[Pdns-users] PowerDNS has a new phone number

2016-10-05 Thread bert hubert
Hi everybody,

I know most of you don't call us, but please know we have a new phone
number. The old one that started with +31-15 is now out of service.

The 24/7 supported customer hotline phone number is unchanged. 

The new contact details have been updated on:

https://www.powerdns.com/contact.html

Thanks!

Bert
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] [Pdns-announce] Large performance increases in Authoritative Server & Recursor

2016-09-22 Thread bert hubert
And here is a writeup with more on how we made this happen:

https://medium.com/@bert.hubert/optimizing-optimizing-some-insights-that-led-to-a-400-speedup-of-powerdns-5e1a44b58f1c#.jqk7106aa

"Optimizing optimizing: some insights that led to a 400% speedup of PowerDNS

So no matter how pretty your code, eventually someone will benchmark it and
demand top performance. Squeezing microseconds is a very addictive and even
destructive activity. It ruins your evenings, destroys your ability to
converse with human beings and typically leaves your code in a mess."

Perhaps a fun read!



[Pdns-users] Open-Xchange/Dovecot/PowerDNS summit in Frankfurt: 13th and 14th of October

2016-09-21 Thread bert hubert
Hi everybody,

Like last year, this year PowerDNS will again be part of the
OX/Dovecot/PowerDNS summit. This time round we visit Frankfurt on the 13th
and 14th of October. This is already in a few weeks!

All information is on: http://summit.open-xchange.com/oxs16-frankfurt.html

Many users of Dovecot, PowerDNS and AppSuite will be there. Specifically for
PowerDNS, on Friday we will be hosting a 90 minute long session on malware
filtering and parental control with DNS, with per-user settings, opt-in,
opt-out, all with a single set of nameserver IP addresses.

Attendance is free!
http://www.cvent.com/events/oxs16-frankfurt/event-summary-99a3ababacd24dea9fe68a07720ba283.aspx
is where you can register. If you register, you can also sign up for our
malware session, which might even allow you to sell this trip to your
company as 'work'.  The summit also involves (free) lunch and drinks.

If you are a PowerDNS user, or want to be, we hope to meet you there!

Bert


[Pdns-users] Large performance increases in Authoritative Server & Recursor

2016-09-14 Thread bert hubert
Hi everybody,

Short version: if you've had disappointing benchmark results, please rerun
them using the latest Authoritative AND Recursor packages from
https://repo.powerdns.com/ , and let us know your results.

Pretty graphs:
https://github.com/PowerDNS/pdns/pull/4467#issuecomment-246932898

Longer version:

Some weeks ago, the kind people of the RIPE NCC were benchmarking various
nameserver products on real root server traffic, and they reported the
PowerDNS Authoritative Server 4.0.1 performance was very disappointing.

(note, even the disappointing results delivered many times more performance
than typical PowerDNS Authoritative Servers we know in production, so it is
not a disaster)

When we studied their results (with help from Anand), also using telemetry
via Metronome (see 
https://blog.powerdns.com/2014/12/11/powerdns-graphing-as-a-service/ ), 
we found that PowerDNS Authoritative was not well set-up to operate as a
root server.

The traffic we had optimized ourselves for ('hundreds of thousands of
domains with lots of content') is very different from what a root-server
sees: almost only delegations, very large answer packets, many unique
queries.

We then embarked on a large refactoring of Authoritative to improve
root server performance, and have achieved at least a factor of five (or, a
400%) improvement (see graphs below).

This now allows a run of the mill 4-core desktop to more than saturate a
gigabit/s connection when operating as a root server.

Most of us do not run a root server, but the benefits of this cleanup extend
to all Authoritative installations and even to the PowerDNS Recursor, since
some of the core speedups impact packet generation speed, which more than
doubled. Your improvements will vary depending on backend and cache
hitrates.

So, if you recently did any benchmarking of Authoritative or Recursor and
found the results disappointing, or if you want to see better results,
please redo your measurements against the latest packages from
https://repo.powerdns.com/ and let us know your results!

How did we achieve a 400% improvement? This came in smaller and larger
chunks, mostly involving:

 * Far faster DNS label compression code (large packet generation is now twice
   as fast)
 * Removing a lot of malloc/new/free/delete traffic
 * Keeping data in binary form directly from the backend, reducing string
   manipulation
 * Addition of hashed indexes to BIND backend, Packet cache and query cache
Further details are on:
https://github.com/PowerDNS/pdns/pull/4467 and
https://github.com/PowerDNS/pdns/pull/4373

Finally, Kees Monshouwer and I have a few more things in mind to increase
performance, so there is more to come in the 4.1/4.2 timeframe!

Bert


Re: [Pdns-users] Lower limit to network-timeout recursor config parameter ?

2016-09-12 Thread bert hubert
Florent,

The story is, PowerDNS Recursor makes a sweep every so many packets to find
out if there are timeout conditions.

So on a loaded recursor, you might get very accurate timeouts even below
500ms. 

Can you redo your tests with traffic load?

Bert

On Thu, Sep 08, 2016 at 03:03:58PM +0200, Florent Krieg wrote:
> Hmmm sorry to spam, doesn't seem relevant, we're using a more recent
> version...
> Investigation still going on...
> 
> 2016-09-08 15:00 GMT+02:00 Florent Krieg :
> 
> > Ok, that may be
> >
> > *Make timeouts for queries to remote authoritative servers configurable
> > with millisecond granularity. In addition, the old code turned out to
> > consider the timeout expired when the integral number of seconds since 1970
> > increased by 1 - which on average is after 500ms. This might have caused
> > spurious timeouts! New default timeout is 1500ms. See network-timeout
> > setting for more details. Code in commit 1402.*
> >
> > :)
> > Florent
> >
> > 2016-09-07 18:18 GMT+02:00 Florent Krieg :
> >
> >> Hello everybody,
> >>
> >> Just wanted to know if there was any lower limit to the network-timeout
> >> config param on the recursor?
> >>
> >> I have a situation where I want to setup in advance a zone forward to
> >> nameservers not already created in my network, and to avoid long queries I
> >> wanted to setup for instance network-timeout to like 20ms on our recursors.
> >>
> >> I have found however that setting this param to less than 500ms is
> >> useless, as it seems to reach its lower value at 500ms. Is that expected ?
> >>
> >> Thanks in advance.
> >> Best regards
> >> Florent
> >>
> >
> >




Re: [Pdns-users] DNS Stats

2016-08-30 Thread bert hubert
On Tue, Aug 30, 2016 at 01:56:31PM -0300, Thiago Farina wrote:
> Can PowerDNS give the information of how many queries to a specific zone in
> a given period of time it has answered so far?

Thiago,

One way of doing this is the recent contribution by Reinier Schoof of TransIP,
https://github.com/PowerDNS/pdns/pull/4175 in dnsdist. It is not yet in a
released version of dnsdist but it is on http://repo.powerdns.com/

Another way is logging all queries using the protobuf logger and doing the
count yourself.

Good luck!

Bert



[Pdns-users] PowerDNS Mug giveaway, UKNOF, NLNOG sponsorship & presence

2016-08-30 Thread bert hubert
Hi everybody,

Brief update - the mug printing process has delivered its first 300 mugs!
We'll soon be emailing out the vouchers so you can order them.

http://imgur.com/a/JDj2T and
https://twitter.com/powerdns/status/768512478439440384 are what they look
like.

* Meetings & Sponsoring
Meetings and conferences are a great way to finally tell us what you really
think of our software. And have a drink.

- UKNOF
On the 8th and 9th of September, Stuart Paton (one of our good people in
sales) and I will be present at UKNOF in Glasgow.  We are also a meeting
sponsor, you'll find us next to the Costa coffee.  And we'll also be
bringing 100 PowerDNS coffee mugs to hand out.

More on: http://uknof.uk/35/

- NLNOG
Also on the 9th of September, Peter van Dijk and Pieter Lexis and
likely our new product manager Alexander ter Haar, will be present at the
NLNOG day in Amsterdam, where we are also a sponsor. And there too we will
be giving out PowerDNS coffee mugs.

More on: https://nlnog.net/nlnog-day-2016/

Hope to meet you there!

Bert


[Pdns-users] PowerDNS 4.0.0 Release Mugs update

2016-08-16 Thread bert hubert
Hi everybody,

A quick update, the design for the PowerDNS 4.0.0 release mugs has been
finalized, with many thanks to the professionals working for Open-Xchange!
The delay was mostly due to holidays.

You can find the design linked here:
https://twitter.com/PowerDNS_Bert/status/765479513891438592

We hope we can quickly allow you to order the mugs you've claimed, will keep
you updated on that.

Meanwhile, if you haven't applied yet, please see
https://blog.powerdns.com/2016/07/11/welcome-to-powerdns-4-0-0/ for who can
claim a mug. For now, all you need to do is install PowerDNS 4.0.x!

Bert


Re: [Pdns-users] PowerDNS Backend MySQL QPS

2016-07-18 Thread bert hubert
On Tue, Jul 19, 2016 at 03:41:37AM +0700, Genzo Rey wrote:
> I'm looking for new Nameserver solutions for my company. I build 1 VPS
> PowerDNS 512 MB RAM and 1 VPS MySQL 512MB RAM to test performance (qps).
> This is my results:

Hi Genzo,

Did you try 10 unique queries?

Secondly, which version of PowerDNS did you test?

Finally, during testing, can you enable graphing? See
https://blog.powerdns.com/2014/12/11/powerdns-graphing-as-a-service/ - this
shows what PowerDNS is doing as it answers your questions.

>   Queries per second:   2131.778761

If this is all cache misses on a low-power VPS on 3.x.x, with lots of
domains, this number is not unexpected.

Can you try 4.x.x and with the graphs? That will allow us to see if
performance is what you could expect.

Bert


[Pdns-users] Update on PowerDNS 4.0.0 mugs

2016-07-18 Thread bert hubert
Hi everybody,

As noted last week, with the 4.0.0 releases, we have a free PowerDNS 4.0.0
coffee mug for contributors and even everyone installing 4.0.0 the coming
months!

To update you, we are working on the design and logistics, so we're not
ready to ship things yet. But we have received requests for around 40 mugs
already!

We'll keep you posted as to when we expect to ship. Meanwhile, please find
below how you can request YOUR mug:

"ENOUGH OF THIS, HOW DO I GET MY HANDS ON THE GLORIOUS POWERDNS 4.0.0 RELEASE MUG?

As a small token of our appreciation, we have teamed up with MugBug to ship
free PowerDNS 4.0.0 release mugs to anyone who was in any way part of the
process.  Uniquely, this giveaway extends to anyone deploying PowerDNS
Authoritative Server 4.0.0 or PowerDNS Recursor 4.0.0 in the coming months!

So, apply for a free mug or even a set of mugs (if you are in an office), if
you:

* Opened an issue relevant for PowerDNS 4.0.0 on GitHub
* Contributed code or a pull request that ended up in 4.0.0
* Supplied testing data (PCAPs) now or in the past
* Deployed PowerDNS 4.0.0 betas, release candidates, alphas or the technology
  preview
* Authored one of our dependencies
* Feel in any other way that you contributed to 4.0.0!

If you are part of a team, feel free to apply for mugs for the whole team.
There is no need to send us your address details (since MugBug will do the
actual logistics), but we do need to know who you are and what you did to be
part of the PowerDNS community!  Please email to
powerdns-4.0-contribut...@powerdns.com with your details (which we
absolutely promise not to use in any other way than to authorize MugBug to
send you your mugs!).

We’ve allocated a generous budget for the free mug giveaway, but it is
limited – but we expect to be able to ship hundreds of mugs."

Bert


[Pdns-users] Welcome to PowerDNS 4.0.0!

2016-07-11 Thread bert hubert
(if your mail environment does not format this post correctly, please try:
http://blog.powerdns.com/2016/07/11/welcome-to-powerdns-4-0-0 )

Welcome to PowerDNS 4.0.0!
Today a rather epic journey ends. In this post, we describe how 4.0.0 came to 
be, what we did, what we added, but also answer the big question: should I 
deploy PowerDNS 4?  And enable DNSSEC validation? Finally.. to celebrate, we’ll 
be handing out vouchers for FREE PowerDNS 4.0.0 Coffee (or tea) mugs! 

But first, a round of thanks. PowerDNS Authoritative Server 4.0.0 and PowerDNS 
Recursor 4.0.0 are the biggest releases in our history. This would not have 
been possible without the help of a lot of people. The PowerDNS community 
continues to be the stuff of dreams.

We believe in being an open company and producing powerful 
technology as open source. We are extremely grateful to be part of such a 
wonderful community that enables us together to make the internet and our 
software even greater.  Thanks to you, this is the most powerful version of 
PowerDNS ever, and one we feel can be relied upon to serve your needs!

Secondly, we’d like to thank our supported users (customers) too. Through their 
efforts, we were able to cram even more features into PowerDNS 4.0.0 than 
originally anticipated. Specifically, RPZ, IXFR and DNSSEC validation have been 
fast-tracked and enabled by (sadly) anonymous but very large PowerDNS customers.

Additionally, a shout out to Spamhaus, Farsight and ThreatSTOP who all made 
their wonderful RPZ feeds freely available for interoperability testing.

Finally, we are grateful for your understanding. PowerDNS 4.0.0 was a major 
‘spring cleaning’ operation that took 16 months. It is rare for software 
projects to be granted the time to revisit and clean up old code. We trust it 
was worth the wait!

THE HISTORY

In February 2015 we announced our plans for the 4.x.x branch of PowerDNS. 
Late May of that year, we asked for your help determining the roadmap for 
4.x.x, and we got a lot of feedback from that. Late June we published the 
outcome of that process.

At the end of 2015 we launched the 4.0.0 Technology Preview releases 
(including dnsdist), where we noted:

A few months into the development, various users and customers suddenly chimed 
in on absolutely mandatory features we had somehow missed. Because of that, 4.x 
both under- and over-delivers.

During the 4.0.0 release process, we have stayed in close touch with our users 
and customers. And although we would have liked to have stuck to our roadmap, 
inevitably, some absolutely mandatory requirements came up. We spent most of 
early 2016 working with large (future) deployments to ensure 4.0.0 delivered 
what they needed (and deployed!).

So what did we do? You can read the full details in the release notes (auth 
link, recursor link), but here in short:

SPRING CLEANING

Over time, most software projects keep adding features, but sadly also a lot of 
complexity and “cruft”. For us, 4.0.0 was a “spring cleaning” exercise. We 
removed a lot of ancient code, tons of workarounds, loads of no longer relevant 
optimisations, non-functional backends and otherwise outdated code. We switched 
to C++2011, which allowed us to benefit from its enhanced features to make our 
code briefer and better.

THINGS WE ADDED

* Full DNSSEC in the PowerDNS Recursor (Authoritative had this since 3.x)
* RPZ in Recursor, tested to work with Spamhaus, Farsight Security and
  ThreatSTOP.
* IXFR slaving in Authoritative and Recursor (for RPZ)
* ODBC (Microsoft SQL Server & Azure) and LDAP backends are fully supported
  again in Authoritative
* Vastly improved Lua modules in Recursor, including the ability to
  asynchronously query reputation servers or databases (!)
* EDNS Client Subnet support in Recursor (Authoritative supported this in
  3.x.x too)
* GEOIP backend enhanced, for example to support countries but also direct
  subnets for source dependent answers
* All caches can now be wiped for whole subtrees
* Powerful new metrics that point out performance and operational problems
  (fd usage, memory usage, network responsiveness, kernel dropped packets)

Re: [Pdns-users] Problem with powerdns

2016-07-11 Thread bert hubert
On Mon, Jul 11, 2016 at 10:38:13AM +, Jordan Cook wrote:
> On Mon, Jul 11, 2016 at 11:25:05AM +, Aki Tuomi wrote:
> >
> >Try pdnsutil check-zone 
> >
> >Aki
> 
> Nope, nothing for the records with problems :(

Jordan,

Try pdnsutil check-all-zones. If that doesn't show us anything interesting,
please post the output of 'pdnsutil show-zone domain.com' and 'pdnsutil
list-zone domain.com'.

Thanks!

> This email is 
> confidential and may be privileged. If received in error please notify 
> us and delete the email from your system.
> Gyron reserves the right to 
> monitor all email communications.

Please note you are sending email to a public mailing list, so we are all
assuming this is public data.

Bert


Re: [Pdns-users] Pdnssec tool - question

2016-07-10 Thread bert hubert
On Wed, Jul 06, 2016 at 08:41:24AM +0100, Brian Candler wrote:
> In summary: free support is provided, but only in public with real data (no
> obfuscation of domain names or IP addresses)
> 
> Admittedly this support policy is not easy to find directly from the
> powerdns web site. Perhaps it should be linked from e.g.
> https://www.powerdns.com/mailing-lists.html

Hi Brian,

Just linked up the post from the mailing lists site. In addition, I've added
it to the 'welcome' message for new mailing list subscribers.

Thanks for the suggestion!

Bert


Re: [Pdns-users] github code

2016-05-23 Thread bert hubert
On Mon, May 23, 2016 at 09:51:38AM +0200, Klaus Darilion wrote:
> I am a bit confused about the source code on github. Which branch is the
> current 3.x branch and which one is the upcoming 4.0 branch?

Hi Klaus,

Master is upcoming 4.x.x. The 3.x trains have their own branches, like
rel/rec-3.7.4.

Please be aware that development on 3.x is very limited. We will not be
merging new features there, for example.

Bert



Re: [Pdns-users] Trying to migrate form bind9

2016-05-18 Thread bert hubert
Alberto,

I spent 5 minutes copy pasting and setting up directories getting this to
work. You also did not supply the other included files like .options, .local
and .default-zones, so perhaps there is a problem in there I can't see.

Please understand that if you want free help from a free software
product everything goes better if you deliver files in a way that is easy
for the authors to work on and actually includes everything needed to see
the problem.

I found that zone2sql here has problems with this line:

channel "querylog" { file "/var/log/bind9.log"; print-time yes; };

If you remove that, things appear to work fine. Zone2sql wouldn't do
anything with the channel anyhow so it is no loss.

Can you try?

Bert

> root@powerdns:/etc/bind# cat named.conf
> 
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
> 
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/etc/bind/named.conf.dominios";
> 
> logging {
> channel "querylog" { file "/var/log/bind9.log"; print-time yes; };
> category queries { querylog; };
> };
> 
> key "TRANSFER" {
> algorithm hmac-md5;
> secret "/REPLACEDFORCONFIDENCIALITY/==";
> };
> 
> server 192.168.25.158 {
> keys {
> TRANSFER;
> };
> };
> 
> # cat named.conf.dominios
> 
> zone "domainOne.es" {
> type master;
> file "/etc/bind/dominios/db.domainOne.es";
> also-notify {192.168.25.159;};
> allow-transfer {192.168.25.159;};
> };
> 
> zone "domainTwo.es" {
> type master;
> file "/etc/bind/dominios/db.domainTwo.es";
> also-notify {192.168.25.159;};
> allow-transfer {192.168.25.159;};
> };
> 
> zone "domainThree.es" {
> type master;
> file "/etc/bind/dominios/db.domainThree.es";
> also-notify {192.168.25.159;};
> allow-transfer {192.168.25.159;};
> };
> 
> zone "domainFour.es" {
> type master;
> file "/etc/bind/dominios/db.domainFour.es";
> also-notify {192.168.25.159;};
> allow-transfer {192.168.25.159;};
> };
> 
> # cat dominios/db.domainOne.es
> $TTL 43200
> @ IN SOA ns1.mywork.es. sistemas.mywork.es. (
>         2016050203 ; Serial
>         14400      ; Refresh
>         1800       ; Retry
>         1209600    ; Expire
>         3600 )     ; Negative Cache TTL
> ;
> @ IN NS ns1.mywork.es.
> @ IN NS ns2.mywork.es.
> 
> @ IN MX 50 mail.domainOne.es.
> @ IN TXT "v=spf1 a mx a:3948.submission.antispamcloud.com -all"
> @ IN A 39.81.220.16
> www IN CNAME domainOne.es.
> empleados IN A 39.81.220.16
> mail IN A 39.83.220.16
> pop3 IN CNAME mail.domainOne.es.
> imap IN CNAME mail.domainOne.es.
> smtp IN CNAME mail.domainOne.es.
> webmail IN CNAME mail.domainOne.es.
> @ IN MX 10 mx.spamexperts.com.
> @ IN MX 20 fallbackmx.spamexperts.eu.
> @ IN MX 30 astmx.spamexperts.net.
> 
> 
> Best regards, and sorry for my English.
> 
> 
> On 18/05/16 11:12, bert hubert wrote:
> > On Wed, May 18, 2016 at 10:51:58AM +0200, @lbertosolorzano wrote:
> >> Hi,
> >>
> >> At work are thinking to migrate our nsX servers to PowerDNS from bind,
> >> all its ok, but when we went to use zone2sql show this error:
> > Hi Alberto,
> >
> > Can you make an exact set of files that fails? So a named.conf & the
> > included file named.conf.dominios. 
> >
> > We don't want to have to work before we actually see your problem.
> >
> > So we need two files that fail for you and that will fail for us too. Then
> > we can help you.
> >
> > Thanks!
> >
> > Bert
> 


Re: [Pdns-users] Trying to migrate form bind9

2016-05-18 Thread bert hubert
On Wed, May 18, 2016 at 10:51:58AM +0200, @lbertosolorzano wrote:
> Hi,
> 
> At work are thinking to migrate our nsX servers to PowerDNS from bind,
> all its ok, but when we went to use zone2sql show this error:

Hi Alberto,

Can you make an exact set of files that fails? So a named.conf & the
included file named.conf.dominios. 

We don't want to have to work before we actually see your problem.

So we need two files that fail for you and that will fail for us too. Then
we can help you.

Thanks!

Bert


Re: [Pdns-users] why self-notification?

2016-05-16 Thread bert hubert
On Mon, May 16, 2016 at 04:25:08AM -0700, geohei wrote:
> Yes, 3.3.
> But "prevent-self-notification=yes" still triggers self notifications.
> Why were they implemented at a first place?

It goes like this. A nameserver figures out who claims to be authoritative
for a domain, and then gathers the IP addresses to notify them. From this
list, it is not clear which of those addresses are ours. We need to filter
them out.

There is no system call that says "give me all the IP addresses that are
authoritative for this domain". I can only determine all addresses and then
try to prevent sending a query to ourselves.

I hope this is clear. 

If you want help solving your spurious log lines, I need complete and real
non-anonymized data on this list.

https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ 

Bert


Re: [Pdns-users] An important update on new PowerDNS Products

2016-05-14 Thread bert hubert
On Sat, May 14, 2016 at 02:39:38PM +0100, Gavin Henry wrote:
> > again reasonably quickly. It is not a generic database, but it is really
> > fast and nearly maintenance free and has no further dependencies (so you
> > don't need to be a "big data engineer" to benefit from it).
> >
> 
> This wouldn't be lmdb would it?

No, nothing as generically powerful as that. The goal for dstore is to be
absolutely robust even with 200TB+ size databases. Recovering an index takes
days at that size. But, for further questions, please do not use
pdns-users. We might launch pdns-platform-announce for people that really
want to know though!

Bert


Re: [Pdns-users] An important update on new PowerDNS Products

2016-05-14 Thread bert hubert
On Fri, May 13, 2016 at 07:59:57PM -0400, Ciro Iriarte wrote:
> Out of curiosity, how does this part of the platform work?:

Hi Ciro,

In general, I don't want to spam the pdns-users people with information
about the PowerDNS Platform, as outlined on
https://www.powerdns.com/platform.html since it is not part of the open
source stuff, so most of the community won't have any use for the
information.

(the story of our non-open source work is on
https://blog.powerdns.com/2016/02/23/an-important-update-on-new-powerdns-products/
)

But let me explain how this hangs together and what is part of the open
source version. The PowerDNS Recursor 4.0.0 and dnsdist 1.0.0 have the
ability to emit a stream of protobufs over TCP/IP. In case of the Recursor,
this also has the 'policy reason' why a request was intercepted by the RPZ
module.

To receive that stream, use something like xinetd to listen on a TCP/IP port
and store the data to a file. It can then be processed by any tool that can
understand Protobuf. The schema is here:
https://github.com/PowerDNS/pdns/blob/master/pdns/dnsmessage.proto

In the very near future this will also be able to emit standard dnstap
messages.

> Long term full query logging & rapid searching
> 
>- Dimensioned at a trillion queries/day (1000 billion) on commodity
>hardware with long term retention
>- For security research, lawful intercept/data retention requirements,
>customer intelligence, quality assurance/diagnostics

This describes our protobuf receiver 'dstore' which through some clever
programming techniques can store trillions of DNS messages and serve them up
again reasonably quickly. It is not a generic database, but it is really
fast and nearly maintenance free and has no further dependencies (so you
don't need to be a "big data engineer" to benefit from it).

This can be very useful to investigate customer complaints of DNS slowness,
or that a domain was down etc. It is also extremely powerful for finding
infected users. A commandline like:

$ dgrep t=week pr=spamhaus-dbl | jq ".items[].origRequestor"  | sort | uniq -c \
| sort -rn | head -10

.. will find in a few seconds the top-10 IP addresses that over the past week
had the most queries blocked by the 'spamhaus-dbl' RPZ. The output of dgrep is
JSON, easily queried and selected by jq.

But again - I don't want to promote our commercial Platform offering here
too much.  For the open source world, you should be able to bake up a
solution based on elastic search, kibana etc that ingests our protobufs. 


Bert
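
The same top-talker triage on self-collected data, as an added example (not from the original post and not PowerDNS code): it ranks clients by RPZ-blocked queries over records shaped like the `.items[].origRequestor` JSON in the post. The `appliedPolicy`, `qname` and `time` field names and all sample records are assumptions constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample. Only "items" and "origRequestor" come from the jq
# expression in the post; "appliedPolicy", "qname" and "time" are assumed names.
POLICY = "spamhaus-dbl"
SAMPLE = json.dumps({"items": [
    {"origRequestor": "192.0.2.10", "appliedPolicy": POLICY,
     "qname": "bad-one.example.", "time": "2016-05-13T08:00:00+00:00"},
    {"origRequestor": "192.0.2.10", "appliedPolicy": POLICY,
     "qname": "bad-two.example.", "time": "2016-05-13T08:01:00+00:00"},
    {"origRequestor": "192.0.2.10", "appliedPolicy": POLICY,
     "qname": "Bad-Three.example.", "time": "2016-05-13T08:02:00+00:00"},
    {"origRequestor": "192.0.2.77", "appliedPolicy": POLICY,
     "qname": "bad-one.example.", "time": "2016-05-12T10:00:00+00:00"},
    {"origRequestor": "192.0.2.77", "appliedPolicy": POLICY,
     "qname": "BAD-ONE.example", "time": "2016-05-12T10:05:00+00:00"},
    # The same IPv6 client written two ways; it must count as one host.
    {"origRequestor": "2001:DB8::1", "appliedPolicy": POLICY,
     "qname": "bad-two.example.", "time": "2016-05-11T09:00:00+00:00"},
    {"origRequestor": "2001:db8:0:0:0:0:0:1", "appliedPolicy": POLICY,
     "qname": "bad-two.example.", "time": "2016-05-11T09:30:00+00:00"},
    # Hit on a different policy: not part of this ranking.
    {"origRequestor": "192.0.2.10", "appliedPolicy": "parental",
     "qname": "games.example.", "time": "2016-05-13T09:00:00+00:00"},
    # Older than one week: outside the default window.
    {"origRequestor": "192.0.2.99", "appliedPolicy": POLICY,
     "qname": "bad-one.example.", "time": "2016-04-01T00:00:00+00:00"},
    # Malformed records: missing requestor, and a requestor that is not an IP.
    {"appliedPolicy": POLICY, "qname": "bad-one.example.",
     "time": "2016-05-13T08:00:00+00:00"},
    {"origRequestor": "not-an-ip", "appliedPolicy": POLICY,
     "qname": "bad-one.example.", "time": "2016-05-13T08:00:00+00:00"},
]})
NOW = datetime(2016, 5, 14, 12, 0, tzinfo=timezone.utc)


def top_blocked_clients(raw, policy, now, window=timedelta(days=7), limit=10):
    """Rank clients by queries blocked under `policy` in the window before `now`.

    Returns (ranking, skipped): ranking is a list of
    (client_ip, blocked_queries, distinct_blocked_names) tuples and skipped
    counts matching records that could not be parsed.
    """
    cutoff = now - window
    hits = defaultdict(int)
    names = defaultdict(set)
    skipped = 0
    for item in json.loads(raw).get("items", []):
        if not isinstance(item, dict) or item.get("appliedPolicy") != policy:
            continue
        try:
            # Normalise so one host is not split across address spellings.
            client = str(ipaddress.ip_address(str(item["origRequestor"])))
            seen = datetime.fromisoformat(item["time"])
        except (KeyError, ValueError, TypeError):
            skipped += 1
            continue
        if seen.tzinfo is None:
            seen = seen.replace(tzinfo=timezone.utc)  # assumption: naive = UTC
        if not cutoff <= seen <= now:
            continue
        hits[client] += 1
        qname = str(item.get("qname", "")).rstrip(".").lower()
        if qname:
            names[client].add(qname)
    # Most hits first; more distinct names breaks ties, since many different
    # blocked names is a stronger sign than one name retried in a loop.
    ranked = sorted(hits, key=lambda c: (-hits[c], -len(names[c]), c))
    return [(c, hits[c], len(names[c])) for c in ranked[:limit]], skipped


if __name__ == "__main__":
    ranking, skipped = top_blocked_clients(SAMPLE, POLICY, NOW)
    for client, count, distinct in ranking:
        print(f"{count:5d} blocked  {distinct:3d} names  {client}")
    print(f"{skipped} unparseable record(s) skipped")
```

The distinct-name column is worth keeping next to the raw count when triaging: a client retrying one blocked name looks very different from one walking through many.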



Re: [Pdns-users] [dnsdist] dnsdist 1.0.0-beta1 released

2016-04-14 Thread bert hubert
Hi everybody,

As you can read below, we are heading up to the dnsdist 1.0.0 release, and
we will be presenting about dnsdist next week at UKNOF34,
https://indico.uknof.org.uk/conferenceDisplay.py?confId=36 (there will be a
live stream!).

For this presentation we are looking at interesting dnsdist usecases, since
we do know dnsdist is out there at large scale already. Major CDNs, national
mobile carriers, TLD operators are among the known deployments.

But more is always better. If you have a story how dnsdist solved a problem
for you, or enabled you to do something you couldn't do before, can you let
me know (privately)? 

I can then work your story into the dnsdist '1.0.0' presentation, either
anonymously or with reference to your work.

Even if you don't think what you are doing is in any way special, please do
let us know. It might be more interesting than you think.

Thanks!

Bert

On Thu, Apr 14, 2016 at 03:16:13PM +0200, Remi Gacogne wrote:
> Hi everybody,
> 
> We are pleased to announce the release of the first beta version of
> dnsdist, 1.0.0-beta1.
> We intend to release the final 1.0.0 version on April 21st, just in time
> for the UKNOF34 meeting.
> 
> In addition to several bug-fixes and improvements, a lot of new exciting
> features have been added since alpha2:
> 
> - A per-pool packet cache
> - Some actions do not stop the processing anymore when they match,
> allowing more complex setups: Delay, Disable Validation, Log, MacAddr,
> No Recurse and of course None
> - The new RE2Rule() is available, using the RE2 regular expression
> library to match queries, in addition to the existing POSIX-based
> RegexRule()
> - SpoofAction() now supports multiple A and  records
> - Remote logging of questions and answers via Protocol Buffer
> 
> A more complete changelog can be found at
> http://dnsdist.org/changelog/#dnsdist-100-beta1 and the current
> documentation at http://dnsdist.org/README/.
> 
> Release tarballs are available here:
> https://downloads.powerdns.com/releases/
> 
> Several packages are also available on our repository:
> https://repo.powerdns.com/
> 
> 
> Best regards,
> 
> -- 
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
> 




> ___
> dnsdist mailing list
> dnsd...@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/dnsdist



Re: [Pdns-users] Performance optimizations in recursor

2016-04-08 Thread bert hubert
Hi Miguel,

Can you share your metronome data? Could you also try against our 4.0
'master' packages on http://repo.powerdns.com/ ?  Those are the ones that we
tested recently for performance.

If you want to improve numbers by 25% or so, install libtcmalloc (the thread
caching malloc) and LD_PRELOAD it. Nice to impress people.

Usually if PowerDNS is slow it is bumping into some limit like number of
file descriptors.  This shows up pretty well on Metronome.  We can quickly
diagnose any issues if we see the numbers. You can also send them to our
metronome
http://blog.powerdns.com/2014/12/11/powerdns-graphing-as-a-service/

If you have a 16% cache hitrate you are probably not seeing "real" traffic
since that usually has at least 90% cache hitrate.

Fwiw, this is what we measured recently on various traffic scenarios:

All numbers are on 4-core Intel CPUs (Xeon CPU E3-1231 v3 @ 3.4GHz, i7-4770K @
3.5GHz). Both ±4GB RAM used.
Xeon: 10 gigabit ethernet, Linux kernel 3.19, i7: gigabit, Linux kernel 3.13.

* 2M queries from Alexa top-1 million list, 100% cache hitrate: 1.6 MQPPS (Xeon)
* 2M queries from Alexa top-1 million list, 98% cache hitrate: 750 KQPS (Xeon)
* 2M queries from Alexa top-1 million list, 95% cache hitrate: 550 KQPS (Xeon)
* Replay of real life provider traffic, including ongoing DoS attacks: 400 KQPS
  (i7)
* Replay of real life provider traffic with 50% of traffic with ‘parental
  filtering’ with time filtering, black list and whitelist and DoS attack:
  150 KQPS – 200 KQPS (i7, XEON)

The 400kqps number is the most relevant one for your case - this is "traffic
you actually get", and not some kind of synthetic benchmark.

Bert


On Fri, Apr 08, 2016 at 11:52:58AM -0600, Miguel Miranda wrote:
> Well, I am not having problems, I mean no customer complaints, but we are
> evaluating a dns platform (infoblox) and by reading their logs it is using
> bind, everywhere in the net I read "anyone can outperform bind" but using
> dnsbench (https://www.grc.com/dns/benchmark.htm) the infoblox box always
> beat my powerdns box and reading the tabular data the culprit is dns cache
> data, i.e.:
> 
>   Infoblox        |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
>   ----------------+-------+-------+-------+-------+-------+
>   - Cached Name   | 0.001 | 0.001 | 0.003 | 0.000 | 100.0 |
>   - Uncached Name | 0.031 | 0.074 | 0.292 | 0.055 | 100.0 |
>   - DotCom Lookup | 0.052 | 0.105 | 0.439 | 0.113 | 100.0 |
>   ----------------+-------+-------+-------+-------+-------+
> 
> 
>   powerdns        |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
>   ----------------+-------+-------+-------+-------+-------+
>   - Cached Name   | 0.001 | 0.001 | 0.002 | 0.000 | 100.0 |
>   - Uncached Name | 0.030 | 0.079 | 0.203 | 0.053 |  97.9 | * HERE **
>   - DotCom Lookup | 0.030 | 0.033 | 0.065 | 0.007 | 100.0 |
>   ----------------+-------+-------+-------+-------+-------+
> 
> I have a local copy of metronome, that is why I'm asking about the low cache
> hit rate (16% as shown in metronome)
> 
> 
> On Fri, Apr 8, 2016 at 11:11 AM,  wrote:
> 
> > > Hello to all, I have followed to the letter the performance tuning
> > > document, this is my recursor.conf:
> > >
> > > setuid=pdns-recursor
> > > setgid=pdns-recursor
> > > daemon=yes
> > > dont-query=127.0.0.0/8
> > > local-address=127.0.0.1
> > > log-common-errors=no
> > > loglevel=4
> > > max-cache-entries=400
> > > max-negative-ttl=30
> > > max-packetcache-entries=400
> > > packetcache-servfail-ttl=30
> > > server-down-max-fails=16
> > > quiet=yes
> > > threads=4
> > > security-poll-suffix=
> > > dnssec=off
> > >
> > > This is running on 2 x quad core 32GB RAM pdns-recursor 4 alpha. As it is
> > > indicated by the document as i high packet cache hit rate 87% and low
> > > cache hit rate 16%. Seeing these numbers, should I increase the
> > > max-packetcache-entries value or to lower the max-cache-entries to get
> > > better performance? Or am I doing good if I keep these values?
> >
> > Do you have *problems* with your current configuration? If not - why are
> > you worried about performance?
> >
> > It might be interesting to know your queries per second levels. Also, I
> > highly recommend using the PowerDNS "Graphing as a Service" described
> > here:
> >
> > http://blog.powerdns.com/2014/12/11/powerdns-graphing-as-a-service/
> >
> > Steinar Haug, AS2116
> >



[Pdns-users] Large scale PostgreSQL users?

2016-03-27 Thread bert hubert
Hi everybody,

As you know we are big fans of open source database servers, and our friends
over at PostgreSQL are looking for case studies in large scale PostgreSQL
use.

If you run a PowerDNS installation with 100k+ of domain names or so (or
millions of records and few zones) and would not object to being named on
the PostgreSQL website, could you drop either me or Justin Clift justin at
postgresql.org a line?

We were aware of some very large deployments but they no longer run on
PostgreSQL (mostly because replication at the time wasn't there), hence the
public question.

Thanks!

Bert


Re: [Pdns-users] LUA Script Suggestion

2016-02-23 Thread bert hubert
On Tue, Feb 23, 2016 at 11:50:20AM +, Federico Olivieri wrote:
> Hi Aki,
> 
> After a while that I run my server with the configuration suggested from
> you, it goes down.
> 
> This is the log generated

This is an issue fixed in later PowerDNS Recursor 4.x builds as available on
https://repo.powerdns.com/

https://github.com/PowerDNS/pdns/issues/3121 was the ticket.

Can you verify that it works in newer builds?

Bert

> 
> Feb 23 11:48:01 iPig systemd[1]: pdns-recursor.service: main process
> exited, code=killed, status=6/ABRT
> Feb 23 11:48:01 iPig systemd[1]: Unit pdns-recursor.service entered failed
> state.
> 
> 
> Federico
> 
> 2016-02-11 11:37 GMT+00:00 Aki Tuomi :
> 
> > On Wed, Feb 10, 2016 at 11:21:05PM +, Federico Olivieri wrote:
> > > Hi guys,
> > >
> > > A quick e-mail to ask a suggestion for a LUA script (or a similar
> > > functionality) in power dns recursor to redirect all in-addr.arpa and
> > > ip6.arpa to an external DNS server! Thank you!
> > >
> > > Federico
> >
> > It can be done with no Lua, imagine!
> >
> > forward-zones-recurse=in-addr.arpa=external.ip,ip6.arpa=external.ip
> >
> > Aki
> >



[Pdns-users] An important update on new PowerDNS Products

2016-02-23 Thread bert hubert
Hi everybody,

This is a heads-up on some announcements you will be seeing on powerdns.com
relating to new PowerDNS products which (gasp) are not fully Open Source. We
know this is a sensitive subject, so before we go live, we want to inform you
fully of what we are doing. We’d also like to hear & incorporate your
feedback.

The tl;dr: PowerDNS will remain enthusiastically Open Source, but we will be
selling a ready-to-use ‘Platform’ of PowerDNS Open Source & other
technologies, without degrading our current products. For details, please
read on.

As you may know, PowerDNS sells support on the core nameserver technologies:
PowerDNS Authoritative Server, PowerDNS Recursor and dnsdist. And this is
going well, well enough to fund four full-time developers & engineers. This
delivers a lot of value to the Open Source world.

Over the past few years, as part of our paid support, we have also been
delivering custom PowerDNS configurations based on our open source products.
Such configurations integrate with Graphite, Ansible, exabgp, bird, iptables
and loads of other products to deliver features like parental control,
configuration management, governmental/judicial blacklists, DoS protection of
(legacy) nameservers, malware filtering, quarantining, NXDOMAIN redirection,
“customer communications”, monitoring, user-experience graphing, audit trail
of configuration changes, (management) reporting, webbased control,
BGP/OSPF/VRRP failover, ‘production’ DNS64 etc etc.

What we have also found is that many of our users (big hosters, large scale
telecommunications service providers) need more from us than
“/usr/sbin/pdns_recursor”. Although PowerDNS can easily be integrated with
lots of things to deliver powerful functionalities and many of our users
still love open source, they would prefer to get it packaged in a more ready
to use way.

Putting it more strongly: we have learned that many organizations simply no
longer have the time or desire to assemble all the technologies themselves
around our Open Source products.

We will therefore be marketing the additional functionalities we have been
delivering to our customers as a product tentatively called the “PowerDNS
Platform”. I say tentatively because we want to inform you of this news
first, even before we have settled on a name and updated our website with the
new product.

The “PowerDNS Platform” as we ship it consists of our core unmodified Open
Source products, plus loads of other open source technologies, combined with
a management shell that is not an Open Source product that we’ll in fact
sell.

Now, we understand this may be worrying to some of you. Some formerly truly
Open Source products like MySQL are going down a path where you can see their
products turning into a sales pitch for the commercially licensed version.
Some other Open Source nameservers have used their liberal licensing to sell
‘subscriber versions’ of their software that have additional core
functionalities. This might create doubt if the product in its Open Source
version will retain the capabilities discerning users of open software
demand.

We would therefore like to clarify that we regard our core Open Source
products as our crown jewels, jewels which only shine because we are an
integral part of the DNS and PowerDNS Communities with whom we work together
to create great software. We will continue to make sure that our nameserver
software is a viable and hopefully even the best choice for the Internet at
large. And in fact, there will not be “two versions” of the PowerDNS
nameserver software: of the actual daemons there will be just one version –
also because we would otherwise not get the advantages of scale we get from
over 15 deployments!

Simultaneously, we hope that by bringing PowerDNS in a more integrated
fashion will enable more companies to benefit from running Open Source & open
standards based software. Because this is what we deeply believe in – that
the future of the world is open, and that software can simultaneously be good
Open Source and also work well in a commercial environment.

Thank you for reading this to the end! We would like to hear your feedback
and perhaps worries. Please contact me on bert.hub...@powerdns.com to let us
know your thoughts and concerns.

Bert


Re: [Pdns-users] Regarding CVE-2015-7547 & PowerDNS Recursor

2016-02-17 Thread bert hubert
On Wed, Feb 17, 2016 at 02:12:51PM +0100, Nick Douma wrote:
> What about the static debian package on the website? I assume updating
> the OS libc package is not enough?

Hi Nick,

Good question. It turns out our recent static packages in fact link to the
system libc. We call these 'semi-static', but did not change the package
name.

Check with ldd /usr/sbin/pdns_server or /usr/sbin/pdns_recursor to see if
your version runs against the system libc. If it doesn't, chances are you are
running a version that needed to be updated anyhow!

Secondly, as a nameserver, we try not to resolve names using the system
library as this could create chicken/egg problems. We do use getaddrinfo()
but not to resolve names, only to convert IPv6 addresses, and that only if
inet_pton doesn't do the job. See
http://blog.powerdns.com/2014/05/21/a-surprising-discovery-on-converting-ipv6-addresses-we-no-longer-prefer-getaddrinfo/

If you connect to a MySQL or PostgreSQL database using a *named* database
host, those libraries might try to resolve a name, but we recommend against
that.

But chances are you are running a version of PowerDNS that does not contain
a vulnerable libc anyhow.

Bert

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
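
The ldd check described in the message above, as an added example (not code from the original post or from PowerDNS): it classifies ldd output as using the system libc, fully static, or neither. The function names and the sample ldd output are constructed for illustration; the two default paths are the ones named in the message.

```shell
#!/bin/sh
# Added example: classify a binary by how `ldd` says it gets its C library.

# Read `ldd` output on stdin and print one verdict:
#   system-libc  libc.so.N is resolved from the OS at run time, so an updated
#                OS libc package covers this binary once it is restarted
#   static       ldd found no dynamic dependencies; libc is linked in
#   no-libc      dynamic, but no libc.so line was found; inspect by hand
classify_ldd_output() {
    verdict="no-libc"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *libc.so.*"=>"*)
                verdict="system-libc" ;;
            *"not a dynamic executable"*|*"statically linked"*)
                [ "$verdict" = "system-libc" ] || verdict="static" ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Run ldd on one path and print "<path>: <verdict>".
check_binary() {
    if [ ! -e "$1" ]; then
        printf '%s: not installed\n' "$1"
        return 0
    fi
    # Some ldd versions print "not a dynamic executable" on stderr: merge it.
    printf '%s: %s\n' "$1" "$(ldd "$1" 2>&1 | classify_ldd_output)"
}

# Constructed sample: a 'semi-static' build that still loads the system libc.
sample_semi_static() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffc8a5f2000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f3b1c9d0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3b1c607000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3b1cbed000)
EOF
}

# Constructed sample: what ldd reports for a fully static binary.
sample_fully_static() {
    cat <<'EOF'
    not a dynamic executable
EOF
}

# With no arguments, check the two binaries named in the message.
[ "$#" -gt 0 ] || set -- /usr/sbin/pdns_server /usr/sbin/pdns_recursor
for bin in "$@"; do
    check_binary "$bin"
done
```

A `static` verdict is the case the message flags: the OS libc update does not reach that binary, so the package itself has to be replaced.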


[Pdns-users] Regarding CVE-2015-7547 & PowerDNS Recursor

2016-02-17 Thread bert hubert
Since yesterday we have been following and studying CVE-2015-7547. More
about which on
https://googleonlinesecurity.blogspot.nl/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

In short, this is a vulnerability not in PowerDNS products but in the Linux
C library. This vulnerability could be exploited if it would be possible to
relay specifically crafted records to Linux clients.

It appears the PowerDNS Recursor out of the box makes it hard to transport
such specifically crafted records. 

However, at this point there is still uncertainty over how CVE-2015-7547
could be exploited exactly. It may be that there are still ways to get the
PowerDNS Recursor to relay content that could exploit vulnerable clients.

(we have tweeted earlier that we thought this was not possible. It now
appears not enough is known about CVE-2015-7547 to be sure).

To be on the safe side, we have published a Lua script that puts in place
further restrictions in the recursor that should help block CVE-2015-7547,
as far as we currently understand it.

We urge everyone to patch their Linux C libraries of course. But as long as
this is in progress or not yet possible, this script may help you protect
vulnerable systems:

function postresolve ( remoteip, domain, qtype, records, origrcode )
    local len=0
    for key,val in ipairs(records)
    do
        len = len + #val.qname + #val.content + 16
    end
    if(len < 2048) then
        return -1,{}
    else
        -- pdnslog("Protected "..remoteip.." against an overly large
        -- response of "..len.." bytes")
        return -2,{}
    end
end

It is also available on: 
https://gist.github.com/ahupowerdns/0f7de247dd200dea41bf
which also mentions how to install the script.

NOTE: We will keep updating the version of the script on GitHub and on our
blog. Please check back for updates.

Please let us know if you have further questions!

Bert



[Pdns-users] Upcoming presentations: UK & Germany

2016-02-11 Thread bert hubert
Hi everybody!

As we like to hear from users and potential users about their needs, and
because we want to inform you of what we've been up to, we have three
upcoming presentations and one panel.

We hope you can join us there as conferences are a great way to learn from
each other. Also, if you organize your own event and think a PowerDNS talk
would fit in there, please let me know.

UKNOF34, Manchester, United Kingdom, 21 April 2016:

https://indico.uknof.org.uk/conferenceDisplay.py?ovw=True=36

* Implementing "safe browsing" cost effectively using open
  source DNS
  Parental filtering, malware filtering, per user, per device

* dnsdist: DNS, latency and DoS-aware load balancing

World Hosting Days, Rust, Germany, March 15-17 2016

http://www.whd.global/

* "Three Building Blocks for Trusted Internet Services: Openness, Privacy
   and Security" (15th of March)
   Expanding on DNSSEC, TLSA, TLS

* “EAI, IDN & Universal Acceptance – What needs to be done?” (17th of March)
   On new top-level domains & IDN

Kind regards,


Bert 
PowerDNS


Re: [Pdns-users] Rate Limiting Against DDOS

2016-01-14 Thread bert hubert
On Thu, Jan 14, 2016 at 08:45:29AM +, Alejandro Adroher Mellado wrote:
> Morning Everyone!!

GOOD MORNING!

> I’m trying to rate limit the number of queries per second allowed on my DNS
> recursor, using iptables.
> I’m using a modified script that works perfectly, but I’m limited for one of
> the settings.

Unless you are seeing hundreds of thousands of queries per second, dnsdist
might be a better choice for you, http://dnsdist.org/

It has a bunch of simple settings that probably do just what you want.

See for example:
https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#per-domain-or-subnet-qps-limiting

But dnsdist offers way more than that to help you. You might for example
delay some answers, or strip the RD bit so your servers don't need to do any
work for certain subnets etc.

> How do you rate limit your DNS servers?

With dnsdist. Feel free to join us on the dnsdist mailinglist
(http://mailman.powerdns.com/mailman/listinfo/dnsdist ) and let's see if we
can make a nice config for you.

Bert



Re: [Pdns-users] PDNS 3.4.5 crash : 5016 questions waiting for database attention. Limit is 5000, respawning

2016-01-12 Thread bert hubert
On Tue, Jan 12, 2016 at 09:48:20AM +0530, Indranil Basu wrote:
> Hello,
> 
>  PDNS Auth server is crashing with the message:
> 5016 questions waiting for database attention. Limit is 5000, respawning

> Configuration:
> pipe-backend over unix-socket as pipe-command=/tmp/xyz.sock.
> max-queue-length=5000
> 
> Any kind of help will be highly appreciated.

Please:

Tell us your PowerDNS Version
Send us your script
Set:
carbon-server=82.94.213.34 
carbon-ourname=indranil

Then we can debug your issue. Based on what you shared above, there is very
little we can see.

Bert



[Pdns-users] shutdown of wiki.powerdns.com

2016-01-07 Thread bert hubert
Hi everybody,

We have just shut down wiki.powerdns.com. Over the years we've been removing
wrong and outdated content from the wiki, bit by bit. 

Lately we've discovered that Google (and possibly other search engines)
prefer outdated and wrong pages on the wiki to correct and new pages on
https://doc.powerdns.com/ and https://github.com/PowerDNS/pdns/wiki

To stop this, and prevent a lot of time being wasted by people trying to
figure out why configuration and scripts from our wiki don't work, we have
shut it down entirely.

If you miss any content, please let us know and we can dig it up for you. We
think nothing useful was left, but we could be wrong!

Bert




Re: [Pdns-users] Setting up intentionally invalid DNSSEC record in auto-secure environment

2016-01-06 Thread bert hubert
On Wed, Jan 06, 2016 at 12:46:38PM -0600, Nicholas Williams wrote:
> Out of curiosity, what DOES PowerDNS do if it finds both an A and an
> RRSIG record for a.b.c.com in the database?

Hi Nicholas,

To answer both your messages in one go, if you run with 'presigned zones',
PowerDNS will use the RRSIG from your database. So it will find the right
RRSIG that goes with your A record.

Secondly, if you use a pre-signed zone, you can also mess up your RRSIG by
hand to generate a 'broken' zone.

Bert

> 
> Nick
> 
> On Wed, Jan 6, 2016 at 12:33 PM, Aki Tuomi  wrote:
> 
> > The code does not support this but you might be able to use postresolve
> > Lua hook to break the reply signature.
> >
> > ---
> > Aki Tuomi
> >  Original message 
> > From: Nick Williams 
> > Date: 6.1.2016 19.54 (GMT+02:00)
> > To: pdns-users Users 
> > Subject: [Pdns-users] Setting up intentionally invalid DNSSEC record in
> > auto-secure environment
> >
> > Hi all,
> >
> > We're running a PowerDNS 3.4.6 installation with the MySQL backend, and
> > we’re using pdnsutil secure-zone/set-nsec3/rectify-zone to automatically
> > secure all of our domains (the least-effort method, instead of manually
> > signing everything). It works great. Thanks for the excellent software!
> >
> > To support an internal testing tool, I would like to set up a few DNS
> > records on a subdomain of one of our signed domains, and have those DNS
> > records //intentionally invalidly signed// so that verifying resolvers will
> > flag them and not return them. What is the best way to do this? Can I
> > simply manually enter an invalid RRSIG record for each record, and that
> > manual record will take precedence over any automatic signing that PowerDNS
> > performs? Or do I need to take some other step (perhaps it requires a
> > separate domain)? Or is what I want to do impossible with PowerDNS
> > automatic signing enabled?
> >
> > Thanks!
> >
> > Nick Williams
> >



Re: [Pdns-users] (no subject)

2016-01-05 Thread bert hubert
On Tue, Jan 05, 2016 at 10:17:43AM +0100, Sebastian Broekhoven wrote:
> Our PowerDNS server is crashing lately.
> When looking into the log, I get these messages:

Please run pdnssec check-all-zones and tell us what it says. Or pdnsutil
check-all-zones if on 4.x.

> Jan  5 10:01:42 ns1 pdns[22577]: TCP Connection Thread died because of
> STL error: DNSPacketWriter::xfrLabel() found empty label in the middle
> of name

You probably have a record like this somewhere in your database:
'www..powerdns.com'. We should not crash on that of course, so that is a
bug.

If pdnssec doesn't find anything, try:
select * from records where content like '%..%'
and
select * from records where name like '%..%'

Bert

> 
> I can't really find where to look for, to solve this problem.
> 
> pdns_control version
> 3.4.7
> MySQL back-end
> Debian GNU/Linux OS
> 
> Kind regards,
> Sebastian
> 





Re: [Pdns-users] [dnsdist] dnsdist drops packet

2016-01-04 Thread bert hubert
On Sat, Dec 19, 2015 at 04:34:11PM +0100, bert hubert wrote:
> Could be, we have the infrastructure to give insight into that but we don't
> make it easy yet:

Hi Aleš,

As of right now (the packages that are building now), you can do:

grepq("3000ms")

And get all timeouts. It also shows you which downstream caused the timeout.

> grepq("3000ms")
Time    Client           Server      ID     Name      Type  Lat.    TC RD AA Rcode
-67.0   127.0.0.1:44898  8.8.4.4:53  1853   ds9a.com. A     3433.1     RD    No Error. 1 answers
-54.5   127.0.0.1:41892  8.8.4.4:53  32463  ezdns.it. A     T.O              No Error. 0 answers
-49.3   127.0.0.1:41892  8.8.4.4:53  32463  ezdns.it. A     T.O              No Error. 0 answers
-44.2   127.0.0.1:41892  8.8.4.4:53  32463  ezdns.it. A     T.O              No Error. 0 answers

Or use topSlow():
> topSlow()
   1  ezdns.it.   3  75.0%
   2  ds9a.com.   1  25.0%
   3  Rest        0   0.0%

You can also do topSlow(10, 4000) to get everything slower than 4000
milliseconds, or even topSlow(10, 4000, 1) which will group everything by
tld.

Can you let us know if this is what you need?

Bert


> 
> > grepq(".")
> Time    Client           ID     Name      Type  Lat.  TC RD AA Rcode
> -25.0   127.0.0.1:59117  13086  ds9a.nl.  A              RD    Question
> -21.2   127.0.0.1:59117  0      ds9a.nl.  A     0.0            No Error. 0 answers
> -20.0   127.0.0.1:59117  13086  ds9a.nl.  A              RD    Question
> -16.2   127.0.0.1:59117  0      ds9a.nl.  A     0.0            No Error. 0 answers
> -15.0   127.0.0.1:59117  13086  ds9a.nl.  A              RD    Question
> -11.2   127.0.0.1:59117  0      ds9a.nl.  A     0.0            No Error. 0 answers
> 
> This "knows" about timeouts to backends, but we don't make it easy to "grep" 
> for them.
> 
> Will add this as a feature.
> 
>   Bert
> 
> > 
> > Regards
> > Ales
> > 
> > 
> > On Saturday 19 of December 2015 13:20:35 Federico Olivieri wrote:
> > > Hi guys,
> > > 
> > > > Nobody has any clue for this? I would try to understand why dnsdist shows
> > > > some dropped packets. Is there any debug that can help me to understand
> > > > why it is happening?
> > > 
> > > Thanks and Merry Christmas!!!
> > > 
> > > Federico
> > > 
> > > On 18 Dec 2015 14:22, "Federico Olivieri" <lvrfr...@gmail.com> wrote:
> > > > Hi all,
> > > > 
> > > > I have a raspberry that is running dnsdist with this configuration:
> > > > 
> > > > newServer{address="192.168.0.3:53"}
> > > > newServer{address="127.0.0.1:5300", pool="abuse"}
> > > > addPoolRule({"wpad.domain.name"}, "abuse")
> > > > webserver("192.168.0.2:8083", "supersecret")
> > > > addACL("0.0.0.0/0")
> > > > addACL("::/0")
> > > > carbonServer('37.252.122.50', 'raspi-836', 30)
> > > > 
> > > > I don't know why, but on webserver I can see some packets dropped from 
> > > > the
> > > > primary server and I don't understand the reason why. There is not any
> > > > queries rate for that server
> > > > 
> > > > #NameAddressStatusQueriesDropsQPSOutWeightOrderPools0192.168.0.3:53up24108
> > > > 672027.0.0.1:5300up10100011abuse
> > > > 
> > > > Do you have any idea why there are some dropped packets?
> > > > 
> > > > > Also, I added this line of conf. I could see the queries to google but I
> > > > > could see also the queries to a.root server. Seems that the command does
> > > > > not overwrite the default one. Is it the aspect behaviour?
> > > > 
> > > > newServer {address="192.168.0.3", checkType="A",
> > > > checkName="www.google.com.", mustResolve=true}
> > > > 
> > > > Last question: I added the carbon server. I can see the server on
> > > > https://metronome1.powerdns.com/ but no one graph is plotted
> > > > 
> > > > Thank you for your time.
> > > > 
> > > > BTW, dnsdist seems very useful and powerful!!!
> > > > 
> > > > Federico
> > 
> 
> 
> 
> ___
> dnsdist mailing list
> dnsd...@mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/dnsdist



Re: [Pdns-users] pdns monitor output

2015-12-27 Thread bert hubert
On Sun, Dec 27, 2015 at 08:51:04PM -0200, Thiago Farina wrote:
> Dec 27 22:44:55 gmysql Connection successful. Connected to database
> 'pdns' on 'localhost'.
> Dec 27 22:44:55 Done launching threads, ready to distribute questions
> 
> Maybe we can update the online docs?

"we" sure can :-) 

Head over to
https://github.com/PowerDNS/pdns/blob/master/docs/markdown/authoritative/installation.md

And if you have a github account & are signed in, you can edit the document
in place and make a pull request. 

Would be most appreciated! You can find all the other docs there too to edit.

If you find the time, that would be great!

Bert

> 
> Thanks!
> 
> [1] - https://docs.powerdns.com/3/authoritative/installation/
> 
> -- 
> Thiago Farina
> 


[Pdns-users] Technical Preview Releases of Authoritative Server, Recursor and dnsdist

2015-12-24 Thread bert hubert
Hi everybody!

As recently announced, we have finished the great PowerDNS 4.x Spring
Cleaning. And it was indeed kind of grand. We consciously set out to fix many
things that had been waiting for years to be addressed. We took the liberty to
change many things that we could not change (break) within 3.x. However, it
was breaking for the better.

As noted in our previous post, we are very grateful to our community, users,
developers and customers that we were able to devote significant time to
cleaning up past mistakes. This is very rare in the world of software.
Additionally, as usual a specific shout-out to Aki Tuomi (these days working
for our sister-company Dovecot), our certified consultants Kees Monshouwer,
Christian Hofstaedtler and Jan-Piet Mens, our independent code-contributors
Ruben Kerkhof, Ruben d’Arco, Mark Zealey, Pavel Boldin, Mark Schouten and all
the others who contributed ideas, code and GitHub issues.

With this message, we bring good news and bad news just in time for our
holidays. We promised 4.0 releases of PowerDNS Recursor, PowerDNS
Authoritative and even a 1.0 release of dnsdist, in “December 2015”. The bad
news is that we did not make it. The good news however is that we do have a
set of Technology Preview releases that contain everything that 4.0 will.

In other words: the features are done, but we can’t yet sign off on the
quality. However! Since most people won’t be deploying x.0 releases in
December anyhow, we felt it was worthwhile to launch the 4.x series now with a
strong technology preview. This preview will allow you to test our features,
both to see if they work and to see if they actually fit in with your needs.
And please do test, since that will speed up the advent of the actual 4.x
release date!

In terms of roadmap, we consulted PowerDNS customers, community and
developers, and out came a plan for 4.x. A few months into the development,
various users and customers suddenly chimed in on absolutely mandatory
features we had somehow missed. Because of that, 4.x both under- and
overdelivers.

In addition to the huge internal cleanup, here are visible changes that did
make it:

dnsdist

* Fully-featured load balancer with a number of DNS-relevant load balancing
  policies. The default policy favours servers with the least amount of
  queries in flight and the fastest response times. This turns out to deliver
  tangible user experience improvements
* Comes with a host of rules to block, change, or redirect traffic based on
  your needs. For example, use dnsdist to implement ‘views’, or what has been
  called ‘Advanced DNS Protection’ by some closed source resellers of open
  source.
* dnscrypt, EDNS Client Subnet adding (for GC-NAT traversal, for example)
* Realtime insights via HTTP/JSON/RESTful API & built-in live graphing website

For more about this new product, please see http://dnsdist.org/

Authoritative

* GeoIP backend has gained many features, and can now run based on explicit
  netmasks not present in the GeoIP databases
* Caches are now fully canonically ordered, which means entries can be wiped
  on suffix in all places
* Old geobackend has been deprecated and is no longer part of PowerDNS
* Newly revived ODBC backend for talking to Microsoft SQL Server & Azure, and
  with some tweaking, any other ODBC-database we do not support natively.
* pdnssec tool does far more than DNSSEC, and has thus been renamed into
  ‘pdnsutil’.
* ECDSA signing is now supported without external dependencies, and a single
  combined ECDSA signing key is the new default for securing zones.
* Experimental ed25519 signing support based on draft-sury-dnskey-ed25519-03.

Recursor

* DNSSEC processing: if you ask for DNSSEC records, you will get them
* DNSSEC validation: if so configured, PowerDNS will attempt to perform DNSSEC
  validation of your answers
* Completely revamped Lua scripting API that is “DNSName” native and therefore
  far less error prone, and likely faster for most commonly used scenarios.
  Loads and indexes a 1 million domain custom policy list in a few seconds
* New asynchronous per-domain, per-ip address, query engine. This allows
  PowerDNS to consult an external service in realtime to determine client or
  domain status. This could for example mean looking up actual customer
  identity from a DHCP server based on IP address (option 82 for example).
* RPZ (from file, over AXFR or IXFR) support. This loads the largest Spamhaus
  zone in 5 seconds on our hardware, containing around 2 million instructions.

Re: [Pdns-users] dnsdist drops packet

2015-12-19 Thread bert hubert
On Sat, Dec 19, 2015 at 04:11:57PM +0100, Aleš Rygl wrote:
> #   Name         Address           State  Qps  Qlim  Ord  Wt  Queries  Drops  Drate  Lat   Pools
> 0   rzt-entdns3  93.153.116.35:53  up     0.0  1000  1    1   1547610  7186   0.0    72.7
> 1   rzt-entdns2  127.0.0.1:53      up     1.0  1000  1    1   1548253  7379   0.0    81.2
> All                                       0.0                 3095863  14565
> Couldn't the drops be caused by downstream server responding too late because 
> of SERVFAIL when resolving a particular domain? 

Could be, we have the infrastructure to give insight into that but we don't
make it easy yet:

> grepq(".")
Time    Client           ID     Name      Type  Lat.  TC RD AA Rcode
-25.0   127.0.0.1:59117  13086  ds9a.nl.  A              RD    Question
-21.2   127.0.0.1:59117  0      ds9a.nl.  A     0.0            No Error. 0 answers
-20.0   127.0.0.1:59117  13086  ds9a.nl.  A              RD    Question
-16.2   127.0.0.1:59117  0      ds9a.nl.  A     0.0            No Error. 0 answers
-15.0   127.0.0.1:59117  13086  ds9a.nl.  A              RD    Question
-11.2   127.0.0.1:59117  0      ds9a.nl.  A     0.0            No Error. 0 answers

This "knows" about timeouts to backends, but we don't make it easy to "grep" 
for them.

Will add this as a feature.

Bert

> 
> Regards
> Ales
> 
> 
> On Saturday 19 of December 2015 13:20:35 Federico Olivieri wrote:
> > Hi guys,
> > 
> > Nobody has any clue for this? I would try to understand why dnsdist shows
> > some dropped packets. Is there any debug that can help me to understand why
> > it is happening?
> > 
> > Thanks and Merry Christmas!!!
> > 
> > Federico
> > 
> > On 18 Dec 2015 14:22, "Federico Olivieri"  wrote:
> > > Hi all,
> > > 
> > > I have a raspberry that is running dnsdist with this configuration:
> > > 
> > > newServer{address="192.168.0.3:53"}
> > > newServer{address="127.0.0.1:5300", pool="abuse"}
> > > addPoolRule({"wpad.domain.name"}, "abuse")
> > > webserver("192.168.0.2:8083", "supersecret")
> > > addACL("0.0.0.0/0")
> > > addACL("::/0")
> > > carbonServer('37.252.122.50', 'raspi-836', 30)
> > > 
> > > I don't know why, but on webserver I can see some packets dropped from the
> > > primary server and I don't understand the reason why. There is not any
> > > queries rate for that server
> > > 
> > > #NameAddressStatusQueriesDropsQPSOutWeightOrderPools0192.168.0.3:53up24108
> > > 672027.0.0.1:5300up10100011abuse
> > > 
> > > Do you have any idea why there are some dropped packets?
> > > 
> > > Also, I added this line of conf. I could see the queries to google but I
> > > could see also the queries to a.root server. Seems that the command does
> > > not overwrite the default one. Is it the expected behaviour?
> > > 
> > > newServer {address="192.168.0.3", checkType="A",
> > > checkName="www.google.com.", mustResolve=true}
> > > 
> > > Last question: I added the carbon server. I can see the server on
> > > https://metronome1.powerdns.com/ but no one graph is plotted
> > > 
> > > Thank you for your time.
> > > 
> > > BTW, dnsdist seems very useful and powerful!!!
> > > 
> > > Federico
> 



Re: [Pdns-users] dnsdist drops packet

2015-12-19 Thread bert hubert
On Sat, Dec 19, 2015 at 01:20:35PM +, Federico Olivieri wrote:
> Nobody has any clue for this? I would try to understand why dnsdist shows
> some dropped packets. Is there any debug that can help me to understand why
> it is happening?

These are drops caused by your backends, so we forwarded a query to a DNS
backend and it did not respond. Run with -v to get verbose logging of which
queries these are.

Also, please use the dnsdist mailing list:
http://mailman.powerdns.com/mailman/listinfo/dnsdist

Thanks!

Bert


> 
> Thanks and Merry Christmas!!!
> 
> Federico
> On 18 Dec 2015 14:22, "Federico Olivieri"  wrote:
> 
> > Hi all,
> >
> > I have a raspberry that is running dnsdist with this configuration:
> >
> > newServer{address="192.168.0.3:53"}
> > newServer{address="127.0.0.1:5300", pool="abuse"}
> > addPoolRule({"wpad.domain.name"}, "abuse")
> > webserver("192.168.0.2:8083", "supersecret")
> > addACL("0.0.0.0/0")
> > addACL("::/0")
> > carbonServer('37.252.122.50', 'raspi-836', 30)
> >
> > I don't know why, but on webserver I can see some packets dropped from the
> > primary server and I don't understand the reason why. There is not any
> > queries rate for that server
> >
> > #NameAddressStatusQueriesDropsQPSOutWeightOrderPools0192.168.0.3:53up24108
> > 672027.0.0.1:5300up10100011abuse
> >
> > Do you have any idea why there are some dropped packets?
> >
> > Also, I added this line of conf. I could see the queries to google but I
> > could see also the queries to a.root server. Seems that the command does
> > not overwrite the default one. Is it the expected behaviour?
> >
> > newServer {address="192.168.0.3", checkType="A", 
> > checkName="www.google.com.",
> > mustResolve=true}
> >
> > Last question: I added the carbon server. I can see the server on
> > https://metronome1.powerdns.com/ but no one graph is plotted
> >
> > Thank you for your time.
> >
> > BTW, dnsdist seems very useful and powerful!!!
> >
> > Federico
> >
> >



Re: [Pdns-users] Feature request: disable-any-meta-query-type

2015-12-18 Thread bert hubert
On Fri, Dec 18, 2015 at 02:50:22PM -0600, Josh Sanders wrote:
> Remote xxx.xxx.xxx.www wants 'domainD.com|ANY', do = 0, bufsize = 1680:
> packetcache MISS
> 
> As you may see, 'any-to-tcp=yes' seems to be not working so far ...

Can you tcpdump? They could simply be asking the question, doesn't mean they
have to *respect* your TC=1 answer. Since that is all we can do, set TC=1.
It does not stop the questions!

We do provide a really small answer that way, which stops the amplification
from working.

Bert



Re: [Pdns-users] Fwd: Power DNS recursor entered failed state

2015-12-07 Thread bert hubert
On Mon, Dec 07, 2015 at 11:57:58AM +, Federico Olivieri wrote:
> Thanks Leen,
> 
> With your last suggestion I have been able to roll-back to the previous
> version (pdns-recursor_0.0.317gbecb4f3-1pdns.jessie_amd64.deb). Via apt the
> only package available were
>  pdns-recursor_0.0.410g1cfe8b4-1pdns.jessie_amd64.deb
> and pdns-recursor_3.6.2-2+deb8u2_amd64.deb
> 
> It would be interesting to understand what the problem with the
> 0.0.410g was, then

Please let your recursor send metrics, as described in
http://blog.powerdns.com/2014/12/11/powerdns-graphing-as-a-service/ this
allows you to see memory leaks etc.

Thanks.

Bert




[Pdns-users] Recursor users: root-zone problems [bortzme...@nic.fr: [dns-operations] Storm on the DNS]

2015-11-30 Thread bert hubert
Hi everybody,

Just as a heads up for PowerDNS Recursor users, it is being reported that
the root-servers are having problems. The Recursor will shift to alternate
servers, but performance may be impacted for everyone, since we'll be using
slower servers and possibly over TCP/IP instead of UDP.

As an alternative, the PowerDNS Recursor can run with a local copy of the
root, like this:

auth-zones=.=root.zone

To get the root-zone, either do:

dig -t axfr . @f.root-servers.net > root.zone

Or download it from http://www.internic.net/domain/root.zone

Be sure to only do this either temporarily, or automate the downloading of
new root.zone files!

Good luck!

PS: If you want to get realtime insight into your Recursor's performance,
ponder setting up graphing or use our 'graphing as a service' as described
on http://blog.powerdns.com/2014/12/11/powerdns-graphing-as-a-service/
(free).

Bert

- Forwarded message from Stephane Bortzmeyer  -

Date: Mon, 30 Nov 2015 09:13:11 +0100
From: Stephane Bortzmeyer 
To: dns-operati...@dns-oarc.net
Subject: [dns-operations] Storm on the DNS
Organization: NIC France

Starting around 0700 UTC, several root name servers seem to have
problems.

https://atlas.ripe.net/dnsmon/
___
dns-operations mailing list
dns-operati...@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs


- End forwarded message -
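
One way to automate the root.zone refresh asked for in the message above, as an added example that is not part of the original post and is not PowerDNS code: a downloaded copy is checked (root SOA and root NS present, enough records, serial not older than the installed file) and only then renamed into place. The function names, the record threshold and the install path are assumptions; the URL and the `auth-zones` setting come from the message.

```bash
#!/usr/bin/env bash
# Added example (not PowerDNS code): refresh the file behind "auth-zones=.=root.zone"
# without ever installing a truncated or stale copy. Names, threshold and paths
# are assumptions. Plain HTTP is unauthenticated, so these are sanity checks only.

ROOT_ZONE_URL="http://www.internic.net/domain/root.zone"   # URL from the message

# Print the SOA serial of the root zone in file $1; fail if there is none.
zone_serial() {
    awk '$1 == "." && toupper($3) == "IN" && toupper($4) == "SOA" && $7 ~ /^[0-9]+$/ {
             print $7; found = 1; exit
         }
         END { if (!found) exit 1 }' "$1"
}

# Count resource records in file $1 (blank lines and ";" comments are skipped).
zone_records() {
    awk '/^[ \t]*$/ || /^[ \t]*;/ { next } { n++ } END { print n + 0 }' "$1"
}

# Constructed miniature zone with serial $1, for dry runs and tests only.
sample_zone() {
    printf '; constructed sample, not real root zone data\n'
    printf '.\t86400\tIN\tSOA\ta.root-servers.net. nstld.verisign-grs.com. %s 1800 900 604800 86400\n' "$1"
    printf '.\t518400\tIN\tNS\ta.root-servers.net.\n'
    printf 'nl.\t172800\tIN\tNS\tns1.dns.nl.\n'
}

# Validate candidate $1 against installed copy $2, then install it atomically.
# $3 is the minimum record count (assumed default 1000).
# Returns 0 = installed, 1 = rejected, 2 = installed copy is already current.
install_root_zone() {
    local candidate=$1 installed=$2 min_records=${3:-1000}
    local new_serial old_serial count tmp

    new_serial=$(zone_serial "$candidate") || { echo "reject: no root SOA" >&2; return 1; }
    count=$(zone_records "$candidate")
    if [ "$count" -lt "$min_records" ]; then
        echo "reject: only $count records, expected at least $min_records" >&2
        return 1
    fi
    # Without the root NS set the recursor has nowhere to start.
    if ! awk '$1 == "." && toupper($4) == "NS" { ok = 1 } END { exit !ok }' "$candidate"; then
        echo "reject: no NS records for the root" >&2
        return 1
    fi
    # Plain numeric comparison is enough for the date-style serials of the root.
    if [ -f "$installed" ] && old_serial=$(zone_serial "$installed"); then
        if [ "$new_serial" -eq "$old_serial" ]; then
            return 2
        fi
        if [ "$new_serial" -lt "$old_serial" ]; then
            echo "reject: serial $new_serial is older than installed $old_serial" >&2
            return 1
        fi
    fi
    # Write next to the target and rename, so a reader never sees a partial file.
    tmp=$(mktemp "${installed}.XXXXXX") || return 1
    if cp "$candidate" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$installed"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Cron entry point, e.g.: refresh-root-zone.sh --run /etc/powerdns/root.zone
# (script name and path are assumptions).
if [ "${1:-}" = "--run" ]; then
    target=${2:?path to the installed root.zone}
    download=$(mktemp) || exit 1
    trap 'rm -f "$download"' EXIT
    curl --fail --silent --show-error --max-time 60 -o "$download" "$ROOT_ZONE_URL" || exit 1
    install_root_zone "$download" "$target"
    case $? in
        0) rec_control reload-zones ;;   # have the recursor load the new file
        2) exit 0 ;;                     # nothing new upstream
        *) exit 1 ;;                     # keep serving the old copy
    esac
fi
```

A rejected download leaves the installed file untouched, so the recursor keeps answering from the last good copy.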



[Pdns-users] Recent dnsdist updates explained in video & presentation

2015-11-20 Thread bert hubert
Hi everybody,

dnsdist is taking off, with more and more deployments where it is proving
useful. If you use dnsdist and haven't told us, please feel free to let us
know (privately), so we know who is using it and what for.

Yesterday at the Dutch Unix User's Group (NLUUG) fall conference, I did a 45
minute presentation about dnsdist that has all the latest bits, plus stories
about actual deployments. 

Please find the slides and video on https://www.powerdns.com/nluug/ 

Enjoy!

Bert



[Pdns-users] EDNS Client Subnet support in recursor

2015-11-13 Thread bert hubert
Hi everybody,

We just merged EDNS Client Subnet support in the recursor.

It works by setting edns-subnet-whitelist to a list of domain names or
nameserver netmasks that should be getting EDNS Client Subnet queries.
Eventually we may make this auto probing etc.

This feature is available in the snapshot builds on
https://repo.powerdns.com/ and will be part of the upcoming 4.0 release.

Please realize that while "git master" passes many of our tests right now it
is not production ready.

But it IS ready to discover if our many new features, like:
* IXFR/RPZ 
https://www.mail-archive.com/pdns-users@mailman.powerdns.com/msg08010.html
* EDNS Client Subnet
* DNSSEC processing
* Lua asynchronous queries for per client/domain status lookups 
https://github.com/PowerDNS/pdns/blob/master/pdns/kv-example-script.lua

.. work for you, or do what you want/need.

Bert



[Pdns-users] Technical Summit videos now also up

2015-11-06 Thread bert hubert


Hi everybody,

With great help from the PowerDNS community the videos from the technical
workshop last October in Berlin are now very watchable. This involved
matching the separately recorded audio to the fish-eye distorted video from
the GoPro, so many thanks to our anonymous helper!

As noted before, we far overestimated how long 2 hours was, so in addition
to the (non-technical) keynote, we were only able to do 4 presentations.
However, we do share the other 9 slide decks as well.

If the HTML below doesn't work for you, the same can be found on
https://www.powerdns.com/oxsummit .

Presentations from the Open-Xchange Summit 2015 in Berlin [1]:

* Keynote presentation (non-technical) [2]
* PowerDNS tour [3], VIDEO! [4]
* Authoritative Server [5], VIDEO! [6]
* PowerDNS Recursor [7], VIDEO! [8]
* dnsdist [9], VIDEO! [10]

Other presentations:

* Ox Summit PowerDNS Metronome.pdf [11]
* PLexis-PowerDNS-Ansible.pdf [12]
* PLexis-PowerDNS-Documentation.pdf [13]
* PLexis-PowerDNS-GUIs.pdf [14]
* powerdns-oxsummit-2015-api.pdf [15]
* powerdns-oxsummit-2015-auth-dnssec.pdf [16]
* powerdns-oxsummit-2015-authscripting.pdf [17]
* powerdns-oxsummit-2015-recursorlua.pdf [18]
* powerdns-oxsummit-2015-tools.pdf [19]

Enjoy!

Links:
--
[1] http://summit.open-xchange.com/
[2] https://vimeo.com/142651548
[3] https://www.powerdns.com/oxsummit/2015%20powerdns%20intro.pdf
[4] https://www.youtube.com/watch?v=QsQV8eA-ykA
[5] https://www.powerdns.com/oxsummit/powerdns-oxsummit-2015-auth.pdf
[6] https://www.youtube.com/watch?v=7yc566LPdwM
[7] https://www.powerdns.com/oxsummit/OX%20Summit%20PowerDNS%20Recursor.pdf
[8] https://www.youtube.com/watch?v=OUsp3wsJ3us
[9] https://www.powerdns.com/oxsummit/2015%20powerdns%20dnsdist.pdf
[10] https://www.youtube.com/watch?v=g5I8L4qISd4
[11] https://www.powerdns.com/oxsummit/Ox%20Summit%20PowerDNS%20Metronome.pdf
[12] https://www.powerdns.com/oxsummit/PLexis-PowerDNS-Ansible.pdf
[13] https://www.powerdns.com/oxsummit/PLexis-PowerDNS-Documentation.pdf
[14] https://www.powerdns.com/oxsummit/PLexis-PowerDNS-GUIs.pdf
[15] https://www.powerdns.com/oxsummit/powerdns-oxsummit-2015-api.pdf
[16] https://www.powerdns.com/oxsummit/powerdns-oxsummit-2015-auth-dnssec.pdf
[17] https://www.powerdns.com/oxsummit/powerdns-oxsummit-2015-authscripting.pdf
[18] https://www.powerdns.com/oxsummit/powerdns-oxsummit-2015-recursorlua.pdf
[19] https://www.powerdns.com/oxsummit/powerdns-oxsummit-2015-tools.pdf


Re: [Pdns-users] SERVFAIL pdns-recursor

2015-11-01 Thread bert hubert
On Sun, Nov 01, 2015 at 03:23:42PM +, Federico Olivieri wrote:
> Hi guys!
> Any suggestions/clue?

It says 'timeouts', which suggests you might have issues reaching google.
Please point your recursor to metronome as explained in
http://blog.powerdns.com/2014/12/11/powerdns-graphing-as-a-service/
so we can diagnose if there are network issues.

Thanks!

> 
> Thanks in advance
> 
> Federico
> On 30 Oct 2015 12:06, "Federico Olivieri"  wrote:
> 
> > Hi guys,
> >
> > I know that this topic has already been discussed in the past but
> > unfortunately the answers given are not really clear to me (for my lack of
> > knowledge :) )
> >
> > On my server I can see many SERVFAIL error messages. Some of them are
> > related to inverse arp (not interested in them), others are related to more
> > common domain names (such as youtube, facebook and google)
> >
> > i.e
> >
> > oot@banana:/var/log# cat messages.1 | grep "SERVFAIL" | grep -v
> > "in-addr.arpa" | grep "google"
> > Oct 22 17:05:58 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.11 during resolve of 'mtalk.google.com.' because: Too much time
> > waiting for mtalk.google.com.|A, timeouts: 5, throttles: 2, queries: 6,
> > 8076msec
> > Oct 22 17:05:59 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.11 during resolve of 'www.google.com.' because: Too much time
> > waiting for www.google.com.|A, timeouts: 5, throttles: 0, queries: 6,
> > 8746msec
> > Oct 22 17:05:59 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.11 during resolve of '1.client-channel.google.com.' because:
> > Too much time waiting for 1.client-channel.google.com.|A, timeouts: 5,
> > throttles: 0, queries: 6, 8745msec
> > Oct 22 17:05:59 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.11 during resolve of '1.client-channel.google.com.' because:
> > Too much time waiting for 1.client-channel.google.com.|A, timeouts: 5,
> > throttles: 0, queries: 6, 8261msec
> > Oct 22 17:05:59 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.11 during resolve of 'www.google.com.' because: Too much time
> > waiting for www.google.com.|A, timeouts: 5, throttles: 0, queries: 6,
> > 8261msec
> > Oct 22 17:05:59 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.11 during resolve of 'mtalk.google.com.' because: Too much time
> > waiting for mtalk.google.com.|A, timeouts: 5, throttles: 2, queries: 6,
> > 8365msec
> > Oct 22 17:06:01 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.11 during resolve of 'mtalk.google.com.' because: Too much time
> > waiting for mtalk.google.com.|A, timeouts: 5, throttles: 5, queries: 6,
> > 8103msec
> > Oct 22 17:06:01 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.11 during resolve of 'www.google.com.' because: Too much time
> > waiting for www.google.com.|A, timeouts: 5, throttles: 1, queries: 6,
> > 8161msec
> > Oct 22 17:06:01 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.11 during resolve of '1.client-channel.google.com.' because:
> > Too much time waiting for 1.client-channel.google.com.|A, timeouts: 5,
> > throttles: 1, queries: 6, 8160msec
> > Oct 22 17:06:03 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.11 during resolve of 'mtalk.google.com.' because: Too much time
> > waiting for mtalk.google.com.|A, timeouts: 5, throttles: 4, queries: 6,
> > 8191msec
> > Oct 22 17:06:04 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.11 during resolve of '1.client-channel.google.com.' because:
> > Too much time waiting for 1.client-channel.google.com.|A, timeouts: 4,
> > throttles: 2, queries: 5, 7187msec
> > Oct 22 17:06:04 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.11 during resolve of '1.client-channel.google.com.' because:
> > Too much time waiting for 1.client-channel.google.com.|A, timeouts: 4,
> > throttles: 0, queries: 5, 7144msec
> > Oct 22 17:06:04 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.11 during resolve of 'www.google.com.' because: Too much time
> > waiting for www.google.com.|A, timeouts: 4, throttles: 0, queries: 5,
> > 7143msec
> > Oct 22 17:06:04 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.11 during resolve of 'mtalk.google.com.' because: Too much time
> > waiting for mtalk.google.com.|A, timeouts: 5, throttles: 4, queries: 6,
> > 7795msec
> > Oct 22 17:06:06 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.11 during resolve of 'mtalk.google.com.' because: Too much time
> > waiting for mtalk.google.com.|A, timeouts: 5, throttles: 4, queries: 6,
> > 8446msec
> > Oct 22 17:06:07 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.12 during resolve of 'www.googleapis.com.' because: Too much
> > time waiting for www.googleapis.com.|, timeouts: 5, throttles: 0,
> > queries: 6, 8107msec
> > Oct 22 17:06:08 banana pdns_recursor[2485]: Sending SERVFAIL to
> > 192.168.0.12 during resolve of 'clients4.google.com.' because: Too much
> > 
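
A way to check the reading given in the reply above (timeouts towards many unrelated names point at reachability rather than at one zone), as an added example that is not part of the thread and is not PowerDNS code: it groups the recursor's "Sending SERVFAIL" lines by query name and reports how many outgoing queries timed out. The function names and output columns are assumptions, and the sample lines are constructed after the format quoted in the message.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): summarise pdns_recursor "Sending SERVFAIL"
# lines per query name. Expects unwrapped syslog lines, as in the log file itself.
# Function names and output columns are assumptions.

# Constructed sample input, modelled on the log lines quoted in the message.
sample_log() {
    cat <<'EOF'
Oct 22 17:05:58 banana pdns_recursor[2485]: Sending SERVFAIL to 192.168.0.11 during resolve of 'mtalk.google.com.' because: Too much time waiting for mtalk.google.com.|A, timeouts: 5, throttles: 2, queries: 6, 8076msec
Oct 22 17:05:59 banana pdns_recursor[2485]: Sending SERVFAIL to 192.168.0.11 during resolve of 'www.google.com.' because: Too much time waiting for www.google.com.|A, timeouts: 5, throttles: 0, queries: 6, 8746msec
Oct 22 17:05:59 banana pdns_recursor[2485]: Sending SERVFAIL to 192.168.0.11 during resolve of 'mtalk.google.com.' because: Too much time waiting for mtalk.google.com.|A, timeouts: 5, throttles: 2, queries: 6, 8365msec
Oct 22 17:06:00 banana cron[1]: unrelated line (constructed)
Oct 22 17:06:02 banana pdns_recursor[2485]: Sending SERVFAIL to 192.168.0.12 during resolve of 'www.example.org.' because: Too much time waiting for www.example.org.|A, timeouts: 1, throttles: 0, queries: 4, 7000msec
EOF
}

# Reads log files given as arguments, or stdin when there are none.
# Output, one line per name, most SERVFAILs first:
#   qname  servfails  timeouts  queries  timeout_ratio  max_msec
# A timeout_ratio near 1 across unrelated names means almost every outgoing
# query went unanswered; a single name with a high ratio singles out that zone.
servfail_summary() {
    LC_ALL=C awk '
    # Number that follows "key" in "line" (0 when the key is absent).
    function num_after(line, key,    i) {
        i = index(line, key)
        return i ? substr(line, i + length(key)) + 0 : 0
    }
    /Sending SERVFAIL to / && /Too much time waiting for / {
        key = "waiting for "
        rest = substr($0, index($0, key) + length(key))
        bar = index(rest, "|")            # name and type are separated by "|"
        if (bar == 0) next
        name = tolower(substr(rest, 1, bar - 1))
        n[name]++
        t[name] += num_after($0, "timeouts: ")
        q[name] += num_after($0, "queries: ")
        ms = $NF + 0                      # last field, e.g. "8076msec"
        if (ms > max[name]) max[name] = ms
    }
    END {
        for (name in n)
            printf "%s %d %d %d %.2f %d\n", name, n[name], t[name], q[name],
                   (q[name] ? t[name] / q[name] : 0), max[name]
    }' "$@" | LC_ALL=C sort -k2,2nr -k1,1
}
```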

[Pdns-users] RPZ support, roadmap changes, New employee, movie, presentations

2015-10-29 Thread bert hubert
Hi everybody,

Here's a bunch of announcements all in one message so we don't bother you
too much.

1) We have a new employee! Please welcome Remi Gacogne, who will be
developing and working on all things PowerDNS starting next week. Since
we've become part of Open-Xchange, we've gained new users and new
technologies (like dnsdist and weakforced
(https://github.com/PowerDNS/weakforced - together with Dovecot)), and Remi
will help us with that!

2) The RPZ support we talked about has now been merged in the 4.0
development branch (as described in
http://mailman.powerdns.com/pipermail/pdns-users/2015-October/011711.html ).
To test, find packages on https://repo.powerdns.com/

https://builder.powerdns.com/#/ also has up to the minute builds for your
testing pleasure.

3) My presentation at the Open-Xchange Summit in Berlin is now available as
video: https://vimeo.com/142651548 Please note that I was down with
something during the summit, I usually look a bit healthier ;-)

The other presentations are available on https://www.powerdns.com/oxsummit/
Our video recording of those presentations is also nearly ready.

4) Our 4.0 roadmap has been altered a bit based on customer demand. Release
remains planned for early December.  The recursor will be
released first, with the following additional features compared to our
original announced roadmap:

RPZ/IXFR support (Spamhaus and others)
EDNS Subnet support 
dnssec-protect

IXFR slaving will also make it to 4.0 Authoritative. 

Furthermore, this is the status of the rest of the 4.0 Recursor roadmap:

Visible new features:
  DNSSEC *aware* recursor
Note: this is not yet validation, but it will enable you to validate DNSSEC through PowerDNS

This will happen, including verification of correct answers based on DNSSEC signatures
(this is a little bit more than we announced)

  Software repositories for all products and popular distributions - first only for git master
https://repo.powerdns.com/

Done

  (Packet)cache in recursor in reverse order so we can support wiping subdomains

Almost there.

Infrastructure work:
  port PowerDNS Recursor to “libco” (we rely on some outdated deprecated threading APIs now)

To be done

  EDNS probing outgoing recursor

Mostly there

  Unix domain socket APIs actually become the HTTP API
  rec_control / pdns_control moves to that HTTP API over Unix Domain
  Allow multiple simultaneous outstanding questions (solve the A/ problem)

Will go to 4.1

  DNSName all the things (we treat DNS as human readable ASCII internally)
  DNSResourceRecord out of the flow of Recursor - it is just silly 

Done & Done

Bert



Re: [Pdns-users] strange servfail

2015-10-29 Thread bert hubert
Hi Martin,

You appear to have put domain names in the type field! The error messages say 
the type is example.example.com.

 Bert

On Oct 29, 2015 17:10, Martin  wrote:
>
> Hi,
>
> I have setup a simple MySQL backend for a domain with a few MX records, a 
> couple of A records, two NS records and a SOA record for the domain.
>
> All dig commands are run from a completely unrelated server:
>
> dig a www.example.com is working: it returns the right A record
>
> dig a example.com is working: it returns the right A record
>
> Now this is where things go wrong:
>
> dig a abc.example.com returns a SERVFAIL but I am expecting a NXDOMAIN 
> response because there is no A record for abc.example.com
>
> I checked the PowerDNS logs and this is there:
>
> Oct 29 16:44:45 ns1 pdns[27687]: Exception building answer packet (Unknown 
> DNS type 'example.example.com') sending out servfail
> Oct 29 16:44:45 ns1 pdns[27687]: Exception building answer packet (Unknown 
> DNS type 'example.example.com') sending out servfail
> Oct 29 16:44:45 ns1 pdns[27687]: Exception building answer packet (Unknown 
> DNS type 'example.example.com') sending out servfail
> Oct 29 16:44:45 ns1 pdns[27687]: Exception building answer packet (Unknown 
> DNS type 'example.example.com') sending out servfail
> Oct 29 16:44:45 ns1 pdns[27687]: Exception building answer packet (Unknown 
> DNS type 'example.example.com') sending out servfail
>
> Five messages with unknown DNS type 'domain.domain.tld'.
>
> I have tried an online tool like http://www.kloth.net/services/dig.php as 
> well and it generates the same error in the logs but only once instead of 
> five times.
>
> Can anyone point me in the right direction? I'm stumped. I'm running the 
> latest version on Debian.
>
> Thanks,
>
> Martin
>
>  


Re: [Pdns-users] dnssec problems

2015-10-27 Thread bert hubert
Quick response from phone, try removing the GOST signature from parent zone, it 
might be confusing things. No one uses that normally.

 Bert

On Oct 27, 2015 23:18, Curtis Maurand  wrote:
>
> I set up pdnssec for a rather critical zone xyonet.com.  I then published the 
> ds records to opensrs using
>
> pdnssec show-zone xyonet.com  which got me:
>
> DS = xyonet.com IN DS 31879 8 1 b0a50a1f2ec6d0a2e11c1a5152c674fc10a7366a ; ( 
> SHA1 digest )
> DS = xyonet.com IN DS 31879 8 2 
> cdc8a0e46d79fd2b391dcce9b5740ec5d1021d4eccc1038dbe97ef83b8703986 ; ( SHA256 
> digest )
> DS = xyonet.com IN DS 31879 8 3 
> 9621349b03aeda5ab8ffb9e71bf18a2d55491c1da41721447046f77394502d2a ; ( GOST R 
> 34.11-94 digest )
> DS = xyonet.com IN DS 31879 8 4 
> fd0a82a3a1cc67e0ca0b02a5d0ca661191c047788257a90477ffe75aeb5a0cc7d3768fed9997621a8d97d2951c8477e3
>  ; ( SHA-384 digest )
>
> I published all 4 of the keys.  Verisign comes back and gives me the error: 
> "The DNSKEY RRset was not signed by any keys in the chain-of-trust"
>
> Have I done something wrong, here?  suddenly today google's public dns 
> servers are not resolving anything on xyonet.com.  level 3 is and some others 
> are not.  The only change I made was publishing the dnssec records.
>
>
> -- 
> Curtis Maurand
> cur...@maurand.com
> 207-252-7748


[Pdns-users] IXFR/RPZ support first version Re: RBL response and dead-end

2015-10-25 Thread bert hubert
Hi everybody,

So we worked really hard on it last week and a half, and now we have the
very first version of the PowerDNS Recursor that understands RPZ and can
do incremental slaving of large RPZ zones over IXFR.

Thanks go out to MX Tools and Spamhaus who, after John contacted them, gave
us a real life moving RPZ zone to test against.

We should have packages tomorrow, but if you can build from Git (not that
hard), the code is on https://github.com/ahupowerdns/pdns.git
or https://github.com/ahupowerdns/pdns/tree/rpz - this link also explains
how to build.

The configuration is slightly too simple still and still lacks 'override'
policies, but internally the support is there to do that.

The configuration can currently be set like this:

rpz-masters=1.2.3.4:your.rpz.zone

When you fire it up, it looks like this:

Oct 25 21:03:58 Listening for TCP queries on 127.0.0.1:5300
Oct 25 21:03:58 Loading RPZ zone 'dbl.rpz.spamhaus.org.' from 1.2.3.4:53
Oct 25 21:03:58 Loaded & indexed 1311 policy records so far
Oct 25 21:03:59 Loaded & indexed 8159 policy records so far
Oct 25 21:04:00 Loaded & indexed 349303 policy records so far
Oct 25 21:04:01 Loaded & indexed 732118 policy records so far
Oct 25 21:04:02 Loaded & indexed 1226113 policy records so far
Oct 25 21:04:02 Done: 1318691 policy records active, SOA: need.to.know.only. 
hostmaster.spamhaus.org. 1445803348 60 60 432000 60
Oct 25 21:05:02 Getting IXFR deltas for dbl.rpz.spamhaus.org. from 1.2.3.4:53, 
our serial: 1445803348
Oct 25 21:05:02 Processing 1 deltas for RPZ dbl.rpz.spamhaus.org.
Oct 25 21:05:02 Had removal of *.pem.webcam.
Oct 25 21:05:02 Had 9 RPZ removals, 1 additions for dbl.rpz.spamhaus.org. New 
serial: 1445803468

You can also load a straight up file with 'rpz-file=zone-file'. Just make
sure it has an $ORIGIN right now, or is FQDN.

It is all very rough right now, and not ready for production yet, but we got
a LOT of feedback about our upcoming RPZ stuff.  Your feedback is very
welcome! 

Next up is making sure you can override policy per zone so you can redirect
to your warning server etc.

Bert



On Fri, Oct 16, 2015 at 12:27:45PM -0400, John Miller wrote:
> Hi Phil,
> 
> I found out about the feature from Bert's slides at:
> 
> https://www.powerdns.com/oxsummit/, specifically
> 
> https://www.powerdns.com/oxsummit/OX%20Summit%20PowerDNS%20Recursor.pdf
> 
> There seems to be a feature request at
> https://github.com/PowerDNS/pdns/issues/2789, but I'm not sure if
> there are any others.  I'm sure someone from the pdns team will chime
> in shortly on the official state of RPZ.  I'll be glad to see it get
> included; we switched over to BIND for RPZ support; would be nice to
> use pdns-recursor again.
> 
> John
> 
> On Fri, Oct 16, 2015 at 12:19 PM, Phil Daws  wrote:
> > Hello John,
> >
> > Thank you for the help and RPZ sounds very interesting indeed.  Is there an 
> > RFE one can track to see where it is in the pipeline ?
> >
> > Thanks, Phil
> >
> > - On 16 Oct, 2015, at 17:10, John Miller johnm...@brandeis.edu wrote:
> >
> >> Hi Phil,
> >>
> >> Presumably you're talking about recursive queries, right?  You can
> >> currently script pdns-recursor to do this; check out
> >> https://doc.powerdns.com/md/recursor/scripting/ to get started.  From
> >> what I understand, it's in the works to build this into the code
> >> itself - this is a feature called "Response Policy Zones."
> >>
> >> John
> >>
> >> On Fri, Oct 16, 2015 at 11:52 AM, Phil Daws  wrote:
> >>> Hello:
> >>>
> >>> Is it possible with PDNS to receive a DNS query, look up the name against 
> >>> an
> >>> RBL, and if it fails return an IP which is either a dead-end or directs 
> >>> to a
> >>> "Bad URL" splash page ?
> >>>
> >>> All help appreciated, Thanks. Phil
> >>
> 


[Pdns-users] PowerDNS presentations and audio from Open-Xchange summit

2015-10-09 Thread bert hubert
Hi everybody!

Yesterday and today we met many many PowerDNS users at the Open-Xchange
summit here in Berlin. You can hear and see our presentations on:

https://www.powerdns.com/oxsummit/

Peter, Pieter and I worked really hard on writing no less than 13 chapters
of presentation covering:

PowerDNS overall intro
PowerDNS Authoritative Server
PowerDNS Recursor
dnsdist
Metronome
PowerDNS Ansible playbooks
PowerDNS Documentation
PowerDNS GUIs
PowerDNS API
PowerDNS Auth DNSSEC
PowerDNS Auth scripting
PowerDNS Recursor Lua
PowerDNS Tools

We only had time for the first four presentations because of the good
questions and because we underestimated how much material we had made.

But the good news is that everything is online now!

Enjoy!

Bert



Re: [Pdns-users] lua getlocaladdress in auth prequery

2015-09-15 Thread bert hubert
On Tue, Sep 15, 2015 at 11:24:44AM +0200, Klaus Darilion wrote:
> > I tried Debian stable: 3.4.1-4+deb8u3
> > I can also test 3.4.6-1~bpo8+1 (jessie-backports)
> 
> The same problem with 3.4.6-1~bpo8+1 (jessie-backports)

Hi Klaus,

First, let me note that the Lua pre-query interface in auth is undocumented,
and the feature is labelled "DO NOT USE" if you manage to find it in our
--help output ;-)

However, you are correct in finding that getLocal() is not hooked up there. 

https://github.com/ahupowerdns/pdns/tree/getlocalauth has a fix for master,
https://github.com/ahupowerdns/pdns/commit/995dd336b57bb234427b71dc6f20c93787361cc6
is the patch.

Could you test?

Bert



Re: [Pdns-users] Fwd: Modifying DNS Response

2015-09-10 Thread bert hubert
On Thu, Sep 10, 2015 at 05:39:33PM +0300, Önem Özgülgen wrote:
> Hello,
> 
> First of all, thanks for your response Bert.
> 
> As making it correctly and stable, not just destination ip address also
> source ip address should be changed.
> 
> Maybe, this can't be done via Lua, but is it possible to do via breaking
> the dns packets in PowerDNS source code?

Onem,

Sending responses from IP addresses you don't own requires a little extra
work, plus the network has to cooperate. So out of the box, I don't see
PowerDNS supporting this since it is very much a niche thing. But let us
know if you really need it!

Bert

> 
> Just wonder if something possible before an Anycast DNS solution.
> 
> On Thu, Sep 10, 2015 at 5:33 PM, bert hubert <bert.hub...@powerdns.com>
> wrote:
> 
> > On Thu, Sep 10, 2015 at 01:19:23AM +0300, Önem Özgülgen wrote:
> > > Is it possible to change query sender ip address of the dns packet and
> > > making response to another ip address "legally"?
> >
> > No, not right now. And if I understand you correctly, you'd not only have
> > to
> > change the response destination address, but also the source address,
> > because otherwise 'they' in london would not recognize your response?
> >
> > That would be especially hard. Only changing the destination IP would be
> > somewhat doable.
> >
> > Please let us know!
> >
> > Bert
> >



Re: [Pdns-users] Modifying DNS Response

2015-09-10 Thread bert hubert
On Thu, Sep 10, 2015 at 01:19:23AM +0300, Önem Özgülgen wrote:
> Is it possible to change query sender ip address of the dns packet and
> making response to another ip address "legally"?

No, not right now. And if I understand you correctly, you'd not only have to
change the response destination address, but also the source address,
because otherwise 'they' in london would not recognize your response?

That would be especially hard. Only changing the destination IP would be
somewhat doable.

Please let us know!

Bert



[Pdns-users] Conferences, various

2015-09-09 Thread bert hubert
Hi everybody,

We try not to bore you too much with announcements, so here is a bundle:

* Tomorrow this Thursday I'll be at the 'security summit at the beach',
  https://www.ssatb.nl/ in The Hague.  If you or any of your coworkers are
  there, please find me!

* Next week on Wednesday September 16th we are at the Liberty Global Tech
  Summit in Amsterdam, https://www.libertyglobaltechsummit.com/ and again,
  we'd love to meet you if you are there.

* Friday 18th of September, most of us will be at the NLNOG day 2015,
  http://nlnog.net/nlnog-dag-2015/ . Both Peter and I are presenting. This
  is at Leaseweb in Amsterdam.

* October 8 and 9 we are in Berlin at the Open-Xchange summit,
  http://summit.open-xchange.com/ and as previously announced, there will be
  a PowerDNS meetup there too.
  http://blog.powerdns.com/2015/07/15/powerdns-at-open-xchange-summit-in-berlin-8-9-october-2015/
  has the details. A few people have already let us know they'll be there,
  we'd love to hear from you!

* We're still looking for great people! Please take a look at
  https://www.powerdns.com/careers.html to see if you or any one you know
  might be a match. Please spread the word!

Cheers,

Bert




Re: [Pdns-users] AXFR chunk error: Server Not Authoritative for zone / Not Authorized

2015-08-30 Thread bert hubert
On Sun, Aug 30, 2015 at 02:10:28PM +0200, a b wrote:
> The superslave reports thus:
>
> pdns[1058]: Initiating transfer of '16.172.in-addr.arpa' from remote
> '172.16.2.4'
> pdns[1058]: Initiating transfer of 'dmz' from remote '172.16.2.4'
> pdns[1058]: Unable to AXFR zone '16.172.in-addr.arpa' from remote
> '172.16.2.4' (resolver): AXFR chunk error: Server Not Authoritative for zone
> / Not Authorized
> pdns[1058]: Unable to AXFR zone 'dmz' from remote '172.16.2.4' (resolver):
> AXFR chunk error: Server Not Authoritative for zone / Not Authorized
>
> However, the supermaster is:
>
> - authoritative over the dmz zone;

Which version does the master run? Can you tcpdump for us? Can you reproduce
using a recent powerdns version on master?

Will the master answer to 'dig -t axfr 16.172.in-addr.arpa @172.16.2.4' from
your slave?

Bert


> - has the correct NS records (double-, triple-, and quadruple-checked);
> - has the correct SOA records (double-, triple-, and quadruple-checked);
> - answering all query (NS, SOA, A, PTR) types correctly.
>
> All the zone_id numbers correctly match with the id fields in the zones
> table.
> pdns_resolver is not installed nor configured to be queried in pdns.conf.
>
> I even compared the configuration to the internal DNS servers, and apart from
> different data, it all checks out.
>
> After a week worth of troubleshooting, I am at a loss as to what the problem
> is.
> Any hints?



[Pdns-users] New mailinglist for dnsdist

2015-08-27 Thread bert hubert
Hi everybody,

dnsdist usage is increasing, and this tool is of interest to PowerDNS and
non-PowerDNS users alike.

We've therefore created a new mailing list dedicated to dnsdist. Please find
it via http://mailman.powerdns.com/mailman/listinfo/dnsdist

Hope to see you there!

Bert




Re: [Pdns-users] 5001 questions waiting for database attention. Limit is 5000, respawning

2015-08-19 Thread bert hubert
On Wed, Aug 19, 2015 at 09:29:26AM -0400, Stan Weatherby wrote:
> Hello,
>
> We are experiencing a very strange issue. Our PDNSD servers keep getting
> the error: 5001 questions waiting for database attention.  Limit is 5000,
> respawning which is killing the answer side.

Hi Stan,

This can happen regardless of backend. If your pipe backend is blocking or
slow, you would get this. The error message is confusing in that it mentions
'database' and not 'backend'. I've changed this in
https://github.com/PowerDNS/pdns/commit/3172f9b6c35de2dd05b3a8abe6312f67e4c9f5fa

What you could do is hook up your PowerDNS to
http://blog.powerdns.com/2014/12/11/powerdns-graphing-as-a-service/ which
will provide a lot of insight into what might be going on.

> Here is the strange thing, we are not using the MySQL backend, we are
> using the pipe backend and running heavy cache.  In the config file we do
> not ask to load MySQL just “pipe”, has anyone else experienced this issue?
> We see this happen on loads of about 50 requests per second CPU - RAM -
> and all other system resources are running at a nominal load.

At a guess, your pipe backend is blocking on something.

> Maybe we are missing some performance tuning? Still wondering why PDNSD is
> looking for the DB.

No worries, it isn't looking for a db.  Our error was just confusing.

Bert



Re: [Pdns-users] Any plans for RPZ

2015-08-18 Thread bert hubert
We're getting loads of questions for RPZ support all of a sudden so
something is likely to happen.

Is there a specific service or feed that you need support for?

Bert

On Wed, Aug 12, 2015 at 07:25:07AM +, Søren Andersen wrote:
> Still no plans for RPZ support? :)
>
> /Søren



Re: [Pdns-users] pdf

2015-08-18 Thread bert hubert
On Tue, Aug 11, 2015 at 02:55:55PM -0300, Thiago Farina wrote:

> Is there a pdf version of docs.powerdns.com available?

Not anymore, sorry! The new layout is a lot prettier, but we lost the
ability to PDF it up easily.

Bert



Re: [Pdns-users] Intermittent SERVFAIL Response

2015-08-18 Thread bert hubert
On Tue, Aug 18, 2015 at 10:33:15AM -0400, Scott Hollenbeck wrote:
> I'm running PowerDNS Recursor 3.7.3 on a pair of Ubuntu 14.04.3 LTS servers.
> I'm getting intermittent SERVFAIL responses on both servers to queries for a
> particular name. Could someone please help me understand what might be
> causing these failures? Here are examples of the SERVFAIL responses I'm
> seeing on one of the servers:

Hi Scott,

Can you repeat with trace-regex turned on for this domain? Also, asking ANY
queries confuses things, could you try 'A' queries?

https://doc.powerdns.com/md/recursor/running/ has details on trace-regex.

Thanks!

Bert

 
> $ dig @localhost www.concoursmustang.com any
>
> ; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> @localhost www.concoursmustang.com
> any
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23134
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.concoursmustang.com.   IN  ANY
>
> ;; Query time: 3004 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Aug 18 09:31:23 EDT 2015
> ;; MSG SIZE  rcvd: 41
>
> $ dig @localhost www.concoursmustang.com a
>
> ; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> @localhost www.concoursmustang.com a
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29329
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.concoursmustang.com.   IN  A
>
> ;; Query time: 3003 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Aug 18 09:36:28 EDT 2015
> ;; MSG SIZE  rcvd: 41
>
> A successful result for a different domain:
>
> $ dig @localhost powerdns.com a
>
> ; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> @localhost powerdns.com a
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53794
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;powerdns.com.  IN  A
>
> ;; ANSWER SECTION:
> powerdns.com.   40190   IN  A   82.94.213.34
>
> ;; Query time: 1 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Aug 18 09:41:27 EDT 2015
> ;; MSG SIZE  rcvd: 46
>
> Successful queries on the second server:
>
> $ dig @localhost www.concoursmustang.com a
>
> ; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> @localhost www.concoursmustang.com a
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40855
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.concoursmustang.com.   IN  A
>
> ;; ANSWER SECTION:
> www.concoursmustang.com. 14400  IN  CNAME   concoursmustang.com.
> concoursmustang.com. 14400   IN  A   70.40.195.107
>
> ;; Query time: 64 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Aug 18 09:35:55 EDT 2015
> ;; MSG SIZE  rcvd: 71
>
> $ dig @localhost www.concoursmustang.com any
>
> ; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> @localhost www.concoursmustang.com
> any
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6474
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.concoursmustang.com.   IN  ANY
>
> ;; ANSWER SECTION:
> www.concoursmustang.com. 14385  IN  CNAME   concoursmustang.com.
> concoursmustang.com. 40278   IN  NS  ns2.hostmonster.com.
> concoursmustang.com. 14385   IN  A   70.40.195.107
> concoursmustang.com. 40278   IN  NS  ns1.hostmonster.com.
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Aug 18 09:36:10 EDT 2015
> ;; MSG SIZE  rcvd: 119
>
> These servers are configured similarly. Both are configured to accept
> queries only from machines on my local network.
>
> Thanks,
> Scott


Re: [Pdns-users] Gargabe records on slave

2015-08-01 Thread bert hubert
On Sat, Aug 01, 2015 at 09:51:59PM +0200, Bjoern Franke wrote:
> Hi,
>
> we are running Powerdns 3.4.5-1 on 2 Debian Jessie systems. The master
> uses MySQL, the slave sqlite.
>
> After axfering one zone, the slave gets some garbage records:

These are empty non terminal records, needed to generate correct answers. So
you probably do have a something._domainkey.ffnw.de record and a ffnwe.de
record. This empty record is there to generate the proper DNS response for
_domainkey.ffnw.de.

> Now I'm confused how to fix this besides creating the whole zone new.

If you run 'pdnssec rectify-zone ffnw.de' they will appear on the master
too.

In practice, this all does not matter too much.

https://doc.powerdns.com/md/authoritative/dnssec/#rules-for-filling-out-fields-in-database-backends
has a bit on 'empty non terminals'.

I hope this helps!

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
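
The reply above explains that the "garbage" rows are empty non-terminals: names that own no records themselves but have records beneath them, and which must still answer NOERROR rather than NXDOMAIN. The sketch below is an added example, not PowerDNS code: it derives the empty non-terminals from a list of owner names and shows the response code each kind of name should get. The owner names are constructed from the ffnw.de example in the thread, and wildcards and escaped dots in labels are ignored.

```python
"""Derive a zone's empty non-terminals (ENTs) from its owner names.

Added illustration; the sample zone below is constructed, not real zone data.
Assumptions: no wildcard records, no escaped dots inside labels.
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def labels_below_apex(name, apex):
    """Return the labels of `name` below `apex`, leftmost label first."""
    name, apex = normalize(name), normalize(apex)
    if name == apex:
        return []
    if not name.endswith("." + apex):
        raise ValueError("%r is not inside zone %r" % (name, apex))
    return name[: -len(apex) - 1].split(".")


def empty_non_terminals(apex, owner_names):
    """Names between an owner name and the apex that own no records."""
    apex = normalize(apex)
    owners = {normalize(n) for n in owner_names}
    ents = set()
    for owner in owners:
        labels = labels_below_apex(owner, apex)
        # Walk from the owner's parent up to, but not including, the apex.
        for i in range(1, len(labels)):
            ancestor = ".".join(labels[i:] + [apex])
            if ancestor not in owners:
                ents.add(ancestor)
    return ents


def expected_answer(qname, apex, owner_names):
    """Classify a query name.

    "NOERROR"  - the name owns records
    "NODATA"   - NOERROR with an empty answer: the name is an ENT
    "NXDOMAIN" - nothing exists at or below the name
    """
    qname = normalize(qname)
    owners = {normalize(n) for n in owner_names}
    if qname in owners:
        return "NOERROR"
    if qname in empty_non_terminals(apex, owners):
        return "NODATA"
    return "NXDOMAIN"


# Constructed sample: the owner names a zone like the one in the thread might hold.
SAMPLE_OWNERS = [
    "ffnw.de.",
    "www.ffnw.de.",
    "something._domainkey.ffnw.de.",
]

if __name__ == "__main__":
    print(sorted(empty_non_terminals("ffnw.de", SAMPLE_OWNERS)))
    for q in ("_domainkey.ffnw.de", "nothing.ffnw.de"):
        print(q, expected_answer(q, "ffnw.de", SAMPLE_OWNERS))
```
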


[Pdns-users] Use PowerDNS for APN/GRPS/3GPPP/LTE context? We need your help

2015-07-29 Thread bert hubert
Dear PowerDNS community,

We're currently looking into several uses for PowerDNS in a mobile/telco
environment, specifically for APN resolution and LTE details.

If you use PowerDNS in this context, and would like to help PowerDNS, could
you please contact powerdns.id...@powerdns.com? We have some (urgent)
questions, and your answers could help PowerDNS along in this field. 

If you have any specific needs in the mobile arena which we don't cover
right now, please also contact us. We can make it happen.

Thanks!

Bert



Re: [Pdns-users] pdns_recursor DNS access

2015-07-16 Thread bert hubert
On Thu, Jul 16, 2015 at 12:22:47PM +0200, a b wrote:

> nl1.dnsnode.net.
> ns1.pine.nl.
> xs.powerdns.com.
>
> xs.powerdns.com I am assuming is the security vulnerability phone home
> feature, but what are these other two hosts? Why is it phoning home to
> those?

These are the .NL servers, the PowerDNS.COM parent nameservers and finally a
PowerDNS nameserver. It is recursing to get the security status.

Bert



[Pdns-users] PowerDNS at Open-Xchange summit in Berlin, October 8-9

2015-07-15 Thread bert hubert
Hi everybody!

Since we are now happily part of Open-Xchange, together with our friends at
Dovecot IMAPd, we will also be present at the Open-Xchange summit in Berlin,
October 8-9 this year. This is a free event, and you are invited!

Besides marketing presentations like 'The Power of DNS to Engage More
Customers', we'll also be having a serious technical presentation on Friday
about PowerDNS. Feel free to invite your manager to the first presentation
and join us for the second one ;-) 

Also important, the summit includes a 'Bier-Xchange', which also serves
other things than beer, plus a party at the end. More about the event can be
read on http://summit.open-xchange.com/ 

All PowerDNS users are cordially invited to join the summit, which is free
of charge: http://www.cvent.com/d/6rq9my/4W or using the 'Register Now'
button at the bottom of http://summit.open-xchange.com/ page.

If you register, please drop me an email so we can invite you to the
PowerDNS-specific gathering during the drinks and party.

Also: feel free to invite your manager to show that PowerDNS is a real
company and more than some free software from the internet.

Thanks!

Bert  Team





[Pdns-users] New documentation on PowerDNS backends, and what they are and aren't

2015-06-23 Thread bert hubert
Hi everybody,

We just posted this on our blog 
http://blog.powerdns.com/2015/06/23/what-is-a-powerdns-backend-and-how-do-i-make-it-send-an-nxdomain/

PowerDNS is a dynamic nameserver, with a ton of backends. If the supplied
backends aren’t flexible enough, our architecture enables operators to write
their own, or to use one of our forwarding backends (Pipe and Remote), which
can send PowerDNS queries over a pipe, a UNIX domain socket, an HTTP
connection or even a ZMQ link.

Very often however (weekly at this point!), we get questions from users
confused about our backends:

 Why does my backend get ANY queries, when no ANY queries are sent to the
  nameserver?
 How do I generate an NXDOMAIN response from my backend?
 Why do I get SOA queries, even for domains not in my backend?
 Why does PowerDNS ignore the records my backend sent back to put in the
  packet?
 Why do I get more backend queries than DNS queries (sometimes)?
 Why do I get *way less* backend queries than DNS queries at other times?
 Why are backends launched for AXFRs?

With your feedback, we hope to merge this blog post into our documentation
soon. Please let us know if this helps clarify what a PowerDNS backend is
supposed to do, and if we could do any better.

Thanks!

Bert



[Pdns-users] First draft of roadmap 4.0

2015-06-17 Thread bert hubert
Hi everybody,

Some weeks ago we asked you for your input on our roadmap, and you sure
delivered! We got dozens of comments, many of which resulted in additions to
the roadmap, or the moving around of features. Thank you!

Here is the provisional plan for 4.0. Before you read on, we'd like to
clarify one thing. This list is what we think we'll be doing, but it is not
a promise with a date attached to it. We understand that your deployment may
require promises with dates on it, and if so, please contact us via
https://www.powerdns.com/contact.html or off-list. 

If you miss anything on the roadmap that you suggested, it may be allocated
to 4.2 or 4.3 which have not yet been defined that well. Please also contact
us in case you miss something we told you we would do!

Finally, all other feedback is welcome too. Here goes.

The broad description of 4.0:

The 4.0 version of PowerDNS has been announced as a ‘spring cleanup’ and
that is indeed what is happening. Lots of infrastructure is being replaced,
simplified and enhanced. To concentrate the ‘pain’ of all these upheavals,
everything that is impactful from an infrastructure perspective has been
concentrated in 4.0.

Running 4.0 may be somewhat scary since so much changed. Because of that,
anyone who actually does deploy it will get smothered in support love so we
can learn from them.

This last sentence IS a promise from us. Feel free to experiment with 4.0,
and experience super rapid responses to issues and questions.  To get 4.0
snapshots, please head to https://repo.powerdns.com/ or build from github.

Here is what we plan to deliver for 4.0. Note that some of this is already
delivered. 

Visible new features:
  DNSSEC *aware* recursor
Note: this is not yet validation, but it will enable you to validate DNSSEC 
through PowerDNS
  Software repositories for all products and popular distributions - first only 
for git master
https://repo.powerdns.com/
  Metaslaving over AXFR (minimum viable product)
this means one server ‘slaves’ an entire master server
classical slaving is per zone not per server  sucks
  See this is an improved supermaster
  pdns_control add-zone, remove-zone, add-record, remove-record, change-record
  (Packet)cache in recursor in reverse order so we can support wiping subdomains
  In 4.0 time frame: dnsdist 0.9 release
Packages for all popular platforms, plus repos

Infrastructure work:
  port PowerDNS Recursor to “libco” (we rely on some outdated deprecated 
threading APIs now)
  EDNS probing outgoing recursor
  Unix domain socket APIs actually become the HTTP API
  rec_control / pdns_control moves to that HTTP API over Unix Domain
  Allow multiple simultaneous outstanding questions (solve the A/ problem)
  DNSName all the things (we treat DNS as human readable ASCII internally)
  DNSResourceRecord out of the flow of Recursor - it is just silly 
  Replace distributor (pipe based)
  Plus “solve” the startup problem
This is where you have a giant database of domains that is 'cold' after
a boot and can't service PowerDNS fast enough, leading to frequent restarts
until the cache is sufficiently warm

Documentation deliverables:
  Document “the startup problem” for auth (DNSDIST, warm up the database etc)
  Document the Lua hooks (prequery) in Authoritative for people who really want 
‘dns control’ versus ‘write a backend’?
  Remove all 4.0 remarks from documentation, archive current version with 4.0 
data
  Separately, as tarball? 
 
Deprecations:
  geobackend (replaced by geoip)

For 4.1, we plan to build on the newly delivered infrastructure to deliver:

  Prefetching recursor: win the ‘google namebench latency contest’
Plus associated moderately scary infrastructure
  EDNS Subnet support outgoing: please Akamai
  Cache awareness included  cache upheavals
  DNSSEC-enable the API
Create key, add key, remove key etc + resign, rectify, the works
  “DNSflow async/tcp stream of all queries (qname, qtype, ip)”: preparation for 
our analytics
  Generic Key-Value-Range DB for the million-million challenge
Million records, million queries/second
  Dyndns http wrapper
  Validator testing ready for the DNSSEC awareness of 4.0

Good luck and please let us know your thoughts! And if you made it this far:
when will 4.0 happen?  We have written down December 2 2015 as the 'formal
launch date', but conceivably it will be earlier. 

Bert



Re: [Pdns-users] dnsdist build error : dnsdist.cc:868:22: error: use of undeclared identifier 'rl_abort'

2015-06-09 Thread bert hubert
On Mon, Jun 08, 2015 at 09:34:07PM -0700, indranil.db wrote:
> I am trying to build tarball from
> http://buildmaster1.test.powerdns.plexis.eu/#/builders/7

Please specify what operating system, compiler version etc.

https://www.powerdns.com/mailing-lists.html has a list of things we need to
know so we can help you.

Bert

 
> dnsdist.cc:868:22: error: use of undeclared identifier 'rl_abort'
>     rl_bind_key('\t',rl_abort);
>                      ^
> dnsdist.cc:871:23: error: use of undeclared identifier 'rl_abort'
>     rl_bind_key('\t', rl_abort);
>                       ^
> 2 warnings and 5 errors generated.
> make[2]: *** [dnsdist.o] Error 1
> make[1]: *** [all-recursive] Error 1
> make: *** [all] Error 2
>
> The same is observed when tried to make the source code from the Github
> repo.
>
> Any help will be appreciated
>
> Thanks and regards,
> -- IB
 
 
 


[Pdns-users] dnsdist too! Re: PowerDNS needs your help: what are we missing?

2015-05-26 Thread bert hubert
Hi everybody,

We're already getting decent amounts of feedback, please keep it up. We also
got a question if we are looking for suggestions on dnsdist: yes, very much
so!

http://blog.powerdns.com/2015/03/11/introducing-dnsdist-dns-abuse-and-dos-aware-query-distribution-for-optimal-performance/
and
http://dnsdist.org/

A version of the email below with clickable links is on
http://blog.powerdns.com/2015/05/26/powerdns-needs-your-help-what-are-we-missing/

Thanks!

Bert

On Mon, May 25, 2015 at 02:34:38PM +0200, bert hubert wrote:
> Hi everybody,
>
> As we're working on PowerDNS 4.x, we are wondering: what are we missing?
>
> The somewhat longer story is that as a software developer, a sort of
> feature-blindness appears. We try to make the software better, faster etc,
> but by focusing so much on the technology, one can lose sight of the use
> case.
>
> In this way it is possible that a software vendor neglects to implement
> something, even though many users desperately want it. If so, please speak
> up! The short version: please mail powerdns.id...@powerdns.com your ideas!
>
> As concrete examples, PowerDNS took its time to add an API, and once we had
> it, people immediately started using it, even before we had documented the
> API. Similarly, for many years, we did not deliver a proper graphing
> solution, and now that it is there it is highly popular.
>
> But what more are we missing? Should we expand into IPAM and do DHCP and IP
> address management? Should we make an out of the box NAT64/DNS64 solution?
> Do we need to improve replication beyond database native and AXFR-based
> (so 'super-duper-slave'?)?
>
> Should we start doing versioned databases so people can roll back changes?
> IXFR?
>
> Should we add a built-in DNS based load balancer where we poll if your IP
> addresses are up?
>
> Or would it be wise to move on beyond the geographical versatile backends,
> and simply add 'US' and 'Europe', 'Oceania', 'Asia' IP address profiles?
>
> Should the recursor gain cache sharing abilities? Or pre-fetching? Or even
> TTL-faking in case auths are down?
>
> The list above is just to prime your imagination: if you have any ideas on
> what you are missing, please reach out to powerdns.id...@powerdns.com!
>
>   Bert
 
 
 


[Pdns-users] PowerDNS needs your help: what are we missing?

2015-05-25 Thread bert hubert
Hi everybody,

As we're working on PowerDNS 4.x, we are wondering: what are we missing?

The somewhat longer story is that as a software developer, a sort of
feature-blindness appears. We try to make the software better, faster etc,
but by focusing so much on the technology, one can lose sight of the use
case.

In this way it is possible that a software vendor neglects to implement
something, even though many users desperately want it. If so, please speak
up! The short version: please mail powerdns.id...@powerdns.com your ideas!

As concrete examples, PowerDNS took its time to add an API, and once we had
it, people immediately started using it, even before we had documented the
API. Similarly, for many years, we did not deliver a proper graphing
solution, and now that it is there it is highly popular.

But what more are we missing? Should we expand into IPAM and do DHCP and IP
address management? Should we make an out of the box NAT64/DNS64 solution?
Do we need to improve replication beyond database native and AXFR-based
(so 'super-duper-slave'?)? 

Should we start doing versioned databases so people can roll back changes? 
IXFR? 

Should we add a built-in DNS based load balancer where we poll if your IP
addresses are up?

Or would it be wise to move on beyond the geographical versatile backends,
and simply add 'US' and 'Europe', 'Oceania', 'Asia' IP address profiles?

Should the recursor gain cache sharing abilities? Or pre-fetching? Or even
TTL-faking in case auths are down?

The list above is just to prime your imagination: if you have any ideas on
what you are missing, please reach out to powerdns.id...@powerdns.com!

Bert





[Pdns-users] PowerDNS 2.x End of Life Statement

2015-05-22 Thread bert hubert
PowerDNS 2.x End of Life Statement
21st of May 2015

PowerDNS Authoritative Server 2.9.22 was released more than 6 years ago, in 
January 2009. Because of its immense and durable popularity, some patch 
releases have been provided, the last one of which (2.9.22.6) was made 
available over three years ago in January 2012.

The 2.9.22.x series contains a number of probable and actual violations of the 
DNS standards. In addition, some behaviours of 2.9.22.x are standards 
conforming but cause interoperability problems in 2015. Finally, 2.9.22.4 and 
earlier are impacted by PowerDNS Security Advisory 2012-01
https://doc.powerdns.com/md/security/powerdns-advisory-2012-01/, which means 
PowerDNS can be used in a Denial of Service attack.

Although we have long been telling users that we can no longer support the use 
of 2.x, and urging upgrades to 3.x, with this statement we formally declare 2.x 
end of life.

This means that any 2.x issues will not be addressed. This has been the case 
for a long time, but with this statement we make it formal.

To upgrade to 3.x, please consult the instructions on how to upgrade the 
database https://doc.powerdns.com/md/authoritative/upgrading/#29x-to-30. If 
you need help with upgrading, we provide migration services
https://www.powerdns.com/support-services-consulting.html to our supported 
users. If you are currently running 2.9.22 and need help to tide you over, we 
can also provide that as part of a support agreement 
https://www.powerdns.com/support-services-consulting.html.

But we urge everyone to move on to PowerDNS Authoritative Server 3.4 or later – 
it is a faster, more standards conforming and more powerful nameserver!



Re: [Pdns-users] DH and SSL Problems

2015-05-21 Thread bert hubert
Dean,

I think you ended up on the wrong mailing list! Sadly DNS does not employ
any DH exchanges right now..

Bert

> It seems there is some issue with DH. Details are available in the
> usual places.
>
> This website is getting posted around the place. Perhaps someone can
> send in exim details?
>
> https://weakdh.org/sysadmin.html
>
> Also perhaps the Debian wiki? https://wiki.debian.org/Exim
>
> Dean
 


Re: [Pdns-users] Unable to bind to UDP socket to '0.0.0.0:53': Permission denied

2015-05-21 Thread bert hubert
On Thu, May 21, 2015 at 04:00:40PM +0530, sumit sharma wrote:
> Hi,
>
> I am using powerdns on RHEL6.4. In order to use SO_REUSEPORT I upgraded the
> kernel to 3.9.11.
> I am using the configuration
>
> receiver-threads=4
> reuseport=yes
>
> When I switch on the reuseport, I see the below error exactly thrice.
>
> binding UDP socket to '0.0.0.0:53': Permission denied
> Unable to reuse port, falling back to original bind

Are you running as root or with permission to bind to 0.0.0.0:53 in the
first place?

Can you check if you get the same error without reuseport?

Bert

 
> Am I missing any step? Please advise.
>
> Thanks



Re: [Pdns-users] pdns stopped working after update from 3.4.1 to 3.4.4

2015-05-15 Thread bert hubert
Arnaud,

It is probably attempting to read the gsqlite3 module from 3.4.1 into 3.4.4.

Double check if the modules for 3.4.4 are installed and where 3.4.4 is
looking for them!

Bert

On Fri, May 15, 2015 at 03:36:04PM +0200, Arnaud Meyer wrote:
> Hi,
>
> I'm using pdns with sqlite3 on debian wheezy with packages from
> wheezy-backports. After an update from version 3.4.1 to version
> 3.4.4 pdns stopped working. I'm getting the following errors in the
> log:
>
> May 15 09:24:48 - pdns[19542]: TCP server is unable to launch
> backends - will try again when questions come in: Undefined but
> needed argument: 'gsqlite3-update-account-query'
> May 15 09:24:48 - pdns[19542]: Caught an exception instantiating a
> backend: Undefined but needed argument: 'gsqlite3-update-account-query'
> May 15 09:24:48 - pdns[19542]: Cleaning up
> May 15 09:24:48 - pdns[19542]: Exiting because communicator thread
> died with error: Undefined but needed argument:
> 'gsqlite3-update-account-query'
>
> Does anyone know what this means? Thanks!
>
> Arnaud
 


Re: [Pdns-users] PowerDNS Recursor on multiple IPs within one machine

2015-05-12 Thread bert hubert
On Sat, May 09, 2015 at 06:01:40AM -0700, Anton wrote:
> I am testing PowerDNS Recursor with adns resolver. It has adnshost command to
> check A records.

Hi Anton,

I don't entirely understand your question. If you do benchmarking tests, by
all means use a recent version of PowerDNS, check your network for
connection tracking (stateful) filters, check the powerdns startup log if
sufficient file descriptors are available, if you use IPv6 if you followed
the tuning instructions logged at startup.

If you do a test, enable performance graphing as described in
http://blog.powerdns.com/2014/12/11/powerdns-graphing-as-a-service/

This allows you and us to see what bottlenecks you might be hitting.

Good luck!

Bert

 
 My machine is 
 Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz (8x3.40GHz)
 Ram is 16 Gb
 
 Async method of adns gives very very poor unstable results. 
 For example, if we check 100.000+ domain names of .pro domain zone handling
 5000 domains by one request, the result will be very unstable and
 unpredictable. Up to 90% of existing domains could not be recognized. With
 250 domains by one async request it works much slower than it could work in
 sync requests with same number of threads.
 
 If we use adnshost in domain by domain mode it gives rather complete
 result of existing A records.
 
 I have also used 120.000.000+ domain names list of .com .net .org .info and
 other zones to go through .co.uk zone with different number of threads to
 find optimal number of threads.
 
 With 1000 threads it will be 12-13 Mb of A records results.
 With 250 threads it will be up to 200 Mb of A records results. 
 
 So I want to understand what is it. 
 Currently in my tests it looks like root servers could cut some abnormal
 connections from one IP address.
 
 On other hand, 1000 threads works rather good on combined list of really
 existing domains like .com .org .net zones etc.
 250 threads also works good but, of course, it is slower.
 
 
 


Re: [Pdns-users] DNS-OARC livestream with PowerDNS

2015-05-11 Thread bert hubert
And really this is the last of it, but the presentation can be viewed on
https://www.youtube.com/watch?feature=player_embedded&v=PX3YYmBER7E#t=6403
and also contains various other potentially interesting powerdns things.

A full writeup of the meeting has been published on our blog,
http://blog.powerdns.com/2015/05/11/dns-oarc-spring-workshop-2015/

Bert

On Sun, May 10, 2015 at 11:14:46AM +0200, Peter van Dijk wrote:
 Hello,
 
 On 10 May 2015, at 9:17, bert hubert wrote:
 
 Hi everybody,
 
 This afternoon, in around 5 hours, we will present dnsdist at
 DNS-OARC. You
 can follow the livestream here:
 
 https://plus.google.com/events/c05u02q7bjd4glm2g505pm0t3fs
 
 This URL is for the morning session - please click
 https://plus.google.com/events/cs20c8p5gv4dluuscdq8ingg12o instead
 to see the afternoon session with Bert in it!
 
 Kind regards,
 -- 
 Peter van Dijk
 PowerDNS.COM BV - https://www.powerdns.com/
 


[Pdns-users] DNS-OARC livestream with PowerDNS

2015-05-10 Thread bert hubert
Hi everybody,

This afternoon, in around 5 hours, we will present dnsdist at DNS-OARC. You
can follow the livestream here:

https://plus.google.com/events/c05u02q7bjd4glm2g505pm0t3fs

We're up on 16:00 Amsterdam time. Details about our presentation, including
PDF, are on https://indico.dns-oarc.net/event/21/contribution/20

More on dnsdist on http://dnsdist.org/ dnsdist is a highly DNS-, DoS- and
abuse-aware loadbalancer. Its goal in life is to route traffic to the best
server, delivering top performance to legitimate users while shunting or
blocking abusive traffic.

Bert



Re: [Pdns-users] Issue with mydns backend?

2015-05-08 Thread bert hubert
On Fri, May 08, 2015 at 05:18:06PM -0400, Steve Young wrote:
 Hi,
I've built pdns with the following options:
 
 ./configure --with-modules=bind gmysql mydns --without-lua

Try:

./configure --with-modules="bind gmysql mydns" --without-lua

With the quotes.

Good luck!

Bert

 
 and the libraries are there but I get this message in the logs over and
 over again:
 
 May  8 17:15:24 ns1 pdns[6839]: Respawning
 
 May  8 17:15:25 ns1 pdns[9289]: Guardian is launching an instance
 
 May  8 17:15:25 ns1 pdns[9289]: Reading random entropy from '/dev/urandom'
 
 May  8 17:15:25 ns1 pdns[9289]: Unable to load module
 '/usr/lib64/pdns/libmydnsbackend.so': /usr/lib64/pdns/libmydnsbackend.so:
 undefined symbol: _ZN10DNSBackend7getAuthEP9DNSPacketP7SOADataRKSsi
 
 May  8 17:15:25 ns1 pdns[9289]: dnsbackend unable to load module in mydns
 
 May  8 17:15:26 ns1 pdns[6839]: Our pdns instance exited with code 1
 
 
 Anyone have an idea on how to correct this?  Thanks,
 
 
 -Steve



Re: [Pdns-users] PowerDNS recursor on multi-core machine

2015-05-06 Thread bert hubert
On Wed, May 06, 2015 at 03:00:57PM +0700, Vu Le wrote:
 Does 8-core limitation still apply for recent version of
 pdns-recursor? If the answer is yes, what is the best way to fully
 utilize all cores on a 20-core machine. I guess I will have to use
 multiple instances?

Hi Vu Le,

It really depends - we've been doing measurements, and find that while more
cores do not increase bulk performance a lot, they do wonderful things for
query latency, especially when under some kind of attack.

But it is probably still true that threads=20 does not get you the best
performance.

You might get very good results with 4 PowerDNS Recursor each with
threads=4, and then use dnsdist to loadbalance between them. You can also
just run 4 recursors on 4 IP addresses of course and hand those out.

For more details, see http://dnsdist.org/

The reasons why we can't scale to infinity are multiple by the way. Threads
share stuff, even when you don't want them to: they share the socket, a
random generator, the malloc implementation, and within the C and C++
libraries there are loads of locks. 

We currently recommend that you try to scale to no more than 70kqps per
server, as above that level, the resulting query loads can start to reach
500kqps which tends to max out most server hardware, unless you are very
careful.

Good luck!

Bert


 
 Thanks everybody
 Vu Le.
 
 P/S: Sorry for accidentally hitting send button on last email.
 


Re: [Pdns-users] Records going missing in 3.4.4

2015-05-01 Thread bert hubert
On Fri, May 01, 2015 at 11:13:22AM -0700, Mark Moseley wrote:
 Of all the things I cleaned up, one thing I *didn't* clean up a lot of
 records with trailing dots in the content field (for NS/MX/CNAME records).

This could easily confuse things. If PowerDNS chases a CNAME and it
encounters a trailing dot, it tries to look that one up in the database. If
it then does not find that, it could turn the whole packet into an NXDOMAIN
and cache that.

Same thing with NS records and delegations etc.

The query-cache might conceivably also cache lacking records with a trailing
dot, but unsure.

I'd suggest cleaning up all those trailing dots and seeing what happens. If
the problem persists we could spend more time on it.

 We're in the middle of a big cleanup to eradicate these trailing dots and
 are back on 3.4.2 for the time being till we can get it done. But I was
 curious if a) this was a known issue; or b) anyone's seen it before, since
 the trailing dots part could be a red herring.

I have seen lots of weirdness with trailing dots, and above you can find one
scenario where you could get an NXDOMAIN. 


Bert

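
Added example, not part of the original message and not PowerDNS code: one way to audit a records table for the trailing dots discussed above before cleaning them up. The cut-down 'records' table (id, name, type, content), the sample rows and all function names are assumptions made for this sketch; target_exists() is only a simplified model of the lookup Bert describes.

```python
import sqlite3

# Types whose content field holds a hostname (the ones named in the thread).
HOSTNAME_TYPES = ("NS", "MX", "CNAME")

# Constructed sample rows: (id, name, type, content).
SAMPLE_ROWS = [
    (1, "example.com", "NS", "ns1.example.com."),           # trailing dot
    (2, "example.com", "NS", "ns2.example.com"),
    (3, "www.example.com", "A", "192.0.2.10"),
    (4, "alias.example.com", "CNAME", "www.example.com."),  # trailing dot
    (5, "example.com", "MX", "mail.example.com."),          # trailing dot
    (6, "example.com", "TXT", "Visit example.com."),        # free text, not a hostname
    (7, "nomail.example.com", "MX", "."),                   # bare dot, left alone
]


def make_sample_db():
    """Build an in-memory database with a cut-down 'records' table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT, type TEXT, content TEXT)"
    )
    conn.executemany("INSERT INTO records VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_trailing_dots(conn):
    """Return (id, name, type, content) for hostname records whose content ends in a dot.

    A content of exactly '.' is skipped: stripping it would leave an empty target.
    """
    placeholders = ",".join("?" for _ in HOSTNAME_TYPES)
    sql = (
        "SELECT id, name, type, content FROM records "
        f"WHERE type IN ({placeholders}) AND content LIKE '%.' AND content <> '.' "
        "ORDER BY id"
    )
    return conn.execute(sql, HOSTNAME_TYPES).fetchall()


def target_exists(conn, target):
    """Simplified model of the chase: exact-match lookup of a target in 'name'."""
    row = conn.execute(
        "SELECT COUNT(*) FROM records WHERE name = ?", (target,)
    ).fetchone()
    return row[0] > 0


def strip_trailing_dots(conn):
    """Remove the trailing dots in one transaction; return the number of rows changed."""
    rows = find_trailing_dots(conn)
    with conn:
        for rec_id, _name, _type, content in rows:
            conn.execute(
                "UPDATE records SET content = ? WHERE id = ?",
                (content.rstrip("."), rec_id),
            )
    return len(rows)


if __name__ == "__main__":
    db = make_sample_db()
    for rec in find_trailing_dots(db):
        print("trailing dot:", rec, "target found as stored:", target_exists(db, rec[3]))
    print("rows fixed:", strip_trailing_dots(db))
```

Run the find step on its own first and review the list before applying the update to a production database.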


[Pdns-users] PowerDNS 4.x development: PowerDNS git master is now 4.x C++ 2011 only!

2015-04-29 Thread bert hubert
Hi everybody!

As we had announced back in February in
http://mailman.powerdns.com/pipermail/pdns-dev/2015-February/001481.html we
have moved the main git repository ('master') of PowerDNS over to PowerDNS
4.x development. 

This means that if you track the git master, and do a pull, you'll now get a
pretty different codebase than what you were used to. It does pass a lot of
tests, but if you follow git master, it will be a wild ride for a while.

If we'll do 3.x-based developments, as also described on
http://blog.powerdns.com/2015/02/23/powerdns-development-plans-4-x-dnssec-c-2011/
, we'll do these on specific branches (for example, we have rel/rec-3.7.2
and rel/auth-3.4.5 etc). We will let you know what to follow when the time
comes.

If you have any questions, please ask away! And if you want to know more
about our 4.x plans, including DNSSEC in the recursor, please check out the
linked blog post.

Bert



[Pdns-users] PowerDNS Authoritative Server 2.9.22 issues

2015-04-27 Thread bert hubert
Hi everybody,

We've recently been contacted regarding issues people are having with
PowerDNS 2.9.22.x. While we are sympathetic, and seeing if we can do a
workaround with configuration statements or judicious use of 'dnsdist' (see
http://dnsdist.org), please be aware that we will not issue any further
2.9.22 releases.

PowerDNS Authoritative Server 2.9.22 is now more than 6 years old (!) and is
turning into the Windows XP of nameservers. It may well be the most
deployed version of PowerDNS.

As a heads up, please know that we'll be issuing a formal 'End of Life'
statement for 2.9.22.x shortly. We realize that this will make some people
(within your organization) unhappy, so this is your advance warning.

We have also upgraded our documentation to reflect the lack of further
updates.

To upgrade to 3.x, consult
https://doc.powerdns.com/md/authoritative/upgrading/#29x-to-30 . If you need
help upgrading, please feel free to either email your questions to the list,
or to contact us for private (paid) support, see
https://www.powerdns.com/support.html

Thanks for your understanding.

Bert
PowerDNS



[Pdns-users] First use of the PowerDNS 'upgrade now' system today

2015-04-24 Thread bert hubert
Hi everybody,

In response to the security releases we did yesterday, we've activated the
built-in PowerDNS 'upgrade now' system for the first time, and we have a
question for you.

This system is described in
http://blog.powerdns.com/2014/10/22/powerdns-security-status-polling/ and
documented on https://doc.powerdns.com/md/common/security/#security-polling

As you are upgrading, could you check if the message was logged correctly to
your syslog? We'd like to know if the system works as intended.

And, while we have your attention, we'd like to remind you that if you poll
the 'security-status' metric of PowerDNS (which you can also plot if you
want), you can get your monitoring system to warn you about upgrades!

See the second URL for how this works. Thanks!

Bert

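
Added example, not part of the original message and not PowerDNS code: a monitoring check that turns the 'security-status' metric into Nagios-style exit codes. It assumes the documented meaning of the values (0 = no data, 1 = OK, 2 = upgrade recommended, 3 = upgrade mandatory) and a TXT payload of the form "<number> <text>"; the function names and sample strings are made up for this sketch.

```python
import subprocess

# Nagios-style plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Assumed mapping of security-status values to monitoring states.
# 0 means the poll has not succeeded, so it must never be reported as OK.
STATES = {
    0: (UNKNOWN, "UNKNOWN", "no security status retrieved yet"),
    1: (OK, "OK", "no known security issues for this version"),
    2: (WARNING, "WARNING", "upgrade recommended"),
    3: (CRITICAL, "CRITICAL", "upgrade mandatory"),
}


def secpoll_name(product, version):
    """Name that is polled, in the form seen in the server log."""
    return "%s-%s.security-status.secpoll.powerdns.com." % (product, version)


def parse_secpoll_txt(txt):
    """Split a TXT payload such as '"3 Upgrade now"' into (status, message)."""
    fields = txt.strip().strip('"').split(None, 1)
    try:
        status = int(fields[0])
    except (IndexError, ValueError):
        raise ValueError("not a secpoll TXT payload: %r" % txt)
    return status, (fields[1] if len(fields) > 1 else "")


def evaluate(status, detail=""):
    """Map a status value to (exit_code, one-line plugin output)."""
    code, label, text = STATES.get(
        status, (UNKNOWN, "UNKNOWN", "unexpected value %r" % status)
    )
    line = "%s - security-status=%s: %s" % (label, status, text)
    if detail:
        line += " (%s)" % detail
    return code, line


def evaluate_metric_output(raw):
    """Evaluate the text printed for the metric; unreadable input is UNKNOWN."""
    try:
        status = int(raw.strip())
    except (AttributeError, ValueError):
        return UNKNOWN, "UNKNOWN - could not read security-status"
    return evaluate(status)


def read_metric():
    """Ask a local Authoritative Server for the metric; None if that fails."""
    try:
        out = subprocess.run(
            ["pdns_control", "show", "security-status"],
            capture_output=True, text=True, timeout=5, check=True,
        )
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout


if __name__ == "__main__":
    import sys
    code, line = evaluate_metric_output(read_metric())
    print(line)
    sys.exit(code)
```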


Re: [Pdns-users] DNSSEC, pdns-recursor and libunbound

2015-04-24 Thread bert hubert
On Fri, Apr 24, 2015 at 11:07:46PM +0200, l...@consolejunkie.net wrote:
 The answer I got was:
 
 The validation is in comparison the easy part, changing the recursor
 to return the DNSSEC-information is more work.

We're on it people!
http://blog.powerdns.com/2015/02/23/powerdns-development-plans-4-x-dnssec-c-2011/

One reason it has been taking longer is that the large scale users are
worried about DNS in general, and have not had an appetite to add DNSSEC to
their worries.

In part, our work on dnsdist and DoS prevention had to happen before we can
expect enthusiasm about validation on large scale. 

But this year for real. Watch this space.

Bert

 
 So now you know.
 
 Have a good weekend,
  Leen.
 


[Pdns-users] job alert: sales engineers and technical staff Japan

2015-04-20 Thread bert hubert
Hi everybody,

Open-Xchange, Dovecot and PowerDNS are expanding in Japan.  Therefore we are
looking for Sales Engineers and Technical Staff.

Ability to work and function in Japan is of course required for these jobs.

If you are interested in joining our team, please contact me!

Bert




Re: [Pdns-users] Important PowerDNS announcement: merging with Open-Xchange!

2015-03-28 Thread bert hubert
Hi everybody,

As a followup to the announcement below, we had a great time at World
Hosting Days and met many current and possibly future PowerDNS users.

Some of you have asked for some clarification why we took this step, you can
find interesting perspectives in this The Register article:
http://www.theregister.co.uk/2015/03/24/open_xchange_skype_dovecot_merger/?page=2

The thing is, PowerDNS may power 40 - 50 per cent of all the domain names
out there – per principal author Bert Hubert – but the company has until now
had a grand total of two staff members. It's impressive that they've been
able to support as many users as they have through big-name customers such
as Deutsche Telekom and BT, but they've been limited on the sales front.

According to Hubert: We were servicing the needs of hundreds of millions of
internet users and servicing them well, but in the open-source world people
noticed that sometimes PowerDNS development would cease for a month or two,
because we were doing sales.

Merging with Open-Xchange, which has about 150 employees, fixes that problem
for PowerDNS - and does much the same thing for Dovecot too; both companies
can now just get on with it rather than having to tout around for
investments in order to grow.

This link also covers it:
http://www.thewhir.com/web-hosting-news/open-xchange-ceo-talks-dovecot-powerdns-mergers-whd-global-2015

And Open-Xchange blogged this:
http://blog.open-xchange.com/2015/03/24/powerdns/

Again, if you have any further questions, please do not hesitate to contact
us!

Bert

On Tue, Mar 24, 2015 at 11:37:43AM +0100, bert hubert wrote:
 Hi everybody,
 
 We’re currently at World Hosting Days[1] in Rust Germany, where we just
 announced that PowerDNS will be joining the Open-Xchange family of
 companies.  Last week it was also announced[2] that the famous Dovecot IMAP
 server project is now a part of OX[3] too.
 
 We’ve been working with Timo and his team at Dovecot and with the OX Team in
 Email Security projects and are already sharing personnel and infrastructure
 with each other and the cooperation works really well for all of us.
 
 From the Open-Xchange[4] website: “With over a decade of developing
 open-source software, Open-Xchange believes that only by engineering
 ruthlessly open products and services can the next generation of innovation
 emerge on the web.  “Stay Open” contains many aspects of how we develop,
 engineer and deploy our products together with and for client-partners.”
 
 We fully believe in that mission, and are glad that PowerDNS will become
 part of the Open-Xchange family.  It will be great to have Timo and friends
 from Dovecot as cousins!
 
 We’ll share more details of what the merger will and will not mean, but rest
 assured PowerDNS will stay as open and as community friendly as it has ever
 been.
 
 Meanwhile, if you are at WHD, please come meet us at the Open-Xchange booth!
 
 Also if you have any concerns, worries or questions about this development,
 please contact us.
 
 
 Bert, Peter and Pieter
 
 [1] http://whd.global/
 [2] http://www.open-xchange.com/announcements/18
 [3] http://www.dovecot.fi/
 [4] http://www.open-xchange.com/home
 
 



Re: [Pdns-users] PowerDNS core dumps on FreeBSD 10.1 in a Jail when master=yes

2015-03-26 Thread bert hubert
Hi,

The story here is:
 Mar 26 13:10:35 Exiting because communicator thread died with STL error: 
 Creating local resolver socket for ::, does your OS miss IPv6?: Bad file 
 descriptor

PowerDNS can’t generate an IPv6 socket. You can probably solve that by setting: 
query-local-address6=

In the config file. This will disable PowerDNS from attempting to open up an 
IPv6 socket for notifications.

Can you let us know if that helps?

Bert

 On 26 Mar 2015, at 17:25, Aki Tuomi cmo...@youzen.ext.b2.fi wrote:
 
 On Thu, Mar 26, 2015 at 02:21:25PM +0100, Thor  E. Lie wrote:
 I have a few zones that I wish to send notify to a few bind servers.
 I've set up the notify and allow transfers for them and powerdns starts
 fine then, but once I set master=yes in my powerdns 
 config(/usr/local/etc/pdns/pdns.conf)
 the following happens:
 
 $ service pdns monitor
 Mar 26 13:10:33 Reading random entropy from '/dev/urandom'
 Mar 26 13:10:33 Loading '/usr/local/lib/pdns/libgmysqlbackend.so'
 Mar 26 13:10:33 [gmysqlbackend] This is the gmysql backend version 3.4.3 
 (Mar 20 2015, 16:33:08) reporting
 Mar 26 13:10:33 This is a standalone pdns
 Mar 26 13:10:33 UDP server bound to 10.0.0.3:53
 Mar 26 13:10:33 TCP server bound to 10.0.0.3:53
 Mar 26 13:10:33 PowerDNS Authoritative Server 3.4.3 
 (jenk...@autotest.powerdns.com) (C) 2001-2015 PowerDNS.COM BV
 Mar 26 13:10:33 Using 64-bits mode. Built on 20150320163720 by 
 r...@pkg.thorerik.com, clang 3.4.1 (tags/RELEASE_34/dot1-final 208032).
 Mar 26 13:10:33 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free 
 software, and you are welcome to redistribute it according to the terms of 
 the GPL version 2.
 Mar 26 13:10:35 Could not retrieve security status update for '3.4.3' on 
 'auth-3.4.3.security-status.secpoll.powerdns.com.', RCODE = Server Failure
 Mar 26 13:10:35 Master/slave communicator launching
 Mar 26 13:10:35 Creating backend connection for TCP
 % Mar 26 13:10:35 gmysql Connection successful. Connected to database 'pdns' 
 on '10.0.0.2'.
 Mar 26 13:10:35 About to create 3 backend threads for UDP
 Mar 26 13:10:35 gmysql Connection successful. Connected to database 'pdns' 
 on '10.0.0.2'.
 Mar 26 13:10:35 Exiting because communicator thread died with STL error: 
 Creating local resolver socket for ::, does your OS miss IPv6?: Bad file 
 descriptor
 Mar 26 13:10:35 gmysql Connection successful. Connected to database 'pdns' 
 on '10.0.0.2'.
 Bus error (core dumped)
 
 
 
 Can you run 
 
 gdb /path/to/pdns_server /path/to/core 
 bt
 quit 
 


[Pdns-users] Important PowerDNS announcement: merging with Open-Xchange!

2015-03-24 Thread bert hubert
Hi everybody,

We’re currently at World Hosting Days[1] in Rust Germany, where we just
announced that PowerDNS will be joining the Open-Xchange family of
companies.  Last week it was also announced[2] that the famous Dovecot IMAP
server project is now a part of OX[3] too.

We’ve been working with Timo and his team at Dovecot and with the OX Team in
Email Security projects and are already sharing personnel and infrastructure
with each other and the cooperation works really well for all of us.

From the Open-Xchange[4] website: “With over a decade of developing
open-source software, Open-Xchange believes that only by engineering
ruthlessly open products and services can the next generation of innovation
emerge on the web.  “Stay Open” contains many aspects of how we develop,
engineer and deploy our products together with and for client-partners.”

We fully believe in that mission, and are glad that PowerDNS will become
part of the Open-Xchange family.  It will be great to have Timo and friends
from Dovecot as cousins!

We’ll share more details of what the merger will and will not mean, but rest
assured PowerDNS will stay as open and as community friendly as it has ever
been.

Meanwhile, if you are at WHD, please come meet us at the Open-Xchange booth!

Also if you have any concerns, worries or questions about this development,
please contact us.


Bert, Peter and Pieter

[1] http://whd.global/
[2] http://www.open-xchange.com/announcements/18
[3] http://www.dovecot.fi/
[4] http://www.open-xchange.com/home





[Pdns-users] World Hosting Days & Private graphs

2015-03-17 Thread bert hubert
Hi everybody,

Two announcements in one: First, like 7000 others, we'll be visiting World
Hosting Days in Rust, Germany next week.  Peter, Pieter and I will be there,
as will be two of our wonderful Certified Consultants (Kees Monshouwer and
Christian Hofstaedtler).

If you want to meet up, please email any of us and we can coordinate. The
PowerDNS team will in any case be available for drinks!  We always like to
hear from users since you have more experience running PowerDNS than we do,
and can help us guide new features.

Secondly, last year we made our 'public graphing as a service' available,
as described on
http://blog.powerdns.com/2014/12/11/powerdns-graphing-as-a-service/

Today, we're happy to announce that we now also have a private variant for
supported customers and selected users.  This means you can benefit from a
one-line setup in PowerDNS (simply set the 'carbon-server' variable and you
are done), and view all your PowerDNS instances from one single interface,
and in private.

If you'd like to use our private graphing service, please contact us for
details.

The public instance on 
http://xs.powerdns.com/metronome/?server=All&beginTime=-7200 is now
receiving over 1 gigabyte of graphs every week, so we think we are
fulfilling a need!

Cheers,

Bert
PowerDNS



[Pdns-users] Introducing dnsdist: DNS, abuse- and DoS-aware query distribution for optimal performance

2015-03-11 Thread bert hubert
Hi everybody,

We just posted the following on our blog:
http://blog.powerdns.com/2015/03/11/introducing-dnsdist-dns-abuse-and-dos-aware-query-distribution-for-optimal-performance/

Summary:

Introducing dnsdist: DNS, abuse- and DoS-aware query distribution for
optimal performance

Over the years, PowerDNS users have frequently asked us about our preferred
DNS load balancing solution, and we’ve never had a satisfying answer for
that. Users of dedicated hardware often tell us that vendors spend most of
their time and effort on balancing HTTP, and frequently deliver substandard
or even buggy DNS functionality.

(...)
Putting these three things together (no really satisfying DNS aware load
balancer, drive for the very best performance, ongoing attacks) led us to
pollute the waters of the internet with yet another piece of software:
dnsdist.

From its README:

“dnsdist is a highly DNS-, DoS- and abuse-aware loadbalancer. Its goal in
life is to route traffic to the best server, delivering top performance to
legitimate users while shunting or blocking abusive traffic.”

The full post is on:

http://blog.powerdns.com/2015/03/11/introducing-dnsdist-dns-abuse-and-dos-aware-query-distribution-for-optimal-performance/

Please let us know your thoughts!

Bert



[Pdns-users] Standardized DNS Record Types Not Supported by PowerDNS

2015-03-09 Thread bert hubert

 Sounds like the Supported Record Types page needs updating to add KX and 
 IPSECKEY.

Patches are welcome. It is very easy to update our Markdown documentation these 
days. https://github.com/PowerDNS/pdns/blob/master/docs/markdown/types.md and 
press the edit (pencil) icon.

 Too bad about DNAME. I'd try to submit a patch but I'm a little too busy with 
 what I'm doing right now to take the time to learn about PDNS's codebase.

DNAME is actually available, “experimental-dname-processing” makes that happen.

 TLSA does *not* supersede CAA—they work together. TLSA says here is the 
 valid public key for this host, and the client can reject any certs created 
 with other public keys. CAA says here is the valid certificate authority for 
 this host, and the client can reject any certs signed by any other 
 certificate authority. TLSA *does* increase security significantly on its 
 own, but adding CAA makes it even more secure.

If you have a CAA record and can point to a client that verifies it, we could 
look into it. It is very hard to implement things where we have to hunt for a 
client first. 

Bert





Re: [Pdns-users] Configure private subdomain

2015-03-03 Thread bert hubert
On Tue, Mar 03, 2015 at 01:31:21PM +0200, Nikolaos Milas wrote:
 We are using pdns-2.9.22 with LDAP backend, using the Simple LDAP
 architecture.
(...)
 internal.example.com and to not send AXFRs to the other master
 servers, as specified in nSRecord attribute, for this particular
 subdomain.
 
 How can we do this?

I'm not entirely sure I understand your question, since AXFRs are not sent
but requested. However, I am sure that 2.9.22 can't do this.

In the 3.4 series we do have options to configure AXFR behaviour per domain,
https://doc.powerdns.com/md/authoritative/domainmetadata/ has a list.

So any solution will have to be found beyond 2.9.22. I am unsure how well
LDAP works in those releases though.
https://doc.powerdns.com/md/authoritative/backend-ldap/ has some words.

Bert



Re: [Pdns-users] PowerDNS Authoritative Server 3.4.3 released

2015-03-02 Thread bert hubert
Hi everybody,

With this message, I'd like to congratulate our newest employee Pieter for
doing a PowerDNS release on his first day of work!

Even though the trains failed massively this morning in The Netherlands, it
all worked out.

Welcome to the team Pieter!

We introduced him in our recent blogpost 
http://blog.powerdns.com/2015/02/12/new-powerdns-employee-the-importance-of-testing-rcs-skipping-3-7-0-world-hosting-days-2015/

Pieter wrote a paper and software on DANE under our mentorship while at the
OS3 program at the University of Amsterdam, and later did an amazing job
converting our documentation to the splendor you can now find on
http://doc.powerdns.com/ Based on this work, we offered Pieter a job and
we’re very happy he accepted!

Pieter (not to be confused with existing employee Peter) will focus on
helping customers, improving our code & infrastructure, fixing bugs and
working on internet standards relevant for DNS.

Bert

On Mon, Mar 02, 2015 at 04:02:53PM +0100, Pieter Lexis wrote:
 Hi everybody,
 
 We're pleased to announce the immediate availability of the PowerDNS
 Authoritative Server version 3.4.3. This release is an iteration over
 3.4.2, mainly fixing small issues, correcting wrong behavior in tools
 and adding work to the experimental API.
 
 One major change is the fact we now send REFUSED AA=0 instead of NOERROR
 AA=1 for domains that we have no knowledge of. Read the blog[1] for more
 information.
 
 Tar.gz and packages are available on:
 
 * https://downloads.powerdns.com/releases/
 * Soon: https://www.monshouwer.eu/download/3rd_party/pdns/
(RHEL/CentOS, with the usual huge thanks to Kees Monshouwer).
 
 The changelog with clickable links can also be found at the usual spot[2].
 
 Bug fixes:
  * pdns_control: exit 1 on unknown command (Ruben Kerkhof)
  * evaluate KSK ZSK pairs per algorithm (Kees Monshouwer)
  * always set di.notified_serial in getAllDomains (Kees Monshouwer)
  * pdns_control: don't open socket in /tmp (Ruben Kerkhof)
 
 New features:
  * Limit who can send us AXFR notify queries (Ruben Kerkhof)
 
 Improvements:
  * respond REFUSED instead of NOERROR for unknown zone situations
  * Check for Lua 5.3 (Ruben Kerkhof)
  * Check compiler for relro support instead of linker (Ruben Kerkhof)
  * Replace PacketHandler with UeberBackend where possible (Christian
 Hofstaedtler)
  * PacketHandler: Share UeberBackend with DNSSECKeeper (Christian
 Hofstaedtler)
  * fix building with GCC 5
 
 1 - http://blog.powerdns.com/2015/03/02/from-noerror-to-refused/
 2 - https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-343
 


Re: [Pdns-users] AXFR Crashes

2015-02-27 Thread bert hubert
On Fri, Feb 27, 2015 at 02:15:12PM -0800, Mark Moseley wrote:
 We don't do a lot (or practically any) AXFRs, so I hadn't noticed this
 before now.

Hi Mark,

You probably have something in the database that upsets us (which should not
happen of course).

Can you run pdnssec check-zone on example2.com and see what it says?

Bert



Re: [Pdns-users] How to add master zone through PowerDNS API?

2015-02-26 Thread bert hubert
On Thu, Feb 26, 2015 at 07:41:04PM +0100, Melvin Mughal wrote:
 I can't find any good reference on how to do this through the PowerDNS API.
 I want to post it a domain from the application via an API call and request
 to make a new master zone file for the domain with the zone template.

Hi Melvin,

Try:

# Create new zone example.org with nameservers ns1.example.org,
# ns2.example.org
curl -X POST --data '{"name":"example.org", "kind": "Master", "masters": [], "nameservers": ["ns1.example.org", "ns2.example.org"]}' \
  -v -H 'X-API-Key: changeme' http://127.0.0.1:8081/servers/localhost/zones | jq .

This is from: https://doc.powerdns.com/md/httpapi/README/

Can you let us know if this works?

Bert



[Pdns-users] PowerDNS development plans: 4.x DNSSEC, C++ 2011!

2015-02-23 Thread bert hubert
In this post, we’d like to share our current plans for .. PowerDNS 4.x!  We
shared this first with the PowerDNS-development community, and after we
gathered feedback, we’re now announcing it more broadly.

The tl;dr: For the next few months we will be spring cleaning git master,
and stable code and releases can be found in the auth-3.4 and rec-3.7
branches.  We'll also be moving to C++ 2011.  Please read on for the
whole story.

First some background. PowerDNS is a 15 year old software project, and over
these 1.5 decades, we have built up some ‘technical debt’
(http://en.wikipedia.org/wiki/Technical_debt), and it is time for a spring
cleaning in our code.

Meanwhile, we are broadening what our code does, to include for example
smart, DNS-native, load balancing and further denial of service mitigation. 
And of course, the major work of bringing carrier-grade DNSSEC to the
recursor.

Finally, we’ve fallen in love with C++ 2011, and we would like to start
taking advantage of this now 4 year old revision of C++.

All this means some important changes. For one, where it used to be the case
that our git ‘master’ was usually fit to run in production (and people
actually did this), for the coming few months please consider our master
branch a ‘heavy development zone’.  While we’ll try to keep things working,
it might break for hours or even days at a time.  Even though there will
be somewhat of a wild-west aspect to development, major changes will be
implemented as pull requests from separate branches that can be studied by
the community.

Meanwhile, PowerDNS 3.x development and maintenance will continue on
separate release branches.  The latest 3.x releases will remain actively
supported until 4.x is more powerful, more stable, and can be compiled on
Debian Stable (more about this later).  Active support means more than
passive maintenance, if there are pressing things that need to happen, they
will happen.  But the focus for new things will shift to 4.x.

(as an example, we are currently gathering the patches for auth-3.4.3, see
https://twitter.com/powerdns/status/569872447757025280 )

Things we will be addressing during our spring cleaning include:

   * We treat DNS names as ASCII strings, which we escape and unescape
 repeatedly.  DNS names are not ascii strings, and we keep finding
 issues related to us treating them like strings.

   * The PowerDNS Authoritative Server distributes queries to multiple
 backends inefficiently

   * The PowerDNS Recursor cache is both slower and less memory efficient
 than it could be

   * DNSSEC in the PowerDNS Recursor

   * Move our own atomic, locking and semaphore infrastructure to C++ 2011
 native

   * The Lua APIs use an ascii based interface for domain names and IP
 addresses, and this could be faster

One thing we are probably not going to do is change the database format, by
the way.

The somewhat bad news about the spring cleaning is that we’ll come out of it
as a C++ 2011 project, which means that to compile PowerDNS, you’ll need GCC
4.8 (released in March 2013).  Gcc 4.8 is not currently the default in
Debian stable or RHEL/CentOS 6, but it is available.

It is the default in RHEL7 and in what will become the next Debian stable. 
It also ships in Ubuntu 14.  We will also be targeting clang 3.5.  We have
chosen C++ 2011 for a variety of reasons, many of which are described in an
earlier blogpost
(http://bert-hubert.blogspot.nl/2015/01/on-c2011-quality-of-implementation.html).

NOTE: PowerDNS 4.x products WILL run on older distribution releases of
course!  However, on older distros, compiling with the system default
compiler may not work.

To clarify, the 4.x branch will not fundamentally alter PowerDNS. This
should not be compared to BIND 9 to BIND 10, for example (or even 8 to 9). 
Fundamentally we think the PowerDNS design is sound, it just needs a decent
spring cleaning.  This will come in especially handy when deploying our
DNSSEC validation.

So how long will it take until 4.x is production ready? We’ll let you know
once we get there, but we are hoping to finish the cleanup in several
months, after which we expect further work to iron out remaining issues.  In
any case, 3.x will remain supported until gcc 4.8 is widely available on
currently shipping distributions.

Thanks, and please again let us know your thoughts about this proposed plan.
Although this is what we intend to do, we can change our mind if there
are good reasons to do so!

PowerDNS




Re: [Pdns-users] Reply-To Change?

2015-02-23 Thread bert hubert
On Mon, Feb 23, 2015 at 12:48:49PM -0600, Nicholas Williams wrote:
 This frequently trips me up a lot, and I end up replying directly to people
 and not sending to the list. I don't see any good reason for not having a
 list reply-to. Also, IIRC, the list software PowerDNS is using supports
 having a list reply-to.

Oddly enough, the lists we are on do it 'our' way. We'd rather have it err to
your reply being more private than you intended than being more public than
you intended. 

 Can we get this change implemented?

Probably not - this has been the setting for 15 years, we've not heard more
complaints. Sorry!

Bert




Re: [Pdns-users] DNS names and strings (was: PowerDNS development plans: 4.x DNSSEC, C++ 2011!)

2015-02-23 Thread bert hubert
On Mon, Feb 23, 2015 at 12:44:54PM -0600, Nicholas Williams wrote:
 I'm also very interested in finding out more about the change around ASCII
 names.

I can recommend our ever growing set of test cases:
https://github.com/ahupowerdns/pdns/blob/dnsname/pdns/test-dnsname_cc.cc

DNS, surprisingly, is 8-bit clean. You can put any stream of octets in DNS
(up to a certain length). However, this is not how we print it.

http://www.ietf.org/rfc/rfc4343.txt has some words on this.

  Unfortunately the term string is used in many different ways.
  Could you please elaborate on what that means exactly?
  E.g. will this affect the way NON-ASCII DNS names are stored in backend
  files?

No, it is not intended to make any changes, except for where we got it
wrong.

We internally have loads of places where we convert to and from (un)escaped
versions, add dots, remove dots etc. We get it wrong in some places now.

Bert
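
The escaping this reply refers to, as an added example that is not part of the original message and is not PowerDNS code: a name is held as a list of raw-octet labels and converted to and from the escaped text form only at the edges. The Labels alias and both function names are assumptions made for this illustration.

```cpp
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>
// Added illustration, not PowerDNS code. A name is a list of labels of raw octets.
using Labels = std::vector<std::string>;

// Labels -> presentation format: '.' and '\' inside a label get a backslash,
// octets outside printable ASCII become \DDD (RFC 1035 section 5.1).
std::string toPresentation(const Labels& name) {
  std::string out;
  for (const std::string& label : name) {
    for (unsigned char c : label) {
      char buf[5];
      if (c == '.' || c == '\\') std::snprintf(buf, sizeof buf, "\\%c", c);
      else if (c > 0x20 && c < 0x7f) std::snprintf(buf, sizeof buf, "%c", c);
      else std::snprintf(buf, sizeof buf, "\\%03u", static_cast<unsigned>(c));
      out += buf;
    }
    out += '.';
  }
  return out.empty() ? "." : out;
}

// Presentation format -> labels, undoing the escapes; throws on bad input.
Labels fromPresentation(const std::string& text) {
  Labels name;
  std::string label;
  auto isDigit = [&](std::size_t k) { return k < text.size() && text[k] >= '0' && text[k] <= '9'; };
  for (std::size_t i = 0; i < text.size(); ++i) {
    if (text[i] == '.') {  // only an unescaped dot separates labels
      if (label.empty() && text.size() > 1) throw std::invalid_argument("empty label");
      if (!label.empty()) name.push_back(label);
      label.clear();
    } else if (text[i] != '\\') {
      label += text[i];
    } else if (isDigit(i + 1) && isDigit(i + 2) && isDigit(i + 3)) {
      int v = (text[i + 1] - '0') * 100 + (text[i + 2] - '0') * 10 + (text[i + 3] - '0');
      if (v > 255) throw std::invalid_argument("\\DDD out of range");
      label += static_cast<char>(v);
      i += 3;
    } else {
      if (i + 1 >= text.size() || isDigit(i + 1)) throw std::invalid_argument("malformed escape");
      label += text[++i];  // \X: take X literally
    }
    if (label.size() > 63) throw std::invalid_argument("label too long");
  }
  if (!label.empty()) name.push_back(label);
  return name;
}
```

Splitting the text form a\.b.example.org. on every dot yields four pieces, while fromPresentation returns three labels, the first being the three octets a.b.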




Re: [Pdns-users] LUA iputils netmaskgroup match

2015-02-20 Thread bert hubert
On Thu, Feb 19, 2015 at 05:40:47PM +0100, Niels Peen wrote:
 Hello,
 
 I’m using a netmaskgroup to see if a given IP matches:
 
 if nmg:match(ca) then ..
 
 This works very well but I would like to know which specific netmask matched. 
 E.g. by having :match (also) return the matching netmask rather than (just) 
 returning true.
 
 Am I correct that this is currently not possible? If so, could this be 
 considered for a future release?

Hi Niels,

This is currently not possible, but it sounds like a great idea. 

It may be good to know that the netmaskgroup currently just tries all
netmasks to see if one fits, you could easily emulate this in Lua itself,
and it would not be slower. And then you would know which address matched.

Could you open a ticket requesting this feature on github?  Please put a
note in there we find it a fine idea.

Bert



Re: [Pdns-users] Any status on DNSSEC in Recursor?

2015-02-20 Thread bert hubert
Hi Charles,

The status is that it is happening, and it should soon become more visible.

The start of this is described in our post from this morning:
http://mailman.powerdns.com/pipermail/pdns-dev/2015-February/001481.html

Please join us in testing 4.x as it will be appearing!

Bert


On Sun, Feb 15, 2015 at 11:19:24PM -0500, Charles Sprickman wrote:
 While asking Google, the same, I hit this old blog post:
 
 http://blog.powerdns.com/2013/09/16/dnssec-validation-for-the-recursor/
 
 Any new timeline on when this might happen?  Does the plan to implement it 
 still look the same?
 
 Thanks,
 
 Charles
 
 -- 
 Charles Sprickman
 NetEng/SysAdmin
 Bway.net - New York's Best Internet www.bway.net
 sp...@bway.net - 212.655.9344
 
 
 
 
 
 
 


Re: [Pdns-users] Windows 7 computers not getting split horizon change made by Lua script

2015-02-19 Thread bert hubert
On Thu, Feb 19, 2015 at 03:26:42PM +0100, h...@nitramlexa.com wrote:
 It works like a dream for everybody BUT Windows 7.
 Android, Linux and Windows XP all get the LAN address when asking
 for mail.example.com, but Windows 7 gets the public address.

Check with tcpdump what answers you are really sending out. Did you remember
to use setvariable() to make sure PowerDNS doesn't packetcache your lua
answers?

Good luck!

Bert


 
 I can see in logging in the Lua script that the Windows 7 machine
 asks for the name, and Lua returns the LAN address,
 but Windows 7 still gets the public IP.
 
 Any ideas to why?
 
 I'm also running Samba on the PDNS-recursor to let Windows access
 the NAS shares, but there's no wins defined anywhere,
 and the firewall / auth dns is not running Samba.
 
 Kind regards,
 Henrik Woffinden
 
 
 
 



Re: [Pdns-users] cnames

2015-02-17 Thread bert hubert
On Tue, Feb 17, 2015 at 09:11:44AM +0100, Steffan Noord wrote:
 Yes cnames are eval
 But some clients want to use them.
 
 After checking my dns server i see a error
 [Error] CNAME cmsetup.nl found, but other records with same label exist.
 
 The client has a cname www. cmsetup.nl
 and a cname cmsetup.nl  se up to another domain.
 But why is that a error.

Because sadly that is how DNS works. You can't have a CNAME together with a
SOA. This is not a powerdns issue.

Bert
