Re: [Pdns-users] lookup failing only with pdns recursor
On Wed, Apr 27, 2011 at 06:11:37PM -0500, Mark Felder wrote:
> I also found this works on the same recursor on a machine outside
> the network. Now I'm rapidly hunting down the problem.

If you could show the output of a --trace of a pdns_recursor in a network that has problems, we can rapidly tell what is going on.

I tried the problematic domain here and it always resolves using stock 3.3. But perhaps there is something we can improve in the face of filtering or so.

Bert

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users

Re: [Pdns-users] lookup failing only with pdns recursor
Wait, found that this is the same problem as in thread "DNS resolution problem with pdns-recursor-3.3"

I am sorry, but I think this has been a wild goose chase regarding a bug in the recursor. The existing 3.3 version works just fine with resolving cdn4.digitalconcerthall.com from a system outside our network. I am going to start looking into a firewall or networking problem. Thank you for your assistance and I will let you know what I find and hopefully it will help someone else.

I also found this works on the same recursor on a machine outside the network. Now I'm rapidly hunting down the problem.

Regards,
Mark

[Pdns-users] lookup failing only with pdns recursor
Ok here's the scenario. We've done a lot of testing and we've discovered this weird, weird bug:

Requirements:
- pdns recursor, confirmed with version 3.3
- domain we're looking up: ncura.omnicms.com

Test with host from my server to get an idea of what we're working with:

mwi1% host ncura.omnicms.com
ncura.omnicms.com is an alias for ncura.confex.com.
ncura.confex.com is an alias for cluster3.confex.com.
cluster3.confex.com has address 69.26.96.84

Dig from my server to PowerDNS Recursor:

mwi1% dig @66.170.1.10 ncura.omnicms.com

; <<>> DiG 9.6.-ESV-R3 <<>> @66.170.1.10 ncura.omnicms.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36984
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ncura.omnicms.com. IN A

;; AUTHORITY SECTION:
omnicms.com. 3297 IN SOA dns1.supranet.net. hostmaster.supranet.net. 2010101200 1800 900 604800 3600

;; Query time: 0 msec
;; SERVER: 66.170.1.10#53(66.170.1.10)
;; WHEN: Wed Apr 27 17:53:57 2011
;; MSG SIZE rcvd: 99

Dig from my server to our other lookup server which is BIND:

mwi1% dig @66.170.1.19 ncura.omnicms.com

; <<>> DiG 9.6.-ESV-R3 <<>> @66.170.1.19 ncura.omnicms.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37513
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ncura.omnicms.com. IN A

;; ANSWER SECTION:
ncura.omnicms.com. 1933 IN CNAME ncura.confex.com.
ncura.confex.com. 80996 IN CNAME cluster3.confex.com.
cluster3.confex.com. 80996 IN A 69.26.96.84

;; Query time: 0 msec
;; SERVER: 66.170.1.19#53(66.170.1.19)
;; WHEN: Wed Apr 27 17:54:27 2011
;; MSG SIZE rcvd: 101

Behavior also recreated with nslookup, etc.

Any ideas on what this is? This is crazy.

Thanks,
Mark

Re: [Pdns-users] DNSsec DS trouble in single server TLD setup
Niek,

> I can confirm that build 2181 fixes this problem completely.

For the record it is fully fixed in r2183 ;-) Bert just completed that.

-JP

Re: [Pdns-users] DNSsec DS trouble in single server TLD setup
Hi JP,

Over here it looks okay:

; <<>> DiG 9.6.1-P2 <<>> +nodnssec powerdnssec.org ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16718
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;powerdnssec.org. IN DS

;; ANSWER SECTION:
powerdnssec.org. 86332 IN DS 2224 5 1 CD79B0D2639AAA5AE5ABDC80003836E5E5E0C506

On Wed, Apr 27, 2011 at 04:58:43PM +0200, Jan-Piet Mens wrote:
> Bert,
>
> > Build 2181 is up which fixes your initial DS bug. Can you check if things
> > are ok now?
>
> r2181 fixes this for me, but I note that DS records are served only when
> querying with +dnssec. Omitting the switch gives NOERROR and NODATA.
> (This behaviour differs from that of BIND and NSD.)
>
> For example:
>
> dig +nodnssec powerdnssec.org ds
>
> Regards,
>
> -JP

Grtz,
--
Niek

Re: [Pdns-users] Delegating a subdomain with DNSsec fails if child and parent zone are on same server
Hi Folks,

I can confirm this problem got fixed in build 2181. This build also fixes "[Pdns-users] DNSsec DS trouble in single server TLD setup".

On Tue, Apr 26, 2011 at 06:00:02PM +0200, Niek wrote:
> Hi Folks,
>
> In addition to the findings I communicated to this list in "DNSsec DS trouble
> in single server TLD setup" on Thu Apr 21, I tried to delegate a subdomain with
> DNSsec on PowerDNS Server (pdns-3.0-rc2.20110419.2176).
>
> If both parent domain and child domain are hosted within the same instance of
> PowerDNS (with mysql backend), I fail because PowerDNS refuses to serve me the
> DS of the subzone.
>
> I do not know if this is the normal way to go for this sort of thing, the
> alternative is to put the child RR's into the parent zone. This works fine,
> but putting it all into the parent zone becomes very messy very fast.
> As an ISP we have subzones with 40,000+ RR's, I'm not especially looking
> forward to bundling those into 200,000+ RR zones.
>
> Also, if you put all records in the parent zone, you will have a harder time
> delegating responsibilities for sub zones to e.g. another office. You can in
> this scenario make two extra servers of course, but then you have to take care
> of 4 servers.
>
>
> Here's what I did:
>
> domain_id 5 = parent (pre-exists)
> domain_id 6 = child
>
> Create subdomain
> =
> INSERT INTO `powerdns`.`domains` (
>   `id` ,
>   `name` ,
>   `master` ,
>   `last_check` ,
>   `type` ,
>   `notified_serial` ,
>   `account`
> )
> VALUES (
>   NULL , 'sales.securename.nl', NULL , NULL , 'NATIVE', NULL , NULL
> )
>
>
> NS of subdomain in child zone
> =
> INSERT INTO `powerdns`.`records` (
>   `id` ,
>   `domain_id` ,
>   `name` ,
>   `type` ,
>   `content` ,
>   `ttl` ,
>   `prio` ,
>   `change_date` ,
>   `ordername` ,
>   `auth`
> )
> VALUES (
>   NULL , '6', 'sales.securename.nl', 'NS', 'dnssec-auth-bis.mer-nm.internl.net', '600', '0', NULL , NULL , '1'
> );
>
>
> SOA of subdomain in child zone
> =
> INSERT INTO `powerdns`.`records` (
>   `id` ,
>   `domain_id` ,
>   `name` ,
>   `type` ,
>   `content` ,
>   `ttl` ,
>   `prio` ,
>   `change_date` ,
>   `ordername` ,
>   `auth`
> )
> VALUES (
>   NULL , '6', 'sales.securename.nl', 'SOA', 'dnssec-auth-bis.mer-nm.internl.net blah.internl.net 2011042600 7200 3600 604800 3600', '600', '0', NULL , NULL , '1'
> );
>
>
> MX of subdomain in child zone
> =
> INSERT INTO `powerdns`.`records` (
>   `id` ,
>   `domain_id` ,
>   `name` ,
>   `type` ,
>   `content` ,
>   `ttl` ,
>   `prio` ,
>   `change_date` ,
>   `ordername` ,
>   `auth`
> )
> VALUES (
>   NULL , '6', 'sales.securename.nl', 'MX', 'mail.sales.securename.nl', '600', '10', NULL , NULL , '1'
> );
>
>
> A of MX of subdomain in child zone
> =
> INSERT INTO `powerdns`.`records` (
>   `id` ,
>   `domain_id` ,
>   `name` ,
>   `type` ,
>   `content` ,
>   `ttl` ,
>   `prio` ,
>   `change_date` ,
>   `ordername` ,
>   `auth`
> )
> VALUES (
>   NULL , '6', 'mail.sales.securename.nl', 'A', '1.2.3.4', '600', '0', NULL , NULL , '1'
> );
>
>
> Check
> ===
> dig +multiline ns sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net -> works
> dig +multiline soa sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net -> works
>
>
> DNSsec-ify
> ===
> pdnssec secure-zone sales.securename.nl
> pdnssec set-nsec3 sales.securename.nl
> pdnssec rectify-zone sales.securename.nl
> pdnssec check-zone sales.securename.nl
>
> pdnssec show-zone sales.securename.nl
> DS = sales.securename.nl IN DS 42385 8 2 ec12ab2e160eab1681ea3031b2d72b04d61a58cc914ecb68a3a39a17d5eb0eb6
>
> INSERT INTO `powerdns`.`records` (
>   `id` ,
>   `domain_id` ,
>   `name` ,
>   `type` ,
>   `content` ,
>   `ttl` ,
>   `prio` ,
>   `change_date` ,
>   `ordername` ,
>   `auth`
> )
> VALUES (
>   NULL , '5', 'sales.securename.nl', 'DS', '42385 8 2 ec12ab2e160eab1681ea3031b2d72b04d61a58cc914ecb68a3a39a17d5eb0eb6', '600', '0', NULL , NULL , '1'
> );
>
> pdnssec rectify-zone sales.securename.nl
> pdnssec rectify-zone securename.nl
>
> /etc/init.d/pdns restart
>
> dig +multiline +dnssec dnskey sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net -> works
> dig +multiline +dnssec soa sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net -> works
> dig +multiline +dnssec ns sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net -> works
> dig +multiline +dnssec ds sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net -> Fails, only NSEC3 output
>
> Which means that validation fails.
>
>
> Any remarks or suggestions?
>
> BTW, this setup no longer exists,

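Added example, not part of the thread and not PowerDNS code: the DS content that is inserted into the parent zone in the message above is a key tag plus a digest over the child's owner name and DNSKEY RDATA (RFC 4034), and validation fails when the parent does not serve a DS that matches the child's key. The Python below recomputes a DS and compares it with stored DS content; the key bytes are constructed placeholders (not the key behind the DS quoted in the thread) and the function names are illustrative.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def name_to_wire(name):
    """Canonical (lower-case) DNS wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return DS content as 'keytag algorithm digesttype digest'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"

def ds_matches(owner, flags, protocol, algorithm, pubkey_b64, ds_content):
    """True if DS content stored in the parent matches the child's DNSKEY."""
    tag, alg, dtype, *digest = ds_content.split()
    if int(dtype) not in DIGESTS:
        return False
    mine = make_ds(owner, flags, protocol, algorithm, pubkey_b64, int(dtype)).split()
    # Digest case differs between tools, so compare in lower case.
    return mine == [tag, alg, dtype, "".join(digest).lower()]

# Constructed sample: placeholder key bytes, not a real RSA key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")
OWNER = "sales.securename.nl"

if __name__ == "__main__":
    ds = make_ds(OWNER, 257, 3, 8, SAMPLE_KEY_B64)
    print("DS content for the parent zone:", ds)
    print("matches child DNSKEY:", ds_matches(OWNER, 257, 3, 8, SAMPLE_KEY_B64, ds))
```
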
Re: [Pdns-users] DNSsec DS trouble in single server TLD setup
Great job Bert!

I can confirm that build 2181 fixes this problem completely. And it also fixes "[Pdns-users] Delegating a subdomain with DNSsec fails if child and parent zone are on same server"

On Wed, Apr 27, 2011 at 10:59:00AM +0200, bert hubert wrote:
> On Thu, Apr 21, 2011 at 11:13:00AM +0200, Niek wrote:
> > Couldn't get it to work with the TLD and the child zone on the same server.
> > I was wondering whether this could be a bug in PowerDNS Server or whether I'm
> > maybe trying to do something the wrong way. (And I was wondering if it also
> > affects subdomains on the same server as the parent domain, I didn't
> > investigate)
>
> Thank you for your investigation!
>
> Build 2181 is up which fixes your initial DS bug. Can you check if things
> are ok now?
>
> Bert

Grtz,
--
Niek

Re: [Pdns-users] DNSsec DS trouble in single server TLD setup
Bert,

> Build 2181 is up which fixes your initial DS bug. Can you check if things
> are ok now?

r2181 fixes this for me, but I note that DS records are served only when querying with +dnssec. Omitting the switch gives NOERROR and NODATA. (This behaviour differs from that of BIND and NSD.)

For example:

dig +nodnssec powerdnssec.org ds

Regards,

-JP

Re: [Pdns-users] mysql-tests
Moin Bert,

On Wed, Apr 27, 2011 at 03:15:27PM +0200, bert hubert wrote:
> On Sat, Apr 23, 2011 at 01:04:51AM +0200, erkan yanar wrote:
> > As I'm missing any good data I created 6*10^6 entries for domains and
> > for every domain some entries in the records-table (about 66*10^6)
>
> That is a pretty good test! 6 million domains is around 2 million domains
> smaller than the largest deployment we know of.
>
> > Queries per second: 10923.212970 qps
>
> Interesting. Post 3.0 we will be focussing on performance for a few
> releases. It may well be that we'll add guidance on which indexes to use.

In fact I did a new test (on Sunday azlev forced me to use -q :):

# ./dnsperf -d /var/tmp/pdns.list -q 4000 -s localhost

DNS Performance Testing Tool
Nominum Version 1.0.1.0

[Status] Processing input data
[Status] Sending queries (to 127.0.0.1)
[Status] Testing complete

Statistics:

  Parse input file:     once
  Ended due to:         reaching end of file

  Queries sent:         494969 queries
  Queries completed:    494969 queries
  Queries lost:         0 queries

  Avg request size:     55 bytes
  Avg response size:    81 bytes

  Percentage completed: 100.00%
  Percentage lost:      0.00%

  Started at:           Sun Apr 24 02:50:44 2011
  Finished at:          Sun Apr 24 02:51:05 2011
  Ran for:              21.518132 seconds

  Queries per second:   23002.414894 qps

With pdns-cache it was easy doubled (with up to 1% Packet lost).

> > As I miss live/real data I would like to get into contact with some
> > live/real-data.
>
> You can use tcpdump & dnsreplay perhaps?

Naa I'm just a little dba. In fact I own 5 domains:)

Erkan

Re: [Pdns-users] mysql-tests
On Sat, Apr 23, 2011 at 01:04:51AM +0200, erkan yanar wrote:
> As I'm missing any good data I created 6*10^6 entries for domains and
> for every domain some entries in the records-table (about 66*10^6)

That is a pretty good test! 6 million domains is around 2 million domains smaller than the largest deployment we know of.

> Queries per second: 10923.212970 qps

Interesting. Post 3.0 we will be focussing on performance for a few releases. It may well be that we'll add guidance on which indexes to use.

> As I miss live/real data I would like to get into contact with some
> live/real-data.

You can use tcpdump & dnsreplay perhaps?

Bert

Re: [Pdns-users] DNSsec DS trouble in single server TLD setup
On Thu, Apr 21, 2011 at 11:13:00AM +0200, Niek wrote:
> Couldn't get it to work with the TLD and the child zone on the same server.
> I was wondering whether this could be a bug in PowerDNS Server or whether I'm
> maybe trying to do something the wrong way. (And I was wondering if it also
> affects subdomains on the same server as the parent domain, I didn't
> investigate)

Thank you for your investigation!

Build 2181 is up which fixes your initial DS bug. Can you check if things are ok now?

Bert