Re: [Pdns-users] DNSSEC and

2023-08-22 Thread Frank Louwers via Pdns-users
mpt to perform key rollover on the same > database at the same time? Do they not step on each other's toes? > > -Xan > > > > On 8/22/23 07:03, Frank Louwers via Pdns-users wrote: >> Hi Xan, >> It depends which DNSSEC you choose. If you would pick "Online Si

Re: [Pdns-users] DNSSEC and

2023-08-22 Thread Frank Louwers via Pdns-users
Hi Xan, It depends which DNSSEC you choose. If you would pick "Online Signing" for instance (great unless you have very busy servers with lots of domains), the "keying data" is stored in the database as well, so both servers would use the same data to sign the zone, resulting in consistent

Re: [Pdns-users] Unable to edit domainmetadata with API

2023-06-30 Thread Frank Louwers via Pdns-users
Hi Shailendra, This is documented behaviour: https://doc.powerdns.com/authoritative/domainmetadata.html states: The option SOA-EDIT-API can not be written or read via the HTTP API metadata endpoint. Cheers, Frank Frank Louwers PowerDNS Certified Consultant @ Kiwazo.be > On 30 Jun 2023,

Re: [Pdns-users] Blocklist file format

2023-03-08 Thread Frank Louwers via Pdns-users
Hi, There's also extensive RPZ and PowerDNS docs at https://docs.spamhaus.com/dns-firewall/docs/source/configuration/power_dns_config.html (it uses Spamhaus's RPZs, but applies to other RPZs as well). Kind Regards, Frank Louwers PowerDNS Certified Consultant @ Kiwazo.be > On 7 Mar 2023, at

Re: [Pdns-users] request: Sample replication setup with dnsdist

2022-12-26 Thread Frank Louwers via Pdns-users
Hi Daniel, The best (and preferred) way to run both auth and the recursor on the same machine, is to run them on 2 separate IP addresses, as 2 separate setups. Regardless of whether or not you're using dnsdist. Frank Louwers PowerDNS Certified Consultant @ Kiwazo.be > On

Re: [Pdns-users] Issue with SOA request PDNS server

2022-05-10 Thread Frank Louwers via Pdns-users
Hi Jhonny, It seems like you're looking at the wrong zone. The error you get, is about the reverse delegation of the 200.7.160.0/20 subnet. You do have 200.7.160.0/24 correctly set up: ❯ dig -x 200.7.160.0 soa @200.7.160.10 +norec ... ;; AUTHORITY SECTION: 160.7.200.in-addr.arpa. 3600IN

Re: [Pdns-users] PowerDNS Active - Passive Mode

2021-06-17 Thread Frank Louwers via Pdns-users
Hi Cem, Thanks for your design documents. Is there a reason you only want the Mars DC dns infrastructure to be only online when the Venus one fails? Is that because the records are different? Because the easiest setup might be to have both online all the time. If you do want failover, the

Re: [Pdns-users] PowerDNS Active - Passive Mode

2021-06-16 Thread Frank Louwers via Pdns-users
Hi Cem, What do you mean by "active passive"? Do you mean a main node and a standby backup node? For DNS it's recommended to just have multiple nodes which are all active, or use a networking technique such as anycast, bgp-ondemand route advertisement, or even better a dns aware load balancer

Re: [Pdns-users] MySQL/MariaDb Scaling

2021-06-07 Thread Frank Louwers via Pdns-users
Hi Thomas, Most setups I've worked on, didn't move the thousands of domains to LMDB, but only activated LMDB on demand for domains under attack. The main reason not to use the LMDB backend for that many domains, is the fact that LMDB doesn't have any replication mechanisms. Also, the PowerDNS

Re: [Pdns-users] MySQL/MariaDb Scaling

2021-06-04 Thread Frank Louwers via Pdns-users
Hi, As Thomas said: your setup looks sane, and if it currently works for you, there's no need to change anything. If you do have zones that are getting hit by a random-subdomain-lookup attack, I would recommend to have a separate NS with a BIND or LMDB backend ready to serve only those

Re: [Pdns-users] Zone A Record

2021-05-28 Thread Frank Louwers via Pdns-users
Hi Ralph, Could you try this: resource "powerdns_record" "test" { zone = "test.de." name = "test.de." type = "A" records = ["10.1.1.1"] } (So with the . at the end of both zone and name)? Could you also paste the TF output and any entries in the

Re: [Pdns-users] DNS Forwarding on Master/Slave Servers

2021-05-07 Thread Frank Louwers via Pdns-users
Hi Steven, There are a couple of problems with your domain that prevent it from functioning correctly. First up, it seems like the ns1/ns2/ns3.opensourceserver.io glue records at the .IO cctld are all registered with the same IP address. That's probably not

Re: [Pdns-users] [E] Re: Powerdns on AWS Instances

2021-04-28 Thread Frank Louwers via Pdns-users
While this will indeed work, please note that using dnsdist.org has huge advantages: a simple (dns-unaware) LB will LB the request, either round-robin or in a least-outstanding manner. A dns-aware LB (such as dnsdist) will do this much more intelligently, which results in higher cache ratio

Re: [Pdns-users] pdns query wrong SOA records with ipv6 and miss the right domain this way

