Re: [Pdns-users] How to config pdns to send notification to addres not in "IN NS" record.

2024-03-12 Thread Nico Cartron via Pdns-users

> On 12 Mar 2024, at 12:54, Brian Candler via Pdns-users 
>  wrote:
> 
> On 12/03/2024 11:40, Bino Oetomo wrote:
>> I run --> tcpdump -vv --interface eth1 port 53 at powerdns box , got no 
>> traffic indicating notification sent.
>> But when I restart the bind9 service at the slave, tcpdump shows some 
>> traffic to and from slave.
>> 
>> So still IMHO my pdns box did not send any notification to slaves.
> 
> OK, so next you said you "did some record editing ", how exactly did you do 
> that? Editing the zone files and restarting or reloading pdns? Via the API? 
> Something else?
> 
> There's information about the bind backend, including its behavior w.r.t. 
> notifies, here:
> 
> https://doc.powerdns.com/authoritative/backends/bind.html
> 
> In particular, note that restarting powerdns will *not* send out notifies.

Also, make sure that the zone on PowerDNS is set to “Primary” and not Native. 
Else no Notify will be sent. 

Happened to me recently ;) see 
https://www.ncartron.org/making-powerdns-send-notifies-to-secondaries.html
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
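To make the two points in this thread concrete (a Native zone never sends NOTIFY; servers that are not in the NS set are reached through the also-notify setting or the ALSO-NOTIFY zone metadata), here is an added example that is not PowerDNS code: a simplified model of how the NOTIFY target list is built. The NS-name-to-address table, the local-address list and the zone data are constructed; the self-exclusion rule is simplified to "drop my own listening addresses" and target ports are left out.

```python
"""Which servers a PowerDNS Authoritative zone would NOTIFY (simplified model).

Added example, not PowerDNS code. Zone kinds, the also-notify setting,
the ALSO-NOTIFY zone metadata and the only-notify netmask filter are the
documented knobs; the data below is constructed for the example.
"""
import ipaddress

# Constructed: what the NS hostnames of the zone resolve to.
RESOLVE = {
    "ns1.example.org.": ["192.0.2.1"],
    "ns2.example.org.": ["192.0.2.2", "2001:db8::2"],
}

# Constructed: the addresses this primary listens on (it does not notify itself).
LOCAL_ADDRESSES = {"192.0.2.1"}


def notify_targets(zone_kind, ns_records, also_notify_setting="",
                   also_notify_metadata=(), only_notify=("0.0.0.0/0", "::/0")):
    """Return the set of addresses that would receive a NOTIFY for the zone.

    zone_kind            -- "Native", "Primary"/"Master" or "Secondary"/"Slave"
    ns_records           -- hostnames from the zone's apex NS records
    also_notify_setting  -- the global also-notify setting (comma separated)
    also_notify_metadata -- ALSO-NOTIFY zone metadata entries
    only_notify          -- netmasks a target must fall in (global only-notify)
    """
    # Only Primary zones send NOTIFY: a Native zone expects the backend itself
    # to replicate (shared database) and a Secondary zone receives NOTIFYs.
    if zone_kind.lower() not in ("primary", "master"):
        return set()

    candidates = set()
    for ns in ns_records:
        candidates.update(ip for ip in RESOLVE.get(ns, []) if ip not in LOCAL_ADDRESSES)
    candidates.update(e.strip() for e in also_notify_setting.split(",") if e.strip())
    candidates.update(also_notify_metadata)

    # only-notify: anything outside the allowed netmasks is silently dropped
    # (an address of the other IP version is never "in" a netmask).
    allowed = [ipaddress.ip_network(n) for n in only_notify]
    return {c for c in candidates
            if any(ipaddress.ip_address(c) in net for net in allowed)}


if __name__ == "__main__":
    ns = ["ns1.example.org.", "ns2.example.org."]
    print("Native: ", notify_targets("Native", ns))
    print("Primary:", notify_targets("Primary", ns,
                                     also_notify_setting="192.0.2.50",
                                     also_notify_metadata=["2001:db8::50"]))
    print("only-notify 192.0.2.0/24:",
          notify_targets("Primary", ns, also_notify_setting="198.51.100.7",
                         only_notify=["192.0.2.0/24"]))
```

The practical check is the first branch: if pdnsutil reports the zone as Native, no amount of also-notify will produce traffic on port 53, which matches what the tcpdump in this thread showed.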


Re: [Pdns-users] Lightning Stream LMDB - Encryption ?

2023-09-07 Thread Nico Cartron via Pdns-users

Hi Laura,

On 9/7/23 14:48, Laura Smith via Pdns-users wrote:
> PDNS with Lightning Stream LMDB looks like a welcome addition but 
> having briefly glanced over the docs, I cannot see any client-side 
> encryption settings, not even the option to use CMK on S3 blobs.
> 
> Are there eventual plans for adding encryption capabilities to 
> Lightning Stream ?
> 
> In addition, it would be nice to see the S3 connector be enhanced to 
> support more authentication options such as:
> 
>   * Use of AWS roles
>   * Use of AWS Security Token Service (AWS STS)
>   * Use of X.509 certs (IAM Roles Anywhere)
> 
> Whilst there will clearly still be many people out there only using 
> Access Key + Secret Key, environments with a hardened security posture 
> need some extra knobs and dials.

Bear in mind the implementation is not specific to AWS S3 - I tested 
Lightning Stream against Backblaze B2 and it works perfectly.


--
Nico


Re: [Pdns-users] Issue with lightningstream replication not working

2023-05-19 Thread Nico Cartron via Pdns-users

Hi again,

On 5/18/23 09:15, Nico Cartron via Pdns-users wrote:
> Answering myself after it was pointed out to me off-list that I was 
> missing
> 
> lmdb-shards=1
> 
> in my pdns.conf
> 
> I don't know how I missed that, but as soon as I added that line, 
> lightningstream sync worked straight away and I can now see all 
> changes propagated in both directions - new zones, editing the content 
> of a zone etc


For those interested, I wrote a blog post about the installation of PDNS 
+ Lightning Stream on FreeBSD: 
https://www.ncartron.org/testing-powerdns-lightning-stream-to-sync-lmdb-backends.html 



Cheers,

--
Nico



Re: [Pdns-users] Issue with lightningstream replication not working

2023-05-18 Thread Nico Cartron via Pdns-users

Answering myself after it was pointed out to me off-list that I was missing

lmdb-shards=1

in my pdns.conf

I don't know how I missed that, but as soon as I added that line, 
lightningstream sync worked straight away and I can now see all changes 
propagated in both directions - new zones, editing the content of a zone etc


Thank you Konrad! :-)

Cheers,

--
Nico



[Pdns-users] Issue with lightningstream replication not working

2023-05-17 Thread Nico Cartron via Pdns-users

Hi,

I'm testing PDNS Auth 4.8-beta1 with lightningstream on FreeBSD 13.

I compiled PDNS manually with LMDB module (and gmake, as suggested in 
the README), and am using Backblaze B2 as S3 backend.
The Lightningstream log indicates that replication happens in both 
directions, and I can indeed see the snapshots in my S3 bucket.


But when I create a DNS zone on one PDNS server (with pdnsutil) and 
populate it, I can't see that zone on the second PDNS server - a 
pdnsutil list-all-zones doesn't show it.


However, when I try to create that same zone on the second PDNS server, 
pdnsutil tells me that the zone already exists!
And surely enough, when I delete that zone on the first PDNS, then I can 
create it on the second one - which shows that the LMDB/Lightningstream 
workflow works.


The Lightningstream status webpage (http://:8500) also shows the same 
metrics for both instances.


I must be missing something, but I'm having a hard time figuring out what.

I looked at the Lightningstream doc and everything looks good.

My pdns.conf:

local-address=192.168.x.y
local-port=53
launch=lmdb
lmdb-filename=/var/spool/pdns-4.8/pdns.lmdb
lmdb-random-ids=yes
lmdb-flag-deleted=yes
lmdb-map-size=1000
lmdb-sync-mode=sync
zone-cache-refresh-interval=0
zone-metadata-cache-ttl=0


My Lightningstream YAML conf file:

instance: pdns
lmdbs:
  main:
    # Auth 'lmdb-filename'
    path: /var/spool/pdns-4.8/pdns.lmdb
    schema_tracks_changes: true
    options:
      no_subdir: true
      create: true  # optional for 'main', as auth will create it on startup, if needed
      map_size: 1000MB  # for create=true, make sure to match auth's lmdb-map-size

  shard:
    # Auth 'lmdb-filename' plus '-0' for the first shard
    path: /var/spool/pdns-4.8/pdns.lmdb-0
    schema_tracks_changes: true
    options:
      no_subdir: true
      create: true  # strongly recommended for shards
      map_size: 1000MB  # for create=true, make sure to match auth's lmdb-map-size

storage:
  type: s3
  options:
    access_key: XX
    secret_key: YY
    bucket: pdns
    create_bucket: false
    endpoint_url: https://s3.us-west-000.backblazeb2.com

http:
  address: ":8500"  # for status and metrics


Cheers,

--
Nico

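The fix in this thread was a single missing line (lmdb-shards=1), and the YAML comments already say the map_size must match lmdb-map-size and that shard paths are lmdb-filename plus "-N". Those are exactly the things worth checking mechanically before starting Lightning Stream. The following is an added example, not PowerDNS or Lightning Stream code: it parses the pdns.conf from this thread and cross-checks it against the Lightning Stream configuration, given here as the dict a YAML loader would return from the file above. The rule that lmdb-shards must be set explicitly to the number of shard entries is the lesson of this thread, not a requirement I can cite from the Lightning Stream documentation.

```python
"""Cross-check pdns.conf LMDB settings against a Lightning Stream config.

Added example (not part of PowerDNS or Lightning Stream). Lightning
Stream syncs one LMDB file per entry under 'lmdbs', so the auth server
has to agree on how many record shards exist (lmdb-shards), where they
live (<lmdb-filename>-<n>) and how large the maps are (lmdb-map-size is
in megabytes). Inputs are the configs posted in the thread.
"""
import re

PDNS_CONF = """\
local-address=192.168.x.y
local-port=53
launch=lmdb
lmdb-filename=/var/spool/pdns-4.8/pdns.lmdb
lmdb-random-ids=yes
lmdb-flag-deleted=yes
lmdb-map-size=1000
lmdb-sync-mode=sync
zone-cache-refresh-interval=0
zone-metadata-cache-ttl=0
"""

# The Lightning Stream YAML from the thread, as a YAML loader returns it.
LS_CONF = {
    "instance": "pdns",
    "lmdbs": {
        "main": {"path": "/var/spool/pdns-4.8/pdns.lmdb",
                 "schema_tracks_changes": True,
                 "options": {"no_subdir": True, "create": True, "map_size": "1000MB"}},
        "shard": {"path": "/var/spool/pdns-4.8/pdns.lmdb-0",
                  "schema_tracks_changes": True,
                  "options": {"no_subdir": True, "create": True, "map_size": "1000MB"}},
    },
}


def parse_pdns_conf(text):
    """key=value lines; '#' starts a comment; a later key overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def map_size_mb(value):
    """Lightning Stream sizes such as '1000MB' or '2GB' -> megabytes. Unitless = bytes."""
    m = re.fullmatch(r"(\d+)\s*([KMG]?)B?", str(value).strip(), re.I)
    if not m:
        raise ValueError(f"unparseable map_size: {value!r}")
    n, unit = int(m.group(1)), m.group(2).upper()
    return n * {"": 1 / (1024 * 1024), "K": 1 / 1024, "M": 1, "G": 1024}[unit]


def check_lmdb_configs(pdns_conf_text, ls_conf):
    """Return a list of findings; an empty list means the two configs agree."""
    pdns = parse_pdns_conf(pdns_conf_text)
    findings = []
    if pdns.get("launch") != "lmdb":
        findings.append("pdns.conf: launch is not 'lmdb'")
    filename = pdns.get("lmdb-filename")
    lmdbs = ls_conf.get("lmdbs", {})

    # 1. 'main' must be the file named by lmdb-filename.
    main = lmdbs.get("main", {})
    if main.get("path") != filename:
        findings.append(f"main path {main.get('path')!r} != lmdb-filename {filename!r}")

    # 2. Shard entries must be <filename>-0, <filename>-1, ... and their number
    #    must equal lmdb-shards, which (per the thread) has to be set explicitly.
    shard_paths = sorted(v["path"] for k, v in lmdbs.items() if k != "main")
    expected = [f"{filename}-{i}" for i in range(len(shard_paths))]
    if shard_paths != expected:
        findings.append(f"shard paths {shard_paths} != expected {expected}")
    if "lmdb-shards" not in pdns:
        findings.append(f"pdns.conf: lmdb-shards not set; set lmdb-shards={len(shard_paths)}")
    elif int(pdns["lmdb-shards"]) != len(shard_paths):
        findings.append(f"lmdb-shards={pdns['lmdb-shards']} but {len(shard_paths)} shard entries")

    # 3. Wherever create: true, map_size must equal lmdb-map-size (megabytes).
    auth_mb = int(pdns.get("lmdb-map-size", 0))
    for name, entry in lmdbs.items():
        opts = entry.get("options", {})
        if opts.get("create") and map_size_mb(opts.get("map_size", "0")) != auth_mb:
            findings.append(f"{name}: map_size {opts.get('map_size')} != lmdb-map-size={auth_mb}")
    return findings


if __name__ == "__main__":
    for finding in check_lmdb_configs(PDNS_CONF, LS_CONF) or ["OK: configs agree"]:
        print(finding)
```

Run against the configs as posted, the only finding is the missing lmdb-shards line; append lmdb-shards=1 and it reports nothing.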


Re: [Pdns-users] Powerdns on AWS Instances

2021-04-27 Thread Nico CARTRON via Pdns-users
On 27-Apr-2021 21:17 CEST,  wrote:

> Hello,
> 
> Is it possible to deploy powerdns on aws instances and have the instances
> run behind an ec2 load balancer?
> Any tips to set this up would be really helpful.
> 
> My current design is a powerdns server and a pdns-recursor running on the
> same host (not aws) and I am using aws aurora mysql cluster as my backend
> with all the domains and records information. This setup is working as
> expected and I am able to resolve records that are saved in aurora sql db.
> Now I want to move pdns and pdns-recursor to aws instance so wondering what
> all issues I will face as I am not able to find any documentation about it.

Sounds like a mission for dnsdist! (www.dnsdist.org) 


-- 
Nico


Re: [Pdns-users] What determines authoritative?

2020-06-20 Thread Nico CARTRON via Pdns-users
Hi,

On 20-Jun-2020 17:47 CEST,  wrote:

> Yes, this is probably a dumb question, but I couldn't figure it out in
> 20 minutes of googling.
> 
> I have a pdns installation for my local network. V4.1.13.  Mysql
> backend.
> 
> I noticed while debugging something else that it is returning
> non-authoritative answers for a zone for which should be the
> authority.
> 
> The zone has an SOA naming this host as the authority.  It has an NS
> record saying it's the server for this zone.  It knows its hostname.
> The A record for itself is correct.  There *should* be enough
> information there for it to determine that it's authoritative.
> 
> FWIW, I *think* in times past, this used to work.  So maybe I've
> inadvertently changed some config?  Dunno.
> 
> What are the necessary conditions for pdns to return authoritative
> answers?

Would you mind sharing your configuration (pdns.conf as well as the zone
in question)?
And also some dig requests against your PDNS Auth server.


-- 
Nico


Re: [Pdns-users] Sub-domains delegation. I am not sure what I missed.

2020-06-01 Thread Nico CARTRON via Pdns-users
Hi,

On 01-Jun-2020 12:19 CEST,  wrote:

> I've got a test PDNS auth with mysql running in my internal network for the
> domain and delegate the vlan100 subdomain to another DNS in the network
> (see mysql extract below). I'm not sure why I'm not getting any answer
> for the A record test. When I do dig directly to the NS of the vlan100
> sub-domain I get an answer.
> 
> I'm not sure what I am missing. Thanks!

You're asking the PDNS Auth server (192.168.1.53) a question that only
the other DNS server (192.168.1.50) has the answer to.

The answer you got to your `dig` request is a pointer to this 1.50
server, following delegation.

If you ask a recursive server that knows lab.integrate.zone /
192.168.1.50, then you should get an answer since it will do recursion.

Cheers,

-- 
Nico

> [root@ns1 ~]# dig @192.168.1.53 test.vlan100.lab.integrate.zone
> 
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.3 <<>> @192.168.1.53 test.vlan100.lab.integrate.zone
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53535
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1680
> ;; QUESTION SECTION:
> ;test.vlan100.lab.integrate.zone. IN A
> 
> ;; AUTHORITY SECTION:
> vlan100.lab.integrate.zone. 3 IN NS dns.lab.integrate.zone.
> 
> ;; ADDITIONAL SECTION:
> dns.lab.integrate.zone. 3 IN A 192.168.1.50
> 
> ;; Query time: 1 msec
> ;; SERVER: 192.168.1.53#53(192.168.1.53)
> ;; WHEN: Mon Jun 01 22:16:01 NZST 2020
> ;; MSG SIZE  rcvd: 94
> 
> 
> DB extract:
> 
> MariaDB [powerdns]> select id, name, master from domains;
> +----+--------------------+--------+
> | id | name               | master |
> +----+--------------------+--------+
> |  2 | lab.integrate.zone |        |
> +----+--------------------+--------+
> 
> MariaDB [powerdns]> select domain_id, name, type, content from records
> where type='NS' and domain_id=2;
> +-----------+----------------------------+------+------------------------+
> | domain_id | name                       | type | content                |
> +-----------+----------------------------+------+------------------------+
> |         2 | lab.integrate.zone         | NS   | ns1.lab.integrate.zone |
> |         2 | vlan100.lab.integrate.zone | NS   | dns.lab.integrate.zone |
> +-----------+----------------------------+------+------------------------+
> 
> MariaDB [powerdns]> select domain_id, name, type, content from records
> where id=137;
> +-----------+------------------------+------+--------------+
> | domain_id | name                   | type | content      |
> +-----------+------------------------+------+--------------+
> |         2 | dns.lab.integrate.zone | A    | 192.168.1.50 |
> +-----------+------------------------+------+--------------+
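The dig output above is the textbook shape of a referral: aa is not set, ANSWER is empty, AUTHORITY carries the NS record of the delegated zone and ADDITIONAL carries its glue. An authoritative server stops there; it is a recursive resolver's job to follow the pointer. The following is an added example, not PowerDNS code: a small model of the two authoritative servers from this thread (192.168.1.53 serving lab.integrate.zone with the vlan100 delegation, 192.168.1.50 serving vlan100.lab.integrate.zone) and a resolver loop that follows referrals the way a recursor would. The A record for test.vlan100.lab.integrate.zone (10.100.0.10) is constructed, since the thread never shows it.

```python
"""Referral from an authoritative server, and what a resolver does with it.

Added example, not PowerDNS code. SERVERS models what each authoritative
server knows; records are (owner, type, rdata) with trailing dots.
"""

SERVERS = {
    "192.168.1.53": {
        "lab.integrate.zone.": [
            ("lab.integrate.zone.", "NS", "ns1.lab.integrate.zone."),
            ("ns1.lab.integrate.zone.", "A", "192.168.1.53"),
            ("vlan100.lab.integrate.zone.", "NS", "dns.lab.integrate.zone."),
            ("dns.lab.integrate.zone.", "A", "192.168.1.50"),
        ],
    },
    "192.168.1.50": {
        "vlan100.lab.integrate.zone.": [
            ("vlan100.lab.integrate.zone.", "NS", "dns.lab.integrate.zone."),
            ("test.vlan100.lab.integrate.zone.", "A", "10.100.0.10"),  # constructed
        ],
    },
}


def best_zone(qname, zones):
    """Longest zone name that qname is at or below, or None."""
    matches = [z for z in zones if qname == z or qname.endswith("." + z)]
    return max(matches, key=len) if matches else None


def auth_query(server, qname, qtype):
    """Model an authoritative answer: (aa flag, answer, authority, additional)."""
    zones = SERVERS[server]
    zone = best_zone(qname, zones)
    if zone is None:
        return False, [], [], []          # a real server would say REFUSED
    records = zones[zone]
    # A delegation (NS set owned by a name below the apex) covering qname
    # produces a referral: aa=0, NS set in AUTHORITY, glue in ADDITIONAL.
    cuts = {n for n, t, _ in records if t == "NS" and n != zone}
    cut = best_zone(qname, cuts)
    if cut is not None:
        ns = [r for r in records if r[0] == cut and r[1] == "NS"]
        glue = [r for r in records if r[1] == "A" and any(r[0] == h for _, _, h in ns)]
        return False, [], ns, glue
    answer = [r for r in records if r[0] == qname and r[1] == qtype]
    return True, answer, [], []


def resolve(qname, qtype, start_server, max_hops=8):
    """Follow referrals like a recursor; return (answer rdata list, servers asked)."""
    server, path = start_server, []
    for _ in range(max_hops):
        path.append(server)
        aa, answer, authority, additional = auth_query(server, qname, qtype)
        if aa:
            return [rd for _, _, rd in answer], path
        if not authority:
            raise LookupError(f"{server} is not authoritative for {qname}")
        ns_hosts = {rd for _, _, rd in authority}
        glue = [rd for n, t, rd in additional if t == "A" and n in ns_hosts]
        if not glue:
            raise LookupError("referral without glue; the NS name itself would need resolving")
        server = glue[0]
    raise LookupError("too many referrals")


if __name__ == "__main__":
    q = "test.vlan100.lab.integrate.zone."
    print("direct auth query:", auth_query("192.168.1.53", q, "A"))
    print("with recursion:   ", resolve(q, "A", "192.168.1.53"))
```

The first print reproduces the dig output from the thread (aa false, empty answer, one NS in authority, one glue A record); the second shows the resolver reaching 192.168.1.50 and getting the aa answer. Asking 192.168.1.50 for a name in the parent zone raises, which is the mirror image of the original problem.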


Re: [Pdns-users] dnssec and lua-config--file

2020-05-12 Thread Nico CARTRON via Pdns-users
On 12-May-2020 19:11 CEST,  wrote:

> Hi,
> 
> Yes I do :
> 
> cat recursor.conf | grep -v '^\s*$\|^\s*\#'
> config-dir=/etc/powerdns
> dnssec-log-bogus=yes
> hint-file=/usr/share/dns/root.hints
> local-address=0.0.0.0
> local-port=3334
> *lua-config-file=/etc/powerdns/recursor.lua*
> quiet=yes
> security-poll-suffix=
> setgid=pdns
> setuid=pdns
> trace=fail
> forward-zones=example.net=192.168.1.28:
> 
> Maybe I'm using the wrong syntax in forward-zones ...

Nope, the syntax is correct.

However, in your original email, you said that you wanted to:

   - resolve normally example.net (I fixed a typo in the domain name,
 since you wrote `exemple.net`)
   - forward the request foo.example.net to an internal authoritative
   server

Your configuration forwards *all* requests to `example.net` to the
192.168.1.28 server.
You should replace it with:
forward-zones=foo.example.net=192.168.1.28: 

Also, can you send the result of a request for
.foo.example.net, e.g. using dig?

Side question: why using `hint-file`? Are you using a specific root
servers configuration? If not, you don't need that.

Cheers,

-- 
Nico


Re: [Pdns-users] dnssec and lua-config--file

2020-05-12 Thread Nico CARTRON via Pdns-users
Hi Pierre,

On 12-May-2020 16:59 CEST,  wrote:

> Hello,
> 
> I'm testing pdns-recursor and I'd like to config it in order to :
> 
>- resolves normally exemple.net
>- forwards the request foo.example.net to an internal authoritative
>server
> 
> I've read the documentation, and found :
> https://docs.powerdns.com/recursor/settings.html#forward-zones
> I've seen the remark regarding DNSSEC and thus use a lua-config-file in
> which I added, to not use DNSSEC for this particular domain name :
> addNTA("foo.example.net", "test")
> 
> However, I can't get any answer and the log is quite obvious :
> "Wants DNSSEC processing in query A ..."
> 
> It seems that my lua file isn't taken.
> Am I wrong ? How can I check whether the lua file is used or not .

Did you specify the path to your Lua file in the recursor.conf file?
Something like:

lua-config-file=

If so, can you share you recursor.conf?

Cheers,

-- 
Nico


Re: [Pdns-users] Fallback to recursor if authoritative fails

2020-05-01 Thread Nico CARTRON via Pdns-users
Hi Saad,

On 01-May-2020 05:17 CEST,  wrote:

> Hi,
> 
> My use case is such that I have some local as well as TLD domains inside
> the authoritative server but I would also like to use a recursor so that
> local clients can send queries for let's say google.com.
> 
> Is there a way to do this in such a way that I do not have to hard-code
> forward zones from recursor to authoritative server like on this page:
> https://doc.powerdns.com/authoritative/guides/recursion.html#id4
> 
> From what I understand, this used to be possible out of the box before
> 4.1.0. How can we achieve this now?

You're probably looking for this: "Migrating from using recursion on the
Authoritative Server to using a Recursor"
https://doc.powerdns.com/authoritative/guides/recursion.html

Cheers,

-- 
Nico


Re: [Pdns-users] DNSSEC and SOA records

2019-07-22 Thread Nico CARTRON
Hi Tamer,

On 21-Jul-2019 22:10 CEST,  wrote:

> Hello,
> 
> I have setup PowerDNS 4.2.0-rc2 through the CentOS 7 repository. Everything
> works fine except SOA replies in AUTHORITY SECTIONs with DNSSEC enabled. We
> are testing the domain through the well-known validator Internet.nl and it
> results in a BOGUS validation. They state that it's because test.nizari.nl
> is not returning SOA records in the AUTHORITY SECTION.

so the zone you're testing with is test.nizari.nl, right?
It seems there's no delegation for this zone, hence no SOA.

> The following works and returns a proper SOA answer:
> dig soa nizari.nl
> dig soa test.nizari.nl @ns1.nizari.nl
> dig soa test.nizari.nl @1.1.1.1
> dig soa test.nizari.nl @8.8.8.8 +cd
> 
> The following does not work and results in a SERVFAIL:
> dig soa test.nizari.nl
> dig soa test.nizari.nl @8.8.8.8
> 
> Is this normal behaviour or is there something wrong with my config? The
> nameservers run simply in a MySQL cluster.
> 
> pdns.conf:
> local-address=0.0.0.0
> local-ipv6=::
> local-port=5300
> launch=gmysql,geoip
> gmysql-host=
> gmysql-user=
> gmysql-dbname=
> gmysql-password=
> geoip-database-files
> loglevel=9
> enable-lua-records=yes
> edns-subnet-processing=yes
> log-dns-queries=yes
> gmysql-dnssec=yes
> disable-syslog=yes
> resolver=8.8.8.8,[2001:4860:4860::]

Also, why are you using the 'resolver' setting without 'expand-alias'?
This setting is not meant to specify the resolver to send recursive requests to,
but is related to the ALIAS records
(https://doc.powerdns.com/authoritative/guides/alias.html).

Cheers,

-- 
Nico

> If there is something wrong with my config, why does 1.1.1.1 work and
> 8.8.8.8 not?
> I see no errors in the logs and all other DNS related stuff is working.
> 
> DNSVIZ results are OK.
>
> Any help or tips can be of use, I have been debugging this for three days
> now. Thank you for reading!


Re: [Pdns-users] Master node notifying slave nodes to update

2019-07-18 Thread Nico Cartron
Hi,

> On 18 Jul 2019, at 17:06, 姜伯洋 <1513...@163.com> wrote:
> 
> 
> cat /var/log/message
> Jul 18 20:07:48 VM_9_140_centos pdns_server: Error trying to resolve 
> '[::1]:53' for notifying 'wptqc.com' to server: Unable to send notify to 
> [::1]:53: No route to host
> 
> This is the error of the master node. I don't know where I configured the 
> address. Therefore, after the master node changes the configuration, it will 
> send a notification to this address. I should close the address there.

First, hello. 

Then, in order to help you, we would need a bit more information on your setup. 

It looks like the logs are coming from the PowerDNS Authoritative server, and 
that you have configured your Master server with a zone named wptqc.com, and 
the master server is trying to notify slaves zones using the IPv6 localhost 
address. 
Could you show us the content of this zone and whether there's any Metadata 
configured for this zone in your backend?

Cheers,

-- 
Nico


Re: [Pdns-users] pdns-recursor delegate some queries to another recursor

2019-05-20 Thread Nico CARTRON
Hi,

On 20-May-2019 16:04 CEST,  wrote:

> > wonder if the following is possible somehow with pdns-recursor. Our main
> > recursor A sometimes has problems talking to some auth servers. At the
> > same time another recursor B in our network still can talk to such an
> > auth server.
> > 
> > So we wonder if we could somehow send queries for such auth servers via
> > the other recursor. The decision to send queries to the other box is
> > based on the IP address of the auth server. The idea is to route such
> > queries from recursor A to recursor B while all other queries from
> > recursor A should still be sent without recursor B.
> > 
> > Is something like that possible in pdns-recursor or do we have to use a
> > tool like dnsdist?
> 
> Hi Tobi,
> 
> I recommend using dnsdist for this use-case! Sending traffic to backend dns
> servers is what dnsdist is made for!

While it's true that what Frank suggested is totally doable with dnsdist (and
actually one of its missions), it would be interesting though to understand why
one of your recursors has issues to reach the authoritative server, and another
recursor has no issue.

A couple of questions:
- are they running the same Recursor version?
- are they on the same network / same site / behind the same network
  equipment, if any (e.g. firewall) / any ACL in place?
- which OS are they running (if there are differences between the 2)?

Cheers,

-- 
Nico


Re: [Pdns-users] pdns server api access leads to "Internal Server Error"

2019-05-07 Thread Nico CARTRON
Hi Tobi,

On 07-May-2019 16:49 CEST,  wrote:

> Hi list
> 
> I have an application which access the pdns server via the api
> interface. I'm using pdns 4.1.8 on a CentOS 7 with latest updates. pdns
> runs with mysql backend on mariadb.
> 
> All except one api query work as expected but when I fire such a query
> 
> curl -X GET -H 'X-API-Key: MY_API'
> http://127.0.0.1:8081/api/v1/servers/localhost/zones/mydomain.tld
> 
> I get a http 500 "Internal Server Error" message. Like said it's the
> only query that fails. Any other for example
> 
> http://127.0.0.1:8081/api/v1/servers/localhost/zones
> 
> lists the zones available without any problem.
> 
> The documentation on
> https://doc.powerdns.com/authoritative/http-api/zone.html specifies this
> endpoint as valid
> 
> > GET /servers/{server_id}/zones/{zone_id}
> 
> Anyone an idea what goes wrong here?
> Can I somehow enable debug of the api part of pdns?

It works fine for me, also on a 4.1.8 Auth configuration.

Could you paste your pdns.conf, as well as the output from the listing of all
zones from the API? (just a single zone will be enough)
Please do not obfuscate it [1]

[1] https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

Cheers,

-- 
Nico


Re: [Pdns-users] Pdns 4.2 install and config issues

2019-05-03 Thread Nico CARTRON
Hi Bryan,

On 03-May-2019 17:21 CEST,  wrote:

> Is this the right list for reporting an issue?  If there's a better place
> please let me know.
> 
> I am on ubuntu 18, and running the mariadb/mysql backend.  I've used the repos
> per the http://repo.powerdns.com/ setup.
> 
> During the install there is no typical script to provision the database, this
> must be done manually.  The 4.1 version has this working, and admittedly this
> may be the packagers issue.

Indeed.

> I've run into an issue with the slave's not working for AFXR, and then found
> superslave=yes must be set in the config new for 4.2.  However, with this set
> the server will not start with the error below:
> Fatal error: Trying to set unknown parameter 'superslave'
> 
> I couldn't figure this out, so have rolled back to 4.1.  I'm willing to do
> some testing or provide some logs if needed.

you're right, "superslave" doesn't work today.

This will work with the final version of 4.2, and probably 4.0.2-rc2.
For 4.0.2-rc1, you need to use "supermaster"

We changed the setting name to make it easier/more obvious, but only realised it
once -rc1 had been released.

So, the documentation [1] is correct for 4.0.2-rc2 and onward.
And this is also listed in the "Upgrade" notes [2].


[1] https://doc.powerdns.com/authoritative/settings.html#superslave
[2] https://doc.powerdns.com/authoritative/upgrading.html

Cheers,

-- 
Nico


Re: [Pdns-users] Authoritative Server API?

2019-05-02 Thread Nico CARTRON
On 02-May-2019 20:57 CEST,  wrote:

> On Thu, May 2, 2019 at 8:35 PM Ryan Finnesey  wrote:
> 
> > Is there a Swagger file for the Authoritative Server API?  I did see that
> > there is a lot of documentation at
> > https://doc.powerdns.com/md/httpapi/README/#api-specification but I can't
> > seem to find a Swagger file.
> >
> 
> The newer documentation [1] links the file in the GitHub repository [2].
> Is that what you were looking for?
> 
> HTH
> 
> [1]:
> https://doc.powerdns.com/authoritative/http-api/index.html#working-with-the-api
> [2]:
> https://raw.githubusercontent.com/PowerDNS/pdns/master/docs/http-api/swagger/authoritative-api-swagger.yaml

Yep, and that was also mentioned on the blog [1] when the first alpha1 of the
Auth 4.2 was announced.

[1]: 
https://blog.powerdns.com/2018/12/14/powerdns-authoritative-server-4-2-0-alpha1-lua-records-ixfrdist-swagger/

-- 
Nico


Re: [Pdns-users] Rate-Limit for NXDOMAIN

2019-04-26 Thread Nico CARTRON
Hi Markus,

On 26-Apr-2019 14:55 CEST,  wrote:

> Hello together,
> 
> since recently we use two powerDNS Authoritative Servers (v.4.1.8) for
> managing our own domains. Is it possible, to rate-limit dns lookups for
> non-existing Domains?
> Background: from time to time (several times a day), we get hundreds (or
> thousands) of requests to random, non-existing, subdomains for one domain, we
> are authoritative for. The root domain is the same in all requests. I don't
> understand the aim of this attacks, but want to limit it in some possible
> ways.

This looks like a mission for dnsdist (http://www.dnsdist.org)
Especially this section: 
https://dnsdist.org/guides/dynblocks.html#dynblockrulesgroup

Cheers,

-- 
Nico
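What the dnsdist dynamic-block rules do for this case is count NXDOMAIN answers per client address over a sliding window and block the client once the rate is exceeded. To see the logic before putting it in front of production, here is an added example that is neither dnsdist nor PowerDNS code: the same per-client sliding-window rate check written in Python and run over a few constructed answer-log lines. The "<epoch> <client> <qname> <rcode>" layout is this example's own, not a PowerDNS log format, and the rate, window and block duration are placeholders to tune.

```python
"""Per-client NXDOMAIN rate detection over sample answer logs.

Added example, not dnsdist code. In spirit it is what a dnsdist
dynBlockRulesGroup NXDOMAIN rule does (count NXDOMAIN answers per client
in the last `window` seconds, block for `block_for` seconds once more
than `rate` are seen); the bookkeeping here is our own.
"""
from collections import defaultdict, deque

# Constructed log: one client spraying random labels under a single apex,
# one legitimate client with a single typo.
SAMPLE_LOG = """\
1556283300 203.0.113.9 a1b2c3.example.org NXDOMAIN
1556283300 203.0.113.9 9f8e7d.example.org NXDOMAIN
1556283301 198.51.100.4 www.example.org NOERROR
1556283301 203.0.113.9 77aa11.example.org NXDOMAIN
1556283301 203.0.113.9 zz91ko.example.org NXDOMAIN
1556283302 203.0.113.9 q0w9e8.example.org NXDOMAIN
1556283302 198.51.100.4 wwww.example.org NXDOMAIN
1556283303 203.0.113.9 m3n2b1.example.org NXDOMAIN
1556283320 203.0.113.9 late01.example.org NXDOMAIN
"""


def parse_log(text):
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        yield int(ts), client, qname, rcode


class NxdomainRateLimiter:
    """Block a client once it produced more than `rate` NXDOMAINs within `window` seconds."""

    def __init__(self, rate, window, block_for):
        self.rate, self.window, self.block_for = rate, window, block_for
        self.history = defaultdict(deque)   # client -> timestamps of NXDOMAIN answers
        self.blocked_until = {}             # client -> epoch at which the block expires

    def is_blocked(self, client, now):
        return self.blocked_until.get(client, 0) > now

    def observe(self, now, client, rcode):
        """Feed one answer; return True if the client is (now) blocked."""
        if self.is_blocked(client, now):
            return True
        if rcode != "NXDOMAIN":
            return False
        q = self.history[client]
        q.append(now)
        while q and q[0] <= now - self.window:   # drop events that left the window
            q.popleft()
        if len(q) > self.rate:
            self.blocked_until[client] = now + self.block_for
            q.clear()
            return True
        return False


def scan(log_text, rate=5, window=10, block_for=60):
    """Return {client: epoch at which it was first blocked}."""
    limiter = NxdomainRateLimiter(rate, window, block_for)
    first_block = {}
    for ts, client, _, rcode in parse_log(log_text):
        if limiter.observe(ts, client, rcode) and client not in first_block:
            first_block[client] = ts
    return first_block


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

With rate=5 the spraying client is blocked at its sixth NXDOMAIN; the client with one typo is never touched. Note that the rule keys on the client address, so queries arriving through a shared forwarder would be counted together, which is the usual caveat before enabling such a rule.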


Re: [Pdns-users] pdns forward nested recurse possible?

2019-04-19 Thread Nico CARTRON
On 19-Apr-2019 12:10 CEST,  wrote:

> That means the way to go is what I stated initially. That is using
> pdns-recursor to forward "known" domains to authoritative server. The rest
> will be forwarded recursively to public dns, right?

Not "forwarded" (which has a special meaning in DNS), rather "sent" to the
public DNS system (i.e. recursion to the Root servers, then (cc)TLD, ...)

But yes, correct.


Cheers,

-- 
Nico

> On Fri, Apr 19, 2019 at 5:48 PM Nico CARTRON  wrote:
> 
> > On 19-Apr-2019 11:44 CEST,  wrote:
> >
> > > How do I do plain recursion with only pdns installed? AFAIK, the new
> > > version of pdns does not support recursor anymore. Or maybe I am missing
> > > something?
> >
> > I think you're confusing things :)
> >
> > You're probably referring to the fact that the Authoritative server does
> > not provide recursion anymore - this is true.
> >
> > But in your case, the server doing the recursion would be the PowerDNS
> > Recursor, which of course will always provide DNS Recursion, since that is
> > its main goal in life ;)
> >
> > Cheers,
> >
> > --
> > Nico
> >
> > > On Fri, Apr 19, 2019 at 5:32 PM Nico CARTRON  wrote:
> > >
> > > > Hi,
> > > >
> > > > On 19-Apr-2019 11:21 CEST,  wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > I am just trying to have something simple.
> > > >
> > > > well, I do believe you are complicating something which should be
> > > > simple ;)
> > > >
> > > > > When a client queries the pdns recursor server, it will first look at
> > > > > its authoritative pdns domains. If none of the domains being queried
> > > > > is in authoritative then it will shoot to public dns for recursive
> > > > > query.
> > > > >
> > > > > EG,
> > > > > dig onedomain.com @pdnsrecursor.server
> > > > >
> > > > > pdnsrecursor server will forward query to pdns authoritative if
> > > > > nothing comes back then forward to public dns.
> > > > >
> > > > > Does it make sense?
> > > >
> > > > As noted by Brian in another answer, why not just use forward-zones to
> > > > point to the Auth the requests for the few domains you are responsible
> > > > for, and for all the other zones, just use plain recursion, and not use
> > > > Google Public DNS?
> > > >
> > > > Cheers,
> > > >
> > > > --
> > > > Nico
> > > >
> > > > > On Fri, Apr 19, 2019 at 5:04 PM Nico CARTRON  wrote:
> > > > >
> > > > > > Hello,
> > > > > >
> > > > > > On 19-Apr-2019 10:48 CEST,  wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > Is it possible to use recursor to forward all queries to pdns
> > > > > > > authoritative server and if that query fails, it will forward all
> > > > > > > to public DNS such as 8.8.8.8?
> > > > > > >
> > > > > > > For example, in my pdns, I have created a domain called
> > > > > > > mydomain.com and yourdomain.moc.
> > > > > > >
> > > > > > > So instead of creating:
> > > > > > > forward-zones=mydomain=127.0.0.1:5300
> > > > > > > forward-zones+=yourdomain.moc=127.0.0.1:5300
> > > > > > > forward-zones-recurse=.=8.8.8.8
> > > > > > >
> > > > > > > I would like to create:
> > > > > > > forward-zones-recurse=.=127.0.0.1:5300
> > > > > > > forward-zones-recurse+=.=8.8.8.8
> > > > > > >
> > > > > > > However, tried second method and it does not work. Please advise.
> > > > > >
> > > > > > Could you explain with more details what you are trying to achieve?
> > > > > > Sending all the queries you're receiving from the Recursor to an
> > > > > > Authoritative server won't work, as the Auth will only answer for
> > > > > > the DNS zones it is Auth for.
> > > > > >
> > > > > > Google Public DNS is not an Authoritative service, but a recursive
> > > > > > one.
> > > > > >
> > > > > > Also, forward-zones-recurse means you are sending requests to a
> > > > > > recursive DNS server
> > > > > > (https://doc.powerdns.com/recursor/settings.html#forward-zones-recurse),
> > > > > > which your PDNS Authoritative is not - hence the fact that this
> > > > > > second method doesn't work.
> > > > > >
> > > > > > Cheers,
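Two threads on this page come down to how the Recursor picks a forward-zones entry: the lua-config-file thread, where forward-zones=example.net=... captured all of example.net instead of just foo.example.net, and this one, where forward-zones (authoritative target, no recursion asked for) and forward-zones-recurse (recursive target, RD set) were being mixed up. The following is an added example, not Recursor code: a parser for the setting syntax (comma-separated zone=server entries, several servers separated by ";", optional port, IPv6 in brackets when a port is given) and the most-specific-zone lookup, run over the settings from both threads. Whether a zone listed in both settings prefers one table over the other is my assumption; the Recursor documents the syntax, not this model.

```python
"""Which forward-zones / forward-zones-recurse entry a query would hit.

Added example, not PowerDNS Recursor code. The settings strings are the
ones posted in the two threads; the port and IPv6 handling follows the
documented 'host:port' and '[v6]:port' forms.
"""


def split_servers(spec, default_port=53):
    """'192.168.1.28:5300;[2001:db8::1]:53;10.0.0.1' -> [(host, port), ...]."""
    out = []
    for s in spec.split(";"):
        s = s.strip()
        if not s:
            continue
        if s.startswith("["):                       # [IPv6]:port or [IPv6]
            host, _, rest = s[1:].partition("]")
            port = int(rest[1:]) if rest.startswith(":") else default_port
        elif s.count(":") == 1:                     # IPv4:port
            host, port = s.split(":")
            port = int(port)
        else:                                       # bare IPv4 or bare IPv6
            host, port = s, default_port
        out.append((host, port))
    return out


def parse_forward_zones(setting):
    """'a.example=1.2.3.4:53, b.example=[::1]' -> {'a.example.': [...], ...}."""
    zones = {}
    for entry in setting.split(","):
        entry = entry.strip()
        if not entry:
            continue
        zone, _, servers = entry.partition("=")
        zone = zone.strip().lower().rstrip(".") + "."   # '.' stays '.'
        zones[zone] = split_servers(servers)
    return zones


def forward_target(qname, forward_zones, forward_zones_recurse):
    """Return (zone, servers, rd) for the longest matching zone, or None.

    rd is the RD bit on the outgoing query: 0 for forward-zones (the target
    is expected to be authoritative), 1 for forward-zones-recurse (the
    target is itself a recursive server). None means: recurse from the root.
    """
    qname = qname.lower().rstrip(".") + "."
    best = None
    for table, rd in ((forward_zones, 0), (forward_zones_recurse, 1)):
        for zone, servers in table.items():
            if zone == "." or qname == zone or qname.endswith("." + zone):
                if best is None or len(zone) > len(best[0]):
                    best = (zone, servers, rd)
    return best


if __name__ == "__main__":
    # lua-config-file thread: the first setting swallows all of example.net...
    fz = parse_forward_zones("example.net=192.168.1.28")
    print(forward_target("www.example.net", fz, {}))
    # ...the corrected one only captures the subdomain; www goes to plain recursion.
    fz = parse_forward_zones("foo.example.net=192.168.1.28")
    print(forward_target("www.example.net", fz, {}))
    print(forward_target("bar.foo.example.net", fz, {}))
    # This thread: known zones to the Auth with rd=0, '.' catch-all with rd=1.
    fz = parse_forward_zones("mydomain.com=127.0.0.1:5300, yourdomain.moc=127.0.0.1:5300")
    fzr = parse_forward_zones(".=8.8.8.8")
    print(forward_target("mydomain.com", fz, fzr))
    print(forward_target("onedomain.com", fz, fzr))
```

The "." entry has length 1, so any more specific zone in either table wins over it; that is why listing the known zones in forward-zones and "." in forward-zones-recurse works, while putting the Auth under "." in forward-zones-recurse would send every query, with RD set, to a server that does not recurse.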


Re: [Pdns-users] pdns forward nested recurse possible?

2019-04-19 Thread Nico CARTRON
On 19-Apr-2019 11:44 CEST,  wrote:

> How do I do plain recursion with only pdns installed? AFAIK, the new
> version of pdns does not support recursor anymore. Or maybe I am missing
> something?

I think you're confusing things :)

You're probably referring to the fact that the Authoritative server does not
provide recursion anymore - this is true.

But in your case, the server doing the recursion would be the PowerDNS Recursor,
which of course will always provide DNS Recursion, since that is its main goal in
life ;)

Cheers,

-- 
Nico

> On Fri, Apr 19, 2019 at 5:32 PM Nico CARTRON  wrote:
> 
> > Hi,
> >
> > On 19-Apr-2019 11:21 CEST,  wrote:
> >
> > > Hi,
> > >
> > > I am just trying to have something simple.
> >
> > well, I do believe you are complicating something which should be simple ;)
> >
> > > When a client queries the pdns recursor server, it will first look at its
> > > authoritative pdns domains. If none of the domains being queried is in
> > > authoritative then it will shoot to public dns for recursive query.
> > >
> > > EG,
> > > dig onedomain.com @pdnsrecursor.server
> > >
> > > pdnsrecursor server will forward query to pdns authoritative if nothing
> > > comes back then forward to public dns.
> > >
> > > Does it make sense?
> >
> > As noted by Brian in another answer, why not just use forward-zones to
> > point to
> > the Auth the requests for the few domains you are responsible for, and for
> > all
> > the other zones, just use plain recursion, and not use Google Public DNS?
> >
> > Cheers,
> >
> > --
> > Nico
> >
> > > On Fri, Apr 19, 2019 at 5:04 PM Nico CARTRON  wrote:
> > >
> > > > Hello,
> > > >
> > > > On 19-Apr-2019 10:48 CEST,  wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Is it possible to use recursor to forward all queries to pdns
> > > > > authoritative server and if that query fails, it will forward all to
> > > > > public DNS such as 8.8.8.8?
> > > > >
> > > > > For example, in my pdns, I have created a domain called mydomain.com
> > > > > and yourdomain.moc.
> > > > >
> > > > > So instead of creating:
> > > > > forward-zones=mydomain=127.0.0.1:5300
> > > > > forward-zones+=yourdomain.moc=127.0.0.1:5300
> > > > > forward-zones-recurse=.=8.8.8.8
> > > > >
> > > > > I would like to create:
> > > > > forward-zones-recurse=.=127.0.0.1:5300
> > > > > forward-zones-recurse+=.=8.8.8.8
> > > > >
> > > > > However, tried second method and it does not work. Please advise.
> > > >
> > > > Could you explain with more details what you are trying to achieve?
> > > > Sending all the queries you're receiving from the Recursor to an
> > > > Authoritative server won't work, as the Auth will only answer for the
> > > > DNS zones it is Auth for.
> > > >
> > > > Google Public DNS is not an Authoritative service, but a recursive one.
> > > >
> > > > Also, forward-zones-recurse means you are sending requests to a
> > > > recursive DNS server
> > > > (https://doc.powerdns.com/recursor/settings.html#forward-zones-recurse),
> > > > which your PDNS Authoritative is not - hence the fact that this second
> > > > method doesn't work.
> > > >
> > > > Cheers,
> > > >


Re: [Pdns-users] pdns forward nested recurse possible?

2019-04-19 Thread Nico CARTRON
Hi,

On 19-Apr-2019 11:21 CEST,  wrote:

> Hi,
> 
> I am just trying to have something simple.

well, I do believe you are complicating something which should be simple ;)

> When a client queries the pdns recursor server, it will first look at its
> authoritative pdns domains. If none of the domains being queried is in
> authoritative then it will shoot to public dns for recursive query.
> 
> EG,
> dig onedomain.com @pdnsrecursor.server
> 
> pdnsrecursor server will forward query to pdns authoritative if nothing
> comes back then forward to public dns.
> 
> Does it make sense?

As noted by Brian in another answer, why not just use forward-zones to point to
the Auth the requests for the few domains you are responsible for, and for all
the other zones, just use plain recursion, and not use Google Public DNS?

Cheers,

-- 
Nico

> On Fri, Apr 19, 2019 at 5:04 PM Nico CARTRON  wrote:
> 
> > Hello,
> >
> > On 19-Apr-2019 10:48 CEST,  wrote:
> >
> > > Hi,
> > >
> > > Is it possible to use recursor to forward all queries to pdns
> > > authoritative server and if that query fails, it will forward all to
> > > public DNS such as 8.8.8.8?
> > >
> > > For example, in my pdns, I have created a domain called mydomain.com and
> > > yourdomain.moc.
> > >
> > > So instead of creating:
> > > forward-zones=mydomain=127.0.0.1:5300
> > > forward-zones+=yourdomain.moc=127.0.0.1:5300
> > > forward-zones-recurse=.=8.8.8.8
> > >
> > > I would like to create:
> > > forward-zones-recurse=.=127.0.0.1:5300
> > > forward-zones-recurse+=.=8.8.8.8
> > >
> > > However, tried second method and it does not work. Please advise.
> >
> > Could you explain with more details what you are trying to achieve?
> > Sending all the queries you're receiving from the Recursor to an
> > Authoritative server won't work, as the Auth will only answer for the DNS
> > zones it is Auth for.
> >
> > Google Public DNS is not an Authoritative service, but a recursive one.
> >
> > Also, forward-zones-recurse means you are sending requests to a recursive
> > DNS
> > server (
> > https://doc.powerdns.com/recursor/settings.html#forward-zones-recurse),
> > which your PDNS Authoritative is not - hence the fact that this second
> > method
> > doesn't work.
> >
> > Cheers,
> >
> > --


Re: [Pdns-users] pdns forward nested recurse possible?

2019-04-19 Thread Nico CARTRON
Hello,

On 19-Apr-2019 10:48 CEST,  wrote:

> Hi,
> 
> Is it possible to use recursor to forward all queries to pdns authoritative
> server and if that query fails, it will forward all to public DNS such as
> 8.8.8.8?
> 
> For example, in my pdns, I have created a domain called mydomain.com and
> yourdomain.moc.
> 
> So instead of creating:
> forward-zones=mydomain=127.0.0.1:5300
> forward-zones+=yourdomain.moc=127.0.0.1:5300
> forward-zones-recurse=.=8.8.8.8
> 
> I would like to create:
> forward-zones-recurse=.=127.0.0.1:5300
> forward-zones-recurse+=.=8.8.8.8
> 
> However, tried second method and it does not work. Please advise.

Could you explain with more details what you are trying to achieve?
Sending all the queries you're receiving from the Recursor to an Authoritative
server won't work, as the Auth will only answer for the DNS zones it is Auth
for.

Google Public DNS is not an Authoritative service, but a recursive one.

Also, forward-zones-recurse means you are sending requests to a recursive DNS
server (https://doc.powerdns.com/recursor/settings.html#forward-zones-recurse),
which your PDNS Authoritative is not - hence the fact that this second method
doesn't work.

Cheers,

-- 
Nico
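To make the forward-zones versus forward-zones-recurse distinction concrete, here is an added example (a simplified model written for this thread, not PowerDNS code) of how the Recursor picks a target for a query: the longest matching zone wins, forward-zones entries are queried with RD=0 (the target must be authoritative), forward-zones-recurse entries with RD=1 (the target must be a recursive server), and anything outside the forwarded zones is resolved by plain recursion. The two sample configurations are constructed from the thread's values (Auth on 127.0.0.1:5300, zones mydomain.com and yourdomain.moc).

```python
"""Simplified model of the PowerDNS Recursor forward-zones settings.

Added example for this thread, not PowerDNS code. It models the
documented behaviour only: a query goes to the servers of the most
specific (longest) matching zone; 'forward-zones' entries are queried
with RD=0, so the target must be authoritative for that zone, while
'forward-zones-recurse' entries are queried with RD=1, so the target
must itself be a recursive server. Names outside every forwarded zone
are resolved by plain recursion. Sample configurations are constructed
from the values in the thread (Auth on 127.0.0.1:5300).
"""
from dataclasses import dataclass, field

SETTINGS = {"forward-zones": False, "forward-zones-recurse": True}  # key -> RD bit


@dataclass
class ForwardTable:
    # zone name (lower case, no trailing dot, "" for the root) -> (servers, rd)
    zones: dict = field(default_factory=dict)

    def load(self, config_text: str) -> list:
        """Apply forward-zones / forward-zones-recurse lines from a recursor.conf.

        'key=' replaces every entry made by that setting, 'key+=' appends to it.
        Returns warnings for zones that end up listed twice: a second entry for
        the same zone is not a fallback server, it just collides with the first.
        """
        warnings = []
        for raw in config_text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            append = key.endswith("+")
            key = key.rstrip("+").strip()
            if key not in SETTINGS:
                continue
            rd = SETTINGS[key]
            if not append:
                self.zones = {z: v for z, v in self.zones.items() if v[1] != rd}
            for entry in value.split(","):
                zone, _, servers = entry.partition("=")
                zone = zone.strip().lower().rstrip(".")
                if zone in self.zones:
                    warnings.append(f"zone '{zone or '.'}' is forwarded twice "
                                    f"({key}+= does not add a fallback server)")
                self.zones[zone] = ([s.strip() for s in servers.split(";")], rd)
        return warnings

    def route(self, qname: str) -> tuple:
        """Return ('forward', servers, rd) or ('recurse', [], True) for a name.

        The candidate zones are the name itself, then each parent, then the
        root, so the longest matching forward-zones entry wins.
        """
        name = qname.lower().rstrip(".")
        labels = name.split(".") if name else []
        for i in range(len(labels) + 1):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                servers, rd = self.zones[candidate]
                return ("forward", servers, rd)
        return ("recurse", [], True)


# What the thread recommends: forward only the zones the Auth serves (RD=0),
# everything else is resolved by the Recursor itself.
RECOMMENDED_CONF = """
forward-zones=mydomain.com=127.0.0.1:5300
forward-zones+=yourdomain.moc=127.0.0.1:5300
"""

# The "second method" from the thread: the root zone listed twice.
DUPLICATE_ROOT_CONF = """
forward-zones-recurse=.=127.0.0.1:5300
forward-zones-recurse+=.=8.8.8.8
"""


def explain(config_text: str, qname: str) -> str:
    """One-line summary of where a query for qname would be sent."""
    table = ForwardTable()
    warnings = table.load(config_text)
    action, servers, rd = table.route(qname)
    where = ", ".join(servers) if servers else "plain recursion from the root"
    summary = f"{qname}: {action} -> {where} (RD={int(rd)})"
    return summary + ("; " + "; ".join(warnings) if warnings else "")


if __name__ == "__main__":
    for name in ("www.mydomain.com", "yourdomain.moc", "onedomain.com"):
        print(explain(RECOMMENDED_CONF, name))
    print(explain(DUPLICATE_ROOT_CONF, "onedomain.com"))
```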


Re: [Pdns-users] PDNS/BIND Configuration

2019-02-17 Thread Nico CARTRON
Hi Tshepo, 

(please reply to the list, not only myself, as having the history is
useful e.g. for archives, but also as other people can then answer).

your configuration is kind of weird, as you have your PDNS Auth sending
notifies to the master - unless you want to use DNS updates to PDNS, and
send them back to Bind?
I don't think that's the case, given what you said earlier.

What would be interesting as well, would be to have logs for both Bind
and PDNS roughly at the same time, when Bind tries to notify PDNS.

Comments in-line below for the rest.

Cheers,
Nico

On 18-Feb-2019 07:17 CET,  wrote:

> Hi Nico
> 
> That would not be a problem, please see the below for pdns(slave) & bind
> (master)
> 
> PDNS CONF:
> 
> allow-axfr-ips=10.200.1.12
> 
> allow-dnsupdate-from=10.200.1.12

not sure this is needed, since you're already doing XFR from this Bind
server.

> allow-notify-from=10.200.1.12
> 
> allow-unsigned-notify=yes
> 
> allow-unsigned-supermaster=yes
> 
> also-notify=10.200.1.12

see my remark above - do you really want your PDNS server to notify your
Bind?

> api=yes
> 
> api-key=changeme
> 
> config-dir=/etc/pdns
> 
> disable-axfr=no
> 
> disable-tcp=yes
> 
> distributor-threads=10
> 
> dnsupdate=yes
> 
> forward-dnsupdate=yes
> 
> forward-notify=10.200.1.12

same remark as above.

> local-address=0.0.0.0

Please see
https://doc.powerdns.com/authoritative/settings.html#local-address
it is advised to bind to specific IP addresses - in your case,
10.200.1.12

> local-port=53
> 
> log-dns-details=yes
> 
> log-dns-queries=yes
> 
> log-timestamp=yes
> 
> logging-facility=0
> 
> loglevel=5
> 
> master=yes

Not sure you need that, since your PDNS will be slave.

> module-dir=/usr/lib64/pdns
> 
> non-local-bind=yes
> 
> only-notify=10.1.200.12/23,::/0

same remark as above re notifies, and also the IP address is wrong.

> query-cache-ttl=60
> 
> query-local-address=10.1.200.13

The IP address is wrong - I guess this should be 10.200.1.13?

> query-logging=yes
> 
> 
> security-poll-suffix=secpoll.powerdns.com.
> 
> 
> setgid=pdns
> 
> setuid=pdns
> 
> slave=yes
> 
> version-string=full
> 
> webserver=bserver-address=10.200.1.13
> 
> webserver-allow-from=0.0.0.0/0,::/0
> 
> webserver-port=8081
> 
> launch=gmysql
> gmysql-host=10.200.1.11
> gmysql-port=3306
> gmysql-user=ns1
> gmysql-dbname=pdns_vox
> gmysql-password=ohplease
> 
> 
> BIND CONF:
> 
> options {
> listen-on port 53 { 127.0.0.1;10.200.1.13;any;};
> //  listen-on-v6 port 53 { ::1; };
> directory   "/var/named";
> dump-file   "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> recursing-file  "/var/named/data/named.recursing";
> secroots-file   "/var/named/data/named.secroots";
> allow-query {localhost;10.200.1.12;10.200.1.13;};
> allow-update-forwarding  {10.200.1.13;};
> };
> 
>*/
> recursion no;
> 
> dnssec-enable no;
> dnssec-validation no;
> 
> /* Path to ISC DLV key */
> bindkeys-file "/etc/named.iscdlv.key";
> 
> managed-keys-directory "/var/named/dynamic";
> 
> pid-file "/run/named/named.pid";
> session-keyfile "/run/named/session.key";
> };
> 
> 
> logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> };
> 
> zone "." IN {
> type hint;
> file "named.ca";
> };
> 
> zone "test123.co.za" IN {
> type master;
> file "named.bind-master.zones";
> also-notify {10.200.1.13;};

if your PDNS is slave, it should be listed as NS in your zone, and
therefore you wouldn't need this also-notify statement.

> allow-transfer {10.200.1.13;};
> };
> 
> zone "www.voxcloud.co.za" IN {
> type master;
> file "named.bind-rec.zones";
> also-notify {10.200.1.13;};

same remark as for the test123.co.za zone.

> allow-transfer {10.200.1.13;};
> };
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
> 
> 
> 
> ZONE FILE FOR BIND:
> 
> $TTL 3600
> @  IN SOA  test123.co.za. tshepo.msimango.voxtelecom.co.za. (
> 
> 2019020714 ; Serial
> 3600   ; 
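As an added example (not part of the thread and not PowerDNS code), a small checker that reads a pdns.conf like the one above and reports the points raised in the review: notify settings on a server that is only a secondary, the wildcard local-address, addresses outside the 10.200.1.0/24 network the rest of the setup uses, and a webserver/API reachable from anywhere. Which settings are checked, and the reduced sample configuration, are assumptions made here.

```python
"""Checks for a pdns.conf that is meant to run as a secondary only.

Added example for this thread, not PowerDNS code. It parses the key=value
format of pdns.conf and reports the points raised in the review above:
notify settings on a secondary, the wildcard local-address, addresses
outside the network the rest of the setup uses, and a webserver/API that
is reachable from anywhere. Which settings are checked, and the sample
configuration (reduced from the thread), are assumptions made here.
"""
import ipaddress


def parse_pdns_conf(text: str) -> dict:
    """Return {key: value}; a later duplicate key overwrites an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def is_yes(conf: dict, key: str) -> bool:
    return conf.get(key, "no").lower() in ("yes", "true", "1")


def check_secondary(conf: dict, expected_net: str) -> list:
    """Return findings for a server that should only be a secondary."""
    findings = []
    net = ipaddress.ip_network(expected_net)

    # A secondary does not need primary features or to notify anyone.
    if is_yes(conf, "master"):
        findings.append("master=yes is not needed on a secondary-only server")
    for key in ("also-notify", "forward-notify", "only-notify"):
        if key in conf:
            findings.append(f"{key}={conf[key]}: a secondary should not notify its primary")

    # Listen on the server's own address instead of the wildcard.
    if conf.get("local-address") in ("0.0.0.0", "::", "0.0.0.0,::"):
        findings.append("local-address is a wildcard; bind to the server's own address")

    # Addresses in these settings are expected inside the management network.
    for key in ("query-local-address", "allow-notify-from", "allow-axfr-ips", "only-notify"):
        for token in conf.get(key, "").split(","):
            token = token.strip()
            if not token:
                continue
            try:
                cand = ipaddress.ip_network(token, strict=False)
            except ValueError:
                findings.append(f"{key}: '{token}' is not a valid address or prefix")
                continue
            if cand.version != net.version or not cand.subnet_of(net):
                findings.append(f"{key}: {token} is outside {expected_net}")

    # The built-in webserver and API should not be open to the world.
    if is_yes(conf, "api") or is_yes(conf, "webserver"):
        allowed = [a.strip() for a in conf.get("webserver-allow-from", "").split(",")]
        if "0.0.0.0/0" in allowed or "::/0" in allowed:
            findings.append("webserver-allow-from allows any address; limit it to management hosts")
        if conf.get("api-key", "") in ("", "changeme"):
            findings.append("api-key is empty or a placeholder value")
    return findings


# Constructed from the thread's configuration: PDNS is the secondary at
# 10.200.1.13, BIND the primary at 10.200.1.12.
SAMPLE_CONF = """
allow-axfr-ips=10.200.1.12
allow-notify-from=10.200.1.12
also-notify=10.200.1.12
api=yes
api-key=changeme
forward-notify=10.200.1.12
local-address=0.0.0.0
master=yes
only-notify=10.1.200.12/23,::/0
query-local-address=10.1.200.13
slave=yes
webserver-allow-from=0.0.0.0/0,::/0
"""

# The same server with the review's remarks applied (my assumption of a
# minimal secondary-only configuration).
CLEAN_CONF = """
allow-axfr-ips=10.200.1.12
allow-notify-from=10.200.1.12
local-address=10.200.1.13
query-local-address=10.200.1.13
slave=yes
"""

if __name__ == "__main__":
    for finding in check_secondary(parse_pdns_conf(SAMPLE_CONF), "10.200.1.0/24"):
        print("-", finding)
    print("clean config findings:", check_secondary(parse_pdns_conf(CLEAN_CONF), "10.200.1.0/24"))
```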

Re: [Pdns-users] max-negative-ttl does not work

2019-01-09 Thread Nico CARTRON
On 09-Jan-2019 12:00 CET,  wrote:

> On 09/01/2019 10:51, Stefan Priebe - Profihost AG wrote:
> > Real test is / was:
> > mydomain.multi.uribl.rblserver.de-nserver.de
> 
> I see a SERVFAIL here, not an NXDOMAIN.  Do you get the same?
> 
> $ dig mydomain.multi.uribl.rblserver.de-nserver.de
> 
> ; <<>> DiG 9.10.6 <<>> mydomain.multi.uribl.rblserver.de-nserver.de
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20062
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> With dig +trace it stops here:
> 
> ...
> 
> uribl.rblserver.de-nserver.de. 3600 IN    NS rblserver.de-nserver.de.
> ;; Received 87 bytes from 91.151.23.20#53(ns2.de-nserver.de) in 9 ms
> 
> ;; connection timed out; no servers could be reached

Yep, same here, I also see a SERVFAIL.

-- 
Nico


Re: [Pdns-users] max-negative-ttl does not work

2019-01-09 Thread Nico CARTRON
On 09-Jan-2019 10:46 CET,  wrote:

> Hi,
> 
> Am 09.01.19 um 09:53 schrieb Nico CARTRON:
> > On 09-Jan-2019 09:39 CET,  wrote:
> > 
> >> Hi Nico,
> >>
> >> Am 09.01.19 um 09:33 schrieb Nico CARTRON:
> >>> Hi Stefan,
> >>>
> >>> On 09-Jan-2019 09:19 CET,  wrote:
> >>>
> >>>> Dear List,
> >>>>
> >>>> i'm trying to get max-negative-ttl to work but i can't.
> >>>>
> >>>> # dpkg -s pdns-recursor  | grep Version
> >>>> Version: 4.1.8-1pdns.stretch
> >>>>
> >>>> # grep max-negative-ttl /etc/powerdns/recursor.conf
> >>>> max-negative-ttl=30
> >>>>
> >>>> # dig -t A unknowndomainxyz.multi.hiddendomain.de
> >>>> ...
> >>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26437
> >>>> ...
> >>>>
> >>>> dumped cache:
> >>>>
> >>>> # grep "unknowndomainxyz.multi.hiddendomain.de" /cachefile
> >>>> unknowndomainxyz.multi.hiddendomain.de. 3588 A  ; tag 0
> >>>>
> >>>> Why is the TTL 3588 when max-negative-ttl is set to 30?
> >>>
> >>> Just did a quick check on one of my Recursor, version 4.1.8 running on
> >>> FreeBSD, and max-negative-ttl works as expected (i.e. if I set it to 30
> >>> seconds, I correctly get this back, should it be with a dig or when
> >>> dumping the cache).
> >>>
> >>> Did you forget to restart the recursor after having changed the value in
> >>> the recursor.conf? Cause the 3600 value is the default one.
> >>
> >> No it was def. restarted after changing the config.
> >>
> >> See below:
> >> # rec_control get-parameter max-negative-ttl
> >> max-negative-ttl="30"
> >>
> >> Greets,
> >> Stefan
> >>
> > 
> > So I did the test on a Debian Stretch, with the same version as you:
> > 
> > root@vm-pdns1-lab:/etc/powerdns# dpkg -s pdns-recursor |grep Version
> > Version: 4.1.8-1pdns.stretch
> > 
> > and I also got it working.
> > 
> > Do you mind sharing your entire recursor.conf configuration file?
> 
> I can provide it - just an idea. I'm talking about a subdomain which
> is missing / NXDOMAIN - the domain itself exists with a TTL of 3600.

Please share it :)
Also, please share the domain name you are testing with, not
"hiddendomain.de" - see
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

> Did you test a subdomain, where the real domain exists?

Yes, the domain I tested with exists indeed.


-- 
Nico


Re: [Pdns-users] max-negative-ttl does not work

2019-01-09 Thread Nico CARTRON
On 09-Jan-2019 09:39 CET,  wrote:

> Hi Nico,
> 
> Am 09.01.19 um 09:33 schrieb Nico CARTRON:
> > Hi Stefan,
> > 
> > On 09-Jan-2019 09:19 CET,  wrote:
> > 
> >> Dear List,
> >>
> >> i'm trying to get max-negative-ttl to work but i can't.
> >>
> >> # dpkg -s pdns-recursor  | grep Version
> >> Version: 4.1.8-1pdns.stretch
> >>
> >> # grep max-negative-ttl /etc/powerdns/recursor.conf
> >> max-negative-ttl=30
> >>
> >> # dig -t A unknowndomainxyz.multi.hiddendomain.de
> >> ...
> >> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26437
> >> ...
> >>
> >> dumped cache:
> >>
> >> # grep "unknowndomainxyz.multi.hiddendomain.de" /cachefile
> >> unknowndomainxyz.multi.hiddendomain.de. 3588 A  ; tag 0
> >>
> >> Why is the TTL 3588 when max-negative-ttl is set to 30?
> > 
> > Just did a quick check on one of my Recursor, version 4.1.8 running on
> > FreeBSD, and max-negative-ttl works as expected (i.e. if I set it to 30
> > seconds, I correctly get this back, should it be with a dig or when
> > dumping the cache).
> > 
> > Did you forget to restart the recursor after having changed the value in
> > the recursor.conf? Cause the 3600 value is the default one.
> 
> No it was def. restarted after changing the config.
> 
> See below:
> # rec_control get-parameter max-negative-ttl
> max-negative-ttl="30"
> 
> Greets,
> Stefan
> 

So I did the test on a Debian Stretch, with the same version as you:

root@vm-pdns1-lab:/etc/powerdns# dpkg -s pdns-recursor |grep Version
Version: 4.1.8-1pdns.stretch

and I also got it working.

Do you mind sharing your entire recursor.conf configuration file?

-- 
Nico


Re: [Pdns-users] max-negative-ttl does not work

2019-01-09 Thread Nico CARTRON
Hi Stefan,

On 09-Jan-2019 09:19 CET,  wrote:

> Dear List,
> 
> i'm trying to get max-negative-ttl to work but i can't.
> 
> # dpkg -s pdns-recursor  | grep Version
> Version: 4.1.8-1pdns.stretch
> 
> # grep max-negative-ttl /etc/powerdns/recursor.conf
> max-negative-ttl=30
> 
> # dig -t A unknowndomainxyz.multi.hiddendomain.de
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26437
> ...
> 
> dumped cache:
> 
> # grep "unknowndomainxyz.multi.hiddendomain.de" /cachefile
> unknowndomainxyz.multi.hiddendomain.de. 3588 A  ; tag 0
> 
> Why is the TTL 3588 when max-negative-ttl is set to 30?

Just did a quick check on one of my Recursor, version 4.1.8 running on
FreeBSD, and max-negative-ttl works as expected (i.e. if I set it to 30
seconds, I correctly get this back, should it be with a dig or when
dumping the cache).

Did you forget to restart the recursor after having changed the value in
the recursor.conf? Cause the 3600 value is the default one.

Cheers,


-- 
Nico


Re: [Pdns-users] pdnsutil increase-serial not working for mysql with autoserial

2018-11-07 Thread Nico CARTRON
Hi,

Somebody pointed out that you’re missing some fields in your SOA records. 
Please correct it using what has been suggested and try again.  

-- 
Nico

> On 7 Nov 2018, at 21:40, MRob  wrote:
> 
> in fact after reboot looks like old serial is lost for all domains.
> 
> why is change_date not kept up to date?  all domains have it to be NULL, I 
> think it's where the serial is derived from when using autoserial
> 
> 
> > On 2018-11-07 20:18, MRob wrote:
> > Please some help for this? Looks like pdnsutil increase-serial not
> > made to work for mysql backend with autoserial, so how to
> > programmatically request increase serial?
> > > pdnsutil increase-serial example.org
> > Error: Parsing record content (try 'pdnsutil check-zone'): missing
> > field at the end of record content 'ns.example.org cont...@example.org
> > 0'
> > > pdnsutil check-zone example.org
> > Checked 21 records of 'example.org', 0 errors, 0 warnings.
> > > > > Related, where is serial stored in auto-serial case? I find
> > > > > "change_date" field NULL on all records and "notified_serial" NULL on
> > > > > this domain (but it's 0 on the other domains, not sure why). In this
> > > > > situation what happens if server reboot, SOA has to be reclaimed from
> > > > > somewhere??
> > > > As far as I know this can be found in the table "records", column 
> > > > "content",
> > > > for every entry of the type "SOA". It corresponds to the provided serial 
> > > > number
> > > > you get with   "dig  SOA"   (if no DNSSEC is active).
> > > Well for auto-serial you must set that value as 0 so my question being 
> > > where the serial is kept in this special case and carried across reboot 
> > > situation.



Re: [Pdns-users] Increment SOA programmatically?

2018-11-05 Thread Nico CARTRON
Hi MRob, 

On 05-nov-2018 17:34 CET,  wrote:

> On 2018-11-05 10:57, Torsten Hantzsche wrote:
> > On Sun, 4 Nov 2018, MRob wrote:
> > 
> > 
> > > I use mysql backend and SOA serial set to 0 in datebase for
> > > auto-serial features. But sometime come occasion we must update one
> > > record in database directly, not using DNSUPDATE. In this case how
> > > to tell pdns please update SOA serial? I cant find pdns_control,
> > > pdnsutil command for this.
> > > 
> > 
> > Hi,
> > 
> > if you execute pdnsutil w/o any options it lists all available commands.
> > There you can find:
> > 
> > "increase-serial ZONE                     Increases the SOA-serial by 1. Uses SOA-EDIT"
> 
> oh Thanks! The manpage is out of date :)
> still, it didn't work with auto-serial configuration:
> 
> > pdnsutil increase-serial example.org
> Error: Parsing record content (try 'pdnsutil check-zone'): missing field at
> the end of record content 'ns.example.org cont...@example.org 0'

could you paste the content of the SOA record for this zone?

> > pdnsutil check-zone example.org
> Checked 21 records of 'example.org', 0 errors, 0 warnings.
> 
> 
> > > Related, where is serial stored in auto-serial case? I find
> > > "change_date" field NULL on all records and "notified_serial" NULL on
> > > this domain (but its 0 on the other domains, not sure why). In this
> > > situation what happens if server reboot, SOA has to be reclaimed from
> > > somewhere??
> > 
> > 
> > As far as I know this can be found in the table "records", column
> > "content",
> > for every entry of the type "SOA". It corresponds to the provided serial
> > number
> > you get with   "dig  SOA"   (if no DNSSEC is active).
> 
> Well for auto-serial you must set that value as 0 so my question being where
> the serial is kept in this special case and carried across reboot situation.

-- 
Nico
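The error quoted in this thread and in the "pdnsutil increase-serial" thread above comes from an SOA content with only three of the seven fields. As an added example (not pdnsutil code), here is a parser for the SOA `content` string stored by the gmysql backend that reports the missing field the same way, plus a serial bump using RFC 1982 wrap-around. The sample rows are constructed; leaving a serial of 0 untouched (the backend's auto-serial marker, as described in the thread) is a design choice made here, not pdnsutil's behaviour.

```python
"""Parse and bump the SOA record content stored by the gmysql backend.

Added example for this thread, not pdnsutil code. The 'content' column
of an SOA row holds seven whitespace-separated fields:
    mname rname serial refresh retry expire minimum
A row with only the first three fields (as in the error quoted above)
is reported as a missing field at the end of the content. The serial
increase follows RFC 1982 arithmetic (wraps at 2^32). A serial of 0 is
left alone here because the thread uses 0 as the auto-serial marker;
that special case is an assumption of this example. Sample rows below
are constructed.
"""
from dataclasses import dataclass

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


@dataclass
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

    def content(self) -> str:
        """Serialise back to the backend's content format."""
        return " ".join(str(getattr(self, name)) for name in SOA_FIELDS)


def parse_soa_content(content: str) -> SOA:
    """Parse a gmysql SOA content string, raising ValueError on bad input."""
    parts = content.split()
    if len(parts) < len(SOA_FIELDS):
        missing = SOA_FIELDS[len(parts)]
        raise ValueError(f"missing field at the end of record content {content!r} "
                         f"(first missing field: {missing})")
    if len(parts) > len(SOA_FIELDS):
        raise ValueError(f"too many fields in record content {content!r}")
    numbers = []
    for name, value in zip(SOA_FIELDS[2:], parts[2:]):
        if not value.isdigit() or int(value) > 0xFFFFFFFF:
            raise ValueError(f"{name} must be an unsigned 32-bit integer, got {value!r}")
        numbers.append(int(value))
    return SOA(parts[0], parts[1], *numbers)


def soa_problem(content: str):
    """Return the parse error for an SOA content string, or None if it is valid."""
    try:
        parse_soa_content(content)
    except ValueError as exc:
        return str(exc)
    return None


def increase_serial(content: str) -> str:
    """Return the content with the serial increased by one (RFC 1982 wrap).

    A serial of 0 is left untouched: in the thread's setup 0 means
    'derive the serial automatically', so bumping it would switch the
    zone to a hand-maintained serial (assumption of this example).
    """
    soa = parse_soa_content(content)
    if soa.serial != 0:
        soa.serial = (soa.serial + 1) % (1 << 32)
    return soa.content()


# Constructed sample rows: one like the broken content from the thread,
# one complete, and one using the auto-serial marker.
BROKEN_ROW = "ns.example.org hostmaster.example.org 0"
COMPLETE_ROW = "ns.example.org hostmaster.example.org 2018110701 10800 3600 604800 3600"
AUTOSERIAL_ROW = "ns.example.org hostmaster.example.org 0 10800 3600 604800 3600"

if __name__ == "__main__":
    for row in (BROKEN_ROW, COMPLETE_ROW, AUTOSERIAL_ROW):
        problem = soa_problem(row)
        print(row, "->", problem if problem else increase_serial(row))
```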


Re: [Pdns-users] irregular version string - {packages from Repo}?

2018-08-14 Thread Nico CARTRON
Hi Chris,

> On 14 Aug 2018, at 23:03, Chris Ernst  wrote:
> 
> Dear all
> 
> recently i downloaded the Debian 9 packages from http://repo.powerdns.com
> 
> Specifically I use:
> "PowerDNS Authoritative Server - master branch"
> to further document this, I executed to following two commands:
> 
> # dpkg -l | grep power
> ii  pdns-server  0.0.2400g4c928be-1pdns.stretch amd64
> 
> # pdns_server --version
> Aug 14 20:45:46 PowerDNS Authoritative Server 0.0.2400g4c928be (C) 2001-2018 
> PowerDNS.COM BV
> 
> what makes me wonder is the Version-String.
> Is 0.0.2400g4c928be correct? Shouldn't it be 4.1.3 or alike?
> 
> This version string causes explicit problems in interaction with nsedit
> (https://github.com/tuxis-ie/nsedit). nesdit checks the version number and 
> expects a 4.
> 
> any comments are highly appreciated.
> best regards
> Chris

From the Repo web page:
“
master — GitHub master branch. Useful for testing, expect breakage.
”
You should use the 41 repository. 

Nico. 



Re: [Pdns-users] SOA record not resolved for my domains

2018-04-26 Thread Nico CARTRON
Hi Hamed,

> On 26 Apr 2018, at 06:34, Hamed Haghshenas  wrote:
> 
> Hi,
>  
> I configure PowerDNS with the configuration below:
> setuid=pdns
> setgid=pdns
> launch=gmysql,geoip
> gmysql-host=localhost
> gmysql-user=powerdns
> gmysql-password=Hamed@2013
> gmysql-dbname=powerdns
> geoip-database-files=/usr/share/GeoIP/GeoIP.dat
> geoip-zones-file=/etc/pdns/GeoIP/geo.yaml
> edns-subnet-processing=yes
> log-dns-queries=yes
> loglevel=9
> udp-truncation-threshold=4096
> server-id=ns1.example.com
>  
> my zone file for my website is like below where MY IP is (W.X.Y.Z):
> $ORIGIN .
> mail.example.com   300 IN  A   W.X.Y.Z
> ns1.example.com300 IN  A   W.X.Y.Z
> ns2.example.com300 IN  A   W.X.Y.Z
> example.com300 IN  A   W.X.Y.Z
> example.com300 IN  MX  10 mail.example.com.
> example.com300 IN  NS  ns1.example.com.
> example.com300 IN  NS  ns2.example.com.
> example.com300 IN  SOA ns1.example.com 
> hostmaster.example.com 2018041910 28800 3600 3600 3600
> www.example.com300 IN  CNAME   example.com.
>  
> but when try lookup for SOA record, nothing resolved !
>  
> dig example.com @8.8.8.8 SOA
> ;; QUESTION SECTION:
> ; example.com.  IN  SOA
>  
> I appreciate it, if let me know how make changes to fix this problem (resolve 
> SOA record).
>  

Is example.com the zone you’re using? Or did you replace it in the above output?

If the former then you are not authoritative for it and that’s why Google 
public DNS won’t answer with what you configured. 
If the latter, please give us your domain name as well as your Authoritative IP 
addresses, otherwise it's near impossible to help you. 

Cheers,

-- 
Nico


Re: [Pdns-users] SRV records do not transfer correctly

2017-03-04 Thread Nico CARTRON

Hi NoBloat,

On 04/03/2017 17:03, NoBloat wrote:

> I'm not sure if this will show up so I'll post both the inline and the url of 
> the images I've taken.
> 
> First, I created the SIP SRV records on the master. There are 9 SRV records.
> 
> http://i64.tinypic.com/2r21xy0.png
> 
> Each time I update the slave, this is what I get.
> 
> http://i67.tinypic.com/2vnq32s.png
> 
> As you can see in the second image, the SRV records are showing up but there 
> are some weird ones that show up also.
> So far, I've not had much luck with SRV and especially NAPTR records.

Why did you create another thread? Please just answer to your initial 
email, it makes things confusing and impossible to follow-up.
Also, Bert has explained that it's worthless obfuscating the domain 
name, we cannot help.
Furthermore, posting on-line pictures (i.e. we have to open a web 
browser to see them) rather than result of commands is not helpful either...

So please give us the relevant information (e.g. domain name, IP 
addresses of your PowerDNS servers), in the same email (hit the "Reply" 
button of your email client) and without on-line pictures.


Cheers,

--
Nico


Re: [Pdns-users] pdns_recursors trusts addtional section where it better shouldn't

2017-02-17 Thread Nico CARTRON

On 17/02/2017 10:58, bert hubert wrote:

> On Fri, Feb 17, 2017 at 10:49:08AM +0100, Thomas Mieslinger wrote:
> 
> > ovh changed its MX A records and now my employers Mail relays can't send
> > email to ovh.
> 
> Have you attempted to talk to OVH about their misconfiguration?
> 
> I ask this because the DNS Resolver community keeps getting asked to solve
> problems which are not ours. But it is easier to ask us to change.
> 
> We (BIND, Unbound) keep running into broken F5 configurations for example,
> and yes, we can fix those with some special casing. But people always ask us
> because we are easier to talk to than the operators of the F5 machines.
> 
> And so the code in resolvers becomes ever more a set of exceptions and
> workarounds. And please know, every workaround breaks something else.
> 
> So please ask OVH to fix their stuff.

Agreed, they usually are very responsive, either by email or Twitter.

--
Nico


Re: [Pdns-users] Powerdns 3.4.10-1 domainmetadata ALSO-NOTIFY not working

2016-12-19 Thread Nico CARTRON


On 20 December 2016 02:45:49 CET, Paul Travers 
 wrote:
> Ah ha! That's probably my issue, I will reply back if that doesn't fix
> it!

You should actually also reply back if that fixes the issue, so that people 
searching the list archive can find the information when needed :)

-- 
Nico


> On Dec 19, 2016 8:25 PM, "Christian Hofstädtler | Deduktiva" <christian.hofstaedt...@deduktiva.com> wrote:
> 
> > > On 20 Dec 2016, at 00:29, Paul Travers wrote:
> > >
> > > I have the following entries in my domainmetadata table:
> > >
> > > mysql> select * from domainmetadata where domain_id = 3;
> > > +----+-----------+-----------------+----------+-----------------+
> > > | id | domain_id | kind            | content  | date_modified   |
> > > +----+-----------+-----------------+----------+-----------------+
> > > | 27 |         3 | ALSO-NOTIFY     | 2.2.2.2  | -00-00 00:00:00 |
> > > | 28 |         3 | ALSO-NOTIFY     | 1.1.1.1  | -00-00 00:00:00 |
> > > | 14 |         3 | TSIG-ALLOW-AXFR | tsig-key | -00-00 00:00:00 |
> > > +----+-----------+-----------------+----------+-----------------+
> > > 3 rows in set (0.00 sec)
> > >
> > > Whenever the powerdns server receives a notification from the
> > > master ...
> >
> > Sounds like you need slave-renotify=yes in your config; do you have
> > that?
> > By default this is off.
> >
> > --
> > Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
> > www.deduktiva.com / +43 1 353 1707
