Re: [Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.

2011-07-22 Thread Chris Russell

 Alright, so I think we're getting closer to the culprit. You will need
 to have the auth field set to '1' i.e. True for most if not all

 Yes, I knew it was RTFM :-/ .. this sorted the issue.  Many thanks for your 
time looking into this Stefan, and also Bert

Thanks

Chris


Knowledge I.T.
‘Unifying Business Technology’
www.knowledgeit.co.uk

Knowledge Limited, Company Registration: 1554385
Registered Office: New Century House, Crowther Road, Washington, Tyne & Wear. NE38 0AQ
Leeds Office: Viscount Court, Leeds Road, Rothwell, Leeds. LS26 0GR

Tel: 0845 142 0020. Fax: 0845 142 0021

E-Mail Disclaimer: This e-mail message is intended to be received only by 
persons entitled to receive the confidential information it may contain. E-mail 
messages to clients of Knowledge IT may contain information that is 
confidential and legally privileged. Please do not read, copy, forward, or 
store this message unless you are an intended recipient of it. If you have 
received this message in error, please forward it to the sender and delete it 
completely from your computer system.

Please consider the environment before printing this email.
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


[Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.

2011-07-21 Thread Chris Russell
 .. and I hope the answer is RTFM, but...

 I'm looking to push out PDNS as our new primary auth servers and also with 
DNS-SEC, however only on certain zones. (Essentially to allow 2 migrations, one 
to PDNS then one to enable DNS-SEC).

 Is it possible for pdnssec to also serve non auth zones? If so, how :)

 Using pdns-static-3.0rc3.20110719.2239-1, fairly standard options 
(gmysql-dnssec) - with the auth field set to 0, I can return an SOA, but no A 
records for non auth domains.



Cheers

Chris




Re: [Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.

2011-07-21 Thread Stefan Schmidt
On Thu, Jul 21, 2011 at 4:43 PM, Chris Russell
chris.russ...@knowledgeit.co.uk wrote:
  .. and I hope the answer is RTFM, but...

  I'm looking to push out PDNS as our new primary auth servers and also with 
 DNS-SEC, however only on certain zones. (Essentially to allow 2 migrations, 
 one to PDNS then one to enable DNS-SEC).

  Is it possible for pdnssec to also serve non auth zones? If so, how :)

  Using pdns-static-3.0rc3.20110719.2239-1, fairly standard options 
 (gmysql-dnssec) - with the auth field set to 0, I can return an SOA, but no A 
 records for non auth domains.

I am not sure what you mean by 'auth zone'.
You can run non DNSSEC zones alongside DNSSEC signed ones no problem,
PowerDNS will default to non-DNSSEC operation for a Zone if it doesn't
find any key material or option for it in the backend.

 Stefan


Re: [Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.

2011-07-21 Thread Chris Russell
Hi Stefan,

 Thanks for the reply.

 Sorry for the confusion. I think the option for DNS-SEC in the backend is the 
key here, because I have this set, as I want to serve some DNS-SEC zones but 
not all.

 Essentially, PDNS with the MySQL backend (only), and I'm trying to serve DNS-SEC 
and non DNS-SEC zones.

launch=gmysql
gmysql-dnssec


 Set in pdns.conf.

 In the database:

Domains:

+----+------------+--------+------------+--------+-----------------+---------+
|  6 | wibble.com | NULL   |       NULL | NATIVE |            NULL | NULL    |
+----+------------+--------+------------+--------+-----------------+---------+


mysql> select * from records where domain_id=6;
+-----+-----------+-----------------+------+----------------------------------------------------------------------------+-------+------+-------------+-----------+------+
| id  | domain_id | name            | type | content                                                                    | ttl   | prio | change_date | ordername | auth |
+-----+-----------+-----------------+------+----------------------------------------------------------------------------+-------+------+-------------+-----------+------+
| 694 |         6 | wibble.com      | SOA  | ns1.server.co.uk hostmaster.server.net 2011011702 10800 3600 1209600 86400 | 86400 |    0 |        NULL |           |    0 |
| 695 |         6 | mail.wibble.com | A    | 1.1.1.1                                                                    | 86400 |    0 |        NULL |           |    0 |
| 696 |         6 | wibble.com      | NS   | ns1.server.co.uk                                                           | 86400 |    0 |        NULL |           |    0 |
+-----+-----------+-----------------+------+----------------------------------------------------------------------------+-------+------+-------------+-----------+------+


 So I have a name server (ns1.server.co.uk is the physical server), an SOA and an A 
record. The auth field (for DNS-SEC) is 0.

 However results from dig:

[root@ns1 ~]# dig wibble.com @localhost SOA

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> wibble.com @localhost SOA
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18174
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;wibble.com.                    IN      SOA

;; ANSWER SECTION:
wibble.com.             86400   IN      SOA     ns1.server.co.uk hostmaster.server.net 2011011702 10800 3600 1209600 86400

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 21 17:22:56 2011
;; MSG SIZE  rcvd: 101

 So, no issues with the SOA, but the A

[root@ns1 ~]# dig mail.wibble.com @localhost A

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> mail.wibble.com @localhost A
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57290
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.wibble.com.               IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 21 17:28:20 2011
;; MSG SIZE  rcvd: 33


 And in the logs:

Jul 21 17:25:19 ns1 pdns[14821]: Should not get here (mail.wibble.com|1): 
please run pdnssec rectify-zone wibble.com

 I'm guessing, as I have gmysql-dnssec set, it's assuming all zones are DNS-SEC 
enabled.

 So the question then becomes: can I run 2 gmysql backends, one for sec and one for 
not? The docs don't really tell me this, especially whether it can (preferably) be done in the same database.

Cheers

Chris





Re: [Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.

2011-07-21 Thread Chris Russell
 As an addendum, I also tried a multi launch, with the same issue, specifying dnssec 
on one launch:

launch=gmysql:sec,gmysql:nonsec
gmysql-sec-dnssec
gmysql-sec-host=127.0.0.1
gmysql-sec-user=x
gmysql-sec-dbname=y
gmysql-sec-password=z
gmysql-nonsec-host=127.0.0.1
gmysql-nonsec-user=x
gmysql-nonsec-dbname=y
gmysql-nonsec-password=z

 Have to be missing something silly here.


Cheers

Chris




Re: [Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.

2011-07-21 Thread Stefan Schmidt
On Thu, Jul 21, 2011 at 6:38 PM, Chris Russell
chris.russ...@knowledgeit.co.uk wrote:

  So the question then becomes: can I run 2 gmysql backends, one for sec and one 
 for not? The docs don't really tell me this, especially whether it can (preferably) 
 be done in the same database.

Ah sorry, I didn't read all the way down to your question.

No you cannot.
The reason for that is that backends are exhausted for zone content in
the order in which they are specified in the launch statement, and the
for loop breaks after the first backend answers something other than 'I
don't know', so the first to answer 'wins', one could say.
This means that your 'sec' backend will always answer first for the
content of the database.

However, you don't need to serve the data via a dedicated 'sec' and
'non sec' backend, as even if dnssec is enabled for a backend PowerDNS
will still serve that domain without dnssec perfectly normally.

Please compare the output of
dig soa zaphods.net @mandelbrot.zaphods.net +norec
to
dig soa zaphods.net @mandelbrot.zaphods.net +norec +dnssec

Enabling DNSSEC for a domain does not mean that a name server will
cease serving regular DNS content and protocol; it just means that it
will respond differently when the 'DNSSEC OK' (DO) bit is set for a query.

Running `pdnssec rectify-zone wibble.com` will just add the 'mail' to
the ordername column of your records table btw. With DNSSEC in
non-narrow mode you need to run this whenever you change a record. I
suspect running it might already solve your problem.

 Stefan


Re: [Pdns-users] Potentially Silly Question! - auth server, dns-(non) sec + sec.

2011-07-21 Thread Stefan Schmidt
Hi Chris,

On Thu, Jul 21, 2011 at 8:57 PM, Chris Russell
chris.russ...@knowledgeit.co.uk wrote:
  I think I've confused the issue with the two backends, I actually set this 
 up as a test as running with one wasn't working.

  To go back to the original issue, I have PDNSsec + DNS-SEC + IPv6 working 
 flawlessly, without issues.  However, for other reasons I need to serve zones 
 where I don't wish to have any signing information in the database for this 
 zone. This means I don't want to run secure-zone or rectify-zone, and instead keep 
 that zone DNS-SEC free.

  Essentially configuring DNS-SEC on a zone by zone basis.

That is the default and afaik only way PowerDNS works.

  The problem is,  I can push records into the DB as per a standard unsigned 
 zone, but pdnssec will not serve these records only the SOA.  So can pdnssec 
 serve unsigned zones where no DNS-SEC related records exist when the g-mysql 
 backend is set to gmysql-dnssec ?

Alright, so I think we're getting closer to the culprit. You will need
to have the auth field set to '1' i.e. True for most if not all
records.
Documentation [1] says:
The 'auth' field should be set to '1' for data for which is itself
authoritative, which includes the SOA record and its own NS records.
The 'auth' field should be 0 however for NS records which are used
for delegation, and also for any glue (A, AAAA) records present for
this purpose. Do note that the DS record for a secure delegation
should be authoritative!
And that works for me.
Even though you are not serving DNSSEC signed zone data, I think when
setting dnssec to on for a backend PowerDNS will just assume that if
the auth field is there and is '0' or False that it does not need to
serve this as authoritative data.

  Or am I stuck with PDNS serving DNS-SEC enabled zones, OR non DNS-SEC 
 enabled zones, but not both :-/

Nope, definitely not. This usually just works.

dig a foo.zaphods.org @mandelbrot.zaphods.net +norec +dnssec

; <<>> DiG 9.7.3 <<>> a foo.zaphods.org @mandelbrot.zaphods.net +norec +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7345
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;foo.zaphods.org.               IN      A

;; ANSWER SECTION:
foo.zaphods.org.        3600    IN      A       127.0.0.1

;; Query time: 54 msec
;; SERVER: 217.197.86.168#53(217.197.86.168)
;; WHEN: Thu Jul 21 21:12:26 2011
;; MSG SIZE  rcvd: 60

mysql> select * from dns_record where domain_id=778;
+---------+-----------+-----------------+------+--------------------------------------------------------------------------------------+------+------+-------------+---------+-----------+------+
| id      | domain_id | name            | type | content                                                                              | ttl  | prio | description | dynamic | ordername | auth |
+---------+-----------+-----------------+------+--------------------------------------------------------------------------------------+------+------+-------------+---------+-----------+------+
| 7448641 |       778 | zaphods.org     | NS   | chiyoda.zaphods.net                                                                  | 3600 |    0 | NULL        |       0 |           |    1 |
| 7448642 |       778 | zaphods.org     | NS   | mandelbrot.zaphods.net                                                               | 3600 |    0 | NULL        |       0 |           |    1 |
| 7448643 |       778 | zaphods.org     | NS   | shinagawa.zaphods.net                                                                | 3600 |    0 | NULL        |       0 |           |    1 |
| 7448644 |       778 | zaphods.org     | NS   | taito.zaphods.net                                                                    | 3600 |    0 | NULL        |       0 |           |    1 |
| 7448645 |       778 | zaphods.org     | SOA  | mandelbrot.zaphods.net hostmas...@zaphods.net 2011072101 28800 14400 360 86400 86400 | 3600 |    0 | NULL        |       0 |           |    1 |
| 7448646 |       778 | foo.zaphods.org | A    | 127.0.0.1                                                                            | 3600 |    0 |             |       0 |           |    1 |
+---------+-----------+-----------------+------+--------------------------------------------------------------------------------------+------+------+-------------+---------+-----------+------+
6 rows in set (0.00 sec)
(note that I have renamed my queries to use 'dns_record' as the table
name for the 'records' table, as python django kind of insisted on that
naming scheme - no biggie ;-)

versus

dig a foo.zaphods.net @mandelbrot.zaphods.net +norec +dnssec

; <<>> DiG 9.7.3 <<>> a foo.zaphods.net @mandelbrot.zaphods.net +norec +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55871
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.zaphods.net.
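A dry-run check for the auth and ordername rules discussed in this thread, added here as an example and not code from PowerDNS or from either poster: it loads rows shaped like the records table above into an in-memory SQLite database and lists the rows `pdnssec rectify-zone` would have to change (auth per the documentation Stefan quotes, ordername in the NSEC non-narrow form his 'mail' example shows). The sub.wibble.com delegation, its ns.sub.wibble.com glue at 192.0.2.10, the DS digest placeholder and the helper names are all constructed for this example.

```python
import sqlite3

# Constructed rows mirroring the wibble.com table in the thread (all auth=0),
# plus a hypothetical delegation of sub.wibble.com; this is a hypothetical helper, not PowerDNS code.
SAMPLE_ROWS = [
    (694, 6, "wibble.com", "SOA", "ns1.server.co.uk hostmaster.server.net "
     "2011011702 10800 3600 1209600 86400", 86400, 0, None, "", 0),
    (695, 6, "mail.wibble.com", "A", "1.1.1.1", 86400, 0, None, "", 0),
    (696, 6, "wibble.com", "NS", "ns1.server.co.uk", 86400, 0, None, "", 0),
    (697, 6, "sub.wibble.com", "NS", "ns.sub.wibble.com", 86400, 0, None, "", 0),
    (698, 6, "ns.sub.wibble.com", "A", "192.0.2.10", 86400, 0, None, "", 0),
    (699, 6, "sub.wibble.com", "DS", "12345 8 2 PLACEHOLDER_DIGEST", 86400, 0, None, "", 0),
]

SCHEMA = """CREATE TABLE records (id INTEGER, domain_id INTEGER, name TEXT,
    type TEXT, content TEXT, ttl INTEGER, prio INTEGER, change_date INTEGER,
    ordername TEXT, auth INTEGER)"""

def ordername_nsec(zone, name):
    """NSEC (non-narrow) ordername: labels below the apex, reversed and space
    separated; the apex gets ''. Assumes name is the apex or ends in '.' + zone."""
    zone, name = zone.lower(), name.lower()
    if name == zone:
        return ""
    return " ".join(reversed(name[: -len(zone) - 1].split(".")))

def expected_auth(zone, name, rtype, delegations):
    """auth=1 for data the zone is authoritative for (SOA, apex NS, plain records,
    DS at a cut); auth=0 for delegation NS records and glue at/below a delegation."""
    if rtype == "DS":
        return 1
    if rtype == "NS" and name != zone:
        return 0
    glue = any(name == d or name.endswith("." + d) for d in delegations)
    return 0 if glue else 1

def rectify_report(zone, rows):
    """Return (id, name, type, wanted_auth, wanted_ordername) for rows whose auth or
    ordername differ from the expected values; ordername is only checked for auth rows."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO records VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    delegations = {n for (n,) in con.execute(
        "SELECT DISTINCT name FROM records WHERE type='NS' AND name<>?", (zone,))}
    fixes = []
    for rid, name, rtype, ordername, auth in con.execute(
            "SELECT id, name, type, ordername, auth FROM records ORDER BY id"):
        want_auth = expected_auth(zone, name, rtype, delegations)
        want_ord = ordername_nsec(zone, name) if want_auth else None
        if auth != want_auth or (want_auth and ordername != want_ord):
            fixes.append((rid, name, rtype, want_auth, want_ord))
    return fixes
```

Run against the constructed rows it flags the SOA, apex NS, A and DS records (ids 694, 695, 696, 699), i.e. exactly the auth=0 rows that made the server log "Should not get here" and skip the A record, while the delegation NS and its glue are left at auth=0 as the documentation requires.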