BBlack has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/346937 )

Change subject: [WIP] dnsrecursor: 4.x backport and edns-client-subnet
......................................................................

[WIP] dnsrecursor: 4.x backport and edns-client-subnet

I've manually tested the backports package with these settings,
and it functions correctly as expected (including correct
discovery geoip effects for private-network clients via
edns-client-subnet).

TODO: I'm not sure whether various labs usage of this class might
still be on trusty, in which case there will need to be some
conditional config to let 3.x continue to operate as it did before
there.

TODO: On jessie+, use a systemd unit file fragment to raise the FD
ulimit.

Change-Id: I73cfea9e56800624f1353a381540c0f410dd826d
---
M modules/dnsrecursor/manifests/init.pp
M modules/dnsrecursor/templates/recursor.conf.erb
2 files changed, 55 insertions(+), 83 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/37/346937/1

diff --git a/modules/dnsrecursor/manifests/init.pp 
b/modules/dnsrecursor/manifests/init.pp
index 8bfa3c7..a564e3b 100644
--- a/modules/dnsrecursor/manifests/init.pp
+++ b/modules/dnsrecursor/manifests/init.pp
@@ -29,6 +29,16 @@
         description => 'Recursive DNS server',
     }
 
+    # This is to ensure we get pdns-recursor 4.x on jessie
+    if os_version('debian < stretch') {
+        apt::pin { 'pdns-recursor':
+            package  => 'pdns-recursor',
+            pin      => 'release a=jessie-backports',
+            priority => '1001',
+            before   => Package['pdns-recursor'],
+        }
+    }
+
     package { 'pdns-recursor':
         ensure => 'present',
     }
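Review bot: the `os_version('debian < stretch')` guard only ever matches Debian, so the trusty case the commit message leaves as a TODO is not handled here: a trusty host skips the pin, installs whatever 3.x the distro provides, and still gets the 4.x-only keys the template emits. Suggest deciding the "is this 4.x" question once in init.pp (a boolean derived from the same os_version test, with an explicit Ubuntu branch) and passing it to the template, so the pin and the config cannot disagree. Two smaller checks on the pin itself: `pin => 'release a=jessie-backports'` with `priority => '1001'` is inert if the jessie-backports source is not configured on the host, in which case 3.x is installed silently, so the same conditional should make sure that source is present; and nothing visible in this hunk refreshes the apt cache between the pin landing (`before => Package['pdns-recursor']`) and the package install, so unless apt::pin does that itself the first run will still see only the jessie version.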
diff --git a/modules/dnsrecursor/templates/recursor.conf.erb 
b/modules/dnsrecursor/templates/recursor.conf.erb
index 7d2bc0a..fffdc48 100644
--- a/modules/dnsrecursor/templates/recursor.conf.erb
+++ b/modules/dnsrecursor/templates/recursor.conf.erb
@@ -1,7 +1,3 @@
-# This file is managed by puppet - don't edit it locally!
-# recursor.conf
-# https://doc.powerdns.com/3/recursor/settings/
-
 <%
     def flatten_ips(ips)
         result = []
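Review bot: dropping `# This file is managed by puppet - don't edit it locally!` removes the only warning an operator sees that hand edits on the host will be overwritten on the next run; keep that header. Rather than deleting the documentation link, replace `https://doc.powerdns.com/3/recursor/settings/` with the 4.x settings reference, since the keys introduced further down (edns-subnet-whitelist, security-poll-suffix, reuseport, pdns-distributes-queries) are exactly the ones a reader will need to look up.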
@@ -19,42 +15,31 @@
         return result
     end
 -%>
+# --- Functional basics ---
 
-# location of configuration directory (recursor.conf)
 config-dir=/etc/powerdns/
-
 setgid=pdns
 setuid=pdns
-
 daemon=yes
-# THREADS x MAX-MTHREADS < FD's
-threads=2
+socket-dir=/var/run/
+export-etc-hosts=<%= @export_etc_hosts %>
 
-# maximum number of simultaneous MTasker threads
-# This is explicitly lowered to avoid a known bug:
-#  
http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/
-max-mthreads=512
+# --- Listen IPs, allowed clients, local zones+authdns ---
 
 # local-address        IP addresses to listen on, separated by spaces or commas
 local-address=<%= flatten_ips(@listen_addresses).sort.join(" ") %>
 local-port=53
-
-# available since: 3.6
-#loglevel=1
-log-common-errors=yes
-# suppress logging of questions and answers
-quiet=yes
-# trace        if we should output heaps of logging
-trace=off
-
-# which domains we only accept delegations from
-delegation-only=com,net
 
 # If set, only allow these comma separated netmasks to recurse
 allow-from=127.0.0.0/8, ::1/128, <%= (@allow_from + 
flatten_ips(@listen_addresses)).join(", ") %>
 
 # Zones for which we forward queries, comma separated domain=ip pairs
 forward-zones=<%= @forward_zones -%>, <%= @additional_forward_zones -%>
+
+# we need ECS to ensure our geoip resolution (e.g. for discovery hostnames) 
works correctly regardless of which recursor (x-dc) a client uses
+# XXX templatize this!
+# XXX 4.x-only! (do we have trusty recdns anywhere?)
+edns-subnet-whitelist=208.80.154.238/32, 208.80.153.231/32, 91.198.174.239/32
 
 <% if @lua_hooks -%>
 # lua scripts allow extending the resolver
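Review bot: `edns-subnet-whitelist=208.80.154.238/32, 208.80.153.231/32, 91.198.174.239/32` hardcodes three addresses into a template that otherwise takes everything from class parameters (`@listen_addresses`, `@allow_from`, `@forward_zones`); the `# XXX templatize this!` comment already concedes this, and it should be done before the change leaves WIP, e.g. `edns-subnet-whitelist=<%= @ecs_whitelist.join(', ') %>` with the list defined alongside the authdns addresses rather than copied here. The comment should also spell out the security property of this list: every server on it receives a (prefix-truncated) copy of the querying client's address with each question, and the commit message says the point is private-network clients, so internal client subnets will be sent to these public addresses; that is acceptable only because they are our own authoritative servers, and the list must not be extended to third-party targets. Finally, the `# XXX 4.x-only! (do we have trusty recdns anywhere?)` question is the same open item as the commit-message TODO and belongs in init.pp (one conditional deciding 3.x vs 4.x), not in a config comment that 3.x hosts would receive anyway.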
@@ -67,70 +52,47 @@
 auth-zones=<%= @auth_zones -%>
 <% end -%>
 
-# maximum number of entries in the main cache (default 1000000)
-max-cache-entries=<%= @max_cache_entries %>
+# --- Cache Params ---
 
-# maximum number of seconds to keep a negative cached entry in memory
+max-cache-entries=<%= @max_cache_entries %>
 max-negative-ttl=<%= @max_negative_ttl %>
 
-# maximum number of simultaneous TCP clients
+# --- Public-facing things ---
+
+# This prevents pdns from polling a public server to check for sec fixes
+# XXX 4.x-only!
+security-poll-suffix=
+
+# which domains we only accept delegations from
+delegation-only=com,net
+
+# Root hints distributed by Debian
+hint-file=/usr/share/dns/root.hints
+
+# --- Scaling / Limits ---
+
+# For now (4.0.x), we want to keep threads to a more-reasonable value like 4
+# because they're sharing a socket and waking up under thundering-herd
+# behavior.
+# Later (4.1), we can raise threads to 8+ (1/core) and leave the rest of the
+# settings below the same, and the recursor will properly use separate
+# reuseport sockets
+
+# XXX ulimits for systemd unit need adjusting, too (16K-ish for our case)
+threads=4
+pdns-distributes-queries=no
+reuseport=yes
+# XXX for 3.x, should reduce this to threads=2 max-mthreads=512 like before 
and not include the options above
+
+# TCP tuning/limits
 max-tcp-clients=<%= @max_tcp_clients %>
-
-# TCP sessions per client (IP address)
 max-tcp-per-client=<%= @max_tcp_per_client %>
-
-# Timeout in seconds when talking to TCP clients
 client-tcp-timeout=<%= @client_tcp_timeout %>
 
-# maximum number of packets to store statistics for
-# /usr/bin/rec_control top-remotes
-remotes-ringbuffer-entries=1000
+# --- Logging ---
 
-# where the controlsocket will live
-socket-dir=/var/run/
-
-# loads /etc/host entries on start
-# useful for debugging
-export-etc-hosts=<%= @export_etc_hosts %>
-
-# aaaa-additional-processing   turn on to do AAAA additional processing (slow)
-# aaaa-additional-processing=off
-
-# if we follow RFC 2181 to the letter, an authoritative server can lower the 
TTL of NS records
-# auth-can-lower-ttl=off
-
-# chroot       switch to chroot jail
-# chroot=
-
-# hint-file    If set, load root hints from this file
-# hint-file=
-
-# no-shuffle   Don't change
-# no-shuffle=off
-
-# query-local-address  Source IP address for sending queries
-# query-local-address=0.0.0.0
-
-# query-local-address6 Source IPv6 address for sending queries
-# query-local-address6=
-
-# serve-rfc1918        If we should be authoritative for RFC 1918 private IP 
space
-# serve-rfc1918=
-
-# returned when queried for 'server.id' TXT, defaults to hostname
-# server-id=
-
-# If set, only use a single socket for outgoing queries
-# single-socket=off
-
-# soa-minimum-ttl      Don't change
-# soa-minimum-ttl=0
-
-# soa-serial-offset    Don't change
-# soa-serial-offset=0
-
-# spoof-nearmiss-max   If non-zero, assume spoofing after this many near misses
-# spoof-nearmiss-max=20
-
-# version-string       string reported on version.pdns or version.bind
-# version-string=PowerDNS Recursor 3.1 $Id: pdns_recursor.cc 838 2006-05-19 
14:35:27Z
+log-common-errors=yes
+# suppress logging of questions and answers
+quiet=yes
+# trace        if we should output heaps of logging
+trace=off
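Review bot: the `# XXX for 3.x, should reduce this to threads=2 max-mthreads=512 like before and not include the options above` comment describes a conditional that does not exist in the template; if any 3.x host remains, this block needs an ERB branch (`<% if @recursor_4x -%>` with `threads=4`, `pdns-distributes-queries=no`, `reuseport=yes` on one side and `threads=2`, `max-mthreads=512` on the other), and before merging, check how 3.x reacts to `reuseport`, `pdns-distributes-queries` and `security-poll-suffix`: a recursor that refuses to start on an unknown setting turns this into an outage on every non-4.x host at its next puppet run. `security-poll-suffix=` (empty) disables the recursor's outbound security-status polling entirely, which is reasonable for hosts that should not talk to a third party, but the comment should say where advisory tracking for pdns-recursor happens instead, so nobody re-enables it "to be safe". `hint-file=/usr/share/dns/root.hints` is a file from the Debian dns-root-data package, not from pdns-recursor itself; confirm the backported package depends on it or ensure it from init.pp, and check what the recursor does at startup when the file is missing. The `# XXX ulimits for systemd unit need adjusting, too (16K-ish for our case)` note and the commit-message TODO are the same item: with `threads=4` the old `# THREADS x MAX-MTHREADS < FD's` constraint still applies, so the unit drop-in raising `LimitNOFILE=` should land in this change rather than in a later one.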

-- 
To view, visit https://gerrit.wikimedia.org/r/346937
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I73cfea9e56800624f1353a381540c0f410dd826d
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <bbl...@wikimedia.org>
