Re: [Pdns-users] Can't make AXFR work with LDAP backend

2010-12-03 Thread Nick Milas

Hi,

I never had problems with AXFR between powerdns authoritative server and 
BIND9, but the problem was in Notify messages.


You may want to read the threads:

   Can pdns (with ldap backend) be a master of BIND9 slave?:
   http://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg03248.html
   Successful, yet incomplete AXFR to BIND9 slave:
   http://old.nabble.com/Successful,-yet-incomplete-AXFR-to-BIND9-slave-td29660781.html
   NOTIFY by pdns master with ldap backend in next authoritative server releases?:
   http://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg03357.html

Remember that the slave should be included in the zone NS entries and 
should be configured as a slave.


Anyway the command:
dig example.net AXFR @pdns.server.example.com
should run without problems. You don't have to configure pdns as a 
master for that. It is always capable of producing AXFR output.


I would assume that something is corrupt on your server. Check logs. You 
may also want to try a clean installation.


Nick


On 3/12/2010 3:49 PM, Kenneth Marshall wrote:



The problem is that I have never been able to make AXFR dig. I have had the problem
for years now, but until now, I never really needed to make it work. But I'd
like now to use a PowerDNS server as shadow master for my public zone (the DNS
server is BIND9).



___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Can't make AXFR work with LDAP backend

2010-12-03 Thread Nick Milas

Hmm,

What powerdns package are you using? It seems they're from debian lenny 
repos.


Could you try for example the one offered at powerdns.com: 
http://downloads.powerdns.com/releases/deb/stable/pdns-static_2.9.22-1_i386.deb?

(I guess it includes ldap backend.)

Since it happens in many installations of yours, maybe the packages, 
which you are (obviously consistently) using, have the AXFR 
functionality corrupt for some reason?


I've only used RPMs on CentOS and all of them had the expected (correct) 
behavior.


Good luck,
Nick

On 3/12/2010 7:05 PM, David Douard wrote:

In fact, I have the problem on several pdns servers; I have 2 of them for my
private network running on Debian Lenny boxes (with native LDAP replication),
and I just installed a new Squeeze box in a kvm in order to prepare and
validate some network and DNS reconfiguration I am planning.




[Pdns-users] Outgoing timouts problem (?)

2010-12-04 Thread Nick Milas

Hi all,

I have just entered full production running, with pdns 9.22 and recursor 
3.3 on two servers with ldap backend (openldap replicated with syncrepl).


Can someone please give some info on outgoing timeouts (which seem 
significant)?  What do these actually mean, and if they are a real 
problem; if so, what should I do to resolve?


I found in the manual that these are: "number of timeouts on outgoing 
UDP queries since starting". Why do I have such timeouts? What should I 
check?


Here is an excerpt from recursor log on one server:

Dec  4 11:09:09 dns2 pdns_recursor[2248]: stats: 529100 questions, 457693 cache entries, 5199 negative entries, 1% cache hits
Dec  4 11:09:09 dns2 pdns_recursor[2248]: stats: throttle map: 2, ns speeds: 1533
Dec  4 11:09:09 dns2 pdns_recursor[2248]: stats: outpacket/query ratio 172%, 1% throttled, 0 no-delegation drops
Dec  4 11:09:09 dns2 pdns_recursor[2248]: stats: 845 outgoing tcp connections, 2 queries running, 66140 outgoing timeouts
Dec  4 11:09:09 dns2 pdns_recursor[2248]: stats: 217172 packet cache entries, 0% packet cache hits
Dec  4 11:09:09 dns2 pdns_recursor[2248]: stats: 0 qps (average over 1984 seconds)

Dec  4 11:23:55 dns2 pdns_recursor[2248]: Refreshed . records

And an excerpt from the other server log:

Dec  4 11:39:03 vdns pdns_recursor[2217]: stats: 352149 questions, 49361 cache entries, 3405 negative entries, 21% cache hits
Dec  4 11:39:03 vdns pdns_recursor[2217]: stats: throttle map: 3, ns speeds: 675
Dec  4 11:39:03 vdns pdns_recursor[2217]: stats: outpacket/query ratio 61%, 21% throttled, 0 no-delegation drops
Dec  4 11:39:03 vdns pdns_recursor[2217]: stats: 303 outgoing tcp connections, 1 queries running, 39967 outgoing timeouts
Dec  4 11:39:03 vdns pdns_recursor[2217]: stats: 18896 packet cache entries, 63% packet cache hits
Dec  4 11:39:03 vdns pdns_recursor[2217]: stats: 0 qps (average over 1935 seconds)


Thanks in advance,
Nick Milas



Re: [Pdns-users] Outgoing timouts problem (?)

2010-12-06 Thread Nick Milas

Thanks Ken,

It makes sense.

Since no one has sent any other info, I assume you are correct.

Regards,
Nick

On 4/12/2010 5:35 PM, Kenneth Marshall wrote:

My two cents and I am certain that someone will correct me
if I am mistaken, but the outgoing timeouts are when the
remote site does not answer the DNS query soon enough for
any number of reasons, including overloaded DNS server
as well as any number of network problems. This is more
than likely all out of your control.

Cheers,
Ken




Re: [Pdns-users] PDNS and external CNAME

2010-12-16 Thread Nick Milas

Hi,

We are using powerdns authoritative (latest version: 2.9.22) with ldap 
backend and recursor latest version (3.3).


CNAME to external hosts works fine.

This is the record:

   dn: dc=myhost,dc=example.com,ou=dns,dc=example,dc=com
   objectClass: dNSDomain2
   objectClass: domainRelatedObject
   dc: myhost
   associatedDomain: myhost.example.com
   cNAMERecord: externalhost.example.net

And this is what it looks like in conventional notation (as it appears in 
an AXFR):


   myhost.example.com. 86400 IN CNAME externalhost.example.net.

Nick


On 16/12/2010 7:12 PM, Pascal R. wrote:

Hi,

we are currently switching from mydns-ng to powerdns.

now we got an issue with external cname entries.

example:

help.example.com  CNAME www.help.com 




reply from pdns:

** server can't find help.example.com : NXDOMAIN

our pdns.conf:


config-dir=/etc/powerdns
daemon=yes
disable-axfr=yes
guardian=yes
launch=gmysql
lazy-recursion=yes
local-address=1.1.1.1
local-ipv6=2a02:xx:xx:x::x
local-port=53
module-dir=/usr/lib/powerdns
recursor=8.8.8.8
setgid=pdns
setuid=pdns
socket-dir=/var/run
use-logfile=yes
version-string=powerdns
include=/etc/powerdns/pdns.d


any hint, how i can get external cnames running ?




[Pdns-users] Problem with aRecord matching in ldap backend

2011-01-08 Thread Nick Milas

Hi,

This is more of an LDAP question, but it is directly connected to 
powerdns/ldap-backend, so I need some feedback:


I am trying to select particular records based on their aRecord 
attribute in openldap (dns records stored in ldap backend - simple mode).


So I am trying to use - in external scripts - a search filter like: 
(aRecord=10.11.12.*) but it never produces results.


I noticed that aRecord is defined in dnsDomain schema (available in 
cosine.schema) and inherited in dnsDomain2.


I came to the conclusion that the problem may be caused by the fact that 
aRecord (oid: 0.9.2342.19200300.100.1.26) has no substring matching rule 
defined in schema:


   attributetype ( 0.9.2342.19200300.100.1.26 NAME 'aRecord'
       EQUALITY caseIgnoreIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

I thought of modifying it in order to allow substring matching, like:

   attributetype ( 0.9.2342.19200300.100.1.26 NAME 'aRecord'
       EQUALITY caseIgnoreIA5Match
       SUBSTR caseIgnoreIA5SubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

Would this change possibly cause any problems? Should I do it or not? 
Would powerdns be affected in any way?


Please advise.

Thanks in advance,
Nick



[Pdns-users] DNSSec for other backends?

2011-01-11 Thread Nick Milas

Hi,

Just wondering, will DNSSec be supported soon with other backends except 
relational databases?


I'm most interested in LDAP backend. Any plans? Which backends will 
Authoritative Server 3.0 support (except of course the dbase ones 
mentioned above)?


Thanks,
Nick


Re: [Pdns-users] Problem with aRecord matching in ldap backend

2011-01-12 Thread Nick Milas

Any suggestions?

Norbert, any advice?

Could you please clarify?

Thanks very much,
Nick

On 8/1/2011 2:08 PM, Nick Milas wrote:

Hi,

This is more of an LDAP question, but it is directly connected to 
powerdns/ldap-backend, so I need some feedback:


I am trying to select particular records based on their aRecord 
attribute in openldap (dns records stored in ldap backend - simple mode).


So I am trying to use - in external scripts - a search filter like: 
(aRecord=10.11.12.*) but it never produces results.


I noticed that aRecord is defined in dnsDomain schema (available in 
cosine.schema) and inherited in dnsDomain2.


I came to the conclusion that the problem may be caused by the fact 
that aRecord (oid: 0.9.2342.19200300.100.1.26) has no substring 
matching rule defined in schema:


attributetype ( 0.9.2342.19200300.100.1.26 NAME 'aRecord'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

I thought of modifying it in order to allow substring matching, like:

attributetype ( 0.9.2342.19200300.100.1.26 NAME 'aRecord'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

Would this change possibly cause any problems? Should I do it or not? 
Would powerdns be affected in any way?


Please advise.

Thanks in advance,
Nick



Re: [Pdns-users] Problem with aRecord matching in ldap backend

2011-01-16 Thread Nick Milas

Thanks Norbert,

Although the OpenLDAP guys would not encourage such a change (and, 
formally speaking, they are right), since the aRecord attribute 
definition (in the standard distribution cosine.schema file) is 
according to RFC 1274 without a SUBSTR matching rule, I guess it's the 
easiest solution, provided one can manually "convey" the changes when 
upgrading. I would urge some more LDAP-engaged people to push some 
official changes to this RFC (since it's published in 1991) to allow 
substring matches to this and to other attributes (to provide more 
versatility in searching) and possibly other changes. I am afraid I 
can't do it.


I already tested the change on a testing box and it works.

Thanks again,
Nick


On 16/1/2011 7:50 PM, Norbert Sendetzky wrote:

Hi Nick


attributetype ( 0.9.2342.19200300.100.1.26 NAME 'aRecord'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

I thought of modifying it in order to allow substring matching, like:

attributetype ( 0.9.2342.19200300.100.1.26 NAME 'aRecord'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

Would this change possibly cause any problems? Should I do it or not?
Would powerdns be affected in any way?


This might work. The only problem will be OpenLDAP upgrades because 
they will overwrite your change.



Norbert
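
One way to select records by address range without editing cosine.schema, given here as an added example that is not code from this thread: search with the presence filter (aRecord=*), which needs no SUBSTR matching rule, and do the range match in the external script. The LDIF sample, the host names and the function names are constructed for the example; the base DN follows the record layout shown earlier on this page.

```python
import base64
import ipaddress

# CONSTRUCTED sample: LDIF as returned by a presence search such as
#   ldapsearch -x -LLL -b ou=dns,dc=example,dc=com '(aRecord=*)' associatedDomain aRecord
# Hosts and addresses are made up. The sample includes a base64 value
# ("aRecord::"), a folded dn line and a malformed address on purpose.
SAMPLE_LDIF = """\
dn: dc=www,dc=example.com,ou=dns,dc=example,dc=com
associatedDomain: www.example.com
aRecord: 10.11.12.5

dn: dc=mail,dc=example.com,ou=dns,dc=example,dc=com
associatedDomain: mail.example.com
aRecord: 10.11.13.7
aRecord:: MTAuMTEuMTIuOQ==

dn: dc=a-rather-long-host-name,dc=example.com,ou=dns,dc=example,dc=c
 om
associatedDomain: a-rather-long-host-name.example.com
aRecord: 10.11.120.1

dn: dc=broken,dc=example.com,ou=dns,dc=example,dc=com
associatedDomain: broken.example.com
aRecord: not-an-address
"""


def parse_ldif(text):
    """Return [(dn, {lowercased_attr: [values]})] for each entry in LDIF text."""
    # RFC 2849 folding: a line starting with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, dn, attrs = [], None, {}
    for line in lines + [""]:            # the trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def hosts_in_network(entries, cidr):
    """Return sorted (name, address) pairs whose aRecord lies inside cidr."""
    net = ipaddress.ip_network(cidr)
    hits = []
    for dn, attrs in entries:
        name = (attrs.get("associateddomain") or [dn])[0]
        for value in attrs.get("arecord", []):
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                continue                 # malformed aRecord value: skip it
            if addr in net:
                hits.append((name, str(addr)))
    return sorted(hits)


if __name__ == "__main__":
    # Equivalent of the intended (aRecord=10.11.12.*) selection.
    for name, addr in hosts_in_network(parse_ldif(SAMPLE_LDIF), "10.11.12.0/24"):
        print(f"{addr}\t{name}")
```

Because the match is done on parsed addresses, any prefix length can be selected, not only the octet boundaries a wildcard filter could express.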




Re: [Pdns-users] DNSSec for other backends?

2011-01-16 Thread Nick Milas

Hi Norbert,

We would really appreciate any info you might be able to provide 
regarding upgrading plans for the LDAP backend, esp. considering there 
is an upcoming 3.0 release.


For example, besides DNSSec support (see below), I am aware of issues 
313 (associated with 317), 318 (on which a discussion was made here: 
http://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg03357.html and 
I am confident that a solution can be found), 323 (which is the same 
with 260 as I later found).


Thanks for your invaluable role to the PowerDNS project.

All the best,
Nick


On 11/1/2011 1:31 PM, bert hubert wrote:


On Tue, Jan 11, 2011 at 01:24:53PM +0200, Nick Milas wrote:

Just wondering, will DNSSec be supported soon with other backends
except relational databases?



Yes, but it depends on the maintainer. For LDAP, Norbert Sendetzky would
need to do the heavy lifting, since it really is his code.



Norbert? I'm also not entirely sure LDAP supports the required 'ordering'
technology for NSEC/NSEC3-broad mode.



Re: [Pdns-users] DNSSec for other backends?

2011-01-25 Thread Nick Milas

Hi Bert and all,

I am sure there is some plan (by the powerDNS project managers) to 
continue Norbert's great work on the LDAP backend. One of the powerful 
features of powerDNS over other products is the strong and elegant 
operation with an LDAP backend, which - as I have read in numerous 
discussions/forums worldwide - has pushed a lot of DNS admins to migrate 
to powerdns/ldap without regrets. One of them is me, having migrated 
(with a significant effort) just a few months ago from a wide, 
distributed, conventional BIND infrastructure to pdns/ldap, inventing 
into a totally new architecture for our organization. So, you can 
understand my concerns, feeling unsafe with a software whose 
maintenance/evolution seemed steady and guaranteed - virtues which are 
an absolute necessity for this type of mission-critical software - and 
now future appears (at least) a bit unclear...


It's obvious that it's vital for the pdns/ldap software to continue to 
evolve, a process which seems somewhat slowed down for a while now (for 
the ldap backend), due to Norbert's lack of time.


Any feedback on anticipated developments - a draft roadmap - for the 
ldap backend I believe would really help to relieve pressure from the 
minds and feelings of a significant number of admins who love powerdns, 
have seen a true value in coupling powerdns with ldap, and want to 
continue to rely on their pdns/ldap engine.


Thanking Bert, Norbert and all PowerDNS developers and managers, for a 
truly unique and remarkable project, I close these notes with a 
confidence in Bert's ability to handle/resolve all probable events and 
overcome any barriers in keeping all project components at the 
cutting-edge of software technology.


All the best,
Nick


On 22/1/2011 2:34 PM, Norbert Sendetzky wrote:


Best wishes to all users and developers of the great PowerDNS project

Norbert




[Pdns-users] LDAP Backend maintainance/development

2011-02-01 Thread Nick Milas

Hi Kenneth,

Sorry for the (slightly) delayed reply.

Your arguments are valid; I hope that LDAP PDNS community can find a way 
to cooperate to at least succeed in maintaining the LDAP backend (even 
without adding much new functionality - as DNSSEC -, at this stage). I 
have earlier mentioned that I am eager to do testing and contribute in 
any way I can, but, unfortunately, I currently don't have the expertise 
to do programming at this level.


Does anyone here have enough expertise (with programming and code 
development management) and a little time to take the lead in providing 
fixes for the few known bugs / important missing features of the LDAP 
backend?
[A quick list: Issue 313 (associated with 317) for which there is 
already a proposal; issue 323 (which is the same with 260 as I later found);
issue 318 (on which a discussion was made here: 
http://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg03357.html and 
I am confident that a solution can be found). ]


I am afraid that we can't address professional services; we are a small 
non-profit organization with a very tiny budget and a totally different 
field of work.


As a final note, I would like to repeat that I believe the PowerDNS LDAP 
backend is an important asset for the whole project, offering a much 
more viable solution than other DNS/LDAP software (which mainly don't 
offer native/mainstream LDAP support) and it would be a pity to become 
outdated/unsupported.


I hope this thread can trigger some activity on this matter (that's why 
I changed the subject).


All the best,
Nick


On 26/1/2011 4:17 PM, Kenneth Marshall wrote:

Hi Nick,

I think that the major benefit of PowerDNS is its ability to
support a wide range of database backends, including LDAP
through Norbert's work. Each of the various backends support
some, most or all of the features of pdns, depending on their
individual driver. The available features are listed in the
documentation provided for each module. If there is a desire
to continue the development for the LDAP backend, then the
users of the backend should work together to provide resources
for improving it. I would rather see a focus on the core SQL
based backends from Bert, and let others vote with their
pocketbooks and development resources to see which backends
will support new features. I believe that consulting and
professional services are available from powerdns.com should
you wish to engage them directly. I look forward to seeing
what the PDNS/LDAP community provide in terms of updates to
the LDAP backend. If nothing is forthcoming, it is certainly
a straightforward process to change backends to a more core
backend. That is the true benefit and versatility of the
PDNS server.

Regards,
Ken




Re: [Pdns-users] pdns error sendto

2011-02-28 Thread Nick Milas

In CentOS 5, I directly edit iptables file.

I'm using the following DNS rules for iptables (as suggested by 
RH/CentOS), and I have no problems with DNS servers:


-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --sport 53 -j ACCEPT

Also, you didn't mention if you are using IPv6. If so, in 
/etc/sysconfig/ip6tables you should specify:


-A RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --sport 53 -j ACCEPT

...because ip6tables stateful filtering is broken in Centos 5 (it's 
documented, but I have found it the hard way).


The above rules are on the DNS Server box.

Note that if you are using ipv6, it will have a higher priority over 
ipv4; so, if ipv6 is available it will be used and, if not configured 
properly, you'll have problems.


Good luck,
Nick


On 25/2/2011 8:46 AM, Liong Kok Foo wrote:

Hi,

I have double checked and I did configured the firewall port 53
tcp/udp. Could it possible there are other port that need to be opened.?
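
A check one might run over the rule files before loading them, given as an added example that is not part of the original message: it flags ACCEPT rules that match on source port alone, which is what the --sport 53 lines above do. The sender picks its own source port, so such a rule accepts packets to every local port. The last two rules in the sample, the verdict names and the function names are constructed for the example.

```python
import shlex

# The eight rules quoted in the message above (IPv4 rules, then the
# /etc/sysconfig/ip6tables rules), followed by two CONSTRUCTED narrower
# rules for comparison; the last two lines are not from the thread.
RULES = """\
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
"""

# Option spellings iptables accepts for the fields this check reads.
FIELDS = {
    "-A": "chain", "--append": "chain",
    "-p": "proto", "--protocol": "proto",
    "--sport": "sport", "--source-port": "sport",
    "--dport": "dport", "--destination-port": "dport",
    "--state": "states",
    "-j": "target", "--jump": "target",
}


def parse_rule(line):
    """Parse one iptables-save style rule line into a dict.

    Negated matches ("!") are not interpreted.
    """
    rule = {"chain": None, "proto": None, "sport": None, "dport": None,
            "states": set(), "target": None, "text": line.strip()}
    tokens = shlex.split(line)
    i = 0
    while i < len(tokens) - 1:
        field = FIELDS.get(tokens[i])
        if field is None:                # e.g. "-m state": nothing to record
            i += 1
            continue
        value = tokens[i + 1]
        rule[field] = set(value.split(",")) if field == "states" else value
        i += 2
    return rule


def classify(rule):
    """Return 'ok', 'sport-only' or 'sport-limited' for one parsed rule."""
    if rule["target"] != "ACCEPT" or rule["sport"] is None:
        return "ok"
    # With connection tracking and no NEW state, only known flows match.
    if rule["states"] and "NEW" not in rule["states"]:
        return "ok"
    if rule["dport"] is None:
        return "sport-only"              # any local port is reachable
    return "sport-limited"               # source-port match, bounded by --dport


def audit(text):
    """Return [(verdict, rule_text)] for every rule that is not 'ok'."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(("-A", "--append")):
            continue                     # skip blanks, comments, table headers
        rule = parse_rule(line)
        verdict = classify(rule)
        if verdict != "ok":
            findings.append((verdict, rule["text"]))
    return findings


if __name__ == "__main__":
    for verdict, text in audit(RULES):
        print(f"{verdict:14} {text}")
```

The high-port variant still leaves any service listening on an unprivileged port reachable from a peer that uses source port 53, so it narrows the rule for hosts where connection tracking cannot be used and is not equivalent to the stateful rule.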






Re: [Pdns-users] Heading up to PowerDNS Authoritative Server release 3.0: please check your open tickets

2011-03-23 Thread Nick Milas

Good news about upcoming version.

However, not so good news for the LDAP backend...

So, I feel that LDAP-related issues should - at least - remain open, 
since they have not been fixed. Closing them with an indication of 
"Unable to devote time to the LDAP backend" (or similar), would most 
probably not promote true resolution (fix).


I always hope that a developer can sometime provide fixes for these, 
esp. 260 & 313 which are bugs (and not feature requests).


Would it help to request e.g. openldap developers with DNS background 
(through their mailing list) to possibly show interest in resolving them 
(since no one in pdns mailing list has volunteered and Norbert has 
stopped support)?


Thanks,
Nick


On 22/3/2011 10:38 PM, bert hubert wrote:


Ticket #313 (ldapbackend sets TZ to UTC but should not) closed by ahu
wontfix: we are currently unable to devote time to the LDAP backend.

Ticket #260 (LDAP backend doens't try to reestablish connection once lost) 
closed by ahu
wontfix: We are currently unable to fix LDAP issues.

Ticket #298 (AXFR query fail with LDAP backend) closed by ahu
wontfix: We are unable to address LDAP issues at this time.

Ticket #318 (Master (Notify) functionality with ldap backend) closed by ahu
wontfix: We are unable to enhance the LDAP backend.

Ticket #323 (powerdns authoritative server with ldap backend hangs when ldap 
server is ...) closed by ahu
wontfix: We are unable to fix LDAP issues.





Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-03-23 Thread Nick Milas

On 23/3/2011 11:05 AM, bert hubert wrote:


Unless something happens, the LDAP backend will move to 'unmaintained'
status in the 3.0 release.

I think this attitude is the best. At least new admins planning DNS 
server deployment *will know* that they should probably keep off LDAP 
backend, since it's unmaintained.


My opinion is that LDAP backend is a very good solution for (at least) 
small-to-mid sized organizations which can store/manage/use in a DIT all 
their data and use standard admin tools, and this backend should be 
maintained, but you are right: Since no direct interest is expressed 
(which I still find surprising), there is no other way to go.


Pity I am not a (professional) developer and my organization doesn't 
have the resources to invest in improving an already good (as I think) 
piece of software. We'll have to live with the current version and 
probably migrate to other backend later - unless things change. Maybe 
some people/organization will continue to find LDAP backend cool enough 
to give it a push. :-)


Thanks,
Nick



Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-03-24 Thread Nick Milas

On 24/3/2011 10:11 AM, Angel Bosch Mora wrote:


what about a community donation?

we could create a ticket with all people interested in this feature and how 
much can they contribute.

i think there's more people than we think using LDAP backend.


I like the idea. Such an announcement could be published to the ldap 
communities too.


However, it strikes me that, although I have repeatedly published about 
the issue in this list, no one has expressed interest (you are the first 
one). Yet, I believe that there must be out there at least some 
people/organizations who use or would be interested in using the LDAP 
backend. (Googling for powerdns/ldap will reveal at least some activity 
in the recent or earlier past.)


I find it a pity to put the LDAP backend (which I have mentioned in the 
past that is one of the virtues of powerdns vs other software) to 
unmaintained status.


How can this be initiated? Has this been done in the past in the powerdns 
project?


Nick.



Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-03-24 Thread Nick Milas

On 03/24/2011 11:36 AM, Nick Milas wrote:

On 24/3/2011 10:11 AM, Angel Bosch Mora wrote:


what about a community donation?

we could create a ticket with all people interested in this feature
and how much can they contribute.

i think there's more people than we think using LDAP backend.


I like the idea. Such an announcement could be published to the ldap
communities too.

However, it strikes me that, although I have repeatedly published about
the issue in this list, no one has expressed interest (you are the first
one). Yet, I believe that there must be out there at least some
people/organizations who use or would be interested in using the LDAP
backend. (Googling for powerdns/ldap will reveal at least some activity
in the recent or earlier past.)

I find it a pity to put the LDAP backend (which I have mentioned in the
past that is one of the virtues of powerdns vs other software) to
unmaintained status.

How can this be initiated? Has this been done in the past in the powerdns
project?


Well, this entire thing might just be that not all people interested in
the LDAP backend are actively following the mailing list (like myself :-)

However, we are using the LDAP backend as well for our couple of
PowerDNS servers and would suffer much from dropping LDAP support.

On the other hand, I perfectly understand Bert's POV on the issue, so
what I can offer is taking a look on the open issues and maybe - if time
allows - putting some manpower to it, but I will first have a look at
the issues myself.

Regards

Udo Rader


Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-03-24 Thread Nick Milas

On 24/3/2011 12:55 PM, Udo Rader wrote:


On the other hand, I perfectly understand Bert's POV on the issue, so
what I can offer is taking a look on the open issues and maybe - if time
allows - putting some manpower to it, but I will first have a look at
the issues myself.



Thanks Udo,

As I have stated in the past, I am available for testing on CentOS.

Nick



Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-03-24 Thread Nick Milas

Sorry, the following was sent by mistake! Please ignore (the message is 
already in the list, sent by Udo Rader)!


Nick

On 24/3/2011 1:03 PM, Nick Milas wrote:

On 03/24/2011 11:36 AM, Nick Milas wrote:

On 24/3/2011 10:11 AM, Angel Bosch Mora wrote:


what about a community donation?

we could create a ticket with all people interested in this feature
and how much can they contribute.

i think there's more people than we think using LDAP backend.


I like the idea. Such an announcement could be published to the ldap
communities too.

However, it strikes me that, although I have repeatedly published about
the issue in this list, no one has expressed interest (you are the first
one). Yet, I believe that there must be out there at least some
people/organizations who use or would be interested in using the LDAP
backend. (Googling for powerdns/ldap will reveal at least some activity
in the recent or earlier past.)

I find it a pity to put the LDAP backend (which I have mentioned in the
past that is one of the virtues of powerdns vs other software) to
unmaintained status.

How can this be initiated? Has this been done in the past in the powerdns
project?


Well, this entire thing might just be that not all people interested in
the LDAP backend are actively following the mailing list (like myself :-)

However, we are using the LDAP backend as well for our couple of
PowerDNS servers and would suffer much from dropping LDAP support.

On the other hand, I perfectly understand Bert's POV on the issue, so
what I can offer is taking a look on the open issues and maybe - if time
allows - putting some manpower to it, but I will first have a look at
the issues myself.

Regards

Udo Rader


Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-03-25 Thread Nick Milas


I wanted to quickly chime in on this. I agree with the decision to 
move the LDAP backend into "unmaintained" status and not fix these 
bugs right now. If there isn't a big enough community demand to supply 
the resources needed to maintain it, then there likely isn't a big 
enough demand to make it worthwhile anyway.


I feel I should repeat here Udo Rader's very thoughtful comment that: 
"...(it) might just be that not all people interested in the LDAP 
backend are actively following the mailing list"! In fact, it seems that 
there are quite some people and organizations using it, and moving into 
"unmaintained status" (I'll call it UMS) would be harmful to them. 
However, since little interest has been explicitly exhibited, entering 
UMS might ring a bell to some of the users/organizations to engage more 
actively in its development (but it could push them to entirely drop 
LDAP backend too!). But, of course, there is also Udo's offer to 
possibly "offer some manpower", and, hopefully, LDAP backend might avoid 
entering UMS after all (I hope we will hear some news from him some time 
soon, after "having a look at the issues") by catching up with v3.0. :-)



*However*, I do not think marking the bugs "will not fix" is the right 
move, as I believe there is a better alternative. Where I work, we 
have another status called "Deferred." When a bug is determined to be 
legitimate and needs to be fixed, but for some reason or another can't 
be fixed right now (e.g., not enough resources, requires major 
restructure somewhere that needs serious discussion, etc.), we mark it 
as "Deferred." This indicates later down the road that we had already 
decided to fix it, but couldn't at that time.


I think having a status similar to "Deferred" for PDNS bugs and 
putting these bugs in that status would be a better thing to do. A 
project this large can have a lot of "Won't Fix" bugs, and a year down 
the road it could be very hard to sort the "Can't fix" bugs out from 
the "Won't fix" bugs.



This might be a useful policy; filtering tickets by "Deferred" status 
sounds efficient and helpful (if developers concerned agree too!). On 
the negative side, the existence of a "Deferred" status might 
(psychologically) encourage a more frequent "defer" of issues. :-(


Nick



Re: [Pdns-users] Forward IPv6 Requests?

2011-03-30 Thread Nick Milas

On 30/3/2011 7:41 PM, Pascal R. wrote:


HI,

my PDNS currently do IPv4 recursion with the following config:

recursor=8.8.8.8


How can i add an IPV6 Recorder to the pdns.conf ?



This is what I use in my pdns.conf:

local-address=127.0.0.1 10.10.10.10
do-ipv6-additional-processing=yes
local-ipv6=::1 2001:::::
local-port=53
allow-axfr-ips=10.10.10.10, 10.10.11.10
recursor=127.0.0.1:5300

And in recursor.conf (hosted on the same box):

local-address=127.0.0.1,10.10.10.10,[::1],[2001:::::]
allow-from=0.0.0.0/0,::/0
query-local-address6=2001:::::
local-port=5300
-additional-processing=on

10.10.10.10 is the IPv4 address of the box (it is public, and I have 
replaced it).

2001::::: is always my IPv6 address of the box (public too).

I can't tell whether this is the best configuration (I welcome all 
comments), but it works.


As Maik has said, in fact we communicate with the recursor over local 
IPv4 (at a different port). It is true that it's better to have a 
different box for auth and recursion, but we have a low volume of DNS 
queries and it's not a problem at this time.


Hope that helps.

Nick
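
The recursor.conf above combines public listening addresses with allow-from=0.0.0.0/0,::/0, so any host that can reach the recursor port can use it for recursion (an open resolver). The check below is an added example, not part of the original message or of PowerDNS: it parses the posted settings and flags that combination. The address 2001:db8::53 and the tightened allow-from prefixes are constructed placeholders, because the post redacts the real values.

```python
import ipaddress
import re

# Constructed sample: the recursor.conf from the message above. The redacted
# IPv6 address is replaced by a documentation-range placeholder, and the
# garbled "-additional-processing" line is left out.
POSTED_RECURSOR_CONF = """\
local-address=127.0.0.1,10.10.10.10,[::1],[2001:db8::53]
allow-from=0.0.0.0/0,::/0
query-local-address6=2001:db8::53
local-port=5300
"""

# Hypothetical tightened variant: loopback plus assumed site prefixes
# (these prefixes are illustrative, they do not come from the post).
TIGHTENED_RECURSOR_CONF = POSTED_RECURSOR_CONF.replace(
    "allow-from=0.0.0.0/0,::/0",
    "allow-from=127.0.0.0/8,::1/128,10.10.10.0/24,2001:db8::/48",
)


def parse_conf(text):
    """Parse PowerDNS-style 'key=value' lines; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def split_list(value):
    """Split a comma- and/or whitespace-separated setting into items."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def listen_addresses(value):
    """Return ip_address objects for a local-address list.

    Accepts bare IPv4/IPv6 addresses, bracketed IPv6 ('[::1]') and an
    optional ':port' suffix after an IPv4 or bracketed IPv6 address.
    """
    addresses = []
    for item in split_list(value):
        if item.startswith("["):
            host = item[1:item.index("]")]
        elif item.count(":") == 1:  # IPv4 address followed by a port
            host = item.split(":", 1)[0]
        else:
            host = item
        addresses.append(ipaddress.ip_address(host))
    return addresses


def open_resolver_findings(text):
    """List (network, exposed listeners) pairs that make an open resolver.

    A finding is an allow-from entry covering a whole address family (/0)
    while the recursor listens on a non-loopback address of that family.
    """
    settings = parse_conf(text)
    listeners = listen_addresses(settings.get("local-address", ""))
    findings = []
    for item in split_list(settings.get("allow-from", "")):
        net = ipaddress.ip_network(item, strict=False)
        if net.prefixlen != 0:
            continue
        exposed = [str(addr) for addr in listeners
                   if addr.version == net.version and not addr.is_loopback]
        if exposed:
            findings.append((str(net), exposed))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_RECURSOR_CONF),
                        ("tightened", TIGHTENED_RECURSOR_CONF)):
        results = open_resolver_findings(conf)
        if not results:
            print(f"{label}: no open-resolver combination found")
        for net, exposed in results:
            print(f"{label}: allow-from {net} is reachable via "
                  f"{', '.join(exposed)}")
```

Restricting allow-from to loopback and the networks that actually need recursion removes both findings without changing the listening addresses.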


Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-04-15 Thread Nick Milas

On 4/4/2011 12:44, Udo Rader wrote:

yes, I took a look on the issues and will put some work into fixing
them. From my POV #260 will be the first and most important thing to
deal with.

#317 looks trivial to fix, but as mentioned in the bug report, side
effect may exist.

...

ETA for the fixes should be in during the coming week- hopefully :-) So
chances exist that the fixes can make it into the 3.0 release.


Hi Udo,

It's been 10 days (two business weeks) since your last update. Any news 
for us anxious pdns/ldap users? :-)


Thanks!

All the best,
Nick



Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-04-20 Thread Nick Milas

On 15/4/2011 3:30 PM, Nick Milas wrote:


It's been 10 days (two business weeks) since your last update. Any 
news for us anxious pdns/ldap users? :-)




Hi Udo,

I don't want to make you feel pressure, but it's been 16 days since we 
last heard from you, and you were estimating to publish fixes in the 
week that would follow (that time, i.e. 4-10 of April).


Please, if you won't be able to work on the issues, let us know so that 
we might try to search for someone, at least at this phase, when 3.0 
release is upcoming (even now), otherwise we'll have to wait for the 
next release...


At least give us an update.

Thanks,
Nick



Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-04-30 Thread Nick Milas

On 23/3/2011 11:05 AM, bert hubert wrote:


To clarify, PowerDNS development happens because one or more of the
following three reasons:

...

We also develop quite some things because, frankly, we find them cool

For LDAP, right now none of these things is the case. 1) We don't feel that
LDAP is a particularly good or interesting place to store DNS data. It will
for example have big problems with PowerDNSSEC because of lack of ordering.

Although there has been some time since this thread started, and nothing 
has changed in essence (we have no news from Udo Rader who offered to 
work on the issues), I would like to add a couple of points.


1. I really find storing DNS records in LDAP cool and fun, and I have 
been wondering why there is so little interest for it.
2. I have discussed the issue in openldap mailing list (see: 
http://www.openldap.org/lists/openldap-technical/201104/msg00363.html 
and the associated thread) and people there think too that:


   * LDAP *IS* the best place to store DNS data
   * Maintaining/evolving the PowerDNS LDAP backend is "interesting and
     worthwhile" (but no one volunteered to work on it, at least yet)

As I have said in the past, I agree with the above. It strikes me that, 
although LDAP seems perhaps the best solution to store DNS records (at 
least from a potential performance perspective), there seems to be so 
little use of it! I will attribute this to:


   (a) BIND ldap backend (dlz / sdb) being highly experimental and
   practically unsuitable for production
   (b) lack of publicity about PowerDNS itself, let alone its LDAP backend.
   (c) lack of "critical momentum" for PowerDNS - LDAP, mainly caused
   by lack of case studies, performance test results (e.g. LDAP vs
   MySQL backends), white papers, studies with focus on large domains,
   etc. - to prove beyond doubt it's worth it even for enterprise use.
   (d) lack of nice management tools that would allow (LDAP-stored) DNS
   Record management using an easy and efficient GUI (which would also
   enforce all needed checks when changing records etc.) The reason for
   this is (b) and (c) above. But, there is some ongoing activity on
   this (see for example the GoSA project:
   http://www.mail-archive.com/debian-edu@lists.debian.org/msg21887.html).
   For our organization's needs, we have developed a php application
   which is very convenient (but would require a lot of work to become
   more generic and programming is rather non-professional).

So, considering the above, I would like to underline that LDAP should 
NOT become unmaintained:


   (i) It would not be difficult to include at least the proposed patch
   for Ticket #313
   (http://mailman.powerdns.com/pipermail/pdns-users/2010-September/007004.html)
   in one v3.0 build so we can install and test.
   (ii) I would encourage PowerDNS developers to only provide a
   solution for Ticket #260 (= #323) (this time/effort should be very
   low) which is the minimum to keep LDAP backend in production status
   in the new versions. So, it will gain time to hopefully build up
   (b), (c), (d) above.

I have no personal reasons to promote this work (it would have been 
easier for me and would require much less time than what I am doing now 
to switch to any other backend), but, feeling comfortable in a nice 
community like this, I have publicly expressed my feelings regarding 
what I believe is/should be a real power in PowerDNS which we all want 
to thrive.


Regards,
Nick




Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-04-30 Thread Nick Milas

On 30/4/2011 2:09 PM, Angel Bosch Mora wrote:

this is inaccurate. LDAP has a lot of multi-platform front-ends, most 
of them really customizable. there's also bindings for every coding 
language, so as you said anyone can create their own tool.



Hi Angel,

You are partly right: yes, there are many *generic* LDAP browsers (like 
the free - very good but now unmaintained, I am afraid - phpLDAPadmin 
and the excellent JXplorer, which I use both; there is also Apache 
Directory Studio etc. and other commercial products), but there are no 
*specialized* LDAP-stored DNS Record applications.


Such specialized apps should allow automatic operations like adding 
automatically forward and reverse record when adding an IP Addr ---> DNS 
Name mapping (A and PTR records), automatically increasing the zone 
counters (both forward and reverse). Also, when changing such a mapping, 
it would ensure that A and PTR records are updated correctly. The app 
should check (perhaps by alerting the user) whether an IPv6 ( record 
plus the reverse record) exists and should also be updated. Also other 
more advanced operations include DNS domain redirections, subdomain 
delegations etc.


With the generic LDAP browsers one must do all such operations manually 
(which is not terrible, but it's a bit prone to errors and inconvenient 
when there are daily maintenance activities).


All the best,
Nick



Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-05-01 Thread Nick Milas

On 1/5/2011 12:58 AM, Alejandro wrote:

Hi Nick, the powerdns plugin for GOsa is finished, but the lack of 
DNSSEC and the chance of dropping this feature in future versions of 
powerdns force the debian-edu project to choose bind in place of 
powerdns for the next version of debian-edu.


...

I really like to see an update of the powerdns-ldap plugin because also 
I think that ldap is a really good backend to manage DNS.




Hi Alejandro,

I do hope and *I believe* that the PowerDNS development team will change 
their mind and decide to - at least minimally for the time being - 
support the LDAP backend. IMHO it's one of the hidden powers of 
PowerDNS, and I have striven to demonstrate my case for the benefit of 
the PowerDNS project. If the LDAP backend is moved to unmaintained 
status, I believe that the whole PowerDNS project may be harmed in terms 
of propagation, fame and reliability.


One dimension of the problem, perhaps not always considered, might be 
that to include a new backend would perhaps be far easier than keeping 
up with the currently existing ones: dropping or reducing support for 
one of them will tend to reduce the "reliability index" (as perceived by 
the "world") for the whole project, because, once a backend is released 
and officially included in a release, there will be a community (known 
or unknown) of users for that backend, even if that community is not in 
a position to directly provide some kind of compensation (funds or 
development resources) to the project. One could assert that even the 
adoption of the PowerDNS software IS a kind of compensation, which will 
provide mid-term/long-term benefit(s) of all types (e.g. publicity, 
propagation, etc.).


Note that while the PowerDNS LDAP backend in Authoritative Server v3.0 
will surely not support DNSSEC, one could very well use Phreebird for an 
easy and efficient DNSSEC deployment, until DNSSEC is included in the 
backend itself (which I believe it will).


I find the lack of "Notify" ("Master") ability in the LDAP backend even 
more important at this stage (although one can use workarounds, as I 
have mentioned in this mailing list).


All the best,
Nick




Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-05-01 Thread Nick Milas

On 30/4/2011 2:09 PM, Angel Bosch Mora wrote:


  there's also bindings for every coding language, so as you said anyone can 
create their own tool.



I forgot to comment that you are very right in that. For example:

   * PHP ldap bindings are great (we have used this API in our web
     application which I mentioned). (Pear also includes Net_LDAP2 as
     an object oriented API.)
   * Also there is http://www.unboundid.com/products/ldapsdk/ for Java
     which is allegedly better than (now Oracle's) JNDI. There is also
     Novell's JLDAP.
   * Perl includes Net::LDAP.
   * For JSP, one might want to see:
       o http://www.lumdev.net/node/3824
       o http://www.lumdev.net/node/3861
   * For MS ASP.net System.DirectoryServices, check:
       o http://forums.asp.net/p/907421/1007517.aspx
   * Mono ASP.net framework ships with Novell.Directory.Ldap library
     and probably others too.

The only drawback, of course, is that it takes time and resources to do 
one's own development!


So, specialized open-source applications like for example GoSA and 
PowerDNS Administrator (works only with SQL backend) in many cases offer 
administrators very useful tools with a fraction of the otherwise 
required effort.


Nick



Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-05-01 Thread Nick Milas

On 1/5/2011 12:58 AM, Alejandro wrote:

The other real option to use in LDAP is binddlz project but is 
experimental and very complex to use in any tool, but have all the 
features :(.


I really like to see an update of the powerdns-ldap plugin because also 
I think that ldap is a really good backend to manage DNS.




Hi Alejandro,

Some additional thoughts:

Even in the state it is now, PowerDNS with LDAP backend (and with any 
other backend) is an efficient production solution while BIND9/DLZ is not.


I would *not* recommend anyone to switch from PowerDNS, if they want any 
working backend except BIND (text files).


See for example tests at: 
http://bind-dlz.sourceforge.net/perf_tests.html. All backends except 
BIND suck, esp. LDAP.


If you search in the Internet, you'll find ample evidence that BIND / 
DLZ is not a production solution. In terms of performance, it simply is 
unacceptable.


Nick



Re: [Pdns-users] Sorting of DNS responses

2011-05-01 Thread Nick Milas

On 29/4/2011 10:43 AM, Roland Schwingel wrote:



I am using pdns 2.9.22 with ldap backend for many months now. It works 
very nice and without troubles. Thanks for this...
Maybe I am too dumb to find this in the docu but I need to sort the 
responses of dns replies according to where the request comes from. 
Similar to the sortlist feature of bind.




Hi Roland,

I am happy to hear that you are one more user of the LDAP backend; we 
have a hard time identifying such users and as a result the LDAP backend 
is in a bit of a possible crisis, I'm afraid... (I assume you must have 
only now subscribed to this list.)


BIND statements rrset-order and sortlist don't seem to be supported with 
any PowerDNS backend, neither in LDAP backend.


Are you using LDAP DNS simple style or tree style?

One workaround would be to have a different virtual (i.e. without its 
own NS records and without a SOA record) subdomain ("subzone") for each 
network; for example:

192.168.0.0/24 > sub0.my.net
192.168.1.0/24 > sub1.my.net
192.168.2.0/24 > sub2.my.net
192.168.4.0/24 > sub4.my.net

Then, you would define different names for the host in each network; for 
example:

myhost.sub0.my.net -> 192.168.0.11
myhost.sub1.my.net -> 192.168.1.11
myhost.sub2.my.net -> 192.168.2.11
myhost.sub4.my.net -> 192.168.4.11

(it doesn't have to be .11 everywhere, but I guess it's more convenient 
from an admin viewpoint.)


This is what we are doing in our networks (we were doing so even with 
BIND, before using PowerDNS with LDAP backend). I believe this is a more 
flexible, scalable and a much more admin-friendly approach.


Nick



Re: [Pdns-users] Sorting of DNS responses

2011-05-02 Thread Nick Milas

On 2/5/2011 10:00 AM, Roland Schwingel wrote:


I subscribed the day I wrote this post and have read the posts appearing
since then about the LDAP backend. I am a bit astonished about this. In my
eyes the LDAP backend is THE key benefit of powerdns. The easiness in
setting it up and its robustness was the key decision point for me to use
powerdns instead of any other solution.



I agree; So, please post your comment in that thread too! If you think 
of anything that would help (by finding developer(s) or funding for) the 
project, please give your feedback. Note that the LDAP backend will not 
be removed from v3.0, but -if left unmaintained- it will not include any 
improvements whatsoever. I am doing what I can to avoid this.


I have recently provided (enough, I hope) evidence that the LDAP backend 
should remain alive and kicking for many reasons.



I am using it in strict mode as it was more straight forward for me
to set up.


I assume that you don't have any public networks, because with strict 
mode you can't have AXFR for reverse zones.



Thanks for this tip. I see what I can do here on my side to give it a try.
I was also thinking about hacking the resolving of these hosts into pipe
backend but this is not the ideal solution for me.

In fact, it's not a workaround/tip. It's a different approach, which I 
believe is better. If you want/need more technical details for the 
implementation I suggested, I can provide, although it's 
straightforward. The problem in your case - if you follow this plan - is 
probably that you would have to modify practically all your RRs (but it 
will only be needed once and you'll never need to mess-up with DNS 
server configuration for sortlist etc.).



I honestly hope that the LDAP backend will survive in pdns 3.0 as it
is (in my eyes) one of the most vital features of pdns and PowerDNS will
definitely lose a big key feature if it would go away!


Even included in unmaintained status, I have come to believe that the 
whole project may be harmed.




And I also hope that some kind of sortlist feature will find its way into
pdns soon. I don't think that sorting of replies is so uncommon, so pdns
should support it.
In the meantime I have to find a different solution for my problem.


The project's developers should comment on it. You should file a ticket 
here for your request: http://wiki.powerdns.com/trac/ - mention that you 
want this for the LDAP backend. I don't know if this would be a 
backend-specific implementation or it can be done at the main software 
level.


All the best,
Nick

P.S. Please avoid: Top-posting and HTML; both are considered bad 
practices in mailing lists.





[Pdns-users] PowerDNS use statistics

2011-05-02 Thread Nick Milas

Hello,

I have been trying to find stats on PowerDNS global use for some time 
now, but I had not much luck.


The only sources I found were:
http://mailman.powerdns.com/pipermail/pdns-dev/2005-October/000347.html
and
http://dns.measurement-factory.com/surveys/

The second shows low numbers for PowerDNS esp. in the last two years, 
which I find a bit strange.


But are there any other surveys about DNS Software use which one would 
suggest as more reliable? Are there any comparative DNS server software 
usage trends data for the last 5-6 years ?


Correctly or not, for many people, the installed base is an important 
indicator of a software's potential and dynamics.


Thanks,
Nick


Re: [Pdns-users] pdns/ldap funding, how much?

2011-05-05 Thread Nick Milas

On 6/5/2011 12:04 am, Christopher Wood wrote:


  2) There are people in the PowerDNS community developing & maintaining it.
  3) There are end-users with support contracts that need it, or there are
 end-users willing to fund the development directly.
--

I don't know if anybody has asked how much #2 or #3 cost. How much money are we 
talking about, as a rounded figure per month or per year?

After all, if enough people want this then perhaps it makes sense to spread the 
cost.



Hi Christopher,

Thanks for extending the previous thread re LDAP backend (I don't know 
if it would probably be better to continue that one).


Since #2 (which does not entail costs) has not yielded any positive 
outcome (no developer has responded or acted positively) yet, we 
probably could view cost more specifically. So specific costs (per item) 
should be specified for:


   1. Correction of bug mentioned in Ticket 260 (the most important one
      currently). [Unless PowerDNS developers agree to my thoughts - see
      below.]
   2. The addition of Notify functionality (Master Operation). [Ticket: 318]

        * With this opportunity I would like to ask whether
          pdns_control notify should work with LDAP backend because I
          (only recently) read in the documentation (fixes for
          v2.9.20): "LDAP fixes as reported in ticket 37
          (http://wiki.powerdns.com/projects/trac/ticket/37), fixed in
          commit 558
          (http://wiki.powerdns.com/projects/trac/changeset/558),
          which maked pdns_control notify work."
          So, does this mean that:
            pdns_control notify domain
          and
            pdns_control notify-host domain ip-address
          should work?
          (I haven't tried it, but here:
          http://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg03365.html
          I concluded that pdns_control notify would not work, and no
          one corrected me... - I might try it now!)
   3. General maintenance of code of the backend (e.g. speed
      optimization etc) - if / where needed.
   4. Addition of DNSSEC support to the backend.
   5. Other suggested/needed additions.

But we are also waiting for a reply on an already one-week-old request I 
made:


 > So, considering the above, I would like to underline that LDAP should
 > NOT become unmaintained:
 >
 >    (i) It would not be difficult to include at least the proposed patch
 >    for Ticket #313
 >    (http://mailman.powerdns.com/pipermail/pdns-users/2010-September/007004.html)
 >    in one v3.0 build so we can install and test.
 >    (ii) I would encourage PowerDNS developers to only provide a
 >    solution for Ticket #260 (= #323) (this time/effort should be very
 >    low) which is the minimum to keep LDAP backend in production status
 >    in the new versions...

So, let's wait (hopefully not for long) for some (hopefully positive) 
feedback from PowerDNS developers. Probably they've been very busy these 
days, because I don't see them being very active in the mailing list 
recently. But things will surely change (favorably)! After all, we trust 
them. :-)


Best regards,
Nick




[Pdns-users] Some DNS performance tests with various PDNS backends and BIND9

2011-05-11 Thread Nick Milas

Hello,

Just in case someone would like to examine some comparative performance 
results re. various PowerDNS backends with ref. to BIND9, I am posting 
the following tests.


In case you think something should be changed in the setup to make 
results more objective, please let me know.


Comments would be welcome and appreciated.

NOTE: I would like to run the same test against BIND9/SDB with LDAP 
backend, but I had a hard time trying to migrate my pdns LDAP data to 
bind-sdb LDAP entries. zone2ldap BIND9 tool also fails after a few 
entries (I've abandoned trying). IF SOMEONE HAS A SCRIPT FOR SUCH A 
MIGRATION, PLEASE LET ME KNOW.


Test Setup:
==

Running queryperf from a (virtual) machine ("vdns") against an 
Authoritative-only DNS server running on another (virtual) machine 
("vdev") on the same LAN (Both virtual machines run on a VM cluster). 
DNS server logging was off in all cases.


Both machines are running CentOS 5.6 x86_64. The data file 
(examplecom.txt) included 736 type A records. (All the forward type "A" 
RRs used in our domain.) The file was cycled during 60 seconds.


Of course, test results are only relative to the particular hardware 
setup, so they should not be compared to other test results.


IP addresses and domain names have been changed as they are public.

Results:

With BIND9 9.3.6 (13615 qps) as reference, we have:
BIND9 9.7.3 : 12731 qps ===>  -6.5%
PDNS - BIND : 17683 qps ===> +29.9%
PDNS - MYSQL: 16879 qps ===> +24.0%
PDNS - LDAP : 17339 qps ===> +27.4%

A conclusion is that, under this setup, PDNS/LDAP appears faster than 
any other DNS server, except PDNS/BIND (from which it is only -1.95% 
slower). Note that the Openldap cache size was set large enough to hold 
the entire database (as it should).


Nick

==
Test 1: Using PowerDNS 2.9.22 (CentOS repo) - BIND backend:
==
./queryperf -d examplecom.txt -s 10.10.10.11 -l 60

DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $

[Status] Processing input data
[Status] Sending queries (beginning with 10.10.10.11)
[Status] Testing complete

Statistics:

  Parse input file: multiple times
  Run time limit:   60 seconds
  Ran through file: 1441 times

  Queries sent: 1061006 queries
  Queries completed:1061006 queries
  Queries lost: 0 queries
  Queries delayed(?):   0 queries

  RTT max:  0.041637 sec
  RTT min:  0.69 sec
  RTT average:  0.001046 sec
  RTT std deviation:0.000376 sec
  RTT out of range: 0 queries

  Percentage completed: 100.00%
  Percentage lost:0.00%

  Started at:   Tue May 10 21:01:01 2011
  Finished at:  Tue May 10 21:02:01 2011
  Ran for:  60.000656 seconds

  Queries per second:   17683.239997 qps

==
Test 2: PowerDNS 2.9.22 - LDAP backend on Openldap v2.4.25 w/ hdb backend running locally
==

[root@vdns queryperf]# ./queryperf -d examplecom.txt -s 10.10.10.11 -l 60

DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $

[Status] Processing input data
[Status] Sending queries (beginning with 10.10.10.11)
[Status] Testing complete

Statistics:

  Parse input file: multiple times
  Run time limit:   60 seconds
  Ran through file: 1413 times

  Queries sent: 1040546 queries
  Queries completed:1040546 queries
  Queries lost: 0 queries
  Queries delayed(?):   0 queries

  RTT max:  0.668537 sec
  RTT min:  0.000110 sec
  RTT average:  0.001070 sec
  RTT std deviation:0.001224 sec
  RTT out of range: 0 queries

  Percentage completed: 100.00%
  Percentage lost:0.00%

  Started at:   Tue May 10 21:06:58 2011
  Finished at:  Tue May 10 21:07:58 2011
  Ran for:  60.013004 seconds

  Queries per second:   17338.675464 qps

===
Test 3: BIND 9.3.6 (CentOS standard) with flat files:
===

[root@vdns queryperf]# ./queryperf -d examplecom.txt -s 10.10.10.11 -l 60

DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $

[Status] Processing input data
[Status] Sending queries (beginning with 10.10.10.11)
[Status] Testing complete

Statistics:

  Parse input file: multiple times
  Run time limit:   60 seconds
  Ran through file: 1109 times

  Queries sent: 816941 queries
  Queries completed:816941 queries
  Queries lost: 0 queries
  Queries delayed(?):   0 queries

  RTT max:  0.113733 sec
  RTT min:  0.91 sec
  RTT average:  0.001394 sec
  RTT

[Pdns-users] Some DNS performance tests with various PDNS backends and BIND9

2011-05-11 Thread Nick Milas
UPDATED: In the meantime I have managed to run the test with 
BIND9/SDB/LDAP, so I am resending the whole message for completeness.


Just in case someone would like to examine some comparative performance 
results re. various PowerDNS backends with ref. to BIND9, I am posting 
the following tests.


In case you think something should be changed in the setup to make 
results more objective and more real-life, please let me know.


Comments would be welcome and appreciated.

Test Setup:
==

Running queryperf from a (virtual) machine ("vdns") against an 
Authoritative-only DNS server running on another (virtual) machine 
("vdev") on the same LAN (Both virtual machines run on a VM cluster). 
DNS server logging was off in all cases.


Both machines are running CentOS 5.6 x86_64. The data file 
(examplecom.txt) included 736 type A records. (All the forward type "A" 
RRs used in our domain.) The file was cycled during 60 seconds.


Of course, test results are only relative to the particular hardware 
setup, so they should not be compared to other test results.


IP addresses and domain names have been changed as they are public.

Results:

(Using BIND9 9.3.6 (13615 qps) as reference)
-
BIND9 9.3.6  : 13615  qps-
BIND9 9.7.3  : 12731  qps ===>  -6.5%
BIND9 9.7.3/SDB/LDAP :   370* qps ===> -97.3%
PDNS 2.9.22 / BIND   : 17683  qps ===> +29.9%
PDNS 2.9.22 / MYSQL  : 16879  qps ===> +24.0%
PDNS 2.9.22 / LDAP   : 17339  qps ===> +27.4%
-
* See comment at the bottom of the last test.

A conclusion is that, under this setup, PDNS/LDAP appears faster than 
any other setup, except PDNS/BIND (from which it is only -1.95% slower). 
Note that the Openldap cache size was set large enough to hold the 
entire database (as it should).


The test confirms the slow qps rate when running using BIND9/SDB/LDAP.

Nick

==
Test 1: Using PowerDNS 2.9.22 (CentOS repo) - BIND backend:
==
./queryperf -d examplecom.txt -s 10.10.10.11 -l 60

DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $

[Status] Processing input data
[Status] Sending queries (beginning with 10.10.10.11)
[Status] Testing complete

Statistics:

  Parse input file: multiple times
  Run time limit:   60 seconds
  Ran through file: 1441 times

  Queries sent: 1061006 queries
  Queries completed:1061006 queries
  Queries lost: 0 queries
  Queries delayed(?):   0 queries

  RTT max:  0.041637 sec
  RTT min:  0.69 sec
  RTT average:  0.001046 sec
  RTT std deviation:0.000376 sec
  RTT out of range: 0 queries

  Percentage completed: 100.00%
  Percentage lost:0.00%

  Started at:   Tue May 10 21:01:01 2011
  Finished at:  Tue May 10 21:02:01 2011
  Ran for:  60.000656 seconds

  Queries per second:   17683.239997 qps

==
Test 2: PowerDNS 2.9.22 - LDAP backend on Openldap v2.4.25 w/ hdb backend running locally
==

[root@vdns queryperf]# ./queryperf -d examplecom.txt -s 10.10.10.11 -l 60

DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $

[Status] Processing input data
[Status] Sending queries (beginning with 10.10.10.11)
[Status] Testing complete

Statistics:

  Parse input file: multiple times
  Run time limit:   60 seconds
  Ran through file: 1413 times

  Queries sent: 1040546 queries
  Queries completed:1040546 queries
  Queries lost: 0 queries
  Queries delayed(?):   0 queries

  RTT max:  0.668537 sec
  RTT min:  0.000110 sec
  RTT average:  0.001070 sec
  RTT std deviation:0.001224 sec
  RTT out of range: 0 queries

  Percentage completed: 100.00%
  Percentage lost:0.00%

  Started at:   Tue May 10 21:06:58 2011
  Finished at:  Tue May 10 21:07:58 2011
  Ran for:  60.013004 seconds

  Queries per second:   17338.675464 qps

===
Test 3: BIND 9.3.6 (CentOS standard) with flat files:
===

[root@vdns queryperf]# ./queryperf -d examplecom.txt -s 10.10.10.11 -l 60

DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $

[Status] Processing input data
[Status] Sending queries (beginning with 10.10.10.11)
[Status] Testing complete

Statistics:

  Parse input file: multiple times
  Run time limit:   60 seconds
  Ran through file: 1109 times

  Queries sent: 816941 queries
  Queries completed:816941 queries
  Queries lost: 

Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-05-13 Thread Nick Milas

On 30/4/2011 11:00 AM, Nick Milas wrote:


   (i) It would not be difficult to include at least the proposed patch
   for Ticket #313
   (http://mailman.powerdns.com/pipermail/pdns-users/2010-September/007004.html)
   in one v3.0 build so we can install and test.
   (ii) I would encourage PowerDNS developers to only provide a
   solution for Ticket #260 (= #323) (this time/effort should be very
   low) which is the minimum to keep LDAP backend in production status
   in the new versions. So, it will gain time to hopefully...



Hi Bert,

You haven't replied on my request (i). Could you include the above patch 
in one v3.0 build so we (users of ldap backend) can test whether it 
works OK?


I was hoping that you would answer favorably to (ii) above, as well, but 
anyway...  Hope never dies... ;-)


Thanks,
Nick



Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-05-15 Thread Nick Milas

On 14/5/2011 10:12 PM, bert hubert wrote:


Well, you are proof that if you keep nagging you might get your way.
2193 has the fix for 313 suggested in that URL, it is building now.



Thanks, Bert. After all, you know that I am not just nagging, I have 
invested *a lot* of time to prove the ldap backend is worth support and 
do whatever I can to attract the community interest to it. I care for 
the powerdns project.


I saw the 2193 tarball. I'll try to compile and test it tomorrow (Monday).

If you make a script that sets up LDAP so that I can test, I'll see. But I'm
not going to delve into anything, you need to get me something that after
I've apt-get installed the ldap server it sets up a working powerdns
environment.




OK Bert, it makes sense. I'll attempt to prepare something for you and 
send it in the next couple of days.


If you have an RHEL/CentOS test server, it will be easier because all my 
test and production environments use this OS and I can prepare something 
more knowledgeably.


If you must use a debian-based system, please tell me the exact version 
of the OS, so that I can examine the peculiarities related to the latest 
openldap package available for that distro in its repos, to prepare a 
package accordingly (it might take me more time).


Thanks,
Nick




Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-05-16 Thread Nick Milas

On 15/5/2011 12:47 PM, Nick Milas wrote:



I saw the 2193 tarball. I'll try to compile and test it tomorrow 
(Monday).




I am having a hard time trying to compile it. I installed (from CentOS 
repos) boost:


   boost-1.33.1-10.el5
   boost-devel-1.33.1-10.el5

but I was getting:

   checking for Boost headers version >= 103400... no
   configure: error: cannot find Boost headers version >= 103400

Then, I saw that boost-devel files are in /usr/include/boost and I tried 
with:


   CXXFLAGS=-I/usr/include/boost ./configure --with-modules="gmysql ldap"

or with:

   CXXFLAGS=-I/usr/include ./configure --with-modules="gmysql ldap"

but I kept getting the same error. So, I downloaded the source package 
from boost website, extracted it and tried with (as suggested here: 
http://rtfm.powerdns.com/compiling-powerdns.html):


   CXXFLAGS=-I/root/boost/boost_1_46_1 ./configure
   --with-modules="gmysql ldap"

With it, I am getting:

   checking for Boost headers version >= 103400... yes
   checking for Boost's header version... 1_33_1
   checking boost/foreach.hpp usability... yes
   checking boost/foreach.hpp presence... no
   configure: WARNING: boost/foreach.hpp: accepted by the compiler,
   rejected by the preprocessor!
   configure: WARNING: boost/foreach.hpp: proceeding with the
   compiler's result
   checking for boost/foreach.hpp... yes
   checking for the toolset name used by Boost for g++... gcc41 -gcc
   checking boost/program_options.hpp usability... yes
   checking boost/program_options.hpp presence... yes
   checking for boost/program_options.hpp... yes
   checking for the Boost program_options library... no
   configure: error: cannot not find the flags to link with Boost
   program_options

Why didn't the configure script find the boost headers as installed by 
the native RPM package?
(See the package contents at 
http://pkgs.org/centos-5-rhel-5/centos-rhel-x86_64/boost-devel-1.33.1-10.el5.x86_64.rpm.html)


Why didn't the source package work either?

Please advise!

Note: I only have x86_64 packages installed in the box.

Thanks,
Nick



Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-05-16 Thread Nick Milas

On 16/5/2011 12:50 PM, Imre Gergely wrote:



I think you need boost >=1.34, the default version in CentOS 5 is not 
enough.





Thank you. I thought "103400" meant v1.03.4 but it seems you are right, 
it obviously means v1.34.


So, I installed (from the EPEL repo) packages boost141 and 
boost141-devel and compilation went better, but it still stops later:


# CXXFLAGS=-I/usr/include/boost141 ./configure --with-modules="gmysql ldap"
...
checking for Boost headers version >= 103400... yes
checking for Boost's header version... BOOST_LIB_VERSION
configure: error: invalid value: boost_major_version=BOOSTLIB

It seems I should declare more flags, and I don't know how.

In the end, I decided and used packages boost-*-1.39.0-9.el5 from the 
atrpms repo and after that (I also had to install openldap-devel), 
configure finished OK. But make now has problems:


smysql.cc: In constructor ‘SMySQL::SMySQL(const string&, const 
string&, uint16_t, const string&, const string&, const string&)’:
smysql.cc:22: error: cannot convert ‘unsigned int*’ to 
‘const char*’ for argument ‘3’ to ‘int 
mysql_options(MYSQL*, mysql_option, const char*)’
smysql.cc:23: error: cannot convert ‘unsigned int*’ to 
‘const char*’ for argument ‘3’ to ‘int 
mysql_options(MYSQL*, mysql_option, const char*)’

make[3]: *** [smysql.lo] Error 1
make[3]: Leaving directory 
`/root/pdns-2193/pdns-3.0-rc2.20110514.2193/modules/gmysqlbackend'

make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory 
`/root/pdns-2193/pdns-3.0-rc2.20110514.2193/modules'

make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/pdns-2193/pdns-3.0-rc2.20110514.2193'
make: *** [all] Error 2

However I managed to compile/make/install using ldap only:

   ./configure --with-modules="ldap"

and now pdns works fine with ldap backend:

May 16 15:44:33 vdev pdns[15898]: PowerDNS 3.0-rc2.20110514.2193 (C) 
2001-2011 PowerDNS.COM BV (May 16 2011, 14:46:45, gcc 4.1.2 20080704 
(Red Hat 4.1.2-50)) starting up


Did some tests with queryperf and some AXFRs too. No errors and Ticket 
313 is handled (logging time by ldap backend is correct local time).


Can anyone tell me how to "make" including the gmysql backend?

Nick




Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-05-16 Thread Nick Milas

On 16/5/2011 4:19 PM, Ralf van der Enden wrote:


You need to use the --with-boost= option with ./configure and tell it
where to find the includes and libraries (i.e. --with-boost=/usr/local)




Thanks Ralf,

Your advice will be valuable in case I install boost in another 
non-conventional location (as I did with boost141). Now this problem is 
resolved because boost from atrpms repo installs in the standard location.


But now I don't know why there is problem in "making" the gmysql backend...

Thanks again,
Nick



Re: [Pdns-users] MongoDB Backend merged Re: Mongo DB and PowerDNS part 3: Now with DNSSEC

2011-05-25 Thread Nick Milas

On 14/4/2011 9:30 PM, bert hubert wrote:


Hi Fredrik,
I have just merged it with the build system based on your latest version. It
is part of build 2163, and will be shipped as 'experimental' with version
3.0.



Hi Fredrik and all,

I see here: http://doc.powerdns.com/mongo.html that pdns/mongodb 
supports Master functionality. I assume this means that it detects zone 
serial changes and sends Notify messages as needed (and then sends AXFR 
as requested by slaves).


My question is: how do you implement this functionality (conceptually), 
since Mongo DB (as far as I know) doesn't support triggers?


Can you provide some feedback on this please?

Thanks,
Nick




Re: [Pdns-users] MongoDB Backend merged Re: Mongo DB and PowerDNS part 3: Now with DNSSEC

2011-05-25 Thread Nick Milas

On 25/5/2011 11:25 PM, fredrik danerklint wrote:


PowerDNS asks each backend for domains which have a different 'notified_serial'
than 'serial' for the domain.



Thanks Fredrik for the info. If I understand it right, 'notified_serial' 
is the one PowerDNS knows as current for a domain, and 'serial' is the 
one stored in the same domain (in the backend), which may be updated or not.


But how/when is this question from PowerDNS triggered? I mean, how does 
PowerDNS know *when* to ask the backend for an updated serial?



This function is called getUpdatedMasters(vector* domains) and
exists in the source file 'master.cc' for MongoDB backend.


I understand that the above function is part of the master (if I name it 
correctly) process (i.e. not the backend). So, how is it in a file of 
the backend?



What PowerDNS expects after a call to this function is a list of all domains
that have a different serial number than the notified serial number.

Every backend can implement this functionality differently since PowerDNS
does not know how the information about a domain is stored.



That's trivial to retrieve, whatever the backend.


The good part that you asked about this is that I (you!) found a bug which
would not fill out the domains that have a different serial number against the
real serial number. I've sent Bert a patch to be included in the source code
to fix this.



I am glad I helped (even without knowing it) for a fix!


Nick



[Pdns-users] svn access to pdns backends

2011-05-26 Thread Nick Milas

Hi,

Can anyone please tell me how I can have svn access to pdns backends 
source tree?


I used:
svn co svn://svn.powerdns.com/pdns/trunk/pdns pdns
as indicated here: http://wiki.powerdns.com/trac/wiki/HACKING but in 
there I only see gmysql and bind backends.


I am mainly interested in LDAP and mongodb backends.

(Trying to probably become a hacker, now in my late days. ;-) )

Thanks,
Nick


Re: [Pdns-users] svn access to pdns backends

2011-05-26 Thread Nick Milas

On 26/5/2011 11:13 AM, Leen Besselink wrote:



I see the directories and files in pdns/modules/ (not pdns/pdns/backends !!)



Thanks, Leen.

You are right. I was confused. I see I should not look into 
/pdns/pdns/backends but in /pdns/modules.


Thanks, again
Nick


Re: [Pdns-users] MongoDB Backend merged Re: Mongo DB and PowerDNS part 3: Now with DNSSEC

2011-05-26 Thread Nick Milas

On 26/5/2011 3:44 PM, fredrik danerklint wrote:


Nick,

To answer all of your questions, please take a look at the source file
'communicator.cc'. At the end of that file there is a function called
"void CommunicatorClass::mainloop(void)" that checks slave and master every
other 'slave-cycle-interval' seconds (parameter taken from the pdns.conf
file). I assume that this function is running in a separate thread.

This is how PowerDNS knows when to send a update to other nameservers.



Actually, I am afraid things do not work like that. The 
'slave-cycle-interval' parameter is only used by slaves and only when 
they (the slaves) are in undetermined state, i.e. at launch. "Once a 
domain has been checked, it will not be checked before its SOA refresh 
timer has expired."


What I was asking is how the *Master* knows that the serial in the SOA 
of one of its zones has changed. If you have not implemented some 
solution, Master will never know that a serial (in its own backend!) has 
been changed, unless you manually let it know. The PowerDNS 
documentation states: "Some backends may be able to detect zone changes, 
others may choose to let the operator indicate which zones have changed 
and which haven’t. Consult the documentation for your backend to see how 
it processes changes in zones." The usual logical solution is the use of 
triggers (if your backend supports them).


Of course, for the Master it doesn't really matter to know that a serial 
has changed, because it directly refreshes its data (which is retrieved 
from the database). [ I don't know what happens with cached data, if 
they are used - LDAP backend doesn't use cached data; the LDAP server 
takes care of that. ] But the Master will not be able to Notify 
slaves... They will wait until their refresh interval (specified in the 
SOA) expires and only then they will ask the Master if serial has changed.


So, in fact you don't have what pdns calls Master operation, unless the 
backend on the Master provides a mechanism to detect serial changes and 
send Notify messages to slaves. If it doesn't, you must manually or 
semi-manually send Notify messages, as I am also now doing with LDAP 
backend, using a cron job to detect externally (i.e. not within the 
backend) serial changes and to send, when such changes are detected, 
Notify messages to slaves.


But I guess, when you don't have triggers, you could embed in the 
backend the above procedure. You could define a time parameter (perhaps 
changeable in the config) which would cycle domains (zones), 
automatically, as part of the backend process and detect serial changes. 
As I have explained earlier (in other threads), this works fine for a 
moderate number of zones. If the number of zones is high, however, it 
doesn't scale well.


Nick.
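
The externally driven serial check described in this message (cycle the zones, compare each SOA serial with the last one notified, send Notify on change), as an added Python example that is not part of the original post or of PowerDNS; the zone names, serials, state-file format and the `send_notify` callback are assumptions. It also flags serials that moved backwards under RFC 1982 comparison, because a slave will not transfer a zone whose serial is not newer than its own copy.

```python
import json
import os
import tempfile

MOD = 1 << 32    # SOA serials are unsigned 32-bit counters
HALF = 1 << 31


def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True when a is newer than b, allowing wraparound."""
    diff = (a - b) % MOD
    return diff != 0 and diff < HALF


def load_notified(path):
    """Read {zone: last notified serial}; a missing file means nothing was notified yet."""
    try:
        with open(path) as fh:
            return {zone: int(serial) for zone, serial in json.load(fh).items()}
    except FileNotFoundError:
        return {}


def save_notified(path, notified):
    """Write atomically so an interrupted run cannot leave a truncated state file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        json.dump(notified, fh, sort_keys=True)
    os.replace(tmp, path)


def changed_zones(current, notified):
    """Compare backend serials with notified serials.

    Returns (changed, backwards): every zone whose serial differs from the
    notified one, and the subset whose serial is not newer than the notified
    one (an operator error that slaves will silently ignore).
    """
    changed, backwards = [], []
    for zone in sorted(current):
        serial, last = current[zone], notified.get(zone)
        if last == serial:
            continue
        changed.append(zone)
        if last is not None and not serial_gt(serial, last):
            backwards.append(zone)
    return changed, backwards


def run_cycle(current, state_path, send_notify):
    """One polling pass, as a cron job would run it.

    current     -- {zone: SOA serial} as read from the backend
    send_notify -- hypothetical callable(zone, serial) -> bool wrapping whatever
                   tool actually sends the NOTIFY
    The notified serial is recorded only after a successful send, so a failed
    NOTIFY is retried on the next pass.
    """
    notified = load_notified(state_path)
    changed, backwards = changed_zones(current, notified)
    sent = []
    for zone in changed:
        if send_notify(zone, current[zone]):
            notified[zone] = current[zone]
            sent.append(zone)
    save_notified(state_path, notified)
    return sent, backwards


if __name__ == "__main__":
    # Constructed sample data: two zones, second pass bumps one serial.
    state = os.path.join(tempfile.mkdtemp(), "notified.json")
    announce = lambda zone, serial: print("NOTIFY", zone, serial) or True
    run_cycle({"example.net": 2011052601, "example.org": 2011052601}, state, announce)
    run_cycle({"example.net": 2011052602, "example.org": 2011052601}, state, announce)
```

Each pass reads every zone's serial, which is the cost that stops this approach scaling to a large number of zones.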



Re: [Pdns-users] MongoDB Backend merged Re: Mongo DB and PowerDNS part 3: Now with DNSSEC

2011-05-27 Thread Nick Milas

On 27/5/2011 12:59 AM, fredrik danerklint wrote:


Hopefully Bert can answer better than I can on this.

Have you read the documentation about writing a backend?
http://doc.powerdns.com/master-backends.html

It says that the backend only needs to have these two functions to function as
a master backend, and that's what I have done with the MongoDB backend.



Fredrik, you are right! The documentation states as you say: 
"Periodically, PDNS queries backends for domains that may have changed, 
and sends out notifications for slave nameservers."


It also says: "Some backends may be able to detect zone changes, others 
may choose to let the operator indicate which zones have changed and 
which haven't." (http://doc.powerdns.com/master.html)


So, please, be so kind as to answer one more question: When PDNS queries 
backends for updated serials, does it provide them with a list of the 
'notified_serial's (as per your explanation in a previous post of 
yours), that is, a list of all serials which it has previously used in 
notifications, or the backends have to maintain such a list (of 
previously notified serials)?


Sorry, I may be becoming tiresome, but I have a hard time running 
through the source code to find out this detail. I may have to find time 
to read a bit about programming in C.


I have a hard role to play without a regular maintainer on the LDAP 
backend.


Thank you VERY much for all the details you provide and your cooperation,
Nick




Re: [Pdns-users] MongoDB Backend merged Re: Mongo DB and PowerDNS part 3: Now with DNSSEC

2011-05-27 Thread Nick Milas

On 27/5/2011 10:16 AM, Jan-Piet Mens wrote:


If it were C, I could help you a bit -- the last time I looked
(admittedly a few years ago), PowerDNS was written in C++ ;-)




Thank you. Very kind of you.

It must be C++. Unfortunately, I am unfamiliar with both (C, C++).

I am an old tech guy: FORTRAN, Pascal (back in the late 80's), and in the 
last years I only have time for some medium internal web apps (mainly 
procedural and not object-oriented) using: php, coldfusion (some years 
ago), javascript/html. I also do a bit of basic bash scripting (for our 
admin tasks).


My aim here is to identify problems and (if possible) technical 
solutions to open issues on the LDAP backend, and request experienced 
developers to do the implementation. Perhaps I shouldn't, because I am 
now spending too much time and effort on this, while I have other 
serious pending tasks, but no one else will, at the moment.


Thankfully, Bert has taken over to fix some stuff. I am trying to assist 
him as much as possible.


Thanks again,
Nick




Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-05-29 Thread Nick Milas

I am sending this message as an update and a wrap-up for the LDAP backend:

Bug 313 (ldapbackend sets TZ to UTC but should not) is fixed (according 
to all test reports).


Bug 260 (LDAP backend doesn't try to reestablish connection once lost) 
will be fixed by Bert (I thank him in advance).


[Bug 37 (old, closed)]:
In the meantime I found that pdns_control does not work with the LDAP 
Backend to send Notify messages (although it should, according to the 
documentation). I have asked Bert, if he can, to kindly take a look in 
that too (when he looks into Bug 260 above, but he has not replied); 
this should be important for the completeness of PDNS with LDAP backend 
(see bug 37). Yet it's not crucial, thanks to third-party software: 
http://thewalter.net/stef/software/slapi-dnsnotify/notify-dns-slaves.1.html 
which works (this is what I am currently using).


Ticket #318 (Master (Notify) functionality with ldap backend):
Up to now, I was thinking that the absence of trigger support in LDAP 
was a reason why Master (Notify) functionality had not been included in 
the LDAP backend. Yet, as Fredrik Danerklint (of the MongoDB backend, 
whom I thank) has informed us, no triggering support is needed, because 
PDNS periodically asks the backends for fresh zones, providing them with 
a list of previously 'notified_serials'. So, it should be trivial (by 
any developer) to extend the backend so as to identify changed serials 
and create a list of changed zones (as required for the Master 
functionality).

Volunteers wanted.

No ticket: DNSSEC support
It will need Developer(s) with DNSSEC knowledge! Backend (LDAP) Server 
capabilities should not pose insurmountable obstacles.

Volunteers wanted.

Nick


Re: [Pdns-users] New ogslb release (v0.6)

2011-06-02 Thread Nick Milas

On 2/6/2011 10:59 AM, bert hubert wrote:


But we should still find a way to tell people that ogslb exists.

Any ideas?




Could it perhaps be included in the contrib directory in pdns?

And include a page in the standard pdns documentation about contribs, 
where a (short?) description of the ogslb project could be added 
(assuming of course that there is more extensive documentation in doc 
files of each ogslb release).


Even without adding the source code in /contrib, a special section in 
pdns documentation (e.g. Add-on software, like page 
http://www.postfix.org/addon.html offered by the Postfix project) could 
refer to this and other such projects, providing links (assuming that 
there is a website where one can find current source, documentation etc.)


Best Regards,
Nick



[Pdns-users] Can we disable recursor caching for local authoritative zones?

2011-06-09 Thread Nick Milas

Hi,

I am running powerdns authoritative (ldap backend) and recursor on the 
same box (latest stable versions).


I have noticed that when I change something in my local authoritative 
zones, these changes are not directly reflected to client requests, 
obviously due to recursor's cache.


Can I somehow disable recursor's cache for specific domains (zones), in 
particular the ("local") zones for which powerdns (running on the same 
box here, but could be running on a separate box as well) is authoritative?


Thanks,
Nick


Re: [Pdns-users] Can we disable recursor caching for local authoritative zones?

2011-06-09 Thread Nick Milas

On 9/6/2011 1:14 PM, Nick Milas wrote:



Can I somehow disable recursor's cache for specific domains (zones), 
in particular the ("local") zones for which powerdns (running on the 
same box here, but could be running on a separate box as well) is 
authoritative?





My setup is as follows (forgot it):

pdns.conf:

   ...
   allow-recursion=0.0.0.0/0, ::/0
   cache-ttl=60
   lazy-recursion=yes
   recursor=127.0.0.1:5300

recursor.conf:

   local-address=127.0.0.1:5300,[::1]:5300
   local-port=5300

OK, I got it. Switching

   lazy-recursion=no

does the trick.

Thanks,
Nick


Re: [Pdns-users] Trouble compiling pdns 2.9.22 on Centos

2011-06-17 Thread Nick Milas
Use boost packages (RPM) boost-*-1.39.0-9.el5 from the atrpms repo 
(http://packages.atrpms.net/dist/el5/boost/).


You can enable atrpms repo just to install the above packages using yum 
and then disable it again.


I found they work nicely.

Yet, I still had problems compiling (dev 3.0 versions) with MySQL 
support, but I compiled fine with LDAP support (which is my main interest).


However, why would you want to compile 2.9.22 for CentOS ? Use for example:
http://download.fedora.redhat.com/pub/epel/5/x86_64/pdns-2.9.22-3.el5.x86_64.rpm
or
http://centos.karan.org/el5/extras/testing/x86_64/RPMS/pdns-2.9.22-7.el5.kb.x86_64.rpm

Good luck,
Nick


On 17/6/2011 4:12 AM, Florian G. wrote:

Hello,

I am trying to compile pdns 2.9.22 on Centos 5.6 x64 but when I run .configure 
I get this error:
 Missing boost - please install Boost packages or see 
http://doc.powerdns.com/compiling-powerdns.html





Re: [Pdns-users] Trouble compiling pdns 2.9.22 on Centos

2011-06-17 Thread Nick Milas

On 17/6/2011 6:48 PM, Florian G. wrote:


Thank you very much for the info, I'll try atrpms tonight! Did you put CXXFLAGS 
before ./configure?

I did install pdns from the EPEL rpm, it's just that I have an idea or two 
about tweaking the geo backend for my specific needs -- that's why I need to 
compile from source.



I only did:
./configure --with-modules="ldap"

and this worked fine. If you use the boost packages from atrpms, you 
don't need to add any CXXFLAGS for boost.


If I remember right, to install the boost packages from atrpms, I 
added/enabled the repo and then I ran:


   yum install boost.x86_64 boost-devel.x86_64

This should install all boost RPMs (which are numerous) by resolving 
dependencies.


Note, also, that when I tried to compile mysql backend, it didn't 
succeed (I haven't found a solution on that).


Good luck.
Nick



Re: [Pdns-users] Trouble compiling pdns 2.9.22 on Centos

2011-06-18 Thread Nick Milas

On 18/6/2011 4:33 PM, Florian G. wrote:


Thank you for the help. I was able to install boost 1.39 from the atrpms 
repository just fine, but I still get the Missing boost error.




Hi Florian,

I am afraid I am not an expert with compiling; what I usually do (on 
CentOS, when I plan to compile):


   yum groupinstall "Developer Tools"

This will ensure you have most (if not all) of needed software/libraries.

Then try (with atrpms repo enabled):

   yum install boost-* (or boost*, I am not sure now)

in case the command I gave you earlier did not install all boost libraries.

Nick



Re: [Pdns-users] Trouble compiling pdns 2.9.22 on Centos

2011-06-18 Thread Nick Milas

On 18/6/2011 7:17 PM, Florian G. wrote:


I ran
./configure --with-dynmodules="geo"
but I guess somehow it still tries to compile all the modules, not just the 
module I want.



Try:
./configure --with-modules="bind geo"

The modules will be compiled-in, not dynamic, but you'll most probably 
bypass the mysql errors.


Nick


Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-07-07 Thread Nick Milas

On 14/5/2011 10:12 PM, bert hubert wrote:


On Fri, May 13, 2011 at 04:35:13PM +0300, Nick Milas wrote:

On 30/4/2011 11:00 AM, Nick Milas wrote:


   (i) It would not be difficult to include at least the proposed patch
   for Ticket #313
(http://mailman.powerdns.com/pipermail/pdns-users/2010-September/007004.html)
   in one v3.0 build so we can install and test.
   (ii) I would encourage PowerDNS developers to only provide a
   solution for Ticket #260 (= #323) (this time/effort should be very
   low) which is the minimum to keep LDAP backend in production status
   in the new versions. So, it will gain time to hopefully...

You haven't replied on my request (i). Could you include the above
patch in one v3.0 build so we (users of ldap backend) can test
whether it works OK?

Well, you are proof that if you keep nagging you might get your way.

2193 has the fix for 313 suggested in that URL, it is building now.


I was hoping that you would answer favorably to (ii) above, as well,
but anyway...  Hope never dies... ;-)

If you make a script that sets up LDAP so that I can test, I'll see. But I'm
not going to delve into anything, you need to get me something that after
I've apt-get installed the ldap server it sets up a working powerdns
environment.

Ber



Hi Bert,

As it's almost two months already since your last post regarding LDAP 
backend (see above), and Ticket 313 has been resolved since build 2193, 
have you had any chance to look into Ticket 260, esp. after people here 
have provided scripts for LDAP setup (and I have provided access to a 
test LDAP Server, complete with DNS records, which is up and running; 
you can either work on my server locally, by logging in using SSH, or 
you can work at your own machines, connecting to the test LDAP Server 
remotely, at standard port 389).


Could you please give us LDAP-backend users an update as we are closing 
to 3.0 release?


[Parenthetically, I feel I must also refer here to the issue with 
pdns_control not working with LDAP backend to send Notify messages - old 
Bug #37 (closed, but should probably be re-opened).]


Thank you very much,
Nick



Re: [Pdns-users] Status of the LDAP backend in 3.0 release

2011-07-15 Thread Nick Milas

On 7/7/2011 2:56 PM, Nick Milas wrote:



Could you please give us LDAP-backend users an update as we are 
closing to 3.0 release?


[Parenthetically, I feel I must also refer here to the issue with 
pdns_control not working with LDAP backend to send Notify messages - 
old Bug #37 (closed, but should probably be re-opened).]





I have been notified (off-list) by Bert that package 2235 
(http://powerdnssec.org/downloads/pdns-3.0-rc2.20110714.2235.tar.gz) 
fixes long-standing Ticket #260 (= #323) 
[http://wiki.powerdns.com/trac/ticket/260].


I've compiled and tested and it works fine.

Thank you Bert.

If by any chance Bert has time to see what's wrong with pdns_control 
(http://wiki.powerdns.com/trac/ticket/37) when used with ldap backend, 
then PowerDNS can boast standalone (without need of external software) 
LDAP support at (semi-) master level. (Full Master support will be 
available after Ticket #318 is closed, not any time soon I am afraid, 
unless someone takes over LDAP backend support.)


Thanks again,
Nick



Re: [Pdns-users] PowerDNS Authoritative Server 3.0-rc3 (FINAL!) released

2011-07-19 Thread Nick Milas

Hi,

I have installed 
http://downloads.powerdns.com/releases/rpm/pdns-static-3.0rc3-1.x86_64.rpm 
and I am trying to run it on CentOS 5.6 x86_64 with LDAP backend, but it 
doesn't seem to work (does this static package support LDAP?):


Jul 20 09:14:40 dns2 pdns[11633]: Guardian is launching an instance
Jul 20 09:14:40 dns2 pdns[11633]: dnsbackend unable to load module in ldap
Jul 20 09:14:41 dns2 pdns[11631]: Our pdns instance exited with code 1
Jul 20 09:14:41 dns2 pdns[11631]: Respawning
Jul 20 09:14:42 dns2 pdns[11634]: Guardian is launching an instance
Jul 20 09:14:42 dns2 pdns[11634]: dnsbackend unable to load module in ldap
Jul 20 09:14:42 dns2 pdns[11631]: Our pdns instance exited with code 1
Jul 20 09:14:42 dns2 pdns[11631]: Respawning
Jul 20 09:14:43 dns2 pdns[11635]: Guardian is launching an instance
Jul 20 09:14:43 dns2 pdns[11635]: dnsbackend unable to load module in ldap
Jul 20 09:14:43 dns2 pdns[11631]: Our pdns instance exited with code 1
Jul 20 09:14:43 dns2 pdns[11631]: Respawning
...

I didn't have any issues with 
http://powerdnssec.org/downloads/pdns-3.0-rc2.20110714.2235.tar.gz 
compiled from source.


Am I doing anything wrong?

Please advise.

Thanks,
Nick

On 19/7/2011 2:56 PM, bert hubert wrote:


PowerDNS Authoritative Server 3.0-RC3

...






Re: [Pdns-users] PowerDNS Authoritative Server 3.0-rc3 (FINAL!) released

2011-07-19 Thread Nick Milas

On 20/7/2011 9:36 AM, bert hubert wrote:

Kees Monshouwer usually builds CentOS native packages for PowerDNS releases,
I hope he'll find the time shortly!


If he also can document (in detail!) the process of building these 
packages, we will appreciate that! This will enable other people to 
build such packages too, so that creation/distribution/testing of such 
packages may become much easier and result in a wider cooperative effort!


In the meantime, I have switched back to 2.9.22 RPMs. (I don't want to 
use a manually compiled version on that machine.)


By the way, if compiling/installing from source, is there a way to do a 
complete uninstall (like "make uninstall")? That would be very useful in 
many scenarios.


Thanks,
Nick


Re: [Pdns-users] PowerDNS Authoritative Server 3.0-rc3 (FINAL!) released

2011-07-20 Thread Nick Milas

On 20/7/2011 10:46 AM, Ian Mordey wrote:


So it looks like Kees has built the packages for EL5 and they are available 
here:
http://www.monshouwer.eu/download/3th_party/pdns-server/el5/rc/


Tried to install but there are problems (see below). It seems we need 
various boost packages (which I found here: 
http://www.monshouwer.eu/download/3th_party/boost/el5/) but I was 
thinking that boost should be needed for development and not for 
completed RPMs. Am I right?


Any ideas?

# yum install pdns-server-3.0-rc3.1.el5.MIND.x86_64.rpm 
pdns-server-backend-ldap-3.0-rc3.1.el5.MIND.x86_64.rpm

Loaded plugins: fastestmirror, priorities
Loading mirror speeds from cached hostfile
 * addons: ftp.ntua.gr
 * base: ftp.ntua.gr
 * extras: ftp.ntua.gr
 * updates: ftp.ntua.gr
8 packages excluded due to repository priority protections
Setting up Install Process
Examining pdns-server-3.0-rc3.1.el5.MIND.x86_64.rpm: pdns-server-3.0-rc3.1.el5.MIND.x86_64
Marking pdns-server-3.0-rc3.1.el5.MIND.x86_64.rpm to be installed
Examining pdns-server-backend-ldap-3.0-rc3.1.el5.MIND.x86_64.rpm: pdns-server-backend-ldap-3.0-rc3.1.el5.MIND.x86_64
Marking pdns-server-backend-ldap-3.0-rc3.1.el5.MIND.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package pdns-server.x86_64 0:3.0-rc3.1.el5.MIND set to be updated
--> Processing Dependency: boost-program-options >= 1.34.0 for package: pdns-server
--> Processing Dependency: boost-serialization >= 1.34.0 for package: pdns-server
--> Processing Dependency: lua for package: pdns-server
--> Processing Dependency: libboost_program_options-mt.so.5()(64bit) for package: pdns-server
--> Processing Dependency: libboost_serialization-mt.so.5()(64bit) for package: pdns-server
--> Processing Dependency: liblua-5.1.so()(64bit) for package: pdns-server
---> Package pdns-server-backend-ldap.x86_64 0:3.0-rc3.1.el5.MIND set to be updated
--> Finished Dependency Resolution
pdns-server-3.0-rc3.1.el5.MIND.x86_64 from /pdns-server-3.0-rc3.1.el5.MIND.x86_64 has depsolving problems
  --> Missing Dependency: libboost_program_options-mt.so.5()(64bit) is needed by package pdns-server-3.0-rc3.1.el5.MIND.x86_64 (/pdns-server-3.0-rc3.1.el5.MIND.x86_64)
pdns-server-3.0-rc3.1.el5.MIND.x86_64 from /pdns-server-3.0-rc3.1.el5.MIND.x86_64 has depsolving problems
  --> Missing Dependency: lua is needed by package pdns-server-3.0-rc3.1.el5.MIND.x86_64 (/pdns-server-3.0-rc3.1.el5.MIND.x86_64)
pdns-server-3.0-rc3.1.el5.MIND.x86_64 from /pdns-server-3.0-rc3.1.el5.MIND.x86_64 has depsolving problems
  --> Missing Dependency: boost-serialization >= 1.34.0 is needed by package pdns-server-3.0-rc3.1.el5.MIND.x86_64 (/pdns-server-3.0-rc3.1.el5.MIND.x86_64)
pdns-server-3.0-rc3.1.el5.MIND.x86_64 from /pdns-server-3.0-rc3.1.el5.MIND.x86_64 has depsolving problems
  --> Missing Dependency: boost-program-options >= 1.34.0 is needed by package pdns-server-3.0-rc3.1.el5.MIND.x86_64 (/pdns-server-3.0-rc3.1.el5.MIND.x86_64)
pdns-server-3.0-rc3.1.el5.MIND.x86_64 from /pdns-server-3.0-rc3.1.el5.MIND.x86_64 has depsolving problems
  --> Missing Dependency: libboost_serialization-mt.so.5()(64bit) is needed by package pdns-server-3.0-rc3.1.el5.MIND.x86_64 (/pdns-server-3.0-rc3.1.el5.MIND.x86_64)
pdns-server-3.0-rc3.1.el5.MIND.x86_64 from /pdns-server-3.0-rc3.1.el5.MIND.x86_64 has depsolving problems
  --> Missing Dependency: liblua-5.1.so()(64bit) is needed by package pdns-server-3.0-rc3.1.el5.MIND.x86_64 (/pdns-server-3.0-rc3.1.el5.MIND.x86_64)
Error: Missing Dependency: liblua-5.1.so()(64bit) is needed by package pdns-server-3.0-rc3.1.el5.MIND.x86_64 (/pdns-server-3.0-rc3.1.el5.MIND.x86_64)
Error: Missing Dependency: boost-serialization >= 1.34.0 is needed by package pdns-server-3.0-rc3.1.el5.MIND.x86_64 (/pdns-server-3.0-rc3.1.el5.MIND.x86_64)
Error: Missing Dependency: libboost_program_options-mt.so.5()(64bit) is needed by package pdns-server-3.0-rc3.1.el5.MIND.x86_64 (/pdns-server-3.0-rc3.1.el5.MIND.x86_64)
Error: Missing Dependency: boost-program-options >= 1.34.0 is needed by package pdns-server-3.0-rc3.1.el5.MIND.x86_64 (/pdns-server-3.0-rc3.1.el5.MIND.x86_64)
Error: Missing Dependency: libboost_serialization-mt.so.5()(64bit) is needed by package pdns-server-3.0-rc3.1.el5.MIND.x86_64 (/pdns-server-3.0-rc3.1.el5.MIND.x86_64)
Error: Missing Dependency: lua is needed by package pdns-server-3.0-rc3.1.el5.MIND.x86_64 (/pdns-server-3.0-rc3.1.el5.MIND.x86_64)


Nick



Re: [Pdns-users] Fwd: Re: PowerDNS Authoritative Server 3.0-rc3 (FINAL!) released

2011-07-20 Thread Nick Milas

On 20/7/2011 12:14 μμ, Kees Monshouwer wrote:


Hello Nick

Starting with version 3 you need them at runtime...


On 20-7-2011 10:33, Nick Milas wrote:

...I was thinking that boost should be needed for development and not for completed RPMs. Am I right?





OK,

I first installed atrpms repo (directions: 
http://atrpms.net/documentation/install/) to avoid downloading one by 
one from (if kees' depot allows repo operation, please provide info) and 
then:


   # yum install boost*.x86_64

I also downloaded and installed lua from 
http://www.monshouwer.eu/download/3th_party/lua/el5/lua-5.1.4-4.1.el5.MIND.x86_64.rpm:


   # yum install lua-5.1.4-4.1.el5.MIND.x86_64.rpm
   ...
   Package lua-5.1.4-4.1.el5.MIND.x86_64.rpm is not signed

   # rpm -ivh lua-5.1.4-4.1.el5.MIND.x86_64.rpm
   Preparing...### [100%]
   1:lua###[100%]

and finally I downloaded and installed packages from 
http://www.monshouwer.eu/download/3th_party/pdns-server/el5/:


   # rpm -ivh pdns-server-3.0-rc3.1.el5.MIND.x86_64.rpm pdns-server-backend-ldap-3.0-rc3.1.el5.MIND.x86_64.rpm


Note: default pdns.conf is at /etc/powerdns/ and system init file is 
called pdns-server. So:


   # service pdns-server start

and

   # chkconfig pdns-server on

Everything seems to be running smoothly up to now.

Nick.
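
In the message above, yum refused the lua package with "is not signed" and the install was then done with rpm -ivh, which performs no such refusal. As an added example (not part of the original post), the check below gates an install on the verdict of `rpm -K`; the function names are hypothetical, and the sample lines in the comments are constructed in the formats `rpm -K` prints on older (EL5-era) and newer rpm releases, as an assumption about the installed rpm version.

```shell
#!/bin/sh
# Added example: classify one line of `rpm -K` (--checksig) output.
# Constructed sample lines this function is meant to handle:
#   lua-5.1.4-4.1.el5.MIND.x86_64.rpm: sha1 md5 OK          (digests only, unsigned)
#   pkg.rpm: (sha1) dsa sha1 md5 gpg OK                      (signed, key trusted)
#   pkg.rpm: digests signatures OK                           (newer rpm, signed)
#   pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)

# classify_checksig LINE -> prints signed-ok | unsigned | bad
classify_checksig() {
    result=${1#*: }                      # drop the "filename: " prefix
    case $result in
        *"NOT OK"*) echo bad; return 0 ;;   # failed digest, bad or unknown key
        *OK) ;;                             # verdict line ends in OK: inspect it
        *) echo bad; return 0 ;;            # anything unrecognised is rejected
    esac
    # A passing line only proves integrity of the file as downloaded unless
    # a signature token is present alongside the digest tokens.
    for tok in $(printf '%s' "$result" | tr 'A-Z' 'a-z' | tr -d '()'); do
        case $tok in
            signatures|gpg|pgp|rsa|dsa) echo signed-ok; return 0 ;;
        esac
    done
    echo unsigned
}

# install_if_signed PKG: run `rpm -ivh` only when the signature verified
# against a key already imported into the rpm database.
install_if_signed() {
    pkg=$1
    verdict=$(classify_checksig "$(LC_ALL=C rpm -K "$pkg" 2>&1 | tail -n 1)")
    if [ "$verdict" = signed-ok ]; then
        rpm -ivh "$pkg"
    else
        echo "refusing to install $pkg: checksig verdict is $verdict" >&2
        return 1
    fi
}
```

For a package that comes back "unsigned", the remaining option is to compare its digest with one published by the packager over a separate channel before installing.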


[Pdns-users] Error with pdns v3.0 RC3 with LDAP backend - queries return wrong results after backend connection is lost and re-established

2011-07-21 Thread Nick Milas

Hi,

This (most probably) has to do with the fix of Ticket #260.

I noticed that in case pdns loses contact with the backend ldap server, 
when it recovers, it no more returns correct results to DNS queries. For 
some hosts it returns only A record, for others only  record and in 
some cases no record at all (no SERVFAIL notice; both A and  records 
are defined).


After a pdns-server restart, the problem no more occurs (until there is 
a disconnect with ldap server again).


Initially I thought it had to do with LDAP server issues and I tried 
slapindex, but this did not correct the problem.


I see this behavior consistently (always) when connection with ldap 
server is lost and re-established and is always solved when pdns-server 
is restarted (and only then).


Please advise.

Thanks,
Nick


Re: [Pdns-users] Error with pdns v3.0 RC3 with LDAP backend - queries return wrong results after backend connection is lost and re-established

2011-07-21 Thread Nick Milas

On 21/7/2011 11:27 πμ, bert hubert wrote:


Can you reproduce with query-cache-ttl=0 and negquery-cache-ttl=0 and
cache-ttl=0 ?


Yes, same behavior, even with the above directives.

Nick


[Pdns-users] Management of compiled (installed from source) pdns software

2011-07-21 Thread Nick Milas

On 20/7/2011 9:54 πμ, Nick Milas wrote:



By the way, if compiling/installing from source, is there a way to do 
a complete uninstall (like "make uninstall")? That would be very 
useful in many scenarios.





Hi,

I have installed v3.0 build 2235 on a CentOS box from source.

How can I test final v3.0 RC3 as an RPM on the same box? Is it possible 
to remove the compiled from source version before installing the RPM? How?


I don't think I should have both installed at the same time, as there 
are filename/path differences.


Also, when building from source, should the build process be done as a 
non-root user (as is generally recommended)?


Please help.

Thanks,
Nick


Re: [Pdns-users] Error with pdns v3.0 RC3 with LDAP backend - queries return wrong results after backend connection is lost and re-established

2011-07-22 Thread Nick Milas

On 21/7/2011 2:05 μμ, Nick Milas wrote:

What I found by further testing (disabled recursor running on the same 
machine) is that, after pdns loses connection with ldap server, when 
ldap is available again pdns hangs...


As a follow-up, I would like to note that this problem seems to have 
been partly resolved in v3.0 (final). I am running v3.0 Kees' CentOS 
RPMs with LDAP backend.


When the connection to the backend db (LDAP Server) is lost and 
re-established, there is no more pdns hanging, but results returned to 
DNS queries continue to be not always correct for the authoritative 
domain *when there is a pdns-recursor running on the same machine* (our 
normal setup).


I don't know what is happening, but "lazy-recursion=no", and all cache 
values are configured 0.


If the recursor service is stopped, pdns provides correct replies for 
the authoritative domain.


Please advise.

Nick



Re: [Pdns-users] Error with pdns v3.0 RC3 with LDAP backend - queries return wrong results after backend connection is lost and re-established

2011-08-24 Thread Nick Milas

On 22/7/2011 8:32 μμ, Nick Milas wrote:


On 21/7/2011 2:05 μμ, Nick Milas wrote:

What I found by further testing (disabled recursor running on the 
same machine) is that, after pdns loses connection with ldap server, 
when ldap is available again pdns hangs...


As a follow-up, I would like to note that this problem seems to have 
been partly resolved in v3.0 (final). I am running v3.0 Kees' CentOS 
RPMs with LDAP backend.


When the connection to the backend db (LDAP Server) is lost and 
re-established, there is no more pdns hanging, but results returned to 
DNS queries continue to be not always correct for the authoritative 
domain *when there is a pdns-recursor running on the same machine* 
(our normal setup).


I don't know what is happening, but "lazy-recursion=no", and all cache 
values are configured 0.


If the recursor service is stopped, pdns provides correct replies for 
the authoritative domain.


Please advise.




Hello,

May I ask if there are any developments on this issue? (Malfunction of 
fix for Ticket #260 ?)


All the best,
Nick


Re: [Pdns-users] LDAP backend and subdomain delegation

2011-09-12 Thread Nick Milas

On 12/9/2011 3:41 μμ, Cyril Jaquier wrote:


Hi all,

I'm trying to setup a subdomain delegation using the LDAP backend but
did not manage to get it working so far. I found this post on the web
and that is exactly the problem I'm facing:



Hi Cyril,

According to this thread: 
http://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg01488.html, 
"delegation of normal zones (sub.test.dom) is simple as you only need a 
SOA and a NS record for your subdomain where the NS record points to the 
name server providing records of the subdomain."


Delegation with the LDAP backend should use simple mode, not "tree". (I 
don't know about strict mode.)


Also note:

1. I have no experience with delegated subdomains using pdns/ldap - we
   are using only virtual subdomains (with no SOA record).
2. I would say that the best setup should be to have authoritative
   server(s) running on different box(es) than the recursive one(s).
   Yet, with my setup (also with auth server v2.9.22 and recursive
   server on the same box), I have no problems - but no delegations
   either.
   If your recursor runs on another box (standalone), so that all your
   systems query this server and not the authoritative server(s)
   directly, do you still have problems?
3. Unfortunately, pdns LDAP backend is now unmaintained. No
   developer(s) are currently supporting it; we (pdns/ldap community)
   are looking for one (or more) volunteer(s) developer(s) to continue
   support or individuals/corporations that would finance development.
   Otherwise, we are alone in the desert sticking with what we find
   working.

By the way, are you a new or older user of pdns/LDAP backend?

Let us know of your findings,
Nick



Re: [Pdns-users] Question about Authoritative Server 3.0 and Recursor 3.3

2011-09-18 Thread Nick Milas

On 18/9/2011 10:08 μμ, IRCHeaven Technical Support wrote:


Hello,

I have a question about Authoritative Server 3.0 and Recursor 3.3

Is it possible to run this on one server and then make a master/slave
configuration so that both servers has an Authoritative server and a
recursor?
I have searched the docs for it but I can't find any information about this.


No problem; the configuration you describe works.

Just configure only one of the authoritative servers to send Notify 
messages to slaves (if there are any).


What backend are you planning to use?

Nick


Re: [Pdns-users] Error with pdns v3.0 RC3 with LDAP backend - queries return wrong results after backend connection is lost and re-established

2011-09-21 Thread Nick Milas

On 24/8/2011 5:56 μμ, Nick Milas wrote:



May I ask if there are any developments on this issue? (Malfunction of 
fix for Ticket #260 ?)


I was hoping that Bert would provide a final fix for this issue, since 
he offered to fix it in the first place (after my nagging), and I trust 
his expertise, but after two months I have seen no activity whatsoever - 
and no replies to my occasional requests for an update either...


If no progress seems to be under way in correcting the operation of 
current authoritative version 3.0 to work properly with ldap backend 
with the fix of Ticket #260, I would like to request to either:


A/ revert to ldap backend code as it was without the fix of Ticket #260 
in new releases (this approach will cause a pdns hang when the ldap 
server is temporarily unavailable)
B/ leave as is but warn users that current v3.0 with ldap backend should 
not be setup together with recursive server on the same box (this 
approach will prevent current users with that setup to upgrade to v3.0)


By the way, no more LDAP backend users (or would-be users) around in 
this list any more?


Nick



Re: [Pdns-users] evaluating powerdns web frontends

2011-10-19 Thread Nick Milas

On 19/10/2011 1:15 μμ, Angel Bosch Mora wrote:


I just want to point that in case you use LDAP as backend there's a lot of 
customizable LDAP clients you can use.



Angel, with such tools you manage the database, not DNS.

Frontends (should) allow easy creation/maintenance of domains and RRs 
with auto creation of reverse records, multiple automatic sanity checks 
etc, which are not done by simple management tools. In a few words, they 
are DNS-centric and not database-centric.


As with LDAP, I remind you that it is in unmaintained status! (At least 
v2.9.22 works decently.)


Nick



Re: [Pdns-users] evaluating powerdns web frontends

2011-10-19 Thread Nick Milas

On 19/10/2011 12:51 μμ, Peter van Dijk wrote:


What I am looking for:
- any projects I missed


Check GOSA which supports LDAP backend.


- any and all opinions on any of the projects above


Haven't used any (neither GOSA).


- what information you would like to see in an overview of existing projects 
(I'm thinking of 'does it do mysql', 'does it do postgres', 'does it do users, 
resellers, etc.', 'what does it cost', 'how does it handle reverse DNS')


The info you mention is most important (i.e. backend support, 
administrative user management and access policies, cost, reverse dns 
handling). Add:


 * if they support IPv6 (forward and reverse),
 * CNAMEs
 * DNSSEC.
 * if they require major setup effort
 * main software requirements (e.g. php version, mysql version etc.)

Any and all reviews are very important!

Your effort is useful, anyway!

Thanks,
Nick


Re: [Pdns-users] evaluating powerdns web frontends

2011-10-19 Thread Nick Milas

On 19/10/2011 1:33 μμ, Jan-Piet Mens wrote:

And since we're nitpicking, let's call it a directory, shall we? :-) 


Or the DIT! ;-)

I just wanted to use a more generic term to depict the difference 
between managing the data directly in their store (whatever the store) 
and managing them as DNS "objects", with all associated logic included 
in an application (which will carry out tasks which otherwise would have 
been done manually).


Nick



Re: [Pdns-users] PowerDNS Security Advisory 2012-01: Denial of Service vulnerability in most versions of the PowerDNS Authoritative Server

2012-01-11 Thread Nick Milas

On 10/1/2012 9:04 μμ, bert hubert wrote:


Tarballs and new static builds (32/64bit, RPM/DEB) of 2.9.22.5
and 3.0.1 have been uploaded to our download site. Kees Monshouwer has provided
updated CentOS/RHEL packages in his repository.


Hello,

I haven't been able to find 2.9.22.5 binary packages (RHEL/CENTOS 5, 
64bit) on any of the repos.


Could someone please provide some guidance to find these packages?

Question: I guess this version has not included any changes in the LDAP 
backend (yes, I am still using it)?


If possible, it should include ONLY the proposed patch for Ticket #313, 
which was successfully tested:

http://mailman.powerdns.com/pipermail/pdns-users/2010-September/007004.html
It should NOT include any other (LDAP backend-related) fix, e.g. for 
Ticket #260 (= #323).


Thanks,
Nick


