Re: [Pdns-users] mwscdn.ru issue

2023-12-18 Thread Stephane Bortzmeyer via Pdns-users
On Mon, Dec 18, 2023 at 08:43:47AM +0100,
 Pieter Lexis via Pdns-users  wrote 
 a message of 41 lines which said:

> DNSViz [1] reports that the nameservers respond NXDomain for 
> queries.

And also for any type for which they don't have data. (I tested with
CAA, because of the recent Let's Encrypt issue.)

% dig @ns1.mwscdn.ru. mwscdn.ru CAA

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> @ns1.mwscdn.ru. mwscdn.ru CAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49980
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 0
;; QUESTION SECTION:
;mwscdn.ru. IN CAA

;; AUTHORITY SECTION:
mwscdn.ru.  3600 IN SOA ns1.mwscdn.ru. mwsdns.mts.ru. (
2023110101 ; serial
3600   ; refresh (1 hour)
600; retry (10 minutes)
604800 ; expire (1 week)
1800   ; minimum (30 minutes)
)

;; Query time: 44 msec
;; SERVER: 185.242.16.16#53(ns1.mwscdn.ru.) (UDP)
;; WHEN: Mon Dec 18 16:05:43 CET 2023
;; MSG SIZE  rcvd: 109
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] [dnsdist] Second Release Candidate of PowerDNS DNSdist 1.8.0

2023-03-09 Thread Stephane Bortzmeyer via Pdns-users
On Thu, Mar 09, 2023 at 10:25:33AM +0100,
 Remi Gacogne via dnsdist  wrote 
 a message of 94 lines which said:

> https://downloads.powerdns.com/releases/dnsdist-8.0-rc2.tar.bz2

404. The correct one seems to be
.


Re: [Pdns-users] Configuring dnsdist

2021-05-08 Thread Stephane Bortzmeyer via Pdns-users
On Sat, May 08, 2021 at 01:28:55PM -0500,
 Steven Garner  wrote 
 a message of 78 lines which said:

> I thought recursion was required for a DNS server to communicate
> with other DNS servers to determine an IP address and return it to
> the client.

Hosting "several hundred public domains" is not an easy task so, yes,
I would recommend you study DNS first (especially if it is a
commercial service). A server is either an authoritative server or a
resolver. An authoritative server does not handle recursive queries,
and does not send them. They just take one query and return one
response. Resolvers handle recursive queries and, in turn, query
authoritative name servers to get the responses.

If you like videos, see this one:

https://www.youtube.com/watch?v=qEMXK04d3O0

Some programs (BIND, and, in some way, Unbound), can do both
authoritative and resolver service but most people regard it as a bad
idea.

> All I am wanting to do is list my dns
> servers at the name servers with the domain registrars, and have my servers
> be authoritative for the zone information.

Then, you need authoritative servers. PowerDNS recursor is useless
here, and dnsdist is not mandatory. It could be cool but you can start
without it, just with PowerDNS authoritative.




Re: [Pdns-users] Configuring dnsdist

2021-05-08 Thread Stephane Bortzmeyer via Pdns-users
On Sat, May 08, 2021 at 01:12:49PM -0500,
 Steven Garner via Pdns-users  wrote 
 a message of 159 lines which said:

> I want to provide authoritative dns for several hundred public
> domains, for which I understand recursion is required,

I don't see why. Could you elaborate?



Re: [Pdns-users] [dnsdist] First alpha release of dnsdist 1.6.0

2021-02-03 Thread Stephane Bortzmeyer via Pdns-users
On Tue, Feb 02, 2021 at 02:10:45PM +0100,
 Remi Gacogne via dnsdist  wrote 
 a message of 149 lines which said:

> We are proud to announce the first alpha release of dnsdist 1.6.0.

Executive summary: be careful before activating out-of-order
processing on DoT servers. Read on.

Background: I manage a (very) small public DoT and DoH resolver. It is
automatically monitored from Icinga with two programs, one written in
Python  and the other in C
(based on getdns). So, I can know what happens while I sleep.

I upgraded to 1.6.0 Alpha and the server is running for 18 hours.

So, the big issue: *many* more timeouts are reported by the monitoring
system. With 1.4 and 1.5, everything was smooth; now I have timeouts
all the time.

It only affects DoT, not DoH, so I presume it is not the fault of the
machine or the network.

DoT was configured with maxInFlight=256; I've just gone back to
maxInFlight=0 to see if it makes a difference.


Re: [Pdns-users] [dnsdist] Fourth release candidate for dnsdist 1.5.0

2020-07-20 Thread Stephane Bortzmeyer via Pdns-users
On Mon, Jul 20, 2020 at 08:10:50AM +0200,
 Otto Moerbeek  wrote 
 a message of 50 lines which said:

> Removing the extra assignment operator should work. 

Indeed, it now compiles and runs, thanks.


Re: [Pdns-users] [dnsdist] Fourth release candidate for dnsdist 1.5.0

2020-07-19 Thread Stephane Bortzmeyer via Pdns-users
On Tue, Jul 07, 2020 at 04:41:00PM +0200,
 Remi Gacogne via dnsdist  wrote 
 a message of 84 lines which said:

> While we expected the third release candidate for dnsdist 1.5.0 to be
> the last one, a race condition that could lead to a crash was discovered
> by Tomas Krizek from CZ.NIC with the DNS Shotgun tool, leading to a new
> release candidate.

Does not compile:

  CXX  doh.o
doh.cc: In function ‘void doh_dispatch_query(DOHServerConfig*, h2o_handler_t*, 
h2o_req_t*, std::string&&, const ComboAddress&, const ComboAddress&, 
std::string&&)’:
doh.cc:677:24: error: expected primary-expression before ‘=’ token
  677 | const char * sni = = h2o_socket_get_ssl_server_name(sock);
  |^
make[2]: *** [Makefile:1351: doh.o] Error 1
make[2]: Leaving directory '/home/stephane/DoH/dnsdist/dnsdist-1.5.0-rc4'
make[1]: *** [Makefile:1478: all-recursive] Error 1
make[1]: Leaving directory '/home/stephane/DoH/dnsdist/dnsdist-1.5.0-rc4'
make: *** [Makefile:1109: all] Error 2
nice make  689.79s user 101.42s system 95% cpu 13:48.71 total

I had no problem with all the 1.5.0rc* before.

Arch Linux, x86_64

% g++ -v
Using built-in specs.
COLLECT_GCC=g++
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/10.1.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /build/gcc/src/gcc/configure --prefix=/usr --libdir=/usr/lib 
--libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info 
--with-bugurl=https://bugs.archlinux.org/ 
--enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++,d --with-isl 
--with-linker-hash-style=gnu --with-system-zlib --enable-__cxa_atexit 
--enable-cet=auto --enable-checking=release --enable-clocale=gnu 
--enable-default-pie --enable-default-ssp --enable-gnu-indirect-function 
--enable-gnu-unique-object --enable-install-libiberty --enable-linker-build-id 
--enable-lto --enable-multilib --enable-plugin --enable-shared 
--enable-threads=posix --disable-libssp --disable-libstdcxx-pch 
--disable-libunwind-exceptions --disable-werror 
gdc_include_dir=/usr/include/dlang/gdc
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 10.1.0 (GCC) 


Re: [Pdns-users] DNSSEC-Problems on g.root-servers.net?

2018-09-17 Thread Stephane Bortzmeyer
On Mon, Sep 17, 2018 at 08:39:38AM +0000,
 Christian Renner  wrote 
 a message of 23 lines which said:

> DNSViz always shows the same behaviour:
> 
> http://dnsviz.net/d/onba.zkb.ch/dnssec/
> http://dnsviz.net/d/www.admin.ch/dnssec/
> 
> Errors (3)
>   • ./DNSKEY: No response was received from the server over UDP (tried 4 
> times). (2001:500:12::d0d, UDP_0_EDNS0_32768_512)
>   • NSEC3 proving non-existence of admin.ch/DS: No NSEC3 RR matches the 
> SNAME (admin.ch).
>   • NSEC3 proving non-existence of admin.ch/DS: No NSEC3 RR matches the 
> SNAME (admin.ch).

The first error seems to be a (probably temporary) IPv6 routing issue
between dnsviz.net and g.root-servers.net. It works for me, and,
anyway, this would not prevent validation.

The real problem seems to be in .ch.



Re: [Pdns-users] Queries .domain. Attack to root server?

2015-12-13 Thread Stephane Bortzmeyer
On Sun, Dec 13, 2015 at 06:14:38PM +0000,
 Federico Olivieri  wrote 
 a message of 141 lines which said:

> Maybe is unrelated

Completely unrelated and, as I wrote already, there is no attack: you
just made a wrong analysis from the start.



Re: [Pdns-users] Queries .domain. Attack to root server?

2015-12-13 Thread Stephane Bortzmeyer
On Sun, Dec 13, 2015 at 03:57:17PM +0000,
 Federico Olivieri  wrote 
 a message of 58 lines which said:

> Can you please add more details in your answers?

There are NO requests for names ending in .domain. You are not reading
the output of tcpdump correctly.



Re: [Pdns-users] Queries .domain. Attack to root server?

2015-12-13 Thread Stephane Bortzmeyer
On Sun, Dec 13, 2015 at 03:48:05PM +0000,
 Federico Olivieri  wrote 
 a message of 74 lines which said:

> Thanks for the hint.

You apparently did not get it.

> I wrote an iptables rule but it seems not to be working

Completely unrelated to the problem.

> I think that I need to specify to block all domains with .domain at the end
> (a kind of *.domain)

No, no and no.



Re: [Pdns-users] Queries .domain. Attack to root server?

2015-12-13 Thread Stephane Bortzmeyer
On Sun, Dec 13, 2015 at 03:17:04PM +0000,
 Federico Olivieri  wrote 
 a message of 131 lines which said:

> I did sniff traffic and I saw some strange queries with .domain at the end
> of the name

Always use tcpdump with -n option... (hint: the last field is the
port, 53 in digits, domain in letters).

> If I do dig for one of those domains I can see that the query goes directly
> to root server.

Of course, since it searches for the .domain TLD.




Re: [Pdns-users] DNS amplification attack advice

2012-05-30 Thread Stephane Bortzmeyer
On Tue, May 29, 2012 at 04:32:23PM +0200,
 kalpesh thaker  wrote 
 a message of 252 lines which said:

> - max-tcp-connections set to 60
...
> - setup IPtables with a chain to reject udp/tcp connections 
...
> they seem to think they these IP address have all been spoofed for
> this amplification attack.

I'm confused. Does the attacker use TCP or not? If yes, it is very
unlikely they were able to spoof the IP addresses.


Re: [Pdns-users] DNS amplification attack advice

2012-05-30 Thread Stephane Bortzmeyer
On Tue, May 29, 2012 at 04:32:23PM +0200,
 kalpesh thaker  wrote 
 a message of 252 lines which said:

> we have been, and still are currently the victims of a terrible DNS
> DOS amplification attack.
...
> May 28 15:01:13 ns1 pdns[9603]: Not authoritative for 'filezilla.de
> ', sending servfail to 184.22.170.194
> (recursion was desired)

Where is the amplification? A SERVFAIL response is not larger than the
incoming request. Real amplification attacks query authoritative
servers (with the domains they manage) or open recursors.

> - setup IPtables with a chain to reject udp/tcp connections to port
> 53 if they create more than 7 connections per second

This requires connection tracking and could kill your machine if the
server has many different clients (especially for UDP, where
"connections" are extremely short but Linux connection tracking
remembers them for a long time). 

I prefer the hashlimit module, it still has state but much less, and
it allows burstiness (this is very important on the public Internet):

iptables -A INPUT -p udp --dport 53 -m hashlimit \
   --hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
   --hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

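As an added illustration of what the hashlimit rule above does to traffic (this is not code from the post or from PowerDNS, and xt_hashlimit itself is a kernel module), here is a small Python model: one token bucket per /28 source prefix, 100 credits of burst, 20 credits earned per second, and a packet that finds no credit is the one the rule DROPs. The replay runs constructed packets (documentation addresses, invented timestamps) through it so you can see a flood being cut to the configured rate while an unrelated client is untouched. The kernel module's jiffies-based credit accounting and idle-bucket expiry are left out; the model is an approximation.

```python
import ipaddress
from collections import defaultdict

# Parameters copied from the iptables rule in the post
RATE_PER_SECOND = 20.0   # --hashlimit-above 20/second
BURST = 100              # --hashlimit-burst 100
SRCMASK = 28             # --hashlimit-srcmask 28 (one bucket per /28)


def bucket_key(src_ip, srcmask=SRCMASK):
    """Group sources the way --hashlimit-mode srcip --hashlimit-srcmask does."""
    return str(ipaddress.ip_network(f"{src_ip}/{srcmask}", strict=False))


class HashLimit:
    """Token-bucket approximation of xt_hashlimit: each bucket starts with BURST
    credits, earns RATE_PER_SECOND credits per second (capped at BURST), and an
    incoming packet spends one; a packet that finds no credit matches the rule
    and is DROPped. (Jiffies-based accounting and bucket expiry are omitted.)"""

    def __init__(self, rate=RATE_PER_SECOND, burst=BURST, srcmask=SRCMASK):
        self.rate, self.burst, self.srcmask = rate, burst, srcmask
        self.credits = {}     # bucket -> remaining credits
        self.last_seen = {}   # bucket -> timestamp of the last refill

    def should_drop(self, ts, src_ip):
        key = bucket_key(src_ip, self.srcmask)
        if key not in self.credits:
            self.credits[key] = float(self.burst)
        else:
            earned = (ts - self.last_seen[key]) * self.rate
            self.credits[key] = min(self.burst, self.credits[key] + earned)
        self.last_seen[key] = ts
        if self.credits[key] >= 1.0:
            self.credits[key] -= 1.0
            return False
        return True


def replay(packets):
    """Run (timestamp, source) pairs through the rule; return per-bucket verdicts."""
    hl = HashLimit()
    verdicts = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for ts, src in sorted(packets):
        verdict = "dropped" if hl.should_drop(ts, src) else "accepted"
        verdicts[bucket_key(src)][verdict] += 1
    return dict(verdicts)


def constructed_traffic():
    """Constructed sample: one flooding source, a quiet neighbour in the same /28,
    and an unrelated client. Addresses come from the RFC 5737 documentation ranges."""
    pkts = [(i / 300.0, "192.0.2.10") for i in range(300)]      # 300 pkt/s flood
    pkts += [(0.5 + i * 0.01, "192.0.2.12") for i in range(5)]  # same /28 as the flood
    pkts += [(0.1 * i, "198.51.100.7") for i in range(5)]       # a different /28
    return pkts


if __name__ == "__main__":
    for bucket, counts in replay(constructed_traffic()).items():
        print(bucket, counts)
```

The neighbour in the flooding /28 shares the flooder's bucket and gets dropped along with it; that is the trade-off of --hashlimit-srcmask 28, which keeps the table small but punishes a whole prefix.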


Re: [Pdns-users] PowerDNSSEC Progress: ready for a first look

2011-01-12 Thread Stephane Bortzmeyer
On Fri, Jan 07, 2011 at 01:35:59PM +0100,
 Leen Besselink  wrote 
 a message of 58 lines which said:

> I would expect it to need authentication tokens too. :-)

In almost all registries, this is allowed only to registered
registrars. So, even if someone were willing to add an EPP client to
PowerDNS, it would be a waste of time.

As with similar software (which performs key management), the good
solution is to have a command to export the DS record, so that the
PowerDNS human manager can give it to his registrar.


Re: [Pdns-users] [Recursor] Resolving large RRsets

2010-12-13 Thread Stephane Bortzmeyer
On Mon, Dec 13, 2010 at 09:30:18AM +0100,
 bert hubert  wrote 
 a message of 286 lines which said:

> Dec 13 09:23:54 [1] all-wikileaks.bortzmeyer.fr.: truncated bit set,
>   retrying via TCP

This is not perfect: with BIND and Unbound, there is no fallback to
TCP since they use EDNS0 (with a default buffer size of 4096 bytes,
which is enough for this RRset). Why does PowerDNS not use EDNS0?
 


[Pdns-users] [Recursor] Resolving large RRsets

2010-12-13 Thread Stephane Bortzmeyer
I do not have access to a PowerDNS Recursor and I would be glad if
people could test and see if they can resolve the RRset
all-wikileaks.bortzmeyer.fr (2200 bytes) as explained here:

http://www.bortzmeyer.org/size-dns-wikileaks.html


Re: [Pdns-users] [recursor] configure could be more user-friendly

2010-05-26 Thread Stephane Bortzmeyer
On Wed, May 26, 2010 at 07:57:13PM +0200,
 bert hubert  wrote 
 a message of 85 lines which said:

> The immediate reason that the pdns-recursor did not have full auto*,
> and is unlikely to get it, was the deep dissatisfaction we felt with
> this suite of programs.

Do note that I was not asking specifically for an autotools system. I
was asking for a more user-friendly configure script, whether built
with autotools or in another way.



Re: [Pdns-users] [recursor] Segmentation fault at startup

2010-05-26 Thread Stephane Bortzmeyer
On Wed, May 26, 2010 at 11:17:25AM +0200,
 bert hubert  wrote 
 a message of 60 lines which said:

> We could probably boil this issue down to a tiny testcase that would
> crash on NetBSD. This could then lead to a bugreport to NetBSD.

I did so, both on the netbsd-users mailing list and in a thread in the
excellent Q&A site StackOverflow


The conclusions seem to be:

1) NetBSD has no thread-local storage at all (it may be added in the
future). I cannot find in-depth discussions about it, just technical
messages like


2) There is no obvious way to write a test (such as an autoconf macro)
to detect that. People recommend a --disable-tls configure flag, to be
set manually.

3) A suggested solution is to replace __thread by pthread_key_create()
+ pthread_setspecific()


Re: [Pdns-users] [recursor] Segmentation fault at startup

2010-05-26 Thread Stephane Bortzmeyer
[BTW, it would be better to do so on a ticketing system but I cannot
find a way to create a new ticket in the PowerDNS Trac.]

On Wed, May 26, 2010 at 10:55:47AM +0200,
 bert hubert  wrote 
 a message of 26 lines which said:

> Could you split line 1508 as follows:
> 
> NetmaskGroup* oldAllowFrom = t_allowFrom;
> NetmaskGroup* allowFrom = new NetmaskGroup;

(gdb) run
Starting program: 
/home/stephane/Programmation/DNS/pdns-recursor-3.2/pdns_recursor 
May 26 10:59:56 PowerDNS recursor 3.2 (C) 2001-2010 PowerDNS.COM BV (May 26 
2010, 10:58:27, gcc 4.1.3 20080704 prerelease (NetBSD nb2 20081120)) starting up
May 26 10:59:56 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free 
software, and you are welcome to redistribute it according to the terms of the 
GPL version 2.
May 26 10:59:56 Operating in 32 bits mode
May 26 10:59:56 Reading random entropy from '/dev/urandom'

Program received signal SIGSEGV, Segmentation fault.
parseACLs () at pdns_recursor.cc:1508
1508  NetmaskGroup* oldAllowFrom = t_allowFrom;


Re: [Pdns-users] [recursor] Segmentation fault at startup

2010-05-26 Thread Stephane Bortzmeyer
On Wed, May 26, 2010 at 10:08:41AM +0200,
 bert hubert  wrote 
 a message of 33 lines which said:

> In fact, this is so little difference that I wonder if it really was
> compiled with -g, can you double check?

It was properly compiled but the Makefile contains a 'strip
$(DESTDIR)/$(SBINDIR)/pdns_recursor' :-( Debugging the non-installed
executable is better:

(gdb) run
Starting program: 
/home/stephane/Programmation/DNS/pdns-recursor-3.2/pdns_recursor 
May 26 10:13:45 PowerDNS recursor 3.2 (C) 2001-2010 PowerDNS.COM BV (May 26 
2010, 09:23:52, gcc 4.1.3 20080704 prerelease (NetBSD nb2 20081120)) starting up
May 26 10:13:45 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free 
software, and you are welcome to redistribute it according to the terms of the 
GPL version 2.
May 26 10:13:45 Operating in 32 bits mode
May 26 10:13:45 Reading random entropy from '/dev/urandom'

Program received signal SIGSEGV, Segmentation fault.
parseACLs () at pdns_recursor.cc:1508
1508  NetmaskGroup* oldAllowFrom = t_allowFrom, *allowFrom=new NetmaskGroup;
(gdb) bt
#0  parseACLs () at pdns_recursor.cc:1508
#1  0x080a84b0 in serviceMain (argc=1, argv=0xbfbfe9dc) at pdns_recursor.cc:1595
#2  0x080b2e04 in main (argc=1, argv=0xbfbfe9dc) at pdns_recursor.cc:1987
(gdb) 

OK, the ACL parsing is not robust enough. What is strange is that,
even without a configuration file (and therefore without ACL), it
crashes at the same place:

(gdb) run
Starting program: 
/home/stephane/Programmation/DNS/pdns-recursor-3.2/pdns_recursor 
May 26 10:14:30 Unable to parse configuration file '/etc/powerdns/recursor.conf'
May 26 10:14:30 PowerDNS recursor 3.2 (C) 2001-2010 PowerDNS.COM BV (May 26 
2010, 09:23:52, gcc 4.1.3 20080704 prerelease (NetBSD nb2 20081120)) starting up
May 26 10:14:30 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free 
software, and you are welcome to redistribute it according to the terms of the 
GPL version 2.
May 26 10:14:30 Operating in 32 bits mode
May 26 10:14:30 Reading random entropy from '/dev/urandom'

Program received signal SIGSEGV, Segmentation fault.
parseACLs () at pdns_recursor.cc:1508
1508  NetmaskGroup* oldAllowFrom = t_allowFrom, *allowFrom=new NetmaskGroup;
(gdb) bt
#0  parseACLs () at pdns_recursor.cc:1508
#1  0x080a84b0 in serviceMain (argc=1, argv=0xbfbfe9dc)
at pdns_recursor.cc:1595
#2  0x080b2e04 in main (argc=1, argv=0xbfbfe9dc) at pdns_recursor.cc:1987
(gdb) 





[Pdns-users] [recursor] Segmentation fault at startup

2010-05-26 Thread Stephane Bortzmeyer
%  pdns_recursor 
May 26 09:12:12 PowerDNS recursor 3.2 (C) 2001-2010 PowerDNS.COM BV (May 26 
2010, 08:46:38, gcc 4.1.3 20080704 prerelease (NetBSD nb2 20081120)) starting up
May 26 09:12:12 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free 
software, and you are welcome to redistribute it according to the terms of the 
GPL version 2.
May 26 09:12:12 Operating in 32 bits mode
May 26 09:12:12 Reading random entropy from '/dev/urandom'
zsh: segmentation fault  pdns_recursor

Same thing without a /etc/powerdns/recursor.conf. Same thing if run as
root.

% g++ --version
g++ (GCC) 4.1.3 20080704 prerelease (NetBSD nb2 20081120)
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

% uname -a
NetBSD golgoth 5.0.1 NetBSD 5.0.1 (GENERIC) #0: Thu Oct  1 15:46:16 CEST 2009  
steph...@golgoth:/usr/obj/sys/arch/i386/compile/GENERIC i386

Boost is 1.38.0nb1

With the debugger (I have zero experience in debugging C++ programs):

(gdb) run
Starting program: /usr/sbin/pdns_recursor 
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
May 26 09:13:01 PowerDNS recursor 3.2 (C) 2001-2010 PowerDNS.COM BV (May 26 
2010, 08:46:38, gcc 4.1.3 20080704 prerelease (NetBSD nb2 20081120)) starting up
May 26 09:13:01 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free 
software, and you are welcome to redistribute it according to the terms of the 
GPL version 2.
May 26 09:13:01 Operating in 32 bits mode
May 26 09:13:01 Reading random entropy from '/dev/urandom'

Program received signal SIGSEGV, Segmentation fault.
0x08095a97 in std::string::_S_construct ()
(gdb) bt
#0  0x08095a97 in std::string::_S_construct ()
#1  0x0809e390 in std::string::_S_construct ()
#2  0x080a5215 in std::string::_S_construct ()
#3  0x0804ccd4 in ?? ()
#4  0x0001 in ?? ()
#5  0xbfbfea78 in ?? ()
#6  0xbfbfea80 in ?? ()
#7  0x0804cc46 in ?? ()
#8  0xbfbfeb88 in ?? ()
#9  0xbfbfea80 in ?? ()
#10 0xbbbf2000 in ?? ()
#11 0xbfb0 in ?? ()
#12 0x in ?? ()

Very little difference when compiling with -O0 -g:

(gdb) run
Starting program: /usr/sbin/pdns_recursor 
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
May 26 09:29:04 PowerDNS recursor 3.2 (C) 2001-2010 PowerDNS.COM BV (May 26 
2010, 09:23:52, gcc 4.1.3 20080704 prerelease (NetBSD nb2 20081120)) starting up
May 26 09:29:04 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free 
software, and you are welcome to redistribute it according to the terms of the 
GPL version 2.
May 26 09:29:04 Operating in 32 bits mode
May 26 09:29:04 Reading random entropy from '/dev/urandom'

Program received signal SIGSEGV, Segmentation fault.
0x080a1fac in std::basic_string<char, std::char_traits<char>, 
std::allocator<char> >::basic_string ()
(gdb) bt
#0  0x080a1fac in std::basic_string<char, std::char_traits<char>, 
std::allocator<char> >::basic_string ()
#1  0x080a84b0 in std::basic_string<char, std::char_traits<char>, 
std::allocator<char> >::basic_string ()
#2  0x080b2e04 in std::basic_string<char, std::char_traits<char>, 
std::allocator<char> >::basic_string ()
#3  0x0804e044 in ?? ()
#4  0x0001 in ?? ()
#5  0xbfbfea30 in ?? ()
#6  0xbfbfea38 in ?? ()
#7  0x0804dfb6 in ?? ()
#8  0xbfbfeb40 in ?? ()
#9  0xbfbfea38 in ?? ()
#10 0xbbbf2000 in ?? ()
#11 0xbfb0 in ?? ()
#12 0x in ?? ()


[Pdns-users] [recursor] configure could be more user-friendly

2010-05-25 Thread Stephane Bortzmeyer
[Sent here because I cannot find a way to create a new ticket at
]

./configure is not very helpful when it cannot find a library. For
instance, if Boost is not found (because it is in /usr/pkg):

% ./configure
Testing dependencies and compiler.
Using gmake to build
g++  -Wall -O3  -pthread -MM -MG *.cc *.c *.hh > dep
g++  -Wall -O3  -pthread  pdns_hw.cc -o pdns_hw 
pdns_hw.cc:1:34: error: boost/lexical_cast.hpp: No such file or directory
pdns_hw.cc:2:43: error: boost/multi_index_container.hpp: No such file or 
directory
pdns_hw.cc:3:47: error: boost/multi_index/ordered_index.hpp: No such file or 
directory
pdns_hw.cc:4:44: error: boost/tuple/tuple_comparison.hpp: No such file or 
directory
pdns_hw.cc:5:48: error: boost/multi_index/key_extractors.hpp: No such file or 
directory
pdns_hw.cc:6:49: error: boost/multi_index/sequenced_index.hpp: No such file or 
directory
pdns_hw.cc: In function 'int main()':
pdns_hw.cc:17: error: 'boost' has not been declared
pdns_hw.cc:17: error: expected primary-expression before '>' token
pdns_hw.cc:17: error: invalid operands of types 'const char [1]' and 'const 
char [2]' to binary 'operator<<'
gmake: [basic_checks] Error 1 (ignored)

Instead of something like this, which is more common among free Unix programs:

Cannot find the Boost library . If it is installed, use 
--with-boost

I cannot even use --help to find documentation; it yields the same
error message.



PowerDNS recursor, version 3.2


Re: [Pdns-users] PowerDNS & DNSSEC!

2009-07-15 Thread Stephane Bortzmeyer
On Wed, Jul 15, 2009 at 02:59:58AM +1000,
 Duane at e164 dot org  wrote 
 a message of 62 lines which said:

> On the other hand do you know of any "exciting" development with DNScurve?

What's the relationship? DNSSEC secures the data, DNScurve the channel
(like TLS, IPsec, TSIG, etc.). So, DNScurve is not a replacement for
DNSSEC; for instance, it does not protect against a rogue resolver (or
secondary name server).


[Pdns-users] Re: PowerDNS interview on Dutch national radio tonight

2008-07-09 Thread Stephane Bortzmeyer
On Tue, Jul 08, 2008 at 06:13:04PM +0200,
 Stephane Bortzmeyer <[EMAIL PROTECTED]> wrote 
 a message of 13 lines which said:

> > Microsoft will be releasing more details tonight, 
> 
> Apparently done:
> 
> http://www.microsoft.com/technet/security/Bulletin/MS08-020.mspx

As mentioned off-line, this is an old one, the new one is:

http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx

For BIND :

http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php



[Pdns-users] Re: PowerDNS interview on Dutch national radio tonight

2008-07-08 Thread Stephane Bortzmeyer
On Tue, Jul 08, 2008 at 12:39:33PM +0200,
 bert hubert <[EMAIL PROTECTED]> wrote 
 a message of 24 lines which said:

> Microsoft will be releasing more details tonight, 

Apparently done:

http://www.microsoft.com/technet/security/Bulletin/MS08-020.mspx


[Pdns-users] Re: IPv6 testers wanted for snapshot4!

2008-02-11 Thread Stephane Bortzmeyer
On Sun, Feb 10, 2008 at 10:26:00PM +0100,
 bert hubert <[EMAIL PROTECTED]> wrote 
 a message of 35 lines which said:

> This version uses ANY-queries to simultaneously retrieve A and AAAA
> records for resolution, which appears to be new.

This is quite dangerous. With a non-authoritative server, ANY only
returns what's in the cache, which may be only the A or only the AAAA.

And the recursor cannot know in advance if the server is authoritative
or not.




[Pdns-users] Re: IPv6 testers wanted for snapshot4!

2008-02-11 Thread Stephane Bortzmeyer
On Mon, Feb 11, 2008 at 10:37:09AM +0100,
 bert hubert <[EMAIL PROTECTED]> wrote 
 a message of 13 lines which said:

> > This is quite dangerous. With a non-authoritative server, ANY only
> > returns what's in the cache which may be only the A or only the AAAA.
> 
> That only hits mis-configured domains though that delegate to
> non-authoritative servers.

There are a lot. There are also a lot of name servers (or rather, the
black box before them) which reply SERVFAIL to ANY queries.

But I disagree: in the process of name resolution, the recursor can
find a legitimate non-authoritative server up in the domain tree,
which has the A but not the AAAA (for instance because it is a
glue). What does PDNS recursor do here? Always check the authoritative
server?



[Pdns-users] Re: third-party DNS tests fail with fatal errors

2008-02-07 Thread Stephane Bortzmeyer
On Wed, Feb 06, 2008 at 11:40:38AM -0800,
 Eugene Pefti <[EMAIL PROTECTED]> wrote 
 a message of 54 lines which said:

> [TEST coherence between SOA and ANY records]: server failure (IN/ANY:
> premiere1.com.)

Besides the excellent diagnostic from Bert, let me explain what
Zonecheck does here:

* it asks for the SOA record,
* it asks for ANY records,
* it checks that the SOA record found in response to the ANY query is
  the same as the one sent in response to the SOA query (many broken
  nameservers send bogus replies when asked for ANY records).

So, you can perform the same test with:

dig @myserver SOA mydomain.
dig @myserver ANY mydomain.

and see if it's consistent.
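Both dig-based checks in this digest, the NXDOMAIN-for-any-missing-type behaviour reported for mwscdn.ru at the top of the page and the Zonecheck SOA/ANY coherence test just described, come down to reading a few fields of the DNS reply. The following is an added example (not Zonecheck's code and not PowerDNS's) that does that with only the Python standard library: a minimal wire-format parser that follows compression pointers and decodes SOA RDATA, a classifier that separates NXDOMAIN from NODATA, a detector for "this name exists but got NXDOMAIN for another type", and the SOA-versus-ANY comparison. All replies are constructed inline for a placeholder zone, example.net, with a serial in the style of the thread; nothing is sent on the network.

```python
import struct

# RR types and RCODEs used below (RFC 1035 values; CAA is RFC 8659)
TYPE_A, TYPE_SOA, TYPE_ANY, TYPE_CAA = 1, 6, 255, 257
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode the name at msg[off], following compression pointers (RFC 1035 4.1.4);
    returns (dotted name, offset just past the name in the original stream)."""
    labels, end, jumped, hops = [], 0, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # 11xxxxxx: pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def build_rr(owner, rtype, ttl, rdata):           # owner is already wire-encoded
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(qname, qtype, rcode, aa, answers=(), authority=()):
    """Constructed reply: QR set, AA optional, one question, no additional section."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    header = struct.pack("!6H", 0x1234, flags, 1, len(answers), len(authority), 0)
    return (header + encode_name(qname) + struct.pack("!HH", qtype, 1)
            + b"".join(answers) + b"".join(authority))

def parse_response(msg):
    _, flags, _, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4                                         # QTYPE + QCLASS
    resp = {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "qname": qname,
            "qtype": qtype, "answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == TYPE_SOA:                    # decode SOA names so that a
                mname, p = decode_name(msg, off)     # compressed and an uncompressed
                rname, p = decode_name(msg, p)       # copy of one SOA compare equal
                rdata = (mname, rname) + struct.unpack("!IIIII", msg[p:p + 20])
            off += rdlen
            resp[section].append((name, rtype, ttl, rdata))
    return resp

def classify(resp):
    """'Name does not exist' versus 'name exists but has no data of this type'."""
    if resp["rcode"] == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if resp["rcode"] == RCODE_NOERROR:
        return "ANSWER" if resp["answer"] else "NODATA"
    return "ERROR"

def nxdomain_for_existing_name(responses):
    """The mwscdn.ru pattern: replies for one QNAME where some type is answered
    (so the name exists) yet another type gets NXDOMAIN instead of NODATA (RFC 2308)."""
    kinds = {classify(r) for r in responses}
    return "ANSWER" in kinds and "NXDOMAIN" in kinds

def soa_coherent(soa_resp, any_resp):
    """Zonecheck-style test: exactly one SOA answers the SOA query, and the ANY
    reply carries the same SOA (owner and RDATA compared, TTL ignored)."""
    soas = lambda r: sorted((rr[0], rr[3]) for rr in r["answer"] if rr[1] == TYPE_SOA)
    return len(soas(soa_resp)) == 1 and soas(soa_resp) == soas(any_resp)

ZONE = "example.net."   # constructed placeholder zone, not one from the threads

def samples():
    soa = lambda serial: build_rr(encode_name(ZONE), TYPE_SOA, 3600,
        encode_name("ns1.example.net.") + encode_name("hostmaster.example.net.")
        + struct.pack("!IIIII", serial, 3600, 600, 604800, 1800))
    a_rr = build_rr(b"\xc0\x0c", TYPE_A, 300, bytes([192, 0, 2, 1]))  # owner = pointer to QNAME
    reply = lambda qtype, rcode, ans, auth=(): parse_response(
        build_response(ZONE, qtype, rcode, True, ans, auth))
    return {
        "soa": reply(TYPE_SOA, RCODE_NOERROR, [soa(2023110101)]),
        "any_ok": reply(TYPE_ANY, RCODE_NOERROR, [a_rr, soa(2023110101)]),
        "any_stale": reply(TYPE_ANY, RCODE_NOERROR, [soa(2023110100)]),      # serial differs
        "a": reply(TYPE_A, RCODE_NOERROR, [a_rr]),
        "caa_nodata": reply(TYPE_CAA, RCODE_NOERROR, [], [soa(2023110101)]),    # correct
        "caa_nxdomain": reply(TYPE_CAA, RCODE_NXDOMAIN, [], [soa(2023110101)]), # as reported
    }
```

To run the same checks against a live server you would replace samples() with the raw bytes of the two dig answers (for instance from a socket), which parse_response accepts unchanged; an NXDOMAIN for a type on a name that answers for another type is the misbehaviour from the first thread, and a SOA that differs between the SOA and ANY replies is what Zonecheck reports.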


[Pdns-users] Re: Problem with powerdns(master) -> bind(slave)

2008-01-22 Thread Stephane Bortzmeyer
On Mon, Jan 21, 2008 at 11:38:30AM -0500,
 Matt Pounsett <[EMAIL PROTECTED]> wrote 
 a message of 43 lines which said:

> You can't mix a CNAME with other data.  

Other people said so, but it should be noted that it is no longer
completely true. RFC 4034 (published in March 2005) says:

   Because every authoritative RRset in a zone must be protected by a
   digital signature, RRSIG RRs must be present for names containing a
   CNAME RR.  This is a change to the traditional DNS specification
   [RFC1034], which stated that if a CNAME is present for a name, it is
   the only type allowed at that name. 

Mixing CNAME and A is still forbidden but you cannot say "Never use
CNAME with other types" any more.


[Pdns-users] Supermaster with BIND (Was: Stupid subject (Was: Please Help me..Bert Hubert help me!!

2007-06-06 Thread Stephane Bortzmeyer
On Tue, Jun 05, 2007 at 10:35:48AM +0000,
 Ale * <[EMAIL PROTECTED]> wrote 
 a message of 59 lines which said:

> I'd like to add a new zone (records) or modify an existing zone
> (records) and I'd want these changes to be sent to the master
...
> Somebody told me that it is impossible because the supermaster option
> doesn't work with other DNS

He is right. Supermaster is proprietary. Other name servers have an
incompatible protocol (Infoblox, for instance).

There is a work going on to create a standard protocol
(http://www.bortzmeyer.org/files/draft-regnauld-ns-communication-00.html
or
http://www.ietf.org/internet-drafts/draft-regnauld-ns-communication-00.txt)
but do not hold your breath.

You can transfer the data in the zones (with AXFR), not the list of
zones or the meta-data (such as zone's primary name server address).


[Pdns-users] Sourceforge DNS issues

2007-03-06 Thread Stephane Bortzmeyer
[It *seems* that the name servers are PowerDNS machines, hence the
message.]

Sourceforge currently experiences DNS problems (they claim it is a
DoS, http://sourceforge.net/docs/A04). Names like
echoping.svn.sourceforge.net cannot be resolved from most sites
(server failure, while you would expect a timeout, from a typical
DoS).

The behaviour of the authoritative name servers is very funny: they
send (immediately) an empty reply, with TC bit set. So, dig retries
with TCP:

% dig @pdns2.ostg.com. A echoping.svn.sourceforge.net
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.3.4 <<>> @pdns2.ostg.com. A echoping.svn.sourceforge.net
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

(The server does not accept TCP, it seems.)

From sites where it works, one can see that the response is very
small, there is no need to set the TC bit!

Any idea?



[Pdns-users] Re: PowerDNS releases?

2007-02-26 Thread Stephane Bortzmeyer
On Sun, Feb 25, 2007 at 11:19:05PM +0100,
 bert hubert <[EMAIL PROTECTED]> wrote 
 a message of 23 lines which said:

> We still consider it difficult to fix and not important as it only
> "affects" people who provision domains but neglect to add records.

Wrong (and the use of "neglect" is not nice for the people who
reported it). I already gave a case where it is a problem, ENUM:

 http://mailman.powerdns.com/pipermail/pdns-users/2006-November/003930.html

> But we're all ears to hearing how it is a real problem. If people consider
> it important, by all means open a ticket - 

#127


[Pdns-users] Re: recursor cache storage?

2007-02-22 Thread Stephane Bortzmeyer
On Thu, Feb 22, 2007 at 09:25:35AM -0500,
 Mike W <[EMAIL PROTECTED]> wrote 
 a message of 46 lines which said:

> Everything works great, except I can't figure out a way to store my
> cached DNS entries.  For example, when I stop pdns_recursor and
> start it again, I lose all the entries that were previously cached.

Every DNS recursor I know of works that way.

> Also, is there any way I can make manual entries in the cache, say
> to make some entries for the hosts on my local network?

Why? If you have stable names, why not put them in an authoritative
name server? Why in the recursor?


[Pdns-users] ICANN needs you

2007-02-13 Thread Stephane Bortzmeyer
PowerDNS recursor was not tested yet, apparently:

http://www.icann.org/committees/security/sac017.htm

Testing Recursive Name Servers for IPv6 and EDNS0 Support

Background

The DNS Root Server System Advisory Committee (RSSAC) and ICANN Security and 
Stability Advisory Committee (SSAC) are jointly studying the topic of adding 
type AAAA resource records for the IPv6 addresses of the root name servers to 
the "root hints file" and the DNS root zone. (The official root hints file is 
located at ftp://ftp.internic.net/domain/.)

Most recursive name servers perform a bootstrap process called priming to 
determine the current list of root name servers, since information in the local 
copy of the root hints file could be out of date. To prime, a recursive name 
server sends a DNS query of type NS for the root (".") to one of the root name 
servers listed in the local root hints file. The recursive name server uses the 
list of root name servers in the response returned from a live root name server 
for resolution purposes. Priming ensures that a recursive name server always 
starts operation with the most up-to-date list of root name servers.

The operators of five root name servers - B, F, H, K, and M - have assigned IPv6 
addresses to their systems. These addresses are not included in the root hints 
file at this time, nor are they present in the root zone. Thus AAAA resource 
records are not returned in responses to DNS priming queries sent by recursive 
name servers.

Adding AAAA records to the root hints file and to the root zone will increase 
the size of the priming response. If the five IPv6 addresses were added to the 
Additional Section of the DNS type NS response message the root servers return 
during the priming exchange, the size of the response message would increase 
from the current 436 bytes to 587 bytes. Ultimately, when all 13 root name 
servers assign IPv6 addresses, the priming response will increase in size to 
800 bytes. This imposes additional conditions for the successful completion of 
a priming exchange that do not exist today:

* Resolvers and any intermediate systems that are situated between 
recursive name servers and root name servers must be able to process DNS 
messages containing type AAAA resource records.
* Resolvers must use DNS Extensions (EDNS0, RFC 2671) to notify root name 
servers that they are able to process DNS response messages larger than the 512 
byte maximum UDP-encapsulated DNS message size specified in RFC 1035.
* Intermediate systems must be configured to forward UDP-encapsulated DNS 
response messages larger than the 512 byte maximum DNS message size specified 
in RFC 1035 to resolvers that issued the priming request. 

SAC016 solicits feedback from the Internet community on whether commercial 
firewalls organizations use to protect resolvers will block (silently discard) 
priming responses because they do not satisfy these conditions. Vendor and user 
reports from this exercise may be found here.

The joint committees are now soliciting feedback from the Internet community on 
whether DNS servers (software and hardware appliance) organizations use to 
provide recursive name service will operate correctly when type AAAA resource 
records are added to the root hints file and root zone.

Preparing and Testing Recursive Name Server Implementations and Versions

The complete name server bootstrap process must be tested to verify that 
changes at the root level of DNS service do not adversely affect production 
name service. Tests must verify that an implementation:

* Use the root name server information in the DNS response message without 
failing when it is configured with a hints file containing type AAAA resource 
records.
* Perform the priming exchange over UDP, which involves sending a DNS query 
for type NS for the root (".") to one or more of the root name servers 
identified in the local copy of the hints file.
* Process the UDP-encapsulated DNS response message from a root name server.
* Use the information in DNS response message to perform iterative name 
resolution. 

Ideally, the test response contains type A and AAAA resource records of the 
authoritative root name servers and is larger than the 512-byte maximum UDP DNS 
message size specified in RFC 1035. Several root name server operators have 
volunteered to operate test name servers for this exercise. These servers have 
been configured to be authoritative for "test" root and root-servers.net zones 
that contain both type A and AAAA resource records for the authoritative root 
name servers.

Test your Recursive Name Server

To test whether your recursive name server will operate correctly, perform the 
following:

   1. Determine whether your firewall supports AAAA and EDNS0 by performing the 
tests described in SAC016.
   2. Download and install a copy of the test hints file, -test-root-hints 
(HTML) on the host that provides recursive name service. The content

[Pdns-users] Re: how PDNS must reply to malformed query

2007-02-02 Thread Stephane Bortzmeyer
On Fri, Feb 02, 2007 at 02:43:08PM +0100,
 Joyce LAMBERT <[EMAIL PROTECTED]> wrote 
 a message of 54 lines which said:

> I try to make some malformed queries on PowerDNS and Bind.
> dig @localhost 'w w @ \\. test.com'

In what way is it malformed?
 
> - PowerDNS don't reply

Bad.

> - Bind reply whith a RCODE NXDOMAIN

That's right. nsd does the same.



[Pdns-users] Re: Force reload of MySQL-data

2007-01-24 Thread Stephane Bortzmeyer
On Tue, Jan 23, 2007 at 12:03:38PM +,
 Mark Watts <[EMAIL PROTECTED]> wrote 
 a message of 58 lines which said:

> I'm guessing it does that every time it gets a new query?

For PostgreSQL, certainly not (enabling the log of statements in the
DBMS allows one to see that PowerDNS caches - a good thing). 

This is unlike BIND-DLZ.


[Pdns-users] Re: Export pdns database to records file

2007-01-19 Thread Stephane Bortzmeyer
On Fri, Jan 19, 2007 at 10:39:00AM +0100,
 Arjan Schrijver <[EMAIL PROTECTED]> wrote 
 a message of 18 lines which said:

> For backup and fallback purposes, I have to be able to export the
> PowerDNS database to a plain records file.

This is a very sensible rule. What format is "plain records"? RFC 1034
(the so-called, and underspecified, BIND format)? Or SQL INSERT/COPY
requests?

For the first case, "dig @192.0.2.1 AXFR foobar.example" where
192.0.2.1 is your name server and foobar.example your domain, is a
good solution.

For the second case, it depends on your DBMS. For PostgreSQL, "pg_dump
registry" where registry is your database, is sufficient. pg_dump has
many options, see the man page.



[Pdns-users] Re: Reverse DNS - sqlite backend

2007-01-18 Thread Stephane Bortzmeyer
On Thu, Jan 18, 2007 at 08:57:28AM +0200,
 Andy Rabagliati <[EMAIL PROTECTED]> wrote 
 a message of 44 lines which said:

> I have been reading RFC 2317, and I do not believe I need to slave
> the entire class C 196.21.78.* in order to be authoritative for our
> /28,

Right. [And classes were abolished in 1993.]

> They still need to slave our zone 16-31.78.21.196.in-addr.arpa
> according to RFC 2317.

Certainly not. RFC 2317 recommends it, but that was for the broken
software of that time (1998).
 
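
An added example, not code from the thread or from any name server: it generates the records RFC 2317 needs so that a /28 (or any prefix between /25 and /32) gets its own reverse zone without the parent transferring the whole /24. The parent keeps 78.21.196.in-addr.arpa and adds one CNAME per address pointing into the child zone; the customer serves the child. The "16-31" zone naming matches the one used in the message above (RFC 2317 also permits "16/28"). The prefix and the customer name servers are constructed inputs.

```python
# Added example, not from the thread: build the RFC 2317 classless
# in-addr.arpa delegation for a prefix longer than /24.
import ipaddress


def rfc2317_delegation(prefix, child_nameservers):
    """Return (child_zone, parent_records).

    prefix: IPv4 prefix between /25 and /32, e.g. "196.21.78.16/28".
    child_nameservers: FQDNs (trailing dot) of the customer's servers.
    parent_records are (owner, type, rdata) tuples for the /24 zone:
    an NS set delegating the child zone, then one CNAME per address.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or not 25 <= net.prefixlen <= 32:
        raise ValueError("RFC 2317 is for IPv4 prefixes between /25 and /32")
    o1, o2, o3, first = net.network_address.packed      # bytes unpack to ints
    last = net.broadcast_address.packed[3]

    parent_zone = f"{o3}.{o2}.{o1}.in-addr.arpa."
    child_zone = f"{first}-{last}.{parent_zone}"        # e.g. 16-31.78.21.196.in-addr.arpa.

    parent_records = [(child_zone, "NS", ns) for ns in child_nameservers]
    for host in range(first, last + 1):
        # 16.78.21.196.in-addr.arpa. CNAME 16.16-31.78.21.196.in-addr.arpa.
        parent_records.append((f"{host}.{parent_zone}", "CNAME", f"{host}.{child_zone}"))
    return child_zone, parent_records


def ptr_owner(address, child_zone):
    """Owner name of the PTR the customer publishes in the child zone."""
    return f"{ipaddress.ip_address(address).packed[3]}.{child_zone}"


if __name__ == "__main__":
    # Constructed customer name servers.
    zone, parent = rfc2317_delegation("196.21.78.16/28",
                                      ["ns1.customer.example.", "ns2.customer.example."])
    print("child zone:", zone)
    for owner, rtype, rdata in parent:
        print(f"{owner} IN {rtype} {rdata}")
    print("PTR owner for 196.21.78.20:", ptr_owner("196.21.78.20", zone))
```

The parent never needs to be secondary for the child zone: a resolver follows the CNAME from the /24 zone into the child zone and asks the customer's servers directly, which is what the message above argues.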


[Pdns-users] Re: Cannot compile because of MySQL even if I do not want MySql support

2007-01-17 Thread Stephane Bortzmeyer
On Wed, Jan 17, 2007 at 03:23:21PM +0100,
 Stephane Bortzmeyer <[EMAIL PROTECTED]> wrote 
 a message of 27 lines which said:

> ./configure   --with-modules="gpgsql" --disable-mysql
> 
> (Yes, both with-modules and disable-mysql)

Same thing with the official release of 2.9.20, BTW. Oh, and the pdns
module seems to use mysql and therefore requires it.

The FreeBSD port (which works on the same machine) calls configure
that way:

./configure --with-modules="gpgsql pipe" --with-dynmodules=
--enable-pgsql --with-pgsql-includes=/usr/local/include
--disable-mysql --disable-sqlite --prefix=/usr/local 
--build=i386-portbld-freebsd5.4

I should have read that first, instead of painfully reinventing the
wheel :-}



[Pdns-users] Re: Cannot compile because of MySQL even if I do not want MySql support

2007-01-17 Thread Stephane Bortzmeyer
On Wed, Jan 17, 2007 at 03:34:07PM +0100,
 bert hubert <[EMAIL PROTECTED]> wrote 
 a message of 22 lines which said:

> Is this from the SVN HEAD?

HEAD

> Building from SVN can be tricky, 

Yes, I see, I'll go back to releases :-)


[Pdns-users] Re: Cannot compile because of MySQL even if I do not want MySql support

2007-01-17 Thread Stephane Bortzmeyer
On Wed, Jan 17, 2007 at 02:40:17PM +0100,
 bert hubert <[EMAIL PROTECTED]> wrote 
 a message of 19 lines which said:

> Try --with-modules=""

Apparently, I need:

./configure   --with-modules="gpgsql" --disable-mysql

(Yes, both with-modules and disable-mysql)

It seems to work but it fails later on:

config.status: creating Makefile
config.status: error: cannot find input file: Makefile.in

Indeed, automake does not create it. It spits a lot of warnings and I
do not know if they are related or not:

pdns/backends/bind/Makefile.am:2: 
pdns/backends/bind/Makefile.am:2: The usual way to define `LIBTOOL' is to add 
`AC_PROG_LIBTOOL'
pdns/backends/bind/Makefile.am:2: to `configure.in' and run `aclocal' and 
`autoconf' again.


[Pdns-users] Re: Cannot compile because of MySQL even if I do not want MySql support

2007-01-17 Thread Stephane Bortzmeyer
On Wed, Jan 17, 2007 at 12:38:45PM +0100,
 Ralf van der Enden <[EMAIL PROTECTED]> wrote 
 a message of 39 lines which said:

> I use ./configure --disable-mysql in the FreeBSD port of PowerDNS. Maybe 
> that will help you as well.

No, --disable changes nothing:

checking for MySQL library directory... configure: error: Didn't find the mysql 
library dir in '/usr/local/mysql/lib/mysql /usr/local/lib/mysql 
/opt/mysql/lib/mysql   /usr/lib/mysql /usr/local/mysql/lib 
/usr/local/lib /opt/mysql/lib /usr/lib /usr/sfw/lib/'


[Pdns-users] Cannot compile because of MySQL even if I do not want MySql support

2007-01-17 Thread Stephane Bortzmeyer
PowerDNS (Subversion version of today, r949) cannot compile:

checking for MySQL library directory... configure: error: Didn't find the mysql 
library dir in '/usr/local/mysql/lib/mysql /usr/local/lib/mysql 
/opt/mysql/lib/mysql   /usr/lib/mysql /usr/local/mysql/lib 
/usr/local/lib /opt/mysql/lib /usr/lib /usr/sfw/lib/'

I do not want MySQL support! Even if I force it with --without-mysql, I get:

checking for MySQL library directory... configure: error: Didn't find the mysql 
library dir in 'no/lib/mysql no/lib'

Am I crazy to try the Subversion version?


[Pdns-users] Re: Domains with binary (e.g. UTF-8) labels

2006-12-20 Thread Stephane Bortzmeyer
On Wed, Dec 20, 2006 at 10:06:02AM +0100,
 bert hubert <[EMAIL PROTECTED]> wrote 
 a message of 41 lines which said:

> End to end UTF-8 DNS w/o IDN is not around the corner, and not just
> because of PowerDNS.

Certainly (IDN was invented for a reason). The Web page
http://cr.yp.to/djbdns/idn.html shows an awful ignorance of both
Unicode and DNS.

PS: we (".fr" registry) recently received a bug report like that:

Dec 8 13:09:47 mastermind pdns[23171]: Received a malformed qdomain from 
X.Y.Z.T, 'SUIVI MATERIEL.local.fr': dropping
Dec 8 13:09:50 mastermind pdns[23171]: Received a malformed qdomain from 
X.Y.Z.T, 'www;pajemploi.ursaff.fr': dropping
Dec 8 13:10:09 mastermind pdns[15986]: Received a malformed qdomain from 
X.Y.Z.T, 'cédric.local.fr': dropping

So it seems that PowerDNS has trouble, not only with 8-bits characters
but with legal DNS ASCII characters like the semicolon, as well.


[Pdns-users] Re: Domains with binary (e.g. UTF-8) labels

2006-12-16 Thread Stephane Bortzmeyer
On Sat, Dec 16, 2006 at 10:17:23PM +0100,
 bert hubert <[EMAIL PROTECTED]> wrote 
 a message of 29 lines which said:

> To encode utf-8 domains so that they work, use 'IDN'.

IDN is mandatory for host names but should not be for domain names
without hosts.
 
> Read for example paragraph 3.5 of RFC 1035, which contains: "The
> labels must follow the rules for ARPANET host names."

It is 2.3.1 and it says so only as a *preference* and indicated as
such. RFC 2181 makes very clear that the DNS is 8-bits clean:

   The DNS itself places only one restriction on the particular labels
   that can be used to identify resource records.  That one restriction
   relates to the length of the label and the full name.  The length of
   any one label is limited to between 1 and 63 octets.  A full domain
   name is limited to 255 octets (including the separators).  The zero
   length full name is defined as representing the root of the DNS tree,
   and is typically written and displayed as ".".  Those restrictions
   aside, any binary string whatever can be used as the label of any
   resource record.  Similarly, any binary string can serve as the value
   of any record that includes a domain name as some or all of its value
   (SOA, NS, MX, PTR, CNAME, and any others that may be added).
   Implementations of the DNS protocols must not place any restrictions
   on the labels that can be used.  In particular, DNS servers must not
   refuse to serve a zone because it contains labels that might not be
   acceptable to some DNS client programs.  A DNS server may be
   configurable to issue warnings when loading, or even to refuse to
   load, a primary zone containing labels that might be considered
   questionable, however this should not happen by default.

IMHO, PowerDNS is deeply wrong here.

> Even if we would support arbitrary values, things are unlikely to work as
> intended. IDN was invented for a reason.

Not this one. BIND or NSD work fine with 8-bits labels. IDN was
invented for two reasons:

* most domain names contain host names and host names indeed do have
the restriction (RFC 1123). That's also the reason why all the domain
registries I know of prevent non-LDH labels registration (LDH =
letters/digits/hyphen).

* the most important problem with Unicode in domain names is not the
fact that 8-bits label work or not (they work with BIND or NSD). It is
the *canonicalization*. ASCII labels have only one canonicalization
rule and a very simple one ("case does not matter"). For Unicode,
things are more complicated, you need a much more complicated
algorithm for canonicalization and the IETF thought it should be only
in the applications, not in the DNS servers.



[Pdns-users] Re: IDN Support - malformed qdomain

2006-11-29 Thread Stephane Bortzmeyer
On Mon, Nov 27, 2006 at 04:25:26PM +0100,
 Franc Rodriguez <[EMAIL PROTECTED]> wrote 
 a message of 41 lines which said:

> Nov 27 16:04:02 Received a malformed qdomain from 192.168.1.1,
> 'www.caça.cat': dropping

Isn't it simply the fault of the client, that does not speak IDN and
which sent the raw Latin-1 request to PowerDNS?

Test with:

dig @my.powerdns.server ANY xn--caa-3la.cat.

and it should work. If so, test with an IDN client (such as Mozilla
Firefox).


[Pdns-users] Empty nonterminals and NXDOMAIN (Was: Verify PowerDNS answers?

2006-11-16 Thread Stephane Bortzmeyer
On Fri, Oct 13, 2006 at 04:33:45PM +0200,
 bert hubert <[EMAIL PROTECTED]> wrote 
 a message of 37 lines which said:

> Perhaps someone else, smarter than I am, can come up with a
> solution. As nobody noticed our possible non-compliance for 7 years
> straight, I'm rather unwilling to overhaul things as you might
> understand.

The question of "empty nonterminals" (domains without any records but
with subdomains underneath) was discussed today at the OARC meeting
(especially in the context of ENUM, where empty nonterminals are much
more common, for instance 3.e164.arpa while 3.3.e164.arpa is
delegated).

We checked that the djbware TinyDNS has the same problem (it sends
NXDOMAIN for empty nonterminals, tested on cr.yp.to nameservers with
the ns.yp.to domain, which is an empty nonterminal).

The consensus of the present people was that, sorry, PowerDNS is
wrong, seriously wrong. Some resolvers may, on reception of NXDOMAIN,
never try domains underneath.

Maybe the data model of PowerDNS (a list of tuples, while the DNS is a
tree) was not a good idea. I don't know, but what seems sure is that
there is a bug.


[Pdns-users] Re: have some commandline management system for powerdns?

2006-10-10 Thread Stephane Bortzmeyer
On Tue, Oct 10, 2006 at 02:30:52PM +0800,
 huang mingyou <[EMAIL PROTECTED]> wrote 
 a message of 10 lines which said:

> I want to use a command line management system to manage the
> powerdns domains and records, is there some good free software for this?

What backend do you use? If it is a DBMS, all DBMSs have a
command-line tool to run SQL requests.

Example with PostgreSQL:

psql -c "INSERT INTO ...


[Pdns-users] Re: Verify PowerDNS answers?

2006-10-06 Thread Stephane Bortzmeyer
On Fri, Oct 06, 2006 at 03:41:42PM +0200,
 bert hubert <[EMAIL PROTECTED]> wrote 
 a message of 23 lines which said:

> DJB states the following, based on RFC 2308:

He is certainly not an authority on DNS and I find nothing in RFC 2308
which corroborates his claims (do note he is careful not to indicate a
specific section or paragraph).

So, I believe that PowerDNS is wrong here.


[Pdns-users] Re: authoritative answers or not?

2006-10-06 Thread Stephane Bortzmeyer
On Fri, Oct 06, 2006 at 03:25:52PM +0200,
 Alex van den Bogaerdt <[EMAIL PROTECTED]> wrote 
 a message of 25 lines which said:

> By the way: I believe this to be true for NS records as well, but
> both pdns and bind agree on this and give a non authoritative
> answer.

The NS records in the zone are authoritative. The NS records in the
*parent* zone are the delegation and are *not* authoritative (that's
why they are not signed by DNSSEC).

See the difference on ns2.nic.fr - which is neither BIND nor PowerDNS,
by the way - between nic.fr (the machine is authoritative) and
wikipedia.fr (the machine is not authoritative, although it is a ".fr"
name server).


[Pdns-users] Re: Verify PowerDNS answers?

2006-10-06 Thread Stephane Bortzmeyer
On Fri, Oct 06, 2006 at 03:31:20AM +0200,
 Alex van den Bogaerdt <[EMAIL PROTECTED]> wrote 
 a message of 20 lines which said:

> > We would like to migrate our existing BIND setup to PowerDNS, but
> > I first need to prove that PowerDNS will return the same answers
> > that BIND does for a given set of zones.
> 
> I don't know about such a tool, but I do know that pdns does not
> behave in the same way as bind.

And the problem with Augie Schwer's idea is that it is perfectly legal
to *not* behave exactly like BIND, since the DNS standard leaves many
options open. BIND 9 does not behave like BIND 8, by far (many of our
registrars' scripts broke when we moved our servers to BIND 9).

Check ".fr" or ".", which have a mix of name servers. You'll see they
do not reply the same.

> A domain without any resource record (a legal situation) is reported
> to not exist according to pdns.

This is a bug (although one which is unlikely to occur in the real
world), not a legal difference in behavior.
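
An added example, not code from the thread or from PowerDNS, for the "domain without any resource record" point above and for the later, longer message on empty nonterminals and ENUM: it contrasts a lookup over a flat list of (name, type, rdata) rows, which reports NXDOMAIN whenever no row has the queried owner, with a lookup that treats the zone as a name tree, where a name exists as soon as anything sits at or below it. It also lists the empty nonterminals a flat store would need to synthesise. The ENUM-style zone is constructed, not the real e164.arpa, and the name-server names are assumptions.

```python
# Added example, not from the thread or from PowerDNS: NXDOMAIN versus NODATA
# for empty non-terminals in a row-oriented store.
#
# RFC 2308 lets a resolver cache NXDOMAIN as "no names at or below this
# point", so NXDOMAIN for 3.e164.arpa can stop it from ever asking for
# 3.3.e164.arpa. The correct answer for an empty non-terminal is NOERROR
# with an empty answer section (NODATA).


def _norm(name):
    return name.lower().rstrip(".")


def lookup_flat(records, qname, qtype):
    """Row-oriented lookup: NXDOMAIN unless some row has owner == qname.
    This is the behaviour the list is complaining about."""
    qname = _norm(qname)
    rows = [r for r in records if _norm(r[0]) == qname]
    if not rows:
        return "NXDOMAIN", []
    return "NOERROR", [r for r in rows if r[1] == qtype]


def lookup_tree(records, qname, qtype):
    """Tree-aware lookup: a name exists if any record sits at it OR under it."""
    qname = _norm(qname)
    suffix = "." + qname
    exists = any(_norm(r[0]) == qname or _norm(r[0]).endswith(suffix) for r in records)
    if not exists:
        return "NXDOMAIN", []
    return "NOERROR", [r for r in records if _norm(r[0]) == qname and r[1] == qtype]


def empty_nonterminals(records, apex):
    """Names strictly between the apex and an owner that own no record
    themselves: the rows a flat store lacks but a tree would contain."""
    apex = _norm(apex)
    owners = {_norm(r[0]) for r in records}
    ents = set()
    for owner in owners:
        if owner == apex or not owner.endswith("." + apex):
            continue                         # out of zone, ignore
        name = owner
        while True:
            name = name.split(".", 1)[1]     # strip the leftmost label
            if name == apex:
                break
            if name not in owners:
                ents.add(name)
    return ents


# Constructed ENUM-style zone: 3.e164.arpa has no records of its own but
# 3.3.e164.arpa is delegated beneath it (same shape for 4.4.e164.arpa).
SAMPLE_ZONE = [
    ("e164.arpa.", "SOA", "ns.example. hostmaster.example. 1 3600 600 604800 1800"),
    ("e164.arpa.", "NS", "ns.example."),
    ("3.3.e164.arpa.", "NS", "ns.country-33.example."),
    ("4.4.e164.arpa.", "NS", "ns.country-44.example."),
]

if __name__ == "__main__":
    for fn in (lookup_flat, lookup_tree):
        print(fn.__name__, "3.e164.arpa NAPTR ->", fn(SAMPLE_ZONE, "3.e164.arpa.", "NAPTR")[0])
    print("empty non-terminals:", sorted(empty_nonterminals(SAMPLE_ZONE, "e164.arpa.")))
```

The tree lookup only returns NXDOMAIN for 9.e164.arpa, where nothing exists at or below the name; the flat lookup returns it for 3.e164.arpa too, which is the bug the message calls "seriously wrong".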


[Pdns-users] Re: PowerDNS vs. TopLayer - Response not RFC compliant?

2006-09-22 Thread Stephane Bortzmeyer
On Thu, Sep 21, 2006 at 04:51:16PM +0200,
 Jonathan (Listserv Account) <[EMAIL PROTECTED]> wrote 
 a message of 51 lines which said:

>   More specifically, the QDCOUNT field of the packet (which
>   corresponds to the Question Count field) has a value that is not
>   equal to "1" - the only defined valid value for this is "1."

Clearly false. RFC 1035 says:

QDCOUNT an unsigned 16 bit integer specifying the number of
entries in the question section.
...
The question section is used to carry the "question" in most queries,
i.e., the parameters that define what is being asked.  The section
contains QDCOUNT (usually 1) entries, each of the following format:

And I find no other RFC which is more specific here.
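
An added example, not code from the thread or from PowerDNS, serving this message and the earlier Sourceforge one: a minimal parser and builder for the 12-byte DNS header (RFC 1035 section 4.1.1). It reads QDCOUNT as the count RFC 1035 defines (a number that is "usually 1", not one that must be 1), and it spots a reply that sets TC although the message is far below the UDP limit, which is what the Sourceforge servers were doing. The messages are constructed, not captures; the 512-byte limit is the RFC 1035 one, before EDNS0.

```python
# Added example, not from the thread: DNS header parsing/building with struct.
import struct

HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def parse_header(msg):
    """Return the header fields of a wire-format DNS message as a dict."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "opcode": (flags >> 11) & 0xF,
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_header(ident, flags=0, qdcount=0, ancount=0, nscount=0, arcount=0):
    return HEADER.pack(ident, flags, qdcount, ancount, nscount, arcount)


def truncation_is_gratuitous(msg, udp_limit=512):
    """True when a reply sets TC although it already fits the UDP limit:
    the server forces a TCP retry it has no size-based reason to force."""
    h = parse_header(msg)
    return h["qr"] and h["tc"] and len(msg) < udp_limit


def question_count_check(msg):
    """QDCOUNT is 'usually 1' (RFC 1035); nothing in the RFC makes other
    values malformed, so only report them as unusual."""
    qd = parse_header(msg)["qdcount"]
    return "usual" if qd == 1 else f"unusual (QDCOUNT={qd})"


# Constructed reply resembling the one quoted on the list: an authoritative
# reply of just a header with TC set, which makes dig retry over TCP.
TINY_TRUNCATED_REPLY = build_header(0x1234, flags=QR | AA | TC, qdcount=0)
# Constructed ordinary query header with one question (question section omitted).
ORDINARY_QUERY = build_header(0x1235, flags=RD, qdcount=1)

if __name__ == "__main__":
    for name, msg in (("tiny truncated reply", TINY_TRUNCATED_REPLY), ("query", ORDINARY_QUERY)):
        print(name, parse_header(msg))
        print("  gratuitous TC:", truncation_is_gratuitous(msg),
              "| QDCOUNT:", question_count_check(msg))
```

A middlebox that drops every packet with QDCOUNT != 1 is applying a rule of its own, not one from RFC 1035; the checker above distinguishes "unusual" from "malformed" for that reason.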