+++ /dev/null
-# A schema for storing DNS zones in LDAP
-#
-# ORDERING is not necessary, and some servers don't support
-# integerOrderingMatch. Omit or change if you like
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL'
- DESC 'An integer denoting time to live'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
- DESC 'The class of a resource record'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.11 NAME 'wKSRecord'
- DESC 'a well known service description, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
- DESC 'domain name pointer, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
- DESC 'host information, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
- DESC 'mailbox or mail list information, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
- DESC 'text string, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.17 NAME 'rPRecord'
- DESC 'for Responsible Person, RFC 1183'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
- DESC 'for AFS Data Base location, RFC 1183'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
- DESC 'Signature, RFC 2535'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
- DESC 'Key, RFC 2535'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.27 NAME 'gPosRecord'
- DESC 'Geographical Position, RFC 1712'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
- DESC 'IPv6 address, RFC 1886'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
- DESC 'Location, RFC 1876'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
- DESC 'non-existant, RFC 2535'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
- DESC 'service location, RFC 2782'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
- DESC 'Naming Authority Pointer, RFC 2915'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
- DESC 'Key Exchange Delegation, RFC 2230'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
- DESC 'certificate, RFC 2538'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
- DESC 'A6 Record Type, RFC 2874'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
- DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.42 NAME 'aPLRecord'
- DESC 'Lists of Address Prefixes, RFC 3123'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
- DESC 'Delegation Signer, RFC 3658'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
- DESC 'SSH Key Fingerprint, RFC 4255'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.45 NAME 'iPSecKeyRecord'
- DESC 'SSH Key Fingerprint, RFC 4025'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
- DESC 'RRSIG, RFC 3755'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
- DESC 'NSEC, RFC 3755'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.48 NAME 'dNSKeyRecord'
- DESC 'DNSKEY, RFC 3755'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.49 NAME 'dHCIDRecord'
- DESC 'DHCID, RFC 4701'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord'
- DESC 'Sender Policy Framework, RFC 4408'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-objectclass ( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2'
- SUP 'dNSDomain' STRUCTURAL
- MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $
- HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $
- AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $
- AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
- NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
- DNAMERecord $ APLRecord $ DSRecord $ SSHFPRecord $
- IPSECKEYRecord $ RRSIGRecord $ NSECRecord $
- DNSKEYRecord $ DHCIDRecord $ SPFRecord
- ) )
-debian/config/dnsdomain2.schema etc/ldap/schema/
+modules/ldapbackend/dnsdomain2.schema etc/ldap/schema/
usr/bin/zone2ldap usr/bin/
usr/lib/*/pdns/libldapbackend.so*
+++ /dev/null
-# A schema for storing DNS zones in LDAP
-#
-# ORDERING is not necessary, and some servers don't support
-# integerOrderingMatch. Omit or change if you like
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL'
- DESC 'An integer denoting time to live'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
- DESC 'The class of a resource record'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.11 NAME 'wKSRecord'
- DESC 'a well known service description, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
- DESC 'domain name pointer, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
- DESC 'host information, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
- DESC 'mailbox or mail list information, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
- DESC 'text string, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.17 NAME 'rPRecord'
- DESC 'for Responsible Person, RFC 1183'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
- DESC 'for AFS Data Base location, RFC 1183'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
- DESC 'Signature, RFC 2535'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
- DESC 'Key, RFC 2535'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.27 NAME 'gPosRecord'
- DESC 'Geographical Position, RFC 1712'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
- DESC 'IPv6 address, RFC 1886'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
- DESC 'Location, RFC 1876'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
- DESC 'non-existant, RFC 2535'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
- DESC 'service location, RFC 2782'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
- DESC 'Naming Authority Pointer, RFC 2915'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
- DESC 'Key Exchange Delegation, RFC 2230'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
- DESC 'certificate, RFC 2538'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
- DESC 'A6 Record Type, RFC 2874'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
- DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.42 NAME 'aPLRecord'
- DESC 'Lists of Address Prefixes, RFC 3123'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
- DESC 'Delegation Signer, RFC 3658'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
- DESC 'SSH Key Fingerprint, RFC 4255'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.45 NAME 'iPSecKeyRecord'
- DESC 'SSH Key Fingerprint, RFC 4025'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
- DESC 'RRSIG, RFC 3755'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
- DESC 'NSEC, RFC 3755'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.48 NAME 'dNSKeyRecord'
- DESC 'DNSKEY, RFC 3755'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.49 NAME 'dHCIDRecord'
- DESC 'DHCID, RFC 4701'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord'
- DESC 'Sender Policy Framework, RFC 4408'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-objectclass ( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2'
- SUP 'dNSDomain' STRUCTURAL
- MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $
- HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $
- AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $
- AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
- NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
- DNAMERecord $ APLRecord $ DSRecord $ SSHFPRecord $
- IPSECKEYRecord $ RRSIGRecord $ NSECRecord $
- DNSKEYRecord $ DHCIDRecord $ SPFRecord
- ) )
-debian/config/dnsdomain2.schema etc/ldap/schema/
+modules/ldapbackend/dnsdomain2.schema etc/ldap/schema/
usr/bin/zone2ldap usr/bin/
usr/lib/*/pdns/libldapbackend.so*
+++ /dev/null
-# A schema for storing DNS zones in LDAP
-#
-# ORDERING is not necessary, and some servers don't support
-# integerOrderingMatch. Omit or change if you like
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL'
- DESC 'An integer denoting time to live'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
- DESC 'The class of a resource record'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.11 NAME 'wKSRecord'
- DESC 'a well known service description, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
- DESC 'domain name pointer, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
- DESC 'host information, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
- DESC 'mailbox or mail list information, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
- DESC 'text string, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.17 NAME 'rPRecord'
- DESC 'for Responsible Person, RFC 1183'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
- DESC 'for AFS Data Base location, RFC 1183'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
- DESC 'Signature, RFC 2535'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
- DESC 'Key, RFC 2535'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.27 NAME 'gPosRecord'
- DESC 'Geographical Position, RFC 1712'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
- DESC 'IPv6 address, RFC 1886'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
- DESC 'Location, RFC 1876'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
- DESC 'non-existant, RFC 2535'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
- DESC 'service location, RFC 2782'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
- DESC 'Naming Authority Pointer, RFC 2915'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
- DESC 'Key Exchange Delegation, RFC 2230'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
- DESC 'certificate, RFC 2538'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
- DESC 'A6 Record Type, RFC 2874'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
- DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.42 NAME 'aPLRecord'
- DESC 'Lists of Address Prefixes, RFC 3123'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
- DESC 'Delegation Signer, RFC 3658'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
- DESC 'SSH Key Fingerprint, RFC 4255'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.45 NAME 'iPSecKeyRecord'
- DESC 'SSH Key Fingerprint, RFC 4025'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
- DESC 'RRSIG, RFC 3755'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
- DESC 'NSEC, RFC 3755'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.48 NAME 'dNSKeyRecord'
- DESC 'DNSKEY, RFC 3755'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.49 NAME 'dHCIDRecord'
- DESC 'DHCID, RFC 4701'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord'
- DESC 'Sender Policy Framework, RFC 4408'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-objectclass ( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2'
- SUP 'dNSDomain' STRUCTURAL
- MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $
- HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $
- AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $
- AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
- NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
- DNAMERecord $ APLRecord $ DSRecord $ SSHFPRecord $
- IPSECKEYRecord $ RRSIGRecord $ NSECRecord $
- DNSKEYRecord $ DHCIDRecord $ SPFRecord
- ) )
-debian/config/dnsdomain2.schema etc/ldap/schema/
+modules/ldapbackend/dnsdomain2.schema etc/ldap/schema/
usr/bin/zone2ldap usr/bin/
usr/lib/*/pdns/libldapbackend.so*
+++ /dev/null
-# A schema for storing DNS zones in LDAP
-#
-# ORDERING is not necessary, and some servers don't support
-# integerOrderingMatch. Omit or change if you like
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL'
- DESC 'An integer denoting time to live'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
- DESC 'The class of a resource record'
- EQUALITY caseIgnoreIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.11 NAME 'wKSRecord'
- DESC 'a well known service description, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
- DESC 'domain name pointer, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
- DESC 'host information, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
- DESC 'mailbox or mail list information, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
- DESC 'text string, RFC 1035'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.17 NAME 'rPRecord'
- DESC 'for Responsible Person, RFC 1183'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
- DESC 'for AFS Data Base location, RFC 1183'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
- DESC 'Signature, RFC 2535'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
- DESC 'Key, RFC 2535'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.27 NAME 'gPosRecord'
- DESC 'Geographical Position, RFC 1712'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
- DESC 'IPv6 address, RFC 1886'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
- DESC 'Location, RFC 1876'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
- DESC 'non-existant, RFC 2535'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
- DESC 'service location, RFC 2782'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
- DESC 'Naming Authority Pointer, RFC 2915'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
- DESC 'Key Exchange Delegation, RFC 2230'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
- DESC 'certificate, RFC 2538'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
- DESC 'A6 Record Type, RFC 2874'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
- DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.42 NAME 'aPLRecord'
- DESC 'Lists of Address Prefixes, RFC 3123'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
- DESC 'Delegation Signer, RFC 3658'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
- DESC 'SSH Key Fingerprint, RFC 4255'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.45 NAME 'iPSecKeyRecord'
- DESC 'SSH Key Fingerprint, RFC 4025'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
- DESC 'RRSIG, RFC 3755'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
- DESC 'NSEC, RFC 3755'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.48 NAME 'dNSKeyRecord'
- DESC 'DNSKEY, RFC 3755'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.49 NAME 'dHCIDRecord'
- DESC 'DHCID, RFC 4701'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord'
- DESC 'Sender Policy Framework, RFC 4408'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-objectclass ( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2'
- SUP 'dNSDomain' STRUCTURAL
- MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $
- HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $
- AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $
- AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
- NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
- DNAMERecord $ APLRecord $ DSRecord $ SSHFPRecord $
- IPSECKEYRecord $ RRSIGRecord $ NSECRecord $
- DNSKEYRecord $ DHCIDRecord $ SPFRecord
- ) )
-debian/config/dnsdomain2.schema etc/ldap/schema/
+modules/ldapbackend/dnsdomain2.schema etc/ldap/schema/
usr/bin/zone2ldap usr/bin/
usr/lib/*/pdns/libldapbackend.so*
Returns the numerical value of a parameter. Uses ``atoi()`` internally
- Sample usage from the BindBackend: getting the 'check-interval' setting:
+ Sample usage from the BIND backend: getting the 'check-interval' setting:
.. code-block:: cpp
A backend that wants to act as a 'superslave' for a master should
implement the following method:
-::
+.. code-block:: cpp
- class DNSBackend
+ class DNSBackend
{
virtual bool superMasterBackend(const string &ip, const string &domain, const vector<DNSResourceRecord>&nsset, string *account, DNSBackend **db)
};
To compile a module for inclusion at runtime, which is great if you are a unix vendor, use ``--with-dynmodules='mod1 mod2 mod3'``.
These modules then end up as .so files in the compiled ``libdir``.
-By default, the :doc:`bind <../../backends/bind>`, :doc:`mysql <../../backends/generic-mysql>` and :doc:`random <../../backends/random>` are compiled into the binary. The :doc:`pipe <../../backends/pipe>` is, by default, compiled as a runtime loadable module.
+By default, the :doc:`bind <../../backends/bind>`, :doc:`mysql <../../backends/generic-mysql>` and :doc:`random <../../backends/random>` modules are compiled into the binary. The :doc:`pipe <../../backends/pipe>` is, by default, compiled as a runtime loadable module.
Getting the sources
-------------------
-Bind zone file backend
+BIND zone file backend
======================
* Native: Yes
* Module name: bind
* Launch: ``bind``
-The BindBackend started life as a demonstration of the versatility of
+The BIND backend started life as a demonstration of the versatility of
PowerDNS but quickly gained in importance when there appeared to be
-demand for a Bind 'work-alike'.
+demand for a BIND 'work-alike'.
-The BindBackend parses a Bind-style ``named.conf`` and extracts
+The BIND backend parses a BIND-style ``named.conf`` and extracts
information about zones from it. It makes no attempt to honour other
configuration flags, which you should configure (when available) using
the PowerDNS native configuration.
-**note**: Because this backend retrieves its configuration from a text file and not a database, the HTTP API is unable to process changes for this backend. This effectively makes the API read-only for zones hosted by the BIND backend.
+Unique to this PowerDNS backend is that it serves from plain zone files,
+which allows for hand-crafting zone files, only takes a tiny footprint
+in terms of server resource usage while being
+:ref:`performant efficiently <bind_performance>`.
+
+.. note::
+ Because this backend retrieves its configuration from plain files and
+ not a database, the HTTP API is unable to process changes for this
+ backend. This effectively makes the API read-only for zones hosted by
+ the BIND backend.
Configuration Parameters
------------------------
``bind-config``
~~~~~~~~~~~~~~~
-Location of the Bind configuration file to parse.
+Location of the BIND configuration file to parse.
-PowerDNS does not support every directive supported by Bind.
+PowerDNS does not support every directive supported by BIND.
It supports the following blocks and directives:
* ``options``
``bind-check-interval``
~~~~~~~~~~~~~~~~~~~~~~~
-How often to check for zone changes. See :ref:`bind-operation` section.
+Interval in seconds to check for zone file changes. Default is 0 (disabled).
+
+See :ref:`bind-operation` section for more information.
.. _setting-bind-dnssec-db:
:ref:`metadata-presigned` domain metadata is set
during the zonetransfer.
+.. warning::
+ If this is left empty on slaves and a presigned zone is transferred,
+ it will (silently) serve it without DNSSEC. This in turn results in
+ serving the domain as bogus.
+
.. _setting-bind-hybrid:
``bind-hybrid``
Operation
---------
-On launch, the BindBackend first parses the ``named.conf`` to determine
+On launch, the BIND backend first parses the ``named.conf`` to determine
which zones need to be loaded. These will then be parsed and made
available for serving, as they are parsed. So a ``named.conf`` with
100.000 zones may take 20 seconds to load, but after 10 seconds, 50.000
zones will already be available. While a domain is being loaded, it is
not yet available, to prevent incomplete answers.
-Reloading is currently done only when a request for a zone comes in, and
-then only after :ref:`setting-bind-check-interval`.
