[Pdns-users] Problem with chroot and local resolving and another problem with guardian

Bauer, Georg bauer at gws.ms
Wed Jul 9 08:06:00 UTC 2003


Hi!

> There is a problem as noted by Søren Boll Overgaard in May and June of this
> year with PowerDNS and chroot. If the server runs chrooted, it can't send
> notifications out to slaves, because the local resolving of the nameservers
> to send stuff to doesn't work (presumably because the resolver needs some
> files).

Absolutely no comments on this? Actually I think this is a rather serious
problem, as it makes some security measure rather pointless, if you have to
set up your system combined with non-PDNS nameservers and have to rely on
AXFRs.

There is another problem with AXFR: if the slave is configured (either
config file or commandline option) for usage of a guardian process, the
slave won't ever check its slave zones and won't pull down stuff via AXFR.
It will notice the notify from a supermaster, it will create the domain
record, but it won't pull down the zone and put in the records. If it is
started without the --guardian=yes option, it will notice the missing SOA
record for that domain and pull it down. If it is started with
--guardian=yes, it won't even notice the problem (it actually just doesn't
check it).

So on the master I have to disable chroot, to allow axfr to happen, and on
the slave I have to disable guardian to allow it to actually use axfr. This
isn't what I expect from a nameserver :-/

Any comments? Please?

Relevant version is the current stable Debian package (2.9.10) from
powerdns.com

bye, Georg
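
The quoted report suspects that the resolver cannot find files it needs once the server is chrooted. As an added example (not part of the original message and not PowerDNS code), this shell function lists which of the files glibc's resolver normally reads are absent from a chroot directory; the file and library names assume a glibc-based Linux system and are not taken from the post.

```shell
#!/bin/sh
# Added example: report which glibc resolver inputs are absent from a chroot.
# The file and library names below are the ones glibc's resolver normally
# uses (an assumption; the original post does not list them).

# Config files consulted by getaddrinfo()/gethostbyname(), relative to the chroot.
RESOLVER_FILES="etc/resolv.conf etc/nsswitch.conf etc/hosts"
# NSS modules that glibc loads with dlopen() on the first lookup. If that
# first lookup happens after chroot(), they must exist inside the jail.
RESOLVER_LIBS="libnss_dns.so.2 libnss_files.so.2"

# Usage: chroot_resolver_missing <chroot-dir>
# Prints one missing item per line.
# Returns 0 when nothing is missing, 1 when something is, 2 on a bad argument.
chroot_resolver_missing() {
    root=$1
    missing=0
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi
    for f in $RESOLVER_FILES; do
        if [ ! -f "$root/$f" ]; then
            echo "$f"
            missing=1
        fi
    done
    for lib in $RESOLVER_LIBS; do
        # Library directories differ between distributions, so search for the name.
        found=$(find "$root/lib" "$root/lib64" "$root/usr/lib" "$root/usr/lib64" \
                    -name "$lib" 2>/dev/null | head -n 1)
        if [ -z "$found" ]; then
            echo "$lib"
            missing=1
        fi
    done
    return $missing
}
```

An empty result means the listed files are present; it does not prove that lookups work, since the daemon may need further libraries or device nodes inside the chroot.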

