[Pdns-users] pdns & nproxy

[Fred Wittekind]

On 7/8/2012 8:31 PM, Fred Wittekind wrote:
> On 07/05/2012 06:00 PM, bert hubert wrote:
>> On Jul 5, 2012, at 8:18 PM, Fred Wittekind wrote:
>>> Then I got this error when trying to start nproxy (IP address
>>> censored):
>>> nproxy: Fatal: Binding socket for incoming packets to 'a.b.c.d:53':
>>> Address already in use
>>>
>>> Which of course makes sense after seeing it, pdns is already binding
>>> to the same IP/port.
>>>
>>> So, my question is this...  Can the functionality of nproxy be
>>> rolled into pdns so that pdns itself can forward the notify to
>>> another instance of pdns (on the master server), or can nproxy and
>>> pdns be made to work on the same IP.   I looked into trying to see
>>> if I could get iptables to split out the notify messages to a
>>> different destination IP so I could put nproxy on a different IP
>>> than pdns, but, I didn't figure out a good (reliable) way to do this.
>> Interesting. The original use case was where the outside world would
>> never be talking to that master, or at least not taking the
>> initiative to do so. So the outside world would think the nproxy IP
>> address was the slave, and nproxy would then relay that to the real
>> slave, which would reach out over TCP to make it happen. I think some
>> NAT trick is used to make sure that the outgoing traffic appears as
>> the address that was notified.
>>
>> If you want to have this integrated, what exactly is your use case?
>> Better protection for the hidden master?
>>
>> Please don't get me wrong, I get the impression what you want is
>> reasonable, but I can't quite wrap my head around your exact
>> requirements.
>>
>> Please let us know!
>>
>>     Bert
>>     PowerDNS
>>
>>
>
> What we are trying to do is have what we call NSMS, which is a server
> that sits behind our firewall, and is the MySQL master db server. 
> Then we are going to have 3 name servers on public IPs that will be
> MySQL slaves of NSMS (what PDNS calls native replication I think).  We
> would then have some type of web interface managing the DNS records on
> NSMS.  This setup covers the need of 90+% of the domains we host.
>
> We have a small handful of domains that we slave from one of our
> client's servers.  The 3 name servers we would have on public IPs
> would be unable to write to there local MySQL instance, because they
> are MySQL slaves, so we would need that notify to be passed on to
> NSMS, which our 3 public name servers can talk to, but our client
> server's can't.
>
> Right now, the client's are configured to send the notify to one of
> our existing 3 public name servers, and it has a script on it that
> intercepts that notify and passes it on to the existing NSMS.  I would
> prefer to avoid solutions that require the clients to change there
> configuration.  Our new PDNS based servers are intended to take over
> the IP addresses of our old name servers.
>
> Looks like it would be pretty easy to re-write one of the SQL queries
> so that the 3 public name servers get back "native" as the replication
> mode for all domains including the ones that NSMS actually slaves off
> a client server.  The trick I think is just going to be getting the
> notify forwarded to NSMS (since it's the only server with MySQL write
> access).
>
> Fred Wittekind
>

I've been looking at the code in nproxy, and the code in pdns that tests
against the trusted-notification-proxy setting, and I see that it tests
that the notify came from the trusted-notification-proxy, and that it
tests that the domain the notify is for has a master, but, I do not see
that it checks that the original notify came from the master, or that
nproxy even passes along that information to pdns.

Am I missing something or am I reading the code correctly?  If I am
reading the code correctly, would it be possible or a good idea for
nproxy to forward along the IP address it received the notify from, and
for pdns to check that IP against the master for the zone?

Fred Wittekind