+Reloading is currently done only when a request (or zone transfer) for a
+zone comes in, and then only after :ref:`setting-bind-check-interval`
seconds have passed after the last check. If a change occurred, access
to the zone is disabled, the file is reloaded, access is restored, and
the question is answered. For regular zones, reloading is fast enough to
zero, no checks will be performed until the ``pdns_control reload`` is
given.
+Please note that also the :ref:`setting-slave-cycle-interval` setting
+controls how often a master would notify a slave about changes.
+Especially in 'hidden master' configurations, where servers usually
+don't receive regular queries, you may want to lower that setting to a
+value as low as :ref:`setting-bind-check-interval`.
+
pdns\_control commands
----------------------
``bind-add-zone <domain> <filename>``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Add zone ``domain`` from ``filename`` to PowerDNS's bind backend. Zone
+Add zone ``domain`` from ``filename`` to PowerDNS's BIND backend. Zone
will be loaded at first request.
.. note::
``bind-domain-status <domain> [domain]``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Output status of domain or domains. Can be one of
-``seen in named.conf, not parsed``, ``parsed successfully at <time>`` or
-``error parsing at line ... at <time>``.
+Output status of domain or domains. Can be one of:
+
+* ``seen in named.conf, not parsed``,
+* ``parsed successfully at <time>`` or
+* ``error parsing at line ... at <time>``.
``bind-list-rejects``
~~~~~~~~~~~~~~~~~~~~~
``rediscover``
~~~~~~~~~~~~~~
-Reread the bind configuration file (``named.conf``). If parsing fails,
+Reread the BIND configuration file (``named.conf``). If parsing fails,
the old configuration remains in force and ``pdns_control`` reports the
error. Any newly discovered domains are read, discarded domains are
removed from memory.
All zones with a changed timestamp are reloaded at the next incoming
query for them.
+.. _bind_performance:
+
Performance
-----------
-The BindBackend does not benefit from the packet cache as it is fast
+The BIND backend does not benefit from the packet cache as it is fast
enough on its own. Furthermore, on most systems, there will be no
benefit in using multiple CPUs for the packetcache, so a noticeable
speedup can be attained by specifying
~~~~~~
Works as expected. At startup, no notification storm is performed as
-this is generally not useful. Perhaps in the future the Bind Backend
+this is generally not useful. Perhaps in the future the BIND backend
will attempt to store zone metadata in the zone, allowing it to
determine if a zone has changed its serial since the last time
notifications were sent out.
Slave
~~~~~
-Also works as expected. The Bind backend expects to be able to write to
+Also works as expected. The BIND backend expects to be able to write to
a directory where a slave domain lives. The incoming zone is stored as
'zonename.RANDOM' and atomically renamed if it is retrieved
successfully, and parsed only then.
Native zones in the BIND backend are supported since version 4.1.0 of
the PowerDNS Authoritative Server.
-**note**: Any zone with no ``type`` set (an error in BIND) is assumed to
-be native.
+.. note::
+ Any zone with no ``type`` set (an error in BIND) is assumed to be native.
domains table. The following SQL does the job:
.. literalinclude:: ../../modules/gmysqlbackend/enable-foreign-keys.mysql.sql
+ :language: SQL
Using MySQL replication
-----------------------
This is the schema for 4.2. For 4.1, please find `the 4.1 schema on GitHub <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/godbcbackend/schema.mssql.sql>`_.
.. literalinclude:: ../../modules/godbcbackend/schema.mssql.sql
+ :language: SQL
Load this into the database as follows:
Add the options required to your ``pdns.conf``:
-::
+.. code-block:: ini
launch=godbc
godbc-datasource=pdns1
Below, you will find the schema for 4.2. If you are using 4.1 or earlier, please find `the 4.1 schema on GitHub <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/goraclebackend/schema.goracle.sql>`_.
.. literalinclude:: ../../modules/goraclebackend/schema.goracle.sql
+ :language: SQL
This schema contains all elements needed for master, slave and
superslave operation.
.. _setting-gpgsql-extra-connection-parameters:
``gpgsql-extra-connection-parameters``
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Extra connection parameters to forward to postgres. If you want to pin a
specific certificate for the connection you should set this to
This is the 4.2 schema. Please find `the 4.1 schema on GitHub <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/gpgsqlbackend/schema.pgsql.sql>`_.
.. literalinclude:: ../../modules/gpgsqlbackend/schema.pgsql.sql
+ :language: SQL
within one minute (this is determined by the
:ref:`setting-slave-cycle-interval`
setting). There is no need to inform PowerDNS that a new domain was
-added. Typical output is:
-
-.. code-block:: SQL
-
- Apr 09 13:34:29 All slave domains are fresh
- Apr 09 13:35:29 1 slave domain needs checking
- Apr 09 13:35:29 Domain example.com is stale, master serial 1, our serial 0
- Apr 09 13:35:30 [gPgSQLBackend] Connected to database
- Apr 09 13:35:30 AXFR started for 'example.com'
- Apr 09 13:35:30 AXFR done for 'example.com'
- Apr 09 13:35:30 [gPgSQLBackend] Closing connection
+added. Typical output is::
+
+ Apr 09 13:34:29 All slave domains are fresh
+ Apr 09 13:35:29 1 slave domain needs checking
+ Apr 09 13:35:29 Domain example.com is stale, master serial 1, our serial 0
+ Apr 09 13:35:30 [gPgSQLBackend] Connected to database
+ Apr 09 13:35:30 AXFR started for 'example.com'
+ Apr 09 13:35:30 AXFR done for 'example.com'
+ Apr 09 13:35:30 [gPgSQLBackend] Closing connection
From now on, PowerDNS is authoritative for the 'example.com' zone and
will respond accordingly for queries within that zone.
------------------------
The last thing you need to do is telling PowerDNS to use the SQLite
-backend.
+backend in pdns.conf:
-::
+.. code-block:: ini
- # in pdns.conf
launch=gsqlite3
gsqlite3-database=<path to your SQLite database>
to the database was made.
Compiling the SQLite backend
------------------------------
+----------------------------
Before you can begin compiling PowerDNS with the SQLite backend you need
to have the SQLite utility and library installed on your system. You can
+------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
| :doc:`LDAP <ldap>` | Yes | No | No | No | No | No | ``ldap`` |
+------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`Lua <lua>` | Yes | Yes | No | No | Yes | Yes | ``lua`` |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
| :doc:`Lua2 <lua2>` | Yes | Yes | No | No | Yes | Yes | ``lua2`` |
+------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
| :doc:`MyDNS <mydns>` | Yes | No | No | No | No | No | ``mydns`` |
.. toctree::
:maxdepth: 1
+ :hidden:
bind
generic-sql
To launch the ldap backend:
-::
+.. code-block:: ini
launch=ldap
``ldap-host``
^^^^^^^^^^^^^
-(default "ldap://127.0.0.1:389/") : The values assigned to this
+(default "``ldap://127.0.0.1:389/``") : The values assigned to this
parameter can be LDAP URIs (e.g. ``ldap://127.0.0.1/`` or
``ldaps://127.0.0.1/``) describing the connection to the LDAP server.
There can be multiple LDAP URIs specified for load balancing and high
^^^^^^^^^^^^^^^^^
(default "no") : Use TLS encrypted connections to the LDAP server. This
-is only allowed if ldap-host is a ldap:// URI or a host name / IP
+is only allowed if ldap-host is an ``ldap://`` URI or a host name / IP
address.
.. _setting-ldap-timeout:
^^^^^^^^^
Wild-card domains are possible by using the asterisk in the
-``associatedDomain`` value like it is used in the bind zone files. The
+``associatedDomain`` value like it is used in the BIND zone files. The
"dc" attribute can be set to any value in simple or strict mode - this
doesn't matter.
``named.conf`` (usually located in /etc) as input and writes the dns
record entries in ldif format to stdout:
-::
+.. code-block:: shell
zone2ldap
--basedn=YOUR_BASE_DN \
Alternatively zone2ldap can be used to convert only single zone files
instead all zones:
-::
+.. code-block:: shell
zone2ldap
--basedn=YOUR_BASE_DN \
See :doc:`its manpage <../manpages/zone2ldap.1>` for a complete list of
options.
-Bind LDAP backend
+BIND LDAP backend
^^^^^^^^^^^^^^^^^
-When coming from the `Bind LDAP sdb
+When coming from the `BIND LDAP sdb
backend <http://bind9-ldap.bayour.com/>`__, the records can be kept in
the LDAP tree also for the PowerDNS LDAP backend. The schemas both
backends utilize is almost the same except for one important thing:
Domains for PowerDNS are stored in the attribute "associatedDomain"
-whereas Bind stores them split in "relativeDomainName" and "zoneName".
+whereas BIND stores them split in "relativeDomainName" and "zoneName".
There is a `migration
script <http://www.linuxnetworks.de/pdnsldap/bind2pdns-ldap>`__ which
the "associatedDomain" and "dc" attributes. The utility is executed on
the command line by:
-::
+.. code-block:: shell
./bind2pdns-ldap
--host=HOSTNAME_OR_IP \
^^^^^^^^^^^^^^^^^
The easiest way for migrating DNS records is to use the output of a zone
-transfer (AXFR). Save the output of the ``dig`` program provided by bind
+transfer (AXFR). Save the output of the ``dig`` program provided by BIND
into a file and call ``zone2ldap`` with the file name as option to the
``--zone-file`` parameter. This will generate the appropriate ldif file,
which can be imported into the LDAP tree. The bash script except below
automates this:
-::
+.. code-block:: shell
DNSSERVER=127.0.0.1
DOMAINS="example.com 10.10.in-addr.arpa"
^^^^^^^^^^^^
Support for more authentication methods would be handy. Anyone
-interested may `contribute <https://github.com/PowerDNS/pdns>`__.?
+interested may `contribute <https://github.com/PowerDNS/pdns>`__.
All these ``log_facilities`` is available:
- * ``log_all``
- * ``log_ntlog``
- * ``log_alert``
- * ``log_critical``
- * ``log_error``
- * ``log_warning``
- * ``log_notice,``
- * ``log_info``
- * ``log_debug``
- * ``log_none``
+* ``log_all``
+* ``log_ntlog``
+* ``log_alert``
+* ``log_critical``
+* ``log_error``
+* ``log_warning``
+* ``log_notice,``
+* ``log_info``
+* ``log_debug``
+* ``log_none``
``dnspacket()``
~~~~~~~~~~~~~~~
Can only be used in the functions ``list()`` and ``getsoa()``.
+.. _backends_lua_fun_getarg:
+
``getarg("PARAMETER")``
~~~~~~~~~~~~~~~~~~~~~~~
``mustdo("PARAMETER")``
~~~~~~~~~~~~~~~~~~~~~~~
-This is the same as ```getarg()`` <#getarg>`__ but return a boolean
-instead of a string.
+This is the same as :ref:`getarg() <backends_lua_fun_getarg>`, but returns
+a boolean instead of a string.
You also have all the different QTypes in a table called 'QTypes'.
This will yield the following result:
-::
+.. code-block:: shell
- $dig any www.test.com @127.0.0.1 -p5300 +multiline
+ $ dig any www.test.com @127.0.0.1 -p5300 +multiline
; <<>> DiG 9.7.3 <<>> any www.test.com @127.0.0.1 -p5300 +multiline
;; global options: +cmd
;; Got answer:
.. _setting-lua-f_lookup:
-``lua-f_lookup = mynewfunction``
+.. code-block:: ini
+
+ lua-f_lookup = mynewfunction
will call the function ``mynewfunction`` for the lookup-routine.
First make your error function then you put this in ``pdns.conf``:
-``lua-f_exec_error = YOUR_METHOD``
+.. code-block:: ini
+
+ lua-f_exec_error = YOUR_METHOD
DNSSEC
------
OUTPUT:
Expects a array which has tables with following keys:
+
- DNSName name - resource record name (can also be string)
- string type - type of resource record (can also be QType or valid integer)
- string content - resource record content
NOTES:
This function is **optional**.
+
+.. _backends_lua2_dns_get_domaininfo:
``dns_get_domaininfo(domain)``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OUTPUT:
Return false if not supported or found, otherwise expects a table with keys:
+
- string account - Associated account of this domain (default: <empty>)
- string kind - Domain kind (NATIVE,MASTER,SLAVE) (default: NATIVE)
- int id - Associated domain ID (default: -1)
Get domain information for all domains.
OUTPUT:
- Return false if not supported or found, otherwise return a table of string, domaininfo. See ``dns_get_domaininfo```.
+ Return false if not supported or found, otherwise return a table of string,
+ domaininfo. See :ref:`dns_get_domaininfo() <backends_lua2_dns_get_domaininfo>`.
NOTES:
This function is **optional**, except if you need master functionality.
OUTPUT:
Return false if not found or supported, otherwise expects array of tables with keys:
+
- int id - Key ID
- int flags - Key flags
- bool active - Is key active
OUTPUT:
Table with keys:
+
- unhashed - DNSName of the unhashed relative to domain
- before - (hashed) name of previous record relative to domain
- after - (hashed) name of next record relative to domain
(including the trailing slash or backslash, depending on your operating
system) and opendbx-database to the name of the file.
-.. code-block:: SQL
+.. code-block:: ini
opendbx-host-read = /path/to/file/
opendbx-host-write = /path/to/file/
SQLite Schema
~~~~~~~~~~~~~
-::
+.. code-block:: SQL
CREATE TABLE "domains" (
"id" INTEGER NOT NULL PRIMARY KEY,
SQLite3 Schema
~~~~~~~~~~~~~~
-::
+.. code-block:: SQL
CREATE TABLE "domains" (
"id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
the database file and doesn't support the default statement for starting
transactions. Please add the following lines to your pdns.conf:
-::
+.. code-block:: ini
opendbx-database = /var/lib/firebird2/data/powerdns.gdb
opendbx-sql-transactbegin = SET TRANSACTION
(key size exceeds implementation restriction for index
"pdns\_unq\_domains\_name") when creating the tables.
