[Pdns-users] pdns & nproxy
Gary Shaver
gshaver at he.net
Fri Jul 6 14:49:26 UTC 2012
Hi Peter,
You are 100% correct. This is why some type of notify proxying would be
such a good thing :)
Proxying notifies back to a dedicated slave would eliminate this issue
completely.
Gary
Hurricane Electric
> Peter van Dijk <mailto:peter.van.dijk at netherlabs.nl>
> July 6, 2012 7:38 AM
> Hello Gary,
>
> you should never try to initiate TCP between two IPs, one of which is
> anycasted. It's a recipe for failure, no matter how hard you try to
> find the right node.
>
>
> Kind regards,
> Gary Shaver <mailto:gshaver at he.net>
> July 6, 2012 7:04 AM
>
> Hi Bert, Fred, List,
>
> An anycasted nameserver cluster could benefit from this. Initiating
> an axfr from a nameserver that is not topologically closest to
> the master just results in a
> failed axfr attempt since the answer does not come back to the slave
> making the initial request.
>
>
> Gary Shaver
> Hurricane Electric
>
> bert hubert <mailto:bert.hubert at netherlabs.nl>
> July 5, 2012 3:00 PM
>
> Interesting. The original use case was where the outside world would
> never be talking to that master, or at least not taking the initiative
> to do so. So the outside world would think the nproxy IP address was
> the slave, and nproxy would then relay that to the real slave, which
> would reach out over TCP to make it happen. I think some NAT trick is
> used to make sure that the outgoing traffic appears as the address
> that was notified.
>
> If you want to have this integrated, what exactly is your use case?
> Better protection for the hidden master?
>
> Please don't get me wrong, I get the impression what you want is
> reasonable, but I can't quite wrap my head around your exact requirements.
>
> Please let us know!
>
> Bert
> PowerDNS
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>
>
> Fred Wittekind <mailto:rom at twister.dyndns.org>
> July 5, 2012 11:18 AM
> I'm working on deploying pdns, and we had intended to use native
> replication (mysql-replication).
>
> Our idea was to have one master dns server that sits behind a
> firewall, and our public facing servers replicate from it. This works
> well for 90%+ of the domains we host. We do have a few we have to
> slave from our clients though.
>
> My original plan was to have nproxy sit on the public facing name
> servers to forward the notify to the master dns server behind the
> firewall, the master then does the axfr from our client's server,
> populates mysql with the new zone info, that then replicates out to
> the public facing servers.
>
> Then I got this error when trying to start nproxy (IP address censored):
> nproxy: Fatal: Binding socket for incoming packets to 'a.b.c.d:53':
> Address already in use
>
> Which of course makes sense after seeing it, pdns is already binding
> to the same IP/port.
>
> So, my question is this... Can the functionality of nproxy be rolled
> into pdns so that pdns itself can forward the notify to another
> instance of pdns (on the master server), or can nproxy and pdns be
> made to work on the same IP. I looked into trying to see if I could
> get iptables to split out the notify messages to a different
> destination IP so I could put nproxy on a different IP than pdns, but,
> I didn't figure out a good (reliable) way to do this.
>
> Any help would be appreciated.
>
> Fred Wittekind
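The relay step the thread keeps coming back to (a proxy on the public address accepts a NOTIFY and hands it to the hidden server that will do the AXFR), written out as an added example; this is not nproxy's or PowerDNS's code, and the zone table, addresses and function names are assumptions:

```python
# Added illustration of NOTIFY relaying (RFC 1996, opcode 4), not nproxy's code.
# Parse a NOTIFY from the wire, check that it came from the master configured for
# that zone, and return the hidden server the proxy should forward it to.
import struct

OPCODE_NOTIFY = 4

# Hypothetical config: zone -> (expected master address, hidden server to relay to)
ZONES = {
    "example.org.": ("192.0.2.10", "10.0.0.5"),   # constructed sample addresses
}

def parse_notify(packet):
    """Return (message id, zone) if packet is a NOTIFY query, else None."""
    if len(packet) < 12:
        return None
    msg_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    if qr != 0 or opcode != OPCODE_NOTIFY or qdcount != 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None                 # truncated name
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:               # compression pointer: not accepted in a question name
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return msg_id, ".".join(labels).lower() + "."

def relay_target(packet, src_ip):
    """Hidden server to forward to, or None if the NOTIFY is unknown or not from its master."""
    parsed = parse_notify(packet)
    if parsed is None:
        return None
    _, zone = parsed
    master, hidden = ZONES.get(zone, (None, None))
    return hidden if master == src_ip else None

def build_notify(msg_id, zone):
    """Constructed sample NOTIFY for offline testing (QR=0, opcode=4, AA set, QTYPE SOA)."""
    flags = (OPCODE_NOTIFY << 11) | (1 << 10)
    name = b"".join(bytes([len(l)]) + l.encode() for l in zone.rstrip(".").split("."))
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0) + name + b"\x00" + struct.pack("!HH", 6, 1)
```

The proxy itself would `sendto()` the unchanged packet to the address `relay_target()` returns on port 53; the source-address check is what keeps an unsolicited NOTIFY from an arbitrary host from triggering a transfer attempt against the hidden server.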