Re: [Pdns-users] How to config pdns to send notification to address not in "IN NS" record.
> On 12 Mar 2024, at 12:54, Brian Candler via Pdns-users wrote:
>
> On 12/03/2024 11:40, Bino Oetomo wrote:
>> I run --> tcpdump -vv --interface eth1 port 53 at powerdns box, got no traffic indicating notification sent.
>> But when I restart the bind9 service at the slave, tcpdump shows some traffic to and from slave.
>>
>> So still IMHO my pdns box did not send any notification to slaves.
>
> OK, so next you said you "did some record editing", how exactly did you do that? Editing the zone files and restarting or reloading pdns? Via the API? Something else?
>
> There's information about the bind backend, including its behavior w.r.t. notifies, here:
>
> https://doc.powerdns.com/authoritative/backends/bind.html
>
> In particular, note that restarting powerdns will *not* send out notifies.

Also, make sure that the zone on PowerDNS is set to "Primary" and not Native. Else no Notify will be sent.
Happened to me recently ;) see https://www.ncartron.org/making-powerdns-send-notifies-to-secondaries.html

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Lightning Stream LMDB - Encryption ?
Hi Laura,

On 9/7/23 14:48, Laura Smith via Pdns-users wrote:
> PDNS with Lightning Stream LMDB looks like a welcome addition but having briefly glanced over the docs, I cannot see any client-side encryption settings, not even the option to use CMK on S3 blobs.
> Are there eventual plans for adding encryption capabilities to Lightning Stream?
> In addition, it would be nice to see the S3 connector be enhanced to support more authentication options such as:
> * Use of AWS roles
> * Use of AWS Security Token Service (AWS STS)
> * Use of X.509 certs (IAM Roles Anywhere)
> Whilst there will clearly still be many people out there only using Access Key + Secret Key, environments with a hardened security posture need some extra knobs and dials.

Bear in mind the implementation is not specific to AWS S3 - I tested Lightning Stream against Backblaze B2 and it works perfectly.

--
Nico
Re: [Pdns-users] Issue with lightningstream replication not working
Hi again,

On 5/18/23 09:15, Nico Cartron via Pdns-users wrote:
> Answering to myself after I've been pointed out off-list that I was missing lmdb-shards=1 in my pdns.conf
> I don't know how I missed that, but as soon as I added that line, lightningstream sync worked straight away and I can now see all changes propagated in both directions - new zones, editing the content of a zone etc

For those interested, I wrote a blog post about the installation of PDNS + Lightning Stream on FreeBSD:
https://www.ncartron.org/testing-powerdns-lightning-stream-to-sync-lmdb-backends.html

Cheers,

--
Nico
Re: [Pdns-users] Issue with lightningstream replication not working
Answering to myself after I've been pointed out off-list that I was missing lmdb-shards=1 in my pdns.conf
I don't know how I missed that, but as soon as I added that line, lightningstream sync worked straight away and I can now see all changes propagated in both directions - new zones, editing the content of a zone etc

Thank you Konrad! :-)

Cheers,

--
Nico

On 5/17/23 22:24, Nico Cartron via Pdns-users wrote:
> Hi,
>
> I'm testing PDNS Auth 4.8-beta1 with lightningstream on FreeBSD 13.
> I compiled PDNS manually with LMDB module (and gmake, as suggested in the README), and am using Backblaze B2 as S3 backend.
> The Lightningstream log indicates that replication happens in both directions, and I can indeed see the snapshots in my S3 bucket.
> But when I create a DNS zone on one PDNS server (with pdnsutil) and populate it, I can't see that zone on the second PDNS server - a pdnsutil list-all-zones doesn't show it.
> However, when I try to create that same zone on the second PDNS server, pdnsutil tells me that the zone already exists!
> And surely enough, when I delete that zone on the first PDNS, then I can create it on the second one - which shows that the LMDB/Lightningstream workflow works.
> The Lightningstream status webpage (http://:8500) also shows the same metrics for both instances.
> I must be missing something, but I'm having a hard time figuring out what. I looked at the Lightningstream doc and everything looks good.
>
> My pdns.conf:
>
>   local-address=192.168.x.y
>   local-port=53
>   launch=lmdb
>   lmdb-filename=/var/spool/pdns-4.8/pdns.lmdb
>   lmdb-random-ids=yes
>   lmdb-flag-deleted=yes
>   lmdb-map-size=1000
>   lmdb-sync-mode=sync
>   zone-cache-refresh-interval=0
>   zone-metadata-cache-ttl=0
>
> My Lightningstream YAML conf file:
>
>   instance: pdns
>   lmdbs:
>     main:
>       # Auth 'lmdb-filename'
>       path: /var/spool/pdns-4.8/pdns.lmdb
>       schema_tracks_changes: true
>       options:
>         no_subdir: true
>         create: true       # optional for 'main', as auth will create it on startup, if needed
>         map_size: 1000MB   # for create=true, make sure to match auth's lmdb-map-size
>     shard:
>       # Auth 'lmdb-filename' plus '-0' for the first shard
>       path: /var/spool/pdns-4.8/pdns.lmdb-0
>       schema_tracks_changes: true
>       options:
>         no_subdir: true
>         create: true       # strongly recommended for shards
>         map_size: 1000MB   # for create=true, make sure to match auth's lmdb-map-size
>   storage:
>     type: s3
>     options:
>       access_key: XX
>       secret_key: YY
>       bucket: pdns
>       create_bucket: false
>       endpoint_url: https://s3.us-west-000.backblazeb2.com
>   http:
>     address: ":8500"   # for status and metrics
>
> Cheers,
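A check for the mismatch this thread ran into, added here as an example; it is not PowerDNS or Lightning Stream code. It parses a pdns.conf, derives the LMDB files the lmdb backend will write from lmdb-filename and lmdb-shards, and compares them with the paths Lightning Stream is told to sync. The pdns.conf text and the two Lightning Stream paths are copied from the configuration posted above; the finding strings and function names are this example's own.

```python
"""Check that a PowerDNS Authoritative lmdb backend and a Lightning Stream
instance agree on which LMDB files exist.

Added example, not PowerDNS or Lightning Stream code. The pdns.conf text and
the Lightning Stream database paths below are constructed from the
configuration posted in the thread.
"""

# pdns.conf as posted (constructed copy): note that lmdb-shards is absent.
PDNS_CONF_FROM_THREAD = """\
local-address=192.168.x.y
local-port=53
launch=lmdb
lmdb-filename=/var/spool/pdns-4.8/pdns.lmdb
lmdb-random-ids=yes
lmdb-flag-deleted=yes
lmdb-map-size=1000
lmdb-sync-mode=sync
zone-cache-refresh-interval=0
zone-metadata-cache-ttl=0
"""

# 'path' values from the lmdbs: section of the Lightning Stream YAML as posted:
# the main database and exactly one shard (constructed copy).
LS_PATHS_FROM_THREAD = [
    "/var/spool/pdns-4.8/pdns.lmdb",
    "/var/spool/pdns-4.8/pdns.lmdb-0",
]


def parse_pdns_conf(text):
    """Parse pdns.conf 'key=value' lines into a dict; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_sharding(conf, ls_paths):
    """Compare the LMDB files the auth server will write with those Lightning
    Stream syncs. Returns a list of findings; an empty list means they agree.

    The lmdb backend keeps zones and metadata in <lmdb-filename> and records
    in shard files named <lmdb-filename>-0, -1, ... up to lmdb-shards. A shard
    that Lightning Stream does not sync holds records that never reach the
    other instance, which is the half-replicated zone seen in the thread.
    """
    findings = []
    filename = conf.get("lmdb-filename")
    if filename is None:
        return ["lmdb-filename is not set; cannot derive the database paths"]
    shards_raw = conf.get("lmdb-shards")
    if shards_raw is None:
        # Without an explicit value the server falls back to its built-in
        # default, so the shard count is not pinned to what Lightning Stream
        # is configured to sync. Report that rather than guess the default.
        return ["lmdb-shards is not set; pin it to the number of shards Lightning Stream syncs"]
    shards = int(shards_raw)
    expected = [filename] + [f"{filename}-{n}" for n in range(shards)]
    configured = set(ls_paths)
    for path in expected:
        if path not in configured:
            findings.append(f"auth writes {path} but Lightning Stream does not sync it")
    for path in ls_paths:
        if path not in expected:
            findings.append(f"Lightning Stream syncs {path} but auth will not write it")
    return findings


if __name__ == "__main__":
    for label, conf_text in (("as posted", PDNS_CONF_FROM_THREAD),
                             ("with lmdb-shards=1", PDNS_CONF_FROM_THREAD + "lmdb-shards=1\n")):
        result = check_sharding(parse_pdns_conf(conf_text), LS_PATHS_FROM_THREAD)
        print(f"{label}: {result or 'consistent'}")
```

Run against the posted configuration the check reports the missing lmdb-shards setting; with lmdb-shards=1 appended it reports nothing, and with lmdb-shards=2 it names the shard file Lightning Stream would never see.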
[Pdns-users] Issue with lightningstream replication not working
Hi,

I'm testing PDNS Auth 4.8-beta1 with lightningstream on FreeBSD 13.
I compiled PDNS manually with LMDB module (and gmake, as suggested in the README), and am using Backblaze B2 as S3 backend.
The Lightningstream log indicates that replication happens in both directions, and I can indeed see the snapshots in my S3 bucket.
But when I create a DNS zone on one PDNS server (with pdnsutil) and populate it, I can't see that zone on the second PDNS server - a pdnsutil list-all-zones doesn't show it.
However, when I try to create that same zone on the second PDNS server, pdnsutil tells me that the zone already exists!
And surely enough, when I delete that zone on the first PDNS, then I can create it on the second one - which shows that the LMDB/Lightningstream workflow works.
The Lightningstream status webpage (http://:8500) also shows the same metrics for both instances.
I must be missing something, but I'm having a hard time figuring out what. I looked at the Lightningstream doc and everything looks good.

My pdns.conf:

  local-address=192.168.x.y
  local-port=53
  launch=lmdb
  lmdb-filename=/var/spool/pdns-4.8/pdns.lmdb
  lmdb-random-ids=yes
  lmdb-flag-deleted=yes
  lmdb-map-size=1000
  lmdb-sync-mode=sync
  zone-cache-refresh-interval=0
  zone-metadata-cache-ttl=0

My Lightningstream YAML conf file:

  instance: pdns
  lmdbs:
    main:
      # Auth 'lmdb-filename'
      path: /var/spool/pdns-4.8/pdns.lmdb
      schema_tracks_changes: true
      options:
        no_subdir: true
        create: true       # optional for 'main', as auth will create it on startup, if needed
        map_size: 1000MB   # for create=true, make sure to match auth's lmdb-map-size
    shard:
      # Auth 'lmdb-filename' plus '-0' for the first shard
      path: /var/spool/pdns-4.8/pdns.lmdb-0
      schema_tracks_changes: true
      options:
        no_subdir: true
        create: true       # strongly recommended for shards
        map_size: 1000MB   # for create=true, make sure to match auth's lmdb-map-size
  storage:
    type: s3
    options:
      access_key: XX
      secret_key: YY
      bucket: pdns
      create_bucket: false
      endpoint_url: https://s3.us-west-000.backblazeb2.com
  http:
    address: ":8500"   # for status and metrics

Cheers,

--
Nico
Re: [Pdns-users] Powerdns on AWS Instances
On 27-Apr-2021 21:17 CEST, wrote:
> Hello,
>
> Is it possible to deploy powerdns on aws instances and have the instances run behind an ec2 load balancer?
> Any tips to set this up would be really helpful.
>
> My current design is a powerdns server and a pdns-recursor running on the same host (not aws) and I am using aws aurora mysql cluster as my backend with all the domains and records information. This setup is working as expected and I am able to resolve records that are saved in aurora sql db.
> Now I want to move pdns and pdns-recursor to aws instance so wondering what all issues I will face as I am not able to find any documentation about it.

Sounds like a mission for dnsdist! (www.dnsdist.org)

--
Nico
Re: [Pdns-users] What determines authoritative?
Hi,

On 20-Jun-2020 17:47 CEST, wrote:
> Yes, this is probably a dumb question, but I couldn't figure it out in 20 minutes of googling.
>
> I have a pdns installation for my local network. V4.1.13. Mysql backend.
>
> I noticed while debugging something else that it is returning non-authoritative answers for a zone for which it should be the authority.
>
> The zone has an SOA naming this host as the authority. It has an NS record saying it's the server for this zone. It knows its hostname. The A record for itself is correct. There *should* be enough information there for it to determine that it's authoritative.
>
> FWIW, I *think* in times past, this used to work. So maybe I've inadvertently changed some config? Dunno.
>
> What are the necessary conditions for pdns to return authoritative answers?

Would you mind sharing your configuration (pdns.conf as well as the zone in question)?
And also some dig requests against your PDNS Auth server.

--
Nico
Re: [Pdns-users] Sub-domains delegation. I am not sure what I missed.
Hi,

On 01-Jun-2020 12:19 CEST, wrote:
> I've got a test PDNS auth with mysql running in my internal network for the domain and delegate the vlan100 subdomain to another DNS in the network (see mysql extract below). I'm not sure why I'm not getting any answer for the A record test. When I do dig directly to the NS of the vlan100 sub-domain I get an answer.
>
> I'm not sure what I am missing. Thanks!

You're asking the PDNS Auth server (192.168.1.53) a question that only the other DNS server (192.168.1.50) has the answer to.
The answer you got to your `dig` request is a pointer to this 1.50 server, following delegation.
If you ask a recursive server that knows lab.integrate.zone / 192.168.1.50, then you should get an answer since it will do recursion.

Cheers,

--
Nico

> [root@ns1 ~]# dig @192.168.1.53 test.vlan100.lab.integrate.zone
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.3 <<>> @192.168.1.53 test.vlan100.lab.integrate.zone
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53535
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1680
> ;; QUESTION SECTION:
> ;test.vlan100.lab.integrate.zone. IN A
>
> ;; AUTHORITY SECTION:
> vlan100.lab.integrate.zone. 3 IN NS dns.lab.integrate.zone.
>
> ;; ADDITIONAL SECTION:
> dns.lab.integrate.zone. 3 IN A 192.168.1.50
>
> ;; Query time: 1 msec
> ;; SERVER: 192.168.1.53#53(192.168.1.53)
> ;; WHEN: Mon Jun 01 22:16:01 NZST 2020
> ;; MSG SIZE rcvd: 94
>
>
> DB extract:
>
> MariaDB [powerdns]> select id, name, master from domains;
> +----+--------------------+--------+
> | id | name               | master |
> +----+--------------------+--------+
> |  2 | lab.integrate.zone |        |
> +----+--------------------+--------+
>
> MariaDB [powerdns]> select domain_id, name, type, content from records where type='NS' and domain_id=2;
> +-----------+----------------------------+------+------------------------+
> | domain_id | name                       | type | content                |
> +-----------+----------------------------+------+------------------------+
> |         2 | lab.integrate.zone         | NS   | ns1.lab.integrate.zone |
> |         2 | vlan100.lab.integrate.zone | NS   | dns.lab.integrate.zone |
> +-----------+----------------------------+------+------------------------+
>
> MariaDB [powerdns]> select domain_id, name, type, content from records where id=137;
> +-----------+------------------------+------+--------------+
> | domain_id | name                   | type | content      |
> +-----------+------------------------+------+--------------+
> |         2 | dns.lab.integrate.zone | A    | 192.168.1.50 |
> +-----------+------------------------+------+--------------+
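The dig output above shows what a referral looks like on the wire: AA clear, an empty ANSWER section, an NS record in AUTHORITY and the glue A record in ADDITIONAL. The following Python, added here as an example and not PowerDNS code, rebuilds that 94-byte response as a constructed message (the flags, ID, names, TTLs and address are taken from the dig output; the record order inside ADDITIONAL is assumed) and parses it the way a resolver would, telling a referral apart from an authoritative answer and extracting the glue it would follow next.

```python
"""Tell a referral from an authoritative answer by reading the DNS wire format.

Added example, not PowerDNS code. It rebuilds the response shown in the dig
output (ID 53535, flags qr rd, empty ANSWER, one NS in AUTHORITY, glue A plus
OPT in ADDITIONAL) as a constructed message, then parses it as a resolver would.
"""
import struct

FLAG_QR, FLAG_AA, FLAG_RD = 0x8000, 0x0400, 0x0100
TYPE_A, TYPE_NS, TYPE_OPT = 1, 2, 41


def encode_name(name, offsets, pos):
    """Wire-encode a name that will start at message offset pos, reusing an
    earlier occurrence of any suffix via a compression pointer (RFC 1035 4.1.4)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:
            return bytes(out + struct.pack("!H", 0xC000 | offsets[suffix]))
        offsets[suffix] = pos + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out + b"\x00")


def build_message(msg_id, flags, question, answers=(), authority=(), additional=()):
    """question: (qname, qtype); RRs: (name, type, class, ttl, rdata) where rdata
    is bytes, or a str domain name (for NS) so that it is compressed as well."""
    offsets = {}
    buf = bytearray(struct.pack("!HHHHHH", msg_id, flags, 1,
                                len(answers), len(authority), len(additional)))
    buf += encode_name(question[0], offsets, len(buf)) + struct.pack("!HH", question[1], 1)
    for name, rtype, rclass, ttl, rdata in list(answers) + list(authority) + list(additional):
        buf += encode_name(name, offsets, len(buf))
        if isinstance(rdata, str):
            rdata = encode_name(rdata, offsets, len(buf) + 10)  # after the 10-byte RR header
        buf += struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return bytes(buf)


def decode_name(msg, off):
    """Return (name, offset just past the name), following compression pointers."""
    labels, end = [], None
    for _ in range(128):                       # bound the walk: no pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:              # 11xxxxxx: 14-bit pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", end if end is not None else off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("compression pointer loop")


def parse_message(msg):
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4     # skip qname, qtype, qclass
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE_NS:
                rdata = decode_name(msg, off)[0]
            elif rtype == TYPE_A and rdlen == 4:
                rdata = ".".join(str(b) for b in msg[off:off + 4])
            else:
                rdata = msg[off:off + rdlen]   # OPT and anything else: raw bytes
            off += rdlen
            rrs.append((name, rtype, rdata))
        sections[key] = rrs
    return {"id": msg_id, "flags": flags, **sections}


def classify(parsed):
    """'authoritative' when AA is set; 'referral' when ANSWER is empty but AUTHORITY
    carries NS records (the auth server says which server to ask next); otherwise
    'non-authoritative'."""
    if parsed["flags"] & FLAG_AA:
        return "authoritative"
    has_ns = any(rtype == TYPE_NS for _, rtype, _ in parsed["authority"])
    return "referral" if not parsed["answer"] and has_ns else "non-authoritative"


def glue(parsed):
    """Map each delegated NS target to the A addresses supplied in ADDITIONAL."""
    targets = {rdata for _, rtype, rdata in parsed["authority"] if rtype == TYPE_NS}
    return {t: [rd for n, rtype, rd in parsed["additional"] if n == t and rtype == TYPE_A]
            for t in targets}


def referral_from_thread():
    """The 94-byte response from the dig output, reconstructed (not a capture)."""
    opt = (".", TYPE_OPT, 1680, 0, b"")        # EDNS OPT: class field carries the UDP size
    return build_message(
        53535, FLAG_QR | FLAG_RD, ("test.vlan100.lab.integrate.zone.", TYPE_A),
        authority=[("vlan100.lab.integrate.zone.", TYPE_NS, 1, 3, "dns.lab.integrate.zone.")],
        additional=[("dns.lab.integrate.zone.", TYPE_A, 1, 3, bytes([192, 168, 1, 50])), opt],
    )
```

With name compression the rebuilt message is exactly the 94 bytes dig reported. The point for the thread is in classify(): a client that only looks at the rcode sees NOERROR and nothing else, while a resolver checks AA and, finding it clear with NS records in AUTHORITY, goes on to ask 192.168.1.50.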
Re: [Pdns-users] dnssec and lua-config--file
On 12-May-2020 19:11 CEST, wrote:
> Hi,
>
> Yes I do:
>
> cat recursor.conf | grep -v '^\s*$\|^\s*\#'
> config-dir=/etc/powerdns
> dnssec-log-bogus=yes
> hint-file=/usr/share/dns/root.hints
> local-address=0.0.0.0
> local-port=3334
> *lua-config-file=/etc/powerdns/recursor.lua*
> quiet=yes
> security-poll-suffix=
> setgid=pdns
> setuid=pdns
> trace=fail
> forward-zones=example.net=192.168.1.28:
>
> Maybe I'm using the wrong syntax in forward-zones ...

Nope, the syntax is correct.

However, in your original email, you said that you wanted to:
- resolve normally example.net (I fixed a typo in the domain name, since you wrote `exemple.net`)
- forward the request foo.example.net to an internal authoritative server

Your configuration forwards *all* requests to `example.net` to the 192.168.1.28 server.
You should replace it with:

forward-zones=foo.example.net=192.168.1.28:

Also, can you send the result of a request for .foo.example.net, e.g. using dig?

Side question: why using `hint-file`? Are you using a specific root servers configuration? If not, you don't need that.

Cheers,

--
Nico
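The difference between the two forward-zones lines above comes down to how the Recursor matches a query name against the configured zones: the longest configured suffix wins, label by label, and a name under no configured zone is resolved by normal recursion. The Python below, added as an example and not Recursor code, models that rule over the setting as posted and the corrected one (ports omitted); the helper names and the sample query names are this example's own.

```python
"""Which server a PowerDNS Recursor forward-zones setting sends a query to.

Added example, not Recursor code. It models the documented matching rule:
a query goes to the configured zone that is the longest suffix of the query
name (label-aligned, case-insensitive); a name under no configured zone is
resolved by normal recursion. The two settings are the one posted in the
thread and the corrected one from the reply, with the port left out.
"""

AS_POSTED = "example.net=192.168.1.28"        # forwards the whole example.net tree
CORRECTED = "foo.example.net=192.168.1.28"    # forwards only the delegated subtree


def parse_forward_zones(setting):
    """Parse 'zone=server[:port][;server2...], zone2=server' into {zone: [servers]}.
    Zone names are normalised to lowercase without trailing dot; the root is '.'."""
    zones = {}
    for entry in setting.split(","):
        entry = entry.strip()
        if not entry:
            continue
        zone, _, servers = entry.partition("=")
        zone = zone.strip().lower().rstrip(".") or "."
        zones[zone] = [s.strip() for s in servers.split(";") if s.strip()]
    return zones


def forward_target(zones, qname):
    """Return (zone, servers) for the longest configured suffix of qname, or
    None when the Recursor would resolve the name itself."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):               # most specific suffix first
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate, zones[candidate]
    if "." in zones:                           # a root entry catches everything else
        return ".", zones["."]
    return None


def routing(setting, qnames):
    """Describe, per query name, what a Recursor with this setting does with it."""
    zones = parse_forward_zones(setting)
    result = {}
    for q in qnames:
        hit = forward_target(zones, q)
        result[q] = "recursion" if hit is None else f"forward to {';'.join(hit[1])} (zone {hit[0]})"
    return result


# Constructed query names: one in the parent zone, the delegated name itself,
# a host below it, a look-alike that shares a string suffix but not a label
# boundary, and an unrelated zone.
QUERIES = ["www.example.net", "foo.example.net", "host.foo.example.net",
           "notexample.net", "example.com"]

if __name__ == "__main__":
    for label, setting in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label)
        for q, action in routing(setting, QUERIES).items():
            print(f"  {q:24} -> {action}")
```

The look-alike name matters: matching is on whole labels, so notexample.net is not under example.net, and the corrected setting leaves www.example.net to normal recursion while still forwarding every name at or below foo.example.net.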
Re: [Pdns-users] dnssec and lua-config--file
Hi Pierre,

On 12-May-2020 16:59 CEST, wrote:
> Hello,
>
> I'm testing pdns-recursor and I'd like to config it in order to:
>
> - resolves normally exemple.net
> - forwards the request foo.example.net to an internal authoritative server
>
> I've read the documentation, and found:
> https://docs.powerdns.com/recursor/settings.html#forward-zones
> I've seen the remark regarding DNSSEC and thus use a lua-config-file in which I added, to not use DNSSEC for this particular domain name:
> addNTA("foo.example.net", "test")
>
> However, I can't get any answer and the log is quite obvious:
> "Wants DNSSEC processing in query A ..."
>
> It seems that my lua file isn't taken.
> Am I wrong? How can I check whether the lua file is used or not.

Did you specify the path to your Lua file in the recursor.conf file? Something like:

lua-config-file=

If so, can you share your recursor.conf?

Cheers,

--
Nico
Re: [Pdns-users] Fallback to recursor if authoritative fails
Hi Saad,

On 01-May-2020 05:17 CEST, wrote:
> Hi,
>
> My use case is such that I have some local as well as TLD domains inside the authoritative server but I would also like to use a recursor so that local clients can send queries for let's say google.com.
>
> Is there a way to do this in such a way that I do not have to hard-code forward zones from recursor to authoritative server like on this page:
> https://doc.powerdns.com/authoritative/guides/recursion.html#id4
>
> From what I understand, this used to be possible out of the box before 4.1.0. How can we achieve this now?

You're probably looking for this:
"Migrating from using recursion on the Authoritative Server to using a Recursor"
https://doc.powerdns.com/authoritative/guides/recursion.html

Cheers,

--
Nico
Re: [Pdns-users] DNSSEC and SOA records
Hi Tamer,

On 21-Jul-2019 22:10 CEST, wrote:
> Hello,
>
> I have set up PowerDNS 4.2.0-rc2 through the CentOS 7 repository. Everything works fine except SOA replies in AUTHORITY SECTIONs with DNSSEC enabled. We are testing the domain through the well-known validator Internet.nl and it results in a BOGUS validation. They state that it's because test.nizari.nl is not returning SOA records in the AUTHORITY SECTION.

so the zone you're testing with is test.nizari.nl, right?
It seems there's no delegation for this zone, hence no SOA.

> The following works and returns a proper SOA answer:
> dig soa nizari.nl
> dig soa test.nizari.nl @ns1.nizari.nl
> dig soa test.nizari.nl @1.1.1.1
> dig soa test.nizari.nl @8.8.8.8 +cd
>
> The following does not work and results in a SERVFAIL:
> dig soa test.nizari.nl
> dig soa test.nizari.nl @8.8.8.8
>
> Is this normal behaviour or is there something wrong with my config? The nameservers run simply in a MySQL cluster.
>
> pdns.conf:
> local-address=0.0.0.0
> local-ipv6=::
> local-port=5300
> launch=gmysql,geoip
> gmysql-host=
> gmysql-user=
> gmysql-dbname=
> gmysql-password=
> geoip-database-files
> loglevel=9
> enable-lua-records=yes
> edns-subnet-processing=yes
> log-dns-queries=yes
> gmysql-dnssec=yes
> disable-syslog=yes
> resolver=8.8.8.8,[2001:4860:4860::]

Also, why are you using the 'resolver' setting without 'expand-alias'? This setting is not meant to specify the resolver to send recursive requests to, but is related to the ALIAS records (https://doc.powerdns.com/authoritative/guides/alias.html).

Cheers,

--
Nico

> If there is something wrong with my config, why does 1.1.1.1 work and 8.8.8.8 not?
> I see no errors in the logs and all other DNS related stuff is working.
>
> DNSVIZ results are OK.
>
> Any help or tips can be of use, I have been debugging this for three days now. Thank you for reading!
Re: [Pdns-users] Master node notifying the slave nodes to update
Hi,

> On 18 Jul 2019, at 17:06, 姜伯洋 <1513...@163.com> wrote:
>
> cat /var/log/message
> Jul 18 20:07:48 VM_9_140_centos pdns_server: Error trying to resolve '[::1]:53' for notifying 'wptqc.com' to server: Unable to send notify to [::1]:53: No route to host
>
> This is the error of the master node. I don't know where I configured the address. Therefore, after the master node changes the configuration, it will send a notification to this address. I should close the address there.

First, hello.
Then, in order to help you, we would need a bit more information on your setup.
It looks like the logs are coming from the PowerDNS Authoritative server, and that you have configured your Master server with a zone named wptqc.com, and the master server is trying to notify slave zones using the IPv6 localhost address.
Could you show us the content of this zone and whether there's any Metadata configured for this zone in your backend?

Cheers,

--
Nico
Re: [Pdns-users] pdns-recursor delegate some queries to another recursor
Hi,

On 20-May-2019 16:04 CEST, wrote:
>> wonder if the following is possible somehow with pdns-recursor. Our main recursor A sometimes has problems talking to some auth servers. In the same time another recursor B in our network still can talk to such an auth server.
>>
>> So we wonder if we could somehow send queries for such auth servers via the other recursor. The decision to send queries to the other box is based on the IP address of the auth server. The idea is to route such queries from recursor A to recursor B while all other queries from recursor A should still be sent without recursor B.
>>
>> Is something like that possible in pdns-recursor or do we have to use a tool like dnsdist?
>
> Hi Tobi,
>
> I recommend using dnsdist for this use-case! Sending traffic to backend dns servers is what dnsdist is made for!

While it's true that what Frank suggested is totally doable with dnsdist (and actually one of its missions), it would be interesting though to understand why one of your recursors has issues to reach the authoritative server, and another recursor has no issue.

A couple of questions:
- are they running the same Recursor version?
- are they on the same network / same site / faced by the same network equipments, if any (e.g. firewall) / any ACL in place
- which OS are they running (if differences between the 2)

Cheers,

--
Nico
Re: [Pdns-users] pdns server api access leads to "Internal Server Error"
Hi Tobi,

On 07-May-2019 16:49 CEST, wrote:
> Hi list
>
> I have an application which accesses the pdns server via the api interface. I'm using pdns 4.1.8 on a CentOS 7 with latest updates. pdns runs with mysql backend on mariadb.
>
> All except one api query work as expected but when I fire such a query
>
> curl -X GET -H 'X-API-Key: MY_API' http://127.0.0.1:8081/api/v1/servers/localhost/zones/mydomain.tld
>
> I get a http 500 "Internal Server Error" message. Like said it's the only query that fails. Any other for example
>
> http://127.0.0.1:8081/api/v1/servers/localhost/zones
>
> lists the zones available without any problem.
>
> The documentation on https://doc.powerdns.com/authoritative/http-api/zone.html specifies this endpoint as valid
>
> GET /servers/{server_id}/zones/{zone_id}
>
> Anyone an idea what goes wrong here?
> Can I somehow enable debug of the api part of pdns?

It works fine for me, also on a 4.1.8 Auth configuration.
Could you paste your pdns.conf, as well as the output from the listing of all zones from the API? (just a single zone will be enough)
Please do not obfuscate it [1]

[1] https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

Cheers,

--
Nico
Re: [Pdns-users] Pdns 4.2 install and config issues
Hi Bryan,

On 03-May-2019 17:21 CEST, wrote:
> Is this the right list for reporting an issue? If there's a better place please let me know.
>
> I am on ubuntu 18, and running the mariadb/mysql backend. I've used the repos per the http://repo.powerdns.com/ setup.
>
> During the install there is no typical script to provision the database, this must be done manually. The 4.1 version has this working, and admittedly this may be the packager's issue.

Indeed.

> I've run into an issue with the slaves not working for AXFR, and then found superslave=yes must be set in the config new for 4.2. However, with this set the server will not start with the error below:
> Fatal error: Trying to set unknown parameter 'superslave'
>
> I couldn't figure this out, so have rolled back to 4.1. I'm willing to do some testing or provide some logs if needed.

you're right, "superslave" doesn't work today.
This will work with the final version of 4.2, and probably 4.0.2-rc2.
For 4.0.2-rc1, you need to use "supermaster"
We changed the setting name to make it easier/more obvious, but only realised it once -rc1 had been released.
So, the documentation [1] is correct for 4.0.2-rc2 and onward.
And this is also listed in the "Upgrade" notes [2].

[1] https://doc.powerdns.com/authoritative/settings.html#superslave
[2] https://doc.powerdns.com/authoritative/upgrading.html

Cheers,

--
Nico
Re: [Pdns-users] Authoritative Server API?
On 02-May-2019 20:57 CEST, wrote:
> On Thu, May 2, 2019 at 8:35 PM Ryan Finnesey wrote:
>
>> Is there a Swagger file for the Authoritative Server API? I did see that there is a lot of documentation at https://doc.powerdns.com/md/httpapi/README/#api-specification but I can't seem to find a Swagger file.
>
> The newer documentation [1] links the file in the GitHub repository [2].
> Is that what you were looking for?
>
> HTH
>
> [1]: https://doc.powerdns.com/authoritative/http-api/index.html#working-with-the-api
> [2]: https://raw.githubusercontent.com/PowerDNS/pdns/master/docs/http-api/swagger/authoritative-api-swagger.yaml

Yep, and that was also mentioned on the blog [1] when the first alpha1 of the Auth 4.2 was announced.

[1]: https://blog.powerdns.com/2018/12/14/powerdns-authoritative-server-4-2-0-alpha1-lua-records-ixfrdist-swagger/

--
Nico
Re: [Pdns-users] Rate-Limit for NXDOMAIN
Hi Markus,

On 26-Apr-2019 14:55 CEST, wrote:
> Hello together,
>
> since recently we use two powerDNS Authoritative Servers (v.4.1.8) for managing our own domains. Is it possible, to rate-limit dns lookups for non-existing Domains?
> Background: from time to time (several times a day), we get hundreds (or thousands) of requests to random, non-existing, subdomains for one domain, we are authoritative for. The root domain is the same in all requests. I don't understand the aim of these attacks, but want to limit it in some possible ways.

This looks like a mission for dnsdist (http://www.dnsdist.org)
Especially this section: https://dnsdist.org/guides/dynblocks.html#dynblockrulesgroup

Cheers,

--
Nico
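What the dynamic block rules linked above do, written out as a Python model (added example, not dnsdist code): a per-client sliding window over NXDOMAIN responses, a block when the average rate over the window is exceeded, and aggregation per prefix in the way dnsdist's setMasks() allows. The response records are constructed, not captured; the thresholds, client addresses and zone names are this example's own.

```python
"""Rate-based blocking of clients that trigger too many NXDOMAIN answers,
modelled on dnsdist's dynamic block rules (setRCodeRate on a
dynBlockRulesGroup). Added example, not dnsdist code; the response records
below are constructed, not a capture.
"""
import ipaddress
from collections import defaultdict, deque


class NxdomainRateBlocker:
    """Block a client once it has received more than rate * seconds NXDOMAIN
    answers within the last `seconds` seconds, for block_seconds. Clients are
    aggregated per prefix, so a scanner rotating source addresses inside a /24
    cannot stay under a per-address threshold when v4_prefix=24 is used."""

    def __init__(self, rate, seconds, block_seconds, v4_prefix=32, v6_prefix=64):
        self.rate, self.seconds, self.block_seconds = rate, seconds, block_seconds
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.windows = defaultdict(deque)   # network -> timestamps of recent NXDOMAINs
        self.blocked = {}                   # network -> (expiry, reason)

    def network(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network((client_ip, prefix), strict=False))

    def is_blocked(self, client_ip, now):
        key = self.network(client_ip)
        entry = self.blocked.get(key)
        if entry is None:
            return False
        if now >= entry[0]:                 # block expired
            del self.blocked[key]
            return False
        return True

    def observe(self, now, client_ip, rcode):
        """Feed one response. Returns 'dropped' when the client is already
        blocked (a proxy would not even forward its query), 'blocked' for the
        response that tips it over the threshold, else 'pass'."""
        if self.is_blocked(client_ip, now):
            return "dropped"
        if rcode != "NXDOMAIN":
            return "pass"
        key = self.network(client_ip)
        window = self.windows[key]
        window.append(now)
        while window and window[0] <= now - self.seconds:
            window.popleft()
        if len(window) > self.rate * self.seconds:
            reason = f"Exceeded NXDOMAIN rate: {len(window)} in {self.seconds}s"
            self.blocked[key] = (now + self.block_seconds, reason)
            window.clear()
            return "blocked"
        return "pass"


def constructed_log():
    """(timestamp, client, qname, rcode) records: one client walking random
    labels under a zone we serve, one ordinary client with two typos."""
    records = [(100.0 + i * 0.1, "203.0.113.7", f"x{i:02d}.example.org", "NXDOMAIN")
               for i in range(40)]
    records += [
        (100.5, "198.51.100.20", "www.example.org", "NOERROR"),
        (101.0, "198.51.100.20", "wwww.example.org", "NXDOMAIN"),
        (102.0, "198.51.100.20", "mail.example.org", "NOERROR"),
        (103.5, "198.51.100.20", "mial.example.org", "NXDOMAIN"),
    ]
    return sorted(records)


def run(rate=5, seconds=2, block_seconds=60):
    """Replay the log; return the blocker and per-client decision counts."""
    blocker = NxdomainRateBlocker(rate, seconds, block_seconds)
    counts = defaultdict(lambda: defaultdict(int))
    for ts, client, _qname, rcode in constructed_log():
        counts[client][blocker.observe(ts, client, rcode)] += 1
    return blocker, {c: dict(d) for c, d in counts.items()}


if __name__ == "__main__":
    blocker, counts = run()
    for client, decisions in counts.items():
        print(client, decisions)
    for net, (until, reason) in blocker.blocked.items():
        print(f"{net} blocked until t={until:.0f}: {reason}")
```

With a threshold of 5 NXDOMAIN per second over a 2-second window, the scanner's first ten answers pass, the eleventh triggers the block and the remaining 29 queries are dropped, while the ordinary client's two typos never come close. As in dnsdist, the block is applied to later queries; the response that triggered it has already gone out.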
Re: [Pdns-users] pdns forward nested recurse possible?
On 19-Apr-2019 12:10 CEST, wrote:
> That means the way to go is what I stated initially. That is using pdns-recursor to forward "known" domains to authoritative server. The rest will be forwarded with recursive to public dns, right?

Not "forwarded" (which has a special meaning in DNS), rather "sent" to the public DNS system (i.e. recursion to the Root servers, then (cc)TLD, ...)
But yes, correct.

Cheers,

--
Nico

> On Fri, Apr 19, 2019 at 5:48 PM Nico CARTRON wrote:
>
>> On 19-Apr-2019 11:44 CEST, wrote:
>>
>>> How do I do plain recursion with only pdns installed? AFAIK, the new version of pdns does not support recursor anymore. Or maybe I am missing something?
>>
>> I think you're confusing things :)
>>
>> You're probably referring to the fact that the Authoritative server does not provide recursion anymore - this is true.
>>
>> But in your case, the server doing the recursion would be the PowerDNS Recursor, which of course will always provide DNS Recursion, since that's its main goal in life ;)
>>
>> Cheers,
>>
>> --
>> Nico
>>
>>> On Fri, Apr 19, 2019 at 5:32 PM Nico CARTRON wrote:
>>>
>>>> Hi,
>>>>
>>>> On 19-Apr-2019 11:21 CEST, wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am just trying to have something simple.
>>>>
>>>> well, I do believe you are complicating something which should be simple ;)
>>>>
>>>>> When a client queries the pdns recursor server, it will first look at its authoritative pdns domains. If none of the domains being queried is in authoritative then it will shoot to public dns for recursive query.
>>>>>
>>>>> EG,
>>>>> dig onedomain.com @pdnsrecursor.server
>>>>>
>>>>> pdnsrecursor server will forward query to pdns authoritative if nothing comes back then forward to public dns.
>>>>>
>>>>> Does it make sense?
>>>>
>>>> As noted by Brian in another answer, why not just use forward-zones to point to the Auth the requests for the few domains you are responsible for, and for all the other zones, just use plain recursion, and not use Google Public DNS?
>>>>
>>>> Cheers,
>>>>
>>>> --
>>>> Nico
>>>>
>>>>> On Fri, Apr 19, 2019 at 5:04 PM Nico CARTRON wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> On 19-Apr-2019 10:48 CEST, wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Is it possible to use recursor to forward all queries to pdns authoritative server and if that query fails, it will forward all to public DNS such as 8.8.8.8?
>>>>>>>
>>>>>>> For example, in my pdns, I have created a domain called mydomain.com and yourdomain.moc.
>>>>>>>
>>>>>>> So instead of creating:
>>>>>>> forward-zones=mydomain=127.0.0.1:5300
>>>>>>> forward-zones+=yourdomain.moc=127.0.0.1:5300
>>>>>>> forward-zones-recurse=.=8.8.8.8
>>>>>>>
>>>>>>> I would like to create:
>>>>>>> forward-zones-recurse=.=127.0.0.1:5300
>>>>>>> forward-zones-recurse+=.=8.8.8.8
>>>>>>>
>>>>>>> However, tried second method and it does not work. Please advise.
>>>>>>
>>>>>> Could you explain with more details what you are trying to achieve?
>>>>>> Sending all the queries you're receiving from the Recursor to an Authoritative server won't work, as the Auth will only answer for the DNS zones it is Auth for.
>>>>>>
>>>>>> Google Public DNS is not an Authoritative service, but a recursive one.
>>>>>>
>>>>>> Also, forward-zones-recurse means you are sending requests to a recursive DNS server (https://doc.powerdns.com/recursor/settings.html#forward-zones-recurse), which your PDNS Authoritative is not - hence the fact that this second method doesn't work.
>>>>>>
>>>>>> Cheers,
Re: [Pdns-users] pdns forward nested recurse possible?
On 19-Apr-2019 11:44 CEST, wrote:
> How do I do plain recursion with only pdns installed? AFAIK, the new version of pdns does not support recursor anymore. Or maybe I am missing something?

I think you're confusing things :)

You're probably referring to the fact that the Authoritative server does not provide recursion anymore - this is true.

But in your case, the server doing the recursion would be the PowerDNS Recursor, which of course will always provide DNS Recursion, since that's its main goal in life ;)

Cheers,

--
Nico

> On Fri, Apr 19, 2019 at 5:32 PM Nico CARTRON wrote:
>
>> Hi,
>>
>> On 19-Apr-2019 11:21 CEST, wrote:
>>
>>> Hi,
>>>
>>> I am just trying to have something simple.
>>
>> well, I do believe you are complicating something which should be simple ;)
>>
>>> When a client queries the pdns recursor server, it will first look at its authoritative pdns domains. If none of the domains being queried is in authoritative then it will shoot to public dns for recursive query.
>>>
>>> EG,
>>> dig onedomain.com @pdnsrecursor.server
>>>
>>> pdnsrecursor server will forward query to pdns authoritative if nothing comes back then forward to public dns.
>>>
>>> Does it make sense?
>>
>> As noted by Brian in another answer, why not just use forward-zones to point to the Auth the requests for the few domains you are responsible for, and for all the other zones, just use plain recursion, and not use Google Public DNS?
>>
>> Cheers,
>>
>> --
>> Nico
>>
>>> On Fri, Apr 19, 2019 at 5:04 PM Nico CARTRON wrote:
>>>
>>>> Hello,
>>>>
>>>> On 19-Apr-2019 10:48 CEST, wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Is it possible to use recursor to forward all queries to pdns authoritative server and if that query fails, it will forward all to public DNS such as 8.8.8.8?
>>>>>
>>>>> For example, in my pdns, I have created a domain called mydomain.com and yourdomain.moc.
>>>>>
>>>>> So instead of creating:
>>>>> forward-zones=mydomain=127.0.0.1:5300
>>>>> forward-zones+=yourdomain.moc=127.0.0.1:5300
>>>>> forward-zones-recurse=.=8.8.8.8
>>>>>
>>>>> I would like to create:
>>>>> forward-zones-recurse=.=127.0.0.1:5300
>>>>> forward-zones-recurse+=.=8.8.8.8
>>>>>
>>>>> However, tried second method and it does not work. Please advise.
>>>>
>>>> Could you explain with more details what you are trying to achieve?
>>>> Sending all the queries you're receiving from the Recursor to an Authoritative server won't work, as the Auth will only answer for the DNS zones it is Auth for.
>>>>
>>>> Google Public DNS is not an Authoritative service, but a recursive one.
>>>>
>>>> Also, forward-zones-recurse means you are sending requests to a recursive DNS server (https://doc.powerdns.com/recursor/settings.html#forward-zones-recurse), which your PDNS Authoritative is not - hence the fact that this second method doesn't work.
>>>>
>>>> Cheers,
Re: [Pdns-users] pdns forward nested recurse possible?
Hi,

On 19-Apr-2019 11:21 CEST, wrote:

> Hi,
>
> I am just trying to have something simple.

well, I do believe you are complicating something which should be simple ;)

> When a client queries the pdns recursor server, it will first look at its
> authoritative pdns domains. If none of the domains being queried is in
> authoritative then it will shoot to public dns for recursive query.
>
> EG,
> dig onedomain.com @pdnsrecursor.server
>
> pdnsrecursor server will forward query to pdns authoritative if nothing
> comes back then forward to public dns.
>
> Does it make sense?

As noted by Brian in another answer, why not just use forward-zones to point
to the Auth the requests for the few domains you are responsible for, and for
all the other zones, just use plain recursion, and not use Google Public DNS?

Cheers,

--
Nico

> On Fri, Apr 19, 2019 at 5:04 PM Nico CARTRON wrote:
>
> > Hello,
> >
> > On 19-Apr-2019 10:48 CEST, wrote:
> >
> > > Hi,
> > >
> > > Is it possible to use recursor to forward all queries to pdns
> > > authoritative server and if that query fails, it will forward all to
> > > public DNS such as 8.8.8.8?
> > >
> > > For example, in my pdns, I have created a domain called mydomain.com and
> > > yourdomain.moc.
> > >
> > > So instead of creating:
> > > forward-zones=mydomain=127.0.0.1:5300
> > > forward-zones+=yourdomain.moc=127.0.0.1:5300
> > > forward-zones-recurse=.=8.8.8.8
> > >
> > > I would like to create:
> > > forward-zones-recurse=.=127.0.0.1:5300
> > > forward-zones-recurse+=.=8.8.8.8
> > >
> > > However, I tried the second method and it does not work. Please advise.
> >
> > Could you explain with more details what you are trying to achieve?
> > Sending all the queries you're receiving from the Recursor to an
> > Authoritative server won't work, as the Auth will only answer for the DNS
> > zones it is Auth for.
> >
> > Google Public DNS is not an Authoritative service, but a recursive one.
> >
> > Also, forward-zones-recurse means you are sending requests to a recursive
> > DNS server
> > (https://doc.powerdns.com/recursor/settings.html#forward-zones-recurse),
> > which your PDNS Authoritative is not - hence the fact that this second
> > method doesn't work.
> >
> > Cheers,
> >
> > --
Re: [Pdns-users] pdns forward nested recurse possible?
Hello,

On 19-Apr-2019 10:48 CEST, wrote:

> Hi,
>
> Is it possible to use recursor to forward all queries to pdns authoritative
> server and if that query fails, it will forward all to public DNS such as
> 8.8.8.8?
>
> For example, in my pdns, I have created a domain called mydomain.com and
> yourdomain.moc.
>
> So instead of creating:
> forward-zones=mydomain=127.0.0.1:5300
> forward-zones+=yourdomain.moc=127.0.0.1:5300
> forward-zones-recurse=.=8.8.8.8
>
> I would like to create:
> forward-zones-recurse=.=127.0.0.1:5300
> forward-zones-recurse+=.=8.8.8.8
>
> However, I tried the second method and it does not work. Please advise.

Could you explain with more details what you are trying to achieve?
Sending all the queries you're receiving from the Recursor to an Authoritative
server won't work, as the Auth will only answer for the DNS zones it is Auth
for.

Google Public DNS is not an Authoritative service, but a recursive one.

Also, forward-zones-recurse means you are sending requests to a recursive DNS
server (https://doc.powerdns.com/recursor/settings.html#forward-zones-recurse),
which your PDNS Authoritative is not - hence the fact that this second method
doesn't work.

Cheers,

--
Nico
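The point Nico makes in this thread (an Authoritative server is not a recursive one, so a forward-zones-recurse entry pointing at it cannot work) can be checked mechanically from the wire: a server that offers recursion sets the RA flag in its responses, while an Authoritative asked about a zone it does not serve answers with RA clear (typically REFUSED). The following script is an added example, not part of the thread or of PowerDNS itself. It parses the forward-zones / forward-zones-recurse lines of a recursor.conf (including the += append form used in the thread), probes each forwarder with one UDP query, and flags forward-zones-recurse targets that do not set RA. The DNS responses used in the stand-alone run are constructed byte strings standing in for the two servers in the thread; the zone name mydomain.com (the poster wrote mydomain) and the default probe name example.com. are assumptions; probe() assumes IPv4 targets.

```python
"""Check a PowerDNS Recursor forward-zones configuration against what the
forwarders actually are: forward-zones-recurse targets must offer recursion
(RA flag set in their responses), which a PowerDNS Authoritative does not."""
import socket
import struct


def parse_forward_zones(conf_text):
    """Return [(zone, target, recurse)] from forward-zones and
    forward-zones-recurse lines, including the '+=' append form."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().rstrip("+")
        if key not in ("forward-zones", "forward-zones-recurse"):
            continue
        recurse = key == "forward-zones-recurse"
        for item in value.split(","):          # zones are comma separated
            zone, _, servers = item.strip().partition("=")
            for server in servers.split(";"):  # several servers for one zone use ';'
                if server.strip():
                    entries.append((zone.strip(), server.strip(), recurse))
    return entries


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query (RD set, class IN) for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label for label in qname.rstrip(".").split(".") if label]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def classify_response(resp):
    """Read the header flags of a DNS response: AA (authoritative answer),
    RA (recursion available) and the response code."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", resp[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return {"aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080), "rcode": flags & 0x000F}


def probe(target, qname="example.com.", timeout=2.0):
    """Send one UDP query to target ('ip' or 'ip:port', IPv4 assumed) and
    classify the answer; this is the only function that touches the network."""
    host, _, port = target.partition(":")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (host, int(port or 53)))
        return classify_response(sock.recv(512))


def check_forwarders(conf_text, probe_fn=probe):
    """One problem string per forward-zones-recurse target whose response
    lacks RA: such a server will not recurse on the recursor's behalf."""
    problems = []
    for zone, target, recurse in parse_forward_zones(conf_text):
        info = probe_fn(target)
        if recurse and not info["ra"]:
            problems.append(f"{zone} -> {target}: forward-zones-recurse, but the server "
                            f"does not offer recursion (RA clear, rcode {info['rcode']})")
    return problems


# Constructed responses standing in for the two servers in the thread: an
# Authoritative that does not serve the queried name answers REFUSED (rcode 5)
# with RA clear; a public resolver answers NOERROR with RA set.
AUTH_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
RESOLVER_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
FAKE_SERVERS = {"127.0.0.1:5300": AUTH_REFUSED, "8.8.8.8": RESOLVER_OK}


def fake_probe(target):
    """Offline stand-in for probe() using the constructed responses above."""
    return classify_response(FAKE_SERVERS[target])


# The two configurations discussed in the thread.
BROKEN_CONF = """\
forward-zones-recurse=.=127.0.0.1:5300
forward-zones-recurse+=.=8.8.8.8
"""
WORKING_CONF = """\
forward-zones=mydomain.com=127.0.0.1:5300
forward-zones+=yourdomain.moc=127.0.0.1:5300
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("working", WORKING_CONF)):
        print(name, check_forwarders(conf, fake_probe) or "no problems")
```

With WORKING_CONF there is no forward-zones-recurse entry for "." at all, which is exactly the plain-recursion setup Nico recommends: the Recursor forwards only the two zones the Authoritative serves and resolves everything else itself. To run it against real servers, call check_forwarders(conf_text) without the fake probe.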
Re: [Pdns-users] PDNS/BIND Configuration
Hi Tshepo,

(please reply to the list, not only myself, as having the history is useful
e.g. for archives, but also as other people can then answer).

your configuration is kind of weird, as you have your PDNS Auth sending
notifies to the master - unless you want to use DNS updates to PDNS, and send
them back to Bind? I don't think that's the case, given what you said earlier.

What would be interesting as well, would be to have logs for both Bind and
PDNS roughly at the same time, when Bind tries to notify PDNS.

Comments in-line below for the rest.

Cheers,
Nico

On 18-Feb-2019 07:17 CET, wrote:

> Hi Nico
>
> That would not be a problem, please see the below for pdns(slave) & bind
> (master)
>
> PDNS CONF:
>
> allow-axfr-ips=10.200.1.12
> allow-dnsupdate-from=10.200.1.12

not sure this is needed, since you're already doing XFR from this Bind server.

> allow-notify-from=10.200.1.12
> allow-unsigned-notify=yes
> allow-unsigned-supermaster=yes
> also-notify=10.200.1.12

see my remark above - do you really want your PDNS server to notify your Bind?

> api=yes
> api-key=changeme
> config-dir=/etc/pdns
> disable-axfr=no
> disable-tcp=yes
> distributor-threads=10
> dnsupdate=yes
> forward-dnsupdate=yes
> forward-notify=10.200.1.12

same remark as above.

> local-address=0.0.0.0

Please see https://doc.powerdns.com/authoritative/settings.html#local-address
it is advised to bind to specific IP addresses - in your case, 10.200.1.12

> local-port=53
> log-dns-details=yes
> log-dns-queries=yes
> log-timestamp=yes
> logging-facility=0
> loglevel=5
> master=yes

Not sure you need that, since your PDNS will be slave.

> module-dir=/usr/lib64/pdns
> non-local-bind=yes
> only-notify=10.1.200.12/23,::/0

same remark as above re notifies, and also the IP address is wrong.

> query-cache-ttl=60
> query-local-address=10.1.200.13

The IP address is wrong - I guess this should be 10.200.1.13?

> query-logging=yes
> security-poll-suffix=secpoll.powerdns.com.
> setgid=pdns
> setuid=pdns
> slave=yes
> version-string=full
> webserver=bserver-address=10.200.1.13
> webserver-allow-from=0.0.0.0/0,::/0
> webserver-port=8081
>
> launch=gmysql
> gmysql-host=10.200.1.11
> gmysql-port=3306
> gmysql-user=ns1
> gmysql-dbname=pdns_vox
> gmysql-password=ohplease
>
>
> BIND CONF:
>
> options {
>   listen-on port 53 { 127.0.0.1;10.200.1.13;any;};
>   // listen-on-v6 port 53 { ::1; };
>   directory "/var/named";
>   dump-file "/var/named/data/cache_dump.db";
>   statistics-file "/var/named/data/named_stats.txt";
>   memstatistics-file "/var/named/data/named_mem_stats.txt";
>   recursing-file "/var/named/data/named.recursing";
>   secroots-file "/var/named/data/named.secroots";
>   allow-query {localhost;10.200.1.12;10.200.1.13;};
>   allow-update-forwarding {10.200.1.13;};
> };
>
> */
>   recursion no;
>
>   dnssec-enable no;
>   dnssec-validation no;
>
>   /* Path to ISC DLV key */
>   bindkeys-file "/etc/named.iscdlv.key";
>
>   managed-keys-directory "/var/named/dynamic";
>
>   pid-file "/run/named/named.pid";
>   session-keyfile "/run/named/session.key";
> };
>
>
> logging {
>   channel default_debug {
>     file "data/named.run";
>     severity dynamic;
>   };
> };
>
> zone "." IN {
>   type hint;
>   file "named.ca";
> };
>
> zone "test123.co.za" IN {
>   type master;
>   file "named.bind-master.zones";
>   also-notify {10.200.1.13;};

if your PDNS is slave, it should be listed as NS in your zone, and therefore
you wouldn't need this also-notify statement.

>   allow-transfer {10.200.1.13;};
> };
>
> zone "www.voxcloud.co.za" IN {
>   type master;
>   file "named.bind-rec.zones";
>   also-notify {10.200.1.13;};

same remark as for the test123.co.za zone.

>   allow-transfer {10.200.1.13;};
> };
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
>
>
> ZONE FILE FOR BIND:
>
> $TTL3600
> @ IN SOA test123.co.za. tshepo.msimango.voxtelecom.co.za. (
>
> 2019020714 ; Serial
> 3600 ;
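Most of Nico's remarks above are things a small linter can catch before a config goes live: a wildcard local-address, addresses that do not belong to the subnet the servers actually live in (the 10.1.200.x versus 10.200.1.x typos), and master/notify settings on a server that is meant to be a pure secondary. The script below is an added example written for this thread, not part of PowerDNS or of the original post. It reads a pdns.conf in the key=value form shown above, normalises every address-valued setting to a network, and reports each finding as (setting, value, message). The sample configuration and the expected subnet 10.200.1.0/24 are constructed from the values in the thread; the list of address-valued settings is limited to the ones the post uses.

```python
"""Lint a PowerDNS Authoritative pdns.conf for the issues raised in the
thread: wildcard local-address, addresses outside the expected subnet, and
master/notify settings on a server configured as a secondary (slave=yes)."""
import ipaddress

# Address-valued settings that appear in the posted configuration.
IP_SETTINGS = ("allow-axfr-ips", "allow-dnsupdate-from", "allow-notify-from",
               "also-notify", "forward-notify", "local-address", "only-notify",
               "query-local-address", "webserver-address")
NOTIFY_SETTINGS = ("also-notify", "forward-notify", "only-notify")


def parse_conf(text):
    """Parse key=value lines into {key: [values...]}; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf.setdefault(key, []).append(value)
    return conf


def to_network(item):
    """Normalise '10.0.0.1', '10.0.0.1:5300', '10.0.0.0/24' or '::/0' to an
    ip_network; bare hosts become /32 or /128. Only IPv4:port is handled."""
    if "/" not in item and item.count(":") == 1:
        item = item.split(":")[0]
    return ipaddress.ip_network(item, strict=False)


def lint(text, expected_net):
    """Return a list of (setting, value, message) findings."""
    net = ipaddress.ip_network(expected_net)
    conf = parse_conf(text)
    findings = []
    for key in IP_SETTINGS:
        for value in conf.get(key, []):
            for item in filter(None, (v.strip() for v in value.split(","))):
                network = to_network(item)
                if key == "local-address" and network.network_address.is_unspecified:
                    findings.append((key, item, "binds every interface; list the "
                                     "server's own addresses instead"))
                elif network.version != net.version or not network.subnet_of(net):
                    findings.append((key, item, f"outside expected network {net}; "
                                     "typo or unintended peer?"))
    # Settings that only make sense on a primary, flagged when slave=yes.
    if conf.get("slave", ["no"])[-1] == "yes":
        if conf.get("master", ["no"])[-1] == "yes":
            findings.append(("master", "yes", "master=yes on a secondary-only server "
                             "is probably unnecessary"))
        for key in NOTIFY_SETTINGS:
            for value in conf.get(key, []):
                findings.append((key, value, "a secondary sending notifies is unusual; "
                                 "confirm this is intended"))
    return findings


# Constructed sample, modelled on the pdns.conf posted in the thread.
SAMPLE_CONF = """\
allow-axfr-ips=10.200.1.12
allow-notify-from=10.200.1.12
also-notify=10.200.1.12
forward-notify=10.200.1.12
local-address=0.0.0.0
master=yes
only-notify=10.1.200.12/23,::/0
query-local-address=10.1.200.13
slave=yes
webserver-address=10.200.1.13
"""

if __name__ == "__main__":
    for setting, value, message in lint(SAMPLE_CONF, "10.200.1.0/24"):
        print(f"{setting}={value}: {message}")
```

Run against the sample it reports the wildcard bind, both only-notify entries and query-local-address as outside 10.200.1.0/24, master=yes, and the three notify settings on a secondary; a configuration with local-address=10.200.1.13, query-local-address=10.200.1.13 and no master/notify settings comes back clean.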
Re: [Pdns-users] max-negative-ttl does not work
On 09-Jan-2019 12:00 CET, wrote:

> On 09/01/2019 10:51, Stefan Priebe - Profihost AG wrote:
> > Real test is / was:
> > mydomain.multi.uribl.rblserver.de-nserver.de
>
> I see a SERVFAIL here, not an NXDOMAIN. Do you get the same?
>
> $ dig mydomain.multi.uribl.rblserver.de-nserver.de
>
> ; <<>> DiG 9.10.6 <<>> mydomain.multi.uribl.rblserver.de-nserver.de
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20062
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> With dig +trace it stops here:
>
> ...
>
> uribl.rblserver.de-nserver.de. 3600 IN NS rblserver.de-nserver.de.
> ;; Received 87 bytes from 91.151.23.20#53(ns2.de-nserver.de) in 9 ms
>
> ;; connection timed out; no servers could be reached

Yep, same here, I also see a SERVFAIL.

--
Nico
Re: [Pdns-users] max-negative-ttl does not work
On 09-Jan-2019 10:46 CET, wrote:

> Hi,
>
> Am 09.01.19 um 09:53 schrieb Nico CARTRON:
> > On 09-Jan-2019 09:39 CET, wrote:
> >
> >> Hi Nico,
> >>
> >> Am 09.01.19 um 09:33 schrieb Nico CARTRON:
> >>> Hi Stefan,
> >>>
> >>> On 09-Jan-2019 09:19 CET, wrote:
> >>>
> >>>> Dear List,
> >>>>
> >>>> I'm trying to get max-negative-ttl to work but I can't.
> >>>>
> >>>> # dpkg -s pdns-recursor | grep Version
> >>>> Version: 4.1.8-1pdns.stretch
> >>>>
> >>>> # grep max-negative-ttl /etc/powerdns/recursor.conf
> >>>> max-negative-ttl=30
> >>>>
> >>>> # dig -t A unknowndomainxyz.multi.hiddendomain.de
> >>>> ...
> >>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26437
> >>>> ...
> >>>>
> >>>> dumped cache:
> >>>>
> >>>> # grep "unknowndomainxyz.multi.hiddendomain.de" /cachefile
> >>>> unknowndomainxyz.multi.hiddendomain.de. 3588 A ; tag 0
> >>>>
> >>>> Why is the TTL 3588 when max-negative-ttl is set to 30?
> >>>
> >>> Just did a quick check on one of my Recursors, version 4.1.8 running on
> >>> FreeBSD, and max-negative-ttl works as expected (i.e. if I set it to 30
> >>> seconds, I correctly get this back, should it be with a dig or when
> >>> dumping the cache).
> >>>
> >>> Did you forget to restart the recursor after having changed the value in
> >>> the recursor.conf? Cause the 3600 value is the default one.
> >>
> >> No it was def. restarted after changing the config.
> >>
> >> See below:
> >> # rec_control get-parameter max-negative-ttl
> >> max-negative-ttl="30"
> >>
> >> Greets,
> >> Stefan
> >>
> >
> > So I did the test on a Debian Stretch, with the same version as you:
> >
> > root@vm-pdns1-lab:/etc/powerdns# dpkg -s pdns-recursor |grep Version
> > Version: 4.1.8-1pdns.stretch
> >
> > and I also got it working.
> >
> > Do you mind sharing your entire recursor.conf configuration file?
>
> I can provide it - just an idea. I'm talking about a subdomain which
> is missing / NXDOMAIN - the domain itself exists with a TTL of 3600.

Please share it :)

Also, please share the domain name you are testing with, not
"hiddendomain.de" - see
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

> Did you test a subdomain, where the real domain exists?

Yes, the domain I tested with exists indeed.

--
Nico
Re: [Pdns-users] max-negative-ttl does not work
On 09-Jan-2019 09:39 CET, wrote:

> Hi Nico,
>
> Am 09.01.19 um 09:33 schrieb Nico CARTRON:
> > Hi Stefan,
> >
> > On 09-Jan-2019 09:19 CET, wrote:
> >
> >> Dear List,
> >>
> >> I'm trying to get max-negative-ttl to work but I can't.
> >>
> >> # dpkg -s pdns-recursor | grep Version
> >> Version: 4.1.8-1pdns.stretch
> >>
> >> # grep max-negative-ttl /etc/powerdns/recursor.conf
> >> max-negative-ttl=30
> >>
> >> # dig -t A unknowndomainxyz.multi.hiddendomain.de
> >> ...
> >> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26437
> >> ...
> >>
> >> dumped cache:
> >>
> >> # grep "unknowndomainxyz.multi.hiddendomain.de" /cachefile
> >> unknowndomainxyz.multi.hiddendomain.de. 3588 A ; tag 0
> >>
> >> Why is the TTL 3588 when max-negative-ttl is set to 30?
> >
> > Just did a quick check on one of my Recursors, version 4.1.8 running on
> > FreeBSD, and max-negative-ttl works as expected (i.e. if I set it to 30
> > seconds, I correctly get this back, should it be with a dig or when
> > dumping the cache).
> >
> > Did you forget to restart the recursor after having changed the value in
> > the recursor.conf? Cause the 3600 value is the default one.
>
> No it was def. restarted after changing the config.
>
> See below:
> # rec_control get-parameter max-negative-ttl
> max-negative-ttl="30"
>
> Greets,
> Stefan
>

So I did the test on a Debian Stretch, with the same version as you:

root@vm-pdns1-lab:/etc/powerdns# dpkg -s pdns-recursor |grep Version
Version: 4.1.8-1pdns.stretch

and I also got it working.

Do you mind sharing your entire recursor.conf configuration file?

--
Nico
Re: [Pdns-users] max-negative-ttl does not work
Hi Stefan,

On 09-Jan-2019 09:19 CET, wrote:

> Dear List,
>
> I'm trying to get max-negative-ttl to work but I can't.
>
> # dpkg -s pdns-recursor | grep Version
> Version: 4.1.8-1pdns.stretch
>
> # grep max-negative-ttl /etc/powerdns/recursor.conf
> max-negative-ttl=30
>
> # dig -t A unknowndomainxyz.multi.hiddendomain.de
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26437
> ...
>
> dumped cache:
>
> # grep "unknowndomainxyz.multi.hiddendomain.de" /cachefile
> unknowndomainxyz.multi.hiddendomain.de. 3588 A ; tag 0
>
> Why is the TTL 3588 when max-negative-ttl is set to 30?

Just did a quick check on one of my Recursors, version 4.1.8 running on
FreeBSD, and max-negative-ttl works as expected (i.e. if I set it to 30
seconds, I correctly get this back, should it be with a dig or when dumping
the cache).

Did you forget to restart the recursor after having changed the value in the
recursor.conf? Cause the 3600 value is the default one.

Cheers,

--
Nico
Re: [Pdns-users] pdnsutil increase-serial not working for mysql with autoserial
Hi,

Somebody pointed out that you're missing some fields in your SOA records.
Please correct it using what has been suggested and try again.

--
Nico

> On 7 Nov 2018, at 21:40, MRob wrote:
>
> in fact after reboot looks like old serial is lost for all domains.
>
> why is change_date not kept up to date? all domains have it to be NULL, I
> think it's where the serial is derived from when using autoserial
>
>
>> On 2018-11-07 20:18, MRob wrote:
>> Please some help for this? Looks like pdnsutil increase-serial not
>> made to work for mysql backend with autoserial, so how to
>> programmatically request increase serial?
>>> pdnsutil increase-serial example.org
>> Error: Parsing record content (try 'pdnsutil check-zone'): missing
>> field at the end of record content 'ns.example.org cont...@example.org
>> 0'
>>> pdnsutil check-zone example.org
>> Checked 21 records of 'example.org', 0 errors, 0 warnings.
>
> Related, where is serial stored in auto-serial case? I find
> "change_date" field NULL on all records and "notified_serial" NULL on
> this domain (but it's 0 on the other domains, not sure why). In this
> situation what happens if server reboot, SOA has to be reclaimed from
> somewhere??
>
>> As far as I know this can be found in the table "records", column
>> "content", for every entry of the type "SOA". It corresponds to the
>> provided serial number you get with "dig SOA" (if no DNSSEC is active).
>
>>> Well for auto-serial you must set that value as 0 so my question being
>>> where the serial is kept in this special case and carried across reboot
>>> situation.
Re: [Pdns-users] Increment SOA programmatically?
Hi MRob,

On 05-nov-2018 17:34 CET, wrote:

> On 2018-11-05 10:57, Torsten Hantzsche wrote:
> > On Sun, 4 Nov 2018, MRob wrote:
> >
> > > I use mysql backend and SOA serial set to 0 in database for
> > > auto-serial features. But sometime come occasion we must update one
> > > record in database directly, not using DNSUPDATE. In this case how
> > > to tell pdns please update SOA serial? I can't find pdns_control,
> > > pdnsutil command for this.
> >
> > Hi,
> >
> > if you execute pdnsutil w/o any options it lists all available commands.
> > There you can find:
> >
> > "increase-serial ZONE    Increases the SOA-serial by 1. Uses SOA-EDIT"
>
> oh Thanks! The manpage is out of date :)
> still, it didn't work with auto-serial configuration:
>
> > pdnsutil increase-serial example.org
> Error: Parsing record content (try 'pdnsutil check-zone'): missing field at
> the end of record content 'ns.example.org cont...@example.org 0'

could you paste the content of the SOA record for this zone?

> > pdnsutil check-zone example.org
> Checked 21 records of 'example.org', 0 errors, 0 warnings.
>
> > > Related, where is serial stored in auto-serial case? I find
> > > "change_date" field NULL on all records and "notified_serial" NULL on
> > > this domain (but it's 0 on the other domains, not sure why). In this
> > > situation what happens if server reboot, SOA has to be reclaimed from
> > > somewhere??
> >
> > As far as I know this can be found in the table "records", column
> > "content", for every entry of the type "SOA". It corresponds to the
> > provided serial number you get with "dig SOA" (if no DNSSEC is active).
>
> Well for auto-serial you must set that value as 0 so my question being where
> the serial is kept in this special case and carried across reboot situation.

--
Nico
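The "missing field at the end of record content" error in both posts above comes from an SOA record whose content column holds only the primary name server, the responsible mailbox and the serial: SOA rdata has seven fields (mname, rname, serial, refresh, retry, expire, minimum), and pdnsutil has to parse all of them before it can increase the serial. The script below is an added example for this thread, not part of PowerDNS: it validates the content string of each SOA row the way a reviewer would before running increase-serial, treats a serial of 0 as a warning rather than an error (that is the autoserial convention the thread relies on), and can append missing timers. The sample rows, the hostmaster.example.org mailbox and the default timer values in repair_soa() are constructed for illustration and are not project defaults.

```python
"""Validate the SOA rdata stored in the gmysql backend's records.content
column, which is what 'pdnsutil increase-serial' has to parse. Missing
timers produce the thread's 'missing field at the end of record content'
error; a serial of 0 is legitimate when autoserial generates the serial."""
import re

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
MAX_U32 = 2**32 - 1                      # serial and timers are unsigned 32-bit
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_.-]+\.?$")


def check_soa_content(content):
    """Return {'ok', 'fields', 'errors', 'warnings'} for one SOA content string."""
    parts = content.split()
    errors, warnings = [], []
    fields = dict(zip(SOA_FIELDS, parts))
    if len(parts) < len(SOA_FIELDS):
        missing = SOA_FIELDS[len(parts):]
        errors.append("missing field(s) at the end of record content: " + ", ".join(missing))
    elif len(parts) > len(SOA_FIELDS):
        errors.append(f"{len(parts) - len(SOA_FIELDS)} unexpected trailing field(s)")
    for name in ("mname", "rname"):
        value = fields.get(name)
        if value is not None and not HOSTNAME_RE.match(value):
            if name == "rname" and "@" in value:
                # RFC 1035 writes the mailbox as a domain name ('.' for '@').
                warnings.append("rname is written with '@'; the DNS form uses '.' instead")
            else:
                errors.append(f"{name} {value!r} is not a valid domain name")
    for name in SOA_FIELDS[2:]:
        value = fields.get(name)
        if value is not None and (not value.isdigit() or int(value) > MAX_U32):
            errors.append(f"{name} {value!r} is not an unsigned 32-bit integer")
    if fields.get("serial") == "0":
        warnings.append("serial is 0: relies on the backend's autoserial feature")
    return {"ok": not errors, "fields": fields, "errors": errors, "warnings": warnings}


def repair_soa(content, refresh=10800, retry=3600, expire=604800, minimum=3600):
    """Append any missing timer fields, keeping mname, rname and serial as
    stored. The timer defaults are illustrative assumptions, not PowerDNS's."""
    parts = content.split()
    if len(parts) < 3:
        raise ValueError("need at least mname, rname and serial to repair")
    defaults = [str(refresh), str(retry), str(expire), str(minimum)]
    return " ".join(parts[:7] + defaults[len(parts) - 3:])


def find_broken_soa(rows):
    """Given (zone, content) pairs, e.g. from
    SELECT name, content FROM records WHERE type = 'SOA',
    return the zones whose SOA content pdnsutil would refuse to parse."""
    broken = []
    for name, content in rows:
        result = check_soa_content(content)
        if not result["ok"]:
            broken.append((name, result["errors"]))
    return broken


# Constructed sample rows; the first has the shape of the thread's failing record.
SAMPLE_ROWS = [
    ("example.org", "ns.example.org hostmaster.example.org 0"),
    ("example.net", "ns.example.net hostmaster.example.net 2018110701 10800 3600 604800 3600"),
]

if __name__ == "__main__":
    for zone, errors in find_broken_soa(SAMPLE_ROWS):
        print(zone, "->", "; ".join(errors))
    print("repaired:", repair_soa(SAMPLE_ROWS[0][1]))
```

The repaired content keeps the serial at 0, so the autoserial behaviour discussed in the thread is unchanged; only the four timers pdnsutil was missing are supplied, and they should be replaced with the values the zone actually wants before the row is written back.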
Re: [Pdns-users] irregular version string - {packages from Repo}?
Hi Chris,

> On 14 Aug 2018, at 23:03, Chris Ernst wrote:
>
> Dear all
>
> recently I downloaded the Debian 9 packages from http://repo.powerdns.com
>
> Specifically I use:
> "PowerDNS Authoritative Server - master branch"
> to further document this, I executed the following two commands:
>
> # dpkg -l | grep power
> ii pdns-server 0.0.2400g4c928be-1pdns.stretch amd64
>
> # pdns_server --version
> Aug 14 20:45:46 PowerDNS Authoritative Server 0.0.2400g4c928be (C) 2001-2018
> PowerDNS.COM BV
>
> what makes me wonder is the Version-String.
> Is 0.0.2400g4c928be correct? Shouldn't it be 4.1.3 or alike?
>
> This version string causes explicit problems in interaction with nsedit
> (https://github.com/tuxis-ie/nsedit). nsedit checks the version number and
> expects a 4.
>
> any comments are highly appreciated.
> best regards
> Chris

From the Repo web page:

“ master — GitHub master branch. Useful for testing, expect breakage. ”

You should use the 41 repository.

Nico.
Re: [Pdns-users] SOA record not resolved for my domains
Hi Hamed,

> On 26 Apr 2018, at 06:34, Hamed Haghshenas wrote:
>
> Hi,
>
> I configure PowerDNS with the configuration below:
> setuid=pdns
> setgid=pdns
> launch=gmysql,geoip
> gmysql-host=localhost
> gmysql-user=powerdns
> gmysql-password=Hamed@2013
> gmysql-dbname=powerdns
> geoip-database-files=/usr/share/GeoIP/GeoIP.dat
> geoip-zones-file=/etc/pdns/GeoIP/geo.yaml
> edns-subnet-processing=yes
> log-dns-queries=yes
> loglevel=9
> udp-truncation-threshold=4096
> server-id=ns1.example.com
>
> my zone file for my website is like below where MY IP is (W.X.Y.Z):
> $ORIGIN .
> mail.example.com 300 IN A W.X.Y.Z
> ns1.example.com 300 IN A W.X.Y.Z
> ns2.example.com 300 IN A W.X.Y.Z
> example.com 300 IN A W.X.Y.Z
> example.com 300 IN MX 10 mail.example.com.
> example.com 300 IN NS ns1.example.com.
> example.com 300 IN NS ns2.example.com.
> example.com 300 IN SOA ns1.example.com hostmaster.example.com 2018041910 28800 3600 3600 3600
> www.example.com 300 IN CNAME example.com.
>
> but when I try to look up the SOA record, nothing is resolved!
>
> dig example.com @8.8.8.8 SOA
> ;; QUESTION SECTION:
> ; example.com. IN SOA
>
> I appreciate it if you let me know how to make changes to fix this problem
> (resolve SOA record).
>

Is example.com the zone you’re using? Or did you replace it in the above
output?

If the former then you are not authoritative for it and that’s why Google
public DNS won’t answer with what you configured.

If the latter please give us your domain name as well as your Authoritative IP
addresses, otherwise it’s near to impossible to help you.

Cheers,

--
Nico
Re: [Pdns-users] SRV records do not transfer correctly
Hi NoBloat,

On 04/03/2017 17:03, NoBloat wrote:

> I'm not sure if this will show up so I'll post both the inline and the url
> of the images I've taken.
>
> First, I created the SIP SRV records on the master. There are 9 SRV records.
>
> http://i64.tinypic.com/2r21xy0.png
>
> Each time I update the slave, this is what I get.
>
> http://i67.tinypic.com/2vnq32s.png
>
> As you can see in the second image, the SRV records are showing up but there
> are some weird ones that show up also.
>
> So far, I've not had much luck with SRV and especially NAPTR records.

Why did you create another thread? Please just answer to your initial email,
it makes things confusing and impossible to follow up.

Also, Bert has explained that it's worthless obfuscating the domain name, we
cannot help.

Furthermore, posting on-line pictures (i.e. we have to open a web browser to
see them) rather than the result of commands is not helpful either...

So please give us the relevant information (e.g. domain name, IP addresses of
your PowerDNS servers), in the same email (hit the "Reply" button of your
email client) and without on-line pictures.

Cheers,

--
Nico
Re: [Pdns-users] pdns_recursors trusts addtional section where it better shouldn't
On 17/02/2017 10:58, bert hubert wrote:

> On Fri, Feb 17, 2017 at 10:49:08AM +0100, Thomas Mieslinger wrote:
> > ovh changed its MX A records and now my employer's Mail relays can't send
> > email to ovh.
>
> Have you attempted to talk to OVH about their misconfiguration?
>
> I ask this because the DNS Resolver community keeps getting asked to solve
> problems which are not ours. But it is easier to ask us to change.
>
> We (BIND, Unbound) keep running into broken F5 configurations for example,
> and yes, we can fix those with some special casing. But people always ask us
> because we are easier to talk to than the operators of the F5 machines.
>
> And so the code in resolvers becomes ever more a set of exceptions and
> workarounds. And please know, every workaround breaks something else.
>
> So please ask OVH to fix their stuff.

Agreed, they usually are very responsive, either by email or Twitter.

--
Nico
Re: [Pdns-users] Powerdns 3.4.10-1 domainmetadata ALSO-NOTIFY not working
On 20 December 2016 02:45:49 CET, Paul Travers wrote:

> Ah ha! That's probably my issue, I will reply back if that doesn't fix
> it!

You should actually also reply back if that fixes the issue, so that people
searching the list archive can find the information when needed :)

--
Nico

> On Dec 19, 2016 8:25 PM, "Christian Hofstädtler | Deduktiva" <
> christian.hofstaedt...@deduktiva.com> wrote:
>
>> > On 20 Dec 2016, at 00:29, Paul Travers wrote:
>> >
>> > I have the following entries in my domainmetadata table:
>> >
>> > mysql> select * from domainmetadata where domain_id = 3;
>> > +----+-----------+-----------------+----------+-----------------+
>> > | id | domain_id | kind            | content  | date_modified   |
>> > +----+-----------+-----------------+----------+-----------------+
>> > | 27 | 3         | ALSO-NOTIFY     | 2.2.2.2  | -00-00 00:00:00 |
>> > | 28 | 3         | ALSO-NOTIFY     | 1.1.1.1  | -00-00 00:00:00 |
>> > | 14 | 3         | TSIG-ALLOW-AXFR | tsig-key | -00-00 00:00:00 |
>> > +----+-----------+-----------------+----------+-----------------+
>> > 3 rows in set (0.00 sec)
>> >
>> > Whenever the powerdns server receives a notification from the master ...
>>
>> Sounds like you need slave-renotify=yes in your config; do you have that?
>> By default this is off.
>>
>> --
>> Christian Hofstaedtler / Deduktiva GmbH (FN 418592 b, HG Wien)
>> www.deduktiva.com / +43 1 353 1707