2020-10-06 Thread Frank Louwers via Pdns-users
> On 6 Oct 2020, at 20:42, bert hubert via Pdns-users > wrote: > > On Tue, Oct 06, 2020 at 08:29:49PM +0200, Oliver Dzombic via Pdns-users wrote: >> SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records >> WHERE disabled=0 and type='SOA' and >>

Re: [Pdns-users] Implementing virtual domains

2020-09-28 Thread Frank Louwers via Pdns-users
Hi Daniel, Are these true aliases? (As in: every record can be copied exactly as it is, without changing anything). In that case, the ALIAS type should work for you (https://doc.powerdns.com/authoritative/guides/alias.html). If these are more like "templates", (eg: mydomain.com MX

Re: [Pdns-users] "HTTP/1.1 422 Unprocessable Entity" when creating a zone

2020-06-30 Thread Frank Louwers via Pdns-users
That exact same example works in my setup, which uses 4.3.0 with a MySQL backend. Could you provide us your full config, backend & backend schema? Could you also increase logging (see https://docs.powerdns.com/authoritative/settings.html#webserver-loglevel) and send us the log when you're

Re: [Pdns-users] "HTTP/1.1 422 Unprocessable Entity" when creating a zone

2020-06-30 Thread Frank Louwers via Pdns-users
Please find the docs for 4.2.x at https://docs.powerdns.com/authoritative/http-api/index.html#endpoints-and-objects-in-the-api In particular, note that the "masters" string must only be set if the type is Slave. Regards, Frank On 30 Jun 2020, at 15:20, Tomasz Chmielewski wrote: > > I'm

Re: [Pdns-users] "HTTP/1.1 422 Unprocessable Entity" when creating a zone

2020-06-30 Thread Frank Louwers via Pdns-users
Hi Tomasz, What version are you using? The docs you mention, refer to an old version of PowerDNS Auth... Frank > On 30 Jun 2020, at 15:09, Tomasz Chmielewski via Pdns-users > wrote: > > I did it exactly as in PowerDNS README: > https://doc.powerdns.com/md/httpapi/README/ > > Does it mean

Re: [Pdns-users] Running auth server and recursor on the same server, upgrading from 4.0.9

2020-06-24 Thread Frank Louwers via Pdns-users
Dear Yves, It might be best to describe your setup in a bit more detail: - what client devices use your resolver, are they all on internal IT infra? (Your home or office net?) How many devices are we talking about? How do they configure the ip of their resolver? (Hand-set, dhcp, ...)? - what

Re: [Pdns-users] Some questions about deploying a dns slave serrevrs using Powderdns sofftware

2020-06-19 Thread Frank Louwers via Pdns-users
Hi Hoan, PowerDNS can replicate from a primary BIND server without problems. If the BIND zone is signed, PowerDNS will (by default) detect that, and act accordingly: it will enable dnssec replies, but will not try to perform signing by itself. See

Re: [Pdns-users] iprange is hitting my dns servers

2020-06-10 Thread Frank Louwers via Pdns-users
Hi Steffan, It smells like a bunch of Windows clients that all want to lookup a DomainController... (all capitals, DC, ... typical MS naming conventions) Are the 195.121.82.103-195.121.82.139 ips under your control? Best of luck hunting :) Frank > On 10 Jun 2020, at 08:32, Steffan via

Re: [Pdns-users] Fwd: Re: configure: error: Did not find the mysql library dir in /usr/lib/mysql

2018-12-20 Thread Frank Louwers via Pdns-users
Hi Cliff, Could you try without the --with-mysql-lib=/var parameter? Or with --with-mysql-lib=/usr? The dev libraries are not installed in /var/lib/mysql, but probably in /usr/lib/libmysql* Frank Louwers Certified PowerDNS Consultant > On 20 Dec 2018, at 15:12, Cliff Hayes

Re: [Pdns-users] Pdns-users Digest, Vol 191, Issue 14

2018-12-18 Thread Frank Louwers via Pdns-users
Hi Satya, Yes, as Nginx includes capabilities to load balance UDP and TCP. So if you configure Nginx to load balance port 53 for both protocols, you could use Nginx as a load balancer for DNS. However, Nginx doesn’t understand the DNS protocol. It is a layer 4 LB, not a (dns-protocol aware)

Re: [Pdns-users] Unable to resolve domain when using DO and not AD

2018-12-13 Thread Frank Louwers via Pdns-users
Dear Luca, > On 12 Dec 2018, at 19:53, Luca Lesinigo > wrote: > > Il giorno 12 dic 2018, alle ore 18:45, bert hubert > ha scritto: >>> Right now I am refraining to disclose the domain because I don’t know if >>> this behavior could

Re: [Pdns-users] How to understand cause of rejected notify

2018-12-02 Thread Frank Louwers via Pdns-users
Hi MRob, Could you please try a ‘dig AXFR domain.com’ from your slave? Could you also provide us a full packet capture (pcap if possible)? I am starting to suspect a firewall issue… Frank > On 1 Dec 2018, at 22:44, MRob wrote: > >> All supermaster problems I know of can be resolved by

Re: [Pdns-users] recursor: no reverse lookups

2018-11-19 Thread Frank Louwers via Pdns-users
Sig, First of all it’s best not to use nslookup. It can produce unpredictable and sometimes false results. Please use a tool like “dig” or “drill”. Is 192.168.94.66#53 the authoritative server for that 94.168.192.in-addr.arp domain? If so, then yes, the result is an authoritative answer, as