# host type data
[ $zone, 'NS', "ns.$zone" ],
# MX/SRV put priority <space> data
- [ $zone, 'MX', "10 mail.hotmail.com" ],
+ [ $zone, 'MX', "10 mail.example.com" ],
# No SOA records
- [ "test.$zone", 'A', '1.2.3.4' ],
+ [ "test.$zone", 'A', '192.0.2.66' ],
[ "text.$zone", 'TXT', "test\n123" ],
[ "longtext.$zone", 'TXT', "A" x 550 ],
The records table can now be filled by with the domain\_id set to the id of the domains table row just inserted.
## Slave operation
-These backends are fully slave capable. To become a slave of the 'powerdns.com' domain, execute this:
+These backends are fully slave capable. To become a slave of the 'example.com' domain, execute this:
```
- insert into domains (name,master,type) values ('powerdns.com','213.244.168.217','SLAVE');
+ insert into domains (name,master,type) values ('example.com','198.51.100.6','SLAVE');
```
And wait a while for PDNS to pick up the addition - which happens within one minute. There is no need to inform PDNS that a new domain was added. Typical output is:
Periodically, PDNS schedules checks to see if domains are still fresh. The default [`slave-cycle-interval`](settings.md#slave-cycle-interval) is 60 seconds, large installations may need to raise this value. Once a domain has been checked, it will not be checked before its SOA refresh timer has expired. Domains whose status is unknown get checked every 60 seconds by default.
## Superslave operation
-To configure a supermaster with IP address 10.0.0.11 which lists this installation as 'autoslave.powerdns.com', issue the following:
+To configure a supermaster with IP address 203.0.113.53 which lists this installation as 'autoslave.example.com', issue the following:
```
- insert into supermasters values ('10.0.0.11','autoslave.powerdns.com','internal');
+ insert into supermasters values ('203.0.113.53','autoslave.example.com','internal');
```
-From now on, valid notifies from 10.0.0.11 that list a NS record containing 'autoslave.powerdns.com' will lead to the provisioning of a slave domain under the account 'internal'. See [Supermaster](modes-of-operation.md#supermaster-automatic-provisioning-of-slaves) for details.
+From now on, valid notifies from 203.0.113.53 that list a NS record containing 'autoslave.example.com' will lead to the provisioning of a slave domain under the account 'internal'. See [Supermaster](modes-of-operation.md#supermaster-automatic-provisioning-of-slaves) for details.
## 3.13. Master operation
The PostgreSQL backend is fully master capable with automatic discovery of serial changes. Raising the serial number of a domain suffices to trigger PDNS to send out notifications. To configure a domain for master operation instead of the default native replication, issue:
- ns: ns2.example.com
- mx: 10 mx.example.com
fin.eu.service.geo.example.com:
- - a: 62.236.200.4
+ - a: 198.51.100.221
- txt: hello world
+ - aaaa: 2001:DB8::12:34DE:3
services:
service.geo.example.com: '%co.%cn.service.geo.example.com'
```
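Review bot: the added `aaaa` entry under `fin.eu.service.geo.example.com` writes the address with uppercase hex digits (`2001:DB8::12:34DE:3`). RFC 5952 recommends lowercase for IPv6 text, so `2001:db8::12:34de:3` is the conventional form. This line is also new example content rather than a renumbering of an existing address, which deserves a mention in the commit message.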
# perl dumpdb.pl /var/tmp/lmdb zone
key: moc.elpmaxe; value: 1 300 ns.example.com. hostmaster.example.com. 2012021101 86400 7200 604800 86400
# perl dumpdb.pl /var/tmp/lmdb data
-key: moc.elpmaxe MX; value: 1 300 10 mail.hotmail.com
+key: moc.elpmaxe MX; value: 1 300 10 mail.example.com
key: moc.elpmaxe NS; value: 1 300 ns.example.com
-key: moc.elpmaxe.tset A; value: 1 300 1.2.3.4
+key: moc.elpmaxe.tset A; value: 1 300 192.0.2.66
key: moc.elpmaxe.txet TXT; value: 1 300 test\010123
key: moc.elpmaxe.txetgnol TXT; value: REF 1
# perl dumpdb.pl /var/tmp/lmdb extended_data
#### Example JSON/RPC
Query:
```
-{"method":"lookup", "parameters":{"qtype":"ANY", "qname":"www.example.com", "remote":"192.168.0.24", "local":"192.168.0.1", "real-remote":"192.168.0.24", "zone-id":-1}}
+{"method":"lookup", "parameters":{"qtype":"ANY", "qname":"www.example.com", "remote":"192.0.2.24", "local":"192.0.2.1", "real-remote":"192.0.2.24", "zone-id":-1}}
```
Response:
```
-{"result":[{"qtype":"A", "qname":"www.example.com", "content":"192.168.1.2", "ttl": 60}]}
+{"result":[{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}]}
```
#### Example HTTP/RPC
Query:
```
GET /dnsapi/lookup/www.example.com/ANY HTTP/1.1
-X-RemoteBackend-remote: 192.168.0.24
-X-RemoteBackend-local: 192.168.0.1
-X-RemoteBackend-real-remote: 192.168.0.24
+X-RemoteBackend-remote: 192.0.2.24
+X-RemoteBackend-local: 192.0.2.1
+X-RemoteBackend-real-remote: 192.0.2.24
X-RemoteBackend-zone-id: -1
```
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
-{"result":[{"qtype":"A", "qname":"www.example.com", "content":"192.168.1.2", "ttl": 60}]}
+{"result":[{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}]}
```
### `list`
{"qtype":"SOA", "qname":"example.com", "content":"dns1.icann.org. hostmaster.icann.org. 2012081600 7200 3600 1209600 3600", "ttl": 3600},
{"qtype":"NS", "qname":"example.com", "content":"ns1.example.com", "ttl": 60},
{"qtype":"MX", "qname":"example.com", "content":"10 mx1.example.com.", "ttl": 60},
- {"qtype":"A", "qname":"www.example.com", "content":"192.168.1.2", "ttl": 60},
- {"qtype":"A", "qname":"ns1.example.com", "content":"192.168.0.2", "ttl": 60},
- {"qtype":"A", "qname":"mx1.example.com", "content":"192.168.0.3", "ttl": 60}
+ {"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60},
+ {"qtype":"A", "qname":"ns1.example.com", "content":"192.0.2.2", "ttl": 60},
+ {"qtype":"A", "qname":"mx1.example.com", "content":"192.0.2.3", "ttl": 60}
]}
```
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
-{"result":[{"qtype":"SOA", "qname":"example.com", "content":"dns1.icann.org. hostmaster.icann.org. 2012081600 7200 3600 1209600 3600", "ttl": 3600},{"qtype":"NS", "qname":"example.com", "content":"ns1.example.com", "ttl": 60},{"qtype":"MX", "qname":"example.com", "content":"10 mx1.example.com.", "ttl": 60},{"qtype":"A", "qname":"www.example.com", "content":"192.168.1.2", "ttl": 60},{"qtype":"A", "qname":"ns1.example.com", "content":"192.168.0.2", "ttl": 60},{"qtype":"A", "qname":"mx1.example.com", "content":"192.168.0.3", "ttl": 60}]}
+{"result":[{"qtype":"SOA", "qname":"example.com", "content":"dns1.icann.org. hostmaster.icann.org. 2012081600 7200 3600 1209600 3600", "ttl": 3600},{"qtype":"NS", "qname":"example.com", "content":"ns1.example.com", "ttl": 60},{"qtype":"MX", "qname":"example.com", "content":"10 mx1.example.com.", "ttl": 60},{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60},{"qtype":"A", "qname":"ns1.example.com", "content":"192.0.2.2", "ttl": 60},{"qtype":"A", "qname":"mx1.example.com", "content":"192.0.2.3", "ttl": 60}]}
```
### `getBeforeAndAfterNamesAbsolute`
#### Example JSON/RPC
Query:
```
-{"method":"isMaster","parameters":{"name":"example.com","ip":"10.0.0.1"}}
+{"method":"isMaster","parameters":{"name":"example.com","ip":"198.51.100.0.1"}}
```
Response:
#### Example HTTP/RPC
Query:
```
-GET /dnsapi/isMaster/example.com/10.0.0.1
+GET /dnsapi/isMaster/example.com/198.51.100.0.1
```
Response:
#### Example JSON/RPC
Query:
```
-{"method":"superMasterBackend","parameters":{"ip":"10.0.0.1","domain":"example.com","nsset":[{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns1.example.com","ttl":300,"auth":true},{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns2.example.com","ttl":300,"auth":true}]}}
+{"method":"superMasterBackend","parameters":{"ip":"198.51.100.0.1","domain":"example.com","nsset":[{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns1.example.com","ttl":300,"auth":true},{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns2.example.com","ttl":300,"auth":true}]}}
```
Response:
#### Example HTTP/RPC
Query:
```
-POST /dnsapi/supermasterbackend/10.0.0.1/example.com
+POST /dnsapi/supermasterbackend/198.51.100.0.1/example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 317
#### Example JSON/RPC
Query:
```
-{"method":"createSlaveDomain","parameters":{"ip":"10.0.0.1","domain":"pirate.unit.test"}}
+{"method":"createSlaveDomain","parameters":{"ip":"198.51.100.0.1","domain":"pirate.example.net"}}
```
Response:
#### Example HTTP/RPC
Query:
```
-POST /dnsapi/createslavedomain/10.0.0.1/pirate.unit.test
+POST /dnsapi/createslavedomain/198.51.100.0.1/pirate.example.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```
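Review bot: `198.51.100.0.1` has five octets and is not a valid IPv4 address. It appears in the `ip` parameter of the `isMaster`, `superMasterBackend` and `createSlaveDomain` JSON/RPC queries and in the matching `/dnsapi/...` request paths. It looks like the first octet of `10.0.0.1` was replaced by `198.51.100`. Use a single address from that range, for example `198.51.100.1`, in all six places.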
A setting to enable/disable DNS update support completely. The default is no, which means that DNS updates are ignored by PowerDNS (no message is logged about this!). Change the setting to **experimental-dnsupdate=yes** to enable DNS update support. Default is **no**.
## `allow-dnsupdate-from`
-A list of IP ranges that are allowed to perform updates on any domain. The default is 0.0.0.0/0, which means that all ranges are accepted. Multiple entries can be used on this line (**allow-dnsupdate-from=10.0.0.0/8 192.168.1.2/32**). The option can be left empty to disallow everything, this then should be used in combination with the **allow-dnsupdate-from** domainmetadata setting per zone.
+A list of IP ranges that are allowed to perform updates on any domain. The default is 0.0.0.0/0, which means that all ranges are accepted. Multiple entries can be used on this line (**allow-dnsupdate-from=198.51.100.0/8 203.0.113.2/32**). The option can be left empty to disallow everything, this then should be used in combination with the **allow-dnsupdate-from** domainmetadata setting per zone.
## `forward-dnsupdate`
Tell PowerDNS to forward to the master server if the zone is configured as slave. Masters are determined by the masters field in the domains table. The default behaviour is enabled (yes), which means that it will try to forward. In the processing of the update packet, the **allow-dnsupdate-from** and **TSIG-2136-ALLOW** are processed first, so those permissions apply before the **forward-dnsupdate** is used. It will try all masters that you have configured until one is successful.
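Review bot: in the `allow-dnsupdate-from` description, `198.51.100.0/8` is not a network-aligned prefix, and read as a /8 it covers all of 198.0.0.0/8, far more than the 198.51.100.0/24 documentation block. Readers copy ACL examples as written, so `allow-dnsupdate-from=198.51.100.0/24 203.0.113.2/32` is the safer example.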
This setting has the same function as described in the configuration options (See [above](#configuration-options)). Only one item is allowed per row, but multiple rows can be added. An example:
``` {.programlisting}
-sql> select id from domains where name='powerdnssec.org';
+sql> select id from domains where name='example.org';
5
-sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-DNSUPDATE-FROM’,’10.0.0.0/8’);
-sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-DNSUPDATE-FROM’,’192.168.1.2/32’);
+sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-DNSUPDATE-FROM’,’198.51.100.0/8’);
+sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-DNSUPDATE-FROM’,’203.0.113.2/32’);
```
-This will allow 10.0.0.0/8 and 192.168.1.2/32 to send DNS update messages for the powerdnssec.org domain.
+This will allow 198.51.100.0/8 and 203.0.113.2/32 to send DNS update messages for the example.org domain.
## TSIG-ALLOW-DNSUPDATE
This setting allows you to set the TSIG key required to do an DNS update. An example:
``` {.programlisting}
sql> insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
-sql> select id from domains where name='powerdnssec.org';
+sql> select id from domains where name='example.org';
5
sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'test');
```
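Review bot: the two changed `ALLOW-DNSUPDATE-FROM` inserts still wrap their string values in typographic quotes (‘…’), so the statements fail when pasted into an SQL client. Use plain single quotes, as the `tsigkeys` insert in the next block does. The `198.51.100.0/8` value in those inserts and in the sentence after the block is not network-aligned and, as a /8, spans 198.0.0.0/8; `198.51.100.0/24` keeps the example inside the documentation block.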
``` {.programlisting}
nsupdate <<!
server <ip> <port>
-zone powerdnssec.org
-update add test1.powerdnssec.org 3600 A 192.168.1.1
+zone example.org
+update add test1.example.org 3600 A 203.0.113.1
key test kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=
send
!
See [Section 1, “Configuration options”](dnsupdate.html#dnsupdate-configuration "1. Configuration options") for what it does, but per domain.
``` {.programlisting}
-sql> select id from domains where name='powerdnssec.org';
+sql> select id from domains where name='example.org';
5
sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘FORWARD-DNSUPDATE’,’’);
```
An example:
``` {.programlisting}
-sql> select id from domains where name='powerdnssec.org';
+sql> select id from domains where name='example.org';
5
sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘SOA-EDIT-DNSUPDATE’,’INCREASE’);
```
Per subnet, you also have to tell **dhcpd** which (reverse-)domain it should update and on which master domain server it is running.
``` {.programlisting}
-ddns-domainname "powerdnssec.org";
+ddns-domainname "example.org";
ddns-rev-domainname "in-addr.arpa.";
-zone powerdnssec.org {
+zone example.org {
primary 127.0.0.1;
key dhcpdupdate;
}
This tells **dhcpd** a number of things:
-1. Which domain to use (**ddns-domainname "powerdnssec.org";**)
+1. Which domain to use (**ddns-domainname "example.org";**)
2. Which reverse-domain to use (**dnssec-rev-domainname "in-addr.arpa.";**)
3. For the zones, where the primary master is located (**primary 127.0.0.1;**)
4. Which TSIG key to use (**key dhcpdupdate;**). We defined the key earlier.
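Review bot: item 2 of the list cites `dnssec-rev-domainname`, but the dhcpd block above sets `ddns-rev-domainname "in-addr.arpa.";`. Since item 1 is being edited anyway, correct item 2 to `ddns-rev-domainname` in the same change.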
This tells PowerDNS to:
-1. Enable DNS update support(**experimental-dnsupdate**)
-2. Allow updates from NO ip-address (**allow-dnsupdate-from=**)
+1. Enable DNS update support([`experimental-dnsupdate`](settings.md#experimental-dnsupdate))
+2. Allow updates from NO ip-address ([`allow-dnsupdate-from=`](settings.md#allow-dnsupdate-from))
-We just told powerdns (via the configuration file) that we accept updates from nobody via the **allow-dnsupdate-from** parameter. That's not very useful, so we're going to give permissions per zone, via the domainmetadata table.
+We just told powerdns (via the configuration file) that we accept updates from nobody via the [`allow-dnsupdate-from`](settings.md#allow-dnsupdate-from) parameter. That's not very useful, so we're going to give permissions per zone, via the domainmetadata table.
``` {.programlisting}
-sql> select id from domains where name='powerdnssec.org';
+sql> select id from domains where name='example.org';
5
sql> insert into domainmetadata(domain_id, kind, content) values(5, ‘ALLOW-DNSUPDATE-FROM’,’127.0.0.1’);
```
``` {.programlisting}
sql> insert into tsigkeys (name, algorithm, secret) values ('dhcpdupdate', 'hmac-md5', 'FYhvwsW1ZtFZqWzsMpqhbg==');
-sql> select id from domains where name='powerdnssec.org';
+sql> select id from domains where name='example.org';
5
sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'dhcpdupdate');
sql> select id from domains where name='1.168.192.in-addr.arpa';
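Review bot: the last query still looks up `1.168.192.in-addr.arpa`, the reverse zone for 192.168.1.0/24, although the forward examples elsewhere in this patch moved 192.168.1.x to 203.0.113.x. If the reverse zone is meant to match the renumbered examples, `113.0.203.in-addr.arpa` would be consistent. Otherwise, say in the commit message that the RFC 1918 reverse zone is kept on purpose.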
It is also possible to use a resolver living on a different port. To do so, specify a recursor like this: `recursor=192.0.2.1:5300`
-If the backend does not answer a question within a large amount of time, this is logged as 'Recursive query for remote 10.96.0.2 with internal id 0 was not answered by backend within timeout, reusing id'. This may happen when using 'BIND' as a recursor as it is prone to drop queries which it can't answer immediately.
+If the backend does not answer a question within a large amount of time, this is logged as 'Recursive query for remote 198.51.100.15 with internal id 0 was not answered by backend within timeout, reusing id'. This may happen when using 'BIND' as a recursor as it is prone to drop queries which it can't answer immediately.
To make sure that the local authoritative database overrides recursive information, PowerDNS first tries to answer a question from its own database. If that succeeds, the answer packet is sent back immediately without involving the recursor in any way. This means that for questions for which there is no answer, PowerDNS will consult the recursor for an recursive query, even if PowerDNS is authoritative for a domain! This will only cause problems if you 'fake' domains which don't really exist.
From 3.4 onward. Allow DNS updates from these IP ranges.
## `allow-recursion`
-By specifying `allow-recursion`, recursion can be restricted to netmasks specified. The default is to allow recursion from everywhere. Example: `allow-recursion=192.168.0.0/24, 10.0.0.0/8, 192.0.2.4`.
+By specifying `allow-recursion`, recursion can be restricted to netmasks specified. The default is to allow recursion from everywhere. Example: `allow-recursion=198.51.100.0/24, 10.0.0.0/8, 192.0.2.4`.
## `also-notify`
-When notifying a domain, also notify these nameservers. Example: `also-notify=192.168.0.1, 10.0.0.1`. The IP adresses listed in `also-notify` always receive a notification. Even if they do not match the list in `only-notify`.
+When notifying a domain, also notify these nameservers. Example: `also-notify=192.0.2.1, 203.0.113.167`. The IP adresses listed in `also-notify` always receive a notification. Even if they do not match the list in `only-notify`.
## `any-to-tcp`
Boolean value (`yes` or `no`). Answer questions for the ANY and RRSIG types on UDP with a truncated packet that refers the remote server to TCP. Useful for mitigating reflection attacks. Defaults to `no`. Available since 3.3.
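Review bot: the new `allow-recursion` example keeps `10.0.0.0/8` next to the renumbered `198.51.100.0/24`, while `also-notify` right below it had its `10.0.0.1` replaced. Pick one policy for RFC 1918 addresses and apply it to both lines. The changed `also-notify` line also carries the misspelling "adresses", which can be fixed while the line is being touched.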
<script src="../../js/prettify-1.0.min.js"></script>
<script src="../../js/base.js"></script>
</body>
-</html>
\ No newline at end of file
+</html>
"override": "replace",
"domain": "www.cnn.com",
"rrtype": "AAAA",
- "values": ["1.1.1.1", "2.2.2.2"],
+ "values": ["203.0.113.4", "203.0.113..2"],
"until": <timestamp>,
"created": <timestamp>
}
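Review bot: `"203.0.113..2"` in the new `values` array has a doubled dot and is not a valid address; it should read `203.0.113.2`. The entry's `rrtype` is `AAAA`, so IPv4 literals do not fit the record type either. Either use addresses from 2001:db8::/32 or change the `rrtype` to `A`.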
<script src="../../js/prettify-1.0.min.js"></script>
<script src="../../js/base.js"></script>
</body>
-</html>
\ No newline at end of file
+</html>