[Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.

Chris Russell Chris.Russell at knowledgeit.co.uk
Thu Jul 21 16:46:04 UTC 2011


 As an addendum, also tried multi launch with the same issue specifying dnssec on one launch:

launch=gmysql:sec,gmysql:nonsec
gmysql-sec-dnssec
gmysql-sec-host=127.0.0.1
gmysql-sec-user=x
gmysql-sec-dbname=y
gmysql-sec-password=z
gmysql-nonsec-host=127.0.0.1
gmysql-nonsec-user=x
gmysql-nonsec-dbname=y
gmysql-nonsec-password=z

 Have to be missing something silly here.


Cheers

Chris



-----Original Message-----
From: pdns-users-bounces at mailman.powerdns.com [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of Chris Russell
Sent: 21 July 2011 17:38
To: zaphodb at zaphods.net
Cc: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.

Hi Stefan,

 Thanks for the reply.

 Sorry for the confusion. I think "option for dns-sec in the backend" is the key here, because I have this set, as I want to serve some dns-sec zones but not all.

 Essentially, PDNS, with MySQL backend (only), and I'm trying to serve dns-sec and non dns-sec zones.

launch=gmysql
gmysql-dnssec


 Set in pdns.conf.

 In the database:

Domains:

|  6 | wibble.com               | NULL   |       NULL | NATIVE |            NULL | NULL    |
+----+--------------------------+--------+------------+--------+-----------------+---------+


mysql> select * from records where domain_id=6;
+-----+-----------+-----------------+------+----------------------------------------------------------------------------+-------+------+-------------+-----------+------+
| id  | domain_id | name            | type | content                                                                    | ttl   | prio | change_date | ordername | auth |
+-----+-----------+-----------------+------+----------------------------------------------------------------------------+-------+------+-------------+-----------+------+
| 694 |         6 | wibble.com      | SOA  | ns1.server.co.uk hostmaster.server.net 2011011702 10800 3600 1209600 86400 | 86400 |    0 |        NULL |           |    0 |
| 695 |         6 | mail.wibble.com | A    | 1.1.1.1                                                                    | 86400 |    0 |        NULL |           |    0 |
| 696 |         6 | wibble.com      | NS   | ns1.server.co.uk                                                           | 86400 |    0 |        NULL |           |    0 |
+-----+-----------+-----------------+------+----------------------------------------------------------------------------+-------+------+-------------+-----------+------+


 So I have a name server (ns1.server.co.uk is the physical server), SOA and an A record. The auth field (for DNS-SEC) is 0.

 However results from dig:

[root at ns1 ~]# dig wibble.com @localhost SOA

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> wibble.com @localhost SOA
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18174
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;wibble.com.                    IN      SOA

;; ANSWER SECTION:
wibble.com.             86400   IN      SOA     ns1.server.co.uk hostmaster.server.net 2011011702 10800 3600 1209600 86400

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 21 17:22:56 2011
;; MSG SIZE  rcvd: 101

 So, no issues with the SOA, but the A

[root at ns1 ~]# dig mail.wibble.com @localhost A

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> mail.wibble.com @localhost A
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57290
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.wibble.com.               IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 21 17:28:20 2011
;; MSG SIZE  rcvd: 33


 And in the logs:

Jul 21 17:25:19 ns1 pdns[14821]: Should not get here (mail.wibble.com|1): please run pdnssec rectify-zone wibble.com

 I'm guessing as I have gmysql-dnssec set, it's assuming all zones are DNS-SEC enabled.

 So the question then becomes, can I run 2 gmysql backends, one for sec, one for not? Docs don't really tell me this, especially preferably in the same database.

Cheers

Chris



-----Original Message-----
From: pdns-users-bounces at mailman.powerdns.com [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of Stefan Schmidt


I am not sure what you mean by 'auth zone'.
You can run non DNSSEC zones alongside DNSSEC signed ones no problem,
PowerDNS will default to non-DNSSEC operation for a Zone if it doesn't
find any key material or option for it in the backend.

 Stefan
_______________________________________________
Pdns-users mailing list
Pdns-users at mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
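
A check of the `auth` column shown in the records table above, as an added example that is not part of the original thread: `pdnssec rectify-zone`, which the log line asks for, sets the `auth` and `ordername` columns, and this sketch lists the rows whose `auth` differs from what the PowerDNS generic SQL schema expects (1 for data the zone is authoritative for, 0 for delegation NS records and glue). It uses an in-memory SQLite table as a stand-in for the MySQL `records` table; the `sub.wibble.com` delegation rows and all function names are constructed for illustration, and `ordername` is not checked.

```python
import sqlite3

# Constructed rows modelled on the records table quoted in the post. The
# sub.wibble.com delegation and its glue are hypothetical additions that show
# the two cases where auth=0 is the correct value.
ROWS = [
    (694, 6, "wibble.com", "SOA", 0),
    (695, 6, "mail.wibble.com", "A", 0),
    (696, 6, "wibble.com", "NS", 0),
    (697, 6, "sub.wibble.com", "NS", 0),
    (698, 6, "ns.sub.wibble.com", "A", 0),
]

def build_db():
    """In-memory SQLite stand-in for the MySQL records table (columns trimmed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER, domain_id INTEGER,"
                 " name TEXT, type TEXT, auth INTEGER)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn

def expected_auth(name, rtype, cuts):
    """1 for authoritative data; 0 at or below a delegation, except DS at the cut."""
    for cut in cuts:
        if name == cut and rtype == "DS":
            return 1
        if name == cut or name.endswith("." + cut):
            return 0
    return 1

def auth_mismatches(conn, domain_id, apex):
    """Return (id, name, type, auth, expected) for rows whose auth looks wrong."""
    rows = [(rid, name.lower(), rtype.upper(), auth) for rid, name, rtype, auth in
            conn.execute("SELECT id, name, type, auth FROM records"
                         " WHERE domain_id = ? ORDER BY id", (domain_id,))]
    # A delegation point (zone cut) is any non-apex name that owns NS records.
    cuts = {name for _, name, rtype, _ in rows if rtype == "NS" and name != apex}
    out = []
    for rid, name, rtype, auth in rows:
        want = expected_auth(name, rtype, cuts)
        if auth != want:
            out.append((rid, name, rtype, auth, want))
    return out

if __name__ == "__main__":
    for row in auth_mismatches(build_db(), 6, "wibble.com"):
        print("id=%d %s %s auth=%s expected=%d" % row)
```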