-::
+.. code-block:: SQL
CREATE TABLE "domains" (
"id" INTEGER NOT NULL,
default statement for starting transactions. Please add the following
lines to your pdns.conf:
-::
+.. code-block:: ini
opendbx-host-read = MSSQL2k
opendbx-host-write = MSSQL2k
opendbx-sql-transactbegin = BEGIN TRANSACTION
-::
+.. code-block:: SQL
SET quoted_identifier ON;
doesn't support the default statement for starting transactions. Please
add the following lines to your pdns.conf:
-::
+.. code-block:: ini
opendbx-host-read = SYBASE
opendbx-host-write = SYBASE
opendbx-sql-transactbegin = BEGIN TRANSACTION
-::
+.. code-block:: SQL
SET quoted_identifier ON;
Uses a different syntax for transactions and requires the following
additional line in your pdns.conf:
-::
+.. code-block:: ini
opendbx-sql-transactbegin = SET TRANSACTION NAME 'AXFR'
-::
+.. code-block:: SQL
CREATE TABLE "domains" (
"id" INTEGER NOT NULL,
Looking for records based on owner name and type. Default:
-::
+.. code-block:: SQL
SELECT fqdn, ttl, type, content, zone_id, last_change, auth
FROM Records
Looking for records from one zone based on owner name and type. Default:
-::
+.. code-block:: SQL
SELECT fqdn, ttl, type, content, zone_id, last_change, auth
FROM Records
Looking for records based on owner name. Default:
-::
+.. code-block:: SQL
SELECT fqdn, ttl, type, content, zone_id, last_change, auth
FROM Records
Looking for records from one zone based on owner name. Default:
-::
+.. code-block:: SQL
SELECT fqdn, ttl, type, content, zone_id, last_change, auth
FROM Records
Looking for all records from one zone. Default:
-::
+.. code-block:: SQL
SELECT fqdn, ttl, type, content, zone_id, last_change, auth
FROM Records
Fetch the content of the metadata entries of type ':kind' for the zone
called ':name', in their original order. Default:
-::
+.. code-block:: SQL
SELECT md.meta_content
FROM Zones z JOIN ZoneMetadata md ON z.id = md.zone_id
You can skip this if you do not plan to manage zones with the
``pdnsutil`` tool. Default:
-::
+.. code-block:: SQL
DELETE FROM ZoneMetadata md
WHERE zone_id = (SELECT id FROM Zones z WHERE z.name = lower(:name))
Create a metadata entry. You can skip this if you do not plan to manage
zones with the ``pdnsutil`` tool. Default:
-::
+.. code-block:: SQL
INSERT INTO ZoneMetadata (zone_id, meta_type, meta_ind, meta_content)
VALUES (
Retrieved the TSIG key specified by ':name'. Default:
-::
+.. code-block:: SQL
SELECT algorithm, secret
FROM TSIGKeys
Retrieve the DNSSEC signing keys for a zone. Default:
-::
+.. code-block:: SQL
SELECT k.id, k.flags, k.active, k.keydata
FROM ZoneDNSKeys k JOIN Zones z ON z.id = k.zone_id
Delete a DNSSEC signing key. You can skip this if you do not plan to
manage zones with the ``pdnsutil`` tool. Default:
-::
+.. code-block:: SQL
DELETE FROM ZoneDNSKeys WHERE id = :keyid
Add a DNSSEC signing key. You can skip this if you do not plan to manage
zones with the ``pdnsutil`` tool. Default:
-::
+.. code-block:: SQL
- INSERT INTO ZoneDNSKeys (id, zone_id, flags, active, keydata) "
+ INSERT INTO ZoneDNSKeys (id, zone_id, flags, active, keydata)
VALUES (
zonednskeys_id_seq.NEXTVAL,
(SELECT id FROM Zones WHERE name = lower(:name)),
Enable or disable a DNSSEC signing key. You can skip this if you do not
plan to manage zones with the **pdnsutil** tool. Default:
-::
+.. code-block:: SQL
UPDATE ZoneDNSKeys SET active = :active WHERE id = :keyid
Default:
-::
+.. code-block:: SQL
BEGIN
get_canonical_prev_next(:zoneid, :name, :prev, :next);
successor in NSEC3 zone ordering into ``:prev`` and ``:next``, and the
FQDN of the predecessor into ``:unhashed``. Default:
-::
+.. code-block:: SQL
BEGIN
get_hashed_prev_next(:zoneid, :hash, :unhashed, :prev, :next);
Get some basic information about the named zone before doing
master/slave things. Default:
-::
+.. code-block:: SQL
SELECT id, name, type, last_check, serial, notified_serial
FROM Zones
transfer. This happens inside a transaction, so if the transfer fails,
the old zone content will still be there. Default:
-::
+.. code-block:: SQL
DELETE FROM Records WHERE zone_id = :zoneid
happens inside the same transaction as delete-zone, so we will not end
up with a partially transferred zone. Default:
-::
+.. code-block:: SQL
INSERT INTO Records (id, fqdn, zone_id, ttl, type, content)
VALUES (records_id_seq.NEXTVAL, lower(:name), :zoneid, :ttl, :type, :content)
generally do any post-processing your schema requires. The do-nothing
default:
-::
+.. code-block:: SQL
DECLARE
zone_id INTEGER := :zoneid;
Return multiple rows, identical except for the master address, for zones
with more than one master. Default:
-::
+.. code-block:: SQL
SELECT z.id, z.name, z.last_check, z.serial, zm.master
FROM Zones z JOIN Zonemasters zm ON z.id = zm.zone_id
Set the last check timestamp after a successful check. Default:
-::
+.. code-block:: SQL
UPDATE Zones SET last_check = :lastcheck WHERE id = :zoneid
Return a list of zones that need to have ``NOTIFY`` packets sent out.
Default:
-::
+.. code-block:: SQL
SELECT id, name, serial, notified_serial
FROM Zones
Set the last notified serial after packets have been sent. Default:
-::
+.. code-block:: SQL
UPDATE Zones SET notified_serial = :serial WHERE id = :zoneid
nameservers in the NS records, when sending ``NOTIFY`` packets for the
named zone. Default:
-::
+.. code-block:: SQL
SELECT an.hostaddr
FROM Zones z JOIN ZoneAlsoNotify an ON z.id = an.zone_id
Return a list of masters for the zone specified by id. Default:
-::
+.. code-block:: SQL
SELECT master
FROM Zonemasters
Return a row if the specified host is a registered master for the named
zone. Default:
-::
+.. code-block:: SQL
SELECT zm.master
FROM Zones z JOIN Zonemasters zm ON z.id = zm.zone_id
If a supernotification should be accepted from ':ip', for the master
nameserver ':ns', return a label for this supermaster. Default:
-::
+.. code-block:: SQL
SELECT name
FROM Supermasters
A supernotification has just been accepted, and we need to create an
entry for the new zone. Default:
-::
+.. code-block:: SQL
INSERT INTO Zones (id, name, type)
VALUES (zones_id_seq.NEXTVAL, lower(:zone), 'SLAVE')
We need to register the first master server for the newly created zone.
Default:
-::
+.. code-block:: SQL
INSERT INTO Zonemasters (zone_id, master)
VALUES (:zoneid, :ip)
The only configuration options for backend are remote-connection-string
and remote-dnssec.
-::
+.. code-block:: ini
remote-connection-string=<type>:<param>=<value>,<param>=<value>...
parameters: path, timeout (default 2000ms)
-::
+.. code-block:: ini
remote-connection-string=unix:path=/path/to/socket
parameters: command,timeout (default 2000ms)
-::
+.. code-block:: ini
remote-connection-string=pipe:command=/path/to/executable,timeout=2000
parameters: url, url-suffix, post, post_json, timeout (default 2000ms)
-::
+.. code-block:: ini
remote-connection-string=http:url=http://localhost:63636/dns,url-suffix=.php
parameters: endpoint, timeout (default 2000ms)
-::
+.. code-block:: ini
remote-connection-string=zeromq:endpoint=ipc:///tmp/tmp.sock
Query:
-::
+.. code-block:: json
{"method":"initialize", "parameters":{"command":"/path/to/something", "timeout":"2000", "something":"else"}}
Response:
-::
+.. code-block:: json
{"result":true}
Query:
-::
+.. code-block:: json
{"method":"lookup", "parameters":{"qtype":"ANY", "qname":"www.example.com.", "remote":"192.0.2.24", "local":"192.0.2.1", "real-remote":"192.0.2.24", "zone-id":-1}}
Response:
-::
+.. code-block:: json
{"result":[{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}]}
Query:
-::
+.. code-block:: json
{"method":"list", "parameters":{"zonename":"example.com.","domain_id":-1}}
Response (split into lines for ease of reading)
-::
+.. code-block:: json
{"result":[
{"qtype":"SOA", "qname":"example.com", "content":"dns1.icann.org. hostmaster.icann.org. 2012081600 7200 3600 1209600 3600", "ttl": 3600},
Query:
-::
+.. code-block:: json
{"method":"getbeforeandafternamesabsolute", "params":{"id":0,"qname":"www.example.com"}}
Response:
-::
+.. code-block:: json
- {”result":{"before":"ns1","after":""}}
+ {"result":{"before":"ns1","after":""}}
Example HTTP/RPC
''''''''''''''''
Response:
-::
+.. code-block:: json
- {”result":{"before":"ns1","after":""}}
+ {"result":{"before":"ns1","after":""}}
``getAllDomainMetadata``
~~~~~~~~~~~~~~~~~~~~~~~~
always return something, if there are no values, you shall return empty
set or false.
- * Mandatory: No
- * Parameters: name
- * Reply: hash of key to array of strings
+* Mandatory: No
+* Parameters: name
+* Reply: hash of key to array of strings
Example JSON/RPC
''''''''''''''''
Query:
-::
+.. code-block:: json
{"method":"getalldomainmetadata", "parameters":{"name":"example.com"}}
Response:
-::
+.. code-block:: json
{"result":{"PRESIGNED":["0"]}}
Query:
-::
+.. code-block:: json
{"method":"getdomainmetadata", "parameters":{"name":"example.com.","kind":"PRESIGNED"}}
Response:
-::
+.. code-block:: json
{"result":["0"]}
Query:
-::
+.. code-block:: json
{"method":"setdomainmetadata","parameters":{"name":"example.com","kind":"PRESIGNED","value":["YES"]}}
Response:
-::
+.. code-block:: json
{"result":true}
Query:
-::
+.. code-block:: json
{"method":"getdomainkeys","parameters":{"name":"example.com."}}
Response:
-::
+.. code-block:: json
{"result":[{"id":1,"flags":256,"active":true,"content":"Private-key-format: v1.2
Algorithm: 8 (RSASHA256)
Query:
-::
+.. code-block:: json
{"method":"adddomainkey", "parameters":{"key":{"id":1,"flags":256,"active":true,"content":"Private-key-format: v1.2
Algorithm: 8 (RSASHA256)
Response:
-::
+.. code-block:: json
{"result":true}
Query:
-::
+.. code-block:: json
- {"method":"removedomainkey","parameters":"{"name":"example.com","id":1}}
+ {"method":"removedomainkey","parameters":{"name":"example.com","id":1}}
Response:
-::
+.. code-block:: json
{"result":true}
Query:
-::
+.. code-block:: json
{"method":"activatedomainkey","parameters":{"name":"example.com","id":1}}
Response:
-::
+.. code-block:: json
{"result":true}
Query:
-::
+.. code-block:: json
{"method":"deactivatedomainkey","parameters":{"name":"example.com","id":1}}
Response:
-::
+.. code-block:: json
{"result": true}
Query:
-::
+.. code-block:: json
{"method":"gettsigkey","parameters":{"name":"example.com."}}
Response:
-::
+.. code-block:: json
- {"result":{"algorithm":"hmac-md5","content:"kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="}}
+ {"result":{"algorithm":"hmac-md5","content":"kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="}}
Example HTTP/RPC
''''''''''''''''
Query:
-::
+.. code-block:: json
{"method":"getdomaininfo","parameters":{"name":"example.com"}}
Response:
-::
+.. code-block:: json
- {"result":{id:1,"zone":"example.com","kind":"NATIVE","serial":2002010100}}
+ {"result":{"id":1,"zone":"example.com","kind":"NATIVE","serial":2002010100}}
Example HTTP/RPC
''''''''''''''''
Query:
-::
+.. code-block:: json
{"method":"setnotified","parameters":{"id":1,"serial":2002010100}}
Response:
-::
+.. code-block:: json
{"result":true}
Query:
-::
+.. code-block:: json
{"method":"isMaster","parameters":{"name":"example.com","ip":"198.51.100.0.1"}}
Response:
-::
+.. code-block:: json
{"result":true}
Query:
-::
+.. code-block:: json
{"method":"superMasterBackend","parameters":{"ip":"198.51.100.0.1","domain":"example.com","nsset":[{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns1.example.com","ttl":300,"auth":true},{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns2.example.com","ttl":300,"auth":true}]}}
Response:
-::
+.. code-block:: json
{"result":true}
Alternative response:
-::
+.. code-block:: json
{"result":{"account":"my account","nameserver":"ns2.example.com"}}
Query:
-::
+.. code-block:: json
{"method":"createSlaveDomain","parameters":{"ip":"198.51.100.0.1","domain":"pirate.example.net"}}
Response:
-::
+.. code-block:: json
{"result":true}
Query:
-::
+.. code-block:: json
{"method":"replaceRRSet","parameters":{"domain_id":2,"qname":"replace.example.com","qtype":"A","trxid":1370416133,"rrset":[{"qtype":"A","qname":"replace.example.com","qclass":1,"content":"1.1.1.1","ttl":300,"auth":true}]}}
Response:
-::
+.. code-block:: json
{"result":true}
Query:
-::
+.. code-block:: json
{"method":"feedRecord","parameters":{"rr":{"qtype":"A","qname":"replace.example.com","qclass":1,"content":"127.0.0.1","ttl":300,"auth":true},"trxid":1370416133}}
Response:
-::
+.. code-block:: json
{"result":true}
Query:
-::
+.. code-block:: json
{"method":"feedEnts","parameters":{"domain_id":2,"trxid":1370416133,"nonterm":["_sip._udp","_udp"]}}
Response:
-::
+.. code-block:: json
{"result":true}
Query:
-::
+.. code-block:: json
{"method":"feedEnts3","parameters":{"domain_id":2,"domain":"example.com","times":1,"salt":"9642","narrow":false,"trxid":1370416356,"nonterm":["_sip._udp","_udp"]}}
Response:
-::
+.. code-block:: json
{"result":true}
Query:
-::
+.. code-block:: json
{"method":"startTransaction","parameters":{"trxid":1234,"domain_id":1,"domain":"example.com"}}
Response:
-::
+.. code-block:: json
{"result":true}
Query:
-::
+.. code-block:: json
{"method":"commitTransaction","parameters":{"trxid":1234}}
Response:
-::
+.. code-block:: json
{"result":true}
Query:
-::
+.. code-block:: json
{"method":"abortTransaction","parameters":{"trxid":1234}}
Response:
-::
+.. code-block:: json
{"result":true}
Query:
-::
+.. code-block:: json
{"method":"calculateSOASerial","parameters":{"domain":"unit.test","sd":{"qname":"unit.test","nameserver":"ns.unit.test","hostmaster":"hostmaster.unit.test","ttl":300,"serial":1,"refresh":2,"retry":3,"expire":4,"default_ttl":5,"domain_id":-1,"scopeMask":0}}}
Response:
-::
+.. code-block:: json
{"result":2013060501}
Query:
-::
+.. code-block:: json
{"method":"directBackendCmd","parameters":{"query":"PING"}}
Response:
-::
+.. code-block:: json
{"result":"PONG"}
Query:
-::
+.. code-block:: json
{"method": "getAllDomains", "parameters": {"include_disabled": true}}
Response:
-::
+.. code-block:: json
{"result":[{"id":1,"zone":"unit.test.","masters":["10.0.0.1"],"notified_serial":2,"serial":2,"last_check":1464693331,"kind":"native"}]}
Query:
-::
+.. code-block:: json
{"method":"searchRecords","parameters":{"pattern":"www.example*","maxResults":100}}
Response:
-::
+.. code-block:: json
{"result":[{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}]}
Query:
-::
+.. code-block:: json
{"method": "getUpdatedMasters", "parameters": {}}
Response:
-::
+.. code-block:: json
{"result":[{"id":1,"zone":"unit.test.","masters":["10.0.0.1"],"notified_serial":2,"serial":2,"last_check":1464693331,"kind":"master"}]}
Query:
-::
+.. code-block:: json
{
"method": "lookup",
Reply:
-::
+.. code-block:: json
{
"result":
Reply:
-::
+.. code-block:: json
{
"result":
Released June 29th 2016
-**note**: rc1 was tagged in git but never officially released. Kees
-Monshouwer discovered an issue in the gmysql backend that would
-terminate the daemon on a connection error, this fixed in rc2.
