[Pdns-users] pipe backend + slave + bad zones = bug
crayon at leechbox.net
Thu Oct 30 17:59:24 UTC 2008
Kenneth Marshall wrote:
> As you have found out, PowerDNS trusts its backend data completely and
> expects it to be correct. You need to fix your zones and put mechanisms
> in place to prevent the entry of bad data at all -- speaking as someone
> who had their instance brought to its I/O knees by attempted zone transfers
> of bad data. I would like nicer behavior, but assuming good data allows for
> streamlined processing and much higher performance than assuming bad data.
> In fact, by that reasoning PDNS should stop serving zones once incorrect
> data is found. I think the current behavior is better than not serving
> the data at all. My two cents.
>
> Ken
>
While I agree in general it's OK to trust backends, when PowerDNS is in
'slave' mode this is riskier. Now you have to 100% trust all your backends,
your network connection and some other software on another server.
In my case PowerDNS already detects the bad data, it just forgets to
clean up the co-processes. Maybe slave mode isn't PowerDNS's most
advisable/supported feature, but it seems to me it still should handle
error cases gracefully.