[Pdns-users] Problem with NS Glue records - "out-of-zone data"

Andre Lorbach alorbach at ro1.adiscon.com
Fri May 11 15:59:52 UTC 2007


Hi again,

 

For those with the same problem, I have found a workaround myself which
needs some code modifications. This is Debian-specific, but will work on
other Linux systems as well. What I have done is, I kindly changed the
code at the "sneaked in out-of-zone data", so it kindly discards those
entries and continues.

 

I know some will see this as not the right way, but my problem cannot
be solved in another way, as my primary DNS server is (don't flame me!)
Windows 2003 SP2. I can't change this fact ;), so I have to deal with
it. Some documents I found tell me that what they are doing since
Service Pack 2 cannot be so wrong:

http://cr.yp.to/djbdns/axfr-notes.html

http://home.claranet.de/xyzzy/home/test/draft-koch-dns-glue-clarifications-01.txt

 

However here is the workaround: 

 

1.       First download the source: 

apt-get source pdns-server 

2.       then make the code changes: 

edit ./pdns/communicator.cc 

3.       Search for "sneaked in out-of-zone data" and use this code (may
differ from version to version, my Debian port is using 2.9.17):

 

     for(Resolver::res_t::iterator i=recs.begin();i!=recs.end();++i)
     {
       // Workaround by ANDRE @ Adiscon
       if(!endsOn(i->qname, domain)) {
         // Log the out-of-zone record, but do not abort the transfer
         L<<Logger::Error<<"Remote "<<remote<<" sneaked in out-of-zone data '"<<i->qname<<"' during AXFR of zone '"<<domain<<"'"<<endl;
         //  di.backend->abortTransaction();
         //  return;
         //  SIMPLY IGNORE THE RECORD
       }
       else
       {
         // In-zone record: feed it to the backend as before
         i->domain_id=domain_id;
         di.backend->feedRecord(*i);
       }
     }

 

4.       Save and compile/create a Debian package (stay in the folder!).
You may need to install several packages first; you will be notified
which:

dpkg-buildpackage -rfakeroot -uc -b

5.       Once done, go back to the previous directory and install the
package, for example: 

dpkg -i pdns-server_2.9.17-13sarge3_i386.deb 

6.       After installed, confirm that the changes were successfully

 

--

Hope this helps - best regards,

Andre Lorbach

Adiscon

 

 

From: pdns-users-bounces at mailman.powerdns.com
[mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of Andre
Lorbach
Sent: Wednesday, May 09, 2007 12:52 PM
To: pdns-users at mailman.powerdns.com
Subject: [Pdns-users] Problem with NS Glue records - "out-of-zone data"

 

Hello all,

 

We have been successfully using PowerDNS for some years as a secondary
name server on a Debian server, version 2.9.17.

It has done a great job so far. However, recently a problem occurred when
our master DNS server was updated. Since this update, our master DNS
server is sending so-called glue records along with DNS zone transfers.

 

To explain the problem I will use the following sample values:

ns.nameserver.com = Name server name for my zone

somedomain.com = My DNS zone I want to transfer to pdns from the master

 

PowerDNS blocks the zone transfer with the following reason: 

May 09 14:13:10 Domain somedomain.com is stale, master serial 2007050913, our serial 2007050911

May 09 14:13:10 AXFR started for ' somedomain.com', transaction started

May 09 14:13:10 Remote 172.16.0.164 sneaked in out-of-zone data 'ns.nameserver.com' during AXFR of zone ' somedomain.com'

 

I have been in contact with the vendor of our primary DNS server, and we
came to the result that PowerDNS may not support glue records in DNS
zone transfers.

 

So my question to the mailing list is, are there any chances to get this
problem fixed? I understand that this behavior is wanted to prevent DNS
injection, but A records for DNS server records should be allowed, or
maybe an option could be added to allow it.

Currently we have rolled back the update on our master DNS server, but we
can't leave it in this state forever.

 

--

Thank you and best regards,

Andre Lorbach

Adiscon

 
