.GA13227@pi.ip.fi>
References: <20150201081456.GA13227@pi.ip.fi>

Ah perfect, there goes my Sunday :)

Thank you Aki

AJ

On 1 February 2015 at 08:14, Aki Tuomi wrote:
> On Sun, Feb 01, 2015 at 02:41:07AM +0000, AJ McKee wrote:
> > Being the weekend, I decided to write an HTTP backend for pdns as a fun
> > thing to do.
> >
> > One thing springs to mind however: the packet and query cache. In
> > particular, how they cache.
> >
> > Do they use the remote client's IP as part of the caching key, thus only
> > serving from the cache if the client is repeatedly asking? AFAIK this is
> > not the case.
> >
> > If I added simple BIND-style views to my backend, would this be
> pointless?
> >
> > My thinking here: if a request came from netblock A and it was cached,
> > followed by a request from netblock C, C would get the cached answer
> > instead of querying the backend for its corrected view.
> >
> > Is there a way that the remote backend can influence the cache in the
> > response it sends back?
> >
> > I am aware of all the other backends; this is just my fun-time thing to
> play
> > with the new features.
> >
> > Thanks in advance
> >
> > --
> > AJ McKee
> > phone: +353 83 1130 545
> > profile: http://linkedin.com/in/ajmkee
> > jid: aj.mckee at druid-dns.com
> > blog: http://aj.mc-kee.com/
> > twitter: @ajmckee
>
> You can set scopeBits to the size of the netblock. Should do what you
> want.
>
> Aki
>

--
AJ McKee
phone: +353 83 1130 545
profile: http://linkedin.com/in/ajmkee
jid: aj.mckee at druid-dns.com
blog: http://aj.mc-kee.com/
twitter: @ajmckee

From james at jtaylor.id.au Sun Feb 1 11:35:18 2015
From: james at jtaylor.id.au (James Taylor)
Date: Sun, 01 Feb 2015 22:35:18 +1100
Subject: [Pdns-users] DS record algorithm suggestions
Message-ID: <54CE0F76.8020702@jtaylor.id.au>

Hello World

Just looking around for some suggestions for DNSSEC algorithms. Currently using RSASHA256, but was looking into possibly using ECDSA P-384.

Does anyone have any insight into this? (And also the different NSEC options.)

Thanks,
James Taylor

From carlos at hospedajeydominios.com Sun Feb 1 18:47:47 2015
From: carlos at hospedajeydominios.com (Carlos HyD)
Date: Sun, 1 Feb 2015 19:47:47 +0100
Subject: [Pdns-users] Axfr notification not success from super master
Message-ID: <23978138-B4C4-4759-89BD-15EC1E5FA280@hospedajeydominios.com>

Hi, we use pdns 2.9 neither as master nor slave; it just imports zones from BINDs acting like supermasters and then replicates the DB in MySQL to ns2, ns3...
I built a new system to test the 3.4 version and now see this config no longer works, with the error:

Received NOTIFY for XXXXx from XXXX but slave support is disabled in the configuration

In the doc I see this:

However, a notification from a supermaster carries more persuasion. When PDNS determines that a notification comes from a supermaster and it is bonafide, PDNS can provision the domain automatically, and configure itself as a slave for that zone. Before a supermaster notification succeeds, the following conditions must be met:

• The supermaster must carry a SOA record for the notified domain
• The supermaster IP must be present in the 'supermaster' table
• The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table

I'm testing this by just sending notifications also to the test 3.4 machine from the same named.conf and the same 2.9 that is importing the zones fine. We do not use DNSSEC. The supermaster table is the same on the new version, so I really have no clue why it is no longer working as expected. I can enable slave in the conf and zones are imported, but I'm just curious about it.

Regards
Carlos Luna

From steffannoord at gmail.com Mon Feb 2 11:41:34 2015
From: steffannoord at gmail.com (Steffan Noord)
Date: Mon, 2 Feb 2015 12:41:34 +0100
Subject: [Pdns-users] wildcard proof failed dnssec
In-Reply-To: <021101d03ed7$99d7eca0$cd87c5e0$@gmail.com>
References: <003c01d03c7b$e1f1f980$a5d5ec80$@gmail.com> <20150130110447.GA11175@xs.powerdns.com> <021101d03ed7$99d7eca0$cd87c5e0$@gmail.com>
Message-ID: <026c01d03edd$32bee450$983cacf0$@gmail.com>

Hello Bert,

I'm just discussing the problem with Marco from SIDN. He did point me to http://dnsviz.net/d/_25._tcp.startmetplate.nl/VMtu8Q/dnssec/

So for the archive, this is a good site to check a DNSSEC error.

The problem is TLSA.

Rectify-zone fixed the problem.
How often do I have to do that?
After every DNS update or every day...
-----Original message-----
From: bert hubert [mailto:bert.hubert at powerdns.com]
Sent: Friday, 30 January 2015 12:05
To: Steffan Noord
CC: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] wildcard proof failed dnssec

On Fri, Jan 30, 2015 at 11:59:55AM +0100, Steffan Noord wrote:
> I have a domain with *.domain in an A record
>
> After that SIDN is sending me reports that
>
> wildcard proof failed

Please tell us which PowerDNS version you use and the name of the domain name so we can check.

Thanks!

Bert

From s.posner at telekom.de Mon Feb 2 12:19:41 2015
From: s.posner at telekom.de (Posner, Sebastian)
Date: Mon, 2 Feb 2015 12:19:41 +0000
Subject: [Pdns-users] wildcard proof failed dnssec
In-Reply-To: <026c01d03edd$32bee450$983cacf0$@gmail.com>
References: <003c01d03c7b$e1f1f980$a5d5ec80$@gmail.com> <20150130110447.GA11175@xs.powerdns.com> <021101d03ed7$99d7eca0$cd87c5e0$@gmail.com> <026c01d03edd$32bee450$983cacf0$@gmail.com>
Message-ID: <035b058bd35e4b1f90ff5a951e045e85@QEO00410.de.t-online.corp>

Steffan Noord wrote:
> Rectify-zone fixed the problem.
> How often do I have to do that?
> After every DNS update or every day...

After every zone update would perfectly do the trick.

Some changes, like just changing values alone (e.g. changing the IP address of an A-RR), won't need an update, so you could make a differentiation depending on the type of update; but if you don't expect overly huge amounts of updates, I'd say there's no huge gain to make.
kind regards,
Sebastian

From bert.hubert at powerdns.com Mon Feb 2 12:54:06 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Mon, 2 Feb 2015 13:54:06 +0100
Subject: [Pdns-users] wildcard proof failed dnssec
In-Reply-To: <026c01d03edd$32bee450$983cacf0$@gmail.com>
References: <003c01d03c7b$e1f1f980$a5d5ec80$@gmail.com> <20150130110447.GA11175@xs.powerdns.com> <021101d03ed7$99d7eca0$cd87c5e0$@gmail.com> <026c01d03edd$32bee450$983cacf0$@gmail.com>
Message-ID: <20150202125406.GB534@xs.powerdns.com>

On Mon, Feb 02, 2015 at 12:41:34PM +0100, Steffan Noord wrote:
> Rectify-zone fixed the problem.
> How often do I have to do that?
> After every DNS update or every day...

If you update the database for DNSSEC records, this is what you need to do:

https://doc.powerdns.com/md/authoritative/dnssec/#rules-for-filling-out-fields-in-database-backends

Good luck!

Bert

>
> -----Original message-----
> From: bert hubert [mailto:bert.hubert at powerdns.com]
> Sent: Friday, 30 January 2015 12:05
> To: Steffan Noord
> CC: pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] wildcard proof failed dnssec
>
> On Fri, Jan 30, 2015 at 11:59:55AM +0100, Steffan Noord wrote:
> > I have a domain with *.domain in an A record
> >
> > After that SIDN is sending me reports that
> >
> > wildcard proof failed
>
> Please tell us which PowerDNS version you use and the name of the domain
> name so we can check.
>
> Thanks!
>
> Bert
>

From jordan at webnames.ca Mon Feb 2 23:26:57 2015
From: jordan at webnames.ca (Jordan Rieger)
Date: Mon, 02 Feb 2015 15:26:57 -0800
Subject: [Pdns-users] 405 Method Not Allowed error returned from zone update HTTP PATCH method against JSON REST API

Hello.
I'm writing code to interface with the HTTP JSON REST API of a PowerDNS 3.4.1 authoritative server with a MySQL backend. I'm submitting a request to modify the records on a zone using a PATCH method as specified at https://doc.powerdns.com/md/httpapi/api_spec/#url-serversserver95idzoneszone95id, and I'm getting back a "405 Method Not Allowed" response. I am able to successfully GET the pre-created example.com zone and POST (create) or DELETE my own test zone. It's only PATCH that's not working.

I tried increasing the server log level to 9 (the maximum), and I see my request in the log, but it only shows the request size and the fact that it caused a 405 error, which I already know.

It doesn't seem to matter what content the PATCH request actually contains, what zone I use, or even if the zone exists at all. It seems to just be the PATCH method itself causing the problem. This makes me think that it is a simple configuration problem on the server. Maybe the internal HTTP server component is rejecting PATCH requests by default?

Anyways, here is the request. This is attempting to delete all TXT records on example.com:

10.9.9.64:8081 /servers/localhost/zones/example.com PATCH
{"rrsets":[{"name":"example.com","type":"TXT","changetype":"DELETE","records":[],"comments":[]}]}

Response: 405 Method Not Allowed

Thanks in advance.

From bert.hubert at powerdns.com Tue Feb 3 10:34:42 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Tue, 3 Feb 2015 11:34:42 +0100
Subject: [Pdns-users] PowerDNS Authoritative Server 3.4.2 Released
Message-ID: <20150203103442.GA22731@xs.powerdns.com>

Warning: Version 3.4.2 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade.
Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.

Find the downloads on our download page, https://www.powerdns.com/downloads.html

This is a performance and bugfix update to 3.4.1 and any earlier version. For high traffic setups, including those using DNSSEC, upgrading to 3.4.2 may show tremendous performance increases. Please let us know.

We would like to thank Patrik Wallström of IIS, Kees Monshouwer and Fredrik Eriksson of Loopia for working with us on solving several issues that only became apparent on a 750000 domain (!) DNSSEC installation, the last of which we could eventually trace to memory fragmentation in the secure allocator of our cryptography library.

This bug chase, which lasted for over a month, led to numerous other improvements, like better statistical metrics for plotting (actual CPU usage, uptime, key cache size, signatures/s) and the 'sharding' of our internal caches to better support multi-CPU operations.

A list of changes since 3.4.1 follows. Please see the full clickable changelog at https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-342

Improvements:

* implement CORS for the HTTP API
* qtype is now case insensitive in API and database
* Allow (optional) PIE hardening
* json-api: remove priority from json
* backport remotebackend fixes
* Support Lua 5.3
* support single-type ZSK signing
* Potential fix for ticket #1907, we now try to trigger libgcc_s.so.1 to load before we chroot. I can't reproduce the bug on my local system, but this "should" help.
* update polarssl to 1.3.9

Bug fixes:

* refuse overly long labels in names
* auth: limit long version strings to 63 characters and catch exceptions in secpoll
* pdnssec: fix ttl check for RRSIG records
* fix up latency reporting for sub-millisecond latencies (would clip to 0)
* make sure we don't throw an exception on "pdns_control show" of an unknown variable
* fix startup race condition with carbon thread already trying to broadcast uninitialized data
* make qsize-q more robust
* Kees Monshouwer discovered we count corrupt packets and EAGAIN situations as validly received packets, skewing the udp questions/answers graphs on auth.
* make latency & qsize reporting 'live'. Plus fix that we only reported the qsize of the first distributor.
* fix up statbag for carbon protocol and function pointers
* get priority from table in Lua axfrfilter; fixes ticket #1857
* various backends: fix records pointing at root
* remove additional layer of trailing . stripping, which broke MX records to the root in the BIND backend. Should close ticket #1243.
* api: use uncached results for getKeys()
* read ALLOW-AXFR-FROM from the backend with the metadata

Minor changes:

* move manpages to section 1
* secpoll: Replace ~ with _
* only zones with an active ksk are secure
* api: show keys for zones without active ksk

New features:

* add signatures metric to auth, so we can plot signatures/second
* pdns_control: make it possible to notify all zones at once
* JSON API: provide flush-cache, notify, axfr-receive
* add 'bench-db' to do very simple database backend performance benchmark
* enable callback based metrics to statbags, and add 5 such metrics: uptime, sys-msec, user-msec, key-cache-size, meta-cache-size, signature-cache-size

Performance improvements:

* better key for packetcache
* don't do time(0) under signature cache lock
* shard the packet cache, closing ticket #1910.
* with thanks to Jack Lloyd, this works around the default Botan allocator slowing down for us during production use.

From christian.hofstaedtler at deduktiva.com Tue Feb 3 11:48:34 2015
From: christian.hofstaedtler at deduktiva.com (Christian Hofstaedtler)
Date: Tue, 3 Feb 2015 11:48:34 +0000
Subject: [Pdns-users] 405 Method Not Allowed error returned from zone update HTTP PATCH method against JSON REST API

Hi!

> On 03 Feb 2015, at 00:26, Jordan Rieger wrote:
> I'm writing code to interface with the HTTP JSON REST API of a PowerDNS 3.4.1 authoritative server with a MySQL backend.
[..]
> I tried increasing the server log level to 9 (the maximum), and I see my request in the log, but it only shows the request size and the fact that it caused a 405 error, which I already know.

Indeed, the logging could be more useful.

> It doesn't seem to matter what content the PATCH request actually contains, what zone I use, or even if the zone exists at all. It seems to just be the PATCH method itself causing the problem. This makes me think that it is a simple configuration problem on the server. Maybe the internal HTTP server component is rejecting PATCH requests by default?
>
> Anyways, here is the request. This is attempting to delete all TXT records on example.com:
>
> 10.9.9.64:8081 /servers/localhost/zones/example.com PATCH {"rrsets":[{"name":"example.com","type":"TXT","changetype":"DELETE","records":[],"comments":[]}]}

So, a full `curl` command line or an XHR dump would be useful. From what I can see, if you're able to POST/DELETE zones, PATCH should also work.

Can you try the steps with curl outlined in https://doc.powerdns.com/md/httpapi/README/#try-it , as those exactly create a zone and then PATCH it.
Based on the instructions from the intro sections, I tried your request with curl, and that does seem to work:

curl -X PATCH --data '{"rrsets":[{"name":"example.org","type":"TXT","changetype":"DELETE","records":[],"comments":[]}]}' -H 'X-API-Key: changeme' http://127.0.0.1:8081/servers/localhost/zones/example.org -v

< HTTP/1.1 200 OK
{"id":"example.org.","url":"/servers/localhost/zones/example.org.","name":"example.org","type":"Zone","kind":"Master","dnssec":false,"soa_edit_api":"","soa_edit":"","masters":[],"serial":2002022401,"notified_serial":0,"last_check":0,"records":[{"name":"bill.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.3"},{"name":"example.org","type":"MX","ttl":86400,"disabled":false,"content":"10 mail.another.com"},{"name":"example.org","type":"NS","ttl":86400,"disabled":false,"content":"ns1.example.org"},{"name":"example.org","type":"NS","ttl":86400,"disabled":false,"content":"ns2.smokeyjoe.com"},{"name":"example.org","type":"SOA","ttl":86400,"disabled":false,"content":"ns1.example.org. hostmaster.example.org. 2002022401 10800 15 604800 10800"},{"name":"fred.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.4"},{"name":"ftp.example.org","type":"CNAME","ttl":86400,"disabled":false,"content":"www.example.org"},{"name":"ns1.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.1"},{"name":"test.example.org","type":"A","ttl":86400,"disabled":false,"content":"1.1.1.1"},{"name":"www.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.2"}],"comments":[]}

Best,
--
Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
www.deduktiva.com / +43 1 353 1707

From jordan at webnames.ca Tue Feb 3 19:13:44 2015
From: jordan at webnames.ca (Jordan Rieger)
Date: Tue, 03 Feb 2015 11:13:44 -0800
Subject: [Pdns-users] 405 Method Not Allowed error returned from zone update HTTP PATCH method against JSON REST API

Running the HTTP request in an outside tool, rather than my own code, was the key to debugging it. It looks like the problem was caused by an issue in an HTTP helper method on my end. I thought I was setting the HTTP verb to "PATCH" but my helper method was actually overwriting it with "POST", and that was causing the PowerDNS server, naturally, to reject it.

Thanks for your help, Christian.

-----Original Message-----
From: Christian Hofstaedtler [mailto:christian.hofstaedtler at deduktiva.com]
Sent: Tuesday, February 03, 2015 3:49 AM
To: Jordan Rieger
Cc: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] 405 Method Not Allowed error returned from zone update HTTP PATCH method against JSON REST API

Hi!

> On 03 Feb 2015, at 00:26, Jordan Rieger wrote:
> I'm writing code to interface with the HTTP JSON REST API of a PowerDNS 3.4.1 authoritative server with a MySQL backend.
[..]
> I tried increasing the server log level to 9 (the maximum), and I see my request in the log, but it only shows the request size and the fact that it caused a 405 error, which I already know.
Indeed, the logging could be more useful.

> It doesn't seem to matter what content the PATCH request actually contains, what zone I use, or even if the zone exists at all. It seems to just be the PATCH method itself causing the problem. This makes me think that it is a simple configuration problem on the server. Maybe the internal HTTP server component is rejecting PATCH requests by default?
>
> Anyways, here is the request. This is attempting to delete all TXT records on example.com:
>
> 10.9.9.64:8081 /servers/localhost/zones/example.com PATCH {"rrsets":[{"name":"example.com","type":"TXT","changetype":"DELETE","records":[],"comments":[]}]}

So, a full `curl` command line or an XHR dump would be useful. From what I can see, if you're able to POST/DELETE zones, PATCH should also work.

Can you try the steps with curl outlined in https://doc.powerdns.com/md/httpapi/README/#try-it , as those exactly create a zone and then PATCH it.

Based on the instructions from the intro sections, I tried your request with curl, and that does seem to work:

curl -X PATCH --data '{"rrsets":[{"name":"example.org","type":"TXT","changetype":"DELETE","records":[],"comments":[]}]}' -H 'X-API-Key: changeme' http://127.0.0.1:8081/servers/localhost/zones/example.org -v

< HTTP/1.1 200 OK
{"id":"example.org.","url":"/servers/localhost/zones/example.org.","name":"example.org","type":"Zone","kind":"Master","dnssec":false,"soa_edit_api":"","soa_edit":"","masters":[],"serial":2002022401,"notified_serial":0,"last_check":0,"records":[{"name":"bill.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.3"},{"name":"example.org","type":"MX","ttl":86400,"disabled":false,"content":"10 mail.another.com"},{"name":"example.org","type":"NS","ttl":86400,"disabled":false,"content":"ns1.example.org"},{"name":"example.org","type":"NS","ttl":86400,"disabled":false,"content":"ns2.smokeyjoe.com"},{"name":"example.org","type":"SOA","ttl":86400,"disabled":false,"content":"ns1.example.org. hostmaster.example.org. 2002022401 10800 15 604800 10800"},{"name":"fred.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.4"},{"name":"ftp.example.org","type":"CNAME","ttl":86400,"disabled":false,"content":"www.example.org"},{"name":"ns1.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.1"},{"name":"test.example.org","type":"A","ttl":86400,"disabled":false,"content":"1.1.1.1"},{"name":"www.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.2"}],"comments":[]}

Best,
--
Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
www.deduktiva.com / +43 1 353 1707

From bert.hubert at powerdns.com Wed Feb 4 11:22:04 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Wed, 4 Feb 2015 12:22:04 +0100
Subject: [Pdns-users] Introducing 3.7.0 blogpost + PowerDNS Recursor 3.7.0-RC2 available
Message-ID: <20150204112204.GA1759@xs.powerdns.com>

Hi everybody,

We're pleased to announce the second release candidate for 3.7.0. RC1 has seen a lot of production use already, which uncovered a small number of issues which have been addressed in RC2. We are very grateful for the people that test our RCs, it really helps us deliver very reliable and robust formal releases. Thanks!

More information about 3.7.0 can be found in our blogpost: http://blog.powerdns.com/2015/01/22/an-introduction-to-powerdns-recursor-3-7-0/

3.7.0 offers significant performance improvements when using IPv6 for outgoing queries, which is only on if query-local-address6 is set to something.

Secondly, we spent a lot of time with very large PowerDNS deployments to preemptively improve our resilience against difficult or malicious traffic. To further enhance our resilience, the Lua module has been enhanced with new (bulk & automated) filtering abilities.

This version of the Recursor can also publish live performance graphs & a realtime overview of (attack) traffic per domain name.
A demo of this can be seen on https://xs.powerdns.com/tmp/powerdns-recursor-live.gif . This is an early development, but to try this out, consult https://github.com/ahupowerdns/recuweb

Tar.gz and packages are available on:

* https://downloads.powerdns.com/testing/
* Soon: https://www.monshouwer.eu/download/3rd_party/pdns-recursor/rc2/ (RHEL/CentOS, with the usual huge thanks to Kees Monshouwer).

The changelog with clickable links can also be found on https://doc.powerdns.com/md/changelog/#powerdns-recursor-370

Changes new to RC2 are marked as such.

This version contains a mix of speedups and improvements, the combined effect of which is vastly improved resilience against traffic spikes and malicious query overloads.

Minor changes:

* Removal of dead code here and there 04dc6d618
* Per-qtype response counters are now 64 bit 297bb6acf on 64 bit systems
* Add IPv6 addresses for b and c.root-servers.net hints efc259542
* Add IP address to logging about terminated queries 37aa9904d
* Improve qtype name logging fab3ed345 (Aki Tuomi)
* Redefine 'BAD_NETS' for dont-query based on newer IANA guidance 12cd44ee0 (lochiiconnectivity)
* Add documentation links to systemd unit eb154adfd (Ruben Kerkhof)

Improvements:

* Upgrade embedded PolarSSL to 1.3.9: d330a2ea1
* yahttp upgrade c29097577 c65a57e88 (Aki Tuomi)
* Replace . in hostnames by - for Carbon so as not to confuse Metronome 46541751e
* Manpages got a lot of love and are now built from Markdown (Pieter Lexis)
* Move to PolarSSL base64 488360551 (Kees Monshouwer)
* The quiet=no query logging is now more informative 461df9d20
* We can finally bind to 0.0.0.0 and :: and guarantee answers from the correct source b71b60ee7
* We use per-packet timestamps to drop ancient traffic in case of overload b71b60ee7
* Builtin webserver can be queried with the API key in the URL again c89f8cd02
* Ringbuffers are now available via API c89f8cd02
* Lua 5.3 compatibility 59c6fc3e3 (Kees Monshouwer)
* No longer leave a stale UNIX domain socket around from rec_control if the recursor was down 524e4f4d8, ticket #2061 (RC2)
* Running with 'quiet=no' would strangely actually prevent debug messages from being logged f48d7b657 (RC2)
* Webserver now implements CORS for the API ea89a97e8 (RC2), fixing ticket #1984
* Housekeeping thread would sometimes run multiple times simultaneously, which worked, but was odd cc59bce67 (RC2)
* Tweaked the DoS timeouts somewhat compared to RC1 c59501468 based on feedback (RC2)

New features:

* Lua preoutquery filter 3457a2a0e
* Lua IP-based filter (ipfilter) before parsing packets 4ea949413
* iputils class for Lua, to quickly process IP addresses and netmasks in their native format
* Various new ringbuffers: top-servfail-remotes, top-largeanswer-remotes, top-servfail-queries

Speedups:

* Remove unneeded malloc traffic 93d4a8909 8682c32bc a903b39cf
* Our nameserver-loop detection carried around a lot of baggage for complex domain names, plus did not differentiate IPv4 and IPv6 well enough 891fbf888
* Prioritize new queries over nameserver responses, improving latency under query bursts bf3b0cec3
* Remove escaping in case there was nothing to escape 83b746fd1
* Our logging infrastructure had a lot of locking d1449e4d0
* Reduce logging level of certain common messages, which locked up synchronously logging systems 854d44e31
* Add limit on total wall-clock time spent on a query 9de3e0340
* Packet cache is now case-insensitive, which increases hitrate 90974597a

Security relevant:

* Check for PIE, RELRO and stack protector during configure 8d0354b18 (Aki Tuomi)
* Testing for support of PIE etc was improved in b2053c28c and beyond, fixes #2125 (Ruben Kerkhof)
* Max query-per-query limit (max-qperq) is now configurable 173d790ea

Bugs fixed:

* IPv6 outgoing queries had a disproportionate effect on our query load. Fixed in 76f190f2a and beyond.
* rec_control gave incorrect output on a timeout 12997e9d8
* When using the webserver AND having an error in the Lua script, recursor could crash during startup 62f0ae629
* Hugely long version strings would trip up security polling 18b733382 (Kees Monshouwer)
* The 'remotes' ringbuffer was sized incorrectly f8f243b01 (RC2)
* Cache sizes had an off-by-one scaling problem, with the wrong number of entries allocated per thread f8f243b01 (RC2)
* Our automatic file descriptor limit raising was attempted after setuid, which made it a lot less effective. Found and fixed by Aki Tuomi a6414fdce (RC2)
* Timestamps used for dropping packets were occasionally wrong 183eb8774 and 4c4765c10 (RC2) with thanks to Winfried for debugging.
* In RC1, our new DoS protection measures would crash the Recursor if too many root servers were unreachable. 6a6fb05ad. Debugging and testing by Fusl.

Various other documentation changes by Christian Hofstaedtler and Ruben Kerkhof. Lots of improvements all over the place by Kees Monshouwer.
From james+pdns at atlanticmetro.net Wed Feb 4 12:10:50 2015
From: james+pdns at atlanticmetro.net (James Cornman)
Date: Wed, 4 Feb 2015 07:10:50 -0500
Subject: [Pdns-users] NS delegation problems

Hello,

I tried to search for the topic, however I'm not sure of the proper phrasing and thus didn't end up with clear findings.

I have several servers running PowerDNS: some authoritative only, on version 3.3, and some on the latest as downloadable from the website, 3.4.2 (auth) and 3.6.2 (recursor). Across all of them, I'm not able to get NS records to external DNS servers to function. We're using the gmysql backend across the board. We've been doing authoritative on this group of systems for a while, but have a legacy cluster of BIND servers that we're now trying to consolidate to pdns, and this problem has been a brick wall.

Our most common use case is delegating reverse DNS. There are records for 100.94.145.204.in-addr.arpa with type NS and content of ns1.customer.com, however querying that yields no result. Previously in BIND, it works out of the box, but I can't find the magic options to let this work in PowerDNS.

Some examples are listed below, but here are some facts.

- There is an SOA record for the zone 94.145.204.in-addr.arpa
- There are NS records for the zone 94.145.204.in-addr.arpa
- There is an NS record for 100.94.145.204.in-addr.arpa
- The NS server in the content field is not hosted by our DNS servers.
- I've tried toggling the out-of-zone-additional-processing, send-root-referral fields
- Same behavior on auth only servers vs auth + recursor servers
- Have tried setting up a zone with SOA/NS records, and A record for the customer's DNS server

PDNS: Not working. No answer returned.
[james at eng:~] % dig @10.250.50.237 100.94.145.204.in-addr.arpa ptr

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @10.250.50.237 100.94.145.204.in-addr.arpa ptr
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40501
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;100.94.145.204.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
100.94.145.204.in-addr.arpa. 3600 IN NS ns17.bitronictech.net.

;; Query time: 3 msec
;; SERVER: 10.250.50.237#53(10.250.50.237)
;; WHEN: Tue Feb 3 15:48:47 2015
;; MSG SIZE rcvd: 80

Querying from the same server direct to the customer's DNS server works fine:

[james at eng:~] % dig @ns17.bitronictech.net 100.94.145.204.in-addr.arpa ptr

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @ns17.bitronictech.net 100.94.145.204.in-addr.arpa ptr
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29030
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;100.94.145.204.in-addr.arpa. IN PTR

;; ANSWER SECTION:
100.94.145.204.in-addr.arpa. 7200 IN PTR lopfar.net.

;; Query time: 2 msec
;; SERVER: 204.145.94.184#53(204.145.94.184)
;; WHEN: Tue Feb 3 15:56:34 2015
;; MSG SIZE rcvd: 69

BIND. Works fine.

[james at eng:~] % dig @208.78.27.4 100.94.145.204.in-addr.arpa ptr

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @208.78.27.4 100.94.145.204.in-addr.arpa ptr
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2875
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;100.94.145.204.in-addr.arpa. IN PTR

;; ANSWER SECTION:
100.94.145.204.in-addr.arpa. 7200 IN PTR lopfar.net.

;; AUTHORITY SECTION:
100.94.145.204.in-addr.arpa. 3600 IN NS ns17.bitronictech.net.

;; ADDITIONAL SECTION:
ns17.bitronictech.net. 5046 IN A 204.145.94.184

;; Query time: 3 msec
;; SERVER: 208.78.27.4#53(208.78.27.4)
;; WHEN: Tue Feb 3 15:48:

Any thoughts or leads are appreciated.

Thank you

From zaphodb at zaphods.net Wed Feb 4 12:41:42 2015
From: zaphodb at zaphods.net (Stefan Schmidt)
Date: Wed, 04 Feb 2015 13:41:42 +0100
Subject: [Pdns-users] NS delegation problems
In-Reply-To: References: Message-ID:

On 2015-02-04 13:10, James Cornman wrote:
> Hello,

Hi James,

> - There is an SOA record for the zone 94.145.204.in-addr.arpa
> - There are NS records for the zone 94.145.204.in-addr.arpa
> - There is an NS record for 100.94.145.204.in-addr.arpa
> - The NS server in the content field is not hosted by our DNS servers.
> - I've tried toggling the out-of-zone-additional-processing, send-root-referral fields
> - Same behavior on auth only servers vs auth + recursor servers
> - Have tried setting up a zone with SOA/NS records, and A record for the customer's DNS server,
> PDNS: Not working. No answer returned.

Below it seems that it answers just fine though.

> [james at eng:~] % dig @10.250.50.237 100.94.145.204.in-addr.arpa ptr
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @10.250.50.237 100.94.145.204.in-addr.arpa ptr
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40501
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;100.94.145.204.in-addr.arpa. IN PTR
>
> ;; AUTHORITY SECTION:
> 100.94.145.204.in-addr.arpa. 3600 IN NS ns17.bitronictech.net.
>
> ;; Query time: 3 msec
> ;; SERVER: 10.250.50.237#53(10.250.50.237)
> ;; WHEN: Tue Feb 3 15:48:47 2015
> ;; MSG SIZE rcvd: 80

This does not seem wrong.

> BIND. Works fine.
>
> [james at eng:~] % dig @208.78.27.4 100.94.145.204.in-addr.arpa ptr
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @208.78.27.4 100.94.145.204.in-addr.arpa ptr
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2875
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;100.94.145.204.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 100.94.145.204.in-addr.arpa. 7200 IN PTR lopfar.net.
>
> ;; AUTHORITY SECTION:
> 100.94.145.204.in-addr.arpa. 3600 IN NS ns17.bitronictech.net.
>
> ;; ADDITIONAL SECTION:
> ns17.bitronictech.net. 5046 IN A 204.145.94.184
>
> ;; Query time: 3 msec
> ;; SERVER: 208.78.27.4#53(208.78.27.4)
> ;; WHEN: Tue Feb 3 15:48:

Here you ask with the "rd" aka recursion desired flag and it appears that your BIND Server is indeed configured to recurse for you and go ask ns17.bitronictech.net about the PTR for 100.94.145.204.in-addr.arpa. This is how recursive DNS works, however it is not how authoritative DNS works. BIND just happens to do both at the same time.

Did you try setting up a recursive nameserver to ask your PowerDNS auth Server at 10.250.50.237 for 94.145.204.in-addr.arpa and then query it for the PTR of 100.94.145.204.in-addr.arpa?

best regards,
Stefan

From james+pdns at atlanticmetro.net Wed Feb 4 13:00:09 2015
From: james+pdns at atlanticmetro.net (James Cornman)
Date: Wed, 4 Feb 2015 08:00:09 -0500
Subject: [Pdns-users] NS delegation problems
In-Reply-To: References: Message-ID:

Hello, thanks for your response.

On Wed, Feb 4, 2015 at 7:41 AM, Stefan Schmidt wrote:
>
> Below it seems that it answers just fine though.
>
>> [james at eng:~] % dig @10.250.50.237 100.94.145.204.in-addr.arpa ptr
>>
>> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @10.250.50.237
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;100.94.145.204.in-addr.arpa. IN PTR
>>
>> ;; AUTHORITY SECTION:
>> 100.94.145.204.in-addr.arpa. 3600 IN NS ns17.bitronictech.net.
>>

It indeed returns with the authoritative answer, but I believe my expectation was that since recursion is desired, and there is a pdns-recursor available, that it would do the deed. Mainly that dig or nslookup off of the pdns-authoritative server, with recursion enabled, would end up with an actual PTR answer. You mention that BIND just happens to do both at the same time. Is that something that PDNS can't do, or something I'm doing wrong, or in general a false perception of what is right?

> Here you ask with the "rd" aka recursion desired flag and it appears that your BIND Server is indeed configured to recurse for you and go ask ns17.bitronictech.net about the PTR for 100.94.145.204.in-addr.arpa. This is how recursive DNS works, however it is not how authoritative DNS works. BIND just happens to do both at the same time.
>

Querying the pdns-recursor directly does return the proper result, however ARIN isn't set to point to this pool of pdns servers and thus this recursion is likely interacting with BIND which is still authoritative for the reverse in-addr.arpa zone... none of which helps my troubleshooting

[root at lga1dns1 amc]# dig -p 5300 ptr 100.94.145.204.in-addr.arpa @127.0.0.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> -p 5300 ptr 100.94.145.204.in-addr.arpa @127.0.0.1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;100.94.145.204.in-addr.arpa. IN PTR

;; ANSWER SECTION:
100.94.145.204.in-addr.arpa. 7200 IN PTR lopfar.net.

Thanks
-James
From zaphodb at zaphods.net Wed Feb 4 13:57:13 2015
From: zaphodb at zaphods.net (Stefan Schmidt)
Date: Wed, 04 Feb 2015 14:57:13 +0100
Subject: [Pdns-users] NS delegation problems
In-Reply-To: References: Message-ID:

On 2015-02-04 14:00, James Cornman wrote:
>>> [james at eng:~] % dig @10.250.50.237 100.94.145.204.in-addr.arpa ptr
>>>
>>> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @10.250.50.237
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;100.94.145.204.in-addr.arpa. IN PTR
>>>
>>> ;; AUTHORITY SECTION:
>>> 100.94.145.204.in-addr.arpa. 3600 IN NS ns17.bitronictech.net.
>>>
>
> It indeed returns with the authoritative answer, but I believe my expectation was that since recursion is desired, and there is a pdns-recursor available, that it would do the deed. Mainly that dig or nslookup off of the pdns-authoritative server, with recursion enabled, would end up with an actual PTR answer. You mention that BIND just happens to do both at the same time. Is that something that PDNS can't do, or something I'm doing wrong, or in general a false perception of what is right?

For recursion to become available on the authoritative Server (i.e. pdns-server) the config variables
https://doc.powerdns.com/md/authoritative/settings/#recursor
and
https://doc.powerdns.com/md/authoritative/settings/#allow-recursion
will have to be set accordingly.
However it is discouraged to do recursion with the auth Server because it leads to exactly the kind of confusion you ran into.
Also http://cr.yp.to/djbdns/separation.html lists some good reasons for keeping those two services separated from each other.
BIND9 also changed its default behaviour in that regard.
( https://kb.isc.org/article/AA-00269/0/What-has-changed-in-the-behavior-of-allow-recursion-and-allow-query-cache.html )

>> Here you ask with the "rd" aka recursion desired flag and it appears that your BIND Server is indeed configured to recurse for you and go ask ns17.bitronictech.net about the PTR for 100.94.145.204.in-addr.arpa. This is how recursive DNS works, however it is not how authoritative DNS works. BIND just happens to do both at the same time.
>>
> Querying the pdns-recursor directly does return the proper result, however ARIN isn't set to point to this pool of pdns servers and thus this recursion is likely interacting with BIND which is still authoritative for the reverse in-addr.arpa zone... none of which helps my troubleshooting

Correct, if the ARIN nameservers are still pointing to the IPs of your BIND9 setup then there is no easy way to test if your new setup works with recursive nameservers.
As I said already you could tell your recursive Server to ask the IP of your PowerDNS auth setup directly, thus bypassing the ARIN delegation.
In PowerDNS recursor you could do that with the https://doc.powerdns.com/md/recursor/settings/#forward-zones-recurse option.
For example put

forward-zones-recurse=94.145.204.in-addr.arpa=10.250.50.237

in your recursor.conf.

Stefan

From james+pdns at atlanticmetro.net Wed Feb 4 14:25:30 2015
From: james+pdns at atlanticmetro.net (James Cornman)
Date: Wed, 4 Feb 2015 09:25:30 -0500
Subject: [Pdns-users] NS delegation problems
In-Reply-To: References: Message-ID:

I set the forward-zones-recurse option and it seems to be working correctly. It makes me question if the understanding of the query flow is just all wrong. I will pursue separating authoritative and recursive since this isn't working as expected. I guess I'm curious why the recursor options are even present if this functionality doesn't work for any zones that are authoritative.
All other recursion is working with exception to zones we're authoritative of that need additional recursion. I'll review the materials you suggested to get some more insight though it seems to stand that some additional clarification might be necessary for the pdns documentation :)

I appreciate the help. Thank you.

On Wed, Feb 4, 2015 at 8:57 AM, Stefan Schmidt wrote:
> On 2015-02-04 14:00, James Cornman wrote:
>
>>>> [james at eng:~] % dig @10.250.50.237 100.94.145.204.in-addr.arpa ptr
>>>>
>>>> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @10.250.50.237
>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>>>
>>>> ;; QUESTION SECTION:
>>>> ;100.94.145.204.in-addr.arpa. IN PTR
>>>>
>>>> ;; AUTHORITY SECTION:
>>>> 100.94.145.204.in-addr.arpa. 3600 IN NS ns17.bitronictech.net.
>>>>
>>
>> It indeed returns with the authoritative answer, but I believe my expectation was that since recursion is desired, and there is a pdns-recursor available, that it would do the deed. Mainly that dig or nslookup off of the pdns-authoritative server, with recursion enabled, would end up with an actual PTR answer. You mention that BIND just happens to do both at the same time. Is that something that PDNS can't do, or something I'm doing wrong, or in general a false perception of what is right?
>>
>
> For recursion to become available on the authoritative Server (i.e. pdns-server) the config variables
> https://doc.powerdns.com/md/authoritative/settings/#recursor
> and
> https://doc.powerdns.com/md/authoritative/settings/#allow-recursion
> will have to be set accordingly.
> However it is discouraged to do recursion with the auth Server because it leads to exactly the kind of confusion you ran into.
> Also http://cr.yp.to/djbdns/separation.html lists some good reasons for keeping those two services separated from each other.
> BIND9 also changed its default behaviour in that regard.
> ( https://kb.isc.org/article/AA-00269/0/What-has-changed-in-the-behavior-of-allow-recursion-and-allow-query-cache.html )
>
>>> Here you ask with the "rd" aka recursion desired flag and it appears that your BIND Server is indeed configured to recurse for you and go ask ns17.bitronictech.net about the PTR for 100.94.145.204.in-addr.arpa. This is how recursive DNS works, however it is not how authoritative DNS works. BIND just happens to do both at the same time.
>>>
>> Querying the pdns-recursor directly does return the proper result, however ARIN isn't set to point to this pool of pdns servers and thus this recursion is likely interacting with BIND which is still authoritative for the reverse in-addr.arpa zone... none of which helps my troubleshooting
>>
>
> Correct, if the ARIN nameservers are still pointing to the IPs of your BIND9 setup then there is no easy way to test if your new setup works with recursive nameservers.
> As I said already you could tell your recursive Server to ask the IP of your PowerDNS auth setup directly, thus bypassing the ARIN delegation.
> In PowerDNS recursor you could do that with the https://doc.powerdns.com/md/recursor/settings/#forward-zones-recurse option.
> For example put
> forward-zones-recurse=94.145.204.in-addr.arpa=10.250.50.237
> in your recursor.conf.
>
> Stefan
>
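The three dig captures in this thread show the distinction Stefan draws: the PowerDNS auth server returns a referral (ANSWER 0, an NS record in AUTHORITY) because it does not host the delegated name, the customer's server answers with the aa flag, and the legacy BIND server answers on the client's behalf (ra set, aa not set), which is what made the two look different. The script below is an added example, not code from the thread or from PowerDNS; it parses the captures as posted (trimmed to the relevant lines) and labels each one, so the same check can be run over any dig output when the auth/recursor split is suspected.

```python
"""Classify dig responses as referral, authoritative or recursive answer.

Added example: the captures below are the ones James posted, trimmed to
the header and record lines that matter for classification.
"""
import re

# PowerDNS auth at 10.250.50.237: no answer, delegation in AUTHORITY.
PDNS_AUTH = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40501
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;100.94.145.204.in-addr.arpa.   IN      PTR

;; AUTHORITY SECTION:
100.94.145.204.in-addr.arpa. 3600 IN    NS      ns17.bitronictech.net.
"""

# The customer's server ns17.bitronictech.net: authoritative (aa) answer.
CUSTOMER_NS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29030
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;100.94.145.204.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
100.94.145.204.in-addr.arpa. 7200 IN    PTR     lopfar.net.
"""

# Legacy BIND at 208.78.27.4: it recursed for the client (ra, no aa).
BIND_RECURSING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2875
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;100.94.145.204.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
100.94.145.204.in-addr.arpa. 7200 IN    PTR     lopfar.net.

;; AUTHORITY SECTION:
100.94.145.204.in-addr.arpa. 3600 IN    NS      ns17.bitronictech.net.

;; ADDITIONAL SECTION:
ns17.bitronictech.net.  5046    IN      A       204.145.94.184
"""

FLAGS_RE = re.compile(r";; flags: ([a-z ]*); (.*)")
QUESTION_RE = re.compile(r";(\S+)\s+IN\s+\S+$")


def parse_dig(text):
    """Return header flags, section counts, question name and RRs per section."""
    resp = {"flags": set(), "counts": {}, "qname": None,
            "answer": [], "authority": [], "additional": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FLAGS_RE.match(line)
        if m:
            resp["flags"] = set(m.group(1).split())
            for part in m.group(2).split(","):
                key, val = part.strip().split(": ")
                resp["counts"][key] = int(val)
            continue
        q = QUESTION_RE.match(line)
        if q:
            resp["qname"] = q.group(1).lower()
            continue
        if line.startswith(";; ANSWER SECTION:"):
            section = "answer"
        elif line.startswith(";; AUTHORITY SECTION:"):
            section = "authority"
        elif line.startswith(";; ADDITIONAL SECTION:"):
            section = "additional"
        elif line.startswith(";") or not line:
            section = None  # any other comment or blank line ends a section
        elif section:
            owner, _ttl, _cls, rtype, *rdata = line.split()
            resp[section].append((owner.lower(), rtype, " ".join(rdata)))
    return resp


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def classify(resp):
    """'authoritative answer' (aa), 'recursive answer' (answer without aa),
    'referral to <ns>' (no answer, NS for a zone containing the question
    name) or 'negative answer'. A stub client such as dig cannot follow a
    referral; only a recursor can, which is the point of the thread."""
    if resp["answer"]:
        return "authoritative answer" if "aa" in resp["flags"] else "recursive answer"
    delegation = [rdata for owner, rtype, rdata in resp["authority"]
                  if rtype == "NS" and in_zone(resp["qname"], owner)]
    if delegation:
        return "referral to " + ", ".join(sorted(delegation))
    return "negative answer"


def classify_all():
    """Label the three captures from the thread."""
    return {name: classify(parse_dig(text)) for name, text in
            [("pdns-auth", PDNS_AUTH), ("customer-ns", CUSTOMER_NS),
             ("bind", BIND_RECURSING)]}
```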
From peter.van.dijk at powerdns.com Thu Feb 5 13:59:43 2015
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Thu, 5 Feb 2015 14:59:43 +0100
Subject: [Pdns-users] rectify-zone on non DNSSEC domains
In-Reply-To: <54CB0100.2040901@aventer.net>
References: <54C9D705.2060504@aventer.net> <55A633E4-1EE9-4C60-9337-43E741A21346@powerdns.com> <54CB0100.2040901@aventer.net>
Message-ID: <6E196F9D-FB89-4871-9BA5-8B0484CB889B@powerdns.com>

Hello Martin,

On 30 Jan 2015, at 4:56 , Martin Chandler wrote:
>> On 29 Jan 2015, at 7:45 , Martin Chandler wrote:
>>
>>> I am running a PowerDNS hidden master behind BIND dns servers serving to the public.
>>>
>>> We have a mix of DNSSEC secure zones, and non-secure zones.
>>>
>>> My question is do I have to 'rectify-zone' on the non-secure zones? (does Powerdns still need the auth and ordername for non-secure zones?)
>>
>> On non-secure zones, ordername is ignored, but auth is not. However, if you just set auth=1 on all records, you get the ‘old’ behaviour, which has been demonstrated to work just fine in practice. If you use the 3.4.0+ SQL schema, you get auth=1 by default.
>
> Just curious, as a hidden master that only sends zone transfers to the front end BIND servers, what will I lose with the 'old' behaviour?

If you only serve AXFR, there is no difference between ‘old’ and ‘new’ behaviour. In fact, PowerDNS will auto-rectify during outgoing AXFR for you in this case, as long as you make sure SOA queries (that the slave might do to check freshness) don’t fail.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From steven.spencer at kdsi.com Thu Feb 5 19:04:46 2015
From: steven.spencer at kdsi.com (Steven Spencer)
Date: Thu, 05 Feb 2015 13:04:46 -0600
Subject: [Pdns-users] Forklift upgrade from 2.9.22 to 3.3.1-1 : what is launch=bind?
Message-ID: <54D3BECE.7030504@kdsi.com>

We are very close to launching 3.3.1-1 and I have a quick question:

At the top of the pdns.conf file, third line down, there is:

launch=bind

Is this required if you are using the gmysql back-end? If so, is bind then required to be installed?

Install is on CentOS 6.6

Thanks,
--
Steven G. Spencer, Network Administrator

From aj.mckee at druid-dns.com Thu Feb 5 20:06:24 2015
From: aj.mckee at druid-dns.com (AJ McKee)
Date: Thu, 5 Feb 2015 20:06:24 +0000
Subject: [Pdns-users] Forklift upgrade from 2.9.22 to 3.3.1-1 : what is launch=bind?
In-Reply-To: <54D3BECE.7030504@kdsi.com>
References: <54D3BECE.7030504@kdsi.com>
Message-ID:

Hi Stephen,

That is used for launching the bind backends. Not required if you are using MySQL; bind is not required.

Comment out the line and ensure you have the MySQL backend launched instead (gmysql)

AJ

On 5 February 2015 at 19:04, Steven Spencer wrote:
> We are very close to launching 3.3.1-1 and I have a quick question:
>
> At the top of the pdns.conf file, third line down, there is:
>
> launch=bind
>
> Is this required if you are using the gmysql back-end? If so, is bind then required to be installed?
>
> Install is on CentOS 6.6
>
> Thanks,
>
> --
> Steven G. Spencer, Network Administrator
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users

--
AJ McKee
phone: +353 83 1130 545
profile: http://linkedin.com/in/ajmkee
jid: aj.mckee at druid-dns.com
blog: http://aj.mc-kee.com/
twitter: @ajmckee

From steven.spencer at kdsi.com Thu Feb 5 20:30:16 2015
From: steven.spencer at kdsi.com (Steven Spencer)
Date: Thu, 05 Feb 2015 14:30:16 -0600
Subject: [Pdns-users] Forklift upgrade from 2.9.22 to 3.3.1-1 : what is launch=bind?
In-Reply-To:
References: <54D3BECE.7030504@kdsi.com>
Message-ID: <54D3D2D8.2070803@kdsi.com>

Perfect! Thanks!

On 02/05/2015 02:06 PM, AJ McKee wrote:
> Hi Stephen,
>
> That is used for launching the bind backends. Not required if you are using MySQL; bind is not required.
>
> Comment out the line and ensure you have the MySQL backend launched instead (gmysql)
>
> AJ
>
> On 5 February 2015 at 19:04, Steven Spencer wrote:
>
>> We are very close to launching 3.3.1-1 and I have a quick question:
>>
>> At the top of the pdns.conf file, third line down, there is:
>>
>> launch=bind
>>
>> Is this required if you are using the gmysql back-end? If so, is bind then required to be installed?
>>
>> Install is on CentOS 6.6
>>
>> Thanks,

--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010

From peter.van.dijk at powerdns.com Thu Feb 5 21:45:02 2015
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Thu, 5 Feb 2015 22:45:02 +0100
Subject: [Pdns-users] Axfr notification not success from super master
In-Reply-To: <23978138-B4C4-4759-89BD-15EC1E5FA280@hospedajeydominios.com>
References: <23978138-B4C4-4759-89BD-15EC1E5FA280@hospedajeydominios.com>
Message-ID:

Hello Carlos,

On 01 Feb 2015, at 19:47 , Carlos HyD wrote:
> Hi, we use pdns 2.9 neither as master or slave, just imports zones from binds acting like supermasters and then replicate db in mysql to ns2,ns3…

If the binds are supermasters to it, the pdns is a slave.

> I’m testing this just sending notifications also to the test 3.4 machine from the same named.conf and same 2.9 that is importing the zones fine. We do not use dnssec.
> Supermaster table is the same on new version, so I really have no clue why is no longer working as expected.
> I can enable slave on conf and zones are imported, but just curious about.
Yes, you need to enable slave in the config. If your 2.9 worked without this, this was a bug :)

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From peter.van.dijk at powerdns.com Fri Feb 6 06:47:19 2015
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Fri, 6 Feb 2015 07:47:19 +0100
Subject: [Pdns-users] iputils not available, but LUA support is.
In-Reply-To: <7f3598b62af34ac49d134ed4b18eeff3@falken.creativemicrosolutions.com>
References: <1421691450991-11195.post@n7.nabble.com> <20150119185353.GA4626@xs.powerdns.com> <7f3598b62af34ac49d134ed4b18eeff3@falken.creativemicrosolutions.com>
Message-ID:

Hello Doug,

On 20 Jan 2015, at 0:07 , Doug Preston wrote:
> I don’t see any mention in the docs yet about lua script threads sharing state, is that possible?

Right now there is indeed one Lua state per thread, with no sharing of data (for performance reasons the threads are as independent as possible). It might help if you could explain what you’re trying to accomplish with state sharing? We can think of a few things but real world issues are best!

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From zane.thomas at gmail.com Fri Feb 6 20:03:06 2015
From: zane.thomas at gmail.com (Zane Thomas)
Date: Fri, 06 Feb 2015 12:03:06 -0800
Subject: [Pdns-users] We need your help getting back powerdns.org
In-Reply-To: <20150121111503.GA12999@xs.powerdns.com>
References: <20150121111503.GA12999@xs.powerdns.com>
Message-ID: <54D51DFA.4050601@gmail.com>

Bert,

> could you please reach out to us or them, so we can start using powerdns.org

Linkedin tells me I know someone who knows the VP of Engineering at Archeo. I will reach out to her and see if she can help.
Zane

From carlos at hospedajeydominios.com Sat Feb 7 10:32:16 2015
From: carlos at hospedajeydominios.com (Carlos HyD)
Date: Sat, 7 Feb 2015 11:32:16 +0100
Subject: [Pdns-users] Axfr notification not success from super master
In-Reply-To:
References: <23978138-B4C4-4759-89BD-15EC1E5FA280@hospedajeydominios.com>
Message-ID: <4496A59E-76C3-46A6-B1F9-857EF99D9D71@hospedajeydominios.com>

Hi Bert and Peter, thanks for your answer, yes, it does.

Regards
Carlos Luna

> On 1/2/2015, at 21:13, bert hubert wrote:
>
> Hi Carlos,
>
> If 2.9 accepted notifications without ‘slave’ in the configuration, that was a bug. So in 3.4 you should set ‘slave’ if you want to process notifications.
>
> I’m not entirely sure if this answers your question. 2.9 was a *very* long time ago.
>
> Bert
>
> On 01 Feb 2015, at 19:47, Carlos HyD wrote:
>
>> Hi, we use pdns 2.9 neither as master or slave, just imports zones from binds acting like supermasters and then replicate db in mysql to ns2,ns3...
>>
>> I build a new system to test 3.4 version and see now this config no longer works with error:
>>
>> Received NOTIFY for XXXXx from XXXX but slave support is disabled in the configuration
>>
>> In doc I see this:
>>
>> However, a notification from a supermaster carries more persuasion. When PDNS determines that a notification comes from a supermaster and it is bonafide, PDNS can provision the domain automatically, and configure itself as a slave for that zone.
>> Before a supermaster notification succeeds, the following conditions must be met:
>>
>> • The supermaster must carry a SOA record for the notified domain
>>
>> • The supermaster IP must be present in the 'supermaster' table
>>
>> • The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table
>>
>>
>> I’m testing this just sending notifications also to the test 3.4 machine from the same named.conf and same 2.9 that is importing the zones fine. We do not use dnssec.
>> Supermaster table is the same on new version, so I really have no clue why is no longer working as expected.
>> I can enable slave on conf and zones are imported, but just curious about.
>>
>> Regards
>> Carlos Luna
>

From carlos at hospedajeydominios.com Sat Feb 7 10:32:40 2015
From: carlos at hospedajeydominios.com (Carlos HyD)
Date: Sat, 7 Feb 2015 11:32:40 +0100
Subject: [Pdns-users] Axfr notification not success from super master
In-Reply-To:
References: <23978138-B4C4-4759-89BD-15EC1E5FA280@hospedajeydominios.com>
Message-ID:

Hi Bert, thanks for your answer, yes, it does.

Regards
Carlos Luna

> On 1/2/2015, at 21:13, bert hubert wrote:
>
> Hi Carlos,
>
> If 2.9 accepted notifications without ‘slave’ in the configuration, that was a bug. So in 3.4 you should set ‘slave’ if you want to process notifications.
>
> I’m not entirely sure if this answers your question. 2.9 was a *very* long time ago.
>
> Bert
>
> On 01 Feb 2015, at 19:47, Carlos HyD wrote:
>
>> Hi, we use pdns 2.9 neither as master or slave, just imports zones from binds acting like supermasters and then replicate db in mysql to ns2,ns3...
>>
>> I build a new system to test 3.4 version and see now this config no longer works with error:
>>
>> Received NOTIFY for XXXXx from XXXX but slave support is disabled in the configuration
>>
>> In doc I see this:
>>
>> However, a notification from a supermaster carries more persuasion. When PDNS determines that a notification comes from a supermaster and it is bonafide, PDNS can provision the domain automatically, and configure itself as a slave for that zone.
>> Before a supermaster notification succeeds, the following conditions must be met:
>>
>> • The supermaster must carry a SOA record for the notified domain
>>
>> • The supermaster IP must be present in the 'supermaster' table
>>
>> • The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table
>>
>>
>> I’m testing this just sending notifications also to the test 3.4 machine from the same named.conf and same 2.9 that is importing the zones fine. We do not use dnssec.
>> Supermaster table is the same on new version, so I really have no clue why is no longer working as expected.
>> I can enable slave on conf and zones are imported, but just curious about.
>>
>> Regards
>> Carlos Luna
>

From mchandler at aventer.net Sat Feb 7 11:39:19 2015
From: mchandler at aventer.net (Martin Chandler)
Date: Sat, 07 Feb 2015 20:39:19 +0900
Subject: [Pdns-users] rectify-zone on non DNSSEC domains
In-Reply-To: <6E196F9D-FB89-4871-9BA5-8B0484CB889B@powerdns.com>
References: <54C9D705.2060504@aventer.net> <55A633E4-1EE9-4C60-9337-43E741A21346@powerdns.com> <54CB0100.2040901@aventer.net> <6E196F9D-FB89-4871-9BA5-8B0484CB889B@powerdns.com>
Message-ID: <54D5F967.6050102@aventer.net>

Hello Peter,

On 2015/02/05 22:59, Peter van Dijk wrote:
> Hello Martin,
>
> On 30 Jan 2015, at 4:56 , Martin Chandler wrote:
>
>>> On 29 Jan 2015, at 7:45 , Martin Chandler wrote:
>>>
>>>> I am running a PowerDNS hidden master behind BIND dns servers serving to the public.
>>>>
>>>> We have a mix of DNSSEC secure zones, and non-secure zones.
>>>>
>>>> My question is do I have to 'rectify-zone' on the non-secure zones? (does Powerdns still need the auth and ordername for non-secure zones?)
>>>
>>> On non-secure zones, ordername is ignored, but auth is not. However, if you just set auth=1 on all records, you get the ‘old’ behaviour, which has been demonstrated to work just fine in practice. If you use the 3.4.0+ SQL schema, you get auth=1 by default.
>>
>> Just curious, as a hidden master that only sends zone transfers to the front end BIND servers, what will I lose with the 'old' behaviour?
>
> If you only serve AXFR, there is no difference between ‘old’ and ‘new’ behaviour. In fact, PowerDNS will auto-rectify during outgoing AXFR for you in this case, as long as you make sure SOA queries (that the slave might do to check freshness) don’t fail.
>

Thank you very much for the clarification.
Regards,
Martin
--
Cellular phone : 090-7849-6808
e-mail: mchandler at aventer.net
URL : http://www.aventer.net/

From zozo at z0z0.tk Tue Feb 10 20:26:25 2015
From: zozo at z0z0.tk (Keresztes Péter-Zoltán)
Date: Tue, 10 Feb 2015 22:26:25 +0200
Subject: [Pdns-users] hiding version
Message-ID: <909790BF-1CE2-4BF7-90F8-498CD6CB684C@z0z0.tk>

Hello,

Is there a way to hide the powerdns version from public?

Peter

From james+pdns at atlanticmetro.net Tue Feb 10 20:30:43 2015
From: james+pdns at atlanticmetro.net (James Cornman)
Date: Tue, 10 Feb 2015 15:30:43 -0500
Subject: [Pdns-users] hiding version
In-Reply-To: <909790BF-1CE2-4BF7-90F8-498CD6CB684C@z0z0.tk>
References: <909790BF-1CE2-4BF7-90F8-498CD6CB684C@z0z0.tk>
Message-ID:

Hello:

For authoritative:

# version-string PowerDNS version in packets - full, anonymous, powerdns or custom
#
version-string=anonymous

For recursor:

I don't know if it has the same keywords (full, powerdns, etc), but you could do

# version-string string reported on version.pdns or version.bind
#
version-string=anonymous

On Tue, Feb 10, 2015 at 3:26 PM, Keresztes Péter-Zoltán wrote:
> Hello,
>
> Is there a way to hide the powerdns version from public?
>
> Peter
>

From cmouse at youzen.ext.b2.fi Tue Feb 10 20:33:52 2015
From: cmouse at youzen.ext.b2.fi (Aki Tuomi)
Date: Tue, 10 Feb 2015 22:33:52 +0200
Subject: [Pdns-users] hiding version
In-Reply-To:
References: <909790BF-1CE2-4BF7-90F8-498CD6CB684C@z0z0.tk>
Message-ID: <20150210203352.GA18201@pi.ip.fi>

It has the same semantics, you can use 'custom' as in, put in whatever you want.
Aki

On Tue, Feb 10, 2015 at 03:30:43PM -0500, James Cornman wrote:
> Hello:
>
> For authoritative:
>
> # version-string PowerDNS version in packets - full, anonymous, powerdns or custom
> #
> version-string=anonymous
>
>
> For recursor:
>
> I don't know if it has the same keywords (full, powerdns, etc), but you could do
>
> # version-string string reported on version.pdns or version.bind
> #
> version-string=anonymous
>
> On Tue, Feb 10, 2015 at 3:26 PM, Keresztes Péter-Zoltán wrote:
>
>> Hello,
>>
>> Is there a way to hide the powerdns version from public?
>>
>> Peter
>>

From zozo at z0z0.tk Tue Feb 10 20:46:21 2015
From: zozo at z0z0.tk (Keresztes Péter-Zoltán)
Date: Tue, 10 Feb 2015 22:46:21 +0200
Subject: [Pdns-users] hiding version
In-Reply-To: <20150210203352.GA18201@pi.ip.fi>
References: <909790BF-1CE2-4BF7-90F8-498CD6CB684C@z0z0.tk> <20150210203352.GA18201@pi.ip.fi>
Message-ID: <24CFB000-042F-4B19-A093-71E02BA49B6F@z0z0.tk>

Thanks for your quick help. anonymous as version would do it for now.

> On Feb 10, 2015, at 10:33 PM, Aki Tuomi wrote:
>
> It has the same semantics, you can use 'custom' as in, put in whatever you want.
>
> Aki
>
> On Tue, Feb 10, 2015 at 03:30:43PM -0500, James Cornman wrote:
>> Hello:
>>
>> For authoritative:
>>
>> # version-string PowerDNS version in packets - full, anonymous, powerdns or custom
>> # version-string=anonymous
>>
>> For recursor:
>>
>> I don't know if it has the same keywords (full, powerdns, etc.), but you could do
>>
>> # version-string string reported on version.pdns or version.bind
>> # version-string=anonymous
>>
>> On Tue, Feb 10, 2015 at 3:26 PM, Keresztes Péter-Zoltán wrote:
>>
>>> Hello,
>>>
>>> Is there a way to hide the PowerDNS version from the public?
>>>
>>> Peter

From hunterj91 at hotmail.com Wed Feb 11 13:09:29 2015
From: hunterj91 at hotmail.com (Jonathan Hunter)
Date: Wed, 11 Feb 2015 13:09:29 +0000
Subject: [Pdns-users] Modify Records Table-Time of Day records
Message-ID:

Hi Guys,

I have implemented an ENUM server using PowerDNS and it's working well.

I store data, of course, in the PowerDNS database, and in particular the records table. Is it possible to modify the structure of the records table, to add new fields?

Also, has anyone implemented Time of Day routing with ENUM and PowerDNS previously?

Any help would be great.

Many thanks

Jon
From jpmens.dns at gmail.com Wed Feb 11 13:35:15 2015
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Wed, 11 Feb 2015 14:35:15 +0100
Subject: [Pdns-users] Modify Records Table-Time of Day records
In-Reply-To:
References:
Message-ID: <20150211133515.GA55436@tiggr.ww.mens.de>

> Is it possible to modify the structure of the records table, to add new fields?

You can add as many columns as you need; that will not interfere with PowerDNS Auth operation. (You can also rename existing columns, but you'd need to redefine the queries PowerDNS uses, so I don't recommend you doing that.)

-JP

From mchandler at aventer.net Wed Feb 11 23:35:57 2015
From: mchandler at aventer.net (Martin Chandler)
Date: Thu, 12 Feb 2015 08:35:57 +0900
Subject: [Pdns-users] Modify Records Table-Time of Day records
In-Reply-To: <20150211133515.GA55436@tiggr.ww.mens.de>
References: <20150211133515.GA55436@tiggr.ww.mens.de>
Message-ID: <54DBE75D.2090508@aventer.net>

On 2015/02/11 22:35, Jan-Piet Mens wrote:
>> Is it possible to modify the structure of the records table, to add new fields?
>
> You can add as many columns as you need; that will not interfere with
> PowerDNS Auth operation. (You can also rename existing columns, but
> you'd need to redefine the queries PowerDNS uses, so I don't recommend
> you doing that.)
>

Even if you rename columns, etc., it is also possible to then create a view for PowerDNS that matches the recommended schema. That way you don't have to redefine the queries...
Regards,
Martin

--
Cellular phone : 090-7849-6808
e-mail: mchandler at aventer.net
URL : http://www.aventer.net/

From nicholas at nicholaswilliams.net Thu Feb 12 05:15:11 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Wed, 11 Feb 2015 23:15:11 -0600
Subject: [Pdns-users] Please test: ALIAS/ANAME apex record in PowerDNS
In-Reply-To: <27EE415C-EB2F-401D-A6A9-13C107E801D8@netherlabs.nl>
References: <20140921105407.GA16178@xs.powerdns.com> <77B292FB-C4A0-4AA4-A5FE-FD0A85863361@netherlabs.nl> <1DF2DEA9-4BB8-4D55-9666-9138920CA8D2@nicholaswilliams.net> <27EE415C-EB2F-401D-A6A9-13C107E801D8@netherlabs.nl>
Message-ID: <69A5B7D0-99E3-4A47-A156-7A61FD0006A8@nicholaswilliams.net>

Do you think it's possible that release candidates for 3.5 could be coming soon? =D

N

On Jan 12, 2015, at 6:35 AM, Peter van Dijk wrote:

> Hello Nick,
>
> this code would be in release 3.5.0, for which no date has been set yet. However, as said below, the autotest website has development snapshots including packages.
>
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
>
> On 06 Jan 2015, at 22:30 , Nicholas Williams wrote:
>
>> I'm not clear on how y'all do releases in relation to your GitHub branches. What is the next version that code in master today can be expected to be released in? Is there an estimated timeline/date for that release?
>>
>> Thanks,
>>
>> Nick
>>
>> Sent from my iPhone, so please forgive brief replies and frequent typos
>>
>>> On Jan 5, 2015, at 04:34, Peter van Dijk wrote:
>>>
>>> Hello Pepe,
>>>
>>>> On 30 Dec 2014, at 9:28 , Pepe Charli wrote:
>>>>
>>>> Hi,
>>>>
>>>> Are these ALIAS/ANAME records implemented in PowerDNS Authoritative
>>>> Server 3.4.1?
>>>
>>> our ‘first stab’ attempt at this feature is on git master (https://github.com/PowerDNS/pdns/commit/d59b894ddccbd7c280e1b6d212e6b7d754016d38) but not in any released version.
>>>
>>> You can find snapshots and packages at https://autotest.powerdns.com/
>>>
>>> Kind regards,
>>> --
>>> Peter van Dijk
>>> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From bert.hubert at powerdns.com Thu Feb 12 08:47:34 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Thu, 12 Feb 2015 09:47:34 +0100
Subject: [Pdns-users] New PowerDNS employee, the importance of testing RCs, skipping 3.7.0, World Hosting Days 2015
Message-ID: <20150212084733.GA28616@xs.powerdns.com>

Hi everybody,

Some assorted remarks & PowerDNS news:

1) New employee
2) Please test our release candidates
3) 3.7.0 has been skipped, all hail 3.7.1
4) World Hosting Days in Germany

New employee
------------

To start with, the great news is that on March 2nd, Pieter Lexis will be joining PowerDNS as a fulltime employee! Pieter wrote a paper and software on DANE under our mentorship while at the OS3 program at the University of Amsterdam, and later did an amazing job converting our documentation to the splendor you can now find on http://doc.powerdns.com/

Based on this work, we offered Pieter a job and we're very happy he accepted! Pieter (not to be confused with existing employee Peter) will focus on helping customers, improving our code & infrastructure, fixing bugs and working on internet standards relevant for DNS.
Release candidates
------------------

When we work on a PowerDNS release, once we feel that it is ready to be used, we issue a Release Candidate. This is something you can run in production, and we expect it to work fine. If you have issues with an RC, we'll jump on them and resolve them as quickly as is possible.

In the 3.7.0 release process this worked well, and because RC1 and RC2 saw wide deployment, many small issues were found before the actual release. 3.7.0 was looking good, and we tagged it for release.

And then PowerDNS user & packager Ralf van der Enden reported that the 3.7.0 we uploaded did exactly nothing on his FreeBSD system. After intense debugging to see if we could save 3.7.0, we found that we indeed had a bug which meant 3.7.0 compiled on FreeBSD, but did nothing. This was fixed.

Today, we are increasing our regression tests to run on FreeBSD as well to prevent a repeat of this. But we'd like to urge our users, especially the ones on less mainstream platforms than Debian, Ubuntu, Fedora and Red Hat, to test our release candidates. This is one of the best ways you, like Ralf did, can help us deliver quality products!

3.7.0 will be skipped
---------------------

Because we had uploaded 3.7.0 and had it built for our various platforms, we are not going to slip the FreeBSD fix into 3.7.0 and end up with two different 3.7.0 releases. The next PowerDNS Recursor release will be 3.7.1. This release is imminent, after we complete our FreeBSD regression testing.

World Hosting Days 2015 in Rust
-------------------------------

PowerDNS and several of our Certified Consultants will be at World Hosting Days 2015 in Rust, Germany (March 24-26). As always, we enjoy meeting with PowerDNS users. If you or your management will be there and want to talk, please let us know!
Kind regards,

Bert
PowerDNS

From peter.van.dijk at powerdns.com Thu Feb 12 12:17:08 2015
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Thu, 12 Feb 2015 13:17:08 +0100
Subject: [Pdns-users] Recursor 3.7.1 released
Message-ID: <5BCD7136-FAE1-47A7-B3A0-D5EB26133A89@powerdns.com>

Hi everybody,

We're pleased to announce the final release for 3.7.1. RC1 and RC2 have seen a lot of production use already, which uncovered a small number of issues which have been addressed in this release. We are very grateful for the people that test our RCs; it really helps us deliver very reliable and robust formal releases. Thanks!

As noted in a separate announcement earlier today (http://blog.powerdns.com/2015/02/12/new-powerdns-employee-the-importance-of-testing-rcs-skipping-3-7-0-world-hosting-days-2015/), 3.7.0 has been skipped and we are now releasing 3.7.1 instead.

More information about 3.7.1 can be found in our blogpost: http://blog.powerdns.com/2015/01/22/an-introduction-to-powerdns-recursor-3-7-0/

3.7.1 offers significant performance improvements when using IPv6 for outgoing queries, which is only on if query-local-address6 is set to something.

Secondly, we spent a lot of time with very large PowerDNS deployments to preemptively improve our resilience against difficult or malicious traffic. To further enhance our resilience, the Lua module has been enhanced with new (bulk & automated) filtering abilities.

This version of the Recursor can also publish live performance graphs & a realtime overview of (attack) traffic per domain name. A demo of this can be seen on https://xs.powerdns.com/tmp/powerdns-recursor-live.gif . This is an early development, but to try this out, consult https://github.com/ahupowerdns/recuweb

Tar.gz and packages are available on:

* https://downloads.powerdns.com/releases/
* Soon: https://www.monshouwer.eu/download/3rd_party/pdns-recursor/ (RHEL/CentOS, with the usual huge thanks to Kees Monshouwer).
The changelog with clickable links can also be found on https://doc.powerdns.com/md/changelog/#powerdns-recursor-371

This version contains a mix of speedups and improvements, the combined effect of which is vastly improved resilience against traffic spikes and malicious query overloads.

PowerDNS Recursor 3.7.1
Released February 12th, 2015.

Of further note is the massive community contribution, mostly over Christmas. Especially Ruben Kerkhof, Pieter Lexis, Kees Monshouwer and Aki Tuomi delivered a lot of love. Thanks!

Minor changes:

* Removal of dead code here and there 04dc6d618
* Per-qtype response counters are now 64 bit 297bb6acf on 64 bit systems
* Add IPv6 addresses for b and c.root-servers.net hints efc259542
* Add IP address to logging about terminated queries 37aa9904d
* Improve qtype name logging fab3ed345 (Aki Tuomi)
* Redefine 'BAD_NETS' for dont-query based on newer IANA guidance 12cd44ee0 (lochiiconnectivity)
* Add documentation links to systemd unit eb154adfd (Ruben Kerkhof)

Improvements:

* Upgrade embedded PolarSSL to 1.3.9: d330a2ea1
* yahttp upgrade c29097577 c65a57e88 (Aki Tuomi)
* Replace '.' in hostnames by '-' for Carbon so as not to confuse Metronome 46541751e
* Manpages got a lot of love and are now built from Markdown (Pieter Lexis)
* Move to PolarSSL base64 488360551 (Kees Monshouwer)
* The quiet=no query logging is now more informative 461df9d20
* We can finally bind to 0.0.0.0 and :: and guarantee answers from the correct source b71b60ee7
* We use per-packet timestamps to drop ancient traffic in case of overload b71b60ee7, non-Linux portability in d63f0d836
* Builtin webserver can be queried with the API key in the URL again c89f8cd02
* Ringbuffers are now available via API c89f8cd02
* Lua 5.3 compatibility 59c6fc3e3 (Kees Monshouwer)
* No longer leave a stale UNIX domain socket around from rec_control if the recursor was down 524e4f4d8, ticket #2061
* Running with 'quiet=no' would strangely actually prevent debug messages from being logged f48d7b657
* Webserver now implements CORS for the API ea89a97e8, fixing ticket #1984
* Housekeeping thread would sometimes run multiple times simultaneously, which worked, but was odd cc59bce67

New features:

* New root-nx-trust flag makes PowerDNS generalize NXDOMAIN responses from the root-servers 01402d568
* getregisteredname() for Lua, which turns 'www.bbc.co.uk' into 'bbc.co.uk' 8cd4851be
* Lua preoutquery filter 3457a2a0e
* Lua IP-based filter (ipfilter) before parsing packets 4ea949413
* iputils class for Lua, to quickly process IP addresses and netmasks in their native format
* getregisteredname function for Lua, to find the registered domain for a given name
* Various new ringbuffers: top-servfail-remotes, top-largeanswer-remotes, top-servfail-queries

Speedups:

* Remove unneeded malloc traffic 93d4a8909 8682c32bc a903b39cf
* Our nameserver-loop detection carried around a lot of baggage for complex domain names, plus did not differentiate IPv4 and IPv6 well enough 891fbf888
* Prioritize new queries over nameserver responses, improving latency under query bursts bf3b0cec3
* Remove escaping in case there was nothing to escape 83b746fd1
* Our logging infrastructure had a lot of locking d1449e4d0
* Reduce logging level of certain common messages, which locked up synchronously logging systems 854d44e31
* Add limit on total wall-clock time spent on a query 9de3e0340
* Packet cache is now case-insensitive, which increases hitrate 90974597a

Security relevant:

* Check for PIE, RELRO and stack protector during configure 8d0354b18 (Aki Tuomi)
* Testing for support of PIE etc. was improved in b2053c28c and beyond, fixes #2125 (Ruben Kerkhof)
* Max query-per-query limit (max-qperq) is now configurable 173d790ea

Bugs fixed:

* IPv6 outgoing queries had a disproportionate effect on our query load. Fixed in 76f190f2a and beyond.
* rec_control gave incorrect output on a timeout 12997e9d8
* When using the webserver AND having an error in the Lua script, recursor could crash during startup 62f0ae629
* Hugely long version strings would trip up security polling 18b733382 (Kees Monshouwer)
* The 'remotes' ringbuffer was sized incorrectly f8f243b01
* Cache sizes had an off-by-one scaling problem, with the wrong number of entries allocated per thread f8f243b01
* Our automatic file descriptor limit raising was attempted after setuid, which made it a lot less effective. Found and fixed by Aki Tuomi a6414fdce
* Timestamps used for dropping packets were occasionally wrong 183eb8774 and 4c4765c10 (RC2), with thanks to Winfried for debugging.
* In RC1, our new DoS protection measures would crash the Recursor if too many root servers were unreachable. 6a6fb05ad. Debugging and testing by Fusl.

Various other documentation changes by Christian Hofstaedtler and Ruben Kerkhof. Lots of improvements all over the place by Kees Monshouwer.
From nicholas at nicholaswilliams.net Thu Feb 12 15:00:30 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Thu, 12 Feb 2015 09:00:30 -0600
Subject: [Pdns-users] Currently using distro packages, want to update
Message-ID: <5CBEA825-ADD2-4EEF-8CE7-575C35E61164@nicholaswilliams.net>

I try to always use software packages from my distro package managers (OpenSUSE zypper and CentOS yum) when I can, because it's easier and it resolves all my dependencies for me. I pretty much never manually deal with RPMs (so please forgive some of my ignorance).

But my distro is currently on PDNS Authoritative 3.1, and upgrading my OS isn't anywhere on my radar right now. I want to get to 3.4.2, so (I think) I'll need to forego the package manager and install the RPM packages manually (if there are alternatives, I'm all ears).

Some questions:

- Since I won't have auto dependency management, what dependencies do I need installed to install PDNS from RPM?
- Does pdns-static-3.4.2-1.x86_64.rpm _just_ install the binaries, or does it install the service, too, so that I can call `service pdns start` and configure the service to start automatically on boot? If the RPM doesn't do that, is there documentation / what is the recommended way to install PDNS as a service when installed manually with an RPM?
- Should I just be able to uninstall the package using my package manager and then install the RPM as a drop-in replacement?

Thanks in advance for putting up with my lack of knowledge!
Nick

From michael at stroeder.com Thu Feb 12 15:22:57 2015
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 12 Feb 2015 16:22:57 +0100
Subject: [Pdns-users] Currently using distro packages, want to update
In-Reply-To: <5CBEA825-ADD2-4EEF-8CE7-575C35E61164@nicholaswilliams.net>
References: <5CBEA825-ADD2-4EEF-8CE7-575C35E61164@nicholaswilliams.net>
Message-ID: <54DCC551.5050102@stroeder.com>

Nick Williams wrote:
> I try to always use software packages from my distro package managers (OpenSUSE zypper and CentOS yum) when I can, because it's easier and it resolves all my dependencies for me.
>
> But my distro

Which is your distro? Vendor and exact version number?

For openSUSE I'm trying to keep up with PowerDNS releases and my submissions most times end up here pretty soon:

https://build.opensuse.org/package/show/server:dns/pdns
(currently pdns-3.4.2)

https://build.opensuse.org/package/show/server:dns/pdns-recursor
(currently pdns-recursor-3.6.2; 3.7.1 is in my home project but not built yet)

Sooner or later this will be passed downstream in openSUSE Factory for the next openSUSE release.

You can see here which platforms are enabled for default builds:

https://build.opensuse.org/project/repositories/server:dns

There you will also find the direct download links to the zypper repo for your openSUSE version.

In my OBS home project I'm also building openSUSE Factory_ARM for running the packages on Raspberry Pi.

Ciao, Michael.
From s.posner at telekom.de Thu Feb 12 16:22:58 2015
From: s.posner at telekom.de (Posner, Sebastian)
Date: Thu, 12 Feb 2015 16:22:58 +0000
Subject: [Pdns-users] Modify Records Table-Time of Day records
In-Reply-To: <54DBE75D.2090508@aventer.net>
References: <20150211133515.GA55436@tiggr.ww.mens.de> <54DBE75D.2090508@aventer.net>
Message-ID:

Martin Chandler wrote:
> > > Is it possible to modify the structure of the records table,
> > > to add new fields?
> >
> > You can add as many columns as you need; that will not interfere with
> > PowerDNS Auth operation. (You can also rename existing columns, but
> > you'd need to redefine the queries PowerDNS uses, so I don't
> > recommend you doing that.)
> >
>
> Even if you rename columns, etc., it is also possible to then create a
> view for PowerDNS that matches the recommended schema.
> That way you don't have to redefine the queries...

Yes, and no. Don't be surprised if things don't work anymore, depending on your setup.

PDNS needs to write into the database/records table for several applications, and a view is not necessarily writeable, depending on how it is created.

Notably here would be Superslave operation; or probably any slave operation mode where replication is done by AXFR and not database means, as the transferred RRs need to be inserted into the DB at the slave.

So, despite having a view representing the original database layout, you still may have to redefine some queries.

On a side note: Dear staff, I am unable to find the empty-non-terminal queries at https://doc.powerdns.com/md/authoritative/backend-generic-mypgsql/ - did they become obsolete in recent revisions?

Sebastian

From spork at bway.net Mon Feb 16 04:19:24 2015
From: spork at bway.net (Charles Sprickman)
Date: Sun, 15 Feb 2015 23:19:24 -0500
Subject: [Pdns-users] Any status on DNSSEC in Recursor?
Message-ID: <9AA3A9C2-9CE8-4B33-B727-A547A6D03A6C@bway.net>

While asking Google the same, I hit this old blog post:

http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/

Any new timeline on when this might happen? Does the plan to implement it still look the same?

Thanks,

Charles

--
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet
www.bway.net
spork at bway.net - 212.655.9344

From steffannoord at gmail.com Mon Feb 16 16:04:51 2015
From: steffannoord at gmail.com (Steffan Noord)
Date: Mon, 16 Feb 2015 17:04:51 +0100
Subject: [Pdns-users] dns problem
Message-ID: <020a01d04a02$4c7e4cc0$e57ae640$@gmail.com>

I have a domain with no www record. The domain has a *.verbaasdonline.nl record.

On my DNS servers it is working:

dig www.verbaasdonline.nl @ns1.tikklik.nl
;; ANSWER SECTION:
www.verbaasdonline.nl. 3600 IN A 5.22.255.211

But when using Google DNS, www is not found:

dig www.verbaasdonline.nl @8.8.8.8
;; QUESTION SECTION:
;www.verbaasdonline.nl. IN A

Is this a problem in my DNS or a problem with Google and wildcards?

pdns.i386 3.4.2-1.el5.MIND

From bert.hubert at powerdns.com Mon Feb 16 16:12:18 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Mon, 16 Feb 2015 17:12:18 +0100
Subject: [Pdns-users] dns problem
In-Reply-To: <020a01d04a02$4c7e4cc0$e57ae640$@gmail.com>
References: <020a01d04a02$4c7e4cc0$e57ae640$@gmail.com>
Message-ID: <20150216161218.GA8177@xs.powerdns.com>

On Mon, Feb 16, 2015 at 05:04:51PM +0100, Steffan Noord wrote:
> I have a domain with no www record

Can you run:

pdnssec rectify-zone verbaasdonline.nl
pdnssec check-zone verbaasdonline.nl

? This is probably a DNSSEC issue.

Bert

> The domain has a *.verbaasdonline.nl record
>
> On my DNS servers it is working:
>
> dig www.verbaasdonline.nl @ns1.tikklik.nl
> ;; ANSWER SECTION:
> www.verbaasdonline.nl. 3600 IN A 5.22.255.211
>
> But when using Google DNS, www is not found:
>
> dig www.verbaasdonline.nl @8.8.8.8
> ;; QUESTION SECTION:
> ;www.verbaasdonline.nl. IN A
>
> Is this a problem in my DNS or a problem with Google and wildcards?
>
> pdns.i386 3.4.2-1.el5.MIND

From steffannoord at gmail.com Tue Feb 17 08:11:44 2015
From: steffannoord at gmail.com (Steffan Noord)
Date: Tue, 17 Feb 2015 09:11:44 +0100
Subject: [Pdns-users] cnames
Message-ID: <004b01d04a89$5e873a80$1b95af80$@gmail.com>

Yes, CNAMEs are evil. But some clients want to use them.

After checking my DNS server I see an error:

[Error] CNAME cmsetup.nl found, but other records with same label exist.

The client has a CNAME www.cmsetup.nl and a CNAME cmsetup.nl set up to another domain. But why is that an error?

If I remove one of the CNAMEs (say www.cmsetup.nl) then the domain is not responding anymore.

Thanks

Steffan

From bert.hubert at powerdns.com Tue Feb 17 08:16:03 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Tue, 17 Feb 2015 09:16:03 +0100
Subject: [Pdns-users] cnames
In-Reply-To: <004b01d04a89$5e873a80$1b95af80$@gmail.com>
References: <004b01d04a89$5e873a80$1b95af80$@gmail.com>
Message-ID: <20150217081603.GD14514@xs.powerdns.com>

On Tue, Feb 17, 2015 at 09:11:44AM +0100, Steffan Noord wrote:
> Yes, CNAMEs are evil.
> But some clients want to use them.
>
> After checking my DNS server I see an error:
> [Error] CNAME cmsetup.nl found, but other records with same label exist.
>
> The client has a CNAME www.cmsetup.nl
> and a CNAME cmsetup.nl set up to another domain.
> But why is that an error?

Because sadly that is how DNS works. You can't have a CNAME together with a SOA. This is not a PowerDNS issue.
Bert

From steffannoord at gmail.com Tue Feb 17 08:17:39 2015
From: steffannoord at gmail.com (Steffan Noord)
Date: Tue, 17 Feb 2015 09:17:39 +0100
Subject: [Pdns-users] cnames
In-Reply-To: <20150217081603.GD14514@xs.powerdns.com>
References: <004b01d04a89$5e873a80$1b95af80$@gmail.com> <20150217081603.GD14514@xs.powerdns.com>
Message-ID: <005001d04a8a$31fde710$95f9b530$@gmail.com>

So the SOA needs to be removed?

-----Original message-----
From: bert hubert [mailto:bert.hubert at powerdns.com]
Sent: Tuesday 17 February 2015 9:16
To: Steffan Noord
CC: 'Pdns'
Subject: Re: [Pdns-users] cnames

On Tue, Feb 17, 2015 at 09:11:44AM +0100, Steffan Noord wrote:
> Yes, CNAMEs are evil.
> But some clients want to use them.
>
> After checking my DNS server I see an error: [Error] CNAME cmsetup.nl
> found, but other records with same label exist.
>
> The client has a CNAME www.cmsetup.nl and a CNAME cmsetup.nl set up
> to another domain.
> But why is that an error?

Because sadly that is how DNS works. You can't have a CNAME together with a SOA. This is not a PowerDNS issue.

Bert

From bert.hubert at powerdns.com Tue Feb 17 08:27:10 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Tue, 17 Feb 2015 09:27:10 +0100
Subject: [Pdns-users] cnames
In-Reply-To: <005001d04a8a$31fde710$95f9b530$@gmail.com>
References: <004b01d04a89$5e873a80$1b95af80$@gmail.com> <20150217081603.GD14514@xs.powerdns.com> <005001d04a8a$31fde710$95f9b530$@gmail.com>
Message-ID: <20150217082710.GE14514@xs.powerdns.com>

I recommend learning about DNS. http://shop.oreilly.com/product/9780596100575.do is probably a good start. I'm sorry we can't be more helpful, but basic knowledge about DNS can be really helpful when running DNS.

Do not remove your SOA record in any case!

Bert

On Tue, Feb 17, 2015 at 09:17:39AM +0100, Steffan Noord wrote:
> So the SOA needs to be removed?
>
>
> -----Original message-----
> From: bert hubert [mailto:bert.hubert at powerdns.com]
> Sent: Tuesday 17 February 2015 9:16
> To: Steffan Noord
> CC: 'Pdns'
> Subject: Re: [Pdns-users] cnames
>
> On Tue, Feb 17, 2015 at 09:11:44AM +0100, Steffan Noord wrote:
> > Yes, CNAMEs are evil.
> > But some clients want to use them.
> >
> > After checking my DNS server I see an error: [Error] CNAME cmsetup.nl
> > found, but other records with same label exist.
> >
> > The client has a CNAME www.cmsetup.nl and a CNAME cmsetup.nl set up
> > to another domain.
> > But why is that an error?
>
> Because sadly that is how DNS works. You can't have a CNAME together with a
> SOA. This is not a PowerDNS issue.
>
> Bert

From steffannoord at gmail.com Tue Feb 17 13:07:38 2015
From: steffannoord at gmail.com (Steffan Noord)
Date: Tue, 17 Feb 2015 14:07:38 +0100
Subject: [Pdns-users] cnames
In-Reply-To: <-1587561429133483169@unknownmsgid>
References: <004b01d04a89$5e873a80$1b95af80$@gmail.com> <-1587561429133483169@unknownmsgid>
Message-ID: <00b301d04ab2$b4e931c0$1ebb9540$@gmail.com>

Thanks. I never use CNAMEs; I found it and am updating my panel to not let this be added again.

-----Original message-----
From: James Cornman [mailto:james at atlanticmetro.net]
Sent: Tuesday 17 February 2015 14:06
To: Steffan Noord
CC: Pdns
Subject: Re: [Pdns-users] cnames

To be more clear than the others, you can't have a CNAME record for domain.com.

> On Feb 17, 2015, at 3:13 AM, Steffan Noord wrote:
>
> Yes, CNAMEs are evil.
> But some clients want to use them.
>
> After checking my DNS server I see an error: [Error] CNAME cmsetup.nl
> found, but other records with same label exist.
>
> The client has a CNAME www.cmsetup.nl and a CNAME cmsetup.nl set up
> to another domain.
> But why is that an error?
> If I remove one of the CNAMEs (say www.cmsetup.nl) then the domain
> is not responding anymore.
>
> Thanks
>
> Steffan

From steven.spencer at kdsi.com Tue Feb 17 21:59:46 2015
From: steven.spencer at kdsi.com (Steven Spencer)
Date: Tue, 17 Feb 2015 15:59:46 -0600
Subject: [Pdns-users] Update from 2.9.21 to 3.3.1-1 - Color me confused
Message-ID: <54E3B9D2.6050206@kdsi.com>

List,

I need to preface this by saying that we are not using DNSSEC.

In doing the schema changes, I've run into problems, or what appear to be problems:

Schema changes required (according to the upgrade notes) for 2.9.x to 3.1:

mysql> ALTER TABLE records MODIFY content VARCHAR(64000);
mysql> ALTER TABLE tsigkeys MODIFY algorithm VARCHAR(50);

The first one (above) works as expected, the second one gives this error:

ERROR 1146 (42S02): Table 'powerdns.tsigkeys' doesn't exist

In reading, it says that this change is required for DNSSEC, so I went on.

Changes required for 3.1 to 3.2:

alter table records modify ordername VARCHAR(255) BINARY;
drop index orderindex on records;
create index recordorder on records (domain_id, ordername);

All of these generate errors:

ERROR 1054 (42S22): Unknown column 'ordername' in 'records'
ERROR 1091 (42000): Can't DROP 'orderindex'; check that column/key exist
ERROR 1072 (42000): Key column 'ordername' doesn't exist in table

The last error is obvious, since the first command already complained about an unknown column.

Changes required for 3.2 to 3.3:

alter table supermasters modify ip VARCHAR(64);

This works as expected.

Am I missing earlier schema changes? This is the second time through this.

Thanks,

--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010

From ktm at rice.edu Tue Feb 17 22:08:09 2015
From: ktm at rice.edu (ktm at rice.edu)
Date: Tue, 17 Feb 2015 16:08:09 -0600
Subject: [Pdns-users] Update from 2.9.21 to 3.3.1-1 - Color me confused
In-Reply-To: <54E3B9D2.6050206@kdsi.com>
References: <54E3B9D2.6050206@kdsi.com>
Message-ID: <20150217220809.GN5510@aart.rice.edu>

Hi Steven,

Review the schema and if the tables do not exist create them as specified. The ALTERs should be run against existing tables.

Regards,
Ken

On Tue, Feb 17, 2015 at 03:59:46PM -0600, Steven Spencer wrote:
> List,
>
> I need to preface this by saying that we are not using DNSSEC.
>
> In doing the schema changes, I've run into problems, or what appear
> to be problems:
>
> Schema changes required (according to the upgrade notes) for 2.9.x to 3.1:
>
> mysql> ALTER TABLE records MODIFY content VARCHAR(64000);
> mysql> ALTER TABLE tsigkeys MODIFY algorithm VARCHAR(50);
>
> The first one (above) works as expected, the second one gives this error:
>
> ERROR 1146 (42S02): Table 'powerdns.tsigkeys' doesn't exist
...

From steven.spencer at kdsi.com Wed Feb 18 14:40:47 2015
From: steven.spencer at kdsi.com (Steven Spencer)
Date: Wed, 18 Feb 2015 08:40:47 -0600
Subject: [Pdns-users] Update from 2.9.21 to 3.3.1-1 - Color me confused
In-Reply-To: <20150217220809.GN5510@aart.rice.edu>
References: <54E3B9D2.6050206@kdsi.com> <20150217220809.GN5510@aart.rice.edu>
Message-ID: <54E4A46F.3030705@kdsi.com>

That makes perfect sense, but since I do not have DNSSEC enabled, none of the tables or columns specific to that are in the schema. The very first set from my original email shows the ALTER TABLE tsigkeys line, and that table, and none of the columns associated with it, are in the database at all. In my searching the upgrade notes, there is no mention of what /should/ be in that table.
So, what I'm trying to do is make sure I have a working DNS server after the upgrade. If the table 'tsigkeys' is required, then I need to know how to create that and what columns/fields it should contain. Thanks, Steve On 02/17/2015 04:08 PM, ktm at rice.edu wrote: > Hi Steven, > > Review the schema and if the tables do not exist create them as > specified. The alter's should be run against existing tables. > > Regards, > Ken > > On Tue, Feb 17, 2015 at 03:59:46PM -0600, Steven Spencer wrote: >> List, >> >> I need to preface this that we are not using DNSSEC. >> >> In doing the schema changes, I've run into problems, or what appear >> to be a problems: >> >> Schema changes required (according to the upgrade notes) for 2.9.x to 3.1: >> >> |mysql> ALTER TABLE records MODIFY content VARCHAR(64000); >> mysql> ALTER TABLE tsigkeys MODIFY algorithm VARCHAR(50);| >> >> >> The first one (above) works as expected, second one gives this error: >> >> ERROR 1146 (42S02): Table 'powerdns.tsigkeys' doesn't exist > ... > > -- -- Steven G. Spencer, Network Administrator KSC Corporate - The Kelly Supply Family of Companies Office 308-382-8764 Ext. 1131 Mobile 402-765-8010 From ktm at rice.edu Wed Feb 18 15:09:31 2015 From: ktm at rice.edu (ktm at rice.edu) Date: Wed, 18 Feb 2015 09:09:31 -0600 Subject: [Pdns-users] Update from 2.9.21 to 3.3.1-1 - Color me confused In-Reply-To: <54E4A46F.3030705@kdsi.com> References: <54E3B9D2.6050206@kdsi.com> <20150217220809.GN5510@aart.rice.edu> <54E4A46F.3030705@kdsi.com> Message-ID: <20150218150931.GO5510@aart.rice.edu> On Wed, Feb 18, 2015 at 08:40:47AM -0600, Steven Spencer wrote: > That makes perfect sense, but since I do not have DNSSEC enabled, > none of the tables or columns specific to that are in the schema. > The very first set from my original email shows the ALTER TABLE > tsigkeys line, and that table and none of the columns associated > with it, are in the database at all. 
In my searching the upgrade > notes, there is no mention of what /should/ be in that table. So, > what I'm trying to do is make sure I have a working DNS server after > the upgrade. If the table 'tsigkeys' is required, then I need to > know how to create that and what columns/fields it should contain. > > Thanks, > Steve Hi Steve, The documentation has all of the schema definitions. There are also schema definitions in the source code tar file. Regards, Ken From hw at nitramlexa.com Thu Feb 19 14:26:42 2015 From: hw at nitramlexa.com (hw at nitramlexa.com) Date: Thu, 19 Feb 2015 15:26:42 +0100 Subject: [Pdns-users] Windows 7 computers not getting split horizon change made by Lua script Message-ID: <54e5f2a2.711f.fa37d700.37fe93f7@woffinden.co.uk> My setup is as follows: All servers are Centos 7 x86_64 running under VMware ESXi 5.1. My DNS/firewall running PDNS 3.4.1 and PDNS-RECURSOR 3.6.2 has 2 NICs. 1 has one static public IP (79.142.xx.yy), and the other is on my LAN (192.168.3.1/24). The IP in my DNS for the mail server is the public, and ports are then forwarded. mail server is at 192.168.3.50 internal PDNS-recursor (3.6.2) with a Lua script to change address to LAN address is located at 192.168.3.51, and it's the only DNS specified in all workstations network setup. It works like a dream for everybody BUT Windows 7. Android, Linux and Windows XP all get the LAN address when asking for mail.example.com, but Windows 7 gets the public address. I can see in logging in the Lua script that the Windows 7 machine asks for the name, and Lua returns the LAN address, but Windows 7 still gets the public IP. Any ideas to why? I'm also running Samba on the PDNS-recursor to let Windows access the NAS shares, but there's no wins defined anywhere, and the firewall / auth dns is not running Samba. Kind regards, Henrik Woffinden -------------- next part -------------- An HTML attachment was scrubbed... 
From bert.hubert at powerdns.com Thu Feb 19 15:00:05 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Thu, 19 Feb 2015 16:00:05 +0100
Subject: [Pdns-users] Windows 7 computers not getting split horizon change made by Lua script
In-Reply-To: <54e5f2a2.711f.fa37d700.37fe93f7@woffinden.co.uk>
References: <54e5f2a2.711f.fa37d700.37fe93f7@woffinden.co.uk>
Message-ID: <20150219150005.GA31941@xs.powerdns.com>

On Thu, Feb 19, 2015 at 03:26:42PM +0100, hw at nitramlexa.com wrote:
> It works like a dream for everybody BUT Windows 7.
> Android, Linux and Windows XP all get the LAN address when asking
> for mail.example.com, but Windows 7 gets the public address.

Check with tcpdump what answers you are really sending out. Did you remember to use setvariable() to make sure PowerDNS doesn't packetcache your Lua answers?

Good luck!

Bert

> I can see in logging in the Lua script that the Windows 7 machine
> asks for the name, and Lua returns the LAN address,
> but Windows 7 still gets the public IP.
>
> Any ideas to why?
>
> I'm also running Samba on the PDNS-recursor to let Windows access
> the NAS shares, but there's no wins defined anywhere,
> and the firewall / auth dns is not running Samba.
>
> Kind regards,
> Henrik Woffinden

From niels at peen.ch Thu Feb 19 16:40:47 2015
From: niels at peen.ch (Niels Peen)
Date: Thu, 19 Feb 2015 17:40:47 +0100
Subject: [Pdns-users] LUA iputils netmaskgroup match
Message-ID: <83978FC5-E77B-41A4-AD94-141D63ECDCBF@peen.ch>

Hello,

I’m using a netmaskgroup to see if a given IP matches:

  if nmg:match(ca) then ..

This works very well but I would like to know which specific netmask matched. E.g. by having :match (also) return the matching netmask rather than (just) returning true.

Am I correct that this is currently not possible? If so, could this be considered for a future release?

Thanks,
Niels

From nicholas at nicholaswilliams.net Thu Feb 19 21:12:23 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Thu, 19 Feb 2015 15:12:23 -0600
Subject: [Pdns-users] Why was content length increased?
Message-ID: <79974B73-5BB5-4039-BD3C-D54F8F67402C@nicholaswilliams.net>

I'm upgrading to authoritative 3.4 and noticed that the records.content column has been increased from 255 characters to 64000 characters. Because my table is UTF-8, I get the following error:

  mysql> ALTER TABLE records MODIFY content VARCHAR(64000);
  ERROR 1074 (42000): Column length too big for column 'content' (max = 21845); use BLOB or TEXT instead

I know I can use latin1, but I tend to avoid any non-Unicode character sets completely, and would prefer to stick with UTF-8. Given that:

- What changed that required the increase from 255 to 64,000 characters?
- Is there any reason that I couldn't just use VARCHAR(21845)?
- Are there any performance implications to using TEXT instead of VARCHAR(64000)?

Thanks,

Nick

From nicholas at nicholaswilliams.net Thu Feb 19 21:13:51 2015
From: nicholas at nicholaswilliams.net (Nicholas Williams)
Date: Thu, 19 Feb 2015 15:13:51 -0600
Subject: [Pdns-users] Currently using distro packages, want to update
In-Reply-To:
References: <5CBEA825-ADD2-4EEF-8CE7-575C35E61164@nicholaswilliams.net> <54DCC551.5050102@stroeder.com> <54DCCEFA.7050604@stroeder.com> <54DCE95B.90709@stroeder.com>
Message-ID:

So I've gathered now that I can get 3.4.2 from https://www.monshouwer.eu/download/3rd_party/pdns/el6/ for my CentOS 6 machine, https://www.monshouwer.eu/download/3rd_party/pdns/el7/ for my CentOS 7 machine, and http://download.opensuse.org/repositories/server:/dns/SLE_12/ for my OpenSUSE 12 machine (or update to OpenSUSE 13 and use http://download.opensuse.org/repositories/server:/dns/openSUSE_13.2/).

But the problem that doesn't solve is my impending need to install the PDNS 3.5 release candidate when it's available. I gather there will be RPMs available, but I doubt I'll be able to get it on any of these repos.

Is there anyone who can answer my original 3 questions (below) about this?

> - Since I won't have auto dependency management, what dependencies do I need installed to install PDNS from RPM?
>
> - Does pdns-static-3.4.2-1.x86_64.rpm _just_ install the binaries, or does it install the service, too, so that I can call `service pdns start` and configure the service to start automatically on boot? If the RPM doesn't do that, is there documentation / what is the recommended way to install PDNS as a service when installed manually with an RPM?
>
> - Should I just be able to uninstall the package using my package manager and then install the RPM as a drop-in replacement?

Thanks!

Nick

On Thu, Feb 12, 2015 at 12:02 PM, Nicholas Williams wrote:

I know this is off-topic, but have you ever used `zypper dist-upgrade`? It scares me, but if it would make the upgrade easier... I don't like the idea of going without security updates.

Nick

Sent from my iPhone, so please forgive brief replies and frequent typos

> On Feb 12, 2015, at 11:56, Michael Ströder wrote:
>
> Nicholas Williams wrote:
>> Sorry, you're right—OpenSUSE 12.3. Upgrading is a hassle that I don't have
>> time for right now. It'll probably be another 8-12 months before I can
>> upgrade it.
>
> You could try SLES11SP3 packages. But you're on your own.
>
> Also note that openSUSE 12.3 does *not* receive security updates anymore.
>
> Ciao, Michael.

From ahodgson at simkin.ca Thu Feb 19 21:31:31 2015
From: ahodgson at simkin.ca (Alan Hodgson)
Date: Thu, 19 Feb 2015 13:31:31 -0800
Subject: [Pdns-users] Currently using distro packages, want to update
In-Reply-To:
References: <5CBEA825-ADD2-4EEF-8CE7-575C35E61164@nicholaswilliams.net>
Message-ID: <41905273.9WmEUAvrse@skynet.simkin.ca>

On Thursday, February 19, 2015 03:13:51 PM Nicholas Williams wrote:
> > - Since I won't have auto dependency management, what dependencies do I
> > need installed to install PDNS from RPM?

You can use yum to install a local RPM, and it will resolve dependencies (yum localinstall rpmfile, I believe).

> >
> > - Does pdns-static-3.4.2-1.x86_64.rpm _just_ install the binaries, or does
> > it install the service, too, so that I can call `service pdns start` and
> > configure the service to start automatically on boot? If the RPM doesn't
> > do that, is there documentation / what is the recommended way to install
> > PDNS as a service when installed manually with an RPM?

rpm -q -l -p pdns-static-3.4.2-1.x86_64.rpm, see if it puts a file in /etc/init.d. If it does, you still may need to chkconfig --add it, and chkconfig --level 345 service_name on to add it to boot. Never used the static RPMs myself.

Building RPMs, deconstructing them, and even creating your own init scripts are pretty common Linux system administration tasks, especially if you want to run bleeding edge software on CentOS. You might want to dig into them at some point.

From nicholas at nicholaswilliams.net Thu Feb 19 21:34:06 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Thu, 19 Feb 2015 15:34:06 -0600
Subject: [Pdns-users] When was ordername column added to records table?
Message-ID:

I'm a bit curious because, looking through the code history, I can't find any evidence of it.
The schema for PDNS 3.0 shows no "ordername" column or "orderindex" index on the records table:

https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/no-dnssec.schema.pgsql.sql

And the upgrade instructions for 3.0 -> 3.1 don't include an alter statement for adding the "ordername" column or "orderindex" index:

https://doc.powerdns.com/md/authoritative/upgrading/#30-to-31

But the upgrade instructions for 3.1 -> 3.2 include an alter statement for _modifying_ the "ordername" column and _dropping_ the "orderindex" index that were never added:

https://doc.powerdns.com/md/authoritative/upgrading/#31-to-32

This doesn't compute.

Can someone provide me some perspective on this?

Thanks,

Nick

From ktm at rice.edu Thu Feb 19 21:37:16 2015
From: ktm at rice.edu (ktm at rice.edu)
Date: Thu, 19 Feb 2015 15:37:16 -0600
Subject: [Pdns-users] When was ordername column added to records table?
In-Reply-To:
References:
Message-ID: <20150219213716.GB5510@aart.rice.edu>

On Thu, Feb 19, 2015 at 03:34:06PM -0600, Nick Williams wrote:
> I'm a bit curious because, looking through the code history, I can't find any evidence of it.
>
> The schema for PDNS 3.0 shows no "ordername" column or "orderindex" index on the records table:
>
> https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/no-dnssec.schema.pgsql.sql
>
> And the upgrade instructions for 3.0 -> 3.1 don't include an alter statement for adding the "ordername" column or "orderindex" index:
>
> https://doc.powerdns.com/md/authoritative/upgrading/#30-to-31
>
> But the upgrade instructions for 3.1 -> 3.2 includes an alter statement for _modifying_ the "ordername" column and _dropping_ the "orderindex" index that were never added:
>
> https://doc.powerdns.com/md/authoritative/upgrading/#31-to-32
>
> This doesn't compute.
>
> Can someone provide me some perspective on this?
>
> Thanks,
>
> Nick

Hi Nick,

Please check the release documentation for the new release for the schema definitions used and add any missing tables. The ALTER TABLE will only apply to previously existing tables, not create the needed new ones.

Regards,
Ken

From nicholas at nicholaswilliams.net Thu Feb 19 21:44:00 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Thu, 19 Feb 2015 15:44:00 -0600
Subject: [Pdns-users] When was ordername column added to records table?
In-Reply-To: <20150219213716.GB5510@aart.rice.edu>
References: <20150219213716.GB5510@aart.rice.edu>
Message-ID: <79E5C562-FBD0-467E-87B7-7A3598D09A7E@nicholaswilliams.net>

On Feb 19, 2015, at 3:37 PM, ktm at rice.edu wrote:
> On Thu, Feb 19, 2015 at 03:34:06PM -0600, Nick Williams wrote:
>> I'm a bit curious because, looking through the code history, I can't find any evidence of it.
>>
>> The schema for PDNS 3.0 shows no "ordername" column or "orderindex" index on the records table:
>>
>> https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/no-dnssec.schema.pgsql.sql
>>
>> And the upgrade instructions for 3.0 -> 3.1 don't include an alter statement for adding the "ordername" column or "orderindex" index:
>>
>> https://doc.powerdns.com/md/authoritative/upgrading/#30-to-31
>>
>> But the upgrade instructions for 3.1 -> 3.2 includes an alter statement for _modifying_ the "ordername" column and _dropping_ the "orderindex" index that were never added:
>>
>> https://doc.powerdns.com/md/authoritative/upgrading/#31-to-32
>>
>> This doesn't compute.
>>
>> Can someone provide me some perspective on this?
>>
>> Thanks,
>>
>> Nick
>
> Hi Nick,
>
> Please check the release documentation for the new release for the schema definitions
> used and add any missing tables. The ALTER TABLE will only apply to previously existing
> tables, not create the needed new ones.
>
> Regards,
> Ken

Ken, you misread my email. I'm not talking about adding a new table. I'm saying that apparently a new _column_ and a new _index_ were added between 3.0 and 3.1 but not listed in the 3.0 -> 3.1 upgrade instructions. Please re-read my email carefully to see the discrepancy.

Thanks,

Nick

From christian.hofstaedtler at deduktiva.com Thu Feb 19 21:05:54 2015
From: christian.hofstaedtler at deduktiva.com (Christian Hofstaedtler)
Date: Thu, 19 Feb 2015 21:05:54 +0000
Subject: [Pdns-users] When was ordername column added to records table?
In-Reply-To: <20150219213716.GB5510@aart.rice.edu>
References: <20150219213716.GB5510@aart.rice.edu>
Message-ID: <92AD7E39-A082-4A04-80D4-71AFA69644E3@deduktiva.com>

> On 19 Feb 2015, at 22:37, ktm at rice.edu wrote:
> On Thu, Feb 19, 2015 at 03:34:06PM -0600, Nick Williams wrote:
>> The schema for PDNS 3.0 shows no "ordername" column or "orderindex" index on the records table:
>> https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/no-dnssec.schema.pgsql.sql
>>
>> And the upgrade instructions for 3.0 -> 3.1 don't include an alter statement for adding the "ordername" column or "orderindex" index:
>> https://doc.powerdns.com/md/authoritative/upgrading/#30-to-31
>>
>> But the upgrade instructions for 3.1 -> 3.2 includes an alter statement for _modifying_ the "ordername" column and _dropping_ the "orderindex" index that were never added:
>> https://doc.powerdns.com/md/authoritative/upgrading/#31-to-32
>>
>> […]
>> Can someone provide me some perspective on this?

ordername was added in 3.0, as part of the DNSSEC schema upgrade. (see https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/dnssec.schema.pgsql.sql )

> […] The ALTER TABLE will only apply to previously existing
> tables, not create the needed new ones.

The upgrade SQL scripts in general add/modify tables and columns.

The instructions for upgrading to 3.4.0 include consolidated update scripts, see https://doc.powerdns.com/md/authoritative/upgrading/#database-schema . Pick the backend and schema type you currently have (if you come from 2.9.22, it’s always the ‘non-dnssec’ type), and you’ll end up with the correct schema.

Best,
--
Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
www.deduktiva.com / +43 1 353 1707

From nicholas at nicholaswilliams.net Thu Feb 19 22:35:42 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Thu, 19 Feb 2015 16:35:42 -0600
Subject: [Pdns-users] When was ordername column added to records table?
In-Reply-To: <92AD7E39-A082-4A04-80D4-71AFA69644E3@deduktiva.com>
References: <20150219213716.GB5510@aart.rice.edu> <92AD7E39-A082-4A04-80D4-71AFA69644E3@deduktiva.com>
Message-ID: <31A3A89D-88D8-4307-9232-F659DA2F5BC0@nicholaswilliams.net>

On Feb 19, 2015, at 3:05 PM, Christian Hofstaedtler wrote:
>
>> On 19 Feb 2015, at 22:37, ktm at rice.edu wrote:
>> On Thu, Feb 19, 2015 at 03:34:06PM -0600, Nick Williams wrote:
>>> The schema for PDNS 3.0 shows no "ordername" column or "orderindex" index on the records table:
>>> https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/no-dnssec.schema.pgsql.sql
>>>
>>> And the upgrade instructions for 3.0 -> 3.1 don't include an alter statement for adding the "ordername" column or "orderindex" index:
>>> https://doc.powerdns.com/md/authoritative/upgrading/#30-to-31
>>>
>>> But the upgrade instructions for 3.1 -> 3.2 includes an alter statement for _modifying_ the "ordername" column and _dropping_ the "orderindex" index that were never added:
>>> https://doc.powerdns.com/md/authoritative/upgrading/#31-to-32
>>>
>>> […]
>>> Can someone provide me some perspective on this?
>
> ordername was added in 3.0, as part of the DNSSEC schema upgrade. (see https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/dnssec.schema.pgsql.sql )
>
>> […] The ALTER TABLE will only apply to previously existing
>> tables, not create the needed new ones.
>
> The upgrade SQL scripts in general add/modify tables and columns.
>
> The instructions for upgrading to 3.4.0 include consolidated update scripts, see https://doc.powerdns.com/md/authoritative/upgrading/#database-schema .
> Pick the backend and schema type you currently have (if you come from 2.9.22, it’s always the ‘non-dnssec’ type), and you’ll end up with the correct schema.
>
> Best,
> --
> Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
> www.deduktiva.com / +43 1 353 1707

Thanks, Christian. Interesting that the ordername column was added in 3.0, but the schema file in the 3.0 tag (https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/no-dnssec.schema.pgsql.sql) doesn't include that column. Thanks for clearing it up for me.

Interestingly, I'm coming from 3.0.1 and my database does not have that column in it. But the consolidated script definitely helped.

Nick

From yawowb+pdns-users at nuclei.ca Fri Feb 20 01:23:15 2015
From: yawowb+pdns-users at nuclei.ca (rooster)
Date: Thu, 19 Feb 2015 17:23:15 -0800
Subject: [Pdns-users] pdns-recursor works but pdns discards responses
In-Reply-To:
References: <20150127.112228.41636277.sthaug@nethelp.no> <20150127135941.GG5510@aart.rice.edu>
Message-ID:

I had an e-mail client issue and this message was never sent. Sending now. There are three other messages with the same problem.

***

> On 2015-01-29, at 8:02 AM, Peter van Dijk wrote:
>
> Hello Rooster,
> We had a similar report from a Solaris SPARC user; a fix for his problem went into the 3.4.0 release, but we never got an answer about whether it helped.
>
> Can you please try with pdns-server 3.4.0 or higher, and let us know if that fixes it?
>
> Kind regards,
> --
> Peter van Dijk

Hi there Peter,

Thank you for this information. I had seen talk about big endian versus little endian and I think I saw that same SPARC post. I will install pdns-server 3.4.0 or higher and report back.

Thank you again.
-- From yawowb+pdns-users at nuclei.ca Fri Feb 20 01:29:51 2015 From: yawowb+pdns-users at nuclei.ca (rooster) Date: Thu, 19 Feb 2015 17:29:51 -0800 Subject: [Pdns-users] pdns-recursor works but pdns discards responses In-Reply-To: References: <20150127.112228.41636277.sthaug@nethelp.no> <20150127135941.GG5510@aart.rice.edu> Message-ID: > We had a similar report from a Solaris SPARC user; a fix for his problem went into the 3.4.0 release, but we never got an answer about whether it helped. > > Can you please try with pens-server 3.4.0 or higher, and let us know if that fixes it? > > Kind regards, > -- > Peter van Dijk Hi again Peter, Here are my results of the installation I did tonight. I grabbed the following files : ftp://ftp.debian.org//debian/pool/main/p/pdns/pdns_3.4.1-4.debian.tar.xz ftp://ftp.debian.org//debian/pool/main/p/pdns/pdns_3.4.1-4.dsc ftp://ftp.debian.org//debian/pool/main/p/pdns/pdns_3.4.1.orig.tar.bz2 Compiled, built and installed pdns-server_3.4.1. PowerDNS version now reports as the following : Jan 30 01:55:06 PowerDNS Authoritative Server 3.4.1 (jenkins at autotest.powerdns.com) (C) 2001-2014 PowerDNS.COM BV Jan 30 01:55:06 Using 32-bits mode. Built on 20150130004723 by root at host, gcc 4.8.2. Jan 30 01:55:06 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2. Jan 30 01:55:06 Features: botan1.10 cryptopp libdl lua Jan 30 01:55:06 Built-in modules: Now when I do a lookup from the host (dig @IPADDRESS google.com), I see this in the syslog : Jan 30 01:54:40 host pdns_recursor[995]: 1 question answered from packet cache from 127.0.0.1 Jan 30 01:54:40 host pdns[23000]: Discarding untracked packet from recursor backend with id 24672. Conntrack table size=1 End result, same as before. :( I will go looking for a version higher than 3.4.1 and try again. 
-- From yawowb+pdns-users at nuclei.ca Fri Feb 20 01:32:58 2015 From: yawowb+pdns-users at nuclei.ca (rooster) Date: Thu, 19 Feb 2015 17:32:58 -0800 Subject: [Pdns-users] pdns-recursor works but pdns discards responses In-Reply-To: References: <20150127.112228.41636277.sthaug@nethelp.no> <20150127135941.GG5510@aart.rice.edu> Message-ID: > We had a similar report from a Solaris SPARC user; a fix for his problem went into the 3.4.0 release, but we never got an answer about whether it helped. > > Can you please try with pens-server 3.4.0 or higher, and let us know if that fixes it? > > Kind regards, > -- > Peter van Dijk Hi again Peter, I downloaded, compiled and installed the recently released 3.4.2 from the PowerDNS releases web page but I was unable to get it to launch. :( The error I am getting is “Unable to launch, no backends configured for querying” which is very odd since when I did the compile, I explicitly compiled with the bind module option. Also, my local config file does have “launch=bind” parameter set. host - PowerPC 32bit, ubuntu 14.04 LTS release -- From yawowb+pdns-users at nuclei.ca Fri Feb 20 01:34:13 2015 From: yawowb+pdns-users at nuclei.ca (rooster) Date: Thu, 19 Feb 2015 17:34:13 -0800 Subject: [Pdns-users] pdns-recursor works but pdns discards responses In-Reply-To: References: <20150127.112228.41636277.sthaug@nethelp.no> <20150127135941.GG5510@aart.rice.edu> Message-ID: <78ADE2F8-333E-4D5A-A7FC-A9A0FD9386E0@nuclei.ca> > I downloaded, compiled and installed the recently released 3.4.2 from the PowerDNS releases web page but I was unable to get it to launch. :( > > The error I am getting is “Unable to launch, no backends configured for querying” which is very odd since when I did the compile, I explicitly compiled with the bind module option. Also, my local config file does have “launch=bind” parameter set. 
> > host - PowerPC 32bit, ubuntu 14.04 LTS release Here is an update to this new problem that Habbie and ahu on the IRC channel helped me with. What was happening was when pdns was launched, it would look in /usr/local/etc/ for it’s configuration files. Of course this was wrong. After some short deliberation and with a hint from Fusl in the IRC channel, I modified /etc/default/pdns to add --config-dir=/etc/powerdns in the DAEMON_ARGS=“” line. The two other options are : add this same modification to the init.d script that was generated from the compile or at the time of compile, add --sysconfdir=/etc/powerdns to the ./configure command. Now I have a running 3.4.2 pdns but I still have the problem of the precursor responses being discarded. Right ha has me running a testrunner. -- From roblocke at gmail.com Fri Feb 20 02:06:00 2015 From: roblocke at gmail.com (Robert Locke) Date: Fri, 20 Feb 2015 10:06:00 +0800 Subject: [Pdns-users] Why was content length increased? In-Reply-To: <79974B73-5BB5-4039-BD3C-D54F8F67402C@nicholaswilliams.net> References: <79974B73-5BB5-4039-BD3C-D54F8F67402C@nicholaswilliams.net> Message-ID: Hi Nick, We use TEXT (utf-8) and have had no performance issues so far. My understanding is that the innodb engine handles text efficiently - the “content” data is stored inline in the general case, and only stored on a separate page if it’s above a certain size for a given row. Cheers, Rob > On Feb 20, 2015, at 5:12 AM, Nick Williams wrote: > > I'm upgrading to authoritative 3.4 and noticed that the records.content column has been increased from 255 characters to 64000 characters. Because my table is UTF-8, I get the following error: > > mysql> ALTER TABLE records MODIFY content VARCHAR(64000); > ERROR 1074 (42000): Column length too big for column 'content' (max = 21845); use BLOB or TEXT instead > > I know I can use latin1, but I tend to avoid any non-Unicode character sets completely, and would prefer to stick with UTF-8. 
Given that: > > - What changed that required the increase from 255 to 64,000 characters? > - Is there any reason that I couldn't just use VARCHAR(21845)? > - Are there any performance implications to using TEXT instead of VARCHAR(64000)? > > Thanks, > > Nick > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users From yawowb+pdns-users at nuclei.ca Fri Feb 20 02:48:06 2015 From: yawowb+pdns-users at nuclei.ca (rooster) Date: Thu, 19 Feb 2015 18:48:06 -0800 Subject: [Pdns-users] pdns-recursor works but pdns discards responses In-Reply-To: References: Message-ID: <4FF468BA-9016-44DB-9735-F35811BA93F0@nuclei.ca> > On 2015-01-26, at 5:38 PM, rooster wrote: > > Hello list, > > I have pdns-recursor and pdns on the same host and port but on different IP’s. When I query pdns and it can not answer, so it passes the query on to pdns-recursor, which then responds with the answer but then pdns discards the packets. What did I do wrong? I have tried this with the firewall both on and off and the result is the same. Below is a snippet of the log file with the error, followed by my configuration for the recursor and pdns itself. The host is a PowerPC computer running ubuntu 14.04 LTS. > > /var/log/syslog > > Jan 26 16:45:55 host pdns_recursor[29993]: 0 question answered from packet cache from 127.0.0.1 > Jan 26 16:45:55 host pdns[26791]: Discarding untracked packet from recursor backend with id 49601. Conntrack table size=1 > Jan 26 16:46:00 host pdns_recursor[29993]: 1 [42] question for ‘google.com.|A' from 127.0.0.1 > Jan 26 16:46:01 host pdns[26791]: Discarding untracked packet from recursor backend with id 49345. 
Conntrack table size=2 > Jan 26 16:46:01 host pdns_recursor[29993]: 1 [42] answer to question ‘google.com.|A': 1 answers, 0 additional, took 2 packets, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0 > Jan 26 16:46:05 host pdns_recursor[29993]: 0 question answered from packet cache from 127.0.0.1 > Jan 26 16:46:05 host pdns[26791]: Discarding untracked packet from recursor backend with id 50113. Conntrack table size=3 Here is a final update with success. I removed recursor=127.0.0.1 from pdns.local.conf. I will also note that, my original problem was not so much a problem caused by a bug or some other such issue but more precisely, it was a configuration error. I theorize that the error I was seeing in my logs was not so much an error but an indication of the configuration error. In short, I had misconfigured the auth server to allow recursion. As such, when a non-authorized query came in, auth server passed it on to the recursor like it was configured to do and the recursor would respond correctly but the auth server then would drop the packets instead of routing them back to the source of the query. If anyone else has theories or additional input, please feel free to post a message to the list. As I mentioned, I’d mark this as solved and not as a bug in the pdns auth server code (big endian vs. little endian) but instead a user configuration error. Thank you everyone for your assistance on this "problem". -- From mloftis at wgops.com Fri Feb 20 03:00:51 2015 From: mloftis at wgops.com (Michael Loftis) Date: Thu, 19 Feb 2015 19:00:51 -0800 Subject: [Pdns-users] Why was content length increased? In-Reply-To: <79974B73-5BB5-4039-BD3C-D54F8F67402C@nicholaswilliams.net> References: <79974B73-5BB5-4039-BD3C-D54F8F67402C@nicholaswilliams.net> Message-ID: DNSSEC and DKIM. On Thursday, February 19, 2015, Nick Williams wrote: > I'm upgrading to authoritative 3.4 and noticed that the records.content > column has been increased from 255 characters to 64000 characters. 
Because > my table is UTF-8, I get the following error: > > mysql> ALTER TABLE records MODIFY content VARCHAR(64000); > ERROR 1074 (42000): Column length too big for column 'content' (max = > 21845); use BLOB or TEXT instead > > I know I can use latin1, but I tend to avoid any non-Unicode character > sets completely, and would prefer to stick with UTF-8. Given that: > > - What changed that required the increase from 255 to 64,000 characters? > - Is there any reason that I couldn't just use VARCHAR(21845)? > - Are there any performance implications to using TEXT instead of > VARCHAR(64000)? > > Thanks, > > Nick > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users > -- "Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds." -- Samuel Butler -------------- next part -------------- An HTML attachment was scrubbed... URL: From bert.hubert at powerdns.com Fri Feb 20 11:53:41 2015 From: bert.hubert at powerdns.com (bert hubert) Date: Fri, 20 Feb 2015 12:53:41 +0100 Subject: [Pdns-users] LUA iputils netmaskgroup match In-Reply-To: <83978FC5-E77B-41A4-AD94-141D63ECDCBF@peen.ch> References: <83978FC5-E77B-41A4-AD94-141D63ECDCBF@peen.ch> Message-ID: <20150220115341.GA5829@xs.powerdns.com> On Thu, Feb 19, 2015 at 05:40:47PM +0100, Niels Peen wrote: > Hello, > > I’m using a netmaskgroup to see if a given IP matches: > > if nmg:match(ca) then .. > > This works very well but I would like to know which specific netmask matched. E.g. by having :match (also) return the matching netmask rather than (just) returning true. > > Am I correct that this is currently not possible? If so, could this be considered for a future release? Hi Niels, This is currently not possible, but it sounds like a great idea. 
It may be good to know that the netmaskgroup currently just tries all netmasks to see if one fits; you could easily emulate this in Lua itself, and it would not be slower. And then you would know which address matched.

Could you open a ticket requesting this feature on github? Please put a note in there that we find it a fine idea.

Bert

From bert.hubert at powerdns.com Fri Feb 20 12:03:43 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Fri, 20 Feb 2015 13:03:43 +0100
Subject: [Pdns-users] Any status on DNSSEC in Recursor?
In-Reply-To: <9AA3A9C2-9CE8-4B33-B727-A547A6D03A6C@bway.net>
References: <9AA3A9C2-9CE8-4B33-B727-A547A6D03A6C@bway.net>
Message-ID: <20150220120342.GB5829@xs.powerdns.com>

Hi Charles,

The status is that it is happening, and it should soon become more visible.

The start of this is described in our post from this morning:
http://mailman.powerdns.com/pipermail/pdns-dev/2015-February/001481.html

Please join us in testing 4.x as it will be appearing!

Bert

On Sun, Feb 15, 2015 at 11:19:24PM -0500, Charles Sprickman wrote:
> While asking Google, the same, I hit this old blog post:
>
> http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/
>
> Any new timeline on when this might happen? Does the plan to implement it still look the same?
>
> Thanks,
>
> Charles
>
> --
> Charles Sprickman
> NetEng/SysAdmin
> Bway.net - New York's Best Internet www.bway.net
> spork at bway.net - 212.655.9344

From margus.kiting at gmail.com Fri Feb 20 12:09:00 2015
From: margus.kiting at gmail.com (Margus Kiting)
Date: Fri, 20 Feb 2015 14:09:00 +0200
Subject: [Pdns-users] Oracle backend and axfr problems.
Message-ID:

Hello.

I am experiencing weird problems in my PowerDNS setup. I'll describe my setup below.
The problem is that our superslave servers are getting network timeouts if they are requesting AXFR. We have some BIND slaves also, and it seems like BIND waits for received information longer before it gets a timeout. I tried configuring more distributor-threads and both caches' TTL to a bit longer, but it does not help at all. All other requests are coming from the master server fast without any delay. The problem arises only on AXFR requests.

Our setup:

Authoritative Master DNS server (hosts about 1000 forward and reverse zones):
PowerDNS 3.3.1 with Oracle backend using dnssec for ALLOW-AXFR-FROM configuration flag.

Super Slave Server:
PowerDNS 3.3.1 with sqlite3 backend is configured as slave, and there is a supermaster configured in the database.

Both master and slave servers are running on the same network segment and there are no restrictions between servers on the network side. Firewalls are also disabled.

Logs from Master DNS server:

AXFR of domain 'transferring zone' allowed: client IP slave.server.ip is in NSset
TCP Connection Thread died because of network error: Writing data: Broken pipe

Logs from Slave DNS server:

Initiating transfer of 'Transferring zone' from remote 'master.name.server.ip'
Unable to AXFR zone 'Transferring zone' from remote 'master.name.server.ip' (resolver): Timeout waiting for answer from master.name.server.ip:53 during AXFR

Thank You in advance!

Margus

From hunterj91 at hotmail.com Fri Feb 20 17:28:53 2015
From: hunterj91 at hotmail.com (Jonathan Hunter)
Date: Fri, 20 Feb 2015 17:28:53 +0000
Subject: [Pdns-users] Multiple Entries in the Content field of NAPTR records.
Message-ID:

Hi All,

Is it possible when implementing NAPTR records in the records table to add multiple entries within the content field of a record?

I'm just trying to reduce the number of entries in the database, so wondered if I could have more than one content entry, and if so how do you split them up?
So for example I have:

select * from records;
+----+-----------+---------------------------+-------+----------------------------------------------------------+-----+------+-------------+
| id | domain_id | name                      | type  | content                                                  | ttl | prio | change_date |
+----+-----------+---------------------------+-------+----------------------------------------------------------+-----+------+-------------+
| 27 |         1 | *.0.3.7.7.4.4.e164.sip.mn | NAPTR | 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.46!". | 120 | NULL | NULL        |
| 26 |         1 | *.0.3.7.7.4.4.e164.sip.mn | NAPTR | 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.50!". | 120 | NULL | NULL        |
+----+-----------+---------------------------+-------+----------------------------------------------------------+-----+------+-------------+

Can I add both 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.46!". and 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.50!". into the content of id 27 without breaking a query?

Many thanks

Jon

From spork at bway.net Fri Feb 20 19:08:20 2015
From: spork at bway.net (Charles Sprickman)
Date: Fri, 20 Feb 2015 14:08:20 -0500
Subject: [Pdns-users] Any status on DNSSEC in Recursor?
In-Reply-To: <20150220120342.GB5829@xs.powerdns.com>
References: <9AA3A9C2-9CE8-4B33-B727-A547A6D03A6C@bway.net> <20150220120342.GB5829@xs.powerdns.com>
Message-ID: <22E5E7F8-5358-4DBF-8EAE-A9497506EC9E@bway.net>

On Feb 20, 2015, at 7:03 AM, bert hubert wrote:
> Hi Charles,
>
> The status is that it is happening, and it should soon become more visible.
>
> The start of this is described in our post from this morning:
> http://mailman.powerdns.com/pipermail/pdns-dev/2015-February/001481.html
>
> Please join us in testing 4.x as it will be appearing!

Sounds good. I’m itching to tell our users they’re a bit “safer”, and I have about zero interest in learning a third DNS server (unbound).

The old blog post noted that you’d be leveraging another server for the key verification, is that still the case or will everything happen within pdns recursor?
I just did my first DNSSEC setup with BIND, kind of a pain. Now I’ll be toying with my personal box that runs PDNS and then an actual production setup. From what I’m reading, it seems almost too simple to set up. :)

Charles

> Bert
>
> On Sun, Feb 15, 2015 at 11:19:24PM -0500, Charles Sprickman wrote:
>> While asking Google, the same, I hit this old blog post:
>>
>> http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/
>>
>> Any new timeline on when this might happen? Does the plan to implement it still look the same?
>>
>> Thanks,
>>
>> Charles
>>
>> --
>> Charles Sprickman
>> NetEng/SysAdmin
>> Bway.net - New York's Best Internet www.bway.net
>> spork at bway.net - 212.655.9344

From hongyi.zhao at gmail.com Mon Feb 23 05:09:13 2015
From: hongyi.zhao at gmail.com (Hongyi Zhao)
Date: Mon, 23 Feb 2015 13:09:13 +0800
Subject: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
Message-ID:

Hi all,

From the manual of PowerDNS Recursor, I learned the following settings can be used in its config file:

forward-zones Comma separated list of ’zonename=IP’ pairs. Queries for zones listed here will be forwarded to the IP address listed. Since version 3.1.5, multiple IP addresses can be specified. Additionally, port numbers other than 53 can be configured.
Sample syntax: forward-zones=example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;198.51.100.10:530

I just want to know the mechanism when we use multiple IPs to query a zone. I mean, is this process sequential or parallel? When using multiple IPs for resolving a specific domain name, which answer given by the forwarders should be picked up by PowerDNS Recursor and then returned to the user's client program?

Any hints on this issue will be highly appreciated.
Regards
--
Hongyi Zhao
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences
GnuPG DSA: 0xD108493

From peter.van.dijk at powerdns.com Mon Feb 23 10:26:01 2015
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Mon, 23 Feb 2015 11:26:01 +0100
Subject: [Pdns-users] Multiple Entries in the Content field of NAPTR records.
In-Reply-To:
References:
Message-ID: <6FA5BE73-D765-44AC-A7D7-C0CAAB80EB52@powerdns.com>

Hello Jonathan,

On 20 Feb 2015, at 18:28 , Jonathan Hunter wrote:
> Is it possible when implementing NAPTR records in the records table to add multiple entries within the content field of a record?
>
> I'm just trying to reduce the number of entries in the database, so wondered if I could have more than one content entry, and if so how do you split them up?
>
> So for example I have:
>
> select * from records;
> +----+-----------+---------------------------+-------+----------------------------------------------------------+-----+------+-------------+
> | id | domain_id | name                      | type  | content                                                  | ttl | prio | change_date |
> +----+-----------+---------------------------+-------+----------------------------------------------------------+-----+------+-------------+
> | 27 |         1 | *.0.3.7.7.4.4.e164.sip.mn | NAPTR | 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.46!". | 120 | NULL | NULL        |
> | 26 |         1 | *.0.3.7.7.4.4.e164.sip.mn | NAPTR | 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.50!". | 120 | NULL | NULL        |
>
> Can I add both 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.46!". and 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.50!". into the content of id 27 without breaking a query?

No, this will not work. One database row is one DNS record, there are no exceptions to this.

What problem are you trying to solve by combining the records?
Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From peter.van.dijk at powerdns.com Mon Feb 23 10:27:37 2015
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Mon, 23 Feb 2015 11:27:37 +0100
Subject: [Pdns-users] Any status on DNSSEC in Recursor?
In-Reply-To: <22E5E7F8-5358-4DBF-8EAE-A9497506EC9E@bway.net>
References: <9AA3A9C2-9CE8-4B33-B727-A547A6D03A6C@bway.net> <20150220120342.GB5829@xs.powerdns.com> <22E5E7F8-5358-4DBF-8EAE-A9497506EC9E@bway.net>
Message-ID: <9D04E920-7A7D-4BE7-8824-C7B4E1E2DA49@powerdns.com>

Hello Charles,

On 20 Feb 2015, at 20:08 , Charles Sprickman wrote:
> Sounds good. I’m itching to tell our users they’re a bit “safer”, and I have about zero interest in learning a third DNS server (unbound).
>
> The old blog post noted that you’d be leveraging another server for the key verification, is that still the case or will everything happen within pdns recursor?

For various reasons, yes, it makes sense to do validation in another server/daemon/process. However, you should still expect something that’s as simple as ‘verify-dnssec=yes’ in recursor.conf. We hope :)

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From peter.van.dijk at powerdns.com Mon Feb 23 10:28:44 2015
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Mon, 23 Feb 2015 11:28:44 +0100
Subject: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
In-Reply-To:
References:
Message-ID: <64FC190F-56B3-4872-9E3C-939EA961F6D9@powerdns.com>

Hello,

On 23 Feb 2015, at 6:09 , Hongyi Zhao wrote:
> forward-zones Comma separated list of ’zonename=IP’ pairs. Queries for zones listed here will be forwarded to the IP address listed. Since version 3.1.5, multiple IP addresses can be specified. Additionally, port numbers other than 53 can be configured.
> Sample syntax: forward-zones=example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;198.51.100.10:530
>
> I just want to know the mechanism when we use multiple IPs to query a zone. I mean, is this process sequential or parallel? When using multiple IPs for resolving a specific domain name, which answer given by the forwarders should be picked up by PowerDNS Recursor and then returned to the user's client program?

It’s best to assume the process is random. For any given query, the resulting data can come from any of the IPs, and there is no guarantee from which one. So, in general, make sure your backend IPs agree on the data!

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From hongyi.zhao at gmail.com Mon Feb 23 10:49:50 2015
From: hongyi.zhao at gmail.com (Hongyi Zhao)
Date: Mon, 23 Feb 2015 18:49:50 +0800
Subject: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
In-Reply-To: <64FC190F-56B3-4872-9E3C-939EA961F6D9@powerdns.com>
References: <64FC190F-56B3-4872-9E3C-939EA961F6D9@powerdns.com>
Message-ID:

Why not let the process run in parallel and then pick out the one which is returned first to the client?

Regards

2015-02-23 18:28 GMT+08:00 Peter van Dijk :
> Hello,
>
> On 23 Feb 2015, at 6:09 , Hongyi Zhao wrote:
>
> > forward-zones Comma separated list of ’zonename=IP’ pairs. Queries for zones listed here will be forwarded to the IP address listed. Since version 3.1.5, multiple IP addresses can be specified. Additionally, port numbers other than 53 can be configured.
> > Sample syntax: forward-zones=example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;198.51.100.10:530
> >
> > I just want to know the mechanism when we use multiple IPs to query a zone. I mean, is this process sequential or parallel?
> > When using multiple IPs for resolving a specific domain name, which answer given by the forwarders should be picked up by PowerDNS Recursor and then returned to the user's client program?
>
> It’s best to assume the process is random. For any given query, the resulting data can come from any of the IPs, and there is no guarantee from which one. So, in general, make sure your backend IPs agree on the data!
>
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

--
Hongyi Zhao
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences
GnuPG DSA: 0xD108493

From hongyi.zhao at gmail.com Mon Feb 23 11:16:14 2015
From: hongyi.zhao at gmail.com (Hongyi Zhao)
Date: Mon, 23 Feb 2015 19:16:14 +0800
Subject: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
In-Reply-To:
References: <64FC190F-56B3-4872-9E3C-939EA961F6D9@powerdns.com>
Message-ID:

Considering that the backend/forwarder IPs are always NOT owned by the authoritative servers of the querier, it will be difficult to ensure all of them are online all the time. So, if we can let the process run in parallel and then pick out the one which is returned first to the client, at least the query efficiency will be raised to some extent, IMO.

Regards

2015-02-23 18:49 GMT+08:00 Hongyi Zhao :
> Why not let the process run in parallel and then pick out the one which is returned first to the client?
>
> Regards
>
> 2015-02-23 18:28 GMT+08:00 Peter van Dijk :
>
>> Hello,
>>
>> On 23 Feb 2015, at 6:09 , Hongyi Zhao wrote:
>>
>> > forward-zones Comma separated list of ’zonename=IP’ pairs. Queries for zones listed here will be forwarded to the IP address listed.
>> > Since version 3.1.5, multiple IP addresses can be specified. Additionally, port numbers other than 53 can be configured.
>> > Sample syntax: forward-zones=example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;198.51.100.10:530
>> >
>> > I just want to know the mechanism when we use multiple IPs to query a zone. I mean, is this process sequential or parallel? When using multiple IPs for resolving a specific domain name, which answer given by the forwarders should be picked up by PowerDNS Recursor and then returned to the user's client program?
>>
>> It’s best to assume the process is random. For any given query, the resulting data can come from any of the IPs, and there is no guarantee from which one. So, in general, make sure your backend IPs agree on the data!
>>
>> Kind regards,
>> --
>> Peter van Dijk
>> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
>
> --
> Hongyi Zhao
> Xinjiang Technical Institute of Physics and Chemistry
> Chinese Academy of Sciences
> GnuPG DSA: 0xD108493

--
Hongyi Zhao
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences
GnuPG DSA: 0xD108493

From peter.van.dijk at powerdns.com Mon Feb 23 11:20:58 2015
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Mon, 23 Feb 2015 12:20:58 +0100
Subject: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
In-Reply-To:
References: <64FC190F-56B3-4872-9E3C-939EA961F6D9@powerdns.com>
Message-ID: <856ED1CE-E97E-44B7-B61A-83AF5A8F5ED3@powerdns.com>

Hello,

On 23 Feb 2015, at 11:49 , Hongyi Zhao wrote:
> Why not let the process run in parallel and then pick out the one which is returned first to the client?
In general (without forward-rules), we do something better - we try the servers and remember which one was faster. That way you get the performance benefits without unnecessarily overloading the other servers. I’m not entirely sure we do this for forward rules.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From hongyi.zhao at gmail.com Mon Feb 23 12:05:19 2015
From: hongyi.zhao at gmail.com (Hongyi Zhao)
Date: Mon, 23 Feb 2015 20:05:19 +0800
Subject: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
In-Reply-To: <856ED1CE-E97E-44B7-B61A-83AF5A8F5ED3@powerdns.com>
References: <64FC190F-56B3-4872-9E3C-939EA961F6D9@powerdns.com> <856ED1CE-E97E-44B7-B61A-83AF5A8F5ED3@powerdns.com>
Message-ID:

Which forward-rules do you mean by saying "without forward-rules"? Can these forward rules all be set or controlled using the config file of pdns_recursor? Why can't these rules be treated in combination with the inner optimizing algorithms for determining the maybe-best servers?

Regards

2015-02-23 19:20 GMT+08:00 Peter van Dijk :
> Hello,
>
> On 23 Feb 2015, at 11:49 , Hongyi Zhao wrote:
>
> > Why not let the process run in parallel and then pick out the one which is returned first to the client?
>
> In general (without forward-rules), we do something better - we try the servers and remember which one was faster. That way you get the performance benefits without unnecessarily overloading the other servers. I’m not entirely sure we do this for forward rules.
>
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

--
Hongyi Zhao
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences
GnuPG DSA: 0xD108493

From bert.hubert at powerdns.com Mon Feb 23 14:58:14 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Mon, 23 Feb 2015 15:58:14 +0100
Subject: [Pdns-users] PowerDNS development plans: 4.x DNSSEC, C++ 2011!
Message-ID: <20150223145813.GA15931@xs.powerdns.com>

In this post, we’d like to share our current plans for .. PowerDNS 4.x! We shared this first with the PowerDNS-development community, and after we gathered feedback, we’re now announcing it more broadly.

The tl;dr: For the next few months we will be spring cleaning git master, and stable code and releases can be found in the auth-3.4 and rec-3.7 branches. We'll also be moving to C++ 2011. Please read on for the whole story.

First some background. PowerDNS is a 15 year old software project, and over these 1.5 decades, we have built up some ‘technical debt’ (http://en.wikipedia.org/wiki/Technical_debt), and it is time for a spring cleaning in our code.

Meanwhile, we are broadening what our code does, to include for example smart, DNS-native, load balancing and further denial of service mitigation. And of course, the major work of bringing carrier-grade DNSSEC to the recursor.

Finally, we’ve fallen in love with C++ 2011, and we would like to start taking advantage of this now 4 year old revision of C++.

All this means some important changes.
For one, where it used to be the case that our git ‘master’ was usually fit to run in production (and people actually did this), for the coming few months please consider our master branch a ‘heavy development zone’. While we’ll try to keep things working, it might break for hours or even days at a time. Even though there will be somewhat of a wild-west aspect to development, major changes will be implemented as pull requests from separate branches that can be studied by the community.

Meanwhile, PowerDNS 3.x development and maintenance will continue on separate release branches. The latest 3.x releases will remain actively supported until 4.x is more powerful, more stable, and can be compiled on Debian Stable (more about this later). Active support means more than passive maintenance: if there are pressing things that need to happen, they will happen. But the focus for new things will shift to 4.x.

(as an example, we are currently gathering the patches for auth-3.4.3, see https://twitter.com/powerdns/status/569872447757025280 )

Things we will be addressing during our spring cleaning include:

* We treat DNS names as ASCII strings, which we escape and unescape repeatedly. DNS names are not ascii strings, and we keep finding issues related to us treating them like strings.

* The PowerDNS Authoritative Server distributes queries to multiple backends inefficiently

* The PowerDNS Recursor cache is both slower and less memory efficient than it could be

* DNSSEC in the PowerDNS Recursor

* Move our own atomic, locking and semaphore infrastructure to C++ 2011 native

* The Lua APIs use an ascii based interface for domain names and IP addresses, and this could be faster

One thing we are probably not going to do is change the database format, by the way.

The somewhat bad news about the spring cleaning is that we’ll come out of it as a C++ 2011 project, which means that to compile PowerDNS, you’ll need GCC 4.8 (released in March 2013).
Gcc 4.8 is not currently the default in Debian stable or RHEL/CentOS 6, but it is available. It is the default in RHEL7 and in what will become the next Debian stable. It also ships in Ubuntu 14. We will also be targeting clang 3.5. We have chosen C++ 2011 for a variety of reasons, many of which are described in an earlier blogpost (http://bert-hubert.blogspot.nl/2015/01/on-c2011-quality-of-implementation.html).

NOTE: PowerDNS 4.x products WILL run on older distribution releases of course! However, on older distros, compiling with the system default compiler may not work.

To clarify, the 4.x branch will not fundamentally alter PowerDNS. This should not be compared to BIND 9 to BIND 10, for example (or even 8 to 9). Fundamentally we think the PowerDNS design is sound, it just needs a decent spring cleaning. This will come in especially handy when deploying our DNSSEC validation.

So how long will it take until 4.x is production ready? We’ll let you know once we get there, but we are hoping to finish the cleanup in several months, after which we expect further work to iron out remaining issues. In any case, 3.x will remain supported until gcc 4.8 is widely available on currently shipping distributions.

Thanks, and please again let us know your thoughts about this proposed plan. Although this is what we intend to do, we can change our mind if there are good reasons to do so!

PowerDNS

From nicholas at nicholaswilliams.net Mon Feb 23 16:52:14 2015
From: nicholas at nicholaswilliams.net (Nicholas Williams)
Date: Mon, 23 Feb 2015 10:52:14 -0600
Subject: [Pdns-users] PowerDNS development plans: 4.x DNSSEC, C++ 2011!
In-Reply-To: <20150223145813.GA15931@xs.powerdns.com>
References: <20150223145813.GA15931@xs.powerdns.com>
Message-ID:

This is exciting news, Bert! Some follow-up questions/comments:

- Will 3.x development end on the 3.4 track, or is there still a plan for 3.5? If 3.4 is it, what's the plan for features (such as ALIAS) that were scheduled for 3.5?
Are they delayed to 4.0 (if so, sad face)?

- Currently, PowerDNS Authoritative and PowerDNS Recursor share a repository (https://github.com/PowerDNS/pdns). This can make things especially confusing, since there are recursor development branches, authoritative development branches, recursor version branches, authoritative version branches, recursor release tags, and authoritative release tags all within the same repository. During all this work being done on master, can the opportunity be taken to move shared code into X repository and then have a repo for Recursor and a separate repo for Authoritative? It seems like it would be a much cleaner arrangement.

Good luck in this new challenge!

Nick

On Mon, Feb 23, 2015 at 8:58 AM, bert hubert wrote:
> In this post, we’d like to share our current plans for .. PowerDNS 4.x! We shared this first with the PowerDNS-development community, and after we gathered feedback, we’re now announcing it more broadly.
>
> The tl;dr: For the next few months we will be spring cleaning git master, and stable code and releases can be found in the auth-3.4 and rec-3.7 branches. We'll also be moving to C++ 2011. Please read on for the whole story.
>
> First some background. PowerDNS is a 15 year old software project, and over these 1.5 decades, we have built up some ‘technical debt’ (http://en.wikipedia.org/wiki/Technical_debt), and it is time for a spring cleaning in our code.
>
> Meanwhile, we are broadening what our code does, to include for example smart, DNS-native, load balancing and further denial of service mitigation. And of course, the major work of bringing carrier-grade DNSSEC to the recursor.
>
> Finally, we’ve fallen in love with C++ 2011, and we would like to start taking advantage of this now 4 year old revision of C++.
>
> All this means some important changes.
> For one, where it used to be the case that our git ‘master’ was usually fit to run in production (and people actually did this), for the coming few months please consider our master branch a ‘heavy development zone’. While we’ll try to keep things working, it might break for hours or even days at a time. Even though there will be somewhat of a wild-west aspect to development, major changes will be implemented as pull requests from separate branches that can be studied by the community.
>
> Meanwhile, PowerDNS 3.x development and maintenance will continue on separate release branches. The latest 3.x releases will remain actively supported until 4.x is more powerful, more stable, and can be compiled on Debian Stable (more about this later). Active support means more than passive maintenance, if there are pressing things that need to happen, they will happen. But the focus for new things will shift to 4.x.
>
> (as an example, we are currently gathering the patches for auth-3.4.3, see https://twitter.com/powerdns/status/569872447757025280 )
>
> Things we will be addressing during our spring cleaning include:
>
> * We treat DNS names as ASCII strings, which we escape and unescape repeatedly. DNS names are not ascii strings, and we keep finding issues related to us treating them like strings.
>
> * The PowerDNS Authoritative Server distributes queries to multiple backends inefficiently
>
> * The PowerDNS Recursor cache is both slower and less memory efficient than it could be
>
> * DNSSEC in the PowerDNS Recursor
>
> * Move our own atomic, locking and semaphore infrastructure to C++ 2011 native
>
> * The Lua APIs use an ascii based interface for domain names and IP addresses, and this could be faster
>
> One thing we are probably not going to do is change the database format, by the way.
>
> The somewhat bad news about the spring cleaning is that we’ll come out of it as a C++ 2011 project, which means that to compile PowerDNS, you’ll need GCC 4.8 (released in March 2013). Gcc 4.8 is not currently the default in Debian stable or RHEL/CentOS 6, but it is available.
>
> It is the default in RHEL7 and in what will become the next Debian stable. It also ships in Ubuntu 14. We will also be targeting clang 3.5. We have chosen C++ 2011 for a variety of reasons, many of which are described in an earlier blogpost (http://bert-hubert.blogspot.nl/2015/01/on-c2011-quality-of-implementation.html).
>
> NOTE: PowerDNS 4.x products WILL run on older distribution releases of course! However, on older distros, compiling with the system default compiler may not work.
>
> To clarify, the 4.x branch will not fundamentally alter PowerDNS. This should not be compared to BIND 9 to BIND 10, for example (or even 8 to 9). Fundamentally we think the PowerDNS design is sound, it just needs a decent spring cleaning. This will come in especially handy when deploying our DNSSEC validation.
>
> So how long will it take until 4.x is production ready? We’ll let you know once we get there, but we are hoping to finish the cleanup in several months, after which we expect further work to iron out remaining issues. In any case, 3.x will remain supported until gcc 4.8 is widely available on currently shipping distributions.
>
> Thanks, and please again let us know your thoughts about this proposed plan. Although this is what we intend to do, we can be change our mind if there are good reasons to do so!
>
> PowerDNS
From michael at stroeder.com Mon Feb 23 17:50:16 2015
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 23 Feb 2015 18:50:16 +0100
Subject: [Pdns-users] DNS names and strings (was: PowerDNS development plans: 4.x DNSSEC, C++ 2011!)
In-Reply-To: <20150223145813.GA15931@xs.powerdns.com>
References: <20150223145813.GA15931@xs.powerdns.com>
Message-ID: <54EB6858.703@stroeder.com>

bert hubert wrote:
> In this post, we’d like to share our current plans for .. PowerDNS 4.x!

Glad to read all your plans.

> * We treat DNS names as ASCII strings, which we escape and unescape repeatedly. DNS names are not ascii strings, and we keep finding issues related to us treating them like strings.

Unfortunately the term string is used in many different ways. Could you please elaborate on what that means exactly? E.g. will this affect the way NON-ASCII DNS names are stored in backend files?

Ciao, Michael.

From nicholas at nicholaswilliams.net Mon Feb 23 18:44:54 2015
From: nicholas at nicholaswilliams.net (Nicholas Williams)
Date: Mon, 23 Feb 2015 12:44:54 -0600
Subject: [Pdns-users] DNS names and strings (was: PowerDNS development plans: 4.x DNSSEC, C++ 2011!)
In-Reply-To: <54EB6858.703@stroeder.com>
References: <20150223145813.GA15931@xs.powerdns.com> <54EB6858.703@stroeder.com>
Message-ID:

I'm also very interested in finding out more about the change around ASCII names.

N

On Mon, Feb 23, 2015 at 11:50 AM, Michael Ströder wrote:
> bert hubert wrote:
> > In this post, we’d like to share our current plans for .. PowerDNS 4.x!
>
> Glad to read all your plans.
>
> > * We treat DNS names as ASCII strings, which we escape and unescape repeatedly. DNS names are not ascii strings, and we keep finding issues related to us treating them like strings.
> > Unfortunately the term string is used in many different ways. > Could you please elaborate on what that means exactly? > E.g. will this affect the way NON-ASCII DNS names are stored in backend > files? > > Ciao, Michael. > > > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nicholas at nicholaswilliams.net Mon Feb 23 18:48:49 2015 From: nicholas at nicholaswilliams.net (Nicholas Williams) Date: Mon, 23 Feb 2015 12:48:49 -0600 Subject: [Pdns-users] Reply-To Change? Message-ID: PowerDNS's users list (and possibly the other lists—I'm not on those) is the only list I use (and I'm on a LOT of dev/user mailing lists) where hitting "reply" replies to the person who sent the email. Every other list I'm on, messages are modified by the list software to include a Reply-To header containing the list's address so that hitting reply _only_ puts the list's address in the recipient field and hitting "Reply All" isn't necessary. This frequently trips me up a lot, and I end up replying directly to people and not sending to the list. I don't see any good reason for not having a list reply-to. Also, IIRC, the list software PowerDNS is using supports having a list reply-to. Can we get this change implemented? Nick -------------- next part -------------- An HTML attachment was scrubbed... URL: From bert.hubert at powerdns.com Mon Feb 23 18:49:35 2015 From: bert.hubert at powerdns.com (bert hubert) Date: Mon, 23 Feb 2015 19:49:35 +0100 Subject: [Pdns-users] DNS names and strings (was: PowerDNS development plans: 4.x DNSSEC, C++ 2011!) 
In-Reply-To: References: <20150223145813.GA15931@xs.powerdns.com> <54EB6858.703@stroeder.com> Message-ID: <20150223184935.GA19557@xs.powerdns.com> On Mon, Feb 23, 2015 at 12:44:54PM -0600, Nicholas Williams wrote: > I'm also very interested in finding out more about the change around ASCII > names. I can recommend our ever growing set of test cases: https://github.com/ahupowerdns/pdns/blob/dnsname/pdns/test-dnsname_cc.cc DNS, surprisingly, is 8-bit clean. You can put any stream of octets in DNS (up to a certain length). However, this is not how we print it. http://www.ietf.org/rfc/rfc4343.txt has some words on this. > > Unfortunately the term string is used in many different ways. > > Could you please elaborate on what that means exactly? > > E.g. will this affect the way NON-ASCII DNS names are stored in backend > > files? No, it is not intended to make any changes, except for where we got it wrong. We internally have loads of places where we convert to and from (un)escaped versions, add dots, remove dots etc. We get it wrong in some places now. Bert From bert.hubert at powerdns.com Mon Feb 23 18:54:29 2015 From: bert.hubert at powerdns.com (bert hubert) Date: Mon, 23 Feb 2015 19:54:29 +0100 Subject: [Pdns-users] Reply-To Change? In-Reply-To: References: Message-ID: <20150223185429.GB19557@xs.powerdns.com> On Mon, Feb 23, 2015 at 12:48:49PM -0600, Nicholas Williams wrote: > This frequently trips me up a lot, and I end up replying directly to people > and not sending to the list. I don't see any good reason for not having a > list reply-to. Also, IIRC, the list software PowerDNS is using supports > having a list reply-to. Oddly enough, the lists we are on do it 'our' way. We'd rather have it err to your reply being more private than you intended than being more public than you intended. > Can we get this change implemented? Probably not - this has been the setting for 15 years, we've not heard more complaints. Sorry! 
Bert From sksumit1 at gmail.com Tue Feb 24 09:29:19 2015 From: sksumit1 at gmail.com (sumit sharma) Date: Tue, 24 Feb 2015 14:59:19 +0530 Subject: [Pdns-users] SOA record is coming in answer section Message-ID: Hi All, I am currently using the pipe backend to serve powerdns responses. I am trying to make powerdns an all-authoritative server. dig query -> dig ANY subdomain.mydomain.com I am sending the following response to powerdns 1. pdns requests for SOA record 2. I send back subdomain.mydomain.com. 0 IN SOA ahu.mydomain.com. ns1.mydomain.com. 2008080300 1800 3600 604800 3600 3. pdns requests for ANY record 4. I send back A & TXT records. I see the SOA record coming in ANSWER SECTION of dig query response. I want to make it come to AUTHORITY SECTION. What can I do to make it happen? Thanks, Sumit -------------- next part -------------- An HTML attachment was scrubbed... URL: From cmouse at youzen.ext.b2.fi Tue Feb 24 09:50:47 2015 From: cmouse at youzen.ext.b2.fi (Aki Tuomi) Date: Tue, 24 Feb 2015 11:50:47 +0200 Subject: [Pdns-users] SOA record is coming in answer section In-Reply-To: References: Message-ID: <20150224095047.GA27951@pi.ip.fi> On Tue, Feb 24, 2015 at 02:59:19PM +0530, sumit sharma wrote: > Hi All, > > I am currently using the pipe backend to serve powerdns responses. > I am trying to make powerdns an all-authoritative server. > > dig query -> dig ANY subdomain.mydomain.com > > I am sending the following response to powerdns > 1. pdns requests for SOA record > 2. I send back > subdomain.mydomain.com. 0 IN SOA ahu.mydomain.com. ns1.mydomain.com. > 2008080300 1800 3600 604800 3600 > 3. pdns requests for ANY record > 4. I send back A & TXT records. > > I see the SOA record coming in ANSWER SECTION of dig query response. > I want to make it come to AUTHORITY SECTION. > > What can I do to make it happen? > > Thanks, > Sumit Why exactly do you want it in AUTHORITY SECTION? 
Aki > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users From sksumit1 at gmail.com Tue Feb 24 10:51:28 2015 From: sksumit1 at gmail.com (sumit sharma) Date: Tue, 24 Feb 2015 16:21:28 +0530 Subject: [Pdns-users] SOA record is coming in answer section In-Reply-To: <20150224095047.GA27951@pi.ip.fi> References: <20150224095047.GA27951@pi.ip.fi> Message-ID: Hi Aki, I want the SOA record that I am sending from the backend to come in the AUTHORITY section of dig response. Sometimes SOA record comes in AUTHORITY SECTION. But mostly it comes in ANSWER SECTION. I want the response to be consistent. A and TXT records always come as expected in ANSWER SECTION. Hence from dig, sometimes I get 1 authority & 2 answers but mostly I get 0 authority and 3 answers. Regards, Sumit On Tue, Feb 24, 2015 at 3:20 PM, Aki Tuomi wrote: > On Tue, Feb 24, 2015 at 02:59:19PM +0530, sumit sharma wrote: > > Hi All, > > > > I am currently using the pipe backend to server powerdns response. > > I am trying to make powerdns as all authoritative server. > > > > dig query -> dig ANY subdomain.mydomain.com > > > > I am sending the following response to powerdns > > 1. pdns requests for SOA record > > 2. I send back > > subdomain.mydomain.com. 0 IN SOA ahu.mydomain.com. ns1.mydomain.com > . > > 2008080300 1800 3600 604800 3600 > > 3. pdns requests for ANY record > > 4. I send back A & TXT records. > > > > I see the SOA record coming in ANSWER SECTION of dig query response. > > I want to make it come to AUTHORITY SECTION. > > > > What can i do to make it happen? > > > > Thanks, > > Sumit > > Why exactly do you want it in AUTHORITY SECTION? 
> > Aki > > > _______________________________________________ > > Pdns-users mailing list > > Pdns-users at mailman.powerdns.com > > http://mailman.powerdns.com/mailman/listinfo/pdns-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From cmouse at youzen.ext.b2.fi Tue Feb 24 13:06:16 2015 From: cmouse at youzen.ext.b2.fi (Aki Tuomi) Date: Tue, 24 Feb 2015 15:06:16 +0200 Subject: [Pdns-users] SOA record is coming in answer section In-Reply-To: References: <20150224095047.GA27951@pi.ip.fi> Message-ID: <20150224130616.GA30170@pi.ip.fi> But there is a reason why it's sometimes in either one, there is no sense in trying to fix this for consistency. SOA record goes in ANSWER section, when you ask for SOA record (or ANY). SOA record goes in AUTHORITY section, when a record is not found in the zone. Aki On Tue, Feb 24, 2015 at 04:21:28PM +0530, sumit sharma wrote: > Hi Aki, > > I want the SOA record that i am sending from the backend to come in the > AUTHORITY section of dig response. > Sometimes SOA record comes in AUTHORITY SECTION. But mostly it comes in > ANSWER SECTION. I want the response to be consistent. A and TXT records > always comes as expected in ANSWER SECTION. > Hence from dig, sometimes i get 1 authority & 2 answers but mostly i get 0 > authority and 3 answers > > Regards, > Sumit > > On Tue, Feb 24, 2015 at 3:20 PM, Aki Tuomi wrote: > > > On Tue, Feb 24, 2015 at 02:59:19PM +0530, sumit sharma wrote: > > > Hi All, > > > > > > I am currently using the pipe backend to server powerdns response. > > > I am trying to make powerdns as all authoritative server. > > > > > > dig query -> dig ANY subdomain.mydomain.com > > > > > > I am sending the following response to powerdns > > > 1. pdns requests for SOA record > > > 2. I send back > > > subdomain.mydomain.com. 0 IN SOA ahu.mydomain.com. ns1.mydomain.com > > . > > > 2008080300 1800 3600 604800 3600 > > > 3. pdns requests for ANY record > > > 4. I send back A & TXT records. 
> > > > > > I see the SOA record coming in ANSWER SECTION of dig query response. > > > I want to make it come to AUTHORITY SECTION. > > > > > > What can i do to make it happen? > > > > > > Thanks, > > > Sumit > > > > Why exactly do you want it in AUTHORITY SECTION? > > > > Aki > > > > > _______________________________________________ > > > Pdns-users mailing list > > > Pdns-users at mailman.powerdns.com > > > http://mailman.powerdns.com/mailman/listinfo/pdns-users > > > > From hunterj91 at hotmail.com Tue Feb 24 14:04:46 2015 From: hunterj91 at hotmail.com (Jonathan Hunter) Date: Tue, 24 Feb 2015 14:04:46 +0000 Subject: [Pdns-users] longest-digit match in records name lookup NAPTR Message-ID: Hi Guys, Sorry, last question for a while! Is it possible to disable longest-digit match in the name lookup? I only ask as running queries on the following entries (shown below from records table) using for example a dig to NAPTR 4.3.2.1.5.5.5.4.0.7.1.0.0.e164.sip.mn, the call is always routed to carrier 3, whereas I'd like to be in a position ideally where it would pick up the wildcard with the higher priority (carrier1.com) ideally. Is it an option or not designed due to RFC? Thanks Jon

mysql> select * from records;
+----+-----------+---------------------------------+-------+------------------------------------------------------+-----+------+-------------+----------+-----------+------+
| id | domain_id | name                            | type  | content                                              | ttl | prio | change_date | disabled | ordername | auth |
+----+-----------+---------------------------------+-------+------------------------------------------------------+-----+------+-------------+----------+-----------+------+
|  5 |         1 | *.1.0.0.e164.sip.mn             | NAPTR | 1 1 "U" "E2U+sip" "!^(.*)$!sip:\\1 at carrier1.com!" .  | 120 | NULL | NULL        |        0 | NULL      |    1 |
|  6 |         1 | *.1.0.0.e164.sip.mn             | NAPTR | 3 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at carrier2.com!" . | 120 | NULL | NULL        |        0 | NULL      |    1 |
|  7 |         1 | *.5.5.5.4.0.7.1.0.0.e164.sip.mn | NAPTR | 5 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at carrier3.com!" . | 120 | NULL | NULL        |        0 | NULL      |    1 |
+----+-----------+---------------------------------+-------+------------------------------------------------------+-----+------+-------------+----------+-----------+------+

-------------- next part -------------- An HTML attachment was scrubbed... URL: From peter.van.dijk at powerdns.com Tue Feb 24 14:49:10 2015 From: peter.van.dijk at powerdns.com (Peter van Dijk) Date: Tue, 24 Feb 2015 15:49:10 +0100 Subject: [Pdns-users] longest-digit match in records name lookup NAPTR In-Reply-To: References: Message-ID: <9FE5E28D-EDE2-471E-B832-A6887AF81714@powerdns.com> Hello Jonathan, On 24 Feb 2015, at 15:04 , Jonathan Hunter wrote: > Is it possible to disable longest-digit match in the name lookup? > > I only ask as running queries on the following entries (shown below from records table) using for example a dig to NAPTR 4.3.2.1.5.5.5.4.0.7.1.0.0.e164.sip.mn, the call is always routed to > carrier 3, where as Id like to be in a position ideally where it would pickup the wildcard with the higher priority (carrier1.com) ideally. > > Is it an option or not designed due to RFC? The current behaviour is indeed mandated by the relevant RFCs. If you don’t want *.5.5.5 to match, why not remove or disable it? Kind regards, -- Peter van Dijk Netherlabs Computer Consulting BV - http://www.netherlabs.nl/ From sksumit1 at gmail.com Tue Feb 24 19:11:30 2015 From: sksumit1 at gmail.com (sumit sharma) Date: Wed, 25 Feb 2015 00:41:30 +0530 Subject: [Pdns-users] SOA record is coming in answer section In-Reply-To: <20150224130616.GA30170@pi.ip.fi> References: <20150224095047.GA27951@pi.ip.fi> <20150224130616.GA30170@pi.ip.fi> Message-ID: Thanks for the answer. One more question. During high performance runs using my dig command, sometimes my pipe backend receives queries Q AXFR -1. Is there a way to disable that? 
My current AXFR configurations in pdns.conf allow-axfr-ips (this is commented) disable-axfr=yes disable-axfr-rectify=yes Thanks, Sumit On Tue, Feb 24, 2015 at 6:36 PM, Aki Tuomi wrote: > But there is a reason why it's sometimes in either one, there is no sense > in trying to fix this for consistency. > > SOA record goes in ANSWER section, when you ask for SOA record (or ANY). > > SOA record goes in AUTHORITY section, when a record is not found in the > zone. > > Aki > > On Tue, Feb 24, 2015 at 04:21:28PM +0530, sumit sharma wrote: > > Hi Aki, > > > > I want the SOA record that i am sending from the backend to come in the > > AUTHORITY section of dig response. > > Sometimes SOA record comes in AUTHORITY SECTION. But mostly it comes in > > ANSWER SECTION. I want the response to be consistent. A and TXT records > > always comes as expected in ANSWER SECTION. > > Hence from dig, sometimes i get 1 authority & 2 answers but mostly i get > 0 > > authority and 3 answers > > > > Regards, > > Sumit > > > > On Tue, Feb 24, 2015 at 3:20 PM, Aki Tuomi > wrote: > > > > > On Tue, Feb 24, 2015 at 02:59:19PM +0530, sumit sharma wrote: > > > > Hi All, > > > > > > > > I am currently using the pipe backend to server powerdns response. > > > > I am trying to make powerdns as all authoritative server. > > > > > > > > dig query -> dig ANY subdomain.mydomain.com > > > > > > > > I am sending the following response to powerdns > > > > 1. pdns requests for SOA record > > > > 2. I send back > > > > subdomain.mydomain.com. 0 IN SOA ahu.mydomain.com. > ns1.mydomain.com > > > . > > > > 2008080300 1800 3600 604800 3600 > > > > 3. pdns requests for ANY record > > > > 4. I send back A & TXT records. > > > > > > > > I see the SOA record coming in ANSWER SECTION of dig query response. > > > > I want to make it come to AUTHORITY SECTION. > > > > > > > > What can i do to make it happen? > > > > > > > > Thanks, > > > > Sumit > > > > > > Why exactly do you want it in AUTHORITY SECTION? 
> > > > > > Aki > > > > > > > _______________________________________________ > > > > Pdns-users mailing list > > > > Pdns-users at mailman.powerdns.com > > > > http://mailman.powerdns.com/mailman/listinfo/pdns-users > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From cyruspy at gmail.com Tue Feb 24 20:49:27 2015 From: cyruspy at gmail.com (Ciro Iriarte) Date: Tue, 24 Feb 2015 17:49:27 -0300 Subject: [Pdns-users] ANY+Reflection Attacks? Message-ID: Hi!, I'm seeing a lot of messages of type "Timeout from remote TCP client 10.XXX.XXX.XXX", it seems to be an attack given we have "any-to-tcp = yes". Is this usual? Is there any way to identify the attackers? The service is working fine and we have in our roadmap constant packet capture for data mining but I find this behaviour new/interesting today :) Any comments? Regards, -- Ciro Iriarte http://iriarte.it -- -------------- next part -------------- An HTML attachment was scrubbed... URL: From cyruspy at gmail.com Wed Feb 25 02:30:15 2015 From: cyruspy at gmail.com (Ciro Iriarte) Date: Tue, 24 Feb 2015 23:30:15 -0300 Subject: [Pdns-users] ANY+Reflection Attacks? In-Reply-To: References: Message-ID: 2015-02-24 17:49 GMT-03:00 Ciro Iriarte : > Hi!, I'm seeing a lot of messages of type "Timeout from remote TCP client > 10.XXX.XXX.XXX", it seems to be an attack given we have "any-to-tcp = yes". > > Is this usual? Is there any way to identify the attackers? The service is > working fine and we have in our roadmap constant packet capture for data > mining but I find this behaviour new/interesting today :) > > Any comments? > > Regards, > > -- > Ciro Iriarte > http://iriarte.it > -- > Well, never mind. After all, those are legitimate clients and there seems to be a firewall with connection tracking issues. What's unexpected to me is having TCP requests, I was expecting only UDP traffic from end users. 
Regards, -- Ciro Iriarte http://iriarte.it -- -------------- next part -------------- An HTML attachment was scrubbed... URL: From michael at stroeder.com Wed Feb 25 08:25:21 2015 From: michael at stroeder.com (=?UTF-8?Q?Michael_Str=c3=b6der?=) Date: Wed, 25 Feb 2015 09:25:21 +0100 Subject: [Pdns-users] ANY+Reflection Attacks? In-Reply-To: References: Message-ID: <54ED86F1.4030304@stroeder.com> Ciro Iriarte wrote: > 2015-02-24 17:49 GMT-03:00 Ciro Iriarte : > >> Hi!, I'm seeing a lot of messages of type "Timeout from remote TCP client >> 10.XXX.XXX.XXX", it seems to be an attack given we have "any-to-tcp = yes". >> >> Is this usual?, is there anyway to identify the attackers?. The service is >> working fine and we have in our roadmap constant packed capture for data >> mining but I find this behaviour new/interesting today :) >> >> Any comments? >> >> Regards, > > Well, never mind. After all, those are legitimate clients and there seems > to be a firewall with connection tracking issues. What's unexpected to me > is having TCP requests, I was expecting only UDP traffic from end users. DNSSEC used? Ciao, Michael. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4252 bytes Desc: S/MIME Cryptographic Signature URL: From cyruspy at gmail.com Wed Feb 25 17:34:09 2015 From: cyruspy at gmail.com (Ciro Iriarte) Date: Wed, 25 Feb 2015 14:34:09 -0300 Subject: [Pdns-users] ANY+Reflection Attacks? In-Reply-To: <54ED86F1.4030304@stroeder.com> References: <54ED86F1.4030304@stroeder.com> Message-ID: El feb 25, 2015 5:25 AM, "Michael Ströder" escribió: > > Ciro Iriarte wrote: > > 2015-02-24 17:49 GMT-03:00 Ciro Iriarte : > > > >> Hi!, I'm seeing a lot of messages of type "Timeout from remote TCP client > >> 10.XXX.XXX.XXX", it seems to be an attack given we have "any-to-tcp = yes". > >> > >> Is this usual?, is there anyway to identify the attackers?. 
The service is > >> working fine and we have in our roadmap constant packed capture for data > >> mining but I find this behaviour new/interesting today :) > >> > >> Any comments? > >> > >> Regards, > > > > Well, never mind. After all, those are legitimate clients and there seems > > to be a firewall with connection tracking issues. What's unexpected to me > > is having TCP requests, I was expecting only UDP traffic from end users. > > DNSSEC used? > > Ciao, Michael. > As far as I remember, pdns-recursor doesn't support DNSSEC. Regards, Ciro -------------- next part -------------- An HTML attachment was scrubbed... URL: From hunterj91 at hotmail.com Wed Feb 25 18:40:07 2015 From: hunterj91 at hotmail.com (Jonathan Hunter) Date: Wed, 25 Feb 2015 18:40:07 +0000 Subject: [Pdns-users] Optimize Powerdns and Mysql for DB with 500K entries Message-ID: Hi Guys, I appreciate there are optimization tips on the website, however I wondered if there are any specific tips for optimization when dealing with a records table or associated view of 500K rows in a Mysql backend database on a Virtual Centos Machine with 2 x 3Ghz processors, 1GB RAM and 20GB Memory. I am seeing some slow responses in terms of using dig to perform NAPTR record lookups. Any help would be great. Many thanks Jon -------------- next part -------------- An HTML attachment was scrubbed... URL: From mh+pdns-users at zugschlus.de Wed Feb 25 20:50:40 2015 From: mh+pdns-users at zugschlus.de (Marc Haber) Date: Wed, 25 Feb 2015 21:50:40 +0100 Subject: [Pdns-users] Reply-To Change? In-Reply-To: References: Message-ID: <20150225205040.GK26963@torres.zugschlus.de> On Mon, Feb 23, 2015 at 12:48:49PM -0600, Nicholas Williams wrote: > PowerDNS's users list (and possibly the other lists—I'm not on those) is > the only list I use (and I'm on a LOT of dev/user mailing lists) where > hitting "reply" replies to the person who sent the email. 
Every other list > I'm on, messages are modified by the list software to include a Reply-To > header containing the list's address so that hitting reply _only_ puts the > list's address in the recipient field and hitting "Reply All" isn't > necessary. http://www.unicom.com/pw/reply-to-harmful.html Most of the mailing lists I am on don't munge Reply-To. I'd say, the vast majority, this being the opposite of your experience. I must be on a different intraweb then. That being said, kindly use your mail reader's list reply function. Decent software has such a function. Greetings Marc -- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600420 From lists at shthead.com Thu Feb 26 02:14:41 2015 From: lists at shthead.com (Chris) Date: Thu, 26 Feb 2015 10:14:41 +0800 Subject: [Pdns-users] Optimize Powerdns and Mysql for DB with 500K entries In-Reply-To: References: Message-ID: <54EE8191.1090503@shthead.com> Hi, I have 3 PowerDNS instances running with the MySQL backend across 4 DNS servers. The largest has 1,883,763 domains with 9,736,133 records (With all instances combined there is a total of 21M rows in the records table). The only things I have done for performance are:
- All tables are InnoDB
- All DNS servers have 16GB or more of memory, InnoDB buffer pool size is at least 10GB on each
- MySQL 5.6 (actually running Percona, upgrading from 5.5 to 5.6 gave me a slight performance increase)
- InnoDB file format is barracuda, tables are compressed with 4KB page size
With table compression my largest instance uses a total of 750mb on disk.
The minimum specs for my DNS servers are:
- 2 x E5-2620 CPU (6 cores + hyperthreading each)
- 16GB of RAM
- 2 x 15K SAS in RAID 1
With the 3 power DNS instances + unbound instance for caching name server the load average on the servers is less than 1, there is no IO wait. Each DNS server is handling an average of 6,714 queries per second across the 3 PowerDNS instances and Unbound. Using dnsscope for my biggest instance I can see that I get these stats:
0.01% of questions answered within 50 usec (0.01%)
51.67% of questions answered within 100 usec (51.67%)
60.11% of questions answered within 200 usec (8.44%)
60.40% of questions answered within 300 usec (0.29%)
60.70% of questions answered within 400 usec (0.30%)
63.85% of questions answered within 800 usec (3.14%)
67.78% of questions answered within 1000 usec (3.93%)
97.93% of questions answered within 2.00 msec (30.15%)
99.71% of questions answered within 4.00 msec (1.78%)
99.97% of questions answered within 8.00 msec (0.26%)
100.00% of questions answered within 32.00 msec (0.03%)
100.00% of questions answered within 64.00 msec (0.00%)
0 responses (0.00%) older than 2 seconds
Average non-late response time: 569.60 usec
What kind of statistics are you seeing? Do you get large amounts of I/O wait on the server? Is your mysql innodb buffer pool size large enough to hold the entire table in RAM? Chris On 26/02/2015 2:40 AM, Jonathan Hunter wrote: > Hi Guys, > > I appreciate there are optimization tips on the website, however I > wondered if there are any specific tips for optimization when dealing > with a records table or associated view of 500K rows in a Mysql > backend database on a Virtual Centos Machine with 2 x 3Ghz processors, > 1GB RAM and 20GB Memory. > > I am seeing some slow responses in terms of using dig to perform NAPTR > record lookups. > > Any help would be great. 
> > Many thanks > > Jon > > > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From geirskjo at gmail.com Thu Feb 26 07:11:55 2015 From: geirskjo at gmail.com (xxsyys) Date: Thu, 26 Feb 2015 00:11:55 -0700 (MST) Subject: [Pdns-users] Proper response to PING on pipe backend. Message-ID: <1424934715700-11341.post@n7.nabble.com> Hi, I am implementing a pipe backend for pdns. What is the proper response to the "PING" command? The documentation at https://doc.powerdns.com/md/authoritative/backend-pipe/#pipebackend-protocol does not say. I would assume it is "PONG" but the list of acceptable answer tags does not contain PONG, leading me to believe it would be either just END or DATA\tPONG END In advance, thanks. best regards, -geir -- View this message in context: http://powerdns.13854.n7.nabble.com/Proper-response-to-PING-on-pipe-backend-tp11341.html Sent from the PowerDNS mailing list archive at Nabble.com. From christian.hofstaedtler at deduktiva.com Thu Feb 26 07:37:06 2015 From: christian.hofstaedtler at deduktiva.com (Christian Hofstaedtler) Date: Thu, 26 Feb 2015 07:37:06 +0000 Subject: [Pdns-users] Proper response to PING on pipe backend. In-Reply-To: <1424934715700-11341.post@n7.nabble.com> References: <1424934715700-11341.post@n7.nabble.com> Message-ID: <1A19410E-9C2D-44CE-9F92-DC3E9E9970F8@deduktiva.com> > On 26 Feb 2015, at 08:11, xxsyys wrote: > > Hi, > > I am implementing a pipe backend for pdns. > > What is the proper response to the "PING" command? The documentation at > https://doc.powerdns.com/md/authoritative/backend-pipe/#pipebackend-protocol > does not say. 
> > I would assume it is "PONG" but the list of acceptable answer tags does not > contain PONG, leading me to believe it would be either just > END > or > DATA\tPONG > END The documentation says nothing about a reply to PING, because it doesn’t say anything about PING in the first place. PING is not a command/query for pipebackend coprocesses. -- Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien) www.deduktiva.com / +43 1 353 1707 From geirskjo at gmail.com Thu Feb 26 08:55:06 2015 From: geirskjo at gmail.com (xxsyys) Date: Thu, 26 Feb 2015 01:55:06 -0700 (MST) Subject: [Pdns-users] Proper response to PING on pipe backend. In-Reply-To: <1A19410E-9C2D-44CE-9F92-DC3E9E9970F8@deduktiva.com> References: <1424934715700-11341.post@n7.nabble.com> <1A19410E-9C2D-44CE-9F92-DC3E9E9970F8@deduktiva.com> Message-ID: In Appendix A1.1 of http://downloads.powerdns.com/documentation/pdns.pdf it does say that there are three forms of Questions.
A.1.1.2 Questions
Questions come in three forms and are prefixed by a tag indicating the type:
Q Regular queries
AXFR List requests, which mean that an entire zone should be listed
PING Check if the coprocess is functioning
On Thu, Feb 26, 2015 at 9:30 AM, Christian Hofstaedtler [via PowerDNS] < ml-node+s13854n11342h49 at n7.nabble.com> wrote: > > > On 26 Feb 2015, at 08:11, xxsyys <[hidden email] > > wrote: > > > > Hi, > > > > I am implementing a pipe backend for pdns. > > > > What is the proper response to the "PING" command? The documentation at > > > https://doc.powerdns.com/md/authoritative/backend-pipe/#pipebackend-protocol > > does not say. > > > > I would assume it is "PONG" but the list of acceptable answer tags does > not > > contain PONG, leading me to believe it would be either just > > END > > or > > DATA\tPONG > > END > > The documentation says nothing about a reply to PING, because it doesn’t > say anything about PING in the first place. > > PING is not a command/query for pipebackend coprocesses. 
> > > -- > Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien) > www.deduktiva.com / +43 1 353 1707 > > > > _______________________________________________ > Pdns-users mailing list > [hidden email] > http://mailman.powerdns.com/mailman/listinfo/pdns-users > > -- *Geir Skjøtskift* Røykenviklinna 532 N-2760 BRANDBU +47 951 05 109 -- View this message in context: http://powerdns.13854.n7.nabble.com/Proper-response-to-PING-on-pipe-backend-tp11341p11343.html Sent from the PowerDNS mailing list archive at Nabble.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From hunterj91 at hotmail.com Thu Feb 26 16:20:32 2015 From: hunterj91 at hotmail.com (Jonathan Hunter) Date: Thu, 26 Feb 2015 16:20:32 +0000 Subject: [Pdns-users] FW: Optimize Powerdns and Mysql for DB with 500K entries In-Reply-To: References: , <54EE8191.1090503@shthead.com>, Message-ID: Hi Chris (and AJ), Thanks for the detailed response. I now have 4GB of RAM available and looking at the size of my records_orig table, I have set innodb-buffer-pool-size = 950M

+-----------------------+---------+------------+----------+--------+------------+
| schema_table          | data_MB | indexes_MB | total_MB | engine | row_format |
+-----------------------+---------+------------+----------+--------+------------+
| powerdns.records_orig |  449.95 |     399.16 |   849.11 | InnoDB | Compact    |
+-----------------------+---------+------------+----------+--------+------------+

In terms of my setup, I am using pdns 3.4.2.1 and I am running NAPTR queries from another server using the dig utility to test query time. The powerdns database is made using the standard guide, however I have renamed the table to records_orig from records. Structure below:

| records_orig | CREATE TABLE `records_orig` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `domain_id` int(11) DEFAULT NULL,
  `name` varchar(255) DEFAULT NULL,
  `type` varchar(10) DEFAULT NULL,
  `content` varchar(64000) DEFAULT NULL,
  `ttl` int(11) DEFAULT NULL,
  `prio` int(11) DEFAULT NULL,
  `change_date` int(11) DEFAULT NULL,
  `disabled` tinyint(1) DEFAULT '0',
  `ordername` varchar(255) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL,
  `auth` tinyint(1) DEFAULT '1',
  `carrierrate` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`),
  KEY `nametype_index` (`name`,`type`),
  KEY `domain_id` (`domain_id`),
  KEY `recordorder` (`domain_id`,`ordername`)
) ENGINE=InnoDB AUTO_INCREMENT=14077920 DEFAULT CHARSET=latin1 |

Now that has 3.5 million entries in it, however there are particular time of day entries required, so I in fact made a view called records that pdns will then query, and is shown below, and contains a new field I added called carrierrate.

| records | CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `records` AS
select `records_orig`.`id` AS `id`, `records_orig`.`domain_id` AS `domain_id`, `records_orig`.`name` AS `name`, `records_orig`.`type` AS `type`, `records_orig`.`content` AS `content`, `records_orig`.`ttl` AS `ttl`, `records_orig`.`prio` AS `prio`, `records_orig`.`change_date` AS `change_date`, `records_orig`.`disabled` AS `disabled`, `records_orig`.`ordername` AS `ordername`, `records_orig`.`auth` AS `auth`, `records_orig`.`carrierrate` AS `carrierrate`
from `records_orig`
where ((`records_orig`.`carrierrate` = 'BT-Peak')
    or (`records_orig`.`carrierrate` = 'BTI-Weekend')
    or (`records_orig`.`carrierrate` = 'Colt-OffPeak')
    or (`records_orig`.`carrierrate` = 'ColtI-OffPeak')
    or (`records_orig`.`carrierrate` = 'Gamma-OffPeak')
    or (`records_orig`.`carrierrate` = 'UPC-\n\nOffPeak')
    or (`records_orig`.`carrierrate` = 'Verizon-OffPeak')
    or (`records_orig`.`carrierrate` = 'Bandwidth-Allday')
    or (`records_orig`.`carrierrate` = 'BBCOM-Allday')
    or (`records_orig`.`carrierrate` = 'TATA-Allday')
    or (`records_orig`.`carrierrate` = 'SOA')) | latin1 | latin1_swedish_ci |

Now as this is a view, no indexes are there, could this be causing me problems? And the pdns.conf is as standard, I haven't modified it. Also I haven't modified the query powerdns performs, as I am purely holding NAPTR records in a single domain, would changing the mysql query help, as I notice it goes through the SOA, NS and so on queries until it gets to NAPTR. In terms of your question about performance, I can see that some query times are 0-8ms, however others are up to 4500ms, so I need to understand where I can optimize further on this current VM server, as the table view it is querying is around 500K rows. Any help would be great. Many thanks Jon Date: Thu, 26 Feb 2015 10:14:41 +0800 From: lists at shthead.com To: pdns-users at mailman.powerdns.com Subject: Re: [Pdns-users] Optimize Powerdns and Mysql for DB with 500K entries Hi, I have 3 PowerDNS instances running with the MySQL backend across 4 DNS servers. The largest has 1,883,763 domains with 9,736,133 records (With all instances combined there is a total of 21M rows in the records table). The only things I have done for performance are: - All tables are InnoDB - All DNS servers have 16GB or more of memory, InnoDB buffer pool size is at least 10GB on each - MySQL 5.6 (actually running Percona, upgrading from 5.5 to 5.6 gave me a slight performance increase) - InnoDB file format is barracuda, tables are compressed with 4KB page size With table compression my largest instance uses a total of 750mb on disk. The minimum specs for my DNS servers are: - 2 x E5-2620 CPU (6 cores + hyperthreading each) - 16GB of RAM - 2 x 15K SAS in RAID 1 With the 3 power DNS instances + unbound instance for caching name server the load average on the servers is less than 1, there is no IO wait. Each DNS server is handling an average of 6,714 queries per second across the 3 PowerDNS instances and Unbound. 
Using dnsscope for my biggest instance I can see that I get these stats:

  0.01% of questions answered within 50 usec (0.01%)
 51.67% of questions answered within 100 usec (51.67%)
 60.11% of questions answered within 200 usec (8.44%)
 60.40% of questions answered within 300 usec (0.29%)
 60.70% of questions answered within 400 usec (0.30%)
 63.85% of questions answered within 800 usec (3.14%)
 67.78% of questions answered within 1000 usec (3.93%)
 97.93% of questions answered within 2.00 msec (30.15%)
 99.71% of questions answered within 4.00 msec (1.78%)
 99.97% of questions answered within 8.00 msec (0.26%)
100.00% of questions answered within 32.00 msec (0.03%)
100.00% of questions answered within 64.00 msec (0.00%)
0 responses (0.00%) older than 2 seconds
Average non-late response time: 569.60 usec

What kind of statistics are you seeing? Do you get large amounts of I/O wait on the server? Is your mysql innodb buffer pool size large enough to hold the entire table in RAM?

Chris

On 26/02/2015 2:40 AM, Jonathan Hunter wrote:

Hi Guys,

I appreciate there are optimization tips on the website, however I wondered if there are any specific tips for optimization when dealing with a records table or associated view of 500K rows in a Mysql backend database on a Virtual Centos Machine with 2 x 3Ghz processors, 1GB RAM and 20GB Memory.

I am seeing some slow responses in terms of using dig to perform NAPTR record lookups.

Any help would be great.

Many thanks

Jon

_______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
From melvin at mughal.nu  Thu Feb 26 18:41:04 2015
From: melvin at mughal.nu (Melvin Mughal)
Date: Thu, 26 Feb 2015 19:41:04 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
Message-ID:

We're running a master-slave setup. We want to use the PowerDNS API to automatically create master zones on the master server from our application. We created a master zone template, so when a domain is added the zonefile is automatically filled with the correct records and notifies the slave.

I can't find any good reference on how to do this through the PowerDNS API. I want to post a domain from the application via an API call and request to make a new master zone file for the domain with the zone template.

Does anyone have an API call example on how to do this?

From bert.hubert at powerdns.com  Thu Feb 26 19:05:32 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Thu, 26 Feb 2015 20:05:32 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References:
Message-ID: <20150226190531.GA8771@xs.powerdns.com>

On Thu, Feb 26, 2015 at 07:41:04PM +0100, Melvin Mughal wrote:
> I can't find any good reference on how to do this through the PowerDNS API.
> I want to post a domain from the application via an API call and request
> to make a new master zone file for the domain with the zone template.

Hi Melvin,

Try:

# Create new zone "example.org" with nameservers ns1.example.org,
# ns2.example.org
curl -X POST --data '{"name":"example.org", "kind": "Master", "masters": [], "nameservers": ["ns1.example.org", "ns2.example.org"]}' -v -H 'X-API-Key: changeme' http://127.0.0.1:8081/servers/localhost/zones | jq .

This is from: https://doc.powerdns.com/md/httpapi/README/

Can you let us know if this works?
Bert

From jpmens.dns at gmail.com  Thu Feb 26 19:06:40 2015
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Thu, 26 Feb 2015 20:06:40 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References:
Message-ID: <20150226190640.GA7480@tiggr.ww.mens.de>

> Does anyone have an API call example on how to do this?

There is an example in the documentation [1].

        -JP

[1] http://doc.powerdns.com/md/httpapi/README/

From melvin at mughal.nu  Thu Feb 26 20:06:17 2015
From: melvin at mughal.nu (Melvin Mughal)
Date: Thu, 26 Feb 2015 21:06:17 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To: <20150226190640.GA7480@tiggr.ww.mens.de>
References: <20150226190640.GA7480@tiggr.ww.mens.de>
Message-ID:

I've seen the API example (http://doc.powerdns.com/md/httpapi/README/), but it doesn't show how to create a new zone with an existing zone template. How can I include the zone template in that API call?

2015-02-26 20:06 GMT+01:00 Jan-Piet Mens:

> > Does anyone have an API call example on how to do this?
>
> There is an example in the documentation [1].
>
>         -JP
>
> [1] http://doc.powerdns.com/md/httpapi/README/

From christian.hofstaedtler at deduktiva.com  Thu Feb 26 20:06:11 2015
From: christian.hofstaedtler at deduktiva.com (Christian Hofstaedtler)
Date: Thu, 26 Feb 2015 20:06:11 +0000
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References: <20150226190640.GA7480@tiggr.ww.mens.de>
Message-ID:

> On 26 Feb 2015, at 21:06, Melvin Mughal wrote:
>
> I've seen the API example (http://doc.powerdns.com/md/httpapi/README/), but it doesn't show how to create a new zone with an existing zone template.
> How can I include the zone template in that API call?

There are no templates, but you can include records with the create call.

Example:

curl -X POST --data '{
  "name": "example.com",
  "kind": "Native",
  "masters": [],
  "nameservers": ["ns1.example.org", "ns2.example.org"],
  "records": [
    {
      "name": "www.example.com",
      "type": "A",
      "ttl": 3600,
      "content": "192.0.2.4",
      "disabled": false
    }
  ]
}' -v -H 'X-API-Key: changeme' http://127.0.0.1:8081/servers/localhost/zones

Christian

--
Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
www.deduktiva.com / +43 1 353 1707

From msienema at unet.nl  Fri Feb 27 08:44:56 2015
From: msienema at unet.nl (Maurice Sienema)
Date: Fri, 27 Feb 2015 09:44:56 +0100
Subject: [Pdns-users] Slave DNSKeys
Message-ID:

We are testing with DNSSEC on our PowerDNS setup, everything seems to be working except the slave server isn't using the DNSKEY set from the master. Am I missing the concept and should I register both keys at the parent zone, or is the slave capable of using the key set from the master?

See here what is going wrong: http://dnsviz.net/d/uned.nl/dnssec/

Some details about the setup:

Both servers running PowerDNS version 3.1 (standard Debian wheezy package)
Both servers are running gmysql back-end connected to a local database
NS1 is a supermaster for NS2, zone updates are done by NOTIFY/AXFR

Regards,
Maurice
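
One way to get the "template" behaviour Melvin asks for on top of Christian's create call above, with the template kept in the calling application rather than in PowerDNS, as an added example (not PowerDNS project code and not code anyone on this thread posted). The template layout, the helper names, the 3.x-style record fields taken from the curl examples, and the API URL and key are assumptions.

```python
"""Expand a local zone template into a PowerDNS API zone-creation body.

Added example, not PowerDNS project code and not code anyone posted on
this thread.  The API has no notion of templates, so the calling
application expands its own template into the "records" list of the
POST /servers/localhost/zones call shown in the curl examples.  The
template layout, helper names, record field set (3.x style, names
without a trailing dot) and the API key are assumptions.
"""
import json
import urllib.request

# Constructed template.  "{zone}" is replaced by the zone name when the
# template is rendered; everything else is copied into the payload.
TEMPLATE = {
    "kind": "Master",
    "nameservers": ["ns1.example.org", "ns2.example.org"],
    "records": [
        {"name": "{zone}", "type": "A", "ttl": 3600, "content": "192.0.2.4"},
        {"name": "www.{zone}", "type": "CNAME", "ttl": 3600, "content": "{zone}"},
        {"name": "{zone}", "type": "TXT", "ttl": 3600, "content": '"v=spf1 -all"'},
    ],
}

VALID_KINDS = ("Native", "Master", "Slave")


def normalize_name(name):
    """Lower-case a DNS name and drop a trailing dot (the form the curl
    examples on the thread use)."""
    return name.strip().rstrip(".").lower()


def in_zone(name, zone):
    """True if name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)


def validate_payload(payload):
    """Reject the two mistakes a developer without DNS background makes
    most easily: a record outside the zone, and a CNAME sharing its
    owner name with other data.  Returns True or raises ValueError."""
    zone = payload["name"]
    types_by_name = {}
    for rec in payload["records"]:
        if not in_zone(rec["name"], zone):
            raise ValueError("%s is not inside zone %s" % (rec["name"], zone))
        types_by_name.setdefault(rec["name"], set()).add(rec["type"])
    for name, types in types_by_name.items():
        if "CNAME" in types and len(types) > 1:
            raise ValueError("CNAME at %s cannot coexist with %s"
                             % (name, sorted(types - {"CNAME"})))
    return True


def render_zone(zone, template=TEMPLATE, kind=None):
    """Build the JSON body for one zone from the template and validate it."""
    zone = normalize_name(zone)
    kind = kind or template["kind"]
    if kind not in VALID_KINDS:
        raise ValueError("unknown zone kind %r" % kind)
    records = []
    for rec in template["records"]:
        records.append({
            "name": normalize_name(rec["name"].format(zone=zone)),
            "type": rec["type"].upper(),
            "ttl": int(rec["ttl"]),
            "content": rec["content"].format(zone=zone),
            "disabled": False,
        })
    payload = {
        "name": zone,
        "kind": kind,
        "masters": [],
        "nameservers": list(template["nameservers"]),
        "records": records,
    }
    validate_payload(payload)
    return payload


def create_zone(payload, api_url="http://127.0.0.1:8081", api_key="changeme"):
    """POST the rendered body; URL and key are the thread's placeholder
    values.  Returns the decoded JSON the server sends back."""
    req = urllib.request.Request(
        api_url + "/servers/localhost/zones",
        data=json.dumps(payload).encode(),
        headers={"X-API-Key": api_key, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Render only; call create_zone(render_zone("example.com")) against a
    # server with the API enabled to actually create the zone.
    print(json.dumps(render_zone("Example.com."), indent=2))
```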
From s.maddox at lantizia.me.uk  Fri Feb 27 09:33:19 2015
From: s.maddox at lantizia.me.uk (Steven Maddox)
Date: Fri, 27 Feb 2015 09:33:19 +0000
Subject: [Pdns-users] hiding version
In-Reply-To:
References: <909790BF-1CE2-4BF7-90F8-498CD6CB684C@z0z0.tk>
Message-ID:

Wow, this'll be so handy. Thanks for that.

On 10/02/15 20:30, James Cornman wrote:
> Hello:
>
> For authoritative:
>
> # version-string PowerDNS version in packets - full, anonymous, powerdns or custom
> #
> version-string=anonymous
>
>
> For recursor:
>
> I don't know if it has the same keywords (full, powerdns, etc), but you
> could do
>
> # version-string string reported on version.pdns or version.bind
> #
> version-string=anonymous
>
> On Tue, Feb 10, 2015 at 3:26 PM, Keresztes Péter-Zoltán wrote:
>
>     Hello,
>
>     Is there a way to hide the powerdns version from public?
>
>     Peter
>

From melvin at mughal.nu  Fri Feb 27 10:09:55 2015
From: melvin at mughal.nu (Melvin Mughal)
Date: Fri, 27 Feb 2015 11:09:55 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References: <20150226190640.GA7480@tiggr.ww.mens.de>
Message-ID:

That's a shame. It would be great if you could give the template name with the API call and it would automatically create records from that template. That would be a feature request ;)

2015-02-26 21:06 GMT+01:00 Christian Hofstaedtler <christian.hofstaedtler at deduktiva.com>:

>
> > On 26 Feb 2015, at 21:06, Melvin Mughal wrote:
> >
> > I've seen the API example (http://doc.powerdns.com/md/httpapi/README/),
> > but it doesn't show how to create a new zone with an existing zone
> > template.
> > How can I include the zone template in that API call?
>
> There are no templates, but you can include records with the create call.
>
> Example:
>
> curl -X POST --data '{
>   "name": "example.com",
>   "kind": "Native",
>   "masters": [],
>   "nameservers": ["ns1.example.org", "ns2.example.org"],
>   "records": [
>     {
>       "name": "www.example.com",
>       "type": "A",
>       "ttl": 3600,
>       "content": "192.0.2.4",
>       "disabled": false
>     }
>   ]
> }' -v -H 'X-API-Key: changeme' http://127.0.0.1:8081/servers/localhost/zones
>
>
> Christian
>
> --
> Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
> www.deduktiva.com / +43 1 353 1707
>

From christian.hofstaedtler at deduktiva.com  Fri Feb 27 09:57:00 2015
From: christian.hofstaedtler at deduktiva.com (Christian Hofstaedtler)
Date: Fri, 27 Feb 2015 09:57:00 +0000
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References: <20150226190640.GA7480@tiggr.ww.mens.de>
Message-ID: <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com>

PowerDNS doesn't know anything about templates.
What are you talking about?

--
Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
www.deduktiva.com / +43 1 353 1707

> On 27 Feb 2015, at 11:09, Melvin Mughal wrote:
>
> That's a shame. It would be great if you could give the template name with the API call and it would automatically create records from that template. That would be a feature request ;)
>
> 2015-02-26 21:06 GMT+01:00 Christian Hofstaedtler:
>
> > On 26 Feb 2015, at 21:06, Melvin Mughal wrote:
> >
> > I've seen the API example (http://doc.powerdns.com/md/httpapi/README/), but it doesn't show how to create a new zone with an existing zone template. How can I include the zone template in that API call?
>
> There are no templates, but you can include records with the create call.
>
> Example:
>
> curl -X POST --data '{
>   "name": "example.com",
>   "kind": "Native",
>   "masters": [],
>   "nameservers": ["ns1.example.org", "ns2.example.org"],
>   "records": [
>     {
>       "name": "www.example.com",
>       "type": "A",
>       "ttl": 3600,
>       "content": "192.0.2.4",
>       "disabled": false
>     }
>   ]
> }' -v -H 'X-API-Key: changeme' http://127.0.0.1:8081/servers/localhost/zones
>
>
> Christian
>
> --
> Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
> www.deduktiva.com / +43 1 353 1707
>

From melvin at mughal.nu  Fri Feb 27 12:12:02 2015
From: melvin at mughal.nu (Melvin Mughal)
Date: Fri, 27 Feb 2015 13:12:02 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To: <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com>
References: <20150226190640.GA7480@tiggr.ww.mens.de> <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com>
Message-ID:

Probably it's a Poweradmin thing. I thought it was a PowerDNS feature. In Poweradmin, you can create zone templates and when creating a zone, you can select a template you wish to use for the records to be automatically created. Very handy feature.

2015-02-27 10:57 GMT+01:00 Christian Hofstaedtler <christian.hofstaedtler at deduktiva.com>:

> PowerDNS doesn't know anything about templates.
> What are you talking about?
>
> --
> Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
> www.deduktiva.com / +43 1 353 1707
>
> > On 27 Feb 2015, at 11:09, Melvin Mughal wrote:
> >
> > That's a shame. It would be great if you could give the template name
> > with the API call and it would automatically create records from that
> > template.
> > That would be a feature request ;)
> >
> > 2015-02-26 21:06 GMT+01:00 Christian Hofstaedtler <christian.hofstaedtler at deduktiva.com>:
> >
> > > On 26 Feb 2015, at 21:06, Melvin Mughal wrote:
> > >
> > > I've seen the API example (http://doc.powerdns.com/md/httpapi/README/),
> > > but it doesn't show how to create a new zone with an existing zone
> > > template. How can I include the zone template in that API call?
> >
> > There are no templates, but you can include records with the create call.
> >
> > Example:
> >
> > curl -X POST --data '{
> >   "name": "example.com",
> >   "kind": "Native",
> >   "masters": [],
> >   "nameservers": ["ns1.example.org", "ns2.example.org"],
> >   "records": [
> >     {
> >       "name": "www.example.com",
> >       "type": "A",
> >       "ttl": 3600,
> >       "content": "192.0.2.4",
> >       "disabled": false
> >     }
> >   ]
> > }' -v -H 'X-API-Key: changeme' http://127.0.0.1:8081/servers/localhost/zones
> >
> >
> > Christian
> >
> > --
> > Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
> > www.deduktiva.com / +43 1 353 1707
> >

From koko at wijatmoko.name  Fri Feb 27 12:42:46 2015
From: koko at wijatmoko.name (Koko Wijatmoko)
Date: Fri, 27 Feb 2015 19:42:46 +0700
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References: <20150226190640.GA7480@tiggr.ww.mens.de> <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com>
Message-ID: <20150227194246.768e14326e929e9ae424177e@wijatmoko.name>

On Fri, 27 Feb 2015 13:12:02 +0100
Melvin Mughal wrote:

> Probably it's a Poweradmin thing. I thought it was a
> PowerDNS feature.
> In Poweradmin, you can create zone
> templates and when creating a zone, you can select a
> template you wish to use for the records to be
> automatically created. Very handy feature.
>

Templates are not standard for everyone, so this is useless.

From jpmens.dns at gmail.com  Fri Feb 27 15:00:08 2015
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Fri, 27 Feb 2015 16:00:08 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To: <20150227194246.768e14326e929e9ae424177e@wijatmoko.name>
References: <20150226190640.GA7480@tiggr.ww.mens.de> <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com> <20150227194246.768e14326e929e9ae424177e@wijatmoko.name>
Message-ID: <20150227150008.GA28679@tiggr.ww.mens.de>

> Templates are not standard for everyone, so this is useless.

Utterly useless, yes.

        -JP

From melvin at mughal.nu  Fri Feb 27 16:10:08 2015
From: melvin at mughal.nu (Melvin Mughal)
Date: Fri, 27 Feb 2015 17:10:08 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To: <20150227150008.GA28679@tiggr.ww.mens.de>
References: <20150226190640.GA7480@tiggr.ww.mens.de> <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com> <20150227194246.768e14326e929e9ae424177e@wijatmoko.name> <20150227150008.GA28679@tiggr.ww.mens.de>
Message-ID:

I'm not a DNS expert, but why exactly are zone templates something which you guys politely call useless? In our perspective, it seems efficient and clean when:

1. You need to import a lot of zones (in our case more than 50k). Just adding a template attribute to the API call makes it a bit more easy. Now I'm explaining to devs what goes where and why, instead of just giving a more straightforward call.

2. You have several parties using your DNS API and the administrator can set a fixed template so records are filled in a certain way with required values by the administrator. We work with different parties and different requirements. Gives a bit more control.

3. Less error prone if multiple devs are working with it within different implementations and don't have any knowledge about nameservers and how to set things properly. Again explaining stuff to devs where these things aren't within their primary focus.

I can guess the counter argument already: just give the damn API example and be done with it. But I'd rather explain why this seems useful in our perspective to keep the topic constructive instead of calling things 'utterly useless' by some without giving any real arguments.

2015-02-27 16:00 GMT+01:00 Jan-Piet Mens:

> > Templates are not standard for everyone, so this is useless.
>
> Utterly useless, yes.
>
>         -JP

From zozo at z0z0.tk  Fri Feb 27 16:44:47 2015
From: zozo at z0z0.tk (Keresztes Péter-Zoltán)
Date: Fri, 27 Feb 2015 18:44:47 +0200
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References: <20150226190640.GA7480@tiggr.ww.mens.de> <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com> <20150227194246.768e14326e929e9ae424177e@wijatmoko.name> <20150227150008.GA28679@tiggr.ww.mens.de>
Message-ID: <92EEA3B9-BC61-4A86-9957-4A4862867BB0@z0z0.tk>

Think at something else.

Templates are different from company to company, however the API is a standard thing, therefore you design your template to match the API requirements and not vice versa.

> On Feb 27, 2015, at 6:10 PM, Melvin Mughal wrote:
>
> in

From cmouse at youzen.ext.b2.fi  Fri Feb 27 17:18:04 2015
From: cmouse at youzen.ext.b2.fi (Aki Tuomi)
Date: Fri, 27 Feb 2015 19:18:04 +0200
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To: <92EEA3B9-BC61-4A86-9957-4A4862867BB0@z0z0.tk>
References: <20150226190640.GA7480@tiggr.ww.mens.de> <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com> <20150227194246.768e14326e929e9ae424177e@wijatmoko.name> <20150227150008.GA28679@tiggr.ww.mens.de> <92EEA3B9-BC61-4A86-9957-4A4862867BB0@z0z0.tk>
Message-ID: <20150227171804.GA14075@pi.ip.fi>

On Fri, Feb 27, 2015 at 06:44:47PM +0200, Keresztes Péter-Zoltán wrote:
> Think at something else.
>
> Templates are different from company to company, however the API is a standard thing, therefore you design your template to match the API requirements and not vice versa.
>
> > On Feb 27, 2015, at 6:10 PM, Melvin Mughal wrote:
> >
> > in
>

Configurable templates, referable by template ID, would make sense, but I suspect that it might take a while unless someone gets inspiration to do them. This way your templates can vary by instance, but the API can still support them.

Aki

From nicholas at nicholaswilliams.net  Fri Feb 27 17:22:33 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Fri, 27 Feb 2015 11:22:33 -0600
Subject: [Pdns-users] pdnssec set-nsec3 for all zones
Message-ID:

Is there not a way to set NSEC3 parameters (pdnssec set-nsec3) for all zones? There's secure-all-zones and rectify-all-zones, but nothing about set-nsec3 for all zones. That could certainly get cumbersome on very large installations. :-/

Thanks,

Nick

From jpmens.dns at gmail.com  Fri Feb 27 17:30:43 2015
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Fri, 27 Feb 2015 18:30:43 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References: <20150226190640.GA7480@tiggr.ww.mens.de> <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com> <20150227194246.768e14326e929e9ae424177e@wijatmoko.name> <20150227150008.GA28679@tiggr.ww.mens.de>
Message-ID: <20150227173043.GA31541@tiggr.ww.mens.de>

> but why exactly are zone templates something which you guys politely
> call useless?
OK, maybe I ought to apologize for my tone, so I apologize.

If you're going to use an API, it seems natural (to me at least) that you'll be creating an application of sorts to leverage that API to create, populate, delete, and otherwise manipulate zones. In that application you would ensure all basic records and settings for a zone are properly defined (I assume this is what you're referring to as a 'template').

As others have said, templates are non-standard and can be defined only by the infrastructure which creates zones. It may well be that it would be nice to have something akin to "please include the records in this file when creating a zone", but this is precisely what the wrapping application should do.

        -JP

From jpmens.dns at gmail.com  Fri Feb 27 17:34:34 2015
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Fri, 27 Feb 2015 18:34:34 +0100
Subject: [Pdns-users] pdnssec set-nsec3 for all zones
In-Reply-To:
References:
Message-ID: <20150227173434.GB31541@tiggr.ww.mens.de>

> Is there not a way to set NSEC3 parameters (pdnssec set-nsec3) for all zones?

No, because most people chose differing NSEC3PARAMs for their zones.

pdnssec list-all-zones | grep -v '^All zonecount:' | while read z
do
    pdnssec set-nsec3 ...
done

Not terribly efficient, but it may do. :)

        -JP

From nicholas at nicholaswilliams.net  Fri Feb 27 18:19:39 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Fri, 27 Feb 2015 12:19:39 -0600
Subject: [Pdns-users] Error Running pdnssec from PHP
Message-ID: <6B3CF642-B88F-41C4-8D2D-4273B43E3E78@nicholaswilliams.net>

I have a (secured) PHP browser GUI (that I can only access while connected to the VPN) that I use to manage my domains. I'm enabling DNSSEC, so I decided to update my PHP GUI to run the necessary pdnssec commands (secure-zone, set-nsec3, rectify-zone) when applicable.
However, when I use PHP's exec() to call pdnssec, I get the following error:

Error: No database backends configured for launch, unable to function

I can run pdnssec from the command line just fine, so I know that's not the problem. I thought maybe the apache user didn't have permission to access pdns.conf, and I was right, but after adding read permissions it still can't access it.

The file is in the default place pdnssec would look for it (/etc/pdns).

Any ideas on what I need to do?

Thanks,

Nick

From nicholas at nicholaswilliams.net  Fri Feb 27 18:25:35 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Fri, 27 Feb 2015 12:25:35 -0600
Subject: [Pdns-users] Error Running pdnssec from PHP
In-Reply-To: <6B3CF642-B88F-41C4-8D2D-4273B43E3E78@nicholaswilliams.net>
References: <6B3CF642-B88F-41C4-8D2D-4273B43E3E78@nicholaswilliams.net>
Message-ID:

Never mind, my bad. It's not enough for the user to have read permissions on the /etc/pdns directory and /etc/pdns/pdns.conf file. The user also must have execute permissions on the /etc/pdns directory. When I added that, it worked.

Thanks!

Nick

On Feb 27, 2015, at 12:19 PM, Nick Williams wrote:

> I have a (secured) PHP browser GUI (that I can only access while connected to the VPN) that I use to manage my domains. I'm enabling DNSSEC, so I decided to update my PHP GUI to run the necessary pdnssec commands (secure-zone, set-nsec3, rectify-zone) when applicable. However, when I use PHP's exec() to call pdnssec, I get the following error:
>
> Error: No database backends configured for launch, unable to function
>
> I can run pdnssec from the command line just fine, so I know that's not the problem. I thought maybe the apache user didn't have permission to access pdns.conf, and I was right, but after adding read permissions it still can't access it.
>
> The file is in the default place pdnssec would look for it (/etc/pdns).
>
> Any ideas on what I need to do?
>
> Thanks,
>
> Nick

From nicholas at nicholaswilliams.net  Fri Feb 27 18:27:15 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Fri, 27 Feb 2015 12:27:15 -0600
Subject: [Pdns-users] Do I need to run pdnssec when removing a zone?
Message-ID: <9484254D-3D55-453F-94C9-5898D7B486E9@nicholaswilliams.net>

I've recently enabled DNSSEC with the MySQL backend. I'm using the MySQL Backend for everything (including storage of zones/records). If I remove a zone completely from the MySQL domains/records tables (all data deleted), do I need to also A) run pdnssec , B) delete anything else from MySQL, or C) both?

Thanks,

Nick

From moseleymark at gmail.com  Fri Feb 27 22:15:12 2015
From: moseleymark at gmail.com (Mark Moseley)
Date: Fri, 27 Feb 2015 14:15:12 -0800
Subject: [Pdns-users] AXFR Crashes
Message-ID:

We don't do a lot (or practically any) AXFRs, so I hadn't noticed this before now. For every domain of ours that I've tried, doing an AXFR (to a pdns running on localhost -- mysqld running on localhost too; running the powerdns ubuntu precise package for 3.4.2, not running dnssec), it appears to crash the server.

The database was massaged from a 2.9.x era database, so could easily be something there. I tried trimming the below domain down to literally a single record (to make sure it wasn't garbage in other records):

mysql> select * from records where domain_id = 6084603\G
*************************** 1. row ***************************
         id: 688982903
  domain_id: 6084603
       name: example2.com
       type: SOA
    content: ns1.example2.com dnsadmin.example2.com 2015022701 10800 3600 604800 3600
        ttl: 3600
       prio: NULL
change_date: 1425073508
   disabled: 0
  ordername: NULL
       auth: 1
1 row in set (0.00 sec)

Here's the logs:

gmysql Connection successful. Connected to database 'dns' on '127.0.0.1'.
AXFR of domain 'example2.com' initiated by 127.0.0.1
AXFR of domain 'example2.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
gmysql Connection successful.
Connected to database 'dns' on '127.0.0.1'.
gmysql Connection successful. Connected to database 'dns' on '127.0.0.1'.
Got a signal 11, attempting to print trace:
/usr/sbin/pdns_server-instance() [0x65c4d0]
/lib/x86_64-linux-gnu/libc.so.6(+0x36150) [0x6c3d088cd150]
/usr/sbin/pdns_server-instance(_ZNSs6assignERKSs+0x24) [0xa68424]
/usr/sbin/pdns_server-instance(_ZN11GSQLBackend3getER17DNSResourceRecord+0x1d2) [0x6aaea2]
/usr/sbin/pdns_server-instance(_ZN13TCPNameserver6doAXFRERKSsN5boost10shared_ptrI9DNSPacketEEi+0xe4d) [0x611ced]
/usr/sbin/pdns_server-instance(_ZN13TCPNameserver12doConnectionEPv+0xacd) [0x6181ad]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x7e9a) [0x6c3d08c5de9a]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d) [0x6c3d0898a8bd]
Our pdns instance (11029) exited after signal 6
Respawning
Guardian is launching an instance
Reading random entropy from '/dev/urandom'
This is a guarded instance of pdns
Listening on controlsocket on '0.0.0.0:53000'
Only allowing TCP control from: 127.0.0.0/8, 10.0.0.0/8
UDP server bound to 0.0.0.0:53
TCP server bound to 0.0.0.0:53
PowerDNS Authoritative Server 3.4.2 (jenkins at autotest.powerdns.com) (C) 2001-2015 PowerDNS.COM BV
Using 64-bits mode. Built on 20150203085343 by root at autotest.powerdns.com, gcc 4.7.2.

Attaching to gdb yields this:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x6a376dc97700 (LWP 4618)]
0x0000000000654087 in endsOn(std::string const&, std::string const&) ()
(gdb) bt
#0  0x0000000000654087 in endsOn(std::string const&, std::string const&) ()
#1  0x0000000000611d07 in TCPNameserver::doAXFR(std::string const&, boost::shared_ptr, int) ()
#2  0x00000000006181ad in TCPNameserver::doConnection(void*) ()
#3  0x00006a3897018e9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#4  0x00006a3896d458bd in clone () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x0000000000000000 in ?? ()

Any idea what's making it unhappy? I've got no issues with the current server otherwise.
From bert.hubert at powerdns.com  Fri Feb 27 22:18:49 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Fri, 27 Feb 2015 23:18:49 +0100
Subject: [Pdns-users] AXFR Crashes
In-Reply-To:
References:
Message-ID: <20150227221849.GA29966@xs.powerdns.com>

On Fri, Feb 27, 2015 at 02:15:12PM -0800, Mark Moseley wrote:
> We don't do a lot (or practically any) AXFRs, so I hadn't noticed this
> before now.

Hi Mark,

You probably have something in the database that upsets us (which should not happen of course).

Can you run pdnssec check-zone on example2.com and see what it says?

Bert

From moseleymark at gmail.com  Fri Feb 27 23:09:59 2015
From: moseleymark at gmail.com (Mark Moseley)
Date: Fri, 27 Feb 2015 15:09:59 -0800
Subject: [Pdns-users] AXFR Crashes
In-Reply-To: <20150227221849.GA29966@xs.powerdns.com>
References: <20150227221849.GA29966@xs.powerdns.com>
Message-ID:

On Fri, Feb 27, 2015 at 2:18 PM, bert hubert wrote:

> On Fri, Feb 27, 2015 at 02:15:12PM -0800, Mark Moseley wrote:
> > We don't do a lot (or practically any) AXFRs, so I hadn't noticed this
> > before now.
>
> Hi Mark,
>
> You probably have something in the database that upsets us (which should
> not happen of course).
>
> Can you run pdnssec check-zone on example2.com and see what it says?
>
> Bert
>

It's actually more likely I'm an idiot. I forgot to remove a custom 'gmysql-list-query' query from when I was trying to make pdns 3.4 work with the 2.9.x schema (and gave up -- but forgot to remove the query from the config at the time). Removing it makes AXFRs work just fine.

Amazing that no matter how long you look for, it never fails that you find the answer right after you post to a public forum :) There's got to be some sort of sysadmin "law" for that, a la Murphy's Law.

Apologies for the noise.
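
A check that would have surfaced the leftover setting behind Mark's AXFR crash, as an added example (not PowerDNS project code and not something posted on the thread): it reads a pdns.conf, skips the commented-out defaults the packaged file ships with (such as the "# version-string=anonymous" line quoted earlier), and lists every gmysql/gpgsql/gsqlite3 query override, noting whether its backend is actually launched. The sample configuration and its query text are constructed; the pdns.conf syntax rules applied are assumptions.

```python
"""List backend SQL query overrides that are in force in a pdns.conf.

Added example, not PowerDNS project code.  A forgotten custom
gmysql-list-query is what broke AXFR on this thread; this scan makes
such overrides visible.  Assumed pdns.conf syntax: one key=value per
line, "#" starts a comment, so the packaged file's commented-out
defaults (e.g. "# version-string=anonymous") are not active settings.
Module suffixes (launch=gmysql:name) are not handled here.
"""
import re

SETTING_RE = re.compile(r"^([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")
# Matches gmysql-basic-query, gpgsql-list-query, gsqlite3-any-query, ...
QUERY_KEY_RE = re.compile(r"^(g(?:mysql|pgsql|sqlite3))-[a-z0-9-]+-query$")

# Constructed sample: a leftover override from a schema migration, plus
# an override for a backend that is not even launched.
SAMPLE_CONF = """\
# version-string=anonymous
launch=gmysql
gmysql-host=127.0.0.1
gmysql-dbname=dns
# gmysql-basic-query=select ... (commented out, so not active)
gmysql-list-query=select content,ttl,prio,type,domain_id,name from records where domain_id=%d
gpgsql-any-query=select 1
allow-axfr-ips=127.0.0.1
"""


def parse_conf(text):
    """Return active settings as {key: value}; a later duplicate key
    replaces an earlier one, comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def launched_backends(settings):
    """Backends named in launch=, e.g. "gmysql, bind" -> ["gmysql", "bind"]."""
    return [b.strip() for b in settings.get("launch", "").split(",") if b.strip()]


def query_overrides(text):
    """Map each query override key to (value, active), where active tells
    whether the backend the key belongs to is actually launched."""
    settings = parse_conf(text)
    launched = set(launched_backends(settings))
    result = {}
    for key, value in settings.items():
        m = QUERY_KEY_RE.match(key)
        if m:
            result[key] = (value, m.group(1) in launched)
    return result


if __name__ == "__main__":
    # Anything listed here changes what the backend sends to MySQL and
    # deserves a second look before the next AXFR or schema upgrade.
    for key, (value, active) in sorted(query_overrides(SAMPLE_CONF).items()):
        print("%s%s = %s" % ("" if active else "(not launched) ", key, value))
```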
From james at jtaylor.id.au  Sun Feb 1 11:35:18 2015
From: james at jtaylor.id.au (James Taylor)
Date: Sun, 01 Feb 2015 22:35:18 +1100
Subject: [Pdns-users] DS record algorithm suggestions
Message-ID: <54CE0F76.8020702@jtaylor.id.au>

Hello World

Just looking around for some suggestions for DNSSEC algorithms. Currently using RSASHA256, but was looking into possibly using ECDSA P-384.

Does anyone have any insight into this? (and also the different NSEC options)

Thanks,
James Taylor

From carlos at hospedajeydominios.com  Sun Feb 1 18:47:47 2015
From: carlos at hospedajeydominios.com (Carlos HyD)
Date: Sun, 1 Feb 2015 19:47:47 +0100
Subject: [Pdns-users] Axfr notification not success from super master
Message-ID: <23978138-B4C4-4759-89BD-15EC1E5FA280@hospedajeydominios.com>

Hi, we use pdns 2.9 neither as master nor as slave; it just imports zones from BINDs acting as supermasters and then replicates the DB in MySQL to ns2, ns3...
I built a new system to test the 3.4 version and now see that this config no longer works, with the error:

Received NOTIFY for XXXXx from XXXX but slave support is disabled in the configuration

In the docs I see this:

However, a notification from a supermaster carries more persuasion. When PDNS determines that a notification comes from a supermaster and it is bonafide, PDNS can provision the domain automatically, and configure itself as a slave for that zone. Before a supermaster notification succeeds, the following conditions must be met:
• The supermaster must carry a SOA record for the notified domain
• The supermaster IP must be present in the 'supermaster' table
• The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table

I'm testing this by just sending notifications also to the test 3.4 machine from the same named.conf and the same 2.9 that is importing the zones fine. We do not use DNSSEC.

The supermaster table is the same on the new version, so I really have no clue why it is no longer working as expected. I can enable slave in the conf and zones are imported, but I'm just curious about it.

Regards
Carlos Luna

From steffannoord at gmail.com  Mon Feb 2 11:41:34 2015
From: steffannoord at gmail.com (Steffan Noord)
Date: Mon, 2 Feb 2015 12:41:34 +0100
Subject: [Pdns-users] wildcard proof failed dnssec
In-Reply-To: <021101d03ed7$99d7eca0$cd87c5e0$@gmail.com>
References: <003c01d03c7b$e1f1f980$a5d5ec80$@gmail.com> <20150130110447.GA11175@xs.powerdns.com> <021101d03ed7$99d7eca0$cd87c5e0$@gmail.com>
Message-ID: <026c01d03edd$32bee450$983cacf0$@gmail.com>

Hello Bert,

I'm just discussing the problem with Marco from SIDN. He did point me to http://dnsviz.net/d/_25._tcp.startmetplate.nl/VMtu8Q/dnssec/
So for the archive: this is a good site to check a DNSSEC error.

The problem is TLSA.

Rectify-zone fixed the problem. How often do I have to do that? After every DNS update or every day...
-----Original Message-----
From: bert hubert [mailto:bert.hubert at powerdns.com]
Sent: Friday 30 January 2015 12:05
To: Steffan Noord
CC: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] wildcard proof failed dnssec

On Fri, Jan 30, 2015 at 11:59:55AM +0100, Steffan Noord wrote:
> I have a domain with *.domain in an A record
>
> After that SIDN is sending me reports that
>
> wildcard proof failed

Please tell us which PowerDNS version you use and the name of the domain name so we can check.

Thanks!

Bert

From s.posner at telekom.de  Mon Feb 2 12:19:41 2015
From: s.posner at telekom.de (Posner, Sebastian)
Date: Mon, 2 Feb 2015 12:19:41 +0000
Subject: [Pdns-users] wildcard proof failed dnssec
In-Reply-To: <026c01d03edd$32bee450$983cacf0$@gmail.com>
References: <003c01d03c7b$e1f1f980$a5d5ec80$@gmail.com> <20150130110447.GA11175@xs.powerdns.com> <021101d03ed7$99d7eca0$cd87c5e0$@gmail.com> <026c01d03edd$32bee450$983cacf0$@gmail.com>
Message-ID: <035b058bd35e4b1f90ff5a951e045e85@QEO00410.de.t-online.corp>

Steffan Noord wrote:
> Rectify-zone fixed the problem.
> How often do I have to do that?
> After every DNS update or every day...

After every zone update would perfectly do the trick. Some changes, like just changing values alone (e.g. changing the IP address of an A RR), won't need an update, so you could make a differentiation depending on the type of update; but if you don't expect overly huge amounts of updates, I'd say there's no huge gain to be made.
kind regards,
Sebastian

From bert.hubert at powerdns.com  Mon Feb 2 12:54:06 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Mon, 2 Feb 2015 13:54:06 +0100
Subject: [Pdns-users] wildcard proof failed dnssec
In-Reply-To: <026c01d03edd$32bee450$983cacf0$@gmail.com>
References: <003c01d03c7b$e1f1f980$a5d5ec80$@gmail.com> <20150130110447.GA11175@xs.powerdns.com> <021101d03ed7$99d7eca0$cd87c5e0$@gmail.com> <026c01d03edd$32bee450$983cacf0$@gmail.com>
Message-ID: <20150202125406.GB534@xs.powerdns.com>

On Mon, Feb 02, 2015 at 12:41:34PM +0100, Steffan Noord wrote:
> Rectify-zone fixed the problem.
> How often do I have to do that?
> After every DNS update or every day...

If you update the database for DNSSEC records, this is what you need to do:
https://doc.powerdns.com/md/authoritative/dnssec/#rules-for-filling-out-fields-in-database-backends

Good luck!

Bert

> -----Original Message-----
> From: bert hubert [mailto:bert.hubert at powerdns.com]
> Sent: Friday 30 January 2015 12:05
> To: Steffan Noord
> CC: pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] wildcard proof failed dnssec
>
> On Fri, Jan 30, 2015 at 11:59:55AM +0100, Steffan Noord wrote:
> > I have a domain with *.domain in an A record
> >
> > After that SIDN is sending me reports that
> >
> > wildcard proof failed
>
> Please tell us which PowerDNS version you use and the name of the domain
> name so we can check.
>
> Thanks!
>
> Bert

From jordan at webnames.ca  Mon Feb 2 23:26:57 2015
From: jordan at webnames.ca (Jordan Rieger)
Date: Mon, 02 Feb 2015 15:26:57 -0800
Subject: [Pdns-users] 405 Method Not Allowed error returned from zone update HTTP PATCH method against JSON REST API

Hello.
I'm writing code to interface with the HTTP JSON REST API of a PowerDNS 3.4.1 authoritative server with a MySQL backend. I'm submitting a request to modify the records on a zone using a PATCH method as specified at https://doc.powerdns.com/md/httpapi/api_spec/#url-serversserver95idzoneszone95id, and I'm getting back a "405 Method Not Allowed" response.

I am able to successfully GET the pre-created example.com zone and POST (create) or DELETE my own test zone. It's only PATCH that's not working.

I tried increasing the server log level to 9 (the maximum), and I see my request in the log, but it only shows the request size and the fact that it caused a 405 error, which I already know.

It doesn't seem to matter what content the PATCH request actually contains, what zone I use, or even if the zone exists at all. It seems to just be the PATCH method itself causing the problem. This makes me think that it is a simple configuration problem on the server. Maybe the internal HTTP server component is rejecting PATCH requests by default?

Anyways, here is the request. This is attempting to delete all TXT records on example.com:

10.9.9.64:8081 /servers/localhost/zones/example.com
PATCH {"rrsets":[{"name":"example.com","type":"TXT","changetype":"DELETE","records":[],"comments":[]}]}

Response: 405 Method Not Allowed

Thanks in advance.

From bert.hubert at powerdns.com  Tue Feb 3 10:34:42 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Tue, 3 Feb 2015 11:34:42 +0100
Subject: [Pdns-users] PowerDNS Authoritative Server 3.4.2 Released
Message-ID: <20150203103442.GA22731@xs.powerdns.com>

Warning: Version 3.4.2 of the PowerDNS Authoritative Server is a major upgrade if you are coming from 2.9.x. Additionally, if you are coming from any 3.x version (including 3.3.1), there is a mandatory SQL schema upgrade.
Please refer to the Upgrade documentation for important information on correct and stable operation, as well as notes on performance and memory use.

Find the downloads on our download page, https://www.powerdns.com/downloads.html

This is a performance and bugfix update to 3.4.1 and any earlier version. For high traffic setups, including those using DNSSEC, upgrading to 3.4.2 may show tremendous performance increases. Please let us know.

We would like to thank Patrik Wallström of IIS, Kees Monshouwer and Fredrik Eriksson of Loopia for working with us on solving several issues that only became apparent on a 750000 domain (!) DNSSEC installation, the last of which we could eventually trace to memory fragmentation in the secure allocator of our cryptography library.

This bug chase, which lasted for over a month, led to numerous other improvements, like better statistical metrics for plotting (actual CPU usage, uptime, key cache size, signatures/s) and the 'sharding' of our internal caches to better support multi-CPU operations.

A list of changes since 3.4.1 follows. Please see the full clickable changelog at https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-342

Improvements:
* implement CORS for the HTTP API
* qtype is now case insensitive in API and database
* Allow (optional) PIE hardening
* json-api: remove priority from json
* backport remotebackend fixes
* Support Lua 5.3
* support single-type ZSK signing
* Potential fix for ticket #1907, we now try to trigger libgcc_s.so.1 to load before we chroot. I can't reproduce the bug on my local system, but this "should" help.
* update polarssl to 1.3.9

Bug fixes:
* refuse overly long labels in names
* auth: limit long version strings to 63 characters and catch exceptions in secpoll
* pdnssec: fix ttl check for RRSIG records
* fix up latency reporting for sub-millisecond latencies (would clip to 0)
* make sure we don't throw an exception on "pdns_control show" of an unknown variable
* fix startup race condition with carbon thread already trying to broadcast uninitialized data
* make qsize-q more robust
* Kees Monshouwer discovered we count corrupt packets and EAGAIN situations as validly received packets, skewing the udp questions/answers graphs on auth.
* make latency & qsize reporting 'live'. Plus fix that we only reported the qsize of the first distributor.
* fix up statbag for carbon protocol and function pointers
* get priority from table in Lua axfrfilter; fixes ticket #1857
* various backends: fix records pointing at root
* remove additional layer of trailing . stripping, which broke MX records to the root in the BIND backend. Should close ticket #1243.
* api: use uncached results for getKeys()
* read ALLOW-AXFR-FROM from the backend with the metadata

Minor changes:
* move manpages to section 1
* secpoll: Replace ~ with _
* only zones with an active ksk are secure
* api: show keys for zones without active ksk

New features:
* add signatures metric to auth, so we can plot signatures/second
* pdns_control: make it possible to notify all zones at once
* JSON API: provide flush-cache, notify, axfr-receive
* add 'bench-db' to do very simple database backend performance benchmark
* enable callback based metrics to statbags, and add 5 such metrics: uptime, sys-msec, user-msec, key-cache-size, meta-cache-size, signature-cache-size

Performance improvements:
* better key for packetcache
* don't do time(0) under signature cache lock
* shard the packet cache, closing ticket #1910.
* with thanks to Jack Lloyd, this works around the default Botan allocator slowing down for us during production use.

From christian.hofstaedtler at deduktiva.com  Tue Feb 3 11:48:34 2015
From: christian.hofstaedtler at deduktiva.com (Christian Hofstaedtler)
Date: Tue, 3 Feb 2015 11:48:34 +0000
Subject: [Pdns-users] 405 Method Not Allowed error returned from zone update HTTP PATCH method against JSON REST API

Hi!

> On 03 Feb 2015, at 00:26, Jordan Rieger wrote:
> I'm writing code to interface with the HTTP JSON REST API of a PowerDNS 3.4.1 authoritative server with a MySQL backend.
[..]
> I tried increasing the server log level to 9 (the maximum), and I see my request in the log, but it only shows the request size and the fact that it caused a 405 error, which I already know.

Indeed, the logging could be more useful.

> It doesn't seem to matter what content the PATCH request actually contains, what zone I use, or even if the zone exists at all. It seems to just be the PATCH method itself causing the problem. This makes me think that it is a simple configuration problem on the server. Maybe the internal HTTP server component is rejecting PATCH requests by default?
>
> Anyways, here is the request. This is attempting to delete all TXT records on example.com:
>
> 10.9.9.64:8081 /servers/localhost/zones/example.com PATCH {"rrsets":[{"name":"example.com","type":"TXT","changetype":"DELETE","records":[],"comments":[]}]}

So, a full `curl` command line or an XHR dump would be useful. From what I can see, if you're able to POST/DELETE zones, PATCH should also work.

Can you try the steps with curl outlined in https://doc.powerdns.com/md/httpapi/README/#try-it, as those exactly create a zone and then PATCH it.
Based on the instructions from the intro sections, I tried your request with curl, and that does seem to work:

curl -X PATCH --data '{"rrsets":[{"name":"example.org","type":"TXT","changetype":"DELETE","records":[],"comments":[]}]}' -H 'X-API-Key: changeme' http://127.0.0.1:8081/servers/localhost/zones/example.org -v
< HTTP/1.1 200 OK
{"id":"example.org.","url":"/servers/localhost/zones/example.org.","name":"example.org","type":"Zone","kind":"Master","dnssec":false,"soa_edit_api":"","soa_edit":"","masters":[],"serial":2002022401,"notified_serial":0,"last_check":0,"records":[{"name":"bill.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.3"},{"name":"example.org","type":"MX","ttl":86400,"disabled":false,"content":"10 mail.another.com"},{"name":"example.org","type":"NS","ttl":86400,"disabled":false,"content":"ns1.example.org"},{"name":"example.org","type":"NS","ttl":86400,"disabled":false,"content":"ns2.smokeyjoe.com"},{"name":"example.org","type":"SOA","ttl":86400,"disabled":false,"content":"ns1.example.org. hostmaster.example.org. 2002022401 10800 15 604800 10800"},{"name":"fred.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.4"},{"name":"ftp.example.org","type":"CNAME","ttl":86400,"disabled":false,"content":"www.example.org"},{"name":"ns1.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.1"},{"name":"test.example.org","type":"A","ttl":86400,"disabled":false,"content":"1.1.1.1"},{"name":"www.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.2"}],"comments":[]}

Best,
--
Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
www.deduktiva.com / +43 1 353 1707

From jordan at webnames.ca  Tue Feb 3 19:13:44 2015
From: jordan at webnames.ca (Jordan Rieger)
Date: Tue, 03 Feb 2015 11:13:44 -0800
Subject: [Pdns-users] 405 Method Not Allowed error returned from zone update HTTP PATCH method against JSON REST API

Running the HTTP request in an outside tool, rather than my own code, was the key to debugging it. It looks like the problem was caused by an issue in an HTTP helper method on my end. I thought I was setting the HTTP verb to "PATCH" but my helper method was actually overwriting it with "POST", and that was causing the PowerDNS server, naturally, to reject it.

Thanks for your help, Christian.

-----Original Message-----
From: Christian Hofstaedtler [mailto:christian.hofstaedtler at deduktiva.com]
Sent: Tuesday, February 03, 2015 3:49 AM
To: Jordan Rieger
Cc: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] 405 Method Not Allowed error returned from zone update HTTP PATCH method against JSON REST API

Hi!

> On 03 Feb 2015, at 00:26, Jordan Rieger wrote:
> I'm writing code to interface with the HTTP JSON REST API of a PowerDNS 3.4.1 authoritative server with a MySQL backend.
[..]
> I tried increasing the server log level to 9 (the maximum), and I see my request in the log, but it only shows the request size and the fact that it caused a 405 error, which I already know.
Indeed, the logging could be more useful.

> It doesn't seem to matter what content the PATCH request actually contains, what zone I use, or even if the zone exists at all. It seems to just be the PATCH method itself causing the problem. This makes me think that it is a simple configuration problem on the server. Maybe the internal HTTP server component is rejecting PATCH requests by default?
>
> Anyways, here is the request. This is attempting to delete all TXT records on example.com:
>
> 10.9.9.64:8081 /servers/localhost/zones/example.com PATCH {"rrsets":[{"name":"example.com","type":"TXT","changetype":"DELETE","records":[],"comments":[]}]}

So, a full `curl` command line or an XHR dump would be useful. From what I can see, if you're able to POST/DELETE zones, PATCH should also work.

Can you try the steps with curl outlined in https://doc.powerdns.com/md/httpapi/README/#try-it, as those exactly create a zone and then PATCH it.

Based on the instructions from the intro sections, I tried your request with curl, and that does seem to work:

curl -X PATCH --data '{"rrsets":[{"name":"example.org","type":"TXT","changetype":"DELETE","records":[],"comments":[]}]}' -H 'X-API-Key: changeme' http://127.0.0.1:8081/servers/localhost/zones/example.org -v
< HTTP/1.1 200 OK
{"id":"example.org.","url":"/servers/localhost/zones/example.org.","name":"example.org","type":"Zone","kind":"Master","dnssec":false,"soa_edit_api":"","soa_edit":"","masters":[],"serial":2002022401,"notified_serial":0,"last_check":0,"records":[{"name":"bill.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.3"},{"name":"example.org","type":"MX","ttl":86400,"disabled":false,"content":"10 mail.another.com"},{"name":"example.org","type":"NS","ttl":86400,"disabled":false,"content":"ns1.example.org"},{"name":"example.org","type":"NS","ttl":86400,"disabled":false,"content":"ns2.smokeyjoe.com"},{"name":"example.org","type":"SOA","ttl":86400,"disabled":false,"content":"ns1.example.org. hostmaster.example.org. 2002022401 10800 15 604800 10800"},{"name":"fred.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.4"},{"name":"ftp.example.org","type":"CNAME","ttl":86400,"disabled":false,"content":"www.example.org"},{"name":"ns1.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.1"},{"name":"test.example.org","type":"A","ttl":86400,"disabled":false,"content":"1.1.1.1"},{"name":"www.example.org","type":"A","ttl":86400,"disabled":false,"content":"192.168.0.2"}],"comments":[]}

Best,
--
Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
www.deduktiva.com / +43 1 353 1707

From bert.hubert at powerdns.com  Wed Feb 4 11:22:04 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Wed, 4 Feb 2015 12:22:04 +0100
Subject: [Pdns-users] Introducing 3.7.0 blogpost + PowerDNS Recursor 3.7.0-RC2 available
Message-ID: <20150204112204.GA1759@xs.powerdns.com>

Hi everybody,

We're pleased to announce the second release candidate for 3.7.0. RC1 has seen a lot of production use already, which uncovered a small number of issues which have been addressed in RC2. We are very grateful for the people that test our RCs; it really helps us deliver very reliable and robust formal releases. Thanks!

More information about 3.7.0 can be found in our blogpost: http://blog.powerdns.com/2015/01/22/an-introduction-to-powerdns-recursor-3-7-0/

3.7.0 offers significant performance improvements when using IPv6 for outgoing queries, which is only on if query-local-address6 is set to something.

Secondly, we spent a lot of time with very large PowerDNS deployments to preemptively improve our resilience against difficult or malicious traffic. To further enhance our resilience, the Lua module has been enhanced with new (bulk & automated) filtering abilities.

This version of the Recursor can also publish live performance graphs & a realtime overview of (attack) traffic per domain name.
A demo of this can be seen on https://xs.powerdns.com/tmp/powerdns-recursor-live.gif. This is an early development, but to try this out, consult https://github.com/ahupowerdns/recuweb

Tar.gz and packages are available on:
* https://downloads.powerdns.com/testing/
* Soon: https://www.monshouwer.eu/download/3rd_party/pdns-recursor/rc2/ (RHEL/CentOS, with the usual huge thanks to Kees Monshouwer).

The changelog with clickable links can also be found on https://doc.powerdns.com/md/changelog/#powerdns-recursor-370

Changes new to RC2 are marked as such. This version contains a mix of speedups and improvements, the combined effect of which is vastly improved resilience against traffic spikes and malicious query overloads.

Minor changes:
* Removal of dead code here and there 04dc6d618
* Per-qtype response counters are now 64 bit 297bb6acf on 64 bit systems
* Add IPv6 addresses for b and c.root-servers.net hints efc259542
* Add IP address to logging about terminated queries 37aa9904d
* Improve qtype name logging fab3ed345 (Aki Tuomi)
* Redefine 'BAD_NETS' for dont-query based on newer IANA guidance 12cd44ee0 (lochiiconnectivity)
* Add documentation links to systemd unit eb154adfd (Ruben Kerkhof)

Improvements:
* Upgrade embedded PolarSSL to 1.3.9: d330a2ea1
* yahttp upgrade c29097577 c65a57e88 (Aki Tuomi)
* Replace . in hostnames by - for Carbon so as not to confuse Metronome 46541751e
* Manpages got a lot of love and are now built from Markdown (Pieter Lexis)
* Move to PolarSSL base64 488360551 (Kees Monshouwer)
* The quiet=no query logging is now more informative 461df9d20
* We can finally bind to 0.0.0.0 and :: and guarantee answers from the correct source b71b60ee7
* We use per-packet timestamps to drop ancient traffic in case of overload b71b60ee7
* Builtin webserver can be queried with the API key in the URL again c89f8cd02
* Ringbuffers are now available via API c89f8cd02
* Lua 5.3 compatibility 59c6fc3e3 (Kees Monshouwer)
* No longer leave a stale UNIX domain socket around from rec_control if the recursor was down 524e4f4d8, ticket #2061 (RC2)
* Running with 'quiet=no' would strangely actually prevent debug messages from being logged f48d7b657 (RC2)
* Webserver now implements CORS for the API ea89a97e8 (RC2), fixing ticket #1984
* Housekeeping thread would sometimes run multiple times simultaneously, which worked, but was odd cc59bce67 (RC2)
* Tweaked the DoS timeouts somewhat compared to RC1 c59501468 based on feedback (RC2)

New features:
* Lua preoutquery filter 3457a2a0e
* Lua IP-based filter (ipfilter) before parsing packets 4ea949413
* iputils class for Lua, to quickly process IP addresses and netmasks in their native format
* Various new ringbuffers: top-servfail-remotes, top-largeanswer-remotes, top-servfail-queries

Speedups:
* Remove unneeded malloc traffic 93d4a8909 8682c32bc a903b39cf
* Our nameserver-loop detection carried around a lot of baggage for complex domain names, plus did not differentiate IPv4 and IPv6 well enough 891fbf888
* Prioritize new queries over nameserver responses, improving latency under query bursts bf3b0cec3
* Remove escaping in case there was nothing to escape 83b746fd1
* Our logging infrastructure had a lot of locking d1449e4d0
* Reduce logging level of certain common messages, which locked up synchronously logging systems 854d44e31
* Add limit on total wall-clock time spent on a query 9de3e0340
* Packet cache is now case-insensitive, which increases hitrate 90974597a

Security relevant:
* Check for PIE, RELRO and stack protector during configure 8d0354b18 (Aki Tuomi)
* Testing for support of PIE etc was improved in b2053c28c and beyond, fixes #2125 (Ruben Kerkhof)
* Max query-per-query limit (max-qperq) is now configurable 173d790ea

Bugs fixed:
* IPv6 outgoing queries had a disproportionate effect on our query load. Fixed in 76f190f2a and beyond.
* rec_control gave incorrect output on a timeout 12997e9d8
* When using the webserver AND having an error in the Lua script, recursor could crash during startup 62f0ae629
* Hugely long version strings would trip up security polling 18b733382 (Kees Monshouwer)
* The 'remotes' ringbuffer was sized incorrectly f8f243b01 (RC2)
* Cache sizes had an off-by-one scaling problem, with the wrong number of entries allocated per thread f8f243b01 (RC2)
* Our automatic file descriptor limit raising was attempted after setuid, which made it a lot less effective. Found and fixed by Aki Tuomi a6414fdce (RC2)
* Timestamps used for dropping packets were occasionally wrong 183eb8774 and 4c4765c10 (RC2) with thanks to Winfried for debugging.
* In RC1, our new DoS protection measures would crash the Recursor if too many root servers were unreachable. 6a6fb05ad. Debugging and testing by Fusl.

Various other documentation changes by Christian Hofstaedtler and Ruben Kerkhof. Lots of improvements all over the place by Kees Monshouwer.
From james+pdns at atlanticmetro.net  Wed Feb 4 12:10:50 2015
From: james+pdns at atlanticmetro.net (James Cornman)
Date: Wed, 4 Feb 2015 07:10:50 -0500
Subject: [Pdns-users] NS delegation problems

Hello,

I tried to search for the topic; however, I'm not sure of the proper phrasing and thus didn't end up with clear findings.

I have several servers running PowerDNS: some authoritative only, on version 3.3, and some on the latest as downloadable from the website, 3.4.2 (auth) and 3.6.2 (recursor). Across all of them, I'm not able to get NS records to external DNS servers to function. We're using the gmysql backend across the board.

We've been doing authoritative on this group of systems for a while, but have a legacy cluster of BIND servers that we're now trying to consolidate to pdns, but this problem has been a brick wall.

Our most common use case is delegating reverse DNS. There are records for 100.94.145.204.in-addr.arpa with type NS and content of ns1.customer.com; however, querying that yields no result. Previously in BIND, it works out of the box, but I can't find the magic options to let this work in PowerDNS.

Some examples are listed below, but here are some facts.
- There is an SOA record for the zone 94.145.204.in-addr.arpa
- There are NS records for the zone 94.145.204.in-addr.arpa
- There is an NS record for 100.94.145.204.in-addr.arpa
- The NS server in the content field is not hosted by our DNS servers.
- I've tried toggling the out-of-zone-additional-processing, send-root-referral fields
- Same behavior on auth only servers vs auth + recursor servers
- Have tried setting up a zone with SOA/NS records, and A record for the customer's DNS server

PDNS: Not working. No answer returned.
[james at eng:~] % dig @10.250.50.237 100.94.145.204.in-addr.arpa ptr

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @10.250.50.237 100.94.145.204.in-addr.arpa ptr
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40501
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;100.94.145.204.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
100.94.145.204.in-addr.arpa. 3600 IN NS ns17.bitronictech.net.

;; Query time: 3 msec
;; SERVER: 10.250.50.237#53(10.250.50.237)
;; WHEN: Tue Feb 3 15:48:47 2015
;; MSG SIZE rcvd: 80

Querying from the same server direct to the customer's DNS server works fine:

[james at eng:~] % dig @ns17.bitronictech.net 100.94.145.204.in-addr.arpa ptr

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @ns17.bitronictech.net 100.94.145.204.in-addr.arpa ptr
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29030
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;100.94.145.204.in-addr.arpa. IN PTR

;; ANSWER SECTION:
100.94.145.204.in-addr.arpa. 7200 IN PTR lopfar.net.

;; Query time: 2 msec
;; SERVER: 204.145.94.184#53(204.145.94.184)
;; WHEN: Tue Feb 3 15:56:34 2015
;; MSG SIZE rcvd: 69

BIND. Works fine.

[james at eng:~] % dig @208.78.27.4 100.94.145.204.in-addr.arpa ptr

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @208.78.27.4 100.94.145.204.in-addr.arpa ptr
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2875
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;100.94.145.204.in-addr.arpa. IN PTR

;; ANSWER SECTION:
100.94.145.204.in-addr.arpa. 7200 IN PTR lopfar.net.

;; AUTHORITY SECTION:
100.94.145.204.in-addr.arpa. 3600 IN NS ns17.bitronictech.net.

;; ADDITIONAL SECTION:
ns17.bitronictech.net.
5046 IN A 204.145.94.184 ;; Query time: 3 msec ;; SERVER: 208.78.27.4#53(208.78.27.4) ;; WHEN: Tue Feb 3 15:48: Any thoughts or leads are appreciated. Thank you -------------- next part -------------- An HTML attachment was scrubbed... URL: From zaphodb at zaphods.net Wed Feb 4 12:41:42 2015 From: zaphodb at zaphods.net (Stefan Schmidt) Date: Wed, 04 Feb 2015 13:41:42 +0100 Subject: [Pdns-users] NS delegation problems In-Reply-To: References: Message-ID: On 2015-02-04 13:10, James Cornman wrote: > Hello, Hi James, > - There is an SOA record for the zone 94.145.204.in-addr.arpa > - There are NS records for the zone 94.145.204.in-addr.arpa > - There is an NS record for 100.94.145.204.in-addr.arpa > - The NS server in the content field is not hosted by our DNS servers. > - I've tried toggling the out-of-zone-additional-processing, > send-root-referral fields > - Same behavior on auth only servers vs auth + recursor servers > - Have tried setting up a zone with SOA/NS records, and A record for > the customer's DNS server,  > PDNS: Not working. No answer returned. Below it seems that it answers just fine though. > [james at eng:~] % dig @10.250.50.237 [2] 100.94.145.204.in-addr.arpa > ptr  > > ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @10.250.50.237 > [2] 100.94.145.204.in-addr.arpa ptr > ; (1 server found) > ;; global options:  printcmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40501 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;100.94.145.204.in-addr.arpa.   IN      PTR > > ;; AUTHORITY SECTION: > 100.94.145.204.in-addr.arpa. 3600 IN    NS     >  ns17.bitronictech.net. > > ;; Query time: 3 msec > ;; SERVER: 10.250.50.237#53(10.250.50.237) > ;; WHEN: Tue Feb  3 15:48:47 2015 > ;; MSG SIZE  rcvd: 80 This does not seem wrong. > BIND. Works fine.  
> > [james at eng:~] % dig @208.78.27.4 [5] 100.94.145.204.in-addr.arpa ptr > > > ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @208.78.27.4 > [5] 100.94.145.204.in-addr.arpa ptr > ; (1 server found) > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2875 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 > > ;; QUESTION SECTION: > ;100.94.145.204.in-addr.arpa. IN PTR > > ;; ANSWER SECTION: > 100.94.145.204.in-addr.arpa. 7200 IN PTR lopfar.net. > > ;; AUTHORITY SECTION: > 100.94.145.204.in-addr.arpa. 3600 IN NS > ns17.bitronictech.net. > > ;; ADDITIONAL SECTION: > ns17.bitronictech.net. 5046 IN A > 204.145.94.184 > > ;; Query time: 3 msec > ;; SERVER: 208.78.27.4#53(208.78.27.4) > ;; WHEN: Tue Feb 3 15:48: Here you ask with the "rd" aka recursion desired flag and it appears that your BIND Server is indeed configured to recurse for you and go ask ns17.bitronictech.net about the PTR for 100.94.145.204.in-addr.arpa. This is how recursive DNS works, however it is not how authoritative DNS works. BIND just happens to do both at the same time. Did you try setting up a recursive nameserver to ask your PowerDNS auth Server at 10.250.50.237 for 94.145.204.in-addr.arpa and then query it for the PTR of 100.94.145.204.in-addr.arpa? best regards, Stefan From james+pdns at atlanticmetro.net Wed Feb 4 13:00:09 2015 From: james+pdns at atlanticmetro.net (James Cornman) Date: Wed, 4 Feb 2015 08:00:09 -0500 Subject: [Pdns-users] NS delegation problems In-Reply-To: References: Message-ID: Hello, thanks for your response. On Wed, Feb 4, 2015 at 7:41 AM, Stefan Schmidt wrote: > > Below it seems that it answers just fine though.
> > [james at eng:~] % dig @10.250.50.237 [2] 100.94.145.204.in-addr.arpa >> ptr >> >> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @10.250.50.237 >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 >> >> ;; QUESTION SECTION: >> ;100.94.145.204.in-addr.arpa. IN PTR >> >> ;; AUTHORITY SECTION: >> 100.94.145.204.in-addr.arpa. 3600 IN NS >> ns17.bitronictech.net. >> > It indeed returns with the authoritative answer, but I believe my expectation was that since recursion is desired, and there is a pdns-recursor available, that it would do the deed. Mainly that dig or nslookup off of the pdns-authoritative server, with recursion enabled, would end up with an actual PTR answer. You mention that BIND just happens to do both at the same time.. is that something that PDNS can't do, or something I'm doing wrong, or in general a false perception of what is right? Here you ask with the "rd" aka recursion desired flag and it appears that > your BIND Server is indeed configured to recurse for you and go ask > ns17.bitronictech.net about the PTR for 100.94.145.204.in-addr.arpa. This > is how recursive DNS works, however it is not how authoritative DNS works. > BIND just happens to do both at the same time. > Querying the pdns-recursor directly does return the proper result, however ARIN isn't set to point to this pool of pdns servers and thus this recursion is likely interacting with BIND which is still authoritative for the reverse in-addr.arpa zone.... none of which helps my troubleshooting [root at lga1dns1 amc]# dig -p 5300 ptr 100.94.145.204.in-addr.arpa @127.0.0.1 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> -p 5300 ptr 100.94.145.204.in-addr.arpa @127.0.0.1 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;100.94.145.204.in-addr.arpa. IN PTR ;; ANSWER SECTION: 100.94.145.204.in-addr.arpa. 7200 IN PTR lopfar.net. Thanks -James -------------- next part -------------- An HTML attachment was scrubbed...
URL: From zaphodb at zaphods.net Wed Feb 4 13:57:13 2015 From: zaphodb at zaphods.net (Stefan Schmidt) Date: Wed, 04 Feb 2015 14:57:13 +0100 Subject: [Pdns-users] NS delegation problems In-Reply-To: References: Message-ID: On 2015-02-04 14:00, James Cornman wrote: >> [james at eng:~] % dig @10.250.50.237 [2] 100.94.145.204.in-addr.arpa >>> ptr >>> >>> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @10.250.50.237 >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 >>> >>> ;; QUESTION SECTION: >>> ;100.94.145.204.in-addr.arpa. IN PTR >>> >>> ;; AUTHORITY SECTION: >>> 100.94.145.204.in-addr.arpa. 3600 IN NS >>> ns17.bitronictech.net. >>> >> > It indeed returns with the authoritative answer, but I believe my > expectation was that since recursion is desired, and there is a > pdns-recursor available, that it would do the deed. Mainly that dig or > nslookup off of the pdns-authoritative server, with recursion enabled, > would end up with an actual PTR answer. You mention that BIND just > happens > to do both at the same time..is that something that PDNS can't do, or > something I'm doing wrong, or in general a false perception of what is > right? For recursion to become available on the authoritative Server (i.e. pdns-server) the config variables https://doc.powerdns.com/md/authoritative/settings/#recursor and https://doc.powerdns.com/md/authoritative/settings/#allow-recursion will have to be set accordingly. However it is discouraged to do recursion with the auth Server because it leads to exactly the kind of confusion you ran into. Also http://cr.yp.to/djbdns/separation.html lists some good reasons for keeping those two services separated from each other. BIND9 also changed its default behaviour in that regard. 
( https://kb.isc.org/article/AA-00269/0/What-has-changed-in-the-behavior-of-allow-recursion-and-allow-query-cache.html ) > Here you ask with the "rd" aka recursion desired flag and it appears > that >> your BIND Server is indeed configured to recurse for you and go ask >> ns17.bitronictech.net about the PTR for 100.94.145.204.in-addr.arpa. >> This >> is how recursive DNS works, however it is not how authoritative DNS >> works. >> BIND just happens to do both at the same time. >> > Querying the pdns-recursor directly does return the proper result, > however > ARIN isn't set to point to this pool of pdns servers and thus this > recursion is likely interacting with BIND which is still authoritative > for > the reverse in-addr.arpa zone.... none of which helps my troubleshooting Correct, if the ARIN nameservers are still pointing to the IPs of your BIND9 setup then there is no easy way to test if your new setup works with recursive nameservers. As I said already you could tell your recursive Server to ask the IP of your PowerDNS auth setup directly, thus bypassing the ARIN delegation. In PowerDNS recursor you could do that with the https://doc.powerdns.com/md/recursor/settings/#forward-zones-recurse option. For example put forward-zones-recurse=94.145.204.in-addr.arpa=10.250.50.237 in your recursor.conf. Stefan From james+pdns at atlanticmetro.net Wed Feb 4 14:25:30 2015 From: james+pdns at atlanticmetro.net (James Cornman) Date: Wed, 4 Feb 2015 09:25:30 -0500 Subject: [Pdns-users] NS delegation problems In-Reply-To: References: Message-ID: I set the forward-zones-recurse option and it seems to be working correctly. It makes me question if the understanding of the query flow is just all wrong. I will pursue separating authoritative and recursive since this isn't working as expected. I guess I'm curious why the recursor options are even present if this functionality doesn't work for any zones that are authoritative.
All other recursion is working with the exception of zones we're authoritative for that need additional recursion. I'll review the materials you suggested to get some more insight though it seems to stand that some additional clarification might be necessary for the pdns documentation :) I appreciate the help. Thank you. On Wed, Feb 4, 2015 at 8:57 AM, Stefan Schmidt wrote: > On 2015-02-04 14:00, James Cornman wrote: > >> [james at eng:~] % dig @10.250.50.237 [2] 100.94.145.204.in-addr.arpa >>> >>>> ptr >>>> >>>> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @10.250.50.237 >>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 >>>> >>>> ;; QUESTION SECTION: >>>> ;100.94.145.204.in-addr.arpa. IN PTR >>>> >>>> ;; AUTHORITY SECTION: >>>> 100.94.145.204.in-addr.arpa. 3600 IN NS >>>> ns17.bitronictech.net. >>>> >>>> >>> It indeed returns with the authoritative answer, but I believe my >> expectation was that since recursion is desired, and there is a >> pdns-recursor available, that it would do the deed. Mainly that dig or >> nslookup off of the pdns-authoritative server, with recursion enabled, >> would end up with an actual PTR answer. You mention that BIND just happens >> to do both at the same time.. is that something that PDNS can't do, or >> something I'm doing wrong, or in general a false perception of what is >> right? >> > > For recursion to become available on the authoritative Server (i.e. > pdns-server) the config variables > https://doc.powerdns.com/md/authoritative/settings/#recursor > and > https://doc.powerdns.com/md/authoritative/settings/#allow-recursion > will have to be set accordingly. > However it is discouraged to do recursion with the auth Server because it > leads to exactly the kind of confusion you ran into. > Also http://cr.yp.to/djbdns/separation.html lists some good reasons for > keeping those two services separated from each other. > BIND9 also changed its default behaviour in that regard.
( > https://kb.isc.org/article/AA-00269/0/What-has-changed-in- > the-behavior-of-allow-recursion-and-allow-query-cache.html ) > > Here you ask with the "rd" aka recursion desired flag and it appears that >> >>> your BIND Server is indeed configured to recurse for you and go ask >>> ns17.bitronictech.net about the PTR for 100.94.145.204.in-addr.arpa. >>> This >>> is how recursive DNS works, however it is not how authoritative DNS >>> works. >>> BIND just happens to do both at the same time. >>> >>> Querying the pdns-recursor directly does return the proper result, >> however >> ARIN isn't set to point to this pool of pdns servers and thus this >> recursion is likely interacting with BIND which is still authoritative for >> the reverse in-addr.arpa zone.... none of which helps my troubleshooting >> > > Correct, if the ARIN nameservers are still pointing to the IPs of your > BIND9 setup then there is no easy way to test if your new setup works with > recursive nameservers. > As I said already you could tell your recursive Server to ask the IP of > your PowerDNS auth setup directly, thus bypassing the ARIN delegation. > In PowerDNS recursor you could do that with the > https://doc.powerdns.com/md/recursor/settings/#forward-zones-recurse > option. > For example put > forward-zones-recurse=94.145.204.in-addr.arpa=10.250.50.237 > in your recursor.conf. > > Stefan > > -------------- next part -------------- An HTML attachment was scrubbed...
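What a recursor sees when it asks an authoritative server is the whole point of this thread, so here is an added example (mine, not code from the thread or from PowerDNS) that parses DNS wire format with nothing but the Python standard library and classifies a response the way a recursor has to: an answer, a referral to another server, NODATA, or NXDOMAIN. The three packets it inspects are constructed from the dig output quoted above (same names, ids and TTLs), not captured from the wire: the PowerDNS auth at 10.250.50.237 returns a referral (no aa flag, empty ANSWER, NS in AUTHORITY, no glue), ns17.bitronictech.net returns an authoritative answer, and the recursing BIND returns the answer together with the delegation and glue it learned on the way.

```python
"""Classify a DNS response the way a recursor must: ANSWER, REFERRAL, NODATA or NXDOMAIN.
Added example, stdlib only.  The sample packets are constructed from the dig output
quoted in the thread (names, ids and TTLs taken from it), not captured from the wire."""
import struct

A, NS, CNAME, PTR = 1, 2, 5, 12          # the only RR types this example decodes

def encode_name(name):
    """Wire-encode a dotted name, uncompressed."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                     # bounded, so a pointer loop cannot hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("name too long or pointer loop")

def decode_rdata(msg, rtype, start, rdlen):
    if rtype in (NS, CNAME, PTR):
        return decode_name(msg, start)[0]
    if rtype == A:
        return ".".join(str(b) for b in msg[start:start + 4])
    return msg[start:start + rdlen]          # anything else: raw bytes

def parse_message(msg):
    """Header flags, question and the three RR sections as a plain dict."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, question, sections = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        question.append((name, qtype, qclass))
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((name, rtype, ttl, decode_rdata(msg, rtype, off, rdlen)))
            off += rdlen
        sections.append(rrs)
    return {"id": qid, "aa": bool(flags & 0x0400), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "question": question,
            "answer": sections[0], "authority": sections[1], "additional": sections[2]}

def classify(resp):
    """(kind, detail).  A referral is: nothing in ANSWER, AA clear, NS in AUTHORITY."""
    qname, qtype, _ = resp["question"][0]
    if resp["rcode"] == 3:
        return "NXDOMAIN", None
    hits = [rr[3] for rr in resp["answer"]
            if rr[0].lower() == qname.lower() and rr[1] in (qtype, CNAME)]
    if hits:
        return "ANSWER", hits
    ns_rrs = [rr for rr in resp["authority"] if rr[1] == NS]
    if ns_rrs and not resp["aa"]:
        targets = sorted({rr[3] for rr in ns_rrs})
        # Glue = A records in ADDITIONAL for the delegated-to names; without it the
        # recursor must first resolve the NS name before it can follow the referral.
        glue = {rr[0]: rr[3] for rr in resp["additional"] if rr[1] == A and rr[0] in targets}
        return "REFERRAL", {"zone": ns_rrs[0][0], "nameservers": targets, "glue": glue}
    return "NODATA", None

def build_response(qid, question, answer=(), authority=(), additional=(), aa=False, ra=False, rcode=0):
    """Encode a response with RD set and no compression; only used to build the samples."""
    flags = 0x8000 | 0x0100 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    out = struct.pack("!HHHHHH", qid, flags, 1, len(answer), len(authority), len(additional))
    out += encode_name(question[0]) + struct.pack("!HH", question[1], 1)
    for name, rtype, ttl, rdata in list(answer) + list(authority) + list(additional):
        rd = encode_name(rdata) if rtype in (NS, CNAME, PTR) else bytes(int(x) for x in rdata.split("."))
        out += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rd)) + rd
    return out

QNAME = "100.94.145.204.in-addr.arpa."
# What the PowerDNS auth at 10.250.50.237 sent: qr rd ra, no aa, ANSWER empty, NS in AUTHORITY.
AUTH_REFERRAL = build_response(40501, (QNAME, PTR), ra=True,
                               authority=[(QNAME, NS, 3600, "ns17.bitronictech.net.")])
# What ns17.bitronictech.net sent when asked directly: qr aa rd, the PTR in ANSWER.
NS17_ANSWER = build_response(29030, (QNAME, PTR), aa=True, answer=[(QNAME, PTR, 7200, "lopfar.net.")])
# What the recursing BIND sent: the answer plus the delegation and glue it learned on the way.
BIND_ANSWER = build_response(2875, (QNAME, PTR), ra=True, answer=[(QNAME, PTR, 7200, "lopfar.net.")],
                             authority=[(QNAME, NS, 3600, "ns17.bitronictech.net.")],
                             additional=[("ns17.bitronictech.net.", A, 5046, "204.145.94.184")])

if __name__ == "__main__":
    for label, pkt in (("pdns auth", AUTH_REFERRAL), ("ns17 direct", NS17_ANSWER), ("BIND recursing", BIND_ANSWER)):
        print(f"{label:15s} {classify(parse_message(pkt))}")
```

To repeat the check against a live server, send the query with recursion not desired (dig +norecurse @server name ptr) and look for the same three signs. A referral without glue, as here, means a recursor must first resolve ns17.bitronictech.net before it can ask it anything; that is exactly the work an authoritative-only server does not do for you, and why a query to the auth server with rd set still comes back with an empty ANSWER.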
URL: From peter.van.dijk at powerdns.com Thu Feb 5 13:59:43 2015 From: peter.van.dijk at powerdns.com (Peter van Dijk) Date: Thu, 5 Feb 2015 14:59:43 +0100 Subject: [Pdns-users] rectify-zone on non DNSSEC domains In-Reply-To: <54CB0100.2040901@aventer.net> References: <54C9D705.2060504@aventer.net> <55A633E4-1EE9-4C60-9337-43E741A21346@powerdns.com> <54CB0100.2040901@aventer.net> Message-ID: <6E196F9D-FB89-4871-9BA5-8B0484CB889B@powerdns.com> Hello Martin, On 30 Jan 2015, at 4:56 , Martin Chandler wrote: >> On 29 Jan 2015, at 7:45 , Martin Chandler wrote: >> >>> I am running a PowerDNS hidden master behind BIND dns servers serving to >>> the public. >>> >>> We have a mix of DNSSEC secure zones, and non-secure zones. >>> >>> My question is do I have to 'rectify-zone' on the non-secure zones? >>> (does Powerdns still need the auth and ordername for non-secure zones?) >> >> On non-secure zones, ordername is ignored, but auth is not. However, if you just set auth=1 on all records, you get the ‘old’ behaviour, which has been demonstrated to work just fine in practice. If you use the 3.4.0+ SQL schema, you get auth=1 by default. > > Just curious, as a hidden master that only sends zone transfers to the > front end BIND servers, what will I lose with the 'old' behaviour? If you only serve AXFR, there is no difference between ‘old’ and ‘new’ behaviour. In fact, PowerDNS will auto-rectify during outgoing AXFR for you in this case, as long as you make sure SOA queries (that the slave might do to check freshness) don’t fail. Kind regards, -- Peter van Dijk Netherlabs Computer Consulting BV - http://www.netherlabs.nl/ From steven.spencer at kdsi.com Thu Feb 5 19:04:46 2015 From: steven.spencer at kdsi.com (Steven Spencer) Date: Thu, 05 Feb 2015 13:04:46 -0600 Subject: [Pdns-users] Forklift upgrade from 2.9.22 to 3.3.1-1 : what is launch=bind? 
Message-ID: <54D3BECE.7030504@kdsi.com> We are very close to launching 3.3.1-1 and I have a quick question: At the top of the pdns.conf file, third line down, there is: launch=bind Is this required if you are using the gmysql back-end? If so, is bind then required to be installed? Install is on CentOS 6.6 Thanks, -- -- Steven G. Spencer, Network Administrator From aj.mckee at druid-dns.com Thu Feb 5 20:06:24 2015 From: aj.mckee at druid-dns.com (AJ McKee) Date: Thu, 5 Feb 2015 20:06:24 +0000 Subject: [Pdns-users] Forklift upgrade from 2.9.22 to 3.3.1-1 : what is launch=bind? In-Reply-To: <54D3BECE.7030504@kdsi.com> References: <54D3BECE.7030504@kdsi.com> Message-ID: Hi Stephen, That is used for launching the bind backends. Not required if you are using MySQL, bind is not required. Comment out the line and ensure you have the Mysql backend launched instead (gmysql) AJ On 5 February 2015 at 19:04, Steven Spencer wrote: > We are very close to launching 3.3.1-1 and I have a quick question: > > At the top of the pdns.conf file, third line down, there is: > > launch=bind > > Is this required if you are using the gmysql back-end? If so, is bind > then required to be installed? > > Install is on CentOS 6.6 > > Thanks, > > -- > -- > Steven G. Spencer, Network Administrator > > > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users > -- AJ McKee phone: +353 83 1130 545 profile: http://linkedin.com/in/ajmkee jid: aj.mckee at druid-dns.com blog: http://aj.mc-kee.com/ twitter: @ajmckee -------------- next part -------------- An HTML attachment was scrubbed... URL: From steven.spencer at kdsi.com Thu Feb 5 20:30:16 2015 From: steven.spencer at kdsi.com (Steven Spencer) Date: Thu, 05 Feb 2015 14:30:16 -0600 Subject: [Pdns-users] Forklift upgrade from 2.9.22 to 3.3.1-1 : what is launch=bind? 
In-Reply-To: References: <54D3BECE.7030504@kdsi.com> Message-ID: <54D3D2D8.2070803@kdsi.com> Perfect! Thanks! On 02/05/2015 02:06 PM, AJ McKee wrote: > Hi Stephen, > > That is used for launching the bind backends. Not required if you are > using MySQL, bind is not required. > > Comment out the line and ensure you have the Mysql backend launched > instead (gmysql) > > AJ > > On 5 February 2015 at 19:04, Steven Spencer > wrote: > > We are very close to launching 3.3.1-1 and I have a quick question: > > At the top of the pdns.conf file, third line down, there is: > > launch=bind > > Is this required if you are using the gmysql back-end? If so, is > bind then required to be installed? > > Install is on CentOS 6.6 > > Thanks, > -- -- Steven G. Spencer, Network Administrator KSC Corporate - The Kelly Supply Family of Companies Office 308-382-8764 Ext. 1131 Mobile 402-765-8010 -------------- next part -------------- An HTML attachment was scrubbed... URL: From peter.van.dijk at powerdns.com Thu Feb 5 21:45:02 2015 From: peter.van.dijk at powerdns.com (Peter van Dijk) Date: Thu, 5 Feb 2015 22:45:02 +0100 Subject: [Pdns-users] Axfr notification not success from super master In-Reply-To: <23978138-B4C4-4759-89BD-15EC1E5FA280@hospedajeydominios.com> References: <23978138-B4C4-4759-89BD-15EC1E5FA280@hospedajeydominios.com> Message-ID: Hello Carlos, On 01 Feb 2015, at 19:47 , Carlos HyD wrote: > Hi, we use pdns 2.9 neither as master or slave, just imports zones from binds acting like supermasters and then replicate db in mysql to ns2,ns3… If the binds are supermasters to it, the pdns is a slave. > I’m testing this just sending notifications also to the test 3.4 machine from the same named.conf and same 2.9 that is importing the zones fine. We do not use dnssec. > Supermaster table is the same on new version, so I really have no clue why is no longer working as expected. > I can enable slave on conf and zones are imported, but just curious about. 
Yes, you need to enable slave in the config. If your 2.9 worked without this, this was a bug :) Kind regards, -- Peter van Dijk Netherlabs Computer Consulting BV - http://www.netherlabs.nl/ From peter.van.dijk at powerdns.com Fri Feb 6 06:47:19 2015 From: peter.van.dijk at powerdns.com (Peter van Dijk) Date: Fri, 6 Feb 2015 07:47:19 +0100 Subject: [Pdns-users] iputils not available, but LUA support is. In-Reply-To: <7f3598b62af34ac49d134ed4b18eeff3@falken.creativemicrosolutions.com> References: <1421691450991-11195.post@n7.nabble.com> <20150119185353.GA4626@xs.powerdns.com> <7f3598b62af34ac49d134ed4b18eeff3@falken.creativemicrosolutions.com> Message-ID: Hello Doug, On 20 Jan 2015, at 0:07 , Doug Preston wrote: > I don’t see any mention in the docs yet about lua script threads sharing state, is that possible? Right now there is indeed one Lua state per thread, with no sharing of data (for performance reasons the threads are as independent as possible). It might help if you could explain what you’re trying to accomplish with state sharing? We can think of a few things but real world issues are best! Kind regards, -- Peter van Dijk Netherlabs Computer Consulting BV - http://www.netherlabs.nl/ From zane.thomas at gmail.com Fri Feb 6 20:03:06 2015 From: zane.thomas at gmail.com (Zane Thomas) Date: Fri, 06 Feb 2015 12:03:06 -0800 Subject: [Pdns-users] We need your help getting back powerdns.org In-Reply-To: <20150121111503.GA12999@xs.powerdns.com> References: <20150121111503.GA12999@xs.powerdns.com> Message-ID: <54D51DFA.4050601@gmail.com> Bert, > could you please reach out to us or them, so we can start using > powerdns.org Linkedin tells me I know someone who knows the VP of Engineering at Archeo. I will reach out to her and see if she can help. 
Zane From carlos at hospedajeydominios.com Sat Feb 7 10:32:16 2015 From: carlos at hospedajeydominios.com (Carlos HyD) Date: Sat, 7 Feb 2015 11:32:16 +0100 Subject: [Pdns-users] Axfr notification not success from super master In-Reply-To: References: <23978138-B4C4-4759-89BD-15EC1E5FA280@hospedajeydominios.com> Message-ID: <4496A59E-76C3-46A6-B1F9-857EF99D9D71@hospedajeydominios.com> Hi Bert and Peter, thanks for your answer, yes, it does. Regards Carlos Luna > El 1/2/2015, a las 21:13, bert hubert escribió: > > Hi Carlos, > > If 2.9 accepted notifications without ‘slave’ in the configuration, that was a bug. So in 3.4 you should set ‘slave’ if you want to process notifications. > > I’m not entirely sure if this answers your question. 2.9 was a *very* long time ago. > > Bert > > On 01 Feb 2015, at 19:47, Carlos HyD wrote: > >> Hi, we use pdns 2.9 neither as master or slave, just imports zones from binds acting like supermasters and then replicate db in mysql to ns2,ns3... >> >> I build a new system to test 3.4 version and see now this config no longer works with error: >> >> Received NOTIFY for XXXXx from XXXX but slave support is disabled in the configuration >> >> In doc I see this: >> >> However, a notification from a supermaster carries more persuasion. When PDNS determines that a notification comes from a supermaster and it is bonafide, PDNS can provision the domain automatically, and configure itself as a slave for that zone. 
>> Before a supermaster notification succeeds, the following conditions must be met: >> >> • The supermaster must carry a SOA record for the notified domain >> >> • The supermaster IP must be present in the 'supermaster' table >> >> • The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table >> >> >> I’m testing this just sending notifications also to the test 3.4 machine from the same named.conf and same 2.9 that is importing the zones fine. We do not use dnssec. >> Supermaster table is the same on new version, so I really have no clue why is no longer working as expected. >> I can enable slave on conf and zones are imported, but just curious about. >> >> Regards >> Carlos Luna >> _______________________________________________ >> Pdns-users mailing list >> Pdns-users at mailman.powerdns.com >> http://mailman.powerdns.com/mailman/listinfo/pdns-users > From carlos at hospedajeydominios.com Sat Feb 7 10:32:40 2015 From: carlos at hospedajeydominios.com (Carlos HyD) Date: Sat, 7 Feb 2015 11:32:40 +0100 Subject: [Pdns-users] Axfr notification not success from super master In-Reply-To: References: <23978138-B4C4-4759-89BD-15EC1E5FA280@hospedajeydominios.com> Message-ID: Hi Bert, thanks for your answer, yes, it does. Regards Carlos Luna > El 1/2/2015, a las 21:13, bert hubert escribió: > > Hi Carlos, > > If 2.9 accepted notifications without ‘slave’ in the configuration, that was a bug. So in 3.4 you should set ‘slave’ if you want to process notifications. > > I’m not entirely sure if this answers your question. 2.9 was a *very* long time ago. > > Bert > > On 01 Feb 2015, at 19:47, Carlos HyD wrote: > >> Hi, we use pdns 2.9 neither as master or slave, just imports zones from binds acting like supermasters and then replicate db in mysql to ns2,ns3... 
>> >> I build a new system to test 3.4 version and see now this config no longer works with error: >> >> Received NOTIFY for XXXXx from XXXX but slave support is disabled in the configuration >> >> In doc I see this: >> >> However, a notification from a supermaster carries more persuasion. When PDNS determines that a notification comes from a supermaster and it is bonafide, PDNS can provision the domain automatically, and configure itself as a slave for that zone. >> Before a supermaster notification succeeds, the following conditions must be met: >> >> • The supermaster must carry a SOA record for the notified domain >> >> • The supermaster IP must be present in the 'supermaster' table >> >> • The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table >> >> >> I’m testing this just sending notifications also to the test 3.4 machine from the same named.conf and same 2.9 that is importing the zones fine. We do not use dnssec. >> Supermaster table is the same on new version, so I really have no clue why is no longer working as expected. >> I can enable slave on conf and zones are imported, but just curious about. 
>> >> Regards >> Carlos Luna >> _______________________________________________ >> Pdns-users mailing list >> Pdns-users at mailman.powerdns.com >> http://mailman.powerdns.com/mailman/listinfo/pdns-users > From mchandler at aventer.net Sat Feb 7 11:39:19 2015 From: mchandler at aventer.net (Martin Chandler) Date: Sat, 07 Feb 2015 20:39:19 +0900 Subject: [Pdns-users] rectify-zone on non DNSSEC domains In-Reply-To: <6E196F9D-FB89-4871-9BA5-8B0484CB889B@powerdns.com> References: <54C9D705.2060504@aventer.net> <55A633E4-1EE9-4C60-9337-43E741A21346@powerdns.com> <54CB0100.2040901@aventer.net> <6E196F9D-FB89-4871-9BA5-8B0484CB889B@powerdns.com> Message-ID: <54D5F967.6050102@aventer.net> Hello Peter, On 2015/02/05 22:59, Peter van Dijk wrote: > Hello Martin, > > On 30 Jan 2015, at 4:56 , Martin Chandler wrote: > >>> On 29 Jan 2015, at 7:45 , Martin Chandler wrote: >>> >>>> I am running a PowerDNS hidden master behind BIND dns servers serving to >>>> the public. >>>> >>>> We have a mix of DNSSEC secure zones, and non-secure zones. >>>> >>>> My question is do I have to 'rectify-zone' on the non-secure zones? >>>> (does Powerdns still need the auth and ordername for non-secure zones?) >>> >>> On non-secure zones, ordername is ignored, but auth is not. However, if you just set auth=1 on all records, you get the ‘old’ behaviour, which has been demonstrated to work just fine in practice. If you use the 3.4.0+ SQL schema, you get auth=1 by default. >> >> Just curious, as a hidden master that only sends zone transfers to the >> front end BIND servers, what will I lose with the 'old' behaviour? > > If you only serve AXFR, there is no difference between ‘old’ and ‘new’ behaviour. In fact, PowerDNS will auto-rectify during outgoing AXFR for you in this case, as long as you make sure SOA queries (that the slave might do to check freshness) don’t fail. > Thank you very much for the clarification. 
Regards, Martin -- Cellular phone : 090-7849-6808 e-mail:mchandler at aventer.net URL :http://www.aventer.net/ From zozo at z0z0.tk Tue Feb 10 20:26:25 2015 From: zozo at z0z0.tk (Keresztes Péter-Zoltán) Date: Tue, 10 Feb 2015 22:26:25 +0200 Subject: [Pdns-users] hiding version Message-ID: <909790BF-1CE2-4BF7-90F8-498CD6CB684C@z0z0.tk> Hello, Is there a way to hide the powerdns version from public? Peter From james+pdns at atlanticmetro.net Tue Feb 10 20:30:43 2015 From: james+pdns at atlanticmetro.net (James Cornman) Date: Tue, 10 Feb 2015 15:30:43 -0500 Subject: [Pdns-users] hiding version In-Reply-To: <909790BF-1CE2-4BF7-90F8-498CD6CB684C@z0z0.tk> References: <909790BF-1CE2-4BF7-90F8-498CD6CB684C@z0z0.tk> Message-ID: Hello: For authoritative: # version-string PowerDNS version in packets - full, anonymous, powerdns or custom # version-string=anonymous For recursor: I don't know if it has the same keywords (full, powerdns, etc), but you could do # version-string string reported on version.pdns or version.bind # version-string=anonymous On Tue, Feb 10, 2015 at 3:26 PM, Keresztes Péter-Zoltán wrote: > Hello, > > Is there a way to hide the powerdns version from public? > > Peter > > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From cmouse at youzen.ext.b2.fi Tue Feb 10 20:33:52 2015 From: cmouse at youzen.ext.b2.fi (Aki Tuomi) Date: Tue, 10 Feb 2015 22:33:52 +0200 Subject: [Pdns-users] hiding version In-Reply-To: References: <909790BF-1CE2-4BF7-90F8-498CD6CB684C@z0z0.tk> Message-ID: <20150210203352.GA18201@pi.ip.fi> It has the same semantics, you can use 'custom' as in, put in whatever you want.
Aki On Tue, Feb 10, 2015 at 03:30:43PM -0500, James Cornman wrote: > Hello: > > For authoritative: > > # version-string PowerDNS version in packets - full, anonymous, > powerdns or custom > # > version-string=anonymous > > > For recursor: > > I don't know if it has the same keywords (full, powerdns, etc), but you > could do > > # version-string string reported on version.pdns or version.bind > # > version-string=anonymous > > On Tue, Feb 10, 2015 at 3:26 PM, Keresztes Péter-Zoltán > wrote: > > > Hello, > > > > Is there a way to hide the powerdns version from public? > > > > Peter > > > > _______________________________________________ > > Pdns-users mailing list > > Pdns-users at mailman.powerdns.com > > http://mailman.powerdns.com/mailman/listinfo/pdns-users > > > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users From zozo at z0z0.tk Tue Feb 10 20:46:21 2015 From: zozo at z0z0.tk (Keresztes Péter-Zoltán) Date: Tue, 10 Feb 2015 22:46:21 +0200 Subject: [Pdns-users] hiding version In-Reply-To: <20150210203352.GA18201@pi.ip.fi> References: <909790BF-1CE2-4BF7-90F8-498CD6CB684C@z0z0.tk> <20150210203352.GA18201@pi.ip.fi> Message-ID: <24CFB000-042F-4B19-A093-71E02BA49B6F@z0z0.tk> Thanks for your quick help. anonymous as version would do it for now. > On Feb 10, 2015, at 10:33 PM, Aki Tuomi wrote: > > It has the same semantics, you can use 'custom' as in, put in whatever you > want.
> > Aki > > On Tue, Feb 10, 2015 at 03:30:43PM -0500, James Cornman wrote: >> Hello: >> >> For authoritative: >> >> # version-string PowerDNS version in packets - full, anonymous, >> powerdns or custom >> # >> version-string=anonymous >> >> >> For recursor: >> >> I dont know if it has the same keywords (full, powerdns, etc), but you >> could do >> >> # version-string string reported on version.pdns or version.bind >> # >> version-string=anonymous >> >> On Tue, Feb 10, 2015 at 3:26 PM, Keresztes Péter-Zoltán >> wrote: >> >>> Hello, >>> >>> Is there a way to hide the powerdns version from public? >>> >>> Peter >>> >>> _______________________________________________ >>> Pdns-users mailing list >>> Pdns-users at mailman.powerdns.com >>> http://mailman.powerdns.com/mailman/listinfo/pdns-users >>> > >> _______________________________________________ >> Pdns-users mailing list >> Pdns-users at mailman.powerdns.com >> http://mailman.powerdns.com/mailman/listinfo/pdns-users > From hunterj91 at hotmail.com Wed Feb 11 13:09:29 2015 From: hunterj91 at hotmail.com (Jonathan Hunter) Date: Wed, 11 Feb 2015 13:09:29 +0000 Subject: [Pdns-users] Modify Records Table-Time of Day records Message-ID: Hi Guys, I have implemented an ENUM server using powerdns and its working well. I store data of course in the powerdns database, and in particular the records table. Is it possible to modify the structure of the records table, to add new fields? Also has anyone implemented Time of day routing with ENUM and powerdns previously? Any help would be great. Many thanks Jon -------------- next part -------------- An HTML attachment was scrubbed... 
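The records-table question above gets three answers further down this thread: extra columns are harmless, renamed columns can be hidden behind a view that matches the stock schema, and such a view may not be writable, which breaks the AXFR slave path that has to insert into `records`. The following is an added example, not code from the thread or from PowerDNS itself, that runs all three points against sqlite3 as a stand-in for MySQL/PostgreSQL. The site table and column names (`dns_rr`, `fqdn`, `rrtype`, the extra `ticket` column), the sample zone and the trigger name are constructed; the lookup statement is modelled on the generic backend's basic lookup and is an assumption about its shape, not a copy of it.

```python
"""Added example, not code from the thread or from PowerDNS itself:
a renamed records table behind a compatibility view, as Martin
suggests, and the write-path failure Sebastian warns about.
sqlite3 stands in for MySQL/PostgreSQL; table and column names
(dns_rr, fqdn, rrtype, ...) and the sample records are constructed."""
import sqlite3


def build_renamed_schema():
    """Site table with its own column names plus an extra 'ticket' column
    (constructed), and a view named `records` that exposes the column set
    of the stock PowerDNS 3.x generic-SQL records table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE dns_rr (
            rr_id        INTEGER PRIMARY KEY,
            zone_id      INTEGER NOT NULL,
            fqdn         TEXT    NOT NULL,
            rrtype       TEXT    NOT NULL,
            rdata        TEXT    NOT NULL,
            rr_ttl       INTEGER NOT NULL DEFAULT 3600,
            rr_prio      INTEGER,
            changed_at   INTEGER,
            is_disabled  INTEGER NOT NULL DEFAULT 0,
            rr_ordername TEXT,
            is_auth      INTEGER NOT NULL DEFAULT 1,
            ticket       TEXT    -- site-specific column; PowerDNS never touches it
        );
        CREATE VIEW records AS
            SELECT rr_id AS id, zone_id AS domain_id, fqdn AS name,
                   rrtype AS type, rdata AS content, rr_ttl AS ttl,
                   rr_prio AS prio, changed_at AS change_date,
                   is_disabled AS disabled, rr_ordername AS ordername,
                   is_auth AS auth
              FROM dns_rr;
        -- constructed sample zone
        INSERT INTO dns_rr (zone_id, fqdn, rrtype, rdata, ticket) VALUES
            (1, 'example.com', 'SOA',
             'ns1.example.com hostmaster.example.com 2015021701 10800 3600 604800 3600', 'CHG-1'),
            (1, 'example.com', 'NS', 'ns1.example.com', 'CHG-1'),
            (1, 'www.example.com', 'A', '192.0.2.10', 'CHG-2');
    """)
    return con


def lookup_via_view(con, name, qtype):
    """Read path: the shape of the backend's basic lookup (assumption:
    modelled on the stock basic-query), run through the view."""
    rows = con.execute(
        "SELECT content, ttl, prio, type, domain_id, disabled, name, auth "
        "FROM records WHERE disabled = 0 AND type = ? AND name = ?",
        (qtype, name)).fetchall()
    return [row[0] for row in rows]


def try_slave_insert(con):
    """Write path: what storing a record received over AXFR needs.
    Returns None on success, otherwise the database's error text."""
    try:
        con.execute(
            "INSERT INTO records (domain_id, name, type, content, ttl, prio, "
            "change_date, disabled, ordername, auth) "
            "VALUES (1, 'mail.example.com', 'A', '192.0.2.25', 3600, NULL, NULL, 0, NULL, 1)")
        con.commit()
        return None
    except sqlite3.OperationalError as exc:
        con.rollback()
        return str(exc)


def make_view_writable(con):
    """Route INSERTs on the view into the real table. SQLite needs an
    INSTEAD OF trigger for this; MySQL treats a simple one-to-one view as
    updatable on its own, older PostgreSQL needs a rule or trigger."""
    con.executescript("""
        CREATE TRIGGER records_insert INSTEAD OF INSERT ON records
        BEGIN
            INSERT INTO dns_rr (zone_id, fqdn, rrtype, rdata, rr_ttl, rr_prio,
                                changed_at, is_disabled, rr_ordername, is_auth)
            VALUES (NEW.domain_id, NEW.name, NEW.type, NEW.content, NEW.ttl,
                    NEW.prio, NEW.change_date, NEW.disabled, NEW.ordername, NEW.auth);
        END;
    """)


if __name__ == "__main__":
    db = build_renamed_schema()
    print("lookup www A:", lookup_via_view(db, "www.example.com", "A"))
    print("insert through plain view:", try_slave_insert(db))
    make_view_writable(db)
    print("insert after trigger:", try_slave_insert(db))
    print("lookup mail A:", lookup_via_view(db, "mail.example.com", "A"))
```

Reads through the view succeed from the start; the first insert fails with the engine's "is a view" error, which is what a slave zone transfer would hit, and only after the INSTEAD OF trigger does the write land in the site table (with the extra `ticket` column left NULL, since PowerDNS never sets it). Whether you need the trigger at all depends on the engine and on how the view is defined, which is exactly the "depending on how it is created" caveat; covering UPDATE and DELETE the same way is left to the reader.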
From jpmens.dns at gmail.com Wed Feb 11 13:35:15 2015
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Wed, 11 Feb 2015 14:35:15 +0100
Subject: [Pdns-users] Modify Records Table-Time of Day records
In-Reply-To:
References:
Message-ID: <20150211133515.GA55436@tiggr.ww.mens.de>

> Is it possible to modify the structure of the records table, to add new fields?

You can add as many columns as you need; that will not interfere with
PowerDNS Auth operation. (You can also rename existing columns, but
you'd need to redefine the queries PowerDNS uses, so I don't recommend
you doing that.)

        -JP

From mchandler at aventer.net Wed Feb 11 23:35:57 2015
From: mchandler at aventer.net (Martin Chandler)
Date: Thu, 12 Feb 2015 08:35:57 +0900
Subject: [Pdns-users] Modify Records Table-Time of Day records
In-Reply-To: <20150211133515.GA55436@tiggr.ww.mens.de>
References: <20150211133515.GA55436@tiggr.ww.mens.de>
Message-ID: <54DBE75D.2090508@aventer.net>

On 2015/02/11 22:35, Jan-Piet Mens wrote:
>> Is it possible to modify the structure of the records table, to add new fields?
>
> You can add as many columns as you need; that will not interfere with
> PowerDNS Auth operation. (You can also rename existing columns, but
> you'd need to redefine the queries PowerDNS uses, so I don't recommend
> you doing that.)
>

Even if you rename columns, etc it is also possible to then create a view
for PowerDNS that matches the recommended schema. That way you don't have
to redefine the queries...

Regards,
Martin

--
Cellular phone : 090-7849-6808
e-mail:mchandler at aventer.net
URL :http://www.aventer.net/

From nicholas at nicholaswilliams.net Thu Feb 12 05:15:11 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Wed, 11 Feb 2015 23:15:11 -0600
Subject: [Pdns-users] Please test: ALIAS/ANAME apex record in PowerDNS
In-Reply-To: <27EE415C-EB2F-401D-A6A9-13C107E801D8@netherlabs.nl>
References: <20140921105407.GA16178@xs.powerdns.com> <77B292FB-C4A0-4AA4-A5FE-FD0A85863361@netherlabs.nl> <1DF2DEA9-4BB8-4D55-9666-9138920CA8D2@nicholaswilliams.net> <27EE415C-EB2F-401D-A6A9-13C107E801D8@netherlabs.nl>
Message-ID: <69A5B7D0-99E3-4A47-A156-7A61FD0006A8@nicholaswilliams.net>

Do you think it's possible that release candidates for 3.5 could be coming soon? =D

N

On Jan 12, 2015, at 6:35 AM, Peter van Dijk wrote:

> Hello Nick,
>
> this code would be in release 3.5.0, for which no date has been set yet. However, as said below, the autotest website has development snapshots including packages.
>
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
>
> On 06 Jan 2015, at 22:30 , Nicholas Williams wrote:
>
>> I'm not clear on how y'all do releases in relation to your GitHub branches. What is the next version that code in master today can be expected to be released? Is there an estimated timeline/date for that release?
>>
>> Thanks,
>>
>> Nick
>>
>> Sent from my iPhone, so please forgive brief replies and frequent typos
>>
>>> On Jan 5, 2015, at 04:34, Peter van Dijk wrote:
>>>
>>> Hello Pepe,
>>>
>>>> On 30 Dec 2014, at 9:28 , Pepe Charli wrote:
>>>>
>>>> Hi,
>>>>
>>>> Are these ALIAS/ANAME records implemented in PowerDNS Authoritative
>>>> Server 3.4.1 ?
>>>
>>> our ‘first stab’ attempt at this feature is on git master (https://github.com/PowerDNS/pdns/commit/d59b894ddccbd7c280e1b6d212e6b7d754016d38) but not in any released version.
>>>
>>> You can find snapshots and packages at https://autotest.powerdns.com/
>>>
>>> Kind regards,
>>> --
>>> Peter van Dijk
>>> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From bert.hubert at powerdns.com Thu Feb 12 08:47:34 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Thu, 12 Feb 2015 09:47:34 +0100
Subject: [Pdns-users] New PowerDNS employee, the importance of testing RCs, skipping 3.7.0, World Hosting Days 2015
Message-ID: <20150212084733.GA28616@xs.powerdns.com>

Hi everybody,

Some assorted remarks & PowerDNS news:

1) New employee
2) Please test our release candidates
3) 3.7.0 has been skipped, all hail 3.7.1
4) World Hosting days in Germany

New employee
------------
To start with, the great news is that on March 2nd, Pieter Lexis will be
joining PowerDNS as a fulltime employee! Pieter wrote a paper and software
on DANE under our mentorship while at the OS3 program at the University of
Amsterdam, and later did an amazing job converting our documentation to the
splendor you can now find on http://doc.powerdns.com/

Based on this work, we offered Pieter a job and we're very happy he
accepted! Pieter (not to be confused with existing employee Peter) will
focus on helping customers, improving our code & infrastructure, fixing
bugs and working on internet standards relevant for DNS.

Release candidates
------------------
When we work on a PowerDNS release, once we feel that it is ready to be
used, we issue a Release Candidate. This is something you can run in
production, and we expect it to work fine. If you have issues with an RC,
we'll jump on them and resolve them as quickly as is possible.

In the 3.7.0 release process this worked well, and because RC1 and RC2 saw
wide deployment, many small issues were found before the actual release.

3.7.0 was looking good, and we tagged it for release. And then PowerDNS
user & packager Ralf van der Enden reported that the 3.7.0 we uploaded did
exactly nothing on his FreeBSD system.

After intense debugging to see if we could save 3.7.0, we found that we
indeed had a bug which meant 3.7.0 compiled on FreeBSD, but did nothing.
This was fixed.

Today, we are increasing our regression tests to run on FreeBSD as well to
prevent a repeat of this. But we'd like to urge our users, especially the
ones on less mainstream platforms than Debian, Ubuntu, Fedora and Red Hat,
to test our release candidates.

This is one of the best ways you, like Ralf did, can help us deliver
quality products!

3.7.0 will be skipped
---------------------
Because we had uploaded 3.7.0 and had it built for our various platforms,
we are not going to slip the FreeBSD fix into 3.7.0 and end up with two
different 3.7.0 releases.

The next PowerDNS Recursor release will be 3.7.1. This release is imminent,
after we complete our FreeBSD regression testing.

World Hosting Days 2015 in Rust
-------------------------------
PowerDNS and several of our Certified Consultants will be at World Hosting
Days 2015 in Rust, Germany (March 24-26). As always, we enjoy meeting with
PowerDNS users. If you or your management will be there and want to talk,
please let us know!

Kind regards,

Bert
PowerDNS

From peter.van.dijk at powerdns.com Thu Feb 12 12:17:08 2015
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Thu, 12 Feb 2015 13:17:08 +0100
Subject: [Pdns-users] Recursor 3.7.1 released
Message-ID: <5BCD7136-FAE1-47A7-B3A0-D5EB26133A89@powerdns.com>

Hi everybody,

We're pleased to announce the final release for 3.7.1. RC1 and RC2 have
seen a lot of production use already, which uncovered a small number of
issues which have been addressed in this release. We are very grateful for
the people that test our RCs, it really helps us deliver very reliable and
robust formal releases. Thanks!

As noted in a separate announcement earlier today
(http://blog.powerdns.com/2015/02/12/new-powerdns-employee-the-importance-of-testing-rcs-skipping-3-7-0-world-hosting-days-2015/),
3.7.0 has been skipped and we are now releasing 3.7.1 instead.

More information about 3.7.1 can be found in our blogpost:
http://blog.powerdns.com/2015/01/22/an-introduction-to-powerdns-recursor-3-7-0/

3.7.1 offers significant performance improvements when using IPv6 for
outgoing queries, which is only on if query-local-address6 is set to
something.

Secondly, we spent a lot of time with very large PowerDNS deployments to
preemptively improve our resilience against difficult or malicious traffic.
To further enhance our resilience, the Lua module has been enhanced with
new (bulk & automated) filtering abilities.

This version of the Recursor can also publish live performance graphs and a
realtime overview of (attack) traffic per domain name. A demo of this can
be seen on https://xs.powerdns.com/tmp/powerdns-recursor-live.gif . This is
an early development, but to try this out, consult
https://github.com/ahupowerdns/recuweb

Tar.gz and packages are available on:

* https://downloads.powerdns.com/releases/
* Soon: https://www.monshouwer.eu/download/3rd_party/pdns-recursor/
  (RHEL/CentOS, with the usual huge thanks to Kees Monshouwer).
The changelog with clickable links can also be found on
https://doc.powerdns.com/md/changelog/#powerdns-recursor-371

This version contains a mix of speedups and improvements, the combined
effect of which is vastly improved resilience against traffic spikes and
malicious query overloads.

PowerDNS Recursor 3.7.1
Released February 12th, 2015.

This version contains a mix of speedups and improvements, the combined
effect of which is vastly improved resilience against traffic spikes and
malicious query overloads.

Of further note is the massive community contribution, mostly over
Christmas. Especially Ruben Kerkhof, Pieter Lexis, Kees Monshouwer and Aki
Tuomi delivered a lot of love. Thanks!

Minor changes:

* Removal of dead code here and there 04dc6d618
* Per-qtype response counters are now 64 bit 297bb6acf on 64 bit systems
* Add IPv6 addresses for b and c.root-servers.net hints efc259542
* Add IP address to logging about terminated queries 37aa9904d
* Improve qtype name logging fab3ed345 (Aki Tuomi)
* Redefine 'BAD_NETS' for dont-query based on newer IANA guidance 12cd44ee0 (lochiiconnectivity)
* Add documentation links to systemd unit eb154adfd (Ruben Kerkhof)

Improvements:

* Upgrade embedded PolarSSL to 1.3.9: d330a2ea1
* yahttp upgrade c29097577 c65a57e88 (Aki Tuomi)
* Replace . in hostnames by - for Carbon so as not to confuse Metronome 46541751e
* Manpages got a lot of love and are now built from Markdown (Pieter Lexis)
* Move to PolarSSL base64 488360551 (Kees Monshouwer)
* The quiet=no query logging is now more informative 461df9d20
* We can finally bind to 0.0.0.0 and :: and guarantee answers from the correct source b71b60ee7
* We use per-packet timestamps to drop ancient traffic in case of overload b71b60ee7, non-Linux portability in d63f0d836
* Builtin webserver can be queried with the API key in the URL again c89f8cd02
* Ringbuffers are now available via API c89f8cd02
* Lua 5.3 compatibility 59c6fc3e3 (Kees Monshouwer)
* No longer leave a stale UNIX domain socket around from rec_control if the recursor was down 524e4f4d8, ticket #2061
* Running with 'quiet=no' would strangely actually prevent debug messages from being logged f48d7b657
* Webserver now implements CORS for the API ea89a97e8, fixing ticket #1984
* Housekeeping thread would sometimes run multiple times simultaneously, which worked, but was odd cc59bce67

New features:

* New root-nx-trust flag makes PowerDNS generalize NXDOMAIN responses from the root-servers 01402d568
* getregisteredname() for Lua, which turns 'www.bbc.co.uk' into 'bbc.co.uk' 8cd4851be
* Lua preoutquery filter 3457a2a0e
* Lua IP-based filter (ipfilter) before parsing packets 4ea949413
* iputils class for Lua, to quickly process IP addresses and netmasks in their native format
* getregisteredname function for Lua, to find the registered domain for a given name
* Various new ringbuffers: top-servfail-remotes, top-largeanswer-remotes, top-servfail-queries

Speedups:

* Remove unneeded malloc traffic 93d4a8909 8682c32bc a903b39cf
* Our nameserver-loop detection carried around a lot of baggage for complex domain names, plus did not differentiate IPv4 and IPv6 well enough 891fbf888
* Prioritize new queries over nameserver responses, improving latency under query bursts bf3b0cec3
* Remove escaping in case there was nothing to escape 83b746fd1
* Our logging infrastructure had a lot of locking d1449e4d0
* Reduce logging level of certain common messages, which locked up synchronously logging systems 854d44e31
* Add limit on total wall-clock time spent on a query 9de3e0340
* Packet cache is now case-insensitive, which increases hitrate 90974597a

Security relevant:

* Check for PIE, RELRO and stack protector during configure 8d0354b18 (Aki Tuomi)
* Testing for support of PIE etc was improved in b2053c28c and beyond, fixes #2125 (Ruben Kerkhof)
* Max query-per-query limit (max-qperq) is now configurable 173d790ea

Bugs fixed:

* IPv6 outgoing queries had a disproportionate effect on our query load. Fixed in 76f190f2a and beyond.
* rec_control gave incorrect output on a timeout 12997e9d8
* When using the webserver AND having an error in the Lua script, recursor could crash during startup 62f0ae629
* Hugely long version strings would trip up security polling 18b733382 (Kees Monshouwer)
* The 'remotes' ringbuffer was sized incorrectly f8f243b01
* Cache sizes had an off-by-one scaling problem, with the wrong number of entries allocated per thread f8f243b01
* Our automatic file descriptor limit raising was attempted after setuid, which made it a lot less effective. Found and fixed by Aki Tuomi a6414fdce
* Timestamps used for dropping packets were occasionally wrong 183eb8774 and 4c4765c10 (RC2) with thanks to Winfried for debugging.
* In RC1, our new DoS protection measures would crash the Recursor if too many root servers were unreachable. 6a6fb05ad. Debugging and testing by Fusl.

Various other documentation changes by Christian Hofstaedtler and Ruben
Kerkhof. Lots of improvements all over the place by Kees Monshouwer.
From nicholas at nicholaswilliams.net Thu Feb 12 15:00:30 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Thu, 12 Feb 2015 09:00:30 -0600
Subject: [Pdns-users] Currently using distro packages, want to update
Message-ID: <5CBEA825-ADD2-4EEF-8CE7-575C35E61164@nicholaswilliams.net>

I try to always use software packages from my distro package managers
(OpenSUSE zypper and CentOS yum) when I can, because it's easier and it
resolves all my dependencies for me. I pretty much never manually deal with
RPMs (so please forgive some of my ignorance).

But my distro is currently on PDNS Authoritative 3.1, and upgrading my OS
isn't anywhere on my radar right now. I want to get to 3.4.2, so (I think)
I'll need to forego the package manager and install the RPM packages
manually (if there are alternatives, I'm all ears).

Some questions:

- Since I won't have auto dependency management, what dependencies do I
  need installed to install PDNS from RPM?
- Does pdns-static-3.4.2-1.x86_64.rpm _just_ install the binaries, or does
  it install the service, too, so that I can call `service pdns start` and
  configure the service to start automatically on boot? If the RPM doesn't
  do that, is there documentation / what is the recommended way to install
  PDNS as a service when installed manually with an RPM?
- Should I just be able to uninstall the package using my package manager
  and then install the RPM as a drop-in replacement?

Thanks in advance for putting up with my lack of knowledge!

Nick

From michael at stroeder.com Thu Feb 12 15:22:57 2015
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 12 Feb 2015 16:22:57 +0100
Subject: [Pdns-users] Currently using distro packages, want to update
In-Reply-To: <5CBEA825-ADD2-4EEF-8CE7-575C35E61164@nicholaswilliams.net>
References: <5CBEA825-ADD2-4EEF-8CE7-575C35E61164@nicholaswilliams.net>
Message-ID: <54DCC551.5050102@stroeder.com>

Nick Williams wrote:
> I try to always use software packages from my distro package managers (OpenSUSE zypper and CentOS yum) when I can, because it's easier and it resolves all my dependencies for me.
>
> But my distro

Which is your distro? Vendor and exact version number?

For openSUSE I'm trying to keep up with powerdns releases and my
submissions most times end up here pretty soon:

https://build.opensuse.org/package/show/server:dns/pdns
(currently pdns-3.4.2)

https://build.opensuse.org/package/show/server:dns/pdns-recursor
(currently pdns-recursor-3.6.2, 3.7.1 is in my home project but not built yet)

Sooner or later this will be passed downstream in openSUSE Factory for the
next openSUSE release.

You can see here which platforms are enabled for default builds:

https://build.opensuse.org/project/repositories/server:dns

There you will also find the direct download links to zypper repo for your
openSUSE version.

In my OBS home project I'm also building openSUSE Factory_ARM for running
the packages on raspberry pi.

Ciao, Michael.

From s.posner at telekom.de Thu Feb 12 16:22:58 2015
From: s.posner at telekom.de (Posner, Sebastian)
Date: Thu, 12 Feb 2015 16:22:58 +0000
Subject: [Pdns-users] Modify Records Table-Time of Day records
In-Reply-To: <54DBE75D.2090508@aventer.net>
References: <20150211133515.GA55436@tiggr.ww.mens.de> <54DBE75D.2090508@aventer.net>
Message-ID:

Martin Chandler wrote:
> > > Is it possible to modify the structure of the records table,
> > > to add new fields?
> >
> > You can add as many columns as you need; that will not interfere with
> > PowerDNS Auth operation. (You can also rename existing columns, but
> > you'd need to redefine the queries PowerDNS uses, so I don't
> > recommend you doing that.)
> >
>
> Even if you rename columns, etc it is also possible to then create a
> view for PowerDNS that matches the recommended schema.
> That way you don't have to redefine the queries...

Yes, and no. Don't be surprised if things don't work anymore, depending
on your setup. PDNS needs to write into the database/records table for
several applications, and a view is not necessarily writeable, depending
on how it is created.

Notably here would be Superslave operation; or probably any slave
operation mode where replication is done by AXFR and not database means,
as the transferred RRs need to be inserted into the DB at the slave.

So, despite having a view representing the original database layout,
you still may have to redefine some queries.

On a side note: Dear staff, I am lacking to find the
empty-non-terminal-queries at
https://doc.powerdns.com/md/authoritative/backend-generic-mypgsql/ - did
they become obsolete in recent revisions?

Sebastian

From spork at bway.net Mon Feb 16 04:19:24 2015
From: spork at bway.net (Charles Sprickman)
Date: Sun, 15 Feb 2015 23:19:24 -0500
Subject: [Pdns-users] Any status on DNSSEC in Recursor?
Message-ID: <9AA3A9C2-9CE8-4B33-B727-A547A6D03A6C@bway.net>

While asking Google, the same, I hit this old blog post:

http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/

Any new timeline on when this might happen? Does the plan to implement it
still look the same?

Thanks,

Charles

--
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet
www.bway.net
spork at bway.net - 212.655.9344

From steffannoord at gmail.com Mon Feb 16 16:04:51 2015
From: steffannoord at gmail.com (Steffan Noord)
Date: Mon, 16 Feb 2015 17:04:51 +0100
Subject: [Pdns-users] dns problem
Message-ID: <020a01d04a02$4c7e4cc0$e57ae640$@gmail.com>

I have a domain with no www record

The domain has a
*.verbaasdonline.nl record

On my dns servers it is working

dig www.verbaasdonline.nl @ns1.tikklik.nl
;; ANSWER SECTION:
www.verbaasdonline.nl.  3600    IN      A       5.22.255.211

but when using google dns www is not found

dig www.verbaasdonline.nl @8.8.8.8
;; QUESTION SECTION:
;www.verbaasdonline.nl.         IN      A

is this a problem in my dns or a problem with google and wildcards

pdns.i386 3.4.2-1.el5.MIND

From bert.hubert at powerdns.com Mon Feb 16 16:12:18 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Mon, 16 Feb 2015 17:12:18 +0100
Subject: [Pdns-users] dns problem
In-Reply-To: <020a01d04a02$4c7e4cc0$e57ae640$@gmail.com>
References: <020a01d04a02$4c7e4cc0$e57ae640$@gmail.com>
Message-ID: <20150216161218.GA8177@xs.powerdns.com>

On Mon, Feb 16, 2015 at 05:04:51PM +0100, Steffan Noord wrote:
> I have a domain with no www record

Can you run:

pdnssec rectify-zone verbaasdonline.nl
pdnssec check-zone verbaasdonline.nl

? This is probably a DNSSEC issue.

Bert

>
> The domain has a
> *.verbaasdonline.nl record
>
> On my dns servers it is working
>
> dig www.verbaasdonline.nl @ns1.tikklik.nl
> ;; ANSWER SECTION:
> www.verbaasdonline.nl.  3600    IN      A       5.22.255.211
>
> but when using google dns www is not found
>
> dig www.verbaasdonline.nl @8.8.8.8
> ;; QUESTION SECTION:
> ;www.verbaasdonline.nl.         IN      A
>
> is this a problem in my dns or a problem with google and wildcards
>
> pdns.i386 3.4.2-1.el5.MIND

From steffannoord at gmail.com Tue Feb 17 08:11:44 2015
From: steffannoord at gmail.com (Steffan Noord)
Date: Tue, 17 Feb 2015 09:11:44 +0100
Subject: [Pdns-users] cnames
Message-ID: <004b01d04a89$5e873a80$1b95af80$@gmail.com>

Yes cnames are evil
But some clients want to use them.

After checking my dns server i see an error
[Error] CNAME cmsetup.nl found, but other records with same label exist.

The client has a cname www.cmsetup.nl
and a cname cmsetup.nl set up to another domain.
But why is that an error.
If i remove one of the cnames (say www.cmsetup.nl) then the domain is not
responding anymore.

Thanks

Steffan

From bert.hubert at powerdns.com Tue Feb 17 08:16:03 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Tue, 17 Feb 2015 09:16:03 +0100
Subject: [Pdns-users] cnames
In-Reply-To: <004b01d04a89$5e873a80$1b95af80$@gmail.com>
References: <004b01d04a89$5e873a80$1b95af80$@gmail.com>
Message-ID: <20150217081603.GD14514@xs.powerdns.com>

On Tue, Feb 17, 2015 at 09:11:44AM +0100, Steffan Noord wrote:
> Yes cnames are evil
> But some clients want to use them.
>
> After checking my dns server i see an error
> [Error] CNAME cmsetup.nl found, but other records with same label exist.
>
> The client has a cname www.cmsetup.nl
> and a cname cmsetup.nl set up to another domain.
> But why is that an error.

Because sadly that is how DNS works. You can't have a CNAME together with a
SOA. This is not a powerdns issue.
Bert

From steffannoord at gmail.com Tue Feb 17 08:17:39 2015
From: steffannoord at gmail.com (Steffan Noord)
Date: Tue, 17 Feb 2015 09:17:39 +0100
Subject: [Pdns-users] cnames
In-Reply-To: <20150217081603.GD14514@xs.powerdns.com>
References: <004b01d04a89$5e873a80$1b95af80$@gmail.com> <20150217081603.GD14514@xs.powerdns.com>
Message-ID: <005001d04a8a$31fde710$95f9b530$@gmail.com>

So the soa needs to be removed ?

-----Original message-----
From: bert hubert [mailto:bert.hubert at powerdns.com]
Sent: Tuesday 17 February 2015 9:16
To: Steffan Noord
CC: 'Pdns'
Subject: Re: [Pdns-users] cnames

On Tue, Feb 17, 2015 at 09:11:44AM +0100, Steffan Noord wrote:
> Yes cnames are evil
> But some clients want to use them.
>
> After checking my dns server i see an error [Error] CNAME cmsetup.nl
> found, but other records with same label exist.
>
> The client has a cname www.cmsetup.nl and a cname cmsetup.nl set up
> to another domain.
> But why is that an error.

Because sadly that is how DNS works. You can't have a CNAME together with a
SOA. This is not a powerdns issue.

Bert

From bert.hubert at powerdns.com Tue Feb 17 08:27:10 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Tue, 17 Feb 2015 09:27:10 +0100
Subject: [Pdns-users] cnames
In-Reply-To: <005001d04a8a$31fde710$95f9b530$@gmail.com>
References: <004b01d04a89$5e873a80$1b95af80$@gmail.com> <20150217081603.GD14514@xs.powerdns.com> <005001d04a8a$31fde710$95f9b530$@gmail.com>
Message-ID: <20150217082710.GE14514@xs.powerdns.com>

I recommend learning about DNS. http://shop.oreilly.com/product/9780596100575.do
is probably a good start. I'm sorry we can't be more helpful, but basic
knowledge about DNS can be really helpful when running DNS.

Do not remove your SOA record in any case!

Bert

On Tue, Feb 17, 2015 at 09:17:39AM +0100, Steffan Noord wrote:
> So the soa needs to be removed ?
>
>
> -----Original message-----
> From: bert hubert [mailto:bert.hubert at powerdns.com]
> Sent: Tuesday 17 February 2015 9:16
> To: Steffan Noord
> CC: 'Pdns'
> Subject: Re: [Pdns-users] cnames
>
> On Tue, Feb 17, 2015 at 09:11:44AM +0100, Steffan Noord wrote:
> > Yes cnames are evil
> > But some clients want to use them.
> >
> > After checking my dns server i see an error [Error] CNAME cmsetup.nl
> > found, but other records with same label exist.
> >
> > The client has a cname www.cmsetup.nl and a cname cmsetup.nl set up
> > to another domain.
> > But why is that an error.
>
> Because sadly that is how DNS works. You can't have a CNAME together with a
> SOA. This is not a powerdns issue.
>
> Bert

From steffannoord at gmail.com Tue Feb 17 13:07:38 2015
From: steffannoord at gmail.com (Steffan Noord)
Date: Tue, 17 Feb 2015 14:07:38 +0100
Subject: [Pdns-users] cnames
In-Reply-To: <-1587561429133483169@unknownmsgid>
References: <004b01d04a89$5e873a80$1b95af80$@gmail.com> <-1587561429133483169@unknownmsgid>
Message-ID: <00b301d04ab2$b4e931c0$1ebb9540$@gmail.com>

Thanks
I never use cnames i found it and updating my panel to not let this be
added again.

-----Original message-----
From: James Cornman [mailto:james at atlanticmetro.net]
Sent: Tuesday 17 February 2015 14:06
To: Steffan Noord
CC: Pdns
Subject: Re: [Pdns-users] cnames

To be more clear than the others, you can't have a CNAME record for domain.com.

> On Feb 17, 2015, at 3:13 AM, Steffan Noord wrote:
>
> Yes cnames are evil
> But some clients want to use them.
>
> After checking my dns server i see an error [Error] CNAME cmsetup.nl
> found, but other records with same label exist.
>
> The client has a cname www.cmsetup.nl and a cname cmsetup.nl set up
> to another domain.
> But why is that an error.
> If i remove one of the cnames (say www.cmsetup.nl) then the domain
> is not responding anymore.
>
> Thanks
>
> Steffan

From steven.spencer at kdsi.com Tue Feb 17 21:59:46 2015
From: steven.spencer at kdsi.com (Steven Spencer)
Date: Tue, 17 Feb 2015 15:59:46 -0600
Subject: [Pdns-users] Update from 2.9.21 to 3.3.1-1 - Color me confused
Message-ID: <54E3B9D2.6050206@kdsi.com>

List,

I need to preface this that we are not using DNSSEC.

In doing the schema changes, I've run into problems, or what appear to be
problems:

Schema changes required (according to the upgrade notes) for 2.9.x to 3.1:

mysql> ALTER TABLE records MODIFY content VARCHAR(64000);
mysql> ALTER TABLE tsigkeys MODIFY algorithm VARCHAR(50);

The first one (above) works as expected, second one gives this error:

ERROR 1146 (42S02): Table 'powerdns.tsigkeys' doesn't exist

In reading, it says that this change is required for DNSSEC, so I went on:

Changes required for 3.1 to 3.2:

alter table records modify ordername VARCHAR(255) BINARY;
drop index orderindex on records;
create index recordorder on records (domain_id, ordername);

All of these generate errors

ERROR 1054 (42S22): Unknown column 'ordername' in 'records'
ERROR 1091 (42000): Can't DROP 'orderindex'; check that column/key exist
ERROR 1072 (42000): Key column 'ordername' doesn't exist in table

Last error is obvious, since it already argued on the first command as an
unknown column

Changes required for 3.2 to 3.3:

alter table supermasters modify ip VARCHAR(64);

This works as expected.

Am I missing earlier schema changes? This is the second time through this.

Thanks,

--
--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010

From ktm at rice.edu Tue Feb 17 22:08:09 2015
From: ktm at rice.edu (ktm at rice.edu)
Date: Tue, 17 Feb 2015 16:08:09 -0600
Subject: [Pdns-users] Update from 2.9.21 to 3.3.1-1 - Color me confused
In-Reply-To: <54E3B9D2.6050206@kdsi.com>
References: <54E3B9D2.6050206@kdsi.com>
Message-ID: <20150217220809.GN5510@aart.rice.edu>

Hi Steven,

Review the schema and if the tables do not exist create them as
specified. The alters should be run against existing tables.

Regards,
Ken

On Tue, Feb 17, 2015 at 03:59:46PM -0600, Steven Spencer wrote:
> List,
>
> I need to preface this that we are not using DNSSEC.
>
> In doing the schema changes, I've run into problems, or what appear
> to be problems:
>
> Schema changes required (according to the upgrade notes) for 2.9.x to 3.1:
>
> mysql> ALTER TABLE records MODIFY content VARCHAR(64000);
> mysql> ALTER TABLE tsigkeys MODIFY algorithm VARCHAR(50);
>
>
> The first one (above) works as expected, second one gives this error:
>
> ERROR 1146 (42S02): Table 'powerdns.tsigkeys' doesn't exist
...

From steven.spencer at kdsi.com Wed Feb 18 14:40:47 2015
From: steven.spencer at kdsi.com (Steven Spencer)
Date: Wed, 18 Feb 2015 08:40:47 -0600
Subject: [Pdns-users] Update from 2.9.21 to 3.3.1-1 - Color me confused
In-Reply-To: <20150217220809.GN5510@aart.rice.edu>
References: <54E3B9D2.6050206@kdsi.com> <20150217220809.GN5510@aart.rice.edu>
Message-ID: <54E4A46F.3030705@kdsi.com>

That makes perfect sense, but since I do not have DNSSEC enabled, none of
the tables or columns specific to that are in the schema. The very first
set from my original email shows the ALTER TABLE tsigkeys line, and that
table and none of the columns associated with it, are in the database at
all. In my searching the upgrade notes, there is no mention of what
/should/ be in that table.
So, what I'm trying to do is make sure I have a working DNS server after the upgrade. If the table 'tsigkeys' is required, then I need to know how to create that and what columns/fields it should contain.

Thanks,
Steve

On 02/17/2015 04:08 PM, ktm at rice.edu wrote:
> Hi Steven,
>
> Review the schema and if the tables do not exist create them as
> specified. The ALTERs should be run against existing tables.
>
> Regards,
> Ken
>
> On Tue, Feb 17, 2015 at 03:59:46PM -0600, Steven Spencer wrote:
>> List,
>>
>> I need to preface this that we are not using DNSSEC.
>>
>> In doing the schema changes, I've run into problems, or what appear
>> to be problems:
>>
>> Schema changes required (according to the upgrade notes) for 2.9.x to 3.1:
>>
>>     mysql> ALTER TABLE records MODIFY content VARCHAR(64000);
>>     mysql> ALTER TABLE tsigkeys MODIFY algorithm VARCHAR(50);
>>
>> The first one (above) works as expected, second one gives this error:
>>
>>     ERROR 1146 (42S02): Table 'powerdns.tsigkeys' doesn't exist
> ...

--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010

From ktm at rice.edu Wed Feb 18 15:09:31 2015
From: ktm at rice.edu (ktm at rice.edu)
Date: Wed, 18 Feb 2015 09:09:31 -0600
Subject: [Pdns-users] Update from 2.9.21 to 3.3.1-1 - Color me confused
In-Reply-To: <54E4A46F.3030705@kdsi.com>
References: <54E3B9D2.6050206@kdsi.com> <20150217220809.GN5510@aart.rice.edu> <54E4A46F.3030705@kdsi.com>
Message-ID: <20150218150931.GO5510@aart.rice.edu>

On Wed, Feb 18, 2015 at 08:40:47AM -0600, Steven Spencer wrote:
> That makes perfect sense, but since I do not have DNSSEC enabled,
> none of the tables or columns specific to that are in the schema.
> The very first set from my original email shows the ALTER TABLE
> tsigkeys line, and that table and none of the columns associated
> with it, are in the database at all.
> In my searching the upgrade
> notes, there is no mention of what /should/ be in that table. So,
> what I'm trying to do is make sure I have a working DNS server after
> the upgrade. If the table 'tsigkeys' is required, then I need to
> know how to create that and what columns/fields it should contain.
>
> Thanks,
> Steve

Hi Steve,

The documentation has all of the schema definitions. There are also schema definitions in the source code tar file.

Regards,
Ken

From hw at nitramlexa.com Thu Feb 19 14:26:42 2015
From: hw at nitramlexa.com (hw at nitramlexa.com)
Date: Thu, 19 Feb 2015 15:26:42 +0100
Subject: [Pdns-users] Windows 7 computers not getting split horizon change made by Lua script
Message-ID: <54e5f2a2.711f.fa37d700.37fe93f7@woffinden.co.uk>

My setup is as follows:

All servers are CentOS 7 x86_64 running under VMware ESXi 5.1.

My DNS/firewall running PDNS 3.4.1 and PDNS-RECURSOR 3.6.2 has 2 NICs. One has one static public IP (79.142.xx.yy), and the other is on my LAN (192.168.3.1/24). The IP in my DNS for the mail server is the public one, and ports are then forwarded.

The mail server is at 192.168.3.50.

An internal PDNS-recursor (3.6.2) with a Lua script to change the address to the LAN address is located at 192.168.3.51, and it's the only DNS specified in all workstations' network setup.

It works like a dream for everybody BUT Windows 7. Android, Linux and Windows XP all get the LAN address when asking for mail.example.com, but Windows 7 gets the public address.

I can see in the logging in the Lua script that the Windows 7 machine asks for the name, and Lua returns the LAN address, but Windows 7 still gets the public IP.

Any ideas as to why?

I'm also running Samba on the PDNS-recursor to let Windows access the NAS shares, but there's no WINS defined anywhere, and the firewall / auth DNS is not running Samba.

Kind regards,
Henrik Woffinden
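A recursor-side hook of the kind Henrik describes, written here as an added example and not his actual script: a pdns_recursor 3.x-style `preresolve` function that answers mail.example.com with a LAN address for clients inside the LAN netblocks and leaves every other query to normal resolution. The netblocks, the 192.168.3.50 mapping, the log text and the 3.x hook signature (remoteip and domain as strings, -1 to fall through) are assumptions for illustration; the netblock check is a plain Lua loop over CIDR strings (IPv4 only) rather than the iputils netmaskgroup, so it also reports which netblock matched. The call that matters for the symptom in the post is setvariable(): a client-dependent answer that is not marked variable can be stored in the packet cache and served to the next client whichever netblock it sits in.

```lua
-- Added example (not Henrik's script): split-horizon rewrite for LAN clients
-- in a pdns_recursor 3.x Lua hook. All names, addresses and netblocks below
-- are assumed values for illustration.

-- Inside pdns_recursor the globals 'pdns', 'setvariable' and 'pdnslog' are
-- supplied by the daemon; these stubs only take effect when the file is
-- loaded under plain lua for a self-check.
pdns = pdns or { A = 1 }
setvariable = setvariable or function() end
pdnslog = pdnslog or print

-- Netblocks whose clients should receive the LAN view (assumed values).
local lan_masks = { "192.168.3.0/24", "10.0.0.0/8" }

-- Split-horizon mapping, lower-case qname -> LAN address (assumed values).
local lan_view = {
  ["mail.example.com"] = "192.168.3.50",
}

-- Dotted quad -> integer; returns nil for anything that is not an IPv4 address.
local function ip4_to_int(s)
  local a, b, c, d = s:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
  if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
  return ((a * 256 + b) * 256 + c) * 256 + d
end

-- Does ip (dotted quad) fall inside cidr ("a.b.c.d/len")? Uses floor
-- division by a power of two so it works on Lua 5.1 through 5.4.
local function in_cidr(ip, cidr)
  local net, len = cidr:match("^([%d%.]+)/(%d+)$")
  local ipn, netn = ip4_to_int(ip), ip4_to_int(net or "")
  len = tonumber(len)
  if not (ipn and netn and len and len <= 32) then return false end
  local host_bits = 2 ^ (32 - len)
  return math.floor(ipn / host_bits) == math.floor(netn / host_bits)
end

-- Linear scan over the masks, returning the one that matched (or nil).
-- This is the "emulate the netmaskgroup in Lua" approach: same cost as
-- trying every mask, but the caller learns which mask fired.
function matching_mask(ip, masks)
  for _, cidr in ipairs(masks) do
    if in_cidr(ip, cidr) then return cidr end
  end
  return nil
end

-- 3.x hook signature (assumed): remoteip and domain are strings, qtype a
-- number; returning -1 lets the recursor resolve the query normally.
function preresolve(remoteip, domain, qtype)
  local name = domain:lower():gsub("%.$", "")   -- tolerate a trailing dot
  local lan_ip = lan_view[name]
  if qtype ~= pdns.A or not lan_ip then
    return -1, {}
  end
  local mask = matching_mask(remoteip, lan_masks)
  if not mask then
    return -1, {}   -- not a LAN client: it gets the public view
  end
  pdnslog("split horizon: " .. name .. " -> " .. lan_ip ..
          " for " .. remoteip .. " (matched " .. mask .. ")")
  -- The answer depends on who asked, so it must not enter the packet cache,
  -- where a later client from another netblock would otherwise receive it.
  setvariable()
  return 0, { { qname = domain, qtype = pdns.A, content = lan_ip, ttl = 60 } }
end

-- Self-check when run as `lua split-horizon.lua`. The stand-alone interpreter
-- sets the global 'arg'; the daemon's Lua state is assumed not to.
if arg then
  assert(matching_mask("192.168.3.77", lan_masks) == "192.168.3.0/24")
  assert(matching_mask("79.142.0.1", lan_masks) == nil)
  local rc, recs = preresolve("192.168.3.77", "mail.example.com.", pdns.A)
  assert(rc == 0 and recs[1].content == "192.168.3.50")
  local rc2 = preresolve("79.142.0.1", "mail.example.com.", pdns.A)
  assert(rc2 == -1)
  print("self-check ok")
end
```

The file is loaded with the recursor's lua-dns-script setting (path is the deployment's choice). Only `lan_masks` and `lan_view` carry site data; the rest is the mechanism. The logged "matched" mask is the piece of information the netmaskgroup's boolean `match` does not give you, and the setvariable() call is the one a split-horizon hook cannot omit.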
From bert.hubert at powerdns.com Thu Feb 19 15:00:05 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Thu, 19 Feb 2015 16:00:05 +0100
Subject: [Pdns-users] Windows 7 computers not getting split horizon change made by Lua script
In-Reply-To: <54e5f2a2.711f.fa37d700.37fe93f7@woffinden.co.uk>
References: <54e5f2a2.711f.fa37d700.37fe93f7@woffinden.co.uk>
Message-ID: <20150219150005.GA31941@xs.powerdns.com>

On Thu, Feb 19, 2015 at 03:26:42PM +0100, hw at nitramlexa.com wrote:
> It works like a dream for everybody BUT Windows 7.
> Android, Linux and Windows XP all get the LAN address when asking
> for mail.example.com, but Windows 7 gets the public address.

Check with tcpdump what answers you are really sending out. Did you remember to use setvariable() to make sure PowerDNS doesn't packetcache your lua answers?

Good luck!

Bert

> I can see in logging in the Lua script that the Windows 7 machine
> asks for the name, and Lua returns the LAN address,
> but Windows 7 still gets the public IP.
>
> Any ideas to why?
>
> I'm also running Samba on the PDNS-recursor to let Windows access
> the NAS shares, but there's no wins defined anywhere,
> and the firewall / auth dns is not running Samba.
>
> Kind regards,
> Henrik Woffinden

From niels at peen.ch Thu Feb 19 16:40:47 2015
From: niels at peen.ch (Niels Peen)
Date: Thu, 19 Feb 2015 17:40:47 +0100
Subject: [Pdns-users] LUA iputils netmaskgroup match
Message-ID: <83978FC5-E77B-41A4-AD94-141D63ECDCBF@peen.ch>

Hello,

I’m using a netmaskgroup to see if a given IP matches:

    if nmg:match(ca) then ..

This works very well but I would like to know which specific netmask matched. E.g. by having :match (also) return the matching netmask rather than (just) returning true.

Am I correct that this is currently not possible?
If so, could this be considered for a future release?

Thanks,
Niels

From nicholas at nicholaswilliams.net Thu Feb 19 21:12:23 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Thu, 19 Feb 2015 15:12:23 -0600
Subject: [Pdns-users] Why was content length increased?
Message-ID: <79974B73-5BB5-4039-BD3C-D54F8F67402C@nicholaswilliams.net>

I'm upgrading to authoritative 3.4 and noticed that the records.content column has been increased from 255 characters to 64000 characters. Because my table is UTF-8, I get the following error:

    mysql> ALTER TABLE records MODIFY content VARCHAR(64000);
    ERROR 1074 (42000): Column length too big for column 'content' (max = 21845); use BLOB or TEXT instead

I know I can use latin1, but I tend to avoid any non-Unicode character sets completely, and would prefer to stick with UTF-8. Given that:

- What changed that required the increase from 255 to 64,000 characters?
- Is there any reason that I couldn't just use VARCHAR(21845)?
- Are there any performance implications to using TEXT instead of VARCHAR(64000)?

Thanks,

Nick

From nicholas at nicholaswilliams.net Thu Feb 19 21:13:51 2015
From: nicholas at nicholaswilliams.net (Nicholas Williams)
Date: Thu, 19 Feb 2015 15:13:51 -0600
Subject: [Pdns-users] Currently using distro packages, want to update
In-Reply-To:
References: <5CBEA825-ADD2-4EEF-8CE7-575C35E61164@nicholaswilliams.net> <54DCC551.5050102@stroeder.com> <54DCCEFA.7050604@stroeder.com> <54DCE95B.90709@stroeder.com>
Message-ID:

So I've gathered now that I can get 3.4.2 from https://www.monshouwer.eu/download/3rd_party/pdns/el6/ for my CentOS 6 machine, https://www.monshouwer.eu/download/3rd_party/pdns/el7/ for my CentOS 7 machine, and http://download.opensuse.org/repositories/server:/dns/SLE_12/ for my OpenSUSE 12 machine (or update to OpenSUSE 13 and use http://download.opensuse.org/repositories/server:/dns/openSUSE_13.2/).
But the problem that doesn't solve is my impending need to install the PDNS 3.5 release candidate when it's available. I gather there will be RPMs available, but I doubt I'll be able to get it on any of these repos.

Is there anyone who can answer my original 3 questions (below) about this?

> - Since I won't have auto dependency management, what dependencies do I need installed to install PDNS from RPM?
>
> - Does pdns-static-3.4.2-1.x86_64.rpm _just_ install the binaries, or does it install the service, too, so that I can call `service pdns start` and configure the service to start automatically on boot? If the RPM doesn't do that, is there documentation / what is the recommended way to install PDNS as a service when installed manually with an RPM?
>
> - Should I just be able to uninstall the package using my package manager and then install the RPM as a drop-in replacement?

Thanks!

Nick

On Thu, Feb 12, 2015 at 12:02 PM, Nicholas Williams wrote:

I know this is off-topic, but have you ever used `zypper dist-upgrade`? It scares me, but if it would make the upgrade easier... I don't like the idea of going without security updates.

Nick

Sent from my iPhone, so please forgive brief replies and frequent typos

> On Feb 12, 2015, at 11:56, Michael Ströder wrote:
>
> Nicholas Williams wrote:
>> Sorry, you're right—OpenSUSE 12.3. Upgrading is a hassle that I don't have
>> time for right now. It'll probably be another 8-12 months before I can
>> upgrade it.
>
> You could try SLES11SP3 packages. But you're on your own.
>
> Also note that openSUSE 12.3 does *not* receive security updates anymore.
>
> Ciao, Michael.
From ahodgson at simkin.ca Thu Feb 19 21:31:31 2015
From: ahodgson at simkin.ca (Alan Hodgson)
Date: Thu, 19 Feb 2015 13:31:31 -0800
Subject: [Pdns-users] Currently using distro packages, want to update
In-Reply-To:
References: <5CBEA825-ADD2-4EEF-8CE7-575C35E61164@nicholaswilliams.net>
Message-ID: <41905273.9WmEUAvrse@skynet.simkin.ca>

On Thursday, February 19, 2015 03:13:51 PM Nicholas Williams wrote:
> > - Since I won't have auto dependency management, what dependencies do I
> > need installed to install PDNS from RPM?

You can use yum to install a local RPM, and it will resolve dependencies (yum localinstall rpmfile, I believe).

> >
> > - Does pdns-static-3.4.2-1.x86_64.rpm _just_ install the binaries, or does
> > it install the service, too, so that I can call `service pdns start` and
> > configure the service to start automatically on boot? If the RPM doesn't
> > do that, is there documentation / what is the recommended way to install
> > PDNS as a service when installed manually with an RPM?

rpm -q -l -p pdns-static-3.4.2-1.x86_64.rpm, see if it puts a file in /etc/init.d. If it does, you still may need to chkconfig --add it, and chkconfig --level 345 service_name on to add it to boot. Never used the static RPMs myself.

Building RPMs, deconstructing them, and even creating your own init scripts are pretty common Linux system administration tasks, especially if you want to run bleeding edge software on CentOS. You might want to dig into them at some point.

From nicholas at nicholaswilliams.net Thu Feb 19 21:34:06 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Thu, 19 Feb 2015 15:34:06 -0600
Subject: [Pdns-users] When was ordername column added to records table?
Message-ID:

I'm a bit curious because, looking through the code history, I can't find any evidence of it.
The schema for PDNS 3.0 shows no "ordername" column or "orderindex" index on the records table:

https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/no-dnssec.schema.pgsql.sql

And the upgrade instructions for 3.0 -> 3.1 don't include an alter statement for adding the "ordername" column or "orderindex" index:

https://doc.powerdns.com/md/authoritative/upgrading/#30-to-31

But the upgrade instructions for 3.1 -> 3.2 include an alter statement for _modifying_ the "ordername" column and _dropping_ the "orderindex" index that were never added:

https://doc.powerdns.com/md/authoritative/upgrading/#31-to-32

This doesn't compute.

Can someone provide me some perspective on this?

Thanks,

Nick

From ktm at rice.edu Thu Feb 19 21:37:16 2015
From: ktm at rice.edu (ktm at rice.edu)
Date: Thu, 19 Feb 2015 15:37:16 -0600
Subject: [Pdns-users] When was ordername column added to records table?
In-Reply-To:
References:
Message-ID: <20150219213716.GB5510@aart.rice.edu>

On Thu, Feb 19, 2015 at 03:34:06PM -0600, Nick Williams wrote:
> I'm a bit curious because, looking through the code history, I can't find any evidence of it.
>
> The schema for PDNS 3.0 shows no "ordername" column or "orderindex" index on the records table:
>
> https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/no-dnssec.schema.pgsql.sql
>
> And the upgrade instructions for 3.0 -> 3.1 don't include an alter statement for adding the "ordername" column or "orderindex" index:
>
> https://doc.powerdns.com/md/authoritative/upgrading/#30-to-31
>
> But the upgrade instructions for 3.1 -> 3.2 includes an alter statement for _modifying_ the "ordername" column and _dropping_ the "orderindex" index that were never added:
>
> https://doc.powerdns.com/md/authoritative/upgrading/#31-to-32
>
> This doesn't compute.
>
> Can someone provide me some perspective on this?
>
> Thanks,
>
> Nick

Hi Nick,

Please check the release documentation for the new release for the schema definitions used and add any missing tables. The ALTER TABLE will only apply to previously existing tables, not create the needed new ones.

Regards,
Ken

From nicholas at nicholaswilliams.net Thu Feb 19 21:44:00 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Thu, 19 Feb 2015 15:44:00 -0600
Subject: [Pdns-users] When was ordername column added to records table?
In-Reply-To: <20150219213716.GB5510@aart.rice.edu>
References: <20150219213716.GB5510@aart.rice.edu>
Message-ID: <79E5C562-FBD0-467E-87B7-7A3598D09A7E@nicholaswilliams.net>

On Feb 19, 2015, at 3:37 PM, ktm at rice.edu wrote:

> On Thu, Feb 19, 2015 at 03:34:06PM -0600, Nick Williams wrote:
>> I'm a bit curious because, looking through the code history, I can't find any evidence of it.
>>
>> The schema for PDNS 3.0 shows no "ordername" column or "orderindex" index on the records table:
>>
>> https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/no-dnssec.schema.pgsql.sql
>>
>> And the upgrade instructions for 3.0 -> 3.1 don't include an alter statement for adding the "ordername" column or "orderindex" index:
>>
>> https://doc.powerdns.com/md/authoritative/upgrading/#30-to-31
>>
>> But the upgrade instructions for 3.1 -> 3.2 includes an alter statement for _modifying_ the "ordername" column and _dropping_ the "orderindex" index that were never added:
>>
>> https://doc.powerdns.com/md/authoritative/upgrading/#31-to-32
>>
>> This doesn't compute.
>>
>> Can someone provide me some perspective on this?
>>
>> Thanks,
>>
>> Nick
>
> Hi Nick,
>
> Please check the release documentation for the new release for the schema definitions
> used and add any missing tables. The ALTER TABLE will only apply to previously existing
> tables, not create the needed new ones.
>
> Regards,
> Ken

Ken, you misread my email. I'm not talking about adding a new table.
I'm saying that apparently a new _column_ and a new _index_ were added between 3.0 and 3.1 but not listed in the 3.0 -> 3.1 upgrade instructions. Please re-read my email carefully to see the discrepancy.

Thanks,

Nick

From christian.hofstaedtler at deduktiva.com Thu Feb 19 21:05:54 2015
From: christian.hofstaedtler at deduktiva.com (Christian Hofstaedtler)
Date: Thu, 19 Feb 2015 21:05:54 +0000
Subject: [Pdns-users] When was ordername column added to records table?
In-Reply-To: <20150219213716.GB5510@aart.rice.edu>
References: <20150219213716.GB5510@aart.rice.edu>
Message-ID: <92AD7E39-A082-4A04-80D4-71AFA69644E3@deduktiva.com>

> On 19 Feb 2015, at 22:37, ktm at rice.edu wrote:
> On Thu, Feb 19, 2015 at 03:34:06PM -0600, Nick Williams wrote:
>> The schema for PDNS 3.0 shows no "ordername" column or "orderindex" index on the records table:
>> https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/no-dnssec.schema.pgsql.sql
>>
>> And the upgrade instructions for 3.0 -> 3.1 don't include an alter statement for adding the "ordername" column or "orderindex" index:
>> https://doc.powerdns.com/md/authoritative/upgrading/#30-to-31
>>
>> But the upgrade instructions for 3.1 -> 3.2 includes an alter statement for _modifying_ the "ordername" column and _dropping_ the "orderindex" index that were never added:
>> https://doc.powerdns.com/md/authoritative/upgrading/#31-to-32
>>
>> […]
>> Can someone provide me some perspective on this?

ordername was added in 3.0, as part of the DNSSEC schema upgrade. (see https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/dnssec.schema.pgsql.sql )

> […] The ALTER TABLE will only apply to previously existing
> tables, not create the needed new ones.

The upgrade SQL scripts in general add/modify tables and columns.

The instructions for upgrading to 3.4.0 include consolidated update scripts, see https://doc.powerdns.com/md/authoritative/upgrading/#database-schema .
Pick the backend and schema type you currently have (if you come from 2.9.22, it’s always the ‘non-dnssec’ type), and you’ll end up with the correct schema.

Best,
--
Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
www.deduktiva.com / +43 1 353 1707

From nicholas at nicholaswilliams.net Thu Feb 19 22:35:42 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Thu, 19 Feb 2015 16:35:42 -0600
Subject: [Pdns-users] When was ordername column added to records table?
In-Reply-To: <92AD7E39-A082-4A04-80D4-71AFA69644E3@deduktiva.com>
References: <20150219213716.GB5510@aart.rice.edu> <92AD7E39-A082-4A04-80D4-71AFA69644E3@deduktiva.com>
Message-ID: <31A3A89D-88D8-4307-9232-F659DA2F5BC0@nicholaswilliams.net>

On Feb 19, 2015, at 3:05 PM, Christian Hofstaedtler wrote:
>
>> On 19 Feb 2015, at 22:37, ktm at rice.edu wrote:
>> On Thu, Feb 19, 2015 at 03:34:06PM -0600, Nick Williams wrote:
>>> The schema for PDNS 3.0 shows no "ordername" column or "orderindex" index on the records table:
>>> https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/no-dnssec.schema.pgsql.sql
>>>
>>> And the upgrade instructions for 3.0 -> 3.1 don't include an alter statement for adding the "ordername" column or "orderindex" index:
>>> https://doc.powerdns.com/md/authoritative/upgrading/#30-to-31
>>>
>>> But the upgrade instructions for 3.1 -> 3.2 includes an alter statement for _modifying_ the "ordername" column and _dropping_ the "orderindex" index that were never added:
>>> https://doc.powerdns.com/md/authoritative/upgrading/#31-to-32
>>>
>>> […]
>
>>> Can someone provide me some perspective on this?
>
> ordername was added in 3.0, as part of the DNSSEC schema upgrade. (see https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/dnssec.schema.pgsql.sql )
>
>
>> […] The ALTER TABLE will only apply to previously existing
>> tables, not create the needed new ones.
>
> The upgrade SQL scripts in general add/modify tables and columns.
>
> The instructions for upgrading to 3.4.0 include consolidated update scripts, see https://doc.powerdns.com/md/authoritative/upgrading/#database-schema .
> Pick the backend and schema type you currently have (if you come from 2.9.22, it’s always the ‘non-dnssec’ type), and you’ll end up with the correct schema.
>
> Best,
> --
> Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
> www.deduktiva.com / +43 1 353 1707

Thanks, Christian. Interesting that the ordername column was added in 3.0, but the schema file in the 3.0 tag (https://github.com/PowerDNS/pdns/blob/auth-3.0/pdns/no-dnssec.schema.pgsql.sql) doesn't include that column. Thanks for clearing it up for me.

Interestingly, I'm coming from 3.0.1 and my database does not have that column in it. But the consolidated script definitely helped.

Nick

From yawowb+pdns-users at nuclei.ca Fri Feb 20 01:23:15 2015
From: yawowb+pdns-users at nuclei.ca (rooster)
Date: Thu, 19 Feb 2015 17:23:15 -0800
Subject: [Pdns-users] pdns-recursor works but pdns discards responses
In-Reply-To:
References: <20150127.112228.41636277.sthaug@nethelp.no> <20150127135941.GG5510@aart.rice.edu>
Message-ID:

I had an e-mail client issue and this message was never sent. Sending now. There are three other messages with the same problem.

***

> On 2015-01-29, at 8:02 AM, Peter van Dijk wrote:
>
> Hello Rooster,
> We had a similar report from a Solaris SPARC user; a fix for his problem went into the 3.4.0 release, but we never got an answer about whether it helped.
>
> Can you please try with pdns-server 3.4.0 or higher, and let us know if that fixes it?
>
> Kind regards,
> --
> Peter van Dijk

Hi there Peter,

Thank you for this information. I had seen talk about big endian versus little endian and I think I saw that same SPARC post. I will install pdns-server 3.4.0 or higher and report back.

Thank you again.
--

From yawowb+pdns-users at nuclei.ca Fri Feb 20 01:29:51 2015
From: yawowb+pdns-users at nuclei.ca (rooster)
Date: Thu, 19 Feb 2015 17:29:51 -0800
Subject: [Pdns-users] pdns-recursor works but pdns discards responses
In-Reply-To:
References: <20150127.112228.41636277.sthaug@nethelp.no> <20150127135941.GG5510@aart.rice.edu>
Message-ID:

> We had a similar report from a Solaris SPARC user; a fix for his problem went into the 3.4.0 release, but we never got an answer about whether it helped.
>
> Can you please try with pdns-server 3.4.0 or higher, and let us know if that fixes it?
>
> Kind regards,
> --
> Peter van Dijk

Hi again Peter,

Here are my results of the installation I did tonight. I grabbed the following files:

    ftp://ftp.debian.org//debian/pool/main/p/pdns/pdns_3.4.1-4.debian.tar.xz
    ftp://ftp.debian.org//debian/pool/main/p/pdns/pdns_3.4.1-4.dsc
    ftp://ftp.debian.org//debian/pool/main/p/pdns/pdns_3.4.1.orig.tar.bz2

Compiled, built and installed pdns-server_3.4.1. PowerDNS version now reports as the following:

    Jan 30 01:55:06 PowerDNS Authoritative Server 3.4.1 (jenkins at autotest.powerdns.com) (C) 2001-2014 PowerDNS.COM BV
    Jan 30 01:55:06 Using 32-bits mode. Built on 20150130004723 by root at host, gcc 4.8.2.
    Jan 30 01:55:06 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
    Jan 30 01:55:06 Features: botan1.10 cryptopp libdl lua
    Jan 30 01:55:06 Built-in modules:

Now when I do a lookup from the host (dig @IPADDRESS google.com), I see this in the syslog:

    Jan 30 01:54:40 host pdns_recursor[995]: 1 question answered from packet cache from 127.0.0.1
    Jan 30 01:54:40 host pdns[23000]: Discarding untracked packet from recursor backend with id 24672. Conntrack table size=1

End result, same as before. :(

I will go looking for a version higher than 3.4.1 and try again.
--

From yawowb+pdns-users at nuclei.ca Fri Feb 20 01:32:58 2015
From: yawowb+pdns-users at nuclei.ca (rooster)
Date: Thu, 19 Feb 2015 17:32:58 -0800
Subject: [Pdns-users] pdns-recursor works but pdns discards responses
In-Reply-To:
References: <20150127.112228.41636277.sthaug@nethelp.no> <20150127135941.GG5510@aart.rice.edu>
Message-ID:

> We had a similar report from a Solaris SPARC user; a fix for his problem went into the 3.4.0 release, but we never got an answer about whether it helped.
>
> Can you please try with pdns-server 3.4.0 or higher, and let us know if that fixes it?
>
> Kind regards,
> --
> Peter van Dijk

Hi again Peter,

I downloaded, compiled and installed the recently released 3.4.2 from the PowerDNS releases web page but I was unable to get it to launch. :(

The error I am getting is “Unable to launch, no backends configured for querying” which is very odd since when I did the compile, I explicitly compiled with the bind module option. Also, my local config file does have the “launch=bind” parameter set.

host - PowerPC 32bit, ubuntu 14.04 LTS release

--

From yawowb+pdns-users at nuclei.ca Fri Feb 20 01:34:13 2015
From: yawowb+pdns-users at nuclei.ca (rooster)
Date: Thu, 19 Feb 2015 17:34:13 -0800
Subject: [Pdns-users] pdns-recursor works but pdns discards responses
In-Reply-To:
References: <20150127.112228.41636277.sthaug@nethelp.no> <20150127135941.GG5510@aart.rice.edu>
Message-ID: <78ADE2F8-333E-4D5A-A7FC-A9A0FD9386E0@nuclei.ca>

> I downloaded, compiled and installed the recently released 3.4.2 from the PowerDNS releases web page but I was unable to get it to launch. :(
>
> The error I am getting is “Unable to launch, no backends configured for querying” which is very odd since when I did the compile, I explicitly compiled with the bind module option. Also, my local config file does have “launch=bind” parameter set.
>
> host - PowerPC 32bit, ubuntu 14.04 LTS release

Here is an update to this new problem that Habbie and ahu on the IRC channel helped me with.

What was happening was that when pdns was launched, it would look in /usr/local/etc/ for its configuration files. Of course this was wrong. After some short deliberation and with a hint from Fusl in the IRC channel, I modified /etc/default/pdns to add --config-dir=/etc/powerdns in the DAEMON_ARGS=“” line. The two other options are: add this same modification to the init.d script that was generated from the compile, or, at the time of compile, add --sysconfdir=/etc/powerdns to the ./configure command.

Now I have a running 3.4.2 pdns but I still have the problem of the recursor responses being discarded. Right ha has me running a testrunner.

--

From roblocke at gmail.com Fri Feb 20 02:06:00 2015
From: roblocke at gmail.com (Robert Locke)
Date: Fri, 20 Feb 2015 10:06:00 +0800
Subject: [Pdns-users] Why was content length increased?
In-Reply-To: <79974B73-5BB5-4039-BD3C-D54F8F67402C@nicholaswilliams.net>
References: <79974B73-5BB5-4039-BD3C-D54F8F67402C@nicholaswilliams.net>
Message-ID:

Hi Nick,

We use TEXT (utf-8) and have had no performance issues so far. My understanding is that the InnoDB engine handles text efficiently - the “content” data is stored inline in the general case, and only stored on a separate page if it’s above a certain size for a given row.

Cheers,
Rob

> On Feb 20, 2015, at 5:12 AM, Nick Williams wrote:
>
> I'm upgrading to authoritative 3.4 and noticed that the records.content column has been increased from 255 characters to 64000 characters. Because my table is UTF-8, I get the following error:
>
>     mysql> ALTER TABLE records MODIFY content VARCHAR(64000);
>     ERROR 1074 (42000): Column length too big for column 'content' (max = 21845); use BLOB or TEXT instead
>
> I know I can use latin1, but I tend to avoid any non-Unicode character sets completely, and would prefer to stick with UTF-8.
> Given that:
>
> - What changed that required the increase from 255 to 64,000 characters?
> - Is there any reason that I couldn't just use VARCHAR(21845)?
> - Are there any performance implications to using TEXT instead of VARCHAR(64000)?
>
> Thanks,
>
> Nick

From yawowb+pdns-users at nuclei.ca Fri Feb 20 02:48:06 2015
From: yawowb+pdns-users at nuclei.ca (rooster)
Date: Thu, 19 Feb 2015 18:48:06 -0800
Subject: [Pdns-users] pdns-recursor works but pdns discards responses
In-Reply-To:
References:
Message-ID: <4FF468BA-9016-44DB-9735-F35811BA93F0@nuclei.ca>

> On 2015-01-26, at 5:38 PM, rooster wrote:
>
> Hello list,
>
> I have pdns-recursor and pdns on the same host and port but on different IP’s. When I query pdns and it can not answer, so it passes the query on to pdns-recursor, which then responds with the answer but then pdns discards the packets. What did I do wrong? I have tried this with the firewall both on and off and the result is the same. Below is a snippet of the log file with the error, followed by my configuration for the recursor and pdns itself. The host is a PowerPC computer running ubuntu 14.04 LTS.
>
> /var/log/syslog
>
>     Jan 26 16:45:55 host pdns_recursor[29993]: 0 question answered from packet cache from 127.0.0.1
>     Jan 26 16:45:55 host pdns[26791]: Discarding untracked packet from recursor backend with id 49601. Conntrack table size=1
>     Jan 26 16:46:00 host pdns_recursor[29993]: 1 [42] question for ‘google.com.|A' from 127.0.0.1
>     Jan 26 16:46:01 host pdns[26791]: Discarding untracked packet from recursor backend with id 49345.
>     Conntrack table size=2
>     Jan 26 16:46:01 host pdns_recursor[29993]: 1 [42] answer to question ‘google.com.|A': 1 answers, 0 additional, took 2 packets, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
>     Jan 26 16:46:05 host pdns_recursor[29993]: 0 question answered from packet cache from 127.0.0.1
>     Jan 26 16:46:05 host pdns[26791]: Discarding untracked packet from recursor backend with id 50113. Conntrack table size=3

Here is a final update with success.

I removed recursor=127.0.0.1 from pdns.local.conf.

I will also note that my original problem was not so much a problem caused by a bug or some other such issue but, more precisely, it was a configuration error. I theorize that the error I was seeing in my logs was not so much an error but an indication of the configuration error. In short, I had misconfigured the auth server to allow recursion. As such, when a non-authorized query came in, the auth server passed it on to the recursor like it was configured to do, and the recursor would respond correctly, but the auth server then would drop the packets instead of routing them back to the source of the query.

If anyone else has theories or additional input, please feel free to post a message to the list. As I mentioned, I’d mark this as solved and not as a bug in the pdns auth server code (big endian vs. little endian) but instead a user configuration error.

Thank you everyone for your assistance on this "problem".

--

From mloftis at wgops.com Fri Feb 20 03:00:51 2015
From: mloftis at wgops.com (Michael Loftis)
Date: Thu, 19 Feb 2015 19:00:51 -0800
Subject: [Pdns-users] Why was content length increased?
In-Reply-To: <79974B73-5BB5-4039-BD3C-D54F8F67402C@nicholaswilliams.net>
References: <79974B73-5BB5-4039-BD3C-D54F8F67402C@nicholaswilliams.net>
Message-ID:

DNSSEC and DKIM.

On Thursday, February 19, 2015, Nick Williams wrote:
> I'm upgrading to authoritative 3.4 and noticed that the records.content
> column has been increased from 255 characters to 64000 characters.
> Because
> my table is UTF-8, I get the following error:
>
>     mysql> ALTER TABLE records MODIFY content VARCHAR(64000);
>     ERROR 1074 (42000): Column length too big for column 'content' (max =
>     21845); use BLOB or TEXT instead
>
> I know I can use latin1, but I tend to avoid any non-Unicode character
> sets completely, and would prefer to stick with UTF-8. Given that:
>
> - What changed that required the increase from 255 to 64,000 characters?
> - Is there any reason that I couldn't just use VARCHAR(21845)?
> - Are there any performance implications to using TEXT instead of
> VARCHAR(64000)?
>
> Thanks,
>
> Nick

--
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds." -- Samuel Butler

From bert.hubert at powerdns.com Fri Feb 20 11:53:41 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Fri, 20 Feb 2015 12:53:41 +0100
Subject: [Pdns-users] LUA iputils netmaskgroup match
In-Reply-To: <83978FC5-E77B-41A4-AD94-141D63ECDCBF@peen.ch>
References: <83978FC5-E77B-41A4-AD94-141D63ECDCBF@peen.ch>
Message-ID: <20150220115341.GA5829@xs.powerdns.com>

On Thu, Feb 19, 2015 at 05:40:47PM +0100, Niels Peen wrote:
> Hello,
>
> I’m using a netmaskgroup to see if a given IP matches:
>
>     if nmg:match(ca) then ..
>
> This works very well but I would like to know which specific netmask matched. E.g. by having :match (also) return the matching netmask rather than (just) returning true.
>
> Am I correct that this is currently not possible? If so, could this be considered for a future release?

Hi Niels,

This is currently not possible, but it sounds like a great idea.
It may be good to know that the netmaskgroup currently just tries all netmasks to see if one fits; you could easily emulate this in Lua itself, and it would not be slower. And then you would know which address matched.

Could you open a ticket requesting this feature on github? Please put a note in there that we find it a fine idea.

Bert

From bert.hubert at powerdns.com Fri Feb 20 12:03:43 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Fri, 20 Feb 2015 13:03:43 +0100
Subject: [Pdns-users] Any status on DNSSEC in Recursor?
In-Reply-To: <9AA3A9C2-9CE8-4B33-B727-A547A6D03A6C@bway.net>
References: <9AA3A9C2-9CE8-4B33-B727-A547A6D03A6C@bway.net>
Message-ID: <20150220120342.GB5829@xs.powerdns.com>

Hi Charles,

The status is that it is happening, and it should soon become more visible.

The start of this is described in our post from this morning:
http://mailman.powerdns.com/pipermail/pdns-dev/2015-February/001481.html

Please join us in testing 4.x as it will be appearing!

Bert

On Sun, Feb 15, 2015 at 11:19:24PM -0500, Charles Sprickman wrote:
> While asking Google, the same, I hit this old blog post:
>
> http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/
>
> Any new timeline on when this might happen? Does the plan to implement it still look the same?
>
> Thanks,
>
> Charles
>
> --
> Charles Sprickman
> NetEng/SysAdmin
> Bway.net - New York's Best Internet www.bway.net
> spork at bway.net - 212.655.9344

From margus.kiting at gmail.com Fri Feb 20 12:09:00 2015
From: margus.kiting at gmail.com (Margus Kiting)
Date: Fri, 20 Feb 2015 14:09:00 +0200
Subject: [Pdns-users] Oracle backend and axfr problems.
Message-ID:

Hello.

I am experiencing weird problems in my PowerDNS setup. I'll describe my setup below.
The problem is that our superslave servers are getting network timeouts when they request an AXFR. We have some BIND slaves also, and it seems like BIND waits longer for the received information before it times out. I tried configuring more distributor-threads and setting both cache TTLs a bit longer, but it does not help at all. All other requests come from the master server fast, without any delay. The problem arises only on AXFR requests.

Our setup:

Authoritative master DNS server (hosts about 1000 forward and reverse zones):
PowerDNS 3.3.1 with Oracle backend, using dnssec for the ALLOW-AXFR-FROM configuration flag.

Super slave server:
PowerDNS 3.3.1 with sqlite3 backend is configured as slave, and there is a supermaster configured in the database.

Both master and slave servers are running on the same network segment and there are no restrictions between servers on the network side. Firewalls are also disabled.

Logs from master DNS server:

AXFR of domain 'transferring zone' allowed: client IP slave.server.ip is in NSset
TCP Connection Thread died because of network error: Writing data: Broken pipe

Logs from slave DNS server:

Initiating transfer of 'Transferring zone' from remote 'master.name.server.ip'
Unable to AXFR zone 'Transferring zone' from remote 'master.name.server.ip' (resolver): Timeout waiting for answer from master.name.server.ip:53 during AXFR

Thank You in advance!
Margus

From hunterj91 at hotmail.com Fri Feb 20 17:28:53 2015
From: hunterj91 at hotmail.com (Jonathan Hunter)
Date: Fri, 20 Feb 2015 17:28:53 +0000
Subject: [Pdns-users] Multiple Entries in the Content field of NAPTR records.
Message-ID:

Hi All,

Is it possible when implementing NAPTR records in the records table to add multiple entries within the content field of a record?

I'm just trying to reduce the number of entries in the database, so wondered if I could have more than one content entry, and if so how do you split them up?
So for example I have:

select * from records;
+----+-----------+---------------------------+-------+----------------------------------------------------------+-----+------+-------------+
| id | domain_id | name                      | type  | content                                                  | ttl | prio | change_date |
+----+-----------+---------------------------+-------+----------------------------------------------------------+-----+------+-------------+
| 27 | 1         | *.0.3.7.7.4.4.e164.sip.mn | NAPTR | 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.46!". | 120 | NULL | NULL        |
| 26 | 1         | *.0.3.7.7.4.4.e164.sip.mn | NAPTR | 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.50!". | 120 | NULL | NULL        |
+----+-----------+---------------------------+-------+----------------------------------------------------------+-----+------+-------------+

Can I add both 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.46!". and 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.50!". into the content of id 27 without breaking a query?

Many thanks

Jon

From spork at bway.net Fri Feb 20 19:08:20 2015
From: spork at bway.net (Charles Sprickman)
Date: Fri, 20 Feb 2015 14:08:20 -0500
Subject: [Pdns-users] Any status on DNSSEC in Recursor?
In-Reply-To: <20150220120342.GB5829@xs.powerdns.com>
References: <9AA3A9C2-9CE8-4B33-B727-A547A6D03A6C@bway.net> <20150220120342.GB5829@xs.powerdns.com>
Message-ID: <22E5E7F8-5358-4DBF-8EAE-A9497506EC9E@bway.net>

On Feb 20, 2015, at 7:03 AM, bert hubert wrote:
> Hi Charles,
>
> The status is that it is happening, and it should soon become more visible.
>
> The start of this is described in our post from this morning:
> http://mailman.powerdns.com/pipermail/pdns-dev/2015-February/001481.html
>
> Please join us in testing 4.x as it will be appearing!

Sounds good. I'm itching to tell our users they're a bit "safer", and I have about zero interest in learning a third DNS server (unbound).

The old blog post noted that you'd be leveraging another server for the key verification; is that still the case, or will everything happen within pdns recursor?
I just did my first DNSSEC setup with BIND, kind of a pain. Now I'll be toying with my personal box that runs PDNS and then an actual production setup. From what I'm reading, it seems almost too simple to set up. :)

Charles

> Bert
>
> On Sun, Feb 15, 2015 at 11:19:24PM -0500, Charles Sprickman wrote:
>> While asking Google, the same, I hit this old blog post:
>>
>> http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/
>>
>> Any new timeline on when this might happen? Does the plan to implement it still look the same?
>>
>> Thanks,
>>
>> Charles
>>
>> --
>> Charles Sprickman
>> NetEng/SysAdmin
>> Bway.net - New York's Best Internet www.bway.net
>> spork at bway.net - 212.655.9344

From hongyi.zhao at gmail.com Mon Feb 23 05:09:13 2015
From: hongyi.zhao at gmail.com (Hongyi Zhao)
Date: Mon, 23 Feb 2015 13:09:13 +0800
Subject: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
Message-ID:

Hi all,

From the manual of PowerDNS Recursor, I learned that the following setting can be used in its config file:

forward-zones
Comma separated list of 'zonename=IP' pairs. Queries for zones listed here will be forwarded to the IP address listed. Since version 3.1.5, multiple IP addresses can be specified. Additionally, port numbers other than 53 can be configured. Sample syntax:

forward-zones=example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;198.51.100.10:530

I just want to know the mechanism when we use multiple IPs for querying a zone. I mean, is this process sequential or parallel? When we use multiple IPs for resolving a specific domain name, which answer given by the forwarders should be picked up by PowerDNS Recursor and then returned to the user's client program?

Any hints on this issue will be highly appreciated.
Regards

--
Hongyi Zhao
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences
GnuPG DSA: 0xD108493

From peter.van.dijk at powerdns.com Mon Feb 23 10:26:01 2015
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Mon, 23 Feb 2015 11:26:01 +0100
Subject: [Pdns-users] Multiple Entries in the Content field of NAPTR records.
In-Reply-To:
References:
Message-ID: <6FA5BE73-D765-44AC-A7D7-C0CAAB80EB52@powerdns.com>

Hello Jonathan,

On 20 Feb 2015, at 18:28 , Jonathan Hunter wrote:

> Is it possible when implementing NAPTR records in the records table to add multiple entries within the content field of a record?
>
> I'm just trying to reduce the number of entries in the database, so wondered if I could have more than one content entry, and if so how do you split them up?
>
> So for example I have:
>
> select * from records;
> +----+-----------+---------------------------+-------+----------------------------------------------------------+-----+------+-------------+
> | id | domain_id | name                      | type  | content                                                  | ttl | prio | change_date |
> +----+-----------+---------------------------+-------+----------------------------------------------------------+-----+------+-------------+
> | 27 | 1         | *.0.3.7.7.4.4.e164.sip.mn | NAPTR | 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.46!". | 120 | NULL | NULL        |
> | 26 | 1         | *.0.3.7.7.4.4.e164.sip.mn | NAPTR | 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.50!". | 120 | NULL | NULL        |
>
> Can I add both 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.46!". and 2 10 "U" "E2U+sip" "!^(.*)$!sip:\\1 at 195.219.240.50!". into the content of id 27 without breaking a query?

No, this will not work. One database row is one DNS record; there are no exceptions to this.

What problem are you trying to solve by combining the records?
Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From peter.van.dijk at powerdns.com Mon Feb 23 10:27:37 2015
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Mon, 23 Feb 2015 11:27:37 +0100
Subject: [Pdns-users] Any status on DNSSEC in Recursor?
In-Reply-To: <22E5E7F8-5358-4DBF-8EAE-A9497506EC9E@bway.net>
References: <9AA3A9C2-9CE8-4B33-B727-A547A6D03A6C@bway.net> <20150220120342.GB5829@xs.powerdns.com> <22E5E7F8-5358-4DBF-8EAE-A9497506EC9E@bway.net>
Message-ID: <9D04E920-7A7D-4BE7-8824-C7B4E1E2DA49@powerdns.com>

Hello Charles,

On 20 Feb 2015, at 20:08 , Charles Sprickman wrote:

> Sounds good. I'm itching to tell our users they're a bit "safer", and I have about zero interest in learning a third DNS server (unbound).
>
> The old blog post noted that you'd be leveraging another server for the key verification, is that still the case or will everything happen within pdns recursor?

For various reasons, yes, it makes sense to do validation in another server/daemon/process. However, you should still expect something that's as simple as 'verify-dnssec=yes' in recursor.conf. We hope :)

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From peter.van.dijk at powerdns.com Mon Feb 23 10:28:44 2015
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Mon, 23 Feb 2015 11:28:44 +0100
Subject: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
In-Reply-To:
References:
Message-ID: <64FC190F-56B3-4872-9E3C-939EA961F6D9@powerdns.com>

Hello,

On 23 Feb 2015, at 6:09 , Hongyi Zhao wrote:

> forward-zones Comma separated list of 'zonename=IP' pairs. Queries for zones listed here will be forwarded to the IP address listed. Since version 3.1.5, multiple IP addresses can be specified. Additionally, port numbers other than 53 can be configured.
> Sample syntax: forward-zones=example.org=203.0.113.210:5300;127.0.0.1, powerdns.com=127.0.0.1;198.51.100.10:530
>
> I just want to know the mechanism when we use multiple IPs for querying a zone. I mean, is this process sequential or parallel? When we use multiple IPs for resolving a specific domain name, which answer given by the forwarders should be picked up by PowerDNS Recursor and then returned to the user's client program?

It's best to assume the process is random. For any given query, the resulting data can come from any of the IPs, and there is no guarantee from which one. So, in general, make sure your backend IPs agree on the data!

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From hongyi.zhao at gmail.com Mon Feb 23 10:49:50 2015
From: hongyi.zhao at gmail.com (Hongyi Zhao)
Date: Mon, 23 Feb 2015 18:49:50 +0800
Subject: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
In-Reply-To: <64FC190F-56B3-4872-9E3C-939EA961F6D9@powerdns.com>
References: <64FC190F-56B3-4872-9E3C-939EA961F6D9@powerdns.com>
Message-ID:

Why not let the process run in parallel and then pick out the one which is returned first to the client?

Regards

2015-02-23 18:28 GMT+08:00 Peter van Dijk :
> Hello,
>
> On 23 Feb 2015, at 6:09 , Hongyi Zhao wrote:
>
> > forward-zones Comma separated list of 'zonename=IP' pairs. Queries for
> zones listed here will be forwarded to the IP address listed. Since version
> 3.1.5, multiple IP addresses can be specified. Additionally, port numbers
> other than 53 can be configured.
> > Sample syntax: forward-zones=example.org=203.0.113.210:5300;127.0.0.1,
> powerdns.com=127.0.0.1;198.51.100.10:530
> >
> > I just want to know the mechanism when we use multiple IPs for querying a
> zone. I mean, is this process sequential or parallel?
> When we use multiple
> IPs for resolving a specific domain name, which answer given by the
> forwarders should be picked up by PowerDNS Recursor and then returned to
> the user's client program?
>
> It's best to assume the process is random. For any given query, the
> resulting data can come from any of the IPs, and there is no guarantee from
> which one. So, in general, make sure your backend IPs agree on the data!
>
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

--
Hongyi Zhao
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences
GnuPG DSA: 0xD108493

From hongyi.zhao at gmail.com Mon Feb 23 11:16:14 2015
From: hongyi.zhao at gmail.com (Hongyi Zhao)
Date: Mon, 23 Feb 2015 19:16:14 +0800
Subject: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
In-Reply-To:
References: <64FC190F-56B3-4872-9E3C-939EA961F6D9@powerdns.com>
Message-ID:

Considering that the backend/forwarder IPs are always NOT owned by the authoritative servers of the querier, it will be difficult to ensure all of them are online all the time. So, if we can let the process run in parallel and then pick out the one which is returned first to the client, at least the query efficiency will be raised to some extent, IMO.

Regards

2015-02-23 18:49 GMT+08:00 Hongyi Zhao :
> Why not let the process run in parallel and then pick out the one which is
> returned first to the client?
>
> Regards
>
> 2015-02-23 18:28 GMT+08:00 Peter van Dijk :
>
>> Hello,
>>
>> On 23 Feb 2015, at 6:09 , Hongyi Zhao wrote:
>>
>> > forward-zones Comma separated list of 'zonename=IP' pairs. Queries for
>> zones listed here will be forwarded to the IP address listed.
>> Since version
>> 3.1.5, multiple IP addresses can be specified. Additionally, port numbers
>> other than 53 can be configured.
>> > Sample syntax: forward-zones=example.org=203.0.113.210:5300;127.0.0.1,
>> powerdns.com=127.0.0.1;198.51.100.10:530
>> >
>> > I just want to know the mechanism when we use multiple IPs for querying a
>> zone. I mean, is this process sequential or parallel? When we use multiple
>> IPs for resolving a specific domain name, which answer given by the
>> forwarders should be picked up by PowerDNS Recursor and then returned to
>> the user's client program?
>>
>> It's best to assume the process is random. For any given query, the
>> resulting data can come from any of the IPs, and there is no guarantee from
>> which one. So, in general, make sure your backend IPs agree on the data!
>>
>> Kind regards,
>> --
>> Peter van Dijk
>> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
>
> --
> Hongyi Zhao
> Xinjiang Technical Institute of Physics and Chemistry
> Chinese Academy of Sciences
> GnuPG DSA: 0xD108493

--
Hongyi Zhao
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences
GnuPG DSA: 0xD108493

From peter.van.dijk at powerdns.com Mon Feb 23 11:20:58 2015
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Mon, 23 Feb 2015 12:20:58 +0100
Subject: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
In-Reply-To:
References: <64FC190F-56B3-4872-9E3C-939EA961F6D9@powerdns.com>
Message-ID: <856ED1CE-E97E-44B7-B61A-83AF5A8F5ED3@powerdns.com>

Hello,

On 23 Feb 2015, at 11:49 , Hongyi Zhao wrote:

> Why not let the process run in parallel and then pick out the one which is returned first to the client?
In general (without forward-rules), we do something better: we try the servers and remember which one was faster. That way you get the performance benefits without unnecessarily overloading the other servers. I'm not entirely sure we do this for forward rules.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From hongyi.zhao at gmail.com Mon Feb 23 12:05:19 2015
From: hongyi.zhao at gmail.com (Hongyi Zhao)
Date: Mon, 23 Feb 2015 20:05:19 +0800
Subject: [Pdns-users] About the mechanism of forward-zones when using multiple ips for one zonename.
In-Reply-To: <856ED1CE-E97E-44B7-B61A-83AF5A8F5ED3@powerdns.com>
References: <64FC190F-56B3-4872-9E3C-939EA961F6D9@powerdns.com> <856ED1CE-E97E-44B7-B61A-83AF5A8F5ED3@powerdns.com>
Message-ID:

Which forward-rules do you mean by saying "without forward-rules"? Can these forward rules all be set or controlled using the config file of pdns_recursor? Why can't these rules be treated in combination with the internal optimizing algorithms for determining the maybe-best servers?

Regards

2015-02-23 19:20 GMT+08:00 Peter van Dijk :
> Hello,
>
> On 23 Feb 2015, at 11:49 , Hongyi Zhao wrote:
>
> > Why not let the process run in parallel and then pick out the one which
> is returned first to the client?
>
> In general (without forward-rules), we do something better: we try the
> servers and remember which one was faster. That way you get the performance
> benefits without unnecessarily overloading the other servers. I'm not
> entirely sure we do this for forward rules.
>
> Kind regards,
> --
> Peter van Dijk
> Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

--
Hongyi Zhao
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences
GnuPG DSA: 0xD108493

From bert.hubert at powerdns.com Mon Feb 23 14:58:14 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Mon, 23 Feb 2015 15:58:14 +0100
Subject: [Pdns-users] PowerDNS development plans: 4.x DNSSEC, C++ 2011!
Message-ID: <20150223145813.GA15931@xs.powerdns.com>

In this post, we'd like to share our current plans for .. PowerDNS 4.x! We shared this first with the PowerDNS-development community, and after we gathered feedback, we're now announcing it more broadly.

The tl;dr: For the next few months we will be spring cleaning git master, and stable code and releases can be found in the auth-3.4 and rec-3.7 branches. We'll also be moving to C++ 2011. Please read on for the whole story.

First some background. PowerDNS is a 15 year old software project, and over these 1.5 decades, we have built up some 'technical debt' (http://en.wikipedia.org/wiki/Technical_debt), and it is time for a spring cleaning in our code.

Meanwhile, we are broadening what our code does, to include for example smart, DNS-native, load balancing and further denial of service mitigation. And of course, the major work of bringing carrier-grade DNSSEC to the recursor.

Finally, we've fallen in love with C++ 2011, and we would like to start taking advantage of this now 4 year old revision of C++.

All this means some important changes.
For one, where it used to be the case that our git 'master' was usually fit to run in production (and people actually did this), for the coming few months please consider our master branch a 'heavy development zone'. While we'll try to keep things working, it might break for hours or even days at a time. Even though there will be somewhat of a wild-west aspect to development, major changes will be implemented as pull requests from separate branches that can be studied by the community.

Meanwhile, PowerDNS 3.x development and maintenance will continue on separate release branches. The latest 3.x releases will remain actively supported until 4.x is more powerful, more stable, and can be compiled on Debian Stable (more about this later). Active support means more than passive maintenance: if there are pressing things that need to happen, they will happen. But the focus for new things will shift to 4.x.

(as an example, we are currently gathering the patches for auth-3.4.3, see https://twitter.com/powerdns/status/569872447757025280 )

Things we will be addressing during our spring cleaning include:

* We treat DNS names as ASCII strings, which we escape and unescape repeatedly. DNS names are not ascii strings, and we keep finding issues related to us treating them like strings.

* The PowerDNS Authoritative Server distributes queries to multiple backends inefficiently

* The PowerDNS Recursor cache is both slower and less memory efficient than it could be

* DNSSEC in the PowerDNS Recursor

* Move our own atomic, locking and semaphore infrastructure to C++ 2011 native

* The Lua APIs use an ascii based interface for domain names and IP addresses, and this could be faster

One thing we are probably not going to do is change the database format, by the way.

The somewhat bad news about the spring cleaning is that we'll come out of it as a C++ 2011 project, which means that to compile PowerDNS, you'll need GCC 4.8 (released in March 2013).
Gcc 4.8 is not currently the default in Debian stable or RHEL/CentOS 6, but it is available.

It is the default in RHEL7 and in what will become the next Debian stable. It also ships in Ubuntu 14. We will also be targeting clang 3.5. We have chosen C++ 2011 for a variety of reasons, many of which are described in an earlier blogpost (http://bert-hubert.blogspot.nl/2015/01/on-c2011-quality-of-implementation.html).

NOTE: PowerDNS 4.x products WILL run on older distribution releases of course! However, on older distros, compiling with the system default compiler may not work.

To clarify, the 4.x branch will not fundamentally alter PowerDNS. This should not be compared to BIND 9 to BIND 10, for example (or even 8 to 9). Fundamentally we think the PowerDNS design is sound, it just needs a decent spring cleaning. This will come in especially handy when deploying our DNSSEC validation.

So how long will it take until 4.x is production ready? We'll let you know once we get there, but we are hoping to finish the cleanup in several months, after which we expect further work to iron out remaining issues. In any case, 3.x will remain supported until gcc 4.8 is widely available on currently shipping distributions.

Thanks, and please again let us know your thoughts about this proposed plan. Although this is what we intend to do, we can change our mind if there are good reasons to do so!

PowerDNS

From nicholas at nicholaswilliams.net Mon Feb 23 16:52:14 2015
From: nicholas at nicholaswilliams.net (Nicholas Williams)
Date: Mon, 23 Feb 2015 10:52:14 -0600
Subject: [Pdns-users] PowerDNS development plans: 4.x DNSSEC, C++ 2011!
In-Reply-To: <20150223145813.GA15931@xs.powerdns.com>
References: <20150223145813.GA15931@xs.powerdns.com>
Message-ID:

This is exciting news, Bert! Some follow-up questions/comments:

- Will 3.x development end on the 3.4 track, or is there still a plan for 3.5? If 3.4 is it, what's the plan for features (such as ALIAS) that were scheduled for 3.5?
Are they delayed to 4.0 (if so, sad face)?

- Currently, PowerDNS Authoritative and PowerDNS Recursor share a repository (https://github.com/PowerDNS/pdns). This can make things especially confusing, since there are recursor development branches, authoritative development branches, recursor version branches, authoritative version branches, recursor release tags, and authoritative release tags all within the same repository. During all this work being done on master, can the opportunity be taken to move shared code into X repository and then have a repo for Recursor and a separate repo for Authoritative? It seems like it would be a much cleaner arrangement.

Good luck in this new challenge!

Nick

On Mon, Feb 23, 2015 at 8:58 AM, bert hubert wrote:
> In this post, we'd like to share our current plans for .. PowerDNS 4.x! We
> shared this first with the PowerDNS-development community, and after we
> gathered feedback, we're now announcing it more broadly.
>
> The tl;dr: For the next few months we will be spring cleaning git master,
> and stable code and releases can be found in the auth-3.4 and rec-3.7
> branches. We'll also be moving to C++ 2011. Please read on for the
> whole story.
>
> First some background. PowerDNS is a 15 year old software project, and over
> these 1.5 decades, we have built up some 'technical debt'
> (http://en.wikipedia.org/wiki/Technical_debt), and it is time for a spring
> cleaning in our code.
>
> Meanwhile, we are broadening what our code does, to include for example
> smart, DNS-native, load balancing and further denial of service mitigation.
> And of course, the major work of bringing carrier-grade DNSSEC to the
> recursor.
>
> Finally, we've fallen in love with C++ 2011, and we would like to start
> taking advantage of this now 4 year old revision of C++.
>
> All this means some important changes.
> For one, where it used to be the case
> that our git 'master' was usually fit to run in production (and people
> actually did this), for the coming few months please consider our master
> branch a 'heavy development zone'. While we'll try to keep things working,
> it might break for hours or even days at a time. Even though there will
> be somewhat of a wild-west aspect to development, major changes will be
> implemented as pull requests from separate branches that can be studied by
> the community.
>
> Meanwhile, PowerDNS 3.x development and maintenance will continue on
> separate release branches. The latest 3.x releases will remain actively
> supported until 4.x is more powerful, more stable, and can be compiled on
> Debian Stable (more about this later). Active support means more than
> passive maintenance, if there are pressing things that need to happen, they
> will happen. But the focus for new things will shift to 4.x.
>
> (as an example, we are currently gathering the patches for auth-3.4.3, see
> https://twitter.com/powerdns/status/569872447757025280 )
>
> Things we will be addressing during our spring cleaning include:
>
> * We treat DNS names as ASCII strings, which we escape and unescape
> repeatedly. DNS names are not ascii strings, and we keep finding
> issues related to us treating them like strings.
>
> * The PowerDNS Authoritative Server distributes queries to multiple
> backends inefficiently
>
> * The PowerDNS Recursor cache is both slower and less memory efficient
> than it could be
>
> * DNSSEC in the PowerDNS Recursor
>
> * Move our own atomic, locking and semaphore infrastructure to C++ 2011
> native
>
> * The Lua APIs use an ascii based interface for domain names and IP
> addresses, and this could be faster
>
> One thing we are probably not going to do is change the database format, by
> the way.
>
> The somewhat bad news about the spring cleaning is that we'll come out of
> it as a C++ 2011 project, which means that to compile PowerDNS, you'll need
> GCC 4.8 (released in March 2013). Gcc 4.8 is not currently the default in
> Debian stable or RHEL/CentOS 6, but it is available.
>
> It is the default in RHEL7 and in what will become the next Debian stable.
> It also ships in Ubuntu 14. We will also be targeting clang 3.5. We have
> chosen C++ 2011 for a variety of reasons, many of which are described in an
> earlier blogpost
> (http://bert-hubert.blogspot.nl/2015/01/on-c2011-quality-of-implementation.html).
>
> NOTE: PowerDNS 4.x products WILL run on older distribution releases of
> course! However, on older distros, compiling with the system default
> compiler may not work.
>
> To clarify, the 4.x branch will not fundamentally alter PowerDNS. This
> should not be compared to BIND 9 to BIND 10, for example (or even 8 to 9).
> Fundamentally we think the PowerDNS design is sound, it just needs a decent
> spring cleaning. This will come in especially handy when deploying our
> DNSSEC validation.
>
> So how long will it take until 4.x is production ready? We'll let you know
> once we get there, but we are hoping to finish the cleanup in several
> months, after which we expect further work to iron out remaining issues.
> In any case, 3.x will remain supported until gcc 4.8 is widely available on
> currently shipping distributions.
>
> Thanks, and please again let us know your thoughts about this proposed
> plan. Although this is what we intend to do, we can change our mind if there
> are good reasons to do so!
>
> PowerDNS
From michael at stroeder.com Mon Feb 23 17:50:16 2015
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 23 Feb 2015 18:50:16 +0100
Subject: [Pdns-users] DNS names and strings (was: PowerDNS development plans: 4.x DNSSEC, C++ 2011!)
In-Reply-To: <20150223145813.GA15931@xs.powerdns.com>
References: <20150223145813.GA15931@xs.powerdns.com>
Message-ID: <54EB6858.703@stroeder.com>

bert hubert wrote:
> In this post, we'd like to share our current plans for .. PowerDNS 4.x!

Glad to read all your plans.

> * We treat DNS names as ASCII strings, which we escape and unescape
> repeatedly. DNS names are not ascii strings, and we keep finding
> issues related to us treating them like strings.

Unfortunately the term string is used in many different ways. Could you please elaborate on what that means exactly? E.g. will this affect the way NON-ASCII DNS names are stored in backend files?

Ciao, Michael.

From nicholas at nicholaswilliams.net Mon Feb 23 18:44:54 2015
From: nicholas at nicholaswilliams.net (Nicholas Williams)
Date: Mon, 23 Feb 2015 12:44:54 -0600
Subject: [Pdns-users] DNS names and strings (was: PowerDNS development plans: 4.x DNSSEC, C++ 2011!)
In-Reply-To: <54EB6858.703@stroeder.com>
References: <20150223145813.GA15931@xs.powerdns.com> <54EB6858.703@stroeder.com>
Message-ID:

I'm also very interested in finding out more about the change around ASCII names.

N

On Mon, Feb 23, 2015 at 11:50 AM, Michael Ströder wrote:
> bert hubert wrote:
> > In this post, we'd like to share our current plans for .. PowerDNS 4.x!
>
> Glad to read all your plans.
>
> > * We treat DNS names as ASCII strings, which we escape and unescape
> > repeatedly. DNS names are not ascii strings, and we keep finding
> > issues related to us treating them like strings.
>
> Unfortunately the term string is used in many different ways.
> Could you please elaborate on what that means exactly?
> E.g. will this affect the way NON-ASCII DNS names are stored in backend
> files?
>
> Ciao, Michael.

From nicholas at nicholaswilliams.net Mon Feb 23 18:48:49 2015
From: nicholas at nicholaswilliams.net (Nicholas Williams)
Date: Mon, 23 Feb 2015 12:48:49 -0600
Subject: [Pdns-users] Reply-To Change?

PowerDNS's users list (and possibly the other lists—I'm not on those) is the only list I use (and I'm on a LOT of dev/user mailing lists) where hitting "reply" replies to the person who sent the email. Every other list I'm on, messages are modified by the list software to include a Reply-To header containing the list's address so that hitting reply _only_ puts the list's address in the recipient field and hitting "Reply All" isn't necessary.

This frequently trips me up a lot, and I end up replying directly to people and not sending to the list. I don't see any good reason for not having a list reply-to. Also, IIRC, the list software PowerDNS is using supports having a list reply-to.

Can we get this change implemented?

Nick

From bert.hubert at powerdns.com Mon Feb 23 18:49:35 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Mon, 23 Feb 2015 19:49:35 +0100
Subject: [Pdns-users] DNS names and strings (was: PowerDNS development plans: 4.x DNSSEC, C++ 2011!)
References: <20150223145813.GA15931@xs.powerdns.com> <54EB6858.703@stroeder.com>
Message-ID: <20150223184935.GA19557@xs.powerdns.com>

On Mon, Feb 23, 2015 at 12:44:54PM -0600, Nicholas Williams wrote:
> I'm also very interested in finding out more about the change around ASCII
> names.

I can recommend our ever growing set of test cases:
https://github.com/ahupowerdns/pdns/blob/dnsname/pdns/test-dnsname_cc.cc

DNS, surprisingly, is 8-bit clean. You can put any stream of octets in DNS (up to a certain length). However, this is not how we print it. http://www.ietf.org/rfc/rfc4343.txt has some words on this.

> > Unfortunately the term string is used in many different ways.
> > Could you please elaborate on what that means exactly?
> > E.g. will this affect the way NON-ASCII DNS names are stored in backend
> > files?

No, it is not intended to make any changes, except for where we got it wrong. We internally have loads of places where we convert to and from (un)escaped versions, add dots, remove dots etc. We get it wrong in some places now.

Bert

From bert.hubert at powerdns.com Mon Feb 23 18:54:29 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Mon, 23 Feb 2015 19:54:29 +0100
Subject: [Pdns-users] Reply-To Change?
Message-ID: <20150223185429.GB19557@xs.powerdns.com>

On Mon, Feb 23, 2015 at 12:48:49PM -0600, Nicholas Williams wrote:
> This frequently trips me up a lot, and I end up replying directly to people
> and not sending to the list. I don't see any good reason for not having a
> list reply-to. Also, IIRC, the list software PowerDNS is using supports
> having a list reply-to.

Oddly enough, the lists we are on do it 'our' way. We rather have it err to your reply being more private than you intended than being more public than you intended.

> Can we get this change implemented?

Probably not - this has been the setting for 15 years, we've not heard more complaints. Sorry!
Bert

From sksumit1 at gmail.com Tue Feb 24 09:29:19 2015
From: sksumit1 at gmail.com (sumit sharma)
Date: Tue, 24 Feb 2015 14:59:19 +0530
Subject: [Pdns-users] SOA record is coming in answer section

Hi All,

I am currently using the pipe backend to serve powerdns responses. I am trying to make powerdns an all-authoritative server.

dig query -> dig ANY subdomain.mydomain.com

I am sending the following response to powerdns:
1. pdns requests for SOA record
2. I send back
   subdomain.mydomain.com. 0 IN SOA ahu.mydomain.com. ns1.mydomain.com. 2008080300 1800 3600 604800 3600
3. pdns requests for ANY record
4. I send back A & TXT records.

I see the SOA record coming in ANSWER SECTION of dig query response. I want to make it come to AUTHORITY SECTION.

What can I do to make it happen?

Thanks,
Sumit

From cmouse at youzen.ext.b2.fi Tue Feb 24 09:50:47 2015
From: cmouse at youzen.ext.b2.fi (Aki Tuomi)
Date: Tue, 24 Feb 2015 11:50:47 +0200
Subject: [Pdns-users] SOA record is coming in answer section
Message-ID: <20150224095047.GA27951@pi.ip.fi>

On Tue, Feb 24, 2015 at 02:59:19PM +0530, sumit sharma wrote:
> Hi All,
>
> I am currently using the pipe backend to serve powerdns responses.
> I am trying to make powerdns an all-authoritative server.
>
> dig query -> dig ANY subdomain.mydomain.com
>
> I am sending the following response to powerdns:
> 1. pdns requests for SOA record
> 2. I send back
>    subdomain.mydomain.com. 0 IN SOA ahu.mydomain.com. ns1.mydomain.com. 2008080300 1800 3600 604800 3600
> 3. pdns requests for ANY record
> 4. I send back A & TXT records.
>
> I see the SOA record coming in ANSWER SECTION of dig query response.
> I want to make it come to AUTHORITY SECTION.
>
> What can I do to make it happen?
>
> Thanks,
> Sumit

Why exactly do you want it in AUTHORITY SECTION?
Aki

From sksumit1 at gmail.com Tue Feb 24 10:51:28 2015
From: sksumit1 at gmail.com (sumit sharma)
Date: Tue, 24 Feb 2015 16:21:28 +0530
Subject: [Pdns-users] SOA record is coming in answer section
In-Reply-To: <20150224095047.GA27951@pi.ip.fi>
References: <20150224095047.GA27951@pi.ip.fi>

Hi Aki,

I want the SOA record that I am sending from the backend to come in the AUTHORITY section of the dig response. Sometimes the SOA record comes in AUTHORITY SECTION, but mostly it comes in ANSWER SECTION. I want the response to be consistent. A and TXT records always come as expected in ANSWER SECTION. Hence from dig, sometimes I get 1 authority & 2 answers but mostly I get 0 authority and 3 answers.

Regards,
Sumit

On Tue, Feb 24, 2015 at 3:20 PM, Aki Tuomi wrote:
> On Tue, Feb 24, 2015 at 02:59:19PM +0530, sumit sharma wrote:
> > Hi All,
> >
> > I am currently using the pipe backend to serve powerdns responses.
> > I am trying to make powerdns an all-authoritative server.
> >
> > dig query -> dig ANY subdomain.mydomain.com
> >
> > I am sending the following response to powerdns:
> > 1. pdns requests for SOA record
> > 2. I send back
> >    subdomain.mydomain.com. 0 IN SOA ahu.mydomain.com. ns1.mydomain.com. 2008080300 1800 3600 604800 3600
> > 3. pdns requests for ANY record
> > 4. I send back A & TXT records.
> >
> > I see the SOA record coming in ANSWER SECTION of dig query response.
> > I want to make it come to AUTHORITY SECTION.
> >
> > What can I do to make it happen?
> >
> > Thanks,
> > Sumit
>
> Why exactly do you want it in AUTHORITY SECTION?
>
> Aki

From cmouse at youzen.ext.b2.fi Tue Feb 24 13:06:16 2015
From: cmouse at youzen.ext.b2.fi (Aki Tuomi)
Date: Tue, 24 Feb 2015 15:06:16 +0200
Subject: [Pdns-users] SOA record is coming in answer section
References: <20150224095047.GA27951@pi.ip.fi>
Message-ID: <20150224130616.GA30170@pi.ip.fi>

But there is a reason why it's sometimes in either one; there is no sense in trying to fix this for consistency.

The SOA record goes in the ANSWER section when you ask for the SOA record (or ANY).

The SOA record goes in the AUTHORITY section when a record is not found in the zone.

Aki

On Tue, Feb 24, 2015 at 04:21:28PM +0530, sumit sharma wrote:
> Hi Aki,
>
> I want the SOA record that I am sending from the backend to come in the
> AUTHORITY section of the dig response. Sometimes the SOA record comes in
> AUTHORITY SECTION, but mostly it comes in ANSWER SECTION. I want the
> response to be consistent. A and TXT records always come as expected in
> ANSWER SECTION. Hence from dig, sometimes I get 1 authority & 2 answers
> but mostly I get 0 authority and 3 answers.
>
> Regards,
> Sumit
>
> On Tue, Feb 24, 2015 at 3:20 PM, Aki Tuomi wrote:
>
> > On Tue, Feb 24, 2015 at 02:59:19PM +0530, sumit sharma wrote:
> > > Hi All,
> > >
> > > I am currently using the pipe backend to serve powerdns responses.
> > > I am trying to make powerdns an all-authoritative server.
> > >
> > > dig query -> dig ANY subdomain.mydomain.com
> > >
> > > I am sending the following response to powerdns:
> > > 1. pdns requests for SOA record
> > > 2. I send back
> > >    subdomain.mydomain.com. 0 IN SOA ahu.mydomain.com. ns1.mydomain.com. 2008080300 1800 3600 604800 3600
> > > 3. pdns requests for ANY record
> > > 4. I send back A & TXT records.
> > >
> > > I see the SOA record coming in ANSWER SECTION of dig query response.
> > > I want to make it come to AUTHORITY SECTION.
> > >
> > > What can I do to make it happen?
> > >
> > > Thanks,
> > > Sumit
> >
> > Why exactly do you want it in AUTHORITY SECTION?
> >
> > Aki

From hunterj91 at hotmail.com Tue Feb 24 14:04:46 2015
From: hunterj91 at hotmail.com (Jonathan Hunter)
Date: Tue, 24 Feb 2015 14:04:46 +0000
Subject: [Pdns-users] longest-digit match in records name lookup NAPTR

Hi Guys,

Sorry, last question for a while!

Is it possible to disable longest-digit match in the name lookup?

I only ask as running queries on the following entries (shown below from the records table), using for example a dig for NAPTR 4.3.2.1.5.5.5.4.0.7.1.0.0.e164.sip.mn, the call is always routed to carrier 3, whereas I'd like to be in a position ideally where it would pick up the wildcard with the higher priority (carrier1.com).

Is it an option or not designed due to RFC?

Thanks

Jon

mysql> select * from records;
+----+-----------+---------------------------------+-------+------------------------------------------------------+-----+------+-------------+----------+-----------+------+
| id | domain_id | name                            | type  | content                                              | ttl | prio | change_date | disabled | ordername | auth |
+----+-----------+---------------------------------+-------+------------------------------------------------------+-----+------+-------------+----------+-----------+------+
|  5 |         1 | *.1.0.0.e164.sip.mn             | NAPTR | 1 1 "U" "E2U+sip" "!^(.*)$!sip:\\1@carrier1.com!" .  | 120 | NULL | NULL        |        0 | NULL      |    1 |
|  6 |         1 | *.1.0.0.e164.sip.mn             | NAPTR | 3 10 "U" "E2U+sip" "!^(.*)$!sip:\\1@carrier2.com!" . | 120 | NULL | NULL        |        0 | NULL      |    1 |
|  7 |         1 | *.5.5.5.4.0.7.1.0.0.e164.sip.mn | NAPTR | 5 10 "U" "E2U+sip" "!^(.*)$!sip:\\1@carrier3.com!" . | 120 | NULL | NULL        |        0 | NULL      |    1 |
+----+-----------+---------------------------------+-------+------------------------------------------------------+-----+------+-------------+----------+-----------+------+

From peter.van.dijk at powerdns.com Tue Feb 24 14:49:10 2015
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Tue, 24 Feb 2015 15:49:10 +0100
Subject: [Pdns-users] longest-digit match in records name lookup NAPTR
Message-ID: <9FE5E28D-EDE2-471E-B832-A6887AF81714@powerdns.com>

Hello Jonathan,

On 24 Feb 2015, at 15:04 , Jonathan Hunter wrote:
> Is it possible to disable longest-digit match in the name lookup?
>
> I only ask as running queries on the following entries (shown below from the
> records table), using for example a dig for NAPTR
> 4.3.2.1.5.5.5.4.0.7.1.0.0.e164.sip.mn, the call is always routed to carrier 3,
> whereas I'd like to be in a position ideally where it would pick up the
> wildcard with the higher priority (carrier1.com).
>
> Is it an option or not designed due to RFC?

The current behaviour is indeed mandated by the relevant RFCs.

If you don’t want *.5.5.5 to match, why not remove or disable it?

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

From sksumit1 at gmail.com Tue Feb 24 19:11:30 2015
From: sksumit1 at gmail.com (sumit sharma)
Date: Wed, 25 Feb 2015 00:41:30 +0530
Subject: [Pdns-users] SOA record is coming in answer section
In-Reply-To: <20150224130616.GA30170@pi.ip.fi>
References: <20150224095047.GA27951@pi.ip.fi> <20150224130616.GA30170@pi.ip.fi>

Thanks for the answer.

One more question. During high performance runs using my dig command, sometimes my pipe backend receives queries Q AXFR -1. Is there a way to disable that?
My current AXFR configuration in pdns.conf:

  allow-axfr-ips         (this is commented out)
  disable-axfr=yes
  disable-axfr-rectify=yes

Thanks,
Sumit

On Tue, Feb 24, 2015 at 6:36 PM, Aki Tuomi wrote:
> But there is a reason why it's sometimes in either one; there is no sense
> in trying to fix this for consistency.
>
> The SOA record goes in the ANSWER section when you ask for the SOA record (or ANY).
>
> The SOA record goes in the AUTHORITY section when a record is not found in the
> zone.
>
> Aki
>
> On Tue, Feb 24, 2015 at 04:21:28PM +0530, sumit sharma wrote:
> > Hi Aki,
> >
> > I want the SOA record that I am sending from the backend to come in the
> > AUTHORITY section of the dig response. Sometimes the SOA record comes in
> > AUTHORITY SECTION, but mostly it comes in ANSWER SECTION. I want the
> > response to be consistent. A and TXT records always come as expected in
> > ANSWER SECTION. Hence from dig, sometimes I get 1 authority & 2 answers
> > but mostly I get 0 authority and 3 answers.
> >
> > Regards,
> > Sumit
> >
> > On Tue, Feb 24, 2015 at 3:20 PM, Aki Tuomi wrote:
> >
> > > On Tue, Feb 24, 2015 at 02:59:19PM +0530, sumit sharma wrote:
> > > > Hi All,
> > > >
> > > > I am currently using the pipe backend to serve powerdns responses.
> > > > I am trying to make powerdns an all-authoritative server.
> > > >
> > > > dig query -> dig ANY subdomain.mydomain.com
> > > >
> > > > I am sending the following response to powerdns:
> > > > 1. pdns requests for SOA record
> > > > 2. I send back
> > > >    subdomain.mydomain.com. 0 IN SOA ahu.mydomain.com. ns1.mydomain.com. 2008080300 1800 3600 604800 3600
> > > > 3. pdns requests for ANY record
> > > > 4. I send back A & TXT records.
> > > >
> > > > I see the SOA record coming in ANSWER SECTION of dig query response.
> > > > I want to make it come to AUTHORITY SECTION.
> > > >
> > > > What can I do to make it happen?
> > > >
> > > > Thanks,
> > > > Sumit
> > >
> > > Why exactly do you want it in AUTHORITY SECTION?
> > >
> > > Aki

From cyruspy at gmail.com Tue Feb 24 20:49:27 2015
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Tue, 24 Feb 2015 17:49:27 -0300
Subject: [Pdns-users] ANY+Reflection Attacks?

Hi!, I'm seeing a lot of messages of type "Timeout from remote TCP client 10.XXX.XXX.XXX", it seems to be an attack given we have "any-to-tcp = yes".

Is this usual? Is there any way to identify the attackers? The service is working fine and we have in our roadmap constant packet capture for data mining, but I find this behaviour new/interesting today :)

Any comments?

Regards,

--
Ciro Iriarte
http://iriarte.it
--

From cyruspy at gmail.com Wed Feb 25 02:30:15 2015
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Tue, 24 Feb 2015 23:30:15 -0300
Subject: [Pdns-users] ANY+Reflection Attacks?

2015-02-24 17:49 GMT-03:00 Ciro Iriarte :
> Hi!, I'm seeing a lot of messages of type "Timeout from remote TCP client
> 10.XXX.XXX.XXX", it seems to be an attack given we have "any-to-tcp = yes".
>
> Is this usual? Is there any way to identify the attackers? The service is
> working fine and we have in our roadmap constant packet capture for data
> mining, but I find this behaviour new/interesting today :)
>
> Any comments?
>
> Regards,
>
> --
> Ciro Iriarte
> http://iriarte.it
> --

Well, never mind. After all, those are legitimate clients and there seems to be a firewall with connection tracking issues. What's unexpected to me is having TCP requests, I was expecting only UDP traffic from end users.
Regards,

--
Ciro Iriarte
http://iriarte.it
--

From michael at stroeder.com Wed Feb 25 08:25:21 2015
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 25 Feb 2015 09:25:21 +0100
Subject: [Pdns-users] ANY+Reflection Attacks?
Message-ID: <54ED86F1.4030304@stroeder.com>

Ciro Iriarte wrote:
> 2015-02-24 17:49 GMT-03:00 Ciro Iriarte :
>
>> Hi!, I'm seeing a lot of messages of type "Timeout from remote TCP client
>> 10.XXX.XXX.XXX", it seems to be an attack given we have "any-to-tcp = yes".
>>
>> Is this usual? Is there any way to identify the attackers? The service is
>> working fine and we have in our roadmap constant packet capture for data
>> mining, but I find this behaviour new/interesting today :)
>>
>> Any comments?
>>
>> Regards,
>
> Well, never mind. After all, those are legitimate clients and there seems
> to be a firewall with connection tracking issues. What's unexpected to me
> is having TCP requests, I was expecting only UDP traffic from end users.

DNSSEC used?

Ciao, Michael.

From cyruspy at gmail.com Wed Feb 25 17:34:09 2015
From: cyruspy at gmail.com (Ciro Iriarte)
Date: Wed, 25 Feb 2015 14:34:09 -0300
Subject: [Pdns-users] ANY+Reflection Attacks?
In-Reply-To: <54ED86F1.4030304@stroeder.com>
References: <54ED86F1.4030304@stroeder.com>

On Feb 25, 2015 5:25 AM, "Michael Ströder" wrote:
>
> Ciro Iriarte wrote:
> > 2015-02-24 17:49 GMT-03:00 Ciro Iriarte :
> >
> >> Hi!, I'm seeing a lot of messages of type "Timeout from remote TCP client
> >> 10.XXX.XXX.XXX", it seems to be an attack given we have "any-to-tcp = yes".
> >>
> >> Is this usual? Is there any way to identify the attackers?
> >> The service is working fine and we have in our roadmap constant packet
> >> capture for data mining, but I find this behaviour new/interesting today :)
> >>
> >> Any comments?
> >>
> >> Regards,
> >
> > Well, never mind. After all, those are legitimate clients and there seems
> > to be a firewall with connection tracking issues. What's unexpected to me
> > is having TCP requests, I was expecting only UDP traffic from end users.
>
> DNSSEC used?
>
> Ciao, Michael.
>

As far as I remember, pdns-recursor doesn't support DNSSEC.

Regards,
Ciro

From hunterj91 at hotmail.com Wed Feb 25 18:40:07 2015
From: hunterj91 at hotmail.com (Jonathan Hunter)
Date: Wed, 25 Feb 2015 18:40:07 +0000
Subject: [Pdns-users] Optimize Powerdns and Mysql for DB with 500K entries

Hi Guys,

I appreciate there are optimization tips on the website, however I wondered if there are any specific tips for optimization when dealing with a records table or associated view of 500K rows in a Mysql backend database on a Virtual Centos Machine with 2 x 3Ghz processors, 1GB RAM and 20GB Memory.

I am seeing some slow responses in terms of using dig to perform NAPTR record lookups.

Any help would be great.

Many thanks

Jon

From mh+pdns-users at zugschlus.de Wed Feb 25 20:50:40 2015
From: mh+pdns-users at zugschlus.de (Marc Haber)
Date: Wed, 25 Feb 2015 21:50:40 +0100
Subject: [Pdns-users] Reply-To Change?
Message-ID: <20150225205040.GK26963@torres.zugschlus.de>

On Mon, Feb 23, 2015 at 12:48:49PM -0600, Nicholas Williams wrote:
> PowerDNS's users list (and possibly the other lists—I'm not on those) is
> the only list I use (and I'm on a LOT of dev/user mailing lists) where
> hitting "reply" replies to the person who sent the email.
> Every other list
> I'm on, messages are modified by the list software to include a Reply-To
> header containing the list's address so that hitting reply _only_ puts the
> list's address in the recipient field and hitting "Reply All" isn't
> necessary.

http://www.unicom.com/pw/reply-to-harmful.html

Most of the mailing lists I am on don't munge Reply-To. I'd say, the vast majority, this being the opposite of your experience. I must be on a different intraweb then.

That being said, kindly use your mail reader's list reply function. Decent software has such a function.

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600420

From lists at shthead.com Thu Feb 26 02:14:41 2015
From: lists at shthead.com (Chris)
Date: Thu, 26 Feb 2015 10:14:41 +0800
Subject: [Pdns-users] Optimize Powerdns and Mysql for DB with 500K entries
Message-ID: <54EE8191.1090503@shthead.com>

Hi,

I have 3 PowerDNS instances running with the MySQL backend across 4 DNS servers. The largest has 1,883,763 domains with 9,736,133 records (with all instances combined there is a total of 21M rows in the records table).

The only things I have done for performance are:
- All tables are InnoDB
- All DNS servers have 16GB or more of memory, InnoDB buffer pool size is at least 10GB on each
- MySQL 5.6 (actually running Percona, upgrading from 5.5 to 5.6 gave me a slight performance increase)
- InnoDB file format is barracuda, tables are compressed with 4KB page size

With table compression my largest instance uses a total of 750mb on disk.
The minimum specs for my DNS servers are:
- 2 x E5-2620 CPU (6 cores + hyperthreading each)
- 16GB of RAM
- 2 x 15K SAS in RAID 1

With the 3 PowerDNS instances + unbound instance for caching name server the load average on the servers is less than 1, there is no IO wait. Each DNS server is handling an average of 6,714 queries per second across the 3 PowerDNS instances and Unbound.

Using dnsscope for my biggest instance I can see that I get these stats:

    0.01% of questions answered within 50 usec (0.01%)
   51.67% of questions answered within 100 usec (51.67%)
   60.11% of questions answered within 200 usec (8.44%)
   60.40% of questions answered within 300 usec (0.29%)
   60.70% of questions answered within 400 usec (0.30%)
   63.85% of questions answered within 800 usec (3.14%)
   67.78% of questions answered within 1000 usec (3.93%)
   97.93% of questions answered within 2.00 msec (30.15%)
   99.71% of questions answered within 4.00 msec (1.78%)
   99.97% of questions answered within 8.00 msec (0.26%)
  100.00% of questions answered within 32.00 msec (0.03%)
  100.00% of questions answered within 64.00 msec (0.00%)
  0 responses (0.00%) older than 2 seconds
  Average non-late response time: 569.60 usec

What kind of statistics are you seeing? Do you get large amounts of I/O wait on the server? Is your mysql innodb buffer pool size large enough to hold the entire table in RAM?

Chris

On 26/02/2015 2:40 AM, Jonathan Hunter wrote:
> Hi Guys,
>
> I appreciate there are optimization tips on the website, however I
> wondered if there are any specific tips for optimization when dealing
> with a records table or associated view of 500K rows in a Mysql
> backend database on a Virtual Centos Machine with 2 x 3Ghz processors,
> 1GB RAM and 20GB Memory.
>
> I am seeing some slow responses in terms of using dig to perform NAPTR
> record lookups.
>
> Any help would be great.
>
> Many thanks
>
> Jon

From geirskjo at gmail.com Thu Feb 26 07:11:55 2015
From: geirskjo at gmail.com (xxsyys)
Date: Thu, 26 Feb 2015 00:11:55 -0700 (MST)
Subject: [Pdns-users] Proper response to PING on pipe backend.
Message-ID: <1424934715700-11341.post@n7.nabble.com>

Hi,

I am implementing a pipe backend for pdns.

What is the proper response to the "PING" command? The documentation at https://doc.powerdns.com/md/authoritative/backend-pipe/#pipebackend-protocol does not say.

I would assume it is "PONG" but the list of acceptable answer tags does not contain PONG, leading me to believe it would be either just

  END

or

  DATA\tPONG
  END

In advance, thanks.

best regards,
-geir

From christian.hofstaedtler at deduktiva.com Thu Feb 26 07:37:06 2015
From: christian.hofstaedtler at deduktiva.com (Christian Hofstaedtler)
Date: Thu, 26 Feb 2015 07:37:06 +0000
Subject: [Pdns-users] Proper response to PING on pipe backend.
In-Reply-To: <1424934715700-11341.post@n7.nabble.com>
References: <1424934715700-11341.post@n7.nabble.com>
Message-ID: <1A19410E-9C2D-44CE-9F92-DC3E9E9970F8@deduktiva.com>

> On 26 Feb 2015, at 08:11, xxsyys wrote:
>
> Hi,
>
> I am implementing a pipe backend for pdns.
>
> What is the proper response to the "PING" command? The documentation at
> https://doc.powerdns.com/md/authoritative/backend-pipe/#pipebackend-protocol
> does not say.
>
> I would assume it is "PONG" but the list of acceptable answer tags does not
> contain PONG, leading me to believe it would be either just
> END
> or
> DATA\tPONG
> END

The documentation says nothing about a reply to PING, because it doesn’t say anything about PING in the first place.

PING is not a command/query for pipebackend coprocesses.

--
Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
www.deduktiva.com / +43 1 353 1707

From geirskjo at gmail.com Thu Feb 26 08:55:06 2015
From: geirskjo at gmail.com (xxsyys)
Date: Thu, 26 Feb 2015 01:55:06 -0700 (MST)
Subject: [Pdns-users] Proper response to PING on pipe backend.
In-Reply-To: <1A19410E-9C2D-44CE-9F92-DC3E9E9970F8@deduktiva.com>
References: <1424934715700-11341.post@n7.nabble.com> <1A19410E-9C2D-44CE-9F92-DC3E9E9970F8@deduktiva.com>

In Appendix A.1.1 of http://downloads.powerdns.com/documentation/pdns.pdf it does say that there are three forms of Questions.

  A.1.1.2 Questions
  Questions come in three forms and are prefixed by a tag indicating the type:
    Q     Regular queries
    AXFR  List requests, which mean that an entire zone should be listed
    PING  Check if the coprocess is functioning

On Thu, Feb 26, 2015 at 9:30 AM, Christian Hofstaedtler [via PowerDNS] <ml-node+s13854n11342h49 at n7.nabble.com> wrote:
>
> > On 26 Feb 2015, at 08:11, xxsyys <[hidden email]> wrote:
> >
> > Hi,
> >
> > I am implementing a pipe backend for pdns.
> >
> > What is the proper response to the "PING" command? The documentation at
> > https://doc.powerdns.com/md/authoritative/backend-pipe/#pipebackend-protocol
> > does not say.
> >
> > I would assume it is "PONG" but the list of acceptable answer tags does not
> > contain PONG, leading me to believe it would be either just
> > END
> > or
> > DATA\tPONG
> > END
>
> The documentation says nothing about a reply to PING, because it doesn’t
> say anything about PING in the first place.
>
> PING is not a command/query for pipebackend coprocesses.
>
> --
> Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
> www.deduktiva.com / +43 1 353 1707

--
Geir Skjøtskift
Røykenviklinna 532
N-2760 BRANDBU
+47 951 05 109

From hunterj91 at hotmail.com Thu Feb 26 16:20:32 2015
From: hunterj91 at hotmail.com (Jonathan Hunter)
Date: Thu, 26 Feb 2015 16:20:32 +0000
Subject: [Pdns-users] FW: Optimize Powerdns and Mysql for DB with 500K entries
References: <54EE8191.1090503@shthead.com>

Hi Chris (and AJ),

Thanks for the detailed response.

I now have 4GB of RAM available and, looking at the size of my records_orig table, I have set innodb-buffer-pool-size = 950M

+-----------------------+---------+------------+----------+--------+------------+
| schema_table          | data_MB | indexes_MB | total_MB | engine | row_format |
+-----------------------+---------+------------+----------+--------+------------+
| powerdns.records_orig |  449.95 |     399.16 |   849.11 | InnoDB | Compact    |
+-----------------------+---------+------------+----------+--------+------------+

In terms of my setup, I am using pdns 3.4.2.1 and I am running NAPTR queries from another server using the dig utility to test query time. The powerdns database is made using the standard guide, however I have renamed the table to records_orig from records.
Structure below:

CREATE TABLE `records_orig` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `domain_id` int(11) DEFAULT NULL,
  `name` varchar(255) DEFAULT NULL,
  `type` varchar(10) DEFAULT NULL,
  `content` varchar(64000) DEFAULT NULL,
  `ttl` int(11) DEFAULT NULL,
  `prio` int(11) DEFAULT NULL,
  `change_date` int(11) DEFAULT NULL,
  `disabled` tinyint(1) DEFAULT '0',
  `ordername` varchar(255) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL,
  `auth` tinyint(1) DEFAULT '1',
  `carrierrate` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`),
  KEY `nametype_index` (`name`,`type`),
  KEY `domain_id` (`domain_id`),
  KEY `recordorder` (`domain_id`,`ordername`)
) ENGINE=InnoDB AUTO_INCREMENT=14077920 DEFAULT CHARSET=latin1

Now that has 3.5 million entries in it, however there are particular time-of-day entries required, so I in fact made a view called records that pdns will then query, which is shown below and contains a new field I added called carrierrate.

CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `records` AS
select `records_orig`.`id` AS `id`,
       `records_orig`.`domain_id` AS `domain_id`,
       `records_orig`.`name` AS `name`,
       `records_orig`.`type` AS `type`,
       `records_orig`.`content` AS `content`,
       `records_orig`.`ttl` AS `ttl`,
       `records_orig`.`prio` AS `prio`,
       `records_orig`.`change_date` AS `change_date`,
       `records_orig`.`disabled` AS `disabled`,
       `records_orig`.`ordername` AS `ordername`,
       `records_orig`.`auth` AS `auth`,
       `records_orig`.`carrierrate` AS `carrierrate`
from `records_orig`
where ((`records_orig`.`carrierrate` = 'BT-Peak')
    or (`records_orig`.`carrierrate` = 'BTI-Weekend')
    or (`records_orig`.`carrierrate` = 'Colt-OffPeak')
    or (`records_orig`.`carrierrate` = 'ColtI-OffPeak')
    or (`records_orig`.`carrierrate` = 'Gamma-OffPeak')
    or (`records_orig`.`carrierrate` = 'UPC-\n\nOffPeak')
    or (`records_orig`.`carrierrate` = 'Verizon-OffPeak')
    or (`records_orig`.`carrierrate` = 'Bandwidth-Allday')
    or (`records_orig`.`carrierrate` = 'BBCOM-Allday')
    or (`records_orig`.`carrierrate` = 'TATA-Allday')
    or (`records_orig`.`carrierrate` = 'SOA'))

(SHOW CREATE VIEW reports character_set_client latin1, collation_connection latin1_swedish_ci.)

Now as this is a view, no indexes are there; could this be causing me problems?

And the pdns.conf is as standard, I haven't modified it. Also I haven't modified the query powerdns performs; as I am purely holding NAPTR records in a single domain, would changing the mysql query help, as I notice it goes through the SOA, NS and so on queries until it gets to NAPTR.

In terms of your question about performance, I can see that some query times are 0-8ms, however others are up to 4500ms, so I need to understand where I can optimize further on this current VM server, as the table view it is querying is around 500K rows.

Any help would be great.

Many thanks

Jon

> Date: Thu, 26 Feb 2015 10:14:41 +0800
> From: lists at shthead.com
> To: pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] Optimize Powerdns and Mysql for DB with 500K entries
>
> Hi,
>
> I have 3 PowerDNS instances running with the MySQL backend across 4 DNS servers. The largest has 1,883,763 domains with 9,736,133 records (with all instances combined there is a total of 21M rows in the records table).
>
> The only things I have done for performance are:
> - All tables are InnoDB
> - All DNS servers have 16GB or more of memory, InnoDB buffer pool size is at least 10GB on each
> - MySQL 5.6 (actually running Percona, upgrading from 5.5 to 5.6 gave me a slight performance increase)
> - InnoDB file format is barracuda, tables are compressed with 4KB page size
>
> With table compression my largest instance uses a total of 750mb on disk.
>
> The minimum specs for my DNS servers are:
> - 2 x E5-2620 CPU (6 cores + hyperthreading each)
> - 16GB of RAM
> - 2 x 15K SAS in RAID 1
>
> With the 3 PowerDNS instances + unbound instance for caching name server the load average on the servers is less than 1, there is no IO wait. Each DNS server is handling an average of 6,714 queries per second across the 3 PowerDNS instances and Unbound.
Using dnsscope for my biggest instance I can see that I get these stats: 0.01% of questions answered within 50 usec (0.01%) 51.67% of questions answered within 100 usec (51.67%) 60.11% of questions answered within 200 usec (8.44%) 60.40% of questions answered within 300 usec (0.29%) 60.70% of questions answered within 400 usec (0.30%) 63.85% of questions answered within 800 usec (3.14%) 67.78% of questions answered within 1000 usec (3.93%) 97.93% of questions answered within 2.00 msec (30.15%) 99.71% of questions answered within 4.00 msec (1.78%) 99.97% of questions answered within 8.00 msec (0.26%) 100.00% of questions answered within 32.00 msec (0.03%) 100.00% of questions answered within 64.00 msec (0.00%) 0 responses (0.00%) older than 2 seconds Average non-late response time: 569.60 usec What kind of statistics are you seeing? Do you get large amounts of I/O wait on the server? Is your mysql innodb buffer pool size large enough to hold the entire table in RAM? Chris On 26/02/2015 2:40 AM, Jonathan Hunter wrote: Hi Guys, I appreciate there are optimization tips on the website, however I wondered if there are any specific tips for optimization when dealing with a records table or associated view of 500K rows in a Mysql backend database on a Virtual Centos Machine with 2 x 3Ghz processors, 1GB RAM and 20GB Memory. I am seeing some slow responses in terms of using dig to perform NAPTR record lookups. Any help would be great. Many thanks Jon _______________________________________________ Pdns-users mailing list Pdns-users at mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users _______________________________________________ Pdns-users mailing list Pdns-users at mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-users -------------- next part -------------- An HTML attachment was scrubbed... 
From melvin at mughal.nu Thu Feb 26 18:41:04 2015
From: melvin at mughal.nu (Melvin Mughal)
Date: Thu, 26 Feb 2015 19:41:04 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
Message-ID:

We're running a master-slave setup. We want to use the PowerDNS API to automatically create master zones on the master server from our application. We created a master zone template, so when a domain is added the zonefile is automatically filled with the correct records and notifies the slave.

I can't find any good reference on how to do this through the PowerDNS API. I want to post a domain from the application via an API call and request to make a new master zone file for the domain with the zone template.

Does anyone have an API call example on how to do this?

From bert.hubert at powerdns.com Thu Feb 26 19:05:32 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Thu, 26 Feb 2015 20:05:32 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References:
Message-ID: <20150226190531.GA8771@xs.powerdns.com>

On Thu, Feb 26, 2015 at 07:41:04PM +0100, Melvin Mughal wrote:
> I can't find any good reference on how to do this through the PowerDNS API.
> I want to post a domain from the application via an API call and request
> to make a new master zone file for the domain with the zone template.

Hi Melvin,

Try:

# Create new zone "example.org" with nameservers ns1.example.org,
# ns2.example.org
curl -X POST --data '{"name":"example.org", "kind": "Master", "masters": [], "nameservers": ["ns1.example.org", "ns2.example.org"]}' -v -H 'X-API-Key: changeme' http://127.0.0.1:8081/servers/localhost/zones | jq .

This is from: https://doc.powerdns.com/md/httpapi/README/

Can you let us know if this works?
Bert

From jpmens.dns at gmail.com Thu Feb 26 19:06:40 2015
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Thu, 26 Feb 2015 20:06:40 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References:
Message-ID: <20150226190640.GA7480@tiggr.ww.mens.de>

> Does anyone have an API call example on how to do this?

There is an example in the documentation [1].

-JP

[1] http://doc.powerdns.com/md/httpapi/README/

From melvin at mughal.nu Thu Feb 26 20:06:17 2015
From: melvin at mughal.nu (Melvin Mughal)
Date: Thu, 26 Feb 2015 21:06:17 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To: <20150226190640.GA7480@tiggr.ww.mens.de>
References: <20150226190640.GA7480@tiggr.ww.mens.de>
Message-ID:

I've seen the API example (http://doc.powerdns.com/md/httpapi/README/), but it doesn't show how to create a new zone with an existing zone template. How can I include the zone template in that API call?

2015-02-26 20:06 GMT+01:00 Jan-Piet Mens :
> > Does anyone have an API call example on how to do this?
>
> There is an example in the documentation [1].
>
> -JP
>
> [1] http://doc.powerdns.com/md/httpapi/README/
>

From christian.hofstaedtler at deduktiva.com Thu Feb 26 20:06:11 2015
From: christian.hofstaedtler at deduktiva.com (Christian Hofstaedtler)
Date: Thu, 26 Feb 2015 20:06:11 +0000
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References: <20150226190640.GA7480@tiggr.ww.mens.de>
Message-ID:

> On 26 Feb 2015, at 21:06, Melvin Mughal wrote:
>
> I've seen the API example (http://doc.powerdns.com/md/httpapi/README/), but it doesn't show how to create a new zone with an existing zone template.
> How can I include the zone template in that API call?

There are no templates, but you can include records with the create call.

Example:

curl -X POST --data '{
  "name": "example.com",
  "kind": "Native",
  "masters": [],
  "nameservers": ["ns1.example.org", "ns2.example.org"],
  "records": [
    {
      "name": "www.example.com",
      "type": "A",
      "ttl": 3600,
      "content": "192.0.2.4",
      "disabled": false
    }
  ]
}' -v -H 'X-API-Key: changeme' http://127.0.0.1:8081/servers/localhost/zones

Christian

--
Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
www.deduktiva.com / +43 1 353 1707

From msienema at unet.nl Fri Feb 27 08:44:56 2015
From: msienema at unet.nl (Maurice Sienema)
Date: Fri, 27 Feb 2015 09:44:56 +0100
Subject: [Pdns-users] Slave DNSKeys
Message-ID:

We are testing with DNSSEC on our PowerDNS setup, everything seems to be working except the slave server isn't using the DNSKEY set from the master, am I missing the concept and should I register both keys at the parent zone, or is the slave capable of using the key set from the master?

See here what is going wrong: http://dnsviz.net/d/uned.nl/dnssec/

Some details about the setup:

Both servers running PowerDNS version 3.1 (standard Debian wheezy package)
Both servers are running gmysql back-end connected to a local database
NS1 is a supermaster for NS2, zone updates are done by NOTIFY/AXFR

Regards,

Maurice
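Picking up the zone-create call Christian posted in the API thread above, and the later point in that thread that a "template" belongs in the wrapping application rather than in PowerDNS: the following is an added example, not code from the thread or from PowerDNS. It keeps a template on the client side, expands it into the "records" list of the same JSON body the curl examples send, checks that every expanded owner name actually falls inside the zone being created (a shared template applied by people who do not think about DNS is exactly where stray out-of-zone records come from), and builds the POST with the X-API-Key header. The "{name}" placeholder syntax, the function names, the sample template and the listener/key values (taken from the curl examples, the key being a placeholder) are this example's own assumptions.

```python
"""Client-side zone "template" for the PowerDNS HTTP API.

Added example, not code from this thread or from PowerDNS. The server has
no template concept, so the wrapping application expands its own template
into the "records" list of the zone-create body. The "{name}" placeholder
syntax, the function names and the sample template are this example's own.
"""
import json
import urllib.request
from typing import Dict, Iterable, List

# Listener and key as in the thread's curl examples; the key is a placeholder.
API_URL = "http://127.0.0.1:8081"
API_KEY = "changeme"

# Constructed sample template. Owner names and content may use "{name}",
# which is replaced with the zone name when the template is rendered.
DEFAULT_TEMPLATE: List[Dict[str, object]] = [
    {"name": "{name}",     "type": "A", "ttl": 3600, "content": "192.0.2.4"},
    {"name": "www.{name}", "type": "A", "ttl": 3600, "content": "192.0.2.4"},
]


def in_zone(owner: str, zone: str) -> bool:
    """True if owner is the zone apex or lies below it."""
    owner, zone = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)


def out_of_zone(zone: str, template: Iterable[Dict[str, object]]) -> List[str]:
    """Owner names the template would create outside the zone being made.
    Catching these client-side keeps a shared template from pushing records
    that belong to some other zone."""
    zone = zone.rstrip(".")
    owners = [str(r["name"]).format(name=zone) for r in template]
    return [o for o in owners if not in_zone(o, zone)]


def render_zone(zone: str, template: Iterable[Dict[str, object]],
                nameservers: Iterable[str], kind: str = "Master") -> Dict[str, object]:
    """Expand the template for one zone into the JSON body for POST .../zones.
    Same keys as the curl examples: name, kind, masters, nameservers and a
    records list of name/type/ttl/content/disabled entries."""
    zone = zone.rstrip(".")
    template = list(template)
    bad = out_of_zone(zone, template)
    if bad:
        raise ValueError(f"template records outside {zone}: {bad}")
    records = [{
        "name": str(r["name"]).format(name=zone),
        "type": r["type"],
        "ttl": int(r["ttl"]),
        "content": str(r["content"]).format(name=zone),
        "disabled": False,
    } for r in template]
    return {"name": zone, "kind": kind, "masters": [],
            "nameservers": list(nameservers), "records": records}


def build_request(body: Dict[str, object], api_key: str = API_KEY,
                  base_url: str = API_URL) -> urllib.request.Request:
    """POST request carrying the JSON body and the X-API-Key header."""
    return urllib.request.Request(
        f"{base_url}/servers/localhost/zones",
        data=json.dumps(body).encode(),
        headers={"X-API-Key": api_key, "Content-Type": "application/json"},
        method="POST",
    )


def create_zone(zone: str, nameservers: Iterable[str],
                template: Iterable[Dict[str, object]] = DEFAULT_TEMPLATE,
                kind: str = "Master") -> object:
    """Render and submit the zone; returns the decoded JSON reply."""
    req = build_request(render_zone(zone, template, nameservers, kind))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    body = render_zone("example.com", DEFAULT_TEMPLATE,
                       ["ns1.example.org", "ns2.example.org"])
    print(json.dumps(body, indent=2))
```

Only `create_zone` talks to the network; `render_zone` and `build_request` can be exercised offline, which is also where a template change should be tested before it is applied to 50k zones.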
From s.maddox at lantizia.me.uk Fri Feb 27 09:33:19 2015
From: s.maddox at lantizia.me.uk (Steven Maddox)
Date: Fri, 27 Feb 2015 09:33:19 +0000
Subject: [Pdns-users] hiding version
In-Reply-To:
References: <909790BF-1CE2-4BF7-90F8-498CD6CB684C@z0z0.tk>
Message-ID:

Wow this'll be so handy, thanks for that

On 10/02/15 20:30, James Cornman wrote:
> Hello:
>
> For authoritative:
>
> # version-string PowerDNS version in packets - full, anonymous,
> powerdns or custom
> #
> version-string=anonymous
>
>
> For recursor:
>
> I don't know if it has the same keywords (full, powerdns, etc), but you
> could do
>
> # version-string string reported on version.pdns or version.bind
> #
> version-string=anonymous
>
> On Tue, Feb 10, 2015 at 3:26 PM, Keresztes Péter-Zoltán
> wrote:
>
>     Hello,
>
>     Is there a way to hide the powerdns version from public?
>
>     Peter
>

From melvin at mughal.nu Fri Feb 27 10:09:55 2015
From: melvin at mughal.nu (Melvin Mughal)
Date: Fri, 27 Feb 2015 11:09:55 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References: <20150226190640.GA7480@tiggr.ww.mens.de>
Message-ID:

That's a shame. It would be great if you could give the template name with the API call and it would automatically create records from that template. That would be a feature request ;)

2015-02-26 21:06 GMT+01:00 Christian Hofstaedtler <christian.hofstaedtler at deduktiva.com>:
>
> > On 26 Feb 2015, at 21:06, Melvin Mughal wrote:
> >
> > I've seen the API example (http://doc.powerdns.com/md/httpapi/README/),
> > but it doesn't show how to create a new zone with an existing zone
> > template.
> > How can I include the zone template in that API call?
>
> There are no templates, but you can include records with the create call.
>
> Example:
>
> curl -X POST --data '{
>   "name": "example.com",
>   "kind": "Native",
>   "masters": [],
>   "nameservers": ["ns1.example.org", "ns2.example.org"],
>   "records": [
>     {
>       "name": "www.example.com",
>       "type": "A",
>       "ttl": 3600,
>       "content": "192.0.2.4",
>       "disabled": false
>     }
>   ]
> }' -v -H 'X-API-Key: changeme'
> http://127.0.0.1:8081/servers/localhost/zones
>
>
> Christian
>
> --
> Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
> www.deduktiva.com / +43 1 353 1707
>

From christian.hofstaedtler at deduktiva.com Fri Feb 27 09:57:00 2015
From: christian.hofstaedtler at deduktiva.com (Christian Hofstaedtler)
Date: Fri, 27 Feb 2015 09:57:00 +0000
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References: <20150226190640.GA7480@tiggr.ww.mens.de>
Message-ID: <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com>

PowerDNS doesn't know anything about templates.
What are you talking about?

--
Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
www.deduktiva.com / +43 1 353 1707

> On 27 Feb 2015, at 11:09, Melvin Mughal wrote:
>
> That's a shame. It would be great if you could give the template name with the API call and it would automatically create records from that template. That would be a feature request ;)
>
> 2015-02-26 21:06 GMT+01:00 Christian Hofstaedtler :
> > On 26 Feb 2015, at 21:06, Melvin Mughal wrote:
> > >
> > > I've seen the API example (http://doc.powerdns.com/md/httpapi/README/), but it doesn't show how to create a new zone with an existing zone template. How can I include the zone template in that API call?
> >
> > There are no templates, but you can include records with the create call.
> >
> > Example:
> >
> > curl -X POST --data '{
> >   "name": "example.com",
> >   "kind": "Native",
> >   "masters": [],
> >   "nameservers": ["ns1.example.org", "ns2.example.org"],
> >   "records": [
> >     {
> >       "name": "www.example.com",
> >       "type": "A",
> >       "ttl": 3600,
> >       "content": "192.0.2.4",
> >       "disabled": false
> >     }
> >   ]
> > }' -v -H 'X-API-Key: changeme' http://127.0.0.1:8081/servers/localhost/zones
> >
> >
> > Christian
> >
> > --
> > Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
> > www.deduktiva.com / +43 1 353 1707
> >
>

From melvin at mughal.nu Fri Feb 27 12:12:02 2015
From: melvin at mughal.nu (Melvin Mughal)
Date: Fri, 27 Feb 2015 13:12:02 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To: <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com>
References: <20150226190640.GA7480@tiggr.ww.mens.de> <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com>
Message-ID:

Probably it's a Poweradmin thing. I thought it was a PowerDNS feature. In Poweradmin, you can create zone templates and when creating a zone, you can select a template you wish to use for the records to be automatically created. Very handy feature.

2015-02-27 10:57 GMT+01:00 Christian Hofstaedtler <christian.hofstaedtler at deduktiva.com>:
> PowerDNS doesn't know anything about templates.
> What are you talking about?
>
> --
> Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
> www.deduktiva.com / +43 1 353 1707
>
>
>
> > On 27 Feb 2015, at 11:09, Melvin Mughal wrote:
> >
> > That's a shame. It would be great if you could give the template name
> > with the API call and it would automatically create records from that
> > template.
> > That would be a feature request ;)
> >
> > 2015-02-26 21:06 GMT+01:00 Christian Hofstaedtler <christian.hofstaedtler at deduktiva.com>:
> > > On 26 Feb 2015, at 21:06, Melvin Mughal wrote:
> > > >
> > > > I've seen the API example (http://doc.powerdns.com/md/httpapi/README/),
> > > > but it doesn't show how to create a new zone with an existing zone
> > > > template. How can I include the zone template in that API call?
> > >
> > > There are no templates, but you can include records with the create call.
> > >
> > > Example:
> > >
> > > curl -X POST --data '{
> > >   "name": "example.com",
> > >   "kind": "Native",
> > >   "masters": [],
> > >   "nameservers": ["ns1.example.org", "ns2.example.org"],
> > >   "records": [
> > >     {
> > >       "name": "www.example.com",
> > >       "type": "A",
> > >       "ttl": 3600,
> > >       "content": "192.0.2.4",
> > >       "disabled": false
> > >     }
> > >   ]
> > > }' -v -H 'X-API-Key: changeme'
> > > http://127.0.0.1:8081/servers/localhost/zones
> > >
> > >
> > > Christian
> > >
> > > --
> > > Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
> > > www.deduktiva.com / +43 1 353 1707
> > >
>

From koko at wijatmoko.name Fri Feb 27 12:42:46 2015
From: koko at wijatmoko.name (Koko Wijatmoko)
Date: Fri, 27 Feb 2015 19:42:46 +0700
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References: <20150226190640.GA7480@tiggr.ww.mens.de> <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com>
Message-ID: <20150227194246.768e14326e929e9ae424177e@wijatmoko.name>

On Fri, 27 Feb 2015 13:12:02 +0100
Melvin Mughal wrote:

> Probably it's a Poweradmin thing. I thought it was a
> PowerDNS feature.
> In Poweradmin, you can create zone
> templates and when creating a zone, you can select a
> template you wish to use for the records to be
> automatically created. Very handy feature.
>

Templates are not standard for everyone, so this is useless.

From jpmens.dns at gmail.com Fri Feb 27 15:00:08 2015
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Fri, 27 Feb 2015 16:00:08 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To: <20150227194246.768e14326e929e9ae424177e@wijatmoko.name>
References: <20150226190640.GA7480@tiggr.ww.mens.de> <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com> <20150227194246.768e14326e929e9ae424177e@wijatmoko.name>
Message-ID: <20150227150008.GA28679@tiggr.ww.mens.de>

> Templates are not standard for everyone, so this is useless.

Utterly useless, yes.

-JP

From melvin at mughal.nu Fri Feb 27 16:10:08 2015
From: melvin at mughal.nu (Melvin Mughal)
Date: Fri, 27 Feb 2015 17:10:08 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To: <20150227150008.GA28679@tiggr.ww.mens.de>
References: <20150226190640.GA7480@tiggr.ww.mens.de> <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com> <20150227194246.768e14326e929e9ae424177e@wijatmoko.name> <20150227150008.GA28679@tiggr.ww.mens.de>
Message-ID:

I'm not a DNS expert, but why exactly are zone templates something which you guys politely call useless? From our perspective, it seems efficient and clean when:

1. You need to import a lot of zones (in our case more than 50k). Just adding a template attribute to the API call makes it a bit easier. Now I'm explaining to devs what goes where and why, instead of just giving a more straightforward call.

2. You have several parties using your DNS API and the administrator can set a fixed template so records are filled in a certain way with required values by the administrator. We work with different parties and different requirements. Gives a bit more control.

3. Less error prone if multiple devs are working with it within different implementations and don't have any knowledge about nameservers and how to set things properly. Again, explaining stuff to devs where these things aren't within their primary focus.

I can guess the counter argument already: just give the damn API example and be done with it. But I'd rather explain why this seems useful from our perspective to keep the topic constructive instead of calling things 'utterly useless' by some without giving any real arguments.

2015-02-27 16:00 GMT+01:00 Jan-Piet Mens :
> > Templates are not standard for everyone, so this is useless.
>
> Utterly useless, yes.
>
> -JP
>

From zozo at z0z0.tk Fri Feb 27 16:44:47 2015
From: zozo at z0z0.tk (Keresztes Péter-Zoltán)
Date: Fri, 27 Feb 2015 18:44:47 +0200
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References: <20150226190640.GA7480@tiggr.ww.mens.de> <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com> <20150227194246.768e14326e929e9ae424177e@wijatmoko.name> <20150227150008.GA28679@tiggr.ww.mens.de>
Message-ID: <92EEA3B9-BC61-4A86-9957-4A4862867BB0@z0z0.tk>

Think of something else.

Templates are different from company to company; however, the API is a standard thing, therefore you design your template to match the API requirements and not vice versa.

> On Feb 27, 2015, at 6:10 PM, Melvin Mughal wrote:
>
> in

From cmouse at youzen.ext.b2.fi Fri Feb 27 17:18:04 2015
From: cmouse at youzen.ext.b2.fi (Aki Tuomi)
Date: Fri, 27 Feb 2015 19:18:04 +0200
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To: <92EEA3B9-BC61-4A86-9957-4A4862867BB0@z0z0.tk>
References: <20150226190640.GA7480@tiggr.ww.mens.de> <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com> <20150227194246.768e14326e929e9ae424177e@wijatmoko.name> <20150227150008.GA28679@tiggr.ww.mens.de> <92EEA3B9-BC61-4A86-9957-4A4862867BB0@z0z0.tk>
Message-ID: <20150227171804.GA14075@pi.ip.fi>

On Fri, Feb 27, 2015 at 06:44:47PM +0200, Keresztes Péter-Zoltán wrote:
> Think of something else.
>
> Templates are different from company to company; however, the API is a standard thing, therefore you design your template to match the API requirements and not vice versa.
>
>
> > On Feb 27, 2015, at 6:10 PM, Melvin Mughal wrote:
> >
> > in
>

Configurable templates, referable by template ID, would make sense, but I suspect that it might take a while unless someone gets inspiration to do them. This way your templates can vary by instance, but the API can still support them.

Aki

From nicholas at nicholaswilliams.net Fri Feb 27 17:22:33 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Fri, 27 Feb 2015 11:22:33 -0600
Subject: [Pdns-users] pdnssec set-nsec3 for all zones
Message-ID:

Is there not a way to set NSEC3 parameters (pdnssec set-nsec3) for all zones? There's secure-all-zones and rectify-all-zones, but nothing about set-nsec3 for all zones. That could certainly get cumbersome on very large installations. :-/

Thanks,

Nick

From jpmens.dns at gmail.com Fri Feb 27 17:30:43 2015
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Fri, 27 Feb 2015 18:30:43 +0100
Subject: [Pdns-users] How to add master zone through PowerDNS API?
In-Reply-To:
References: <20150226190640.GA7480@tiggr.ww.mens.de> <94F30773-E3A9-4A9F-9F9A-CA1D4363C3BC@deduktiva.com> <20150227194246.768e14326e929e9ae424177e@wijatmoko.name> <20150227150008.GA28679@tiggr.ww.mens.de>
Message-ID: <20150227173043.GA31541@tiggr.ww.mens.de>

> but why exactly are zone templates something which you guys politely
> call useless?
OK, maybe I ought to apologize for my tone, so I apologize.

If you're going to use an API, it seems natural (to me at least) that you'll be creating an application of sorts to leverage that API to create, populate, delete, and otherwise manipulate zones. In that application you would ensure all basic records and settings for a zone are properly defined (I assume this is what you're referring to as a 'template').

As others have said, templates are non-standard and can be defined only by the infrastructure which creates zones. It may well be that it would be nice to have something akin to "please include the records in this file when creating a zone", but this is precisely what the wrapping application should do.

-JP

From jpmens.dns at gmail.com Fri Feb 27 17:34:34 2015
From: jpmens.dns at gmail.com (Jan-Piet Mens)
Date: Fri, 27 Feb 2015 18:34:34 +0100
Subject: [Pdns-users] pdnssec set-nsec3 for all zones
In-Reply-To:
References:
Message-ID: <20150227173434.GB31541@tiggr.ww.mens.de>

> Is there not a way to set NSEC3 parameters (pdnssec set-nsec3) for all zones?

No, because most people choose differing NSEC3PARAMs for their zones.

pdnssec list-all-zones | grep -v '^All zonecount:' | while read z
do
    pdnssec set-nsec3 ...
done

Not terribly efficient, but it may do. :)

-JP

From nicholas at nicholaswilliams.net Fri Feb 27 18:19:39 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Fri, 27 Feb 2015 12:19:39 -0600
Subject: [Pdns-users] Error Running pdnssec from PHP
Message-ID: <6B3CF642-B88F-41C4-8D2D-4273B43E3E78@nicholaswilliams.net>

I have a (secured) PHP browser GUI (that I can only access while connected to the VPN) that I use to manage my domains. I'm enabling DNSSEC, so I decided to update my PHP GUI to run the necessary pdnssec commands (secure-zone, set-nsec3, rectify-zone) when applicable.
However, when I use PHP's exec() to call pdnssec, I get the following error:

Error: No database backends configured for launch, unable to function

I can run pdnssec from the command line just fine, so I know that's not the problem. I thought maybe the apache user didn't have permission to access pdns.conf, and I was right, but after adding read permissions it still can't access it.

The file is in the default place pdnssec would look for it (/etc/pdns).

Any ideas on what I need to do?

Thanks,

Nick

From nicholas at nicholaswilliams.net Fri Feb 27 18:25:35 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Fri, 27 Feb 2015 12:25:35 -0600
Subject: [Pdns-users] Error Running pdnssec from PHP
In-Reply-To: <6B3CF642-B88F-41C4-8D2D-4273B43E3E78@nicholaswilliams.net>
References: <6B3CF642-B88F-41C4-8D2D-4273B43E3E78@nicholaswilliams.net>
Message-ID:

Nevermind, my bad. It's not enough for the user to have read permissions on the /etc/pdns directory and /etc/pdns/pdns.conf file. The user also must have execute permissions on the /etc/pdns directory. When I added that, it worked.

Thanks!

Nick

On Feb 27, 2015, at 12:19 PM, Nick Williams wrote:

> I have a (secured) PHP browser GUI (that I can only access while connected to the VPN) that I use to manage my domains. I'm enabling DNSSEC, so I decided to update my PHP GUI to run the necessary pdnssec commands (secure-zone, set-nsec3, rectify-zone) when applicable. However, when I use PHP's exec() to call pdnssec, I get the following error:
>
> Error: No database backends configured for launch, unable to function
>
> I can run pdnssec from the command line just fine, so I know that's not the problem. I thought maybe the apache user didn't have permission to access pdns.conf, and I was right, but after adding read permissions it still can't access it.
>
> The file is in the default place pdnssec would look for it (/etc/pdns).
>
> Any ideas on what I need to do?
>
> Thanks,
>
> Nick

From nicholas at nicholaswilliams.net Fri Feb 27 18:27:15 2015
From: nicholas at nicholaswilliams.net (Nick Williams)
Date: Fri, 27 Feb 2015 12:27:15 -0600
Subject: [Pdns-users] Do I need to run pdnssec when removing a zone?
Message-ID: <9484254D-3D55-453F-94C9-5898D7B486E9@nicholaswilliams.net>

I've recently enabled DNSSEC with the MySQL backend. I'm using the MySQL Backend for everything (including storage of zones/records). If I remove a zone completely from the MySQL domains/records tables (all data deleted), do I need to also A) Run pdnssec , B) delete anything else from MySQL, or C) both?

Thanks,

Nick

From moseleymark at gmail.com Fri Feb 27 22:15:12 2015
From: moseleymark at gmail.com (Mark Moseley)
Date: Fri, 27 Feb 2015 14:15:12 -0800
Subject: [Pdns-users] AXFR Crashses
Message-ID:

We don't do a lot (or practically any) AXFRs, so I hadn't noticed this before now.

For every domain of ours that I've tried, doing an AXFR (to a pdns running on localhost -- mysqld running on localhost too; running the powerdns ubuntu precise package for 3.4.2, not running dnssec), it appears to crash the server. The database was massaged from a 2.9.x era database, so could easily be something there. I tried trimming the below domain down to literally a single record (to make sure it wasn't garbage in other records):

mysql> select * from records where domain_id = 6084603\G
*************************** 1. row ***************************
         id: 688982903
  domain_id: 6084603
       name: example2.com
       type: SOA
    content: ns1.example2.com dnsadmin.example2.com 2015022701 10800 3600 604800 3600
        ttl: 3600
       prio: NULL
change_date: 1425073508
   disabled: 0
  ordername: NULL
       auth: 1
1 row in set (0.00 sec)

Here's the logs:

gmysql Connection successful. Connected to database 'dns' on '127.0.0.1'.
AXFR of domain 'example2.com' initiated by 127.0.0.1
AXFR of domain 'example2.com' allowed: client IP 127.0.0.1 is in allow-axfr-ips
gmysql Connection successful.
Connected to database 'dns' on '127.0.0.1'.
gmysql Connection successful. Connected to database 'dns' on '127.0.0.1'.
Got a signal 11, attempting to print trace:
/usr/sbin/pdns_server-instance() [0x65c4d0]
/lib/x86_64-linux-gnu/libc.so.6(+0x36150) [0x6c3d088cd150]
/usr/sbin/pdns_server-instance(_ZNSs6assignERKSs+0x24) [0xa68424]
/usr/sbin/pdns_server-instance(_ZN11GSQLBackend3getER17DNSResourceRecord+0x1d2) [0x6aaea2]
/usr/sbin/pdns_server-instance(_ZN13TCPNameserver6doAXFRERKSsN5boost10shared_ptrI9DNSPacketEEi+0xe4d) [0x611ced]
/usr/sbin/pdns_server-instance(_ZN13TCPNameserver12doConnectionEPv+0xacd) [0x6181ad]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x7e9a) [0x6c3d08c5de9a]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d) [0x6c3d0898a8bd]
Our pdns instance (11029) exited after signal 6
Respawning
Guardian is launching an instance
Reading random entropy from '/dev/urandom'
This is a guarded instance of pdns
Listening on controlsocket on '0.0.0.0:53000'
Only allowing TCP control from: 127.0.0.0/8, 10.0.0.0/8
UDP server bound to 0.0.0.0:53
TCP server bound to 0.0.0.0:53
PowerDNS Authoritative Server 3.4.2 (jenkins at autotest.powerdns.com) (C) 2001-2015 PowerDNS.COM BV
Using 64-bits mode. Built on 20150203085343 by root at autotest.powerdns.com, gcc 4.7.2.

Attaching to gdb yields this:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x6a376dc97700 (LWP 4618)]
0x0000000000654087 in endsOn(std::string const&, std::string const&) ()
(gdb) bt
#0  0x0000000000654087 in endsOn(std::string const&, std::string const&) ()
#1  0x0000000000611d07 in TCPNameserver::doAXFR(std::string const&, boost::shared_ptr, int) ()
#2  0x00000000006181ad in TCPNameserver::doConnection(void*) ()
#3  0x00006a3897018e9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#4  0x00006a3896d458bd in clone () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x0000000000000000 in ?? ()

Any idea what's making it unhappy? I've got no issues with the current server otherwise.
From bert.hubert at powerdns.com Fri Feb 27 22:18:49 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Fri, 27 Feb 2015 23:18:49 +0100
Subject: [Pdns-users] AXFR Crashses
In-Reply-To:
References:
Message-ID: <20150227221849.GA29966@xs.powerdns.com>

On Fri, Feb 27, 2015 at 02:15:12PM -0800, Mark Moseley wrote:
> We don't do a lot (or practically any) AXFRs, so I hadn't noticed this
> before now.

Hi Mark,

You probably have something in the database that upsets us (which should not happen of course).

Can you run pdnssec check-zone on example2.com and see what it says?

Bert

From moseleymark at gmail.com Fri Feb 27 23:09:59 2015
From: moseleymark at gmail.com (Mark Moseley)
Date: Fri, 27 Feb 2015 15:09:59 -0800
Subject: [Pdns-users] AXFR Crashses
In-Reply-To: <20150227221849.GA29966@xs.powerdns.com>
References: <20150227221849.GA29966@xs.powerdns.com>
Message-ID:

On Fri, Feb 27, 2015 at 2:18 PM, bert hubert wrote:

> On Fri, Feb 27, 2015 at 02:15:12PM -0800, Mark Moseley wrote:
> > We don't do a lot (or practically any) AXFRs, so I hadn't noticed this
> > before now.
>
> Hi Mark,
>
> You probably have something in the database that upsets us (which should
> not happen of course).
>
> Can you run pdnssec check-zone on example2.com and see what it says?
>
> Bert
>

It's actually more likely I'm an idiot. I forgot to remove a custom 'gmysql-list-query' query from when I was trying to make pdns 3.4 work with the 2.9.x schema (and gave up -- but forgot to remove the query from the config at the time). Removing it makes AXFRs work just fine.

Amazing that no matter how long you look for, it never fails that you find the answer right after you post to a public forum :) There's got to be some sort of sysadmin "law" for that, a la Murphy's Law.

Apologies for the noise.
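Two settings in this archive are the kind a reviewer wants surfaced before a pdns.conf goes live: Mark's AXFR crash turned out to be a forgotten custom gmysql-list-query override, and the "hiding version" thread recommends version-string=anonymous. The following is an added example, not PowerDNS code or anything posted on the list: a small reader for pdns.conf's key=value lines plus an audit that reports backend query overrides and a version-string that still advertises the server. The sample configuration is constructed (its query text only approximates the records columns seen in this archive), the parser is this example's own rather than a description of how pdns_server reads its file, and treating an absent version-string as "full" is an assumption.

```python
"""Audit a pdns.conf for backend query overrides and version disclosure.

Added example, not PowerDNS code. The parser is this example's own and the
sample configuration below is constructed for the demonstration.
"""
import re
from typing import Dict, List

# Constructed sample: a leftover custom query plus the default version string.
SAMPLE_CONF = """\
# constructed pdns.conf fragment
launch=gmysql
gmysql-host=127.0.0.1
gmysql-dbname=dns
# left over from an experiment against an old schema
gmysql-list-query=select content,ttl,prio,type,domain_id,name from records where domain_id=%d
allow-axfr-ips=127.0.0.0/8,10.0.0.0/8
version-string=full
"""

# g<backend>-<name>-query, e.g. gmysql-list-query or gpgsql-basic-query
QUERY_OVERRIDE = re.compile(r"^g[a-z0-9]+-.+-query$")


def parse_pdns_conf(text: str) -> Dict[str, str]:
    """key -> value for 'key=value' lines; '#' comments and blanks are skipped.
    Split on the first '=' only, since query values contain '=' themselves.
    A repeated key keeps its last value (this parser's rule, not PowerDNS's)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: Dict[str, str]) -> List[str]:
    """Findings to resolve before trusting this configuration."""
    findings: List[str] = []
    for key in sorted(conf):
        if QUERY_OVERRIDE.match(key):
            findings.append(f"{key}: backend query overridden; confirm it matches the current schema")
    # Assumption: an absent version-string behaves like 'full'.
    version = conf.get("version-string", "full")
    if version == "full":
        findings.append("version-string=full: exact server version is advertised; consider anonymous")
    elif version != "anonymous":
        findings.append(f"version-string={version}: server still identifies itself")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_pdns_conf(SAMPLE_CONF)):
        print(finding)
```

Run against a real file with `audit(parse_pdns_conf(open("/etc/pdns/pdns.conf").read()))`; any reported `g*-*-query` key is a query PowerDNS is executing instead of its built-in one, which is exactly the kind of override that is easy to forget and hard to spot from a crash trace.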