+.. note::
+ rc1 was tagged in git but never officially released. Kees
+ Monshouwer discovered an issue in the gmysql backend that would
+ terminate the daemon on a connection error, this fixed in rc2.
This Release Candidate adds IXFR consumption and fixes some issues with
prepared statements:
:tags: Tools, Improvements
:pullreq: 4584
- Allow setting the account of a zone via pdnsutil (Tuxis Internet Engineering).
+ Allow setting the account of a zone via pdnsutil (Tuxis Internet Engineering).
.. change::
:tags: Internals, New Features
:tickets: 7357
API: Add response-by-qtype and response-by-rcode on /statistics endpoint
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 6021
+
+ Several improvements to processing of notifies.
+
+ * Turn off supermaster support by default (adds new setting).
+ * PowerDNS was wasting a lot of queries while processing notifies.
+ * Use comboaddress for IPs (was strings)
If however our slaves would ignore us, as some are prone to do, we can
send some additional notifications
-::
+.. code-block:: shell
$ sudo pdns_control notify example.org
Added to queue
Conversely, if PowerDNS needs to be reminded to retrieve a zone from a
master, a command is provided
-::
+.. code-block:: shell
$ sudo pdns_control retrieve forfun.net
Added retrieval request for 'forfun.net' from master 212.187.98.67
Disclosure Policy
^^^^^^^^^^^^^^^^^
- - Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- - Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- - We will always credit researchers in our :doc:`../security-advisories/index`.
-
+- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
+- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
+- We will always credit researchers in our :doc:`../security-advisories/index`.
As an example, securing an existing zone can be as simple as:
-::
+.. code-block:: shell
$ pdnsutil secure-zone powerdnssec.org
never published.
To make sure that the internet knows that the key that is used for
-signing is the authentic key, confirmation can be gotten from the parent
+signing is the authentic key, confirmation can be obtained from the parent
zone. This means that to become operational, a zone operator will have
to publish a representation of the signing key to the parent zone, often
a ccTLD or a gTLD. This representation is called a DS record, and is a
To deliver a correctly signed zone with the :ref:`dnssec-pdnsutil-dnssec-defaults`, invoke:
-::
+.. code-block:: shell
pdnsutil secure-zone ZONE
To view the DS records for this zone (to transfer to the parent zone),
run
-::
+.. code-block:: shell
pdnsutil show-zone ZONE
For a more traditional setup with a KSK and a ZSK, use the following
sequence of commands:
-::
+.. code-block:: shell
pdnsutil add-zone-key ZONE ksk 2048 active rsasha256
pdnsutil add-zone-key ZONE zsk 1024 active rsasha256
industry standard private key format, version 1.2. To import an existing
KSK, use
-::
+.. code-block:: shell
pdnsutil import-zone-key ZONE FILENAME ksk
Such a single replicated database requires no further attention beyond
monitoring already required during non-DNSSEC operations.
+Please note that the ALIAS record type is
+:ref:`not supported <alias_and_dnssec>` in this mode.
+
Records, Keys, signatures, hashes within PowerDNS in online signing mode
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
existence of a record, and this setting, which is also stored away from zone
records, lives with the DNSSEC keying material.
+.. _dnssec-nsec-modes:
+
(Hashed) Denial of Existence
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PowerDNS supports unhashed secure denial-of-existence using NSEC
records. These are generated with the help of the (database) backend,
which needs to be able to supply the 'previous' and 'next' records in
-canonical ordering.
+canonical ordering. NSEC is the default mode for secured zones in
+PowerDNS.
The Generic SQL Backends have fields that allow them to supply these
relative record names.
NSEC3 in 'broad' or 'inclusive' mode works with the aid of the backend,
where the backend should be able to supply the previous and next domain
-names in hashed order.
+names in hashed order. This is the default mode for NSEC3 in PowerDNS.
NSEC3 in 'narrow' mode uses additional hashing calculations to provide
-hashed secure denial-of-existence 'on the fly', without further
-involving the database.
+hashed secure denial-of-existence 'on the fly' per
+`RFC 7129 <https://tools.ietf.org/html/rfc7129>`__, without further
+involving the database. This mode will make PowerDNS to send out "white
+lies" and prevents zone enumeration, but these responses require online
+signing capabilities by all nameservers and therefore denies incoming
+AXFRs for zones in this mode.
.. _dnssec-signatures:
is derived from the SOA records *minimum* field. When using NSEC3, the
TTL of the NSEC3PARAM record is also derived from that field.
+.. _dnssec_presigned_records:
+
Pre-signed records
------------------
In this mode, PowerDNS serves zones that already contain DNSSEC records.
-Such zones can either be slaved from a remote master, or can be signed
-using tools like OpenDNSSEC, ldns-signzone, and dnssec-signzone.
+Such zones can either be slaved from a remote master in online signing
+mode, or can be pre-signed using tools like OpenDNSSEC, ldns-signzone,
+and dnssec-signzone.
Even in this mode, PowerDNS will synthesize NSEC(3) records itself
because of its architecture. RRSIGs of these NSEC(3) will still need to
BIND-mode operation
-------------------
-The :doc:`bindbackend <../backends/bind>` can manage keys in an
-SQLite3 database without launching a separate gsqlite3 backend.
+The :doc:`BIND backend <../backends/bind>` can manage keys and other
+DNSSEC-related :doc:`domain metadata <../domainmetadata>` in an SQLite3
+database without launching a separate gsqlite3 backend.
-To use this mode, add
-``bind-dnssec-db=/var/db/bind-dnssec-db.sqlite3`` to pdns.conf, and run
-``pdnsutil create-bind-db /var/db/bind-dnssec-db.sqlite3``. Then,
-restart PowerDNS.
+To use this mode, run
+``pdnsutil create-bind-db /var/db/bind-dnssec-db.sqlite3`` and set
+:ref:`setting-bind-dnssec-db` in pdns.conf to the path of the created
+database. Then, restart PowerDNS.
.. note::
This SQLite database is different from the database used for the regular :doc:`SQLite 3 backend <../backends/generic-sqlite3>`.
--------------------------
PowerDNS can also operate based on 'BIND'-style zone & configuration
-files. This 'bindbackend' has full knowledge of DNSSEC but has no
+files. This 'BIND backend' has full knowledge of DNSSEC but has no
native way of storing keying material.
However, since PowerDNS supports operation with multiple simultaneous
backends, this is not a problem.
In hybrid mode, keying material and zone records are stored in different
-backends. This allows for 'bindbackend' operation in full DNSSEC mode.
+backends. This allows for 'BIND backend' operation in full DNSSEC mode.
To benefit from this mode, include at least one database-based backend
in the :ref:`setting-launch` statement. See the :doc:`backend specific documentation <../backends/index>`
Going insecure
--------------
-::
+.. code-block:: shell
pdnsutil disable-dnssec ZONE
parent zone will make the zone BOGUS. Make sure the parent zone removes
the DS record *before* going insecure.
+.. _dnssec-operational-nsec-modes-params:
+
Setting the NSEC modes and parameters
-------------------------------------
As stated earlier, PowerDNS uses NSEC by default. If you want to use
NSEC3 instead, issue:
-::
+.. code-block:: shell
- pdnsutil set-nsec3 ZONE [PARAMETERS]
+ pdnsutil set-nsec3 ZONE [PARAMETERS] ['narrow']
e.g.
-::
+.. code-block:: shell
pdnsutil set-nsec3 example.net '1 0 1 ab'
- Flags, set to ``1`` for :rfc:`NSEC3 Opt-out <5155#section-6>`, this best
set as ``0``
- Number of iterations of the hash function, read :rfc:`RFC 5155, Section
- 10.3 <5155#section-10.3>` for recommendations
+ 10.3 <5155#section-10.3>` for recommendations. Limited by the
+ :ref:`setting-max-nsec3-iterations` setting.
- Salt to apply during hashing, in hexadecimal, or ``-`` to use no salt
+Optionally, NSEC3 can be set to 'narrow' mode. For more information refer
+to :ref:`dnssec-nsec-modes`.
+
To convert a zone from NSEC3 to NSEC operations, run:
-::
+.. code-block:: shell
pdnsutil unset-nsec3 ZONE
is considered undesirable. In this case, consider running in pre-signed
mode.
+A slightly more complex approach is running a *hidden* master in simple
+online signing mode, but on a highly secured system unreachable for the
+public. Internet-connected slaves can then transfer the zones pre-signed
+from this master over a secure private network. This topology offers
+substantial security benefits with regards to key material while
+maintaining ease of daily operation by PowerDNS's features in online
+mode.
+
+See also :ref:`dnssec_presigned_records`.
+
Performance
-----------
Since version 4.0, when securing a zone using ``pdnsutil secure-zone``,
a single ECDSA (algorithm 13, ECDSAP256SHA256) key is generated that is
-used as ZSK. Before 4.0, 3 RSA (algorithm 8) keys were generated, one as
+used as CSK. Before 4.0, 3 RSA (algorithm 8) keys were generated, one as
the KSK and two ZSKs. As all keys are online in the database, it made no
sense to have this split-key setup.
recommended** to use this in production.
Instructions on how to setup SoftHSM to work with the feature after
-compilation on ubuntu/debian (tested with Ubuntu 12 and 14). -
-``apt-get install softhsm p11-kit opensc`` - create directory
-/etc/pkcs11/modules - Add file called 'softhsm' there with (on newer
-versions, use softhsm.module)
-``module: /home/cmouse/softhsm/lib/softhsm/libsofthsm.so managed: yes``
-- Verify it works: ``p11-kit -l`` - Create at least two tokens (ksk and
-zsk) with (slot-number starts from 0)
+compilation on Ubuntu/Debian (tested with Ubuntu 12.04 and 14.04).
-::
+- ``apt-get install softhsm p11-kit opensc``
+- create directory ``/etc/pkcs11/modules``
+- create a file ``softhsm`` (``softhsm.module`` on newer versions),
+ with contents:::
- ```
- sudo softhsm --init-token --slot slot-number --label zone-ksk|zone-zsk --pin some-pin --so-pin another-pin
- ```
-
-- Using pkcs11-tool, initialize your new keys.
+ module: /home/cmouse/softhsm/lib/softhsm/libsofthsm.so managed: yes
- ::
+- Verify that it works: ``p11-kit -l``
+- Create at least two tokens (ksk and zsk) with (slot-number starts from 0)::
- sudo pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk|zone-zsk --slot-index slot-number
+ sudo softhsm --init-token --slot slot-number --label zone-ksk|zone-zsk --pin some-pin --so-pin another-pin
-- Assign the keys using (note that token label is not necessarily same
- as object label, see p11-kit -l)
+- Using pkcs11-tool, initialize your new keys.::
- ::
+ sudo pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk|zone-zsk --slot-index slot-number
- pdnsutil hsm assign zone rsasha256 ksk|zsk softhsm token-label pin zone-ksk|zsk
+- Assign the keys using (note that token label is not necessarily same
+ as object label, see p11-kit -l)::
-- Verify that everything worked, you should see valid data there
+ pdnsutil hsm assign zone rsasha256 ksk|zsk softhsm token-label pin zone-ksk|zsk
- ::
+- Verify that everything worked, you should see valid data there::
- pdnsutil show-zone zone
+ pdnsutil show-zone zone
- SoftHSM signatures are fast enough to be used in live environment.
-------------
Instructions on how to use CryptAS
-```Athena IDProtect Key USB Token V2J`` <http://www.cryptoshop.com/products/smartcards/idprotect-key-j-laser.html>`__
-Smart Card token on Ubuntu 14. - install the manufacturer\`s support
-software on your system and initialize the Smart Card token as per
-instructions (do not use PIV). - apt-get install p11-kit opensc - create
-directory /etc/pkcs11/modules - Add file called 'athena.module' with
-content
+`Athena IDProtect Key USB Token V2J <http://www.cryptoshop.com/products/smartcards/idprotect-key-j-laser.html>`_
+Smart Card token on Ubuntu 14.04.
-::
+- Install the manufacturer's support software on your system and initialize
+ the Smart Card token as per instructions (do not use PIV).
+- ``apt-get install p11-kit opensc``
+- Create directory ``/etc/pkcs11/modules``.
+- Create file named ``athena.module`` with contents::
- ```
module: /lib64/libASEP11.so
managed: yes
- ```
-
-- Verify it worked, it should resemble output below. do not continue if
- this does not show up.
