[Pdns-users] DNSSEC rectify-zone setuid and setgid

Leen Besselink leen at consolejunkie.net
Sun Aug 21 22:52:17 UTC 2011


On 08/05/2011 06:31 AM, kim Doff wrote:
> Hello,
>
Hi,

> Could you help me?
>

Well, I can try and give you some information and pointers.

> 1.
>
> DNSSEC Master/Slave are working faultlessly.
>
> I have PowerDNS v3, PowerAdmin 2.1.5 and MySQL Database Replication
> With SSL Encryption. 
>
> Here is my question.
>
> When I modify zone domain.com through PowerAdmin
> by adding a subdomain like test.domain.com
>
> Master/Slave are updated (SOA serial is updated)
> but Master/Slave do not bind test.domain.com,
>
> I have to rectify zone domain.com in Master
> to bind test.domain.com in Master/Slave
>
> # pdnssec rectify-zone domain.com
>
> Is there a way to do it automatically through PowerDNS?
>

First you'll have to know where all the documentation is:
http://powerdnssec.org/
http://wiki.powerdns.com/trac/wiki/PDNSSEC
http://doc.powerdns.com/powerdnssec-auth.html
http://wiki.powerdns.com/trac/wiki/PDNSSEC/details
http://wiki.powerdns.com/trac/wiki/PDNSSEC/backends

Next you should know that you have to choose how PowerDNS should do the
live-signing for the domain.

If you choose one that does not need an ordered zone, like for example
NSEC3-narrow, you can just add the right auth=TRUE to the database and
it will 'just work'.

Because that is all that rectify-zone does for un-ordered zones.

(zone-transfers will not be signed, by the way, with NSEC3-narrow, if I
remember correctly; if you need them you might not want to choose that)

> 2.
>
> When I enable setuid=pdns and setgid=pdns in pdns.conf,
> Master/Slave are down.
>

Have you tried running pdns_server with --daemon=no --guardian=no
--config=/your-config ? I think this should not detach from the console.
If you also add something like strace -f -F then you can also see what
it is doing.

There must be something that the pdns user or group does not have
rights to that it needs.

> Why?
>
> Thanks,
>
> Kim
>

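An added illustration of the point in the reply above, not code from PowerDNS or from either poster: for a zone that needs no ordering (NSEC3 narrow), rectify-zone only has to fill in the `auth` column, so a record inserted through a web front-end with `auth` left NULL is exactly what goes wrong. The script below uses sqlite3 in place of MySQL so it runs offline, models only the `domains`/`records` columns it needs from the generic SQL schema, and applies the auth rule as the PowerDNS documentation states it (auth=1 for everything except glue and the non-DS records at a delegation point); the sample zone, addresses and DS digest are constructed.

```python
import sqlite3

# Minimal stand-in for the PowerDNS generic SQL schema (assumed subset).
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE records (
    id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL, name TEXT,
    type TEXT, content TEXT, ordername TEXT, auth INTEGER
);
"""

# Constructed sample zone: (name, type, content, auth as stored right now).
SAMPLE_RECORDS = [
    ("domain.com", "SOA", "ns1.domain.com hostmaster.domain.com 2011082101 3600 900 604800 300", 1),
    ("domain.com", "NS", "ns1.domain.com", 1),
    ("ns1.domain.com", "A", "192.0.2.1", 1),
    ("www.domain.com", "A", "192.0.2.2", 1),
    ("sub.domain.com", "NS", "ns1.sub.domain.com", 0),      # delegation NS: not authoritative here
    ("sub.domain.com", "DS", "12345 8 2 0000DEADBEEF", 1),  # DS at the cut is authoritative (digest constructed)
    ("ns1.sub.domain.com", "A", "192.0.2.53", 0),           # glue below the cut
    ("test.domain.com", "A", "192.0.2.3", None),            # added via a web UI, auth never set
]


def load_sample(conn):
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO domains (id, name) VALUES (1, 'domain.com')")
    conn.executemany(
        "INSERT INTO records (domain_id, name, type, content, auth) VALUES (1, ?, ?, ?, ?)",
        SAMPLE_RECORDS,
    )
    conn.commit()


def compute_auth(zone, names_types):
    """Map each (name, type) to the auth flag rectify-zone would assign.

    Delegation points are names below the apex that carry NS records. The DS
    at such a point is authoritative (auth=1); every other record at or below
    it (the NS set, glue) is not (auth=0). Everything else is auth=1.
    """
    cuts = {n for n, t in names_types if t == "NS" and n != zone}
    auth = {}
    for name, rtype in names_types:
        at_or_below_cut = any(name == c or name.endswith("." + c) for c in cuts)
        if rtype == "DS" and name in cuts:
            auth[(name, rtype)] = 1
        elif at_or_below_cut:
            auth[(name, rtype)] = 0
        else:
            auth[(name, rtype)] = 1
    return auth


def _zone_rows(conn, zone):
    (domain_id,) = conn.execute("SELECT id FROM domains WHERE name = ?", (zone,)).fetchone()
    rows = conn.execute(
        "SELECT name, type, auth FROM records WHERE domain_id = ? ORDER BY name, type",
        (domain_id,),
    ).fetchall()
    return domain_id, rows


def unrectified(conn, zone):
    """(name, type) pairs whose stored auth differs from the computed one; NULL counts as wrong."""
    _, rows = _zone_rows(conn, zone)
    wanted = compute_auth(zone, [(n, t) for n, t, _ in rows])
    return [(n, t) for n, t, a in rows if a != wanted[(n, t)]]


def rectify_narrow(conn, zone):
    """What rectify-zone does for an NSEC3-narrow zone: set auth, leave ordername NULL. Returns rows changed."""
    domain_id, rows = _zone_rows(conn, zone)
    wanted = compute_auth(zone, [(n, t) for n, t, _ in rows])
    changed = 0
    for n, t, a in rows:
        if a != wanted[(n, t)]:
            conn.execute(
                "UPDATE records SET auth = ?, ordername = NULL "
                "WHERE domain_id = ? AND name = ? AND type = ?",
                (wanted[(n, t)], domain_id, n, t),
            )
            changed += 1
    conn.commit()
    return changed


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    print("needs rectify:", unrectified(conn, "domain.com"))
    print("rows fixed:", rectify_narrow(conn, "domain.com"))
    print("needs rectify:", unrectified(conn, "domain.com"))
```

Running `unrectified()` against a real backend after every front-end edit is the quick check for the symptom in the question: any row it lists will be present in the database, bump the SOA serial, and still not be served as authoritative until its `auth` flag is set.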