[Pdns-users] Pipe-backend: ABI-v3, TXT, and DNSSEC
leen at consolejunkie.net
Mon Aug 8 22:40:22 UTC 2011
On 08/08/2011 11:34 PM, Leen Besselink wrote:
> On 08/08/2011 06:57 PM, Jan-Piet Mens wrote:
>> I was curious as to wether PowerDNS would sign records produced by the
>> PIPE back-end, particularly since the release notes indicate it may be
>> possible ( also says "partial support").
>> I set up a small test with PowerDNS 3.0.1  and the example
>> backend-v3.pl . I encountered the following issues:
> I tried that too. I did rename mine test.net and used gpsqlite3 because
> I already had that setup.
>> 0. Configuration `powerdns.conf` contains only:
>> 1. A query of type ANY produces a SERVFAIL with the sample back-end. The
>> console logs:
>> Exception building answer packet (Parsing record content: Data field
>> in DNS should start with quote (") at position 3 of '" "hallo
>> allemaal!""') sending out servfail
>> Changing quotes to single quotes, or removing them altogether doesn't
>> improve: I can't get PowerDNS to reply with a TXT RR.
> Seems that part works for me if I remove all quotes:
> print "DATA $bits $auth $qname $qclass TXT 3600 -1 hallo allemaal!\n";
> Although it does add a space at the start:
> $ dig +short +norec +dnssec @127.0.0.1 test.net txt
> TXT 8 2 3600 20110818000000 20110804000000 63826 test.net.
> oGJ4K2n/2FEUUA1bpS0pbU+KLMW2I0EevhdPNojzgSyD78ztAOjcTH5o s6g=
> " hallo allemaal!"
>> 2. I created a zone in gmysql called example.com, type=NATIVE and
>> signed it with `pdnssec secure-zone example.com`. (Records table for
>> the zone is empty)
> Yes, it won't work without a records-table.
>> 3. I query the PIPE backend `dig @127.0.0.1 example.com any' and get
>> expected results including 3 DNSKEY RR
>> 4. I query the PIPE backend `dig @127.0.0.1 +dnssec example.com any' and
>> powerdns aborts with the following message on the console:
>> Default beforeAndAfterAbsolute called!
>> Got a signal 6, attempting to print trace
>> A bug or two, surely? :-)
> It does work for +dnssec for webserver.$domain A or $domain SOA
> Which is really encouraging.
> But it crashes as stated above if it just doesn't find things and needs
> to do DNSSEC.
> I was using NSEC and asking for AAAA also crashes the whole thing.
> A normal request to the pipe-backend looks like:
> 24718 Received: Q test.net IN SOA -1 127.0.0.1 127.0.0.1 127.0.0.1/32
> 24718 Sent SOA records
> 24718 End of data
> But a request just before a crash says:
> Ã¯Â¿Å/32 Received: Q test.net IN SOA -1 0.0.0.0 0.0.0.0 8
> 24724 Sent SOA records
> 24724 End of data
> Which suggests to me something in the PowerDNS-code isn't able to handle
> it when
> there is no result from any backend in combination with DNSSEC.
I forgot to add:
It also seems to ask the wrong question ? Or atleast use the wrong
'realRemote' and maybe that breaks the protocol ?
I didn't immediately found the cause for it.
>> Additionally, I note that the documentation for the PIPE backend 
>> has no mention of ABI version 3, nor does it describe the bits and auth
>> returned by the example pipe backend. Could somebody explain what the
>> `bits' are?
>> Thanks & regards,
>> : http://downloads.powerdns.com/releases/rpm/pdns-static-3.0-1.i386.rpm
>> : http://wiki.powerdns.com/trac/browser/trunk/pdns/modules/pipebackend/backend-v3.pl?rev=2239
>> : http://doc.powerdns.com/backends-detail.html#pipebackend
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
More information about the Pdns-users