-
- ::
-
- $ p11-kit -l
- athena: /lib64/libASEP11.so
- library-description: ASE Cryptoki
- library-manufacturer: Athena Smartcard Solutions
- library-version: 3.1
- token: IDProtect#0A50123456789
- manufacturer: Athena Smartcard Solutions
- model: IDProtect
- serial-number: 0A50123456789
- hardware-version: 1.0
- firmware-version: 1.0
- flags:
- rng
- login-required
- user-pin-initialized
- token-initialized
-
-- Using pkcs11-tool, initialize your new keys. After this IDProtect
- Manager no longer can show your token certificates and keys, at least
- on version v6.23.04.
-
- ::
-
- pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk
- pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-zsk
-
-- Verify that keys are there.
-
- ::
-
- $ pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -O
- Using slot 0 with a present token (0x0)
- Public Key Object; RSA 2048 bits
- label: zone-ksk
- Usage: encrypt, verify, wrap
- Public Key Object; RSA 2048 bits
- label: zone-zsk
- Usage: encrypt, verify, wrap
- Private Key Object; RSA
- label: zone-ksk
- Usage: decrypt, sign, unwrap
- Private Key Object; RSA
- label: zone-zsk
- Usage: decrypt, sign, unwrap
-
-- Assign the keys using
-
- ::
-
- pdnsutil hsm assign zone rsasha256 ksk|zsk athena IDProtect#0A50123456789 pin zone-ksk|zsk
-
-- Verify that everything worked, you should see valid data there.
-
- ::
-
- pdnsutil show-zone zone
-
-- Note that the physical token is pretty slow, so you have to use it as
- hidden master. It has been observed to produce about
- 1.5signatures/second.
-
+- Verify it worked, it should resemble output below. Do not continue if
+ this does not show up. ::
+
+ $ p11-kit -l
+ athena: /lib64/libASEP11.so
+ library-description: ASE Cryptoki
+ library-manufacturer: Athena Smartcard Solutions
+ library-version: 3.1
+ token: IDProtect#0A50123456789
+ manufacturer: Athena Smartcard Solutions
+ model: IDProtect
+ serial-number: 0A50123456789
+ hardware-version: 1.0
+ firmware-version: 1.0
+ flags:
+ rng
+ login-required
+ user-pin-initialized
+ token-initialized
+
+- Using pkcs11-tool, initialize your new keys. After this IDProtect
+ Manager no longer can show your token certificates and keys, at least
+ on version v6.23.04. ::
+
+ pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk
+ pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-zsk
+
+- Verify that keys are there::
+
+ $ pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -O
+ Using slot 0 with a present token (0x0)
+ Public Key Object; RSA 2048 bits
+ label: zone-ksk
+ Usage: encrypt, verify, wrap
+ Public Key Object; RSA 2048 bits
+ label: zone-zsk
+ Usage: encrypt, verify, wrap
+ Private Key Object; RSA
+ label: zone-ksk
+ Usage: decrypt, sign, unwrap
+ Private Key Object; RSA
+ label: zone-zsk
+ Usage: decrypt, sign, unwrap
+
+- Assign the keys using::
+
+ pdnsutil hsm assign zone rsasha256 ksk|zsk athena IDProtect#0A50123456789 pin zone-ksk|zsk
+
+- Verify that everything worked, you should see valid data there. ::
+
+ pdnsutil show-zone zone
+
+- Note that the physical token is pretty slow, so you have to use it as
+ hidden master. It has been observed to produce about 1.5 signatures/second.
-----------------
For permissions, a number of per zone settings are available via the
-:doc:`domain metadata `<domainmetadata>`.
+:doc:`domain metadata <domainmetadata>`.
.. _metadata-allow-dnsupdate-from:
~~~~~~~~~~~~~~~~~~~~
This setting has the same function as described in the configuration
-options (See ref:`above <dnsupdate-configuration-options>`). Only one item is
+options (See :ref:`above <dnsupdate-configuration-options>`). Only one item is
allowed per row, but multiple rows can be added. An example:
::
update. If you have GSS-TSIG enabled, you can use Kerberos principals
here. An example, using :program:`pdnsutil` to create the key:
-::
+.. code-block:: shell
- pdnsutil generate-tsig-key test hmac-md5
+ $ pdnsutil generate-tsig-key test hmac-md5
Create new TSIG key test hmac-md5 kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=
-
+
+::
+
sql> insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
sql> select id from domains where name='example.org';
5
sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'test');
-An example of how to use a TSIG key with the :program:`nsupdate` command:
-
-::
+An example of how to use a TSIG key with the :program:`nsupdate` command::
nsupdate <<!
server <ip> <port>
FORWARD-DNSUPDATE
~~~~~~~~~~~~~~~~~
-See `Configuration options <dnsupdate-configuration-options>` for what it does,
+See :ref:`Configuration options <dnsupdate-configuration-options>` for what it does,
but per domain.
::
We're going to use a TSIG key for security. We're going to generate a
key using the following command:
-::
+.. code-block:: shell
dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpdupdate
This generates two files (Kdhcpdupdate.*.key and
Kdhcpdupdate.*.private). You're interested in the .key file:
-::
+.. code-block:: shell
# ls -l Kdhcp*
-rw------- 1 root root 53 Aug 26 19:29 Kdhcpdupdate.+157+20493.key
Enabled DNS update (:rfc:`2136`) support functionality in PowerDNS by adding
the following to the PowerDNS configuration file (pdns.conf).
-::
+.. code-block:: ini
dnsupdate=yes
allow-dnsupdate-from=
The object has following methods available:
-- DNSName getQName() - name to update
-- DNSName getZonename() - zone name
-- int getQType() - record type, it can be 255(ANY) for delete.
-- ComboAddress getLocal() - local socket address
-- ComboAddress getRemote() - remote socket address
-- Netmask getRealRemote() - real remote address (or netmask if EDNS Subnet is used)
-- DNSName getTsigName() - TSIG **key** name (you can assume it is validated here)
-- string getPeerPrincipal() - Return peer principal name (user@DOMAIN, service/machine.name@DOMAIN, host/MACHINE$@DOMAIN)
+- ``DNSName getQName()`` - name to update
+- ``DNSName getZonename()`` - zone name
+- ``int getQType()`` - record type, it can be 255(ANY) for delete.
+- ``ComboAddress getLocal()`` - local socket address
+- ``ComboAddress getRemote()`` - remote socket address
+- ``Netmask getRealRemote()`` - real remote address (or netmask if EDNS Subnet is used)
+- ``DNSName getTsigName()`` - TSIG **key** name (you can assume it is validated here)
+- ``string getPeerPrincipal()`` - Return peer principal name (``user@DOMAIN``,
+ ``service/machine.name@DOMAIN``, ``host/MACHINE$@DOMAIN``)
There are many same things available as in recursor Lua scripts, but
-there is also resolve(qname, qtype) which returns array of records.
+there is also ``resolve(qname, qtype)`` which returns array of records.
Example:
-::
+.. code-block:: lua
resolve("www.google.com", pdns.A)
Simple example script:
-.. code:: lua
+.. code-block:: lua
--- This script is not suitable for production use
Example:
-::
+.. code-block:: shell
pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM AUTO-NS 2001:db8::/48
::
- select id from domains where name='example.com';
+ sql> select id from domains where name='example.com';
7
- insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','AUTO-NS');
- insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8::/48');
+ sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','AUTO-NS');
+ sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8::/48');
To disallow all IP's, except those explicitly allowed by domainmetadata
records, add ``allow-axfr-ips=`` to ``pdns.conf``.
multiple times). The nameserver may have contain an optional port
number. e.g.:
-::
+.. code-block:: shell
pdnsutil set-meta powerdns.org ALSO-NOTIFY 192.0.2.1:5300
pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM 2001:db8:53::1
Or in SQL:
-::
+.. code-block:: SQL
insert into domainmetadata (domain_id, kind, content) values (7,'ALSO-NOTIFY','192.0.2.1:5300');
insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8:53::1');
methods are supplied for all DNS data types in use.
Now add ``TLSARecordContent::report()`` to
-```reportOtherTypes()`` <https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/dnsrecords.cc#L594>`__.
+`reportOtherTypes() <https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/dnsrecords.cc#L594>`__.
And that's it. For completeness, add TLSA and 52 to the QType enum in
-```qtype.hh`` <https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/qtype.hh#L116>`__,
+`qtype.hh <https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/qtype.hh#L116>`__,
which makes it easier to refer to the TLSA record in code if so
required.
setting to an existing resolver and enable
:ref:`setting-expand-alias`:
-::
+.. code-block:: ini
resolver=[::1]:5300
expand-alias=yes
Authoritative Server 4.0.x. Hence, ALIAS records are always expanded on
a direct A or AAAA query.
+.. _alias_and_dnssec:
+
ALIAS and DNSSEC
----------------
following lines, adjusted for your local setup (specifically, you may
not want to use the 'root' user):
-::
+.. code-block:: ini
launch=gmysql
gmysql-host=127.0.0.1
--------------------------
Connect to MySQL as a user with sufficient privileges and issue the
-following commands:
+following commands below if you are running the 4.2 or master version of PowerDNS:
+
+Please find `the 4.1 schema on GitHub <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/gmysqlbackend/schema.mysql.sql>`_.
+
.. literalinclude:: ../../modules/gmysqlbackend/schema.mysql.sql
+ :language: SQL
+
+We recommend you add the following MySQL statements as well. These will add
+foreign key constraints to the tables in order to automate deletion of records, key
+material, and other information upon deletion of a domain from the
+domains table. These will only work on the InnoDB storage engine, but if you
+followed our guide so far, that's exactly the engine we are using.
+
+The following SQL does the job:
+
+.. literalinclude:: ../../modules/gmysqlbackend/enable-foreign-keys.mysql.sql
+
Now we have a database and an empty table. PowerDNS should now be able
to launch in monitor mode and display no errors:
15:39:55 [gMySQLbackend] MySQL connection succeeded
In a different shell, a sample query sent to the server should now
-return quickly without data:
+return quickly *without* data:
-::
+.. code-block:: shell
- $ dig +short www.example.com @127.0.0.1
- $
+ $ dig +short www.example.com @127.0.0.1 # should print nothing
.. warning::
When debugging DNS problems, don't use ``host``. Please use
If we now requery our database, ``www.example.com`` should be present:
-::
+.. code-block:: shell
$ dig +short www.example.com @127.0.0.1
192.0.2.10
Unable to launch, no backends configured for querying
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-PowerDNS did not find the ``launch=gmysql`` instruction in pdns.conf.
+You currently don't have a backend configured in the configuration file.
+Add a :ref:`setting-launch` statement for the backend you want to use.
+
+If you are following this guide and using a MySQL database as a backend,
+please add the ``launch=gmysql`` instruction to pdns.conf.
Multiple IP addresses on your server, PowerDNS sending out answers on the wrong one, Massive amounts of 'recvfrom gave error, ignoring: Connection refused'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To start the rollover, add an **active** new KSK to the zone
(example.net in this case):
-::
+.. code-block:: shell
pdnsutil add-zone-key example.net ksk active
rollover is now in the "New KSK" stage. Retrieve the DS record(s) for
the new KSK:
-::
+.. code-block:: shell
pdnsutil show-zone example.net
The key-id for the old KSK is shown in the output of
``pdnsutil show-zone example.net``.
-::
+.. code-block:: shell
pdnsutil remove-zone-key example.net KEY-ID
To make the authoritative server listen on the local loopback address
and port 5300 change the following in ``pdns.conf``:
-::
+.. code-block:: ini
local-ipv6=
local-address=127.0.0.1
``recursor.conf``. The domains should be forwarded to 127.0.0.1:5300
(the new address and port of the Authoritative Server):
-::
+.. code-block:: ini
forward-zones=private.example.com=127.0.0.1:5300
forward-zones+=another.example.com=127.0.0.1:5300
To make the authoritative server listen on the local loopback address
and port 5300 change the following in ``pdns.conf``:
-::
+.. code-block:: ini
local-ipv6=
local-address=127.0.0.1
different port than the Authoritative Server. Set the following in
``recursor.conf``:
-::
+.. code-block:: ini
local-address=127.0.0.1
local-port=5301
``recursor.conf``. The domains should be forwarded to 127.0.0.1:5300
(the new address and port of the Authoritative Server):
-::
+.. code-block:: ini
forward-zones=private.example.com=127.0.0.1:5300
forward-zones+=another.example.com=127.0.0.1:5300
``pdns-myinstance.conf`` exists in the configuration directory, the
following command will start the service:
-::
+.. code-block:: shell
systemctl start pdns@myinstance.service
Similarly you can enable it at boot:
-::
+.. code-block:: shell
systemctl enable pdns@myinstance.service
you can skip this step), we add an ECDSA 256 bit key (algorithm 13)
here:
-::
+.. code-block:: shell
pdnsutil add-zone-key example.net zsk inactive ecdsa256
To change the RRSIGs on your records, the new key must be made active.
Note: you can get the key-ids with ``pdnsutil show-zone example.net``:
-::
+.. code-block:: shell
pdnsutil activate-zone-key example.net new-key-id
pdnsutil deactivate-zone-key example.net previous-key-id
The last step is to remove the old key from the completely:
-::
+.. code-block:: shell
pdnsutil remove-zone-key example.net previous-key-id
X-Api-Key: secret
Content-Type: application/json
- {"key": "mytsigkey, "key": "GQNyFy1QagMUarHmiSgsIJajghdTGJGVcN5TRVwgbclzxGyhQR1uYLCOyJ/uj9uj12jyeLwzJuW12wCI9PYv7Q=="}
+ {"name": "mytsigkey", "key": "GQNyFy1QagMUarHmiSgsIJajghdTGJGVcN5TRVwgbclzxGyhQR1uYLCOyJ/uj9uj12jyeLwzJuW12wCI9PYv7Q=="}
.. code-block:: http
zone files or be more dynamic in nature.
PowerDNS has the concepts of 'backends'. A backend is a datastore that
-the server will consult that contains DNS records (and some meta-data).
+the server will consult that contains DNS records (and some metadata).
The backends range from database backends (:doc:`MySQL <backends/generic-mysql>`, :doc:`PostgreSQL <backends/generic-postgresql>`, :doc:`Oracle <backends/oracle>`)
-and :doc:`Bind-zonefiles <backends/bind>` to :doc:`co-processes <backends/pipe>` and :doc:`JSON API's <backends/remote>`.
+and :doc:`BIND zone files <backends/bind>` to :doc:`co-processes <backends/pipe>` and :doc:`JSON API's <backends/remote>`.
