[Pdns-users] Problem with chroot and local resolving and another problem with guardian
Bauer, Georg
bauer at gws.ms
Wed Jul 9 08:06:00 UTC 2003
Hi!
> There is a problem as noted by Søren Boll Overgaard in May and June of this
> year with PowerDNS and chroot. If the server runs chrooted, it can't send
> notifications out to slaves, because the local resolving of the nameservers
> to send stuff to doesn't work (presumably because the resolver needs some
> files).
Absolutely no comments on this? Actually I think this is a rather serious
problem, as it makes some security measure rather pointless, if you have to
set up your system combined with non-PDNS nameservers and have to rely on
AXFRs.
There is another problem with AXFR: if the slave is configured (either
config file or commandline option) for usage of a guardian process, the
slave won't ever check its slave zones and won't pull down stuff via AXFR.
It will notice the notify from a supermaster, it will create the domain
record, but it won't pull down the zone and put in the records. If it is
started without the --guardian=yes option, it will notice the missing SOA
record for that domain and pull it down. If it is started with
--guardian=yes, it won't even notice the problem (it actually just doesn't
check it).
So on the master I have to disable chroot, to allow axfr to happen, and on
the slave I have to disable guardian to allow it to actually use axfr. This
isn't what I expect from a nameserver :-/
Any comments? Please?
Relevant version is the current stable Debian package (2.9.10) from
powerdns.com
bye, Georg
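
The chroot symptom reported in the message above (name lookups failing once the server is jailed) is what happens when the C library resolver cannot find its support files inside the chroot. As an added example, not part of the original post and not PowerDNS code, this shell function lists which of those files a chroot directory lacks. It assumes name resolution through glibc; the `files dns` fallback is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the post). Assumption: names are resolved through
# glibc, which reads these files and loads NSS modules at lookup time.

# Usage: check_chroot_resolver CHROOT_DIR
# Prints one line per missing item; exit status is the number missing.
check_chroot_resolver() {
    root=${1%/}
    missing=0

    # Files the resolver reads on each lookup.
    for f in etc/resolv.conf etc/nsswitch.conf etc/hosts; do
        if [ ! -r "$root/$f" ]; then
            echo "missing file: /$f"
            missing=$((missing + 1))
        fi
    done

    # Services on the "hosts:" line decide which libnss_*.so modules are
    # loaded. Bracketed actions such as [NOTFOUND=return] are not services.
    services=""
    if [ -r "$root/etc/nsswitch.conf" ]; then
        services=$(sed -n 's/#.*//; s/^[[:space:]]*hosts:[[:space:]]*//p' \
            "$root/etc/nsswitch.conf" | sed 's/\[[^]]*\]//g')
    fi
    # Assumed fallback when the file or its hosts line is absent.
    [ -n "$services" ] || services="files dns"

    # Each service needs its module somewhere under the chroot.
    for svc in $services; do
        if [ -z "$(find "${root:-/}" -name "libnss_$svc.so*" 2>/dev/null | head -n 1)" ]; then
            echo "missing NSS module: libnss_$svc.so.* (hosts: $svc)"
            missing=$((missing + 1))
        fi
    done

    return "$missing"
}
```

Call it with the directory the daemon chroots into; an exit status of 0 means every checked item is present, which lets chroot stay enabled instead of being switched off to get notifications working.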