[Pdns-users] Problem configuring rpz

Bill Pye bill.pye at phoenix-systems.co.uk
Mon Jun 22 10:50:46 UTC 2020


----- Original Message -----
> From: "Otto Moerbeek" <otto at drijf.net>
> To: "bill pye" <bill.pye at phoenix-systems.co.uk>
> Cc: "Pdns-users" <Pdns-users at mailman.powerdns.com>
> Sent: Monday, 22 June, 2020 12:40:58
> Subject: Re: [Pdns-users] Problem configuring rpz

> On Mon, Jun 22, 2020 at 09:57:13AM +0000, Bill Pye via Pdns-users wrote:
> 
>> Hi all
>> 
>> I'm a home user of your excellent software and by no means an expert in DNS. A
>> while ago I was experimenting with setting up rpz files on my DNS servers, and that
>> all worked OK. Recently I've been trying to configure the rpz via AXFR from
>> ioc2rpz here: https://ioc2rpz.net/
>> 
>> After a bit of trial and error (normal for me!) I have this working quite well
>> but I did hit a 'problem' and have a couple of questions.
>> 
>> While reading the documentation of the feed it mentioned that the feeds were
>> updated every thirty minutes. The PDNS-recursor documentation states that the zone's
>> default is used if not specified in the config file:
>> 
>> "refresh
>> 
>> An integer describing the interval between checks for updates. By default, the
>> RPZ zone's default is used"
>> 
>> That sounded reasonable so I left that alone and started with one feed which
>> contained four records. Strangely that resulted in an IXFR being done every
>> second, I left that running for a while (i.e. for about 12 hours) and it never
>> stopped. Is this a bug and should I file one on github?
>> 
>> Next a question: the documentation states the Refresh is an "integer" but it
>> doesn't mention that it's a per-second "integer"; should that be added to the
>> documentation? Could the fact that it's left empty be responsible for my
>> once-per-second IXFR? As the feed said it was updated every thirty minutes, should
>> that override the once-per-second?
>> 
>> The relevant SOA record from my feed is this:
>> 
>> dns-bh.ioc2rpz. 604800 IN SOA ioc2rpz-srv1.ioc2rpz.net. ioc2rpz.ioc2rpz.com.
>> 1591664280 43200 900 2592000 7200
>> 
>> Obviously that has a refresh of 15 minutes which is not the 30 mins the document
>> says but should my once-per-second IXFR be happening with that SOA? Once I
>> added a refresh to my rpzmaster entry it all worked as expected. :)
>> 
>> I hope that all makes sense but if I've missed something or it isn't too clear
>> then just let me know.
>> 
>> Regards
>> 
>> 
>> Bill
> 
> Please always tell which version you are using.
> 
> An issue that sounds very much like what you are seeing was fixed in
> https://github.com/PowerDNS/pdns/pull/8778. This is also in 4.3.1
> 
> For older versions, you should set a refresh interval explicitly.
> 
> As for the feed's data update interval vs their published refresh
> interval in their SOA record, I think you have to contact the feed source.
> 
> 	-Otto

Otto

It seems to be one of those days, here's the version for the list:

PDNS: 4.3.0
PDNS-recursor: 4.3.0
DNSDIST: 1.5.0 rc3


Regards


Bill
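For readers on a recursor version without the fix Otto mentions, here is the workaround he describes (an explicit refresh interval on the RPZ feed) written out as a recursor.lua snippet. This is an added example, not configuration posted by anyone in the thread and not taken from the PowerDNS or ioc2rpz projects. The feed address 192.0.2.53, the policy name and the dump-file path are placeholders; the zone name and the 30-minute update cadence come from the thread.

```lua
-- recursor.lua for PowerDNS Recursor 4.3.x (the 4.3.0 release in the thread);
-- the directive was renamed rpzPrimary in later releases, rpzMaster still works there.
-- Added example; 192.0.2.53 is a placeholder, use the address the feed publishes.
rpzMaster("192.0.2.53", "dns-bh.ioc2rpz.", {
  -- Seconds between checks for updates (IXFR against the feed's serial).
  -- Set explicitly on 4.3.0 so the zone's SOA refresh (900 here) is never
  -- the only thing controlling the timer; 1800 matches the feed's stated
  -- 30-minute update cadence from the thread.
  refresh    = 1800,

  -- Name under which hits from this zone show up in policy logging.
  -- Placeholder name.
  policyName = "ioc2rpz-dns-bh",

  -- Write the transferred zone out after each successful transfer, so you can
  -- confirm with the file's mtime how often the transfer actually happens.
  -- Placeholder path; the directory must be writable by the recursor user.
  dumpFile   = "/var/lib/pdns-recursor/dns-bh.ioc2rpz.rpz",
})
```

After reloading (`rec_control reload-lua-config`), compare the dump file's modification time over an hour: with the explicit refresh it should move at most every 30 minutes, and a file that keeps changing every second reproduces the symptom Bill reported. Note that no defpol is set, so the feed's own policy actions are used rather than being overridden for every record.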