Multiple backends can be enabled in the configuration by using the
:ref:`setting-launch` option. Each backend can be configured separately.
Getting Started
---------------
- * :doc:`Install the Authoritative Server <installation>`
- * :doc:`Configure the Server <settings>`
- * :doc:`Configure the backend(s) <backends/index>`
+* :doc:`Install the Authoritative Server <installation>`
+* :doc:`Configure the Server <settings>`
+* :doc:`Configure the backend(s) <backends/index>`
Getting Support
---------------
Public support is available via several different channels:
- * This documentation
- * `The mailing list <https://www.powerdns.com/mailing-lists.html>`_
- * ``#powerdns`` on `irc.oftc.net <irc://irc.oftc.net/#powerdns>`_
+* This documentation
+* `The mailing list <https://www.powerdns.com/mailing-lists.html>`_
+* ``#powerdns`` on `irc.oftc.net <irc://irc.oftc.net/#powerdns>`_
The PowerDNS company can provide help or support you in private as well.
For first class and rapid support, please contact powerdns.support@powerdns.com, or see the `.com website <https://www.powerdns.com/support-services-consulting.html>`__.
PowerDNS Authoritative Server is available through the
`apt <https://packages.debian.org/pdns-server>`__ system.
-::
+.. code-block:: shell
- # apt-get install pdns-server
+ $ sudo apt-get install pdns-server
Debian splits the backends into `several different
packages <https://packages.debian.org/pdns-backend>`__, install the
required backend as follows:
-::
+.. code-block:: shell
- # apt-get install pdns-backend-$backend
+ $ sudo apt-get install pdns-backend-$backend
Redhat-based Systems
~~~~~~~~~~~~~~~~~~~~
Add either to your list of repositories and install PowerDNS by issuing:
-::
+.. code-block:: shell
- # yum install pdns
+ $ sudo yum install pdns
The different backends can be installed using
-::
+.. code-block:: shell
- # yum install pdns-backend-$backend
+ $ sudo yum install pdns-backend-$backend
FreeBSD
~~~~~~~
For the package:
-::
+.. code-block:: shell
- # pkg install dns/powerdns
+ $ sudo pkg install dns/powerdns
To have your system build the port:
-::
+.. code-block:: shell
cd /usr/ports/dns/powerdns/ && make install clean
PowerDNS Authoritative Server is available through Homebrew:
-::
+.. code-block:: shell
$ brew install pdns
**Formatting options:**
- - ``%1%`` to ``%4%`` are individual octets
- - Example record query: ``1.0.0.127.in-addr.arpa``
- - ``%1%`` = 127
- - ``%2%`` = 0
- - ``%3%`` = 0
- - ``%4%`` = 1
- - ``%5%`` joins the four decimal octets together with dashes
- - Example: ``%5%.static.example.com`` is equivalent to ``%1%-%2%-%3%-%4%.static.example.com``
- - ``%6%`` converts each octet from decimal to hexadecimal and joins them together
- - Example: A query for ``15.0.0.127.in-addr.arpa``
- - ``%6`` would be ``7f00000f`` (127 is 7f, and 15 is 0f in hexadecimal)
+ - ``%1%`` to ``%4%`` are individual octets
+ - Example record query: ``1.0.0.127.in-addr.arpa``
+ - ``%1%`` = 127
+ - ``%2%`` = 0
+ - ``%3%`` = 0
+ - ``%4%`` = 1
+ - ``%5%`` joins the four decimal octets together with dashes
+ - Example: ``%5%.static.example.com`` is equivalent to ``%1%-%2%-%3%-%4%.static.example.com``
+ - ``%6%`` converts each octet from decimal to hexadecimal and joins them together
+ - Example: A query for ``15.0.0.127.in-addr.arpa``
+ - ``%6`` would be ``7f00000f`` (127 is 7f, and 15 is 0f in hexadecimal)
**NOTE:** At the current time, only forward dotted format works with :func:`createForward` (i.e. ``127.0.0.1.static.example.com``)
Formatting options:
- - ``%1%`` to ``%32%`` are individual characters (nibbles)
- - **Example PTR record query:** ``a.0.0.0.1.0.0.2.ip6.arpa``
- - ``%1%`` = 2
- - ``%2%`` = 0
- - ``%3%`` = 0
- - ``%4%`` = 1
- - ``%33%`` converts the compressed address format into a dashed format, e.g. ``2001:a::1`` to ``2001-a--1``
- - ``%34%`` to ``%41%`` represent the 8 uncompressed 2-byte chunks
- - **Example:** PTR query for ``2001:a:b::123``
- - ``%34%`` - returns ``2001`` (chunk 1)
- - ``%35%`` - returns ``000a`` (chunk 2)
- - ``%41%`` - returns ``0123`` (chunk 8)
+ - ``%1%`` to ``%32%`` are individual characters (nibbles)
+ - **Example PTR record query:** ``a.0.0.0.1.0.0.2.ip6.arpa``
+ - ``%1%`` = 2
+ - ``%2%`` = 0
+ - ``%3%`` = 0
+ - ``%4%`` = 1
+ - ``%33%`` converts the compressed address format into a dashed format, e.g. ``2001:a::1`` to ``2001-a--1``
+ - ``%34%`` to ``%41%`` represent the 8 uncompressed 2-byte chunks
+ - **Example:** PTR query for ``2001:a:b::123``
+ - ``%34%`` - returns ``2001`` (chunk 1)
+ - ``%35%`` - returns ``000a`` (chunk 2)
+ - ``%41%`` - returns ``0123`` (chunk 8)
**NOTE:** At the current time, only dashed compressed format works for this function (i.e. ``2001-a-b--1.static6.example.com``)
Reference
---------
- .. toctree::
+.. toctree::
:maxdepth: 2
functions
We provide a convenient object class that can store unique ComboAddresses in no particular
order and allows fast retrieval of individual elements based on their values
- .. code-block:: lua
-
- addr = newCA("1.2.3.4")
- myset = newCAS()
- myset:add(addr)
- if myset:check(addr) then -- prints "found!"
- print('found!')
- end
+.. code-block:: lua
+
+ addr = newCA("1.2.3.4")
+ myset = newCAS()
+ myset:add(addr)
+ if myset:check(addr) then -- prints "found!"
+ print('found!')
+ end
Functions and methods of a ``ComboAddressSet``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LUA Reference
-------------
- .. toctree::
+.. toctree::
:maxdepth: 2
comboaddress
:param string message: The message to log
:param int loglevel: The urgency level of the message. Defaults to `pdns.loglevels.Warning`
- You can use the following constants as log levels :
-
- - `pdns.loglevels.Alert`
- - `pdns.loglevels.Critical`
- - `pdns.loglevels.Debug`
- - `pdns.loglevels.Emergency`
- - `pdns.loglevels.Info`
- - `pdns.loglevels.Notice`
- - `pdns.loglevels.Warning`
- - `pdns.loglevels.Error`
+ You can use the following constants as log levels :
+
+ - `pdns.loglevels.Alert`
+ - `pdns.loglevels.Critical`
+ - `pdns.loglevels.Debug`
+ - `pdns.loglevels.Emergency`
+ - `pdns.loglevels.Info`
+ - `pdns.loglevels.Notice`
+ - `pdns.loglevels.Warning`
+ - `pdns.loglevels.Error`
.. function:: pdnsrandom([maximum])
Synopsis
--------
-**dumresp** *LOCAL-ADDRESS* *LOCAL-PORT* *NUMBER-OF-PROCESSES*
+**dumresp** *LOCAL-ADDRESS* *LOCAL-PORT* *NUMBER-OF-PROCESSES* [tcp]
Description
-----------
Options
-------
-None
+tcp: Whether to listen and accept TCP connections in addition to
+UDP packets. Defaults to false.
See also
--------
When logging, each log-line contains the UUID of the request, this allows finding errors caused by certain requests.
With 'none', nothing is logged except for errors.
With 'normal' (the default), one line per request is logged in the style of the common log format::
+
[NOTICE] [webserver] 46326eef-b3ba-4455-8e76-15ec73879aa3 127.0.0.1:57566 "GET /metrics HTTP/1.1" 200 1846
+
with 'detailed', the full requests and responses (including headers) are logged along with the regular log-line from 'normal'.
See also
bind-add-zone *DOMAIN* *FILENAME*
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-When using the bindbackend, add a zone. This zone is added in-memory
+When using the BIND backend, add a zone. This zone is added in-memory
and served immediately. Note that this does not add the zone to the
bind-config file. *FILENAME* must be an absolute path.
bind-domain-status [*DOMAIN*...]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-When using the bindbackend, list status of all domains. Optionally,
+When using the BIND backend, list status of all domains. Optionally,
append *DOMAIN*\ s to get the status of specific zones.
bind-list-rejects
^^^^^^^^^^^^^^^^^
-When using the bindbackend, get a list of all rejected domains.
+When using the BIND backend, get a list of all rejected domains.
bind-reload-now *DOMAIN* [*DOMAIN*...]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-When using the bindbackend, immediately reload *DOMAIN* from disk.
+When using the BIND backend, immediately reload *DOMAIN* from disk.
ccounts
^^^^^^^
^^^^^^^^^^
Instructs backends that new domains may have appeared in the
-database, or, in the case of the Bind backend, in named.conf.
+database, or, in the case of the BIND backend, in named.conf.
reload
^^^^^^
export-zone-dnskey *ZONE* *KEY-ID*
Export to standard output DNSKEY and DS of key with key id *KEY-ID*
within zone called *ZONE*.
+export-zone-ds *ZONE*
+ Export to standard output all KSK DS records for *ZONE*.
export-zone-key *ZONE* *KEY-ID*
Export to standard output full (private) key with key id *KEY-ID*
within zone called *ZONE*. The format used is compatible with BIND
the added key.
remove-zone-key *ZONE* *KEY-ID*
Remove a key with id *KEY-ID* from a zone called *ZONE*.
-set-nsec3 *ZONE* '*HASH-ALGORITHM* *FLAGS* *ITERATIONS* *SALT*' [**narrow**]
+set-nsec3 *ZONE* ['*HASH-ALGORITHM* *FLAGS* *ITERATIONS* *SALT*'] [**narrow**]
Sets NSEC3 parameters for this zone. The quoted parameters are 4
values that are used for the the NSEC3PARAM record and decide how
NSEC3 records are created. The NSEC3 parameters must be quoted on
*FLAGS* to 1 enables NSEC3 opt-out operation. Only do this if you
know you need it. For *ITERATIONS*, please consult RFC 5155, section
10.3. And be aware that a high number might overload validating
- resolvers. The *SALT* is a hexadecimal string encoding the bits for
- the salt, or - to use no salt. Setting **narrow** will make PowerDNS
- send out "white lies" about the next secure record. Instead of
- looking it up in the database, it will send out the hash + 1 as the
- next secure record. A sample commandline is: "pdnsutil set-nsec3
- powerdnssec.org '1 1 1 ab' narrow". **WARNING**: If running in
- RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will
- require a DS update in the parent zone.
+ resolvers and that a limit can be set with ``max-nsec3-iterations``
+ in ``pdns.conf``. The *SALT* is a hexadecimal string encoding the bits
+ for the salt, or - to use no salt. Setting **narrow** will make PowerDNS
+ send out "white lies" (RFC 7129) about the next secure record to
+ prevent zone enumeration. Instead of looking it up in the database,
+ it will send out the hash + 1 as the next secure record. Narrow mode
+ requires online signing capabilities by the nameserver and therefore
+ zone transfers are denied. If only the zone is provided as argument,
+ the 4-parameter quoted string defaults to ``'1 0 1 ab'``. A sample
+ commandline is: ``pdnsutil set-nsec3 powerdnssec.org '1 1 1 ab' narrow``.
+ **WARNING**: If running in RSASHA1 mode (algorithm 5 or 7), switching
+ from NSEC to NSEC3 will require a DS update in the parent zone.
unset-nsec3 *ZONE*
Converts *ZONE* to NSEC operations. **WARNING**: If running in
RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will
Description
-----------
-:program:`zone2json` parses Bind named.conf files and zonefiles and outputs
+:program:`zone2json` parses BIND named.conf files and zonefiles and outputs
JSON on standard out, which can then be fed to the PowerDNS API.
-:program:`zone2json` understands the Bind master file extension ``$GENERATE``
+:program:`zone2json` understands the BIND master file extension ``$GENERATE``
and will also honour ``$ORIGIN`` and ``$TTL``.
Options
INPUT Options
-------------
---named-conf=<PATH> Read *PATH* to get the bind configuration
+--named-conf=<PATH> Read *PATH* to get the BIND configuration
--zone=<PATH> Parse only the zone file at *PATH* Conflicts with ``--named-conf`` parameter.
--zone-name=<NAME> When parsing a single zone without $ORIGIN statement, set *ZONE* as the zone name.
Description
-----------
-:program:`zone2ldap` is a program that converts bind zonefiles to ldif format
+:program:`zone2ldap` is a program that converts BIND zonefiles to ldif format
which can inserted to an LDAP server.
Options
--basedn=<DN> Base DN to store objects below
--dnsttl Add dnsttl attribute to every entry
--layout=<layout> How to arrange entries in the directory ("simple" or "tree")
---named-conf=<PATH> Path to a Bind named.conf to parse
+--named-conf=<PATH> Path to a BIND named.conf to parse
--resume Continue after errors
--verbose Verbose comments on operation
--zone-file=<PATH> Zone file to parse
Description
-----------
-:program:`zone2sql` parses Bind named.conf files and zonefiles and outputs SQL
+:program:`zone2sql` parses BIND named.conf files and zonefiles and outputs SQL
on standard out, which can then be fed to your database.
-:program:`zone2sql` understands the Bind master file extension ``$GENERATE``
+:program:`zone2sql` understands the BIND master file extension ``$GENERATE``
and will also honour ``$ORIGIN`` and ``$TTL``.
For backends supporting slave operation there is also an option to keep
INPUT Options
-------------
---named-conf=<PATH> Read *PATH* to get the bind configuration
+--named-conf=<PATH> Read *PATH* to get the BIND configuration
--zone=<PATH> Parse only the zone file at *PATH* Conflicts with **--named-conf** parameter.
--zone-name=<NAME> When parsing a single zone without $ORIGIN statement, set *ZONE* as
the zone name.
the 'domains' table with the IP of your current master. On your current
master, make sure that this master allows AXFRs to this new slave.
