Re: [Pdns-users] pdns & nproxy

Hi Peter,

You are 100% correct. This is why some type of notify proxying would be such a good thing :) Proxying notifies back to a dedicated slave would eliminate this issue completely.

Gary
Hurricane Electric

Peter van Dijk <mailto:peter.van.d...@netherlabs.nl> July 6, 2012 7:38 AM

Hello Gary,

you should never try to initiate TCP between two IPs, one of which is anycasted. It's a recipe for failure, no matter how hard you try to find the right node.

Kind regards,

Gary Shaver <mailto:gsha...@he.net> July 6, 2012 7:04 AM

Hi Bert, Fred, List,

An anycasted nameserver cluster could benefit from this. Initiating an axfr from a nameserver that is not topologically closest to the master just results in a failed axfr attempt since the answer does not come back to the slave making the initial request.

Gary Shaver
Hurricane Electric

bert hubert <mailto:bert.hub...@netherlabs.nl> July 5, 2012 3:00 PM

Interesting. The original use case was where the outside world would never be talking to that master, or at least not taking the initiative to do so.

So the outside world would think the nproxy IP address was the slave, and nproxy would then relay that to the real slave, which would reach out over TCP to make it happen. I think some NAT trick is used to make sure that the outgoing traffic appears as the address that was notified.

If you want to have this integrated, what exactly is your use case? Better protection for the hidden master?

Please don't get me wrong, I get the impression what you want is reasonable, but I can't quite wrap my head around your exact requirements. Please let us know!

Bert
PowerDNS

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users

Fred Wittekind <mailto:r...@twister.dyndns.org> July 5, 2012 11:18 AM

I'm working on deploying pdns, and we had intended to use native replication (mysql-replication). Our idea was to have one master dns server that sits behind a firewall, and our public facing servers replicate from it. This works well for 90%+ of the domains we host. We do have a few we have to slave from our clients though.

My original plan was to have nproxy sit on the public facing name servers to forward the notify to the master dns server behind the firewall; the master then does the axfr from our client's server, populates mysql with the new zone info, and that then replicates out to the public facing servers.

Then I got this error when trying to start nproxy (IP address censored):

nproxy: Fatal: Binding socket for incoming packets to 'a.b.c.d:53': Address already in use

Which of course makes sense after seeing it: pdns is already binding to the same IP/port.

So, my question is this... Can the functionality of nproxy be rolled into pdns so that pdns itself can forward the notify to another instance of pdns (on the master server), or can nproxy and pdns be made to work on the same IP?

I looked into trying to see if I could get iptables to split out the notify messages to a different destination IP so I could put nproxy on a different IP than pdns, but I didn't figure out a good (reliable) way to do this.

Any help would be appreciated.

Fred Wittekind
Re: [Pdns-users] pdns & nproxy

Hi Bert, Fred, List,

An anycasted nameserver cluster could benefit from this. Initiating an axfr from a nameserver that is not topologically closest to the master just results in a failed axfr attempt since the answer does not come back to the slave making the initial request.

Gary Shaver
Hurricane Electric

bert hubert <mailto:bert.hub...@netherlabs.nl> July 5, 2012 3:00 PM

Interesting. The original use case was where the outside world would never be talking to that master, or at least not taking the initiative to do so.

So the outside world would think the nproxy IP address was the slave, and nproxy would then relay that to the real slave, which would reach out over TCP to make it happen. I think some NAT trick is used to make sure that the outgoing traffic appears as the address that was notified.

If you want to have this integrated, what exactly is your use case? Better protection for the hidden master?

Please don't get me wrong, I get the impression what you want is reasonable, but I can't quite wrap my head around your exact requirements. Please let us know!

Bert
PowerDNS

Fred Wittekind <mailto:r...@twister.dyndns.org> July 5, 2012 11:18 AM

I'm working on deploying pdns, and we had intended to use native replication (mysql-replication). Our idea was to have one master dns server that sits behind a firewall, and our public facing servers replicate from it. This works well for 90%+ of the domains we host. We do have a few we have to slave from our clients though.

My original plan was to have nproxy sit on the public facing name servers to forward the notify to the master dns server behind the firewall; the master then does the axfr from our client's server, populates mysql with the new zone info, and that then replicates out to the public facing servers.

Then I got this error when trying to start nproxy (IP address censored):

nproxy: Fatal: Binding socket for incoming packets to 'a.b.c.d:53': Address already in use

Which of course makes sense after seeing it: pdns is already binding to the same IP/port.

So, my question is this... Can the functionality of nproxy be rolled into pdns so that pdns itself can forward the notify to another instance of pdns (on the master server), or can nproxy and pdns be made to work on the same IP?

I looked into trying to see if I could get iptables to split out the notify messages to a different destination IP so I could put nproxy on a different IP than pdns, but I didn't figure out a good (reliable) way to do this.

Any help would be appreciated.

Fred Wittekind
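Fred's attempt to split NOTIFY traffic off with iptables runs into a protocol fact that the thread only implies: what makes a packet a NOTIFY is the opcode in the DNS header, which sits inside the UDP payload, so a forwarder such as nproxy has to parse the message itself. The following is an added example (not nproxy or PowerDNS code) that shows the minimum such a forwarder or a detection rule needs: recognising a NOTIFY request (opcode 4, one SOA/IN question), telling it apart from an ordinary query and from a response, and building the acknowledgement a notified server returns (RFC 1996). Function names, the sample zone name and the query IDs are this example's own choices.

```python
"""Recognise and acknowledge DNS NOTIFY (RFC 1996) at the packet level.

Added example, not nproxy or PowerDNS code. The packets built by
build_notify/build_query are constructed sample input.
"""
import struct

OPCODE_QUERY = 0
OPCODE_NOTIFY = 4          # RFC 1996 section 3.1
QTYPE_SOA = 6
QCLASS_IN = 1
FLAG_QR = 0x8000           # 1 = response
FLAG_AA = 0x0400


def encode_name(name: str) -> bytes:
    """Uncompressed wire form of a domain name ("example.com." -> labels + root)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def decode_name(packet: bytes, offset: int) -> tuple[str, int]:
    """Read an uncompressed name; returns (name, offset just after the name)."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in the question")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_notify(zone: str, qid: int) -> bytes:
    """Minimal NOTIFY request: opcode 4, AA set, one SOA/IN question, no RRs."""
    flags = (OPCODE_NOTIFY << 11) | FLAG_AA
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Ordinary recursion-desired query (opcode 0), for contrast with a NOTIFY."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_notify(packet: bytes):
    """Return (id, zone) for a NOTIFY request with one SOA/IN question, else None.

    A plain query (opcode 0) and any response (QR=1) are rejected. The opcode
    lives inside the DNS payload, which is why no IP/UDP header match can
    separate NOTIFY from ordinary traffic on the same address and port.
    """
    if len(packet) < 12:
        return None
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & FLAG_QR or ((flags >> 11) & 0xF) != OPCODE_NOTIFY or qdcount != 1:
        return None
    try:
        zone, offset = decode_name(packet, 12)
    except ValueError:
        return None
    if offset + 4 > len(packet):
        return None
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    if qtype != QTYPE_SOA or qclass != QCLASS_IN:
        return None
    return qid, zone


def build_notify_response(request: bytes) -> bytes:
    """Acknowledgement the notified server sends back: same id and opcode,
    QR set, question copied, no answer RRs (RFC 1996 sections 3.7 and 4.7)."""
    if parse_notify(request) is None:
        raise ValueError("not a NOTIFY request")
    qid, flags, qdcount = struct.unpack("!HHH", request[:6])
    flags = (flags | FLAG_QR) & 0xFFF0          # keep QR/opcode/AA, clear RCODE
    return struct.pack("!HHHHHH", qid, flags, qdcount, 0, 0, 0) + request[12:]


if __name__ == "__main__":
    notify = build_notify("example.com.", 0x1234)      # constructed sample
    print("notify:", parse_notify(notify))
    print("query :", parse_notify(build_query("example.com.", 0x1235)))
    print("ack QR:", bool(build_notify_response(notify)[2] & 0x80))
```

A relay built on this would keep the request ID so that the acknowledgement it eventually returns matches what the notifier sent; a response with the wrong ID or without QR set is simply ignored by a compliant master, which is also what a monitoring rule should flag when notifies appear to go unanswered.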
Re: [Pdns-users] Slave zone just won't refresh....

Hi Bert,

I have a few that we've put on a bind server locally here. We were providing secondary service for one domain that had WKS records (which is how I ended up starting down this road). Here are the WKS records that customer's nameserver was spitting out towards us.

atlantica.us. 604800 IN WKS 173.16.9.10 6 22 25 42 53 80 113 443 6667 8008
atlantica.us. 604800 IN WKS 173.16.9.10 17 22 25 42 53 80 443 8008
*.atlantica.us. 604800 IN WKS 173.16.9.10 6 22 25 42 53 80 113 443 6667 8008
*.atlantica.us. 604800 IN WKS 173.16.9.10 17 22 25 42 53 80 443 8008
Ariel.atlantica.us. 604800 IN WKS 173.16.9.10 6 22 25 42 80 113 443 6667 8008
Ariel.atlantica.us. 604800 IN WKS 173.16.9.10 17 22 25 42 80 443 8008

It seems shorter versions of the WKS record will go in, but they cause other issues. (see below)

For example: This record will actually work, and be entered into the database without crashing the backend.

r...@ns1:~# dig test-wks-good.com @ns1.csbd.org AXFR

; <<>> DiG 9.4.2-P2.1 <<>> test-wks-good.com @ns1.csbd.org AXFR
;; global options: printcmd
test-wks-good.com. 86400 IN SOA ns1.csbd.org. hostmaster.csbd.org. 2010060902 10800 1800 604800 86400
test-wks-good.com. 86400 IN NS ns1.csbd.org.
test-wks-good.com. 86400 IN NS ns2.csbd.org.
test-wks-good.com. 86400 IN A 10.1.1.2
test-wks-good.com. 86400 IN WKS 173.16.9.10 6 22
test-wks-good.com. 86400 IN SOA ns1.csbd.org. hostmaster.csbd.org. 2010060902 10800 1800 604800 86400
;; Query time: 1 msec
;; SERVER: 2001:470:1:111::21#53(2001:470:1:111::21)
;; WHEN: Wed Jun 9 14:51:39 2010
;; XFR size: 6 records (messages 1, bytes 198)

But getting anything back out is futile.

# dig test-wks-good.com @ns1.he.net AXFR

; <<>> DiG 9.4.2-P2.1 <<>> test-wks-good.com @ns1.he.net AXFR
;; global options: printcmd
test-wks-good.com. 86400 IN SOA ns1.csbd.org. hostmaster.csbd.org. 2010060902 10800 1800 604800 86400
;; Got bad packet: FORMERR 115 bytes
56 57 84 00 00 01 00 04 00 00 00 00 0d 74 65 73
74 2d 77 6b 73 2d 67 6f 6f 64 03 63 6f 6d 00 00
fc 00 01 c0 0c 00 02 00 01 00 01 51 80 00 0e 03
6e 73 31 04 63 73 62 64 03 6f 72 67 00 c0 0c 00
02 00 01 00 01 51 80 00 06 03 6e 73 32 c0 33 c0
0c 00 01 00 01 00 01 51 80 00 04 0a 01 01 02 c0
0c 00 00 00 01 00 01 51 80 00 08 ad 10 09 0a 06
00 00 02

-- database entry --
id        domain_id  name               type  content            ttl    prio
26038029  112454     test-wks-good.com  #11   \# 8 ad10090a0602  86400

If I can be of further help, please let me know,

Gary

On 6/9/10 2:37 PM, bert hubert wrote:

Gary,

"2.6.1 WKS
WKS records are deprecated in [RFC 1123]. They serve no known useful function, except internally among LISP machines"

Normally we'd whip up an implementation just to have the issue go away, but it is a pretty weird record type too, containing a bitmap of protocols.

Unknown record type support might save us, but it is not quite there yet it appears.

I struggle to find some WKS zone file examples btw, do you have any?

Bert

On Wed, Jun 09, 2010 at 02:31:22PM -0700, Gary Shaver wrote:

Hi Ken,

I just found your ticket from about 4 years ago... Seems strange that it's still a bug. We just ran a few tests and yep.. you were completely correct, WKS records just piss off pdns something fierce.

I'll consolidate the test case down to something reasonable and submit a bug report.

Gary

On 6/9/10 12:54 PM, Kenneth Marshall wrote:

Ah, I hit the same problem. WKS records are not supported by PDNS. On top of that, they are not really useful and have not been for quite a while. Try nuking them and your zone should transfer fine.

Regards,
Ken

On Wed, Jun 09, 2010 at 11:43:27AM -0700, Gary Shaver wrote:

On 6/9/10 5:49 AM, Kenneth Marshall wrote:

another issue that I've run into was another slave zone. This had pdns cycling every 2-3 seconds

Jun 7 00:48:44 ns1 pdns[10216]: Initiating transfer of 'axxxa.us' from remote '216.117.186.93'
Jun 7 00:48:45 ns1 pdns[10216]: AXFR started for 'axxxa.us', transaction started
Jun 7 00:48:45 ns1 pdns[10216]: Communicator thread died because of error: Failed to execute mysql_query, perhaps connection died? Err=1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\\# 1007 ad10090a060240002080 004000' at line 1
Jun 7 00:48:46 ns1 pdns[16017]: Our pdns instance exited with code 0
Jun 7 00:48:46 ns1 pdns[16017]: Respawning
Jun 7 00:48:47 ns1 pdns[10258]: Guardian is launching an instance

Simply removing the zone puts everything back in a happy state, so it's not a timeout issue.

Are there any debugging options that can be turn
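Bert's remark that WKS carries a bitmap is the key to reading the artefacts in this thread: per RFC 1035 the RDATA is a 4-byte IPv4 address, a 1-byte IP protocol number, and a bitmap with one bit per port, as long as the highest listed port requires. The following added example (mine, not PowerDNS code) encodes and decodes that format and converts to and from the RFC 3597 generic text form (`\# <length> <hex>`) that the database row above uses. With it one can reproduce the `ad 10 09 0a 06 00 00 02` bytes at the end of the FORMERR dump, see where the `1007` in the MySQL error comes from (4 + 1 + 1002 bitmap bytes for port 8008), and check a stored generic record for the cheapest possible inconsistency: the declared length not matching the hex, as in the `\# 8 ad10090a0602` row, whose hex holds only 6 bytes. Function names are this example's own.

```python
"""WKS RDATA <-> RFC 3597 generic ("\\# <len> <hex>") text.

Added example, not PowerDNS code. The records passed in at the bottom are
the ones quoted in the thread, used here as sample input.
"""
import ipaddress


def wks_to_wire(address: str, protocol: int, ports: list[int]) -> bytes:
    """RFC 1035 section 3.4.2 WKS RDATA: 4-byte IPv4 address, 1-byte protocol
    number, then a bitmap in which bit N (counting from the most significant
    bit of byte 0) is set when port N is listed. The bitmap is only as long as
    the highest port needs, so port 8008 alone already costs 1002 bytes."""
    if not ports:
        raise ValueError("a WKS record lists at least one port")
    if not 0 <= protocol <= 255:
        raise ValueError("protocol must fit in one byte")
    bitmap = bytearray(max(ports) // 8 + 1)
    for port in ports:
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        bitmap[port // 8] |= 0x80 >> (port % 8)
    return ipaddress.IPv4Address(address).packed + bytes([protocol]) + bytes(bitmap)


def wire_to_wks(rdata: bytes) -> tuple[str, int, list[int]]:
    """Inverse of wks_to_wire; ports come back in ascending order."""
    if len(rdata) < 5:
        raise ValueError("WKS RDATA needs an address and a protocol byte")
    address = str(ipaddress.IPv4Address(rdata[:4]))
    protocol = rdata[4]
    ports = [index * 8 + bit
             for index, byte in enumerate(rdata[5:])
             for bit in range(8) if byte & (0x80 >> bit)]
    return address, protocol, ports


def to_generic(rdata: bytes) -> str:
    """RFC 3597 presentation form, the shape used for types a server does not know."""
    return f"\\# {len(rdata)} {rdata.hex()}"


def from_generic(text: str) -> bytes:
    """Parse the generic form and refuse it when the length field and the hex
    disagree; hex may be split across whitespace as RFC 3597 allows."""
    parts = text.split()
    if len(parts) < 2 or parts[0] != "\\#":
        raise ValueError("not an RFC 3597 generic record")
    declared = int(parts[1])
    blob = bytes.fromhex("".join(parts[2:]))
    if len(blob) != declared:
        raise ValueError(f"length field says {declared} bytes but hex holds {len(blob)}")
    return blob


def generic_is_consistent(text: str) -> bool:
    """True when a stored generic record's length field matches its hex payload."""
    try:
        from_generic(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The record that went into the database in the thread:
    small = wks_to_wire("173.16.9.10", 6, [22])
    print(to_generic(small))                      # \# 8 ad10090a06000002
    # The full record from the customer's zone:
    big = wks_to_wire("173.16.9.10", 6, [22, 25, 42, 53, 80, 113, 443, 6667, 8008])
    print(len(big), wire_to_wks(big))             # 1007 ...
    # The row quoted from the database, checked for internal consistency:
    print(generic_is_consistent("\\# 8 ad10090a0602"))   # False
```

Running the consistency check over every `\#`-encoded row in a backend before a slave transfer is committed is a cheap guard: a length/hex mismatch is never valid, whatever the record type, and catching it at import time keeps a single odd record from taking the whole server down the way the log lines above show.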
Re: [Pdns-users] Slave zone just won't refresh....

Hi Ken,

I just found your ticket from about 4 years ago... Seems strange that it's still a bug. We just ran a few tests and yep.. you were completely correct, WKS records just piss off pdns something fierce.

I'll consolidate the test case down to something reasonable and submit a bug report.

Gary

On 6/9/10 12:54 PM, Kenneth Marshall wrote:

Ah, I hit the same problem. WKS records are not supported by PDNS. On top of that, they are not really useful and have not been for quite a while. Try nuking them and your zone should transfer fine.

Regards,
Ken

On Wed, Jun 09, 2010 at 11:43:27AM -0700, Gary Shaver wrote:

On 6/9/10 5:49 AM, Kenneth Marshall wrote:

another issue that I've run into was another slave zone. This had pdns cycling every 2-3 seconds

Jun 7 00:48:44 ns1 pdns[10216]: Initiating transfer of 'axxxa.us' from remote '216.117.186.93'
Jun 7 00:48:45 ns1 pdns[10216]: AXFR started for 'axxxa.us', transaction started
Jun 7 00:48:45 ns1 pdns[10216]: Communicator thread died because of error: Failed to execute mysql_query, perhaps connection died? Err=1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\\# 1007 ad10090a060240002080 004000' at line 1
Jun 7 00:48:46 ns1 pdns[16017]: Our pdns instance exited with code 0
Jun 7 00:48:46 ns1 pdns[16017]: Respawning
Jun 7 00:48:47 ns1 pdns[10258]: Guardian is launching an instance

Simply removing the zone puts everything back in a happy state, so it's not a timeout issue.

Are there any debugging options that can be turned on for the mysql backend? I didn't find any referenced in the documentation and increasing the loglevel doesn't give me any additional information.

I've pulled down the zone and besides the laundry list of different record types, it looks fine. I can sanitize it and post it if that would help.

The pdns version is the static .deb package from the main download page.

Any help is appreciated.

Thanks,
Gary

Hi Gary,

Try enabling the MySQL query logging to see what command is being received by the backend. You can also bump the logging level on the PDNS system to see if it gives you more information. Have you changed any of the default queries? What is your PDNS configuration, including the backend chosen? At 27 entries, you could post the entire zone but if the problem is a weird character, sanitizing it will make the information useless. I would try bumping the debugging levels first. I cannot help much on the MySQL side since we use PostgreSQL as the backend database.

I already tried both of those. Increasing the loglevel didn't yield any additional information and query log didn't include the query, I suspect due to its failure.

I've attached the zone. I've changed the hostnames and ip's. The remainder of the zone is untouched.

Gary

Regards,
Ken

-- 
Gary Shaver | Voice 510.580.4100, Fax 510.580.4151
Hurricane Electric | AS6939 Network Operations | http://www.he.net

-- 
Gary Shaver | Voice 510.580.4100, Fax 510.580.4151
Hurricane Electric | AS6939 Network Operations | http://www.he.net

; <<>> DiG 9.4.2-P2.1 <<>> a.us @10.117.186.93 AXFR
;; global options: printcmd
a.us. 7200 IN SOA DD1.a.us. AtlDNS.Fxl.Com. 2010060736 1200 600 2419200 10800
a.us. 7200 IN NS DD1.a.us.
a.us. 7200 IN NS NS1.SxP.US.
a.us. 604800 IN 2fff:470:e056::
a.us. 604800 IN 2fff:ad10:90a::
a.us. 604800 IN A 192.168.9.10
a.us. 604800 IN WKS 192.168.9.10 6 22 25 42 80 113 443 6667 8008
a.us. 604800 IN WKS 192.168.9.10 17 22 25 42 80 443 8008
a.us. 604800 IN MX 10 Mail.a.us.
a.us. 604800 IN MX 30 Mail.Rxxxt.US.
a.us. 604800 IN MX 30 Mail2.Rxxxt.US.
a.us. 604800 IN MX 40 ASPMX.L.Google.Com.
a.us. 604800 IN MX 50 Alt1.ASPMX.L.Google.Com.
a.us. 604800 IN MX 50 Alt2.ASPMX.L.Google.Com.
a.us. 604800 IN MX 60 ASPMX2.GoogleMail.Com.
a.us. 604800 IN MX 60 ASPMX3.GoogleMail.Com.
a.us. 604800 IN MX 60 ASPMX4.GoogleMail.Com.
a.us. 604800 IN MX 60 AS
Re: [Pdns-users] Slave zone just won't refresh....

On 6/9/10 5:49 AM, Kenneth Marshall wrote:

another issue that I've run into was another slave zone. This had pdns cycling every 2-3 seconds

Jun 7 00:48:44 ns1 pdns[10216]: Initiating transfer of 'axxxa.us' from remote '216.117.186.93'
Jun 7 00:48:45 ns1 pdns[10216]: AXFR started for 'axxxa.us', transaction started
Jun 7 00:48:45 ns1 pdns[10216]: Communicator thread died because of error: Failed to execute mysql_query, perhaps connection died? Err=1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\\# 1007 ad10090a060240002080 004000' at line 1
Jun 7 00:48:46 ns1 pdns[16017]: Our pdns instance exited with code 0
Jun 7 00:48:46 ns1 pdns[16017]: Respawning
Jun 7 00:48:47 ns1 pdns[10258]: Guardian is launching an instance

Simply removing the zone puts everything back in a happy state, so it's not a timeout issue.

Are there any debugging options that can be turned on for the mysql backend? I didn't find any referenced in the documentation and increasing the loglevel doesn't give me any additional information.

I've pulled down the zone and besides the laundry list of different record types, it looks fine. I can sanitize it and post it if that would help.

The pdns version is the static .deb package from the main download page.

Any help is appreciated.

Thanks,
Gary

Hi Gary,

Try enabling the MySQL query logging to see what command is being received by the backend. You can also bump the logging level on the PDNS system to see if it gives you more information. Have you changed any of the default queries? What is your PDNS configuration, including the backend chosen? At 27 entries, you could post the entire zone but if the problem is a weird character, sanitizing it will make the information useless. I would try bumping the debugging levels first. I cannot help much on the MySQL side since we use PostgreSQL as the backend database.

I already tried both of those. Increasing the loglevel didn't yield any additional information and query log didn't include the query, I suspect due to its failure.

I've attached the zone. I've changed the hostnames and ip's. The remainder of the zone is untouched.

Gary

Regards,
Ken

-- 
Gary Shaver | Voice 510.580.4100, Fax 510.580.4151
Hurricane Electric | AS6939 Network Operations | http://www.he.net

-- 
Gary Shaver | Voice 510.580.4100, Fax 510.580.4151
Hurricane Electric | AS6939 Network Operations | http://www.he.net

; <<>> DiG 9.4.2-P2.1 <<>> a.us @10.117.186.93 AXFR
;; global options: printcmd
a.us. 7200 IN SOA DD1.a.us. AtlDNS.Fxl.Com. 2010060736 1200 600 2419200 10800
a.us. 7200 IN NS DD1.a.us.
a.us. 7200 IN NS NS1.SxP.US.
a.us. 604800 IN 2fff:470:e056::
a.us. 604800 IN 2fff:ad10:90a::
a.us. 604800 IN A 192.168.9.10
a.us. 604800 IN WKS 192.168.9.10 6 22 25 42 80 113 443 6667 8008
a.us. 604800 IN WKS 192.168.9.10 17 22 25 42 80 443 8008
a.us. 604800 IN MX 10 Mail.a.us.
a.us. 604800 IN MX 30 Mail.Rxxxt.US.
a.us. 604800 IN MX 30 Mail2.Rxxxt.US.
a.us. 604800 IN MX 40 ASPMX.L.Google.Com.
a.us. 604800 IN MX 50 Alt1.ASPMX.L.Google.Com.
a.us. 604800 IN MX 50 Alt2.ASPMX.L.Google.Com.
a.us. 604800 IN MX 60 ASPMX2.GoogleMail.Com.
a.us. 604800 IN MX 60 ASPMX3.GoogleMail.Com.
a.us. 604800 IN MX 60 ASPMX4.GoogleMail.Com.
a.us. 604800 IN MX 60 ASPMX5.GoogleMail.Com.
a.us. 604800 IN MX 80 mxbackup1.junkemailfilter.com.
a.us. 604800 IN MX 90 mxbackup2.junkemailfilter.com.
a.us. 604800 IN TXT "v=spf1 mx ip6:2fff:470:e056::/48 ptr exists:%{i}.%{l}.%{o}._spf.%{d} -all exp=explain._spf.%{d}"
a.us. 604800 IN RP Philip.a.us. Contact.a.us.
*.a.us. 604800 IN CNAME Aa.US.
explain._spf.a.us. 604800 IN TXT "%{s} - %{i} is not one of %{d}'s designated m
[Pdns-users] Slave zone just won't refresh....

Before I pull much more hair out, I thought I'd toss this up to the list to see if anyone has experienced this in the past (or has better google-foo than I).

I'm slaving a zone from 208.78.69.112. I'm able to pull the zone manually using dig, but it does go a little slower than I would expect. Pdns just times out.. over and over... Is there a way to increase the timeout? or is there something that I'm missing. The zone itself does not appear to be malformed.. the nameserver I'm pulling from is just slow..

;; Query time: 5479 msec
;; SERVER: 208.78.69.112#53(208.78.69.112)
;; WHEN: Tue Jun 8 17:13:44 2010
;; XFR size: 27 records (messages 27, bytes 1748)

logs

Jun 8 16:53:10 ns1 pdns[1725]: Error trying to retrieve/refresh 'oxxxm.com': Timeout waiting for answer from 208.78.69.112
Jun 8 16:54:11 ns1 pdns[1725]: Error trying to retrieve/refresh 'oxxxm.com': Timeout waiting for answer from 208.78.69.112
Jun 8 16:55:12 ns1 pdns[1725]: Error trying to retrieve/refresh 'oxxxm.com': Timeout waiting for answer from 208.78.69.112
Jun 8 16:56:13 ns1 pdns[1725]: Error trying to retrieve/refresh 'oxxxm.com': Timeout waiting for answer from 208.78.69.112
Jun 8 16:57:14 ns1 pdns[1725]: Error trying to retrieve/refresh 'oxxxm.com': Timeout waiting for answer from 208.78.69.112
Jun 8 16:58:15 ns1 pdns[1725]: Error trying to retrieve/refresh 'oxxxm.com': Timeout waiting for answer from 208.78.69.112
Jun 8 16:59:16 ns1 pdns[1725]: Error trying to retrieve/refresh 'oxxxm.com': Timeout waiting for answer from 208.78.69.112

another issue that I've run into was another slave zone. This had pdns cycling every 2-3 seconds

Jun 7 00:48:44 ns1 pdns[10216]: Initiating transfer of 'axxxa.us' from remote '216.117.186.93'
Jun 7 00:48:45 ns1 pdns[10216]: AXFR started for 'axxxa.us', transaction started
Jun 7 00:48:45 ns1 pdns[10216]: Communicator thread died because of error: Failed to execute mysql_query, perhaps connection died? Err=1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\\# 1007 ad10090a060240002080 004000' at line 1
Jun 7 00:48:46 ns1 pdns[16017]: Our pdns instance exited with code 0
Jun 7 00:48:46 ns1 pdns[16017]: Respawning
Jun 7 00:48:47 ns1 pdns[10258]: Guardian is launching an instance

Simply removing the zone puts everything back in a happy state, so it's not a timeout issue.

Are there any debugging options that can be turned on for the mysql backend? I didn't find any referenced in the documentation and increasing the loglevel doesn't give me any additional information.

I've pulled down the zone and besides the laundry list of different record types, it looks fine. I can sanitize it and post it if that would help.

The pdns version is the static .deb package from the main download page.

Any help is appreciated.

Thanks,
Gary

-- 
Gary Shaver | Voice 510.580.4100, Fax 510.580.4151
Hurricane Electric | AS6939 Network Operations | http://www.he.net