[Pdns-users] CNAME to other nameserver, what should a recursor do?
Hi,

I'm having problems reaching webmail.deictvereniging.nl when using pdns-recursor 3.3-1 and 3.3.1.

My pdns-recursor 3.3-1 says:

    dig +short webmail.deictvereniging.nl @.
    webmail.prioserve.net.

My pdns-recursor 3.3.1 also says:

    dig +short webmail.deictvereniging.nl @.
    webmail.prioserve.net.

I'm NOT having problems reaching webmail.deictvereniging.nl when using unbound 1.4.5 and pdns-recursor 3.1.7.2.

My unbound 1.4.5 recursor says:

    dig +short webmail.deictvereniging.nl @.
    webmail.prioserve.net.
    91.216.113.22

My pdns-recursor 3.1.7.2 also says:

    dig +short webmail.deictvereniging.nl @.
    webmail.prioserve.net.
    91.216.113.22

(well, it omits the IP address the first time around, but if I ask again it provides the IP address)

Config stays the same: the config from the package 3.3-1, with the 'allow-from-file' and 'local-address' settings adjusted to my situation, nothing else changed.

What is the recursor supposed to do? And is it possible to make 3.3.1 and 3.3-1 exhibit the 3.1.7.2 and unbound 1.4.5 behaviour?

Here are some tcpdumps to show that 3.1.7.2 does some extra work on my query and 3.3.1 doesn't (these are examples, I tried often):

If I tcpdump 3.1.7.2 (dig +short webmail.deictvereniging.nl @. twice) (X.X.X.X = client-pc, Y.Y.Y.Y = recursor):

    14:00:09.051223 IP X.X.X.X.12764 > Y.Y.Y.Y.53: 14698+ A? webmail.deictvereniging.nl. (44)
    14:00:09.051508 IP Y.Y.Y.Y.11849 > 192.33.4.12.53: 5902 A? webmail.deictvereniging.nl. (44)
    14:00:09.066211 IP 192.33.4.12.53 > Y.Y.Y.Y.11849: 5902- 0/7/14 (511)
    14:00:09.066432 IP Y.Y.Y.Y.30603 > 193.176.144.2.53: 47726 A? webmail.deictvereniging.nl. (44)
    14:00:09.075990 IP 193.176.144.2.53 > Y.Y.Y.Y.30603: 47726- 0/3/3 (166)
    14:00:09.076117 IP Y.Y.Y.Y.6159 > 92.60.122.242.53: 60745 A? webmail.deictvereniging.nl. (44)
    14:00:09.096191 IP 92.60.122.242.53 > Y.Y.Y.Y.6159: 60745 NXDomain*- 1/1/0 (142)
    14:00:09.096320 IP Y.Y.Y.Y.53 > X.X.X.X.12764: 14698 NXDomain 1/1/0 (142)
    14:00:15.698623 IP X.X.X.X.12817 > Y.Y.Y.Y.53: 10678+ A? webmail.deictvereniging.nl. (44)
    14:00:15.69 IP Y.Y.Y.Y.4343 > 199.7.83.42.53: 33926 A? webmail.prioserve.net. (39)
    14:00:15.705678 IP 199.7.83.42.53 > Y.Y.Y.Y.4343: 33926- 0/13/14 (496)
    14:00:15.705905 IP Y.Y.Y.Y.63586 > 192.12.94.30.53: 15614 A? webmail.prioserve.net. (39)
    14:00:15.723364 IP 192.12.94.30.53 > Y.Y.Y.Y.63586: 15614- 0/3/2 (137)
    14:00:15.723522 IP Y.Y.Y.Y.34704 > 213.239.134.20.53: 39014 A? webmail.prioserve.net. (39)
    14:00:15.730529 IP 213.239.134.20.53 > Y.Y.Y.Y.34704: 39014*- 1/3/3 (169)
    14:00:15.730657 IP Y.Y.Y.Y.53 > X.X.X.X.12817: 10678 2/0/0[|domain]

If I tcpdump 3.3.1 (dig +short webmail.deictvereniging.nl @. twice) (X.X.X.X = client-pc, Y.Y.Y.Y = recursor):

    14:04:38.192952 IP X.X.X.X.16134 > Y.Y.Y.Y.53: 55042+ A? webmail.deictvereniging.nl. (44)
    14:04:38.193260 IP Y.Y.Y.Y.50331 > 192.203.230.10.53: 14099 A? webmail.deictvereniging.nl. (44)
    14:04:38.355543 IP 192.203.230.10.53 > Y.Y.Y.Y.50331: 14099- 0/7/14 (511)
    14:04:38.355946 IP Y.Y.Y.Y.11949 > 213.154.241.28.53: 20304 A? webmail.deictvereniging.nl. (44)
    14:04:38.363475 IP 213.154.241.28.53 > Y.Y.Y.Y.11949: 20304- 0/3/3 (166)
    14:04:38.363589 IP Y.Y.Y.Y.13148 > 174.143.144.174.53: 56654 A? webmail.deictvereniging.nl. (44)
    14:04:38.489184 IP 174.143.144.174.53 > Y.Y.Y.Y.13148: 56654 NXDomain*- 1/1/0 (142)
    14:04:38.489394 IP Y.Y.Y.Y.53 > X.X.X.X.16134: 55042 NXDomain 1/1/0 (142)
    14:04:48.440018 IP X.X.X.X.16298 > Y.Y.Y.Y.53: 41520+ A? webmail.deictvereniging.nl. (44)
    14:04:48.440304 IP Y.Y.Y.Y.2957 > 192.112.36.4.53: 50327 A? webmail.deictvereniging.nl. (44)
    14:04:48.476429 IP 192.112.36.4.53 > Y.Y.Y.Y.2957: 50327- 0/7/14 (511)
    14:04:48.476851 IP Y.Y.Y.Y.23507 > 193.176.144.2.53: 23778 A? webmail.deictvereniging.nl. (44)
    14:04:48.486065 IP 193.176.144.2.53 > Y.Y.Y.Y.23507: 23778- 0/3/3 (166)
    14:04:48.486225 IP Y.Y.Y.Y.5951 > 174.143.144.174.53: 50521 A? webmail.deictvereniging.nl. (44)
    14:04:48.607337 IP 174.143.144.174.53 > Y.Y.Y.Y.5951: 50521 NXDomain*- 1/1/0 (142)
    14:04:48.607511 IP Y.Y.Y.Y.53 > X.X.X.X.16298: 41520 NXDomain 1/1/0 (142)

Grtz,
-- 
Niek

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
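The behaviour the two working recursors show in the dumps above (follow the CNAME to webmail.prioserve.net, query that zone's nameservers, and hand the client the terminal A record) is what RFC 1034 section 3.6.2 describes: when the answer for a name is an alias, the query is restarted at the canonical name. The following is an added illustration, not code from PowerDNS, unbound or the poster: a toy recursor that chases a CNAME chain across zones with loop detection, plus a small check for the symptom reported here (dig +short ending in a name instead of an address). The authoritative answers are constructed to mirror the dumps, including the server that returns the CNAME together with rcode NXDOMAIN; the loop-*.example names are made up for the loop case.

```python
"""Added example, not code from PowerDNS, unbound or the thread: a toy
recursor that shows what CNAME chasing is supposed to look like, plus a
check for the symptom reported above (dig +short ending in a name instead
of an address). The authoritative answers are constructed to mirror the
tcpdumps; the loop-*.example names are made up for the loop case."""
import ipaddress

MAX_CNAME_CHAIN = 8  # real resolvers cap the chain to bound work and break loops

# Constructed authoritative responses: (qname, qtype) -> (rcode, answer RRs).
# The first entry mirrors the dumps: the deictvereniging.nl server returns the
# CNAME in its answer section but sets rcode NXDOMAIN ("NXDomain*- 1/1/0").
AUTH_RESPONSES = {
    ("webmail.deictvereniging.nl.", "A"): (
        "NXDOMAIN",
        [("webmail.deictvereniging.nl.", "CNAME", "webmail.prioserve.net.")],
    ),
    ("webmail.prioserve.net.", "A"): (
        "NOERROR",
        [("webmail.prioserve.net.", "A", "91.216.113.22")],
    ),
    # Two aliases pointing at each other: a loop the resolver must detect.
    ("loop-a.example.", "A"): ("NOERROR", [("loop-a.example.", "CNAME", "loop-b.example.")]),
    ("loop-b.example.", "A"): ("NOERROR", [("loop-b.example.", "CNAME", "loop-a.example.")]),
}


def query_authoritative(qname, qtype):
    """Stand-in for the round trip to the zone's nameservers."""
    return AUTH_RESPONSES.get((qname, qtype), ("NXDOMAIN", []))


def resolve(qname, qtype="A", max_chain=MAX_CNAME_CHAIN):
    """Resolve qname/qtype the way RFC 1034 section 3.6.2 describes: whenever
    the answer for the current name is an alias, restart the query at the
    canonical name, even if that name sits in another zone served by other
    nameservers. Returns (status, answer_section)."""
    answer, seen, current = [], set(), qname
    for _ in range(max_chain):
        if current in seen:
            return "CNAME_LOOP", answer
        seen.add(current)
        rcode, rrs = query_authoritative(current, qtype)
        final = [rr for rr in rrs if rr[0] == current and rr[1] == qtype]
        if final:
            answer.extend(final)
            return "NOERROR", answer
        cname = [rr for rr in rrs if rr[0] == current and rr[1] == "CNAME"]
        if cname:
            # Follow the alias regardless of the rcode that came with it; the
            # rcode the client sees is decided by the final name in the chain.
            answer.append(cname[0])
            current = cname[0][2]
            continue
        return rcode, answer  # NXDOMAIN or NODATA for the name we ended on
    return "CNAME_CHAIN_TOO_LONG", answer


def dangling_cname(dig_short_output):
    """True when 'dig +short' for an address query ends in a name rather than
    an address, i.e. the recursor handed back the alias without chasing it."""
    lines = [ln.strip() for ln in dig_short_output.splitlines() if ln.strip()]
    if not lines:
        return False  # empty answer is NXDOMAIN/NODATA, a different problem
    try:
        ipaddress.ip_address(lines[-1])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(resolve("webmail.deictvereniging.nl."))
    print(resolve("loop-a.example."))
    print(dangling_cname("webmail.prioserve.net.\n"))
```

Run against the two dig outputs in the post, dangling_cname() is True for the 3.3.x output (alias only) and False for the unbound/3.1.7.2 output (alias followed by the address), which is a cheap check to put in a monitoring script when comparing recursor versions.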
Re: [Pdns-users] DNSsec DS trouble in single server TLD setup
Great job Bert! I can confirm that build 2181 fixes this problem completely. And it also fixes "[Pdns-users] Delegating a subdomain with DNSsec fails if child and parent zone are on same server".

On Wed, Apr 27, 2011 at 10:59:00AM +0200, bert hubert wrote:
> On Thu, Apr 21, 2011 at 11:13:00AM +0200, Niek wrote:
> > Couldn't get it to work with the TLD and the child zone on the same server. I was wondering whether this could be a bug in PowerDNS Server or whether I'm maybe trying to do something the wrong way. (And I was wondering if it also affects subdomains on the same server as the parent domain, I didn't investigate)
>
> Thank you for your investigation! Build 2181 is up which fixes your initial DS bug. Can you check if things are ok now?
>
> Bert

Grtz,
-- 
Niek
Re: [Pdns-users] DNSsec DS trouble in single server TLD setup
Hi JP,

Over here it looks okay:

    ; <<>> DiG 9.6.1-P2 <<>> +nodnssec powerdnssec.org ds
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16718
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;powerdnssec.org.               IN      DS

    ;; ANSWER SECTION:
    powerdnssec.org.        86332   IN      DS      2224 5 1 CD79B0D2639AAA5AE5ABDC80003836E5E5E0C506

On Wed, Apr 27, 2011 at 04:58:43PM +0200, Jan-Piet Mens wrote:
> Bert,
>
> > Build 2181 is up which fixes your initial DS bug. Can you check if things are ok now?
>
> r2181 fixes this for me, but I note that DS records are served only when querying with +dnssec. Omitting the switch gives NOERROR and NODATA. (This behaviour differs from that of BIND and NSD.) For example:
>
>     dig +nodnssec powerdnssec.org ds
>
> Regards,
> -JP

Grtz,
-- 
Niek
[Pdns-users] Delegating a subdomain with DNSsec fails if child and parent zone are on same server
Hi Folks,

In addition to the findings I communicated to this list in "DNSsec DS trouble in single server TLD setup" on Thu Apr 21, I tried to delegate a subdomain with DNSsec on PowerDNS Server (pdns-3.0-rc2.20110419.2176).

If both parent domain and child domain are hosted within the same instance of PowerDNS (with mysql backend), I fail because PowerDNS refuses to serve me the DS of the subzone.

I do not know if this is the normal way to go for this sort of thing; the alternative is to put the child RRs into the parent zone. This works fine, but putting it all into the parent zone becomes very messy very fast. As an ISP we have subzones with 40,000+ RRs; I'm not especially looking forward to bundling those into 200,000+ RR zones. Also, if you put all records in the parent zone, you will have a harder time delegating responsibilities for sub zones to e.g. another office. You can in this scenario make two extra servers of course, but then you have to take care of 4 servers.

Here's what I did:

domain_id 5 = parent (pre-exists)
domain_id 6 = child

Create subdomain =

    INSERT INTO `powerdns`.`domains` (`id`, `name`, `master`, `last_check`, `type`, `notified_serial`, `account`)
    VALUES (NULL, 'sales.securename.nl', NULL, NULL, 'NATIVE', NULL, NULL);

NS of subdomain in child zone =

    INSERT INTO `powerdns`.`records` (`id`, `domain_id`, `name`, `type`, `content`, `ttl`, `prio`, `change_date`, `ordername`, `auth`)
    VALUES (NULL, '6', 'sales.securename.nl', 'NS', 'dnssec-auth-bis.mer-nm.internl.net', '600', '0', NULL, NULL, '1');

SOA of subdomain in child zone =

    INSERT INTO `powerdns`.`records` (`id`, `domain_id`, `name`, `type`, `content`, `ttl`, `prio`, `change_date`, `ordername`, `auth`)
    VALUES (NULL, '6', 'sales.securename.nl', 'SOA', 'dnssec-auth-bis.mer-nm.internl.net blah.internl.net 2011042600 7200 3600 604800 3600', '600', '0', NULL, NULL, '1');

MX of subdomain in child zone =

    INSERT INTO `powerdns`.`records` (`id`, `domain_id`, `name`, `type`, `content`, `ttl`, `prio`, `change_date`, `ordername`, `auth`)
    VALUES (NULL, '6', 'sales.securename.nl', 'MX', 'mail.sales.securename.nl', '600', '10', NULL, NULL, '1');

A of MX of subdomain in child zone =

    INSERT INTO `powerdns`.`records` (`id`, `domain_id`, `name`, `type`, `content`, `ttl`, `prio`, `change_date`, `ordername`, `auth`)
    VALUES (NULL, '6', 'mail.sales.securename.nl', 'A', '1.2.3.4', '600', '0', NULL, NULL, '1');

Check
=====

    dig +multiline ns sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net  - works
    dig +multiline soa sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net - works

DNSsec-ify
==========

    pdnssec secure-zone sales.securename.nl
    pdnssec set-nsec3 sales.securename.nl
    pdnssec rectify-zone sales.securename.nl
    pdnssec check-zone sales.securename.nl
    pdnssec show-zone sales.securename.nl

DS =

    sales.securename.nl IN DS 42385 8 2 ec12ab2e160eab1681ea3031b2d72b04d61a58cc914ecb68a3a39a17d5eb0eb6

    INSERT INTO `powerdns`.`records` (`id`, `domain_id`, `name`, `type`, `content`, `ttl`, `prio`, `change_date`, `ordername`, `auth`)
    VALUES (NULL, '5', 'sales.securename.nl', 'DS', '42385 8 2 ec12ab2e160eab1681ea3031b2d72b04d61a58cc914ecb68a3a39a17d5eb0eb6', '600', '0', NULL, NULL, '1');

    pdnssec rectify-zone sales.securename.nl
    pdnssec rectify-zone securename.nl
    /etc/init.d/pdns restart

    dig +multiline +dnssec dnskey sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net - works
    dig +multiline +dnssec soa sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net    - works
    dig +multiline +dnssec ns sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net     - works
    dig +multiline +dnssec ds sales.securename.nl @dnssec-auth-bis.mer-nm.internl.net     - Fails, only NSEC3 output

Which means that validation fails.

Any remarks or suggestions?

BTW, this setup no longer exists, but I can re-create it if needed.

Kind regards,
-- 
Niek
[Pdns-users] DNSsec DS trouble in single server TLD setup
='SOA'\G
*************************** 1. row ***************************
         id: 29
  domain_id: 8
       name: rsi.sucks
       type: SOA
    content: ns.rsi.sucks. blah.internl.net. 2011041900 7200 3600 604800 3600
        ttl: 600
       prio: 0
change_date: NULL
  ordername: 6pmeqp0egqdhf7ikq7iasamtjd270m1c
       auth: 1
===

In this situation 'dig +multiline +dnssec +cd -t DS rsi.sucks @Server_A' doesn't give an ANSWER SECTION, but it does give you an AUTHORITY SECTION with NSEC3 records:

    ;; AUTHORITY SECTION:
    rsi.sucks.              600 IN SOA ns.rsi.sucks. blah.internl.net. (
                                    2011041900 ; serial
                                    7200       ; refresh (2 hours)
                                    3600       ; retry (1 hour)
                                    604800     ; expire (1 week)
                                    3600       ; minimum (1 hour)
                                    )
    rsi.sucks.              600 IN RRSIG SOA 8 2 600 2011050500 (
                                    2011042100 4980 rsi.sucks.
                                    LVoTvxQ03R1vl7E0miMHuYj91BBp39lGiQ4BcrZIcI6s
                                    xTYz4nlpaWmaG8GJ9qvtzWy3LZY5h26EfBYILghWzGWn
                                    IvNe6oA6JGm/fgehkz0wws3moPgEqK1xUs83sY5pHia+
                                    ykQf2sIyKFTDQpvpf79Cvis87Z3pnnmd6Y7I4RI= )
    6pmrsi.sucks.           600 IN NSEC3 1 1 1 AB ... NS SOA RRSIG DNSKEY NSEC3PARAM
    6pmrsi.sucks.           600 IN RRSIG NSEC3 8 3 600 2011050500 (
                                    2011042100 4980 rsi.sucks.
                                    crSS/90onlzAZng+xqfDWgGlP+Ywwu8ekApPLEP/sn+k
                                    LgAOhsey2BWfICt87mhAk9DXJ5xfSsxnH6zIXjRaM+A0
                                    Ee6o7XcJy/sDDDqnvfEFlgicqsz0Fk1VV13/dVOfxyLQ
                                    qZKEUkWsA1rvZTE27f3dcdTd3dGt5fRZHAJY6pQ= )
    koursi.sucks.           600 IN NSEC3 1 1 1 AB ... A RRSIG
    koursi.sucks.           600 IN RRSIG NSEC3 8 3 600 2011050500 (
                                    2011042100 4980 rsi.sucks.
                                    OTwe32EJ4rNaVrU4DooVH1e49fKW75z0csNkaDUmj3+b
                                    S78e99w+e5yIpXtOhVYD0emm1XMJasNXGeZOEi03CTbr
                                    AIHH3DJuxURLNU4QXNtEvLq2cz8ALRT+lqCc/v1yl+bN
                                    9dNykQxhNasqZCphMkTqr98grSZeG6g8bHuKz2M= )

In case you are wondering: if I change the domain_id of the DS record to the id of the child zone, PowerDNS does give you the DS record, but it is signed with the wrong key (the child zone key):

    ;; ANSWER SECTION:
    rsi.sucks.              600 IN RRSIG DS 8 2 600 2011050500 (
                                    2011042100 4980 rsi.sucks.
                                    aBWz2uQwGBzx6rV3TxKYW1XVpffHOrNVWNQ11/HxPnxH
                                    7wunuB0fhOJ/m4aSLv6/pbRsGsgGzLRG/Yfv339CJrnU
                                    A+bLgNsdTjAnLMfwiecN4TpGJPSp3TQbebS1ZUACSyMF
                                    PUF+gFSqQ7vDA28iydKST9CHkQwD03IjPHYfvXg= )
    rsi.sucks.              600 IN DS 52019 8 2 (
                                    5A078B614331E795527F8A2E1082EEC9EA4EACCC0C26
                                    AB5D2C5B1EE9E3DAA7BB )

Any suggestions?

Kind regards,
Niek
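Both of Niek's reports (the sales.securename.nl delegation and the rsi.sucks single-server TLD setup) hinge on the same rule: a DS RRset belongs to the parent side of the zone cut (RFC 4035 section 2.4), so in a PowerDNS records table it must carry the parent zone's domain_id and, when served, its RRSIG must name the parent zone as signer. Moving the DS into the child's domain_id makes the record appear but signed by the child key, exactly the "wrong key" answer shown above. The following is an added example, not PowerDNS code: two checks a practitioner can run over rows exported from the records table and over the RRSIG as dig prints it. The rows, ids and names are constructed from the thread; the delegation NS row in the parent (auth=0, as rectify-zone marks delegation NS records) is assumed to be present in a correct setup.

```python
"""Added example, not PowerDNS code: sanity checks for the 'parent and child
zone on one server' delegation described in the two posts above. The rows
are constructed from the thread (ids 5/6 and the sales.securename.nl names);
they are illustrative, not a live database."""

# Constructed 'domains' rows: id -> zone name.
DOMAINS = {5: "securename.nl", 6: "sales.securename.nl"}

# Constructed 'records' rows as the thread inserted them, plus the delegation
# NS in the parent (auth=0, as rectify-zone marks delegation NS records).
GOOD_RECORDS = [
    {"domain_id": 6, "name": "sales.securename.nl", "type": "SOA",
     "content": "dnssec-auth-bis.mer-nm.internl.net blah.internl.net 2011042600 7200 3600 604800 3600",
     "auth": 1},
    {"domain_id": 6, "name": "sales.securename.nl", "type": "NS",
     "content": "dnssec-auth-bis.mer-nm.internl.net", "auth": 1},
    {"domain_id": 5, "name": "sales.securename.nl", "type": "NS",
     "content": "dnssec-auth-bis.mer-nm.internl.net", "auth": 0},
    {"domain_id": 5, "name": "sales.securename.nl", "type": "DS",
     "content": "42385 8 2 ec12ab2e160eab1681ea3031b2d72b04d61a58cc914ecb68a3a39a17d5eb0eb6",
     "auth": 1},
]

# The RRSIG over the DS from the last post (signature truncated here): the
# signer 'rsi.sucks.' equals the owner, so the child key signed the record.
WRONG_KEY_RRSIG = ("rsi.sucks. 600 IN RRSIG DS 8 2 600 2011050500 ( "
                   "2011042100 4980 rsi.sucks. aBWz2uQwGBzx6rV3TxKYW1XVpffHOrNVWNQ11/HxPnxH )")


def parent_zone_id(owner, domains):
    """Id of the closest enclosing zone strictly above `owner`, or None.
    A DS describes the child's key but is owned by the parent side of the
    cut, so this is the zone a DS for `owner` must be stored in."""
    labels = owner.rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        for zone_id, zone_name in domains.items():
            if zone_name == candidate:
                return zone_id
    return None


def delegation_issues(records, domains):
    """Problems found in PowerDNS-style records rows (dicts with domain_id,
    name, type, content, auth). Empty list means the DS placement is sound."""
    issues = []
    for rec in records:
        if rec["type"] != "DS":
            continue
        want = parent_zone_id(rec["name"], domains)
        if want is None:
            issues.append(f"DS for {rec['name']} has no parent zone on this server")
            continue
        if rec["domain_id"] != want:
            issues.append(f"DS for {rec['name']} stored in zone id {rec['domain_id']}, "
                          f"expected parent zone id {want}")
        # A DS only makes sense at a delegation point: the parent zone must
        # hold the NS records for the cut.
        has_ns = any(x["type"] == "NS" and x["name"] == rec["name"] and x["domain_id"] == want
                     for x in records)
        if not has_ns:
            issues.append(f"no delegation NS for {rec['name']} in parent zone id {want}")
    return issues


def rrsig_signer_issue(rrsig_presentation):
    """Check an RRSIG over a DS as dig prints it. Fields after 'RRSIG' are:
    type-covered alg labels orig-ttl expiry inception keytag signer sig...
    The DS at a cut is signed by the parent, so the signer must be a proper
    ancestor of the owner; signer == owner is the 'wrong key' symptom."""
    fields = rrsig_presentation.replace("(", " ").replace(")", " ").split()
    owner = fields[0]
    idx = fields.index("RRSIG")
    covered, signer = fields[idx + 1], fields[idx + 8]
    if covered != "DS":
        return None  # only DS RRSIGs are subject to the parent-signer rule
    if owner == signer or not owner.endswith("." + signer):
        return f"DS at {owner} signed by {signer}, expected a parent-zone signer"
    return None


if __name__ == "__main__":
    print(delegation_issues(GOOD_RECORDS, DOMAINS))
    print(rrsig_signer_issue(WRONG_KEY_RRSIG))
```

The placement check is the one to run before filing a bug: if it comes back clean and the DS is still not served, as in the thread, the problem is in the server, not the data.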