Re: [Pdns-users] Glue-Records in PowerDNS 3.x
Hello,

> > domain.com and www.domain.com resolve as expected in both releases.
> > When queried for www.sub.domain.com, in release 2.9.21 PowerDNS
> > responds with 3.4.5.6. In version 3.1 it doesn't find an A record.
>
> Yes, this is correct. 2.9.21 would return the A, but 3.1 should return
> the delegation instead (at least, if -dnssec is set).

Well, we haven't started PowerDNS with DNSSEC yet. We explicitly started it without, because otherwise we would have had to create keys and sign the zones. The behaviour is still the same. So having NS-records at subdomains of a zone definitely means that subdomains of this subdomain in the same zone are ignored? I guess then it wouldn't help us if it can be corrected somehow without DNSSEC, because sooner or later we'll be providing DNSSEC as well and then we're going to have the same issue again.

> 3.1 should not synthesize SOA records. Can you show actual output?

I can't reproduce that with a minimalistic record set for some reason, maybe other circumstances led to that behaviour.

Kind regards
Marten

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
[Pdns-users] Ignoring wildcard due to TXT record
Hello,

after our migration from PowerDNS 2.9.21 to 3.1 we just noticed another unexpected behaviour. If a TXT record for a subdomain is defined, a wildcard at the same subdomain level is ignored.

Example (zone=domain.com):

    whatever.domain.com TXT some text
    *.domain.com A 1.2.3.4

Querying for whatever.domain.com with the type TXT correctly returns some text. Querying for whatever.domain.com with the type A returned 1.2.3.4 in 2.9.21, but returns just the SOA of domain.com in 3.1.

What is the reason to introduce this behaviour? I think BIND has the bug, meaning that once an explicit subdomain is found, further wildcards are ignored, even if they do have a different type. I was happy that earlier PowerDNS releases implemented it the way one would intuitively expect.

Kind regards
Marten
Re: [Pdns-users] Ignoring wildcard due to TXT record
Hello,

the odd thing is: when we have a wildcard for the TXT record as well, subdomains are resolved correctly:

    *.domain.com TXT some text
    *.domain.com A 1.2.3.4

This returns 1.2.3.4 for sub.domain.com for type A and some text for TXT.

> http://www.ietf.org/rfc/rfc1034.txt - 4.3.2, step 3.c spells out what
> we have to do.

To me this looks inconsistent. Wildcards are virtually useless if the resolver is that broken, even if an RFC from 1987 might describe it that way. Besides that, the RFC does not go into record types at this point. It leaves it totally open to the implementation if step 3.c is tied to the requested record type or all records.

If I query for an A record of sub.domain.com, then the resolver doesn't find the corresponding label for type A so it should look for a wildcard of type A then. It would find it in my case, so everything would be fine. What PowerDNS does instead is to stop, even if the corresponding label is only for a different type (TXT in this case). This is badly wrong in my opinion. While both ways to implement it conform to the RFC, only the first way (looking for specific type) is the behaviour one would expect.

Is it possible to change the behaviour somehow? We really can't go into thousands of domains that rely on the 2.9 behaviour which now would be required to add additional A records.

Kind regards
Marten
[Pdns-users] Glue-Records in PowerDNS 3.x
Hello,

we recently upgraded from PowerDNS 2.9.21 to 3.1 and noticed a different handling of subdomains within subdomains that contain NS-records.

Let me show an example for the zone domain.com, which has an entry in the domains table (it's a NATIVE zone) and its records in the records table related by the domain_id.

    domain.com A 1.2.3.4
    www.domain.com A 2.3.4.5
    sub.domain.com NS whatever.com
    www.sub.domain.com A 3.4.5.6

domain.com and www.domain.com resolve as expected in both releases. When queried for www.sub.domain.com, in release 2.9.21 PowerDNS responds with 3.4.5.6. In version 3.1 it doesn't find an A record.

Interestingly, in 3.1 it responds with a SOA record for sub.domain.com, meaning that by just having inserted an NS-record for sub.domain.com, PowerDNS creates a virtual SOA record (there is no SOA-record in the records table for sub.domain.com) and doesn't look for www.sub.domain.com in the same zone any longer. It probably fails because it tries to look up sub.domain.com again in the domains table but doesn't find a record (we didn't create a separate zone for it), so it doesn't resolve at all instead of using the record within the domain.com zone.

That's especially complicated for glue records within subdomains of a larger domain. However, there is no problem with this simpler situation. Let's say we again have the zone domain.com:

    domain.com NS ns1.domain.com
    domain.com NS ns2.domain.com
    ns1.domain.com A 1.2.3.4
    ns2.domain.com A 2.3.4.5

Having explained the problem above, one would expect that PowerDNS 3.1 won't show A-records for ns1/ns2.domain.com and you have to create separate zones for ns1.domain.com and ns2.domain.com instead. But it does resolve in this case, possibly because it finds the domain.com zone in the domains table, whereas it didn't find a sub.domain.com zone in the above example.

Kind regards
Marten
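Added example, not part of the original posts and not PowerDNS code: a minimal single-zone lookup in Python that follows RFC 1034 section 4.3.2 (referral at a zone cut, then the exact name, then the wildcard), run over records constructed from this message and from the wildcard thread above. The `type_scoped_wildcard` flag is a hypothetical switch that mimics the wildcard behaviour the posts report for 2.9.21; DS and glue handling are left out.

```python
# Constructed records, combining the zone examples from the two threads.
ZONE = "domain.com"
RECORDS = [
    ("domain.com", "NS", "ns1.domain.com"),
    ("ns1.domain.com", "A", "1.2.3.4"),
    ("sub.domain.com", "NS", "whatever.com"),
    ("www.sub.domain.com", "A", "3.4.5.6"),   # sits below the zone cut
    ("whatever.domain.com", "TXT", "some text"),
    ("*.domain.com", "A", "1.2.3.4"),
]

def rrset(name, rtype):
    return [data for owner, t, data in RECORDS if owner == name and t == rtype]

def exists(name):
    # A name exists if it owns records or has descendants (empty non-terminal).
    return any(o == name or o.endswith("." + name) for o, _, _ in RECORDS)

def lookup(qname, qtype, type_scoped_wildcard=False):
    labels = qname.split(".")
    below_apex = len(labels) - len(ZONE.split("."))
    # Step 3.b: walk down from just below the apex; NS there is a zone cut.
    # NS at the apex itself is not a cut, so ns1.domain.com stays reachable.
    for i in range(below_apex - 1, -1, -1):
        ns = rrset(".".join(labels[i:]), "NS")
        if ns:
            return ("referral", ns)
    # Step 3.a: the name exists, so answer from it or return NODATA.
    hit = rrset(qname, qtype)
    if hit:
        return ("answer", hit)
    if exists(qname) and not type_scoped_wildcard:
        return ("nodata", [])
    # Step 3.c: wildcard directly below the closest existing ancestor.
    for i in range(1, below_apex + 1):
        encloser = ".".join(labels[i:])
        if exists(encloser):
            wild = "*." + encloser
            hit = rrset(wild, qtype)
            if hit:
                return ("answer", hit)
            return ("nodata", []) if exists(wild) else ("nxdomain", [])
    return ("nxdomain", [])
```

Running `lookup` with and without `type_scoped_wildcard=True` over every owner name in a zone lists the names whose answers change between the two behaviours.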
Re: [Pdns-users] IPv4 and IPv6 sockets at the same time
Hello,

> Try this:
>
> local-address=127.0.0.1
> local-ipv6=::1

there is no option local-ipv6 in pdns recursor: http://doc.powerdns.com/built-in-recursor.html

local-address=::1,127.0.0.1 is partially working: pdns listens on ::1 and 127.0.0.1. But it only answers on 127.0.0.1, not ::1 when both IP addresses are specified.

Could someone please try running pdns recursor with this config file:

    setuid=pdns
    setgid=pdns
    local-address=::1,127.0.0.1
    max-negative-ttl=5
    allow-from=0.0.0.0/0

You can also use local-address=127.0.0.1,::1; order doesn't seem to change the symptom.

    # netstat -plntu | grep 53
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 673/pdns_recursor
    tcp 0 0 ::1:53 :::* LISTEN 673/pdns_recursor
    udp 0 0 127.0.0.1:53 0.0.0.0:* 673/pdns_recursor
    udp 0 0 ::1:53 :::* 673/pdns_recursor

So pdns recursor is definitely binding to the sockets as specified. But if you do a dig google.com @::1 you won't get any answer (at least I don't on a CentOS 5 system with firewalls disabled for testing). dig google.com @127.0.0.1 does work however.

Should I file a bug report?

Kind regards
Marten
Re: [Pdns-users] IPv4 and IPv6 sockets at the same time
Hello,

> This might be a variant of http://wiki.powerdns.com/trac/ticket/209
> Could you open a new bug and reference 209 in the description?

no, I've found the problem:

Line 123 in pdns_recursor.cc defines the default allow-from rules:

    #define LOCAL_NETS 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10

So as long as I'm not defining my own allow-from rules the defaults are used, which work fine for IPv4 and IPv6 in local nets. But as my goal was to have the recursor listen on a public IPv4 address (e.g. 71.72.73.74) as well as on a local IPv6 address (::1), my allow-from rule 0.0.0.0/0 was not sufficient, since it granted IPv4 access from everywhere but at the same time replaced the default rules, thus removing the permissions to answer to local IPv6 requests.

So the correct rule in my situation would be:

    allow-from=::1/128,0.0.0.0/0

or

    allow-from=::0/0,0.0.0.0/0

if I'd like to grant access through IPv6 from everywhere.

Could you please add such IPv6 examples in the documentation at http://doc.powerdns.com/built-in-recursor.html? I guess it would be helpful for others experimenting with IPv6.

Thanks.

Kind regards
Marten
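Added example, not part of the original post and not PowerDNS code: a Python check of the ACL behaviour described above, where an explicit allow-from value replaces the LOCAL_NETS defaults instead of extending them. The function names are hypothetical, and `refused_listeners` assumes that a query sent from the server to one of its own addresses arrives with that address as its source.

```python
import ipaddress

# Default ACL quoted in the post (LOCAL_NETS in pdns_recursor.cc).
LOCAL_NETS = ("127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, "
              "172.16.0.0/12, ::1/128, fe80::/10")

def parse_acl(value):
    """Split a comma-separated allow-from value into network objects."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]

def allowed(client, allow_from=None):
    """True if client passes the ACL; None means allow-from is unset."""
    addr = ipaddress.ip_address(client)
    # An explicit value replaces the defaults, it is not merged with them.
    nets = parse_acl(LOCAL_NETS if allow_from is None else allow_from)
    return any(n.version == addr.version and addr in n for n in nets)

def refused_listeners(local_address, allow_from=None):
    """Listening addresses that the server itself could not query."""
    listeners = [a.strip().strip("[]") for a in local_address.split(",")]
    return [a for a in listeners if not allowed(a, allow_from)]

def world_open_families(allow_from):
    """IP versions for which the ACL admits every source (prefix /0)."""
    return sorted({n.version for n in parse_acl(allow_from)
                   if n.prefixlen == 0})

if __name__ == "__main__":
    for acl in (None, "0.0.0.0/0", "::1/128,0.0.0.0/0", "::0/0,0.0.0.0/0"):
        print(acl, refused_listeners("::1,127.0.0.1", acl),
              world_open_families(acl or LOCAL_NETS))
```

With the configuration from the thread, `refused_listeners("::1,127.0.0.1", "0.0.0.0/0")` reports `::1`, and `world_open_families` shows which address families an allow-from value opens to every source.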
[Pdns-users] IPv4 and IPv6 sockets at the same time
Hello,

I'm running a local recursor with pdns recursor 3.3.

When I have this line:

    local-address=::1

pdns answers on queries like dig google.com @::1.

When I have

    local-address=127.0.0.1

pdns answers on queries like dig google.com @127.0.0.1.

When I combine both (comma separated, as the documentation describes), resulting in this line:

    local-address=::1,127.0.0.1

pdns listens to both sockets on port :53 (verified with lsof and netstat), but only answers queries to 127.0.0.1, not ::1.

It also doesn't work with

    local-address=[::1],127.0.0.1

What's wrong with it?

Kind regards
Marten
[Pdns-users] positive cache-ttl on recursor
Hi,

I'm about to migrate from BIND named caching daemon to pdns-recursor, but I cannot find an equivalent for BIND's max-cache-ttl option. While max-negative-ttl in pdns is the same as max-ncache-ttl in BIND, I cannot find an analog parameter for max-cache-ttl. Parameters that I found in different search results (i.e. cache-ttl or packet-cache-ttl) seem to relate to the authoritative pdns only.

pdns-recursor is only used locally on several servers, and as DNS entries for our internal stuff and customer configurations might change more often than IPs of google.com, we want a positive cache TTL of 900, no matter what the authoritative DNS told. How can we do this?

Kind regards
Marten
Re: [Pdns-users] positive cache-ttl on recursor
Hi,

> According to the docs, the latest version of pdns-recursor also has a
> max-cache-ttl parameter along with the max-negative-ttl.
> http://doc.powerdns.com/built-in-recursor.html#recursor-settings

thanks. For some reason I was looking at the /usr/sbin/pdns-recursor --config of the RHEL4 EPEL release, which was fairly outdated (3.1.7.2) and didn't contain the max-cache-ttl parameter, although I was building my own RPM...

Kind regards
Marten
Re: [Pdns-users] PowerDNS DNSSEC: your support is needed
Hi Bert,

> All parties with an interest in PowerDNS and/or DNSSEC are therefore
> kindly requested to contact me privately if they are in a position to
> either acquire a support contract with us, or to fund DNSSEC
> development directly.

is this still an issue? I couldn't access the website powerdnssec.org for details.

We have registrar contracts with a lot of TLD registries and thus we noticed that more and more registries keep an eye on DNSSEC; several registries provide test environments with DNSSEC and some (like IIS.se) even production environments.

I read an earlier posting from you that stated that there would be a directory including the keys for each domain name. But we have a pure database replication deployment, so rather than text files it would be better to have the keys within the same database as well.

We could support the DNSSEC development, but in this case rather financially than by contributing code. Unfortunately I neither received an answer regarding this to a private email to Bert Hubert nor through a message I left on the contact form of the powerdns website. I hope that this way someone involved in the DNSSEC development reads my message.

Kind regards
Marten Lehmann
[Pdns-users] DNAME record support?
Hello,

according to the latest PowerDNS documentation, there is no support for the DNAME record. Are there any intentions to implement them? Or any reasons not to implement them?

http://www.rfc-editor.org/rfc/rfc2672.txt

Kind regards
Marten