-::
+.. code-block:: SQL
INSERT INTO domains (name,type,master) VALUES ('example.net', 'SLAVE', '198.51.100.101');
this server is the new :ref:`master <master-operation>`, change the type of
domain in the database:
-::
+.. code-block:: SQL
UPDATE domains set type='MASTER' where type='SLAVE';
Or, if you want to use :ref:`native <native-operation>`:
-::
+.. code-block:: SQL
UPDATE domains set type='NATIVE' where type='SLAVE';
Using the BIND backend
~~~~~~~~~~~~~~~~~~~~~~
-To use the bind backend, set ``launch=bind`` and
+To use the BIND backend, set ``launch=bind`` and
``bind-config=/path/to/named.conf`` in your ``pdns.conf``. Note that
PowerDNS will not honor any options from named.conf, it will only use
-the ``zone`` statements. See the :doc:`Bind backend <backends/bind>`
+the ``zone`` statements. See the :doc:`BIND backend <backends/bind>`
documentation for more information.
To a Generic SQL backend
To migrate, the ``zone2sql`` tool is provided. This tool parses a BIND
``named.conf`` file and zone files and outputs SQL on standard out,
-which can then be fed to your database. It understands the Bind master
+which can then be fed to your database. It understands the BIND master
file extension ``$GENERATE`` and will also honour ``$ORIGIN`` and
``$TTL``.
An example call to ``zone2sql`` could be:
-::
+.. code-block:: shell
zone2sql --named-conf=/path/to/named.conf --gmysql | mysql -u pdns -p pdns-db
This tool lets you migrate data from one backend to another, it moves
all data, including zones, metadata and crypto keys (if present). Some
-example use cases are moving from Bind style zonefiles to SQL based, or
+example use cases are moving from BIND-style zonefiles to SQL based, or
other way around, or moving from MyDNS to gMySQL.
Prerequisites
All backends which implement this feature must make sure that they can
handle transactions so as to not leave the zone in a half updated state.
MySQL configured with either BerkeleyDB or InnoDB meets this
-requirement, as do PostgreSQL and Oracle. The Bindbackend implements
+requirement, as do PostgreSQL and Oracle. The BIND backend implements
transaction semantics by renaming files if and only if they have been
retrieved completely and parsed correctly.
Supermaster: automatic provisioning of slaves
---------------------------------------------
+.. versionchanged:: 4.2.0
+ Supermaster support needs to be explicitly enabled with the
+ :ref:`setting-supermaster` setting.
+
PowerDNS can recognize so called 'supermasters'. A supermaster is a host
which is master for domains and for which we are to be a slave. When a
master (re)loads a domain, it sends out a notification to its slaves.
Before a supermaster notification succeeds, the following conditions
must be met:
- - :ref:`setting-supermaster` support must be enabled
- - The supermaster must carry a SOA record for the notified domain
- - The supermaster IP must be present in the 'supermaster' table
- - The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table
- - If your master sends signed NOTIFY it will mark that TSIG key as the TSIG key used for retrieval as well
- - If you turn off :ref:`setting-allow-unsigned-supermaster`, then your supermaster(s) are required to sign their notifications.
+
+- :ref:`setting-superslave` support must be enabled
+- The supermaster must carry a SOA record for the notified domain
+- The supermaster IP must be present in the 'supermaster' table
+- The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table
+- If your master sends signed NOTIFY it will mark that TSIG key as the TSIG key used for retrieval as well
+- If you turn off :ref:`setting-allow-unsigned-supermaster`, then your supermaster(s) are required to sign their notifications.
.. warning::
If you use another PowerDNS server as master and have
want has an ``id`` of 3, the following SQL statement will enable the Lua
script ``my.lua`` for that domain:
-::
+.. code-block:: SQL
INSERT INTO domainmetadata (domain_id, kind, content) VALUES (3, "LUA-AXFR-SCRIPT", "/lua/my.lua");
Consider the following simple example:
-::
+.. code-block:: lua
function axfrfilter(remoteip, zone, record)
- ``mrtg``: Dump statistics in mrtg format. See the performance
:ref:`counters` documentation.
- .. note::
+.. note::
Packages provided by Operating System vendors might support
different or less commands.
-@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019041201 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019042601 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
; Auth
; dnsdist
dnsdist-1.3.3.security-status 60 IN TXT "1 OK"
dnsdist-1.4.0-alpha1.security-status 60 IN TXT "1 OK"
+dnsdist-1.4.0-alpha2.security-status 60 IN TXT "1 OK"
'responses' sent to the PowerDNS Authoritative Server 'question' address
can be blocked by issuing:
-::
+.. code-block:: shell
iptables -I INPUT -p udp --dst $AUTHIP --dport 53 \! -f -m u32 --u32 "0>>22&0x3C@8>>15&0x01=1" -j DROP
For those running custom PowerDNS versions, just applying this patch may
be easier:
-::
+.. code-block:: diff
--- pdns/common_startup.cc (revision 2326)
+++ pdns/common_startup.cc (working copy)
``8bit-dns``
------------
-- Allow 8 bit dns queries
+- Boolean
- Default: no
.. versionadded:: 4.0.0
Allow AXFR NOTIFY from these IP ranges. Setting this to an empty string
will drop all incoming notifies.
+.. _setting-allow-recursion:
+
+``allow-recursion``
+-------------------
+
+- IP ranges, separated by commas
+- Default: 0.0.0.0/0
+
+.. deprecated:: 4.1.0
+ Recursion has been removed, see :doc:`guides/recursion`
+
+By specifying ``allow-recursion``, recursion can be restricted to
+netmasks specified. The default is to allow recursion from everywhere.
+Example: ``allow-recursion=198.51.100.0/24, 10.0.0.0/8, 192.0.2.4``.
+
.. _setting-allow-unsigned-notify:
``allow-unsigned-notify``
Turning this off requires all supermaster notifications to be signed by
valid TSIG signature. It will accept any existing key on slave.
-.. _setting-allow-recursion:
-
-``allow-recursion``
--------------------
-
-- IP ranges, separated by commas
-- Default: 0.0.0.0/0
-
-.. deprecated:: 4.1.0
- Recursion has been removed, see :doc:`guides/recursion`
-
-By specifying ``allow-recursion``, recursion can be restricted to
-netmasks specified. The default is to allow recursion from everywhere.
-Example: ``allow-recursion=198.51.100.0/24, 10.0.0.0/8, 192.0.2.4``.
-
.. _setting-also-notify:
``also-notify``
- Boolean
- Default: yes
-.. versionchanged:: 4.0.1, was 'no' before.
+.. versionchanged:: 4.0.1
+ was 'no' before.
Answer questions for the ANY on UDP with a truncated packet that refers
the remote server to TCP. Useful for mitigating reflection attacks.
.. versionadded:: 4.0.0
.. versionchanged:: 4.2.0
-This setting has been removed in 4.2.0.
+ This setting has been removed in 4.2.0.
Disallow data modification through the REST API when set.
Seconds to store packets in the :ref:`packet-cache`.
+.. _setting-carbon-instance:
+
+``carbon-instance``
+-------------------
+
+- String
+- Default: auth
+
+.. versionadded:: 4.2.0
+
+Set the instance or third string of the metric key. Be careful not to include
+any dots in this setting, unless you know what you are doing.
+See :ref:`metricscarbon`
+
+.. _setting-carbon-interval:
+
+``carbon-interval``
+-------------------
+
+- Integer
+- Default: 30
+
+If sending carbon updates, this is the interval between them in seconds.
+See :ref:`metricscarbon`.
+
.. _setting-carbon-namespace:
``carbon-namespace``
careful not to include any dots in this setting, unless you know what
you are doing. See :ref:`metricscarbon`
-.. _setting-carbon-instance:
-
-``carbon-instance``
--------------------
-
-- String
-- Default: auth
-
-.. versionadded:: 4.2.0
-
-Set the instance or third string of the metric key. Be careful not to include
-any dots in this setting, unless you know what you are doing.
-See :ref:`metricscarbon`
-
.. _setting-carbon-server:
``carbon-server``
You may specify an alternate port by appending :port, ex:
127.0.0.1:2004. See :ref:`metricscarbon`.
-.. _setting-carbon-interval:
-
-``carbon-interval``
--------------------
-
-- Integer
-- Default: 30
-
-If sending carbon updates, this is the interval between them in seconds.
-See :ref:`metricscarbon`.
-
.. _setting-chroot:
``chroot``
.. _setting-default-ksk-algorithm:
``default-ksk-algorithm``
---------------------------
+-------------------------
- String
- Default: ecdsa256
The default keysize for the KSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
Only relevant for algorithms with non-fixed keysizes (like RSA).
-.. _setting-default-soa-name:
-
-``default-soa-name``
---------------------
-
-- String
-- Default: a.misconfigured.powerdns.server
-
-Name to insert in the SOA record if none set in the backend.
-
.. _setting-default-soa-edit:
``default-soa-edit``
Mail address to insert in the SOA record if none set in the backend.
+.. _setting-default-soa-name:
+
+``default-soa-name``
+--------------------
+
+- String
+- Default: a.misconfigured.powerdns.server
+
+Name to insert in the SOA record if none set in the backend.
+
.. _setting-default-ttl:
``default-ttl``
If this is enabled, ALIAS records are expanded (synthesised to their
A/AAAA).
-If this is disabled (the default), ALIAS records will not expanded and
+If this is disabled (the default), ALIAS records will not be expanded and
the server will will return NODATA for A/AAAA queries for such names.
-**note**: :ref:`setting-resolver` must also be set for ALIAS
-expansion to work!
+.. note::
+ :ref:`setting-resolver` must also be set for ALIAS expansion to work!
-**note**: In PowerDNS Authoritative Server 4.0.x, this setting did not
-exist and ALIAS was always expanded.
+.. note::
+ In PowerDNS Authoritative Server 4.0.x, this setting did not exist and
+ ALIAS was always expanded.
.. _setting-forward-dnsupdate:
In its most simple form, supply all backends that need to be launched.
e.g.
-::
+.. code-block:: ini
launch=bind,gmysql,remote
different configuration, you can specify a name for later
instantiations. e.g.:
-::
+.. code-block:: ini
launch=gmysql,gmysql:server2
configure the ``host`` setting of the first or main instance, and
``gmysql-server2-host`` for the second one.
-Running multiple instances of the bind backend is not allowed.
+Running multiple instances of the BIND backend is not allowed.
.. _setting-load-modules:
way of figuring out what IP address a packet was sent to when binding to
any.
-.. _setting-log-timestamp:
-
-``log-timestamp``
------------------
-
-.. versionadded:: 4.1.0
-
-- Bool
-- Default: yes
-
-When printing log lines to stdout, prefix them with timestamps.
-Disable this if the process supervisor timestamps these lines already.
-
-.. note::
- The systemd unit file supplied with the source code already disables timestamp printing
-
-.. _setting-lua-records-exec-limit:
-
-``lua-records-exec-limit``
------------------------------
-
-- Integer
-- Default: 1000
-
-Limit LUA records scripts to ``lua-records-exec-limit`` instructions.
-Setting this to any value less than or equal to 0 will set no limit.
-
-.. _setting-non-local-bind:
-
-``non-local-bind``
-------------------
-
-- Boolean
-- Default: no
-
-Bind to addresses even if one or more of the
-:ref:`setting-local-address`'s do not exist on this server.
-Setting this option will enable the needed socket options to allow
-binding to non-local addresses. This feature is intended to facilitate
-ip-failover setups, but it may also mask configuration issues and for
-this reason it is disabled by default.
-
-.. _setting-lua-axfr-script:
-
-``lua-axfr-script``
--------------------
-
-- String
-- Default: empty
-
-.. versionadded:: 4.1.0
-
-Script to be used to edit incoming AXFRs, see :ref:`modes-of-operation-axfrfilter`
-
.. _setting-local-address-nonexist-fail:
``local-address-nonexist-fail``
If set to 'no', informative-only DNS details will not even be sent to
syslog, improving performance.
+.. _setting-log-dns-queries:
+
+``log-dns-queries``
+-------------------
+
+- Boolean
+- Default: no
+
+Tell PowerDNS to log all incoming DNS queries. This will lead to a lot
+of logging! Only enable for debugging! Set :ref:`setting-loglevel`
+to at least 5 to see the logs.
+
+.. _setting-log-timestamp:
+
+``log-timestamp``
+-----------------
+
+- Bool
+- Default: yes
+
+.. versionadded:: 4.1.0
+
+When printing log lines to stdout, prefix them with timestamps.
+Disable this if the process supervisor timestamps these lines already.
+
+.. note::
+ The systemd unit file supplied with the source code already disables timestamp printing
+
.. _setting-logging-facility:
``logging-facility``
Amount of logging. Higher is more. Do not set below 3. Corresponds to "syslog" level values,
e.g. error = 3, warning = 4, notice = 5, info = 6
-.. _setting-log-dns-queries:
+.. _setting-lua-axfr-script:
-``log-dns-queries``
+``lua-axfr-script``
-------------------
-- Boolean
-- Default: no
+- String
+- Default: empty
-Tell PowerDNS to log all incoming DNS queries. This will lead to a lot
-of logging! Only enable for debugging! Set :ref:`setting-loglevel`
-to at least 5 to see the logs.
+.. versionadded:: 4.1.0
+
+Script to be used to edit incoming AXFRs, see :ref:`modes-of-operation-axfrfilter`
.. _setting-lua-prequery-script:
internally for regression testing. The API of this functionality is not
guaranteed to be stable, and is in fact likely to change.
+.. _setting-lua-records-exec-limit:
+
+``lua-records-exec-limit``
+-----------------------------
+
+- Integer
+- Default: 1000
+
+Limit LUA records scripts to ``lua-records-exec-limit`` instructions.
+Setting this to any value less than or equal to 0 will set no limit.
+
.. _setting-master:
``master``
.. versionchanged:: 4.1.0
The packet and query caches are distinct. Previously, this setting was used for
- both the packet and query caches. See ref:`setting-max-packet-cache-entries` for
+ both the packet and query caches. See :ref:`setting-max-packet-cache-entries` for
the packet-cache setting.
Maximum number of entries in the query cache. 1 million (the default)
- Integer
- Default: 500
-Limit the number of NSEC3 hash iterations
+Limit the number of NSEC3 hash iterations for zone configurations.
+For more information see :ref:`dnssec-operational-nsec-modes-params`.
.. _setting-max-packet-cache-entries:
- Integer
- Default: 60
-Seconds to store queries with no answer in the Query Cache. See ref:`query-cache`.
