[Pdns-users] Pipe-backend: ABI-v3, TXT, and DNSSEC

Leen Besselink leen at consolejunkie.net
Mon Aug 8 21:34:19 UTC 2011 

On 08/08/2011 06:57 PM, Jan-Piet Mens wrote:
> Hello,
>
> I was curious as to wether PowerDNS would sign records produced by the
> PIPE back-end, particularly since the release notes indicate it may be
> possible ([3] also says "partial support").
>
> I set up a small test with PowerDNS 3.0.1 [1] and the example
> backend-v3.pl [2]. I encountered the following issues:
>

I tried that too. I did rename mine test.net and used gpsqlite3 because
I already had that setup.

> 0. Configuration `powerdns.conf` contains only:
>
>         daemon=no
>         launch=gmysql,pipe
>         gmysql-dnssec
>         gmysql-dbname=pdns
>         gmysql-host=127.0.0.1
>         gmysql-port=3306
>         gmysql-user=pdns
>         gmysql-password=secret
>         cache-ttl=0
>         query-cache-ttl=0
>         log-dns-details=yes
>         loglevel=4
>         pipe-command=/etc/powerdns/backend-v3.pl
>         pipebackend-abi-version=3
>
> 1. A query of type ANY produces a SERVFAIL with the sample back-end. The
>    console logs: 
>    Exception building answer packet (Parsing record content: Data field
>    in DNS should start with quote (") at position 3 of '" "hallo
>    allemaal!""') sending out servfail
>
>    Changing quotes to single quotes, or removing them altogether doesn't
>    improve: I can't get PowerDNS to reply with a TXT RR.
>

Seems that part works for me if I remove all quotes:

print "DATA $bits $auth $qname $qclass TXT 3600 -1 hallo allemaal!\n";

Although it does add a space at the start:

$ dig +short +norec +dnssec @127.0.0.1 test.net txt
TXT 8 2 3600 20110818000000 20110804000000 63826 test.net.
fD8xqLMN9vcBK1Y0CwAJrgr9CfFQRwdc3j9OVijHXjvU5TdMDZ4s4y0g
JcmUCREUFAdbmasrKmthPEzGvtrD/K41zWSdjwArMDzehmozrCswU8Vq
oGJ4K2n/2FEUUA1bpS0pbU+KLMW2I0EevhdPNojzgSyD78ztAOjcTH5o s6g=
" hallo allemaal!"

> 2. I created a zone in gmysql called example.com, type=NATIVE and
>    signed it with `pdnssec secure-zone example.com`. (Records table for
>    the zone is empty)
>

Yes, it won't work without a records-table.

> 3. I query the PIPE backend `dig @127.0.0.1 example.com any' and get
>    expected results including 3 DNSKEY RR
>
> 4. I query the PIPE backend `dig @127.0.0.1 +dnssec example.com any' and
>    powerdns aborts with the following message on the console:
>
>         Default beforeAndAfterAbsolute called!
>         Got a signal 6, attempting to print trace
>         ...
>
> A bug or two, surely? :-)
>

It does work for +dnssec for webserver.$domain A or $domain SOA

Which is really encouraging.

But it crashes as stated above if it just doesn't find things and needs
to do DNSSEC.

I was using NSEC and asking for AAAA also crashes the whole thing.

A normal request to the pipe-backend looks like:

24718 Received: Q test.net IN SOA -1 127.0.0.1 127.0.0.1 127.0.0.1/32
24718 Sent SOA records
24718 End of data

But a request just before a crash says:

ᅵ/32 Received: Q test.net IN SOA -1 0.0.0.0 0.0.0.0 8
24724 Sent SOA records
24724 End of data

Which suggests to me something in the PowerDNS-code isn't able to handle
it when
there is no result from any backend in combination with DNSSEC.

> Additionally, I note that the documentation for the PIPE backend [3]
> has no mention of ABI version 3, nor does it describe the bits and auth
> returned by the example pipe backend. Could somebody explain what the
> `bits' are?
>
> Thanks & regards,
>
>         -JP
>
> [1]: http://downloads.powerdns.com/releases/rpm/pdns-static-3.0-1.i386.rpm
> [2]: http://wiki.powerdns.com/trac/browser/trunk/pdns/modules/pipebackend/backend-v3.pl?rev=2239
> [3]: http://doc.powerdns.com/backends-detail.html#pipebackend
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users

More information about the Pdns-users mailing list