[Pdns-users] Pipe-backend: ABI-v3, TXT, and DNSSEC
Leen Besselink
leen at consolejunkie.net
Mon Aug 8 21:34:19 UTC 2011
On 08/08/2011 06:57 PM, Jan-Piet Mens wrote:
> Hello,
>
> I was curious as to wether PowerDNS would sign records produced by the
> PIPE back-end, particularly since the release notes indicate it may be
> possible ([3] also says "partial support").
>
> I set up a small test with PowerDNS 3.0.1 [1] and the example
> backend-v3.pl [2]. I encountered the following issues:
>
I tried that too. I did rename mine test.net and used gpsqlite3 because
I already had that setup.
> 0. Configuration `powerdns.conf` contains only:
>
> daemon=no
> launch=gmysql,pipe
> gmysql-dnssec
> gmysql-dbname=pdns
> gmysql-host=127.0.0.1
> gmysql-port=3306
> gmysql-user=pdns
> gmysql-password=secret
> cache-ttl=0
> query-cache-ttl=0
> log-dns-details=yes
> loglevel=4
> pipe-command=/etc/powerdns/backend-v3.pl
> pipebackend-abi-version=3
>
> 1. A query of type ANY produces a SERVFAIL with the sample back-end. The
> console logs:
> Exception building answer packet (Parsing record content: Data field
> in DNS should start with quote (") at position 3 of '" "hallo
> allemaal!""') sending out servfail
>
> Changing quotes to single quotes, or removing them altogether doesn't
> improve: I can't get PowerDNS to reply with a TXT RR.
>
Seems that part works for me if I remove all quotes:
print "DATA $bits $auth $qname $qclass TXT 3600 -1 hallo allemaal!\n";
Although it does add a space at the start:
$ dig +short +norec +dnssec @127.0.0.1 test.net txt
TXT 8 2 3600 20110818000000 20110804000000 63826 test.net.
fD8xqLMN9vcBK1Y0CwAJrgr9CfFQRwdc3j9OVijHXjvU5TdMDZ4s4y0g
JcmUCREUFAdbmasrKmthPEzGvtrD/K41zWSdjwArMDzehmozrCswU8Vq
oGJ4K2n/2FEUUA1bpS0pbU+KLMW2I0EevhdPNojzgSyD78ztAOjcTH5o s6g=
" hallo allemaal!"
> 2. I created a zone in gmysql called example.com, type=NATIVE and
> signed it with `pdnssec secure-zone example.com`. (Records table for
> the zone is empty)
>
Yes, it won't work without a records-table.
> 3. I query the PIPE backend `dig @127.0.0.1 example.com any' and get
> expected results including 3 DNSKEY RR
>
> 4. I query the PIPE backend `dig @127.0.0.1 +dnssec example.com any' and
> powerdns aborts with the following message on the console:
>
> Default beforeAndAfterAbsolute called!
> Got a signal 6, attempting to print trace
> ...
>
> A bug or two, surely? :-)
>
It does work for +dnssec for webserver.$domain A or $domain SOA
Which is really encouraging.
But it crashes as stated above if it just doesn't find things and needs
to do DNSSEC.
I was using NSEC and asking for AAAA also crashes the whole thing.
A normal request to the pipe-backend looks like:
24718 Received: Q test.net IN SOA -1 127.0.0.1 127.0.0.1 127.0.0.1/32
24718 Sent SOA records
24718 End of data
But a request just before a crash says:
ï¿Å/32 Received: Q test.net IN SOA -1 0.0.0.0 0.0.0.0 8
24724 Sent SOA records
24724 End of data
Which suggests to me something in the PowerDNS-code isn't able to handle
it when
there is no result from any backend in combination with DNSSEC.
> Additionally, I note that the documentation for the PIPE backend [3]
> has no mention of ABI version 3, nor does it describe the bits and auth
> returned by the example pipe backend. Could somebody explain what the
> `bits' are?
>
> Thanks & regards,
>
> -JP
>
> [1]: http://downloads.powerdns.com/releases/rpm/pdns-static-3.0-1.i386.rpm
> [2]: http://wiki.powerdns.com/trac/browser/trunk/pdns/modules/pipebackend/backend-v3.pl?rev=2239
> [3]: http://doc.powerdns.com/backends-detail.html#pipebackend
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
More information about the Pdns-users
mailing list