+Seconds to store queries with no answer in the Query Cache. See :ref:`query-cache`.
.. _setting-no-config:
- Boolean
- Default: no
-Do not attempt to read the configuration file.
+Do not attempt to read the configuration file. Useful for configuration
+by parameters from the command line only.
.. _setting-no-shuffle:
Do not attempt to shuffle query results, used for regression testing.
-.. _setting-overload-queue-length:
-
-``overload-queue-length``
--------------------------
-
-- Integer
-- Default: 0 (disabled)
-
-If this many packets are waiting for database attention, answer any new
-questions strictly from the packet cache.
-
-.. _setting-reuseport:
+.. _setting-non-local-bind:
-``reuseport``
--------------
+``non-local-bind``
+------------------
- Boolean
-- Default: No
-
-On Linux 3.9 and some BSD kernels the ``SO_REUSEPORT`` option allows
-each receiver-thread to open a new socket on the same port which allows
-for much higher performance on multi-core boxes. Setting this option
-will enable use of ``SO_REUSEPORT`` when available and seamlessly fall
-back to a single socket when it is not available. A side-effect is that
-you can start multiple servers on the same IP/port combination which may
-or may not be a good idea. You could use this to enable transparent
-restarts, but it may also mask configuration issues and for this reason
-it is disabled by default.
-
-.. _setting-rng:
-
-``rng``
--------
-
-- String
-- Default: auto
-
-Specify which random number generator to use. Permissible choises are
- - auto - choose automatically
- - sodium - Use libsodium ``randombytes_uniform``
- - openssl - Use libcrypto ``RAND_bytes``
- - getrandom - Use libc getrandom, falls back to urandom if it does not really work
- - arc4random - Use BSD ``arc4random_uniform``
- - urandom - Use ``/dev/urandom``
- - kiss - Use simple settable deterministic RNG. **FOR TESTING PURPOSES ONLY!**
-
-.. note::
- Not all choises are available on all systems.
-
-.. _setting-security-poll-suffix:
-
-``security-poll-suffix``
-------------------------
-
-- String
-- Default: secpoll.powerdns.com.
-
-Domain name from which to query security update notifications. Setting
-this to an empty string disables secpoll.
-
-.. _setting-server-id:
-
-``server-id``
--------------
-
-- String
-- Default: The hostname of the server
+- Default: no
-This is the server ID that will be returned on an EDNS NSID query.
+Bind to addresses even if one or more of the
+:ref:`setting-local-address`'s do not exist on this server.
+Setting this option will enable the needed socket options to allow
+binding to non-local addresses. This feature is intended to facilitate
+ip-failover setups, but it may also mask configuration issues and for
+this reason it is disabled by default.
.. _setting-only-notify:
:ref:`metadata-also-notify` domain metadata to avoid this potential bottleneck.
.. note::
- If your slaves support Internet Protocol version, which your master does not,
+ If your slaves support an Internet Protocol version, which your master does not,
then set ``only-notify`` to include only supported protocol version.
Otherwise there will be error trying to resolve address.
For example, slaves support both IPv4 and IPv6, but PowerDNS master have only IPv4,
- so allow only IPv4 with ``only-notify``::
+ so allow only IPv4 with ``only-notify``:
+
+ .. code-block:: ini
only-notify=0.0.0.0/0
``out-of-zone-additional-processing``
-------------------------------------
-.. deprecated:: 4.2.0
- This setting has been removed.
-
- Boolean
- Default: yes
+.. deprecated:: 4.2.0
+ This setting has been removed.
+
Do out of zone additional processing. This means that if a malicious
user adds a '.com' zone to your server, it is not used for other domains
and will not contaminate answers. Do not enable this setting if you run
during outgoing AXFR. Note that if your slaves do not support ALIAS,
they will return NODATA for A/AAAA queries for such names.
+.. _setting-overload-queue-length:
+
+``overload-queue-length``
+-------------------------
+
+- Integer
+- Default: 0 (disabled)
+
+If this many packets are waiting for database attention, answer any new
+questions strictly from the packet cache.
+
.. _setting-prevent-self-notification:
``prevent-self-notification``
Number of AXFR slave threads to start.
+.. _setting-reuseport:
+
+``reuseport``
+-------------
+
+- Boolean
+- Default: No
+
+On Linux 3.9 and some BSD kernels the ``SO_REUSEPORT`` option allows
+each receiver-thread to open a new socket on the same port which allows
+for much higher performance on multi-core boxes. Setting this option
+will enable use of ``SO_REUSEPORT`` when available and seamlessly fall
+back to a single socket when it is not available. A side-effect is that
+you can start multiple servers on the same IP/port combination which may
+or may not be a good idea. You could use this to enable transparent
+restarts, but it may also mask configuration issues and for this reason
+it is disabled by default.
+
+.. _setting-rng:
+
+``rng``
+-------
+
+- String
+- Default: auto
+
+Specify which random number generator to use. Permissible choises are:
+
+- auto - choose automatically
+- sodium - Use libsodium ``randombytes_uniform``
+- openssl - Use libcrypto ``RAND_bytes``
+- getrandom - Use libc getrandom, falls back to urandom if it does not really work
+- arc4random - Use BSD ``arc4random_uniform``
+- urandom - Use ``/dev/urandom``
+- kiss - Use simple settable deterministic RNG. **FOR TESTING PURPOSES ONLY!**
+
+.. note::
+ Not all choises are available on all systems.
+
+.. _setting-security-poll-suffix:
+
+``security-poll-suffix``
+------------------------
+
+- String
+- Default: secpoll.powerdns.com.
+
+Domain name from which to query security update notifications. Setting
+this to an empty string disables secpoll.
+
.. _setting-send-signed-notify:
``send-signed-notify``
respective slave. Hence, in setups with multiple slaves with different TSIG keys
it may be required to send NOTIFYs unsigned.
+.. _setting-server-id:
+
+``server-id``
+-------------
+
+- String
+- Default: The hostname of the server
+
+This is the server ID that will be returned on an EDNS NSID query.
+
.. _setting-setgid:
``setgid``
If set, change user id to this uid for more security. See :doc:`security`.
+.. _setting-signing-threads:
+
+``signing-threads``
+-------------------
+
+- Integer
+- Default: 3
+
+Tell PowerDNS how many threads to use for signing. It might help improve
+signing speed by changing this number.
+
.. _setting-slave:
``slave``
------------------------
- Integer
-- 60
+- Default: 60
-On a master, this is the amounts of seconds between the master checking
+On a master, this is the amount of seconds between the master checking
the SOA serials in its database to determine to send out NOTIFYs to the
slaves. On slaves, this is the number of seconds between the slave
checking for updates to zones.
*received* from a master. This is useful when using when running a
signing-slave.
-.. _setting-signing-threads:
-
-``signing-threads``
--------------------
-
-- Integer
-- Default: 3
-
-Tell PowerDNS how many threads to use for signing. It might help improve
-signing speed by changing this number.
-
.. _setting-soa-expire-default:
``soa-expire-default``
called ``pdns.pid`` by default. See :ref:`setting-config-name`
and :doc:`Virtual Hosting <guides/virtual-instances>` how this can differ.
-.. _setting-supermaster:
+.. _setting-superslave:
-``supermaster``
+``superslave``
---------------
- Boolean
- Default: no
.. versionadded:: 4.2.0
+ In versions before 4.2.x, this setting did not exist and supermaster support
+ was enabled by default.
Turn on supermaster support. See :ref:`supermaster-operation`.
The value between the hooks is a UUID that is generated for each request. This can be used to find all lines related to a single request.
.. note::
- The webserver logs these line on the NOTICE level. The :ref:`settings-loglevel` seting must be 5 or higher for these lines to end up in the log.
+ The webserver logs these line on the NOTICE level. The :ref:`setting-loglevel` seting must be 5 or higher for these lines to end up in the log.
.. _setting-webserver-password:
$ dig -t axfr powerdnssec.org @127.0.0.1 -y 'test:kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
Another of importing and activating TSIG keys into the database is using
-:doc:`pdnsutil <manpages/pdnsutil.1>`::
+:doc:`pdnsutil <manpages/pdnsutil.1>`:
+
+.. code-block:: shell
pdnsutil import-tsig-key test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
pdnsutil activate-tsig-key powerdnssec.org test master
previous section.
For the Generic SQL backends, configuring the use of TSIG for AXFR
-requests could be achieved as follows:
-
-::
+requests could be achieved as follows::
insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
select id from domains where name='powerdnssec.org';
This can also be done using
:doc:`/manpages/pdnsutil.1`:
-::
+.. code-block:: shell
pdnsutil import-tsig-key test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
pdnsutil activate-tsig-key powerdnssec.org test slave
the previous section.
In the interest of interoperability, the configuration above is (not
-quite) similar to the following BIND statements:
-
-::
+quite) similar to the following BIND statements::
key test. {
algorithm hmac-md5;
See the `3.X <https://doc.powerdns.com/3/authoritative/upgrading/>`__
upgrade notes if your version is older than 3.4.2.
+4.1.X to 4.2.0
+--------------
+
+- Superslave operation is no longer enabled by default, use :ref:`setting-superslave` to enable. This setting was called ``supermaster`` in some 4.2.0 prereleases.
+
4.1.0 to 4.1.1
--------------
make sure that no records, comments or keys exists for domains that you already
removed. This is not enabled by default, because we're not sure what the
consequences are from a performance point of view. If you do have feedback,
-please let us know how this effects your setup.
+please let us know how this affects your setup.
Please note that it's not possible to apply this, before you cleaned up your
database, as the foreign keys do not exist.
return delcount;
}
+
+template<typename Index>
+std::pair<typename Index::iterator,bool>
+lruReplacingInsert(Index& i,const typename Index::value_type& x)
+{
+ std::pair<typename Index::iterator,bool> res = i.insert(x);
+ if (!res.second) {
+ moveCacheItemToBack(i, res.first);
+ res.second = i.replace(res.first, x);
+ }
+ return res;
+}
::arg().setSwitch("slave","Act as a slave")="no";
::arg().setSwitch("master","Act as a master")="no";
- ::arg().setSwitch("supermaster", "Act as a supermaster")="no";
+ ::arg().setSwitch("superslave", "Act as a superslave")="no";
::arg().setSwitch("disable-axfr-rectify","Disable the rectify step during an outgoing AXFR. Only required for regression testing.")="no";
::arg().setSwitch("guardian","Run within a guardian process")="no";
::arg().setSwitch("prevent-self-notification","Don't send notifications to what we think is ourself")="yes";
class FindNS
{
public:
- vector<string> lookup(const DNSName &name, UeberBackend *b)
+ vector<string> lookup(const DNSName &name, UeberBackend *b, const DNSName& zone)
{
vector<string> addresses;
this->resolve_name(&addresses, name);
if(b) {
- b->lookup(QType(QType::ANY),name);
- DNSZoneRecord rr;
- while(b->get(rr))
- if(rr.dr.d_type == QType::A || rr.dr.d_type==QType::AAAA)
+ b->lookup(QType(QType::ANY),name);
+ while (true) {
+ try {
+ DNSZoneRecord rr;
+ if (!b->get(rr))
+ break;
+ if (rr.dr.d_type == QType::A || rr.dr.d_type == QType::AAAA)
addresses.push_back(rr.dr.d_content->getZoneRepresentation()); // SOL if you have a CNAME for an NS
+ }
+ // After an exception, b can be inconsistent so break
+ catch (PDNSException &ae) {
+ g_log << Logger::Error << "Could not lookup address for nameserver " << name << " in zone " << zone << ", cannot notify: " << ae.reason << endl;
+ break;
+ }
+ catch (std::exception &e) {
+ g_log << Logger::Error << "Could not lookup address for nameserver " << name << " in zone " << zone << ", cannot notify: " << e.what() << endl;
+ break;
+ }
+ }
}
return addresses;
}
nce.d_value = value;
{
WriteLock l(&s_metacachelock);
- replacing_insert(s_metacache, nce);
+ lruReplacingInsert(s_metacache, nce);
}
}
}
kce.d_ttd = now + ttl;
{
WriteLock l(&s_keycachelock);
- replacing_insert(s_keycache, kce);
+ lruReplacingInsert(s_keycache, kce);
}
}
Changelog
=========
+.. changelog::
+ :version: 1.4.0-alpha2
+ :released: 26th of April 2019
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7410
+
+ Ignore Path MTU discovery on UDP server socket
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7708
+
+ Alternative solution to the unaligned accesses.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 7718
+
+ Exit when setting ciphers fails (GnuTLS)
+
+ .. change::
+ :tags: New Features
+ :pullreq: 7726
+ :tickets: 6911, 7526
+
+ Add DNS over HTTPS support based on libh2o
+
.. changelog::
:version: 1.4.0-alpha1
:released: 12th of April 2019
+ .. change::
+ :tags: New Features
+ :pullreq: 7209
+
+ Make recursor & dnsdist communicate (ECS) 'variable' status
+
.. change::
:tags: Improvements
:pullreq: 7167
.. _DNSClass:
DNSClass
-------
+--------
These constants represent the `CLASS <https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-2>`__ of a DNS record.
comboaddress
netmaskgroup
dnsname
+ dnsnameset
dq
ebpf
dnscrypt
.. function:: RecordsTypeCountRule(section, qtype, minCount, maxCount)
Matches if there is at least ``minCount`` and at most ``maxCount`` records of type ``type`` in the section ``section``.
- ``section`` can be specified as an integer or as a ref:`DNSSection`.
+ ``section`` can be specified as an integer or as a :ref:`DNSSection`.
``qtype`` may be specified as an integer or as one of the :ref:`built-in QTypes <DNSQType>`, for instance ``DNSQType.A`` or ``DNSQType.TXT``.
:param int section: The section to match on
}
}
+ void remove(const DNSName &name) const
+ {
+ remove(name.getRawLabels());
+ }
+
+ /* Removes the node at `labels`, also make sure that no empty
+ * children will be left behind in memory
+ */
+ void remove(std::vector<std::string> labels) const
+ {
+ SuffixMatchTree smt(*labels.rbegin());
+ auto child = children.find(smt);
+ if (child == children.end()) {
+ // No subnode found, we're done
+ return;
+ }
+
+ // We have found a child
+ labels.pop_back();
+ if (labels.empty()) {
+ // The child is no longer an endnode
+ child->endNode = false;
+
+ // If the child has no further children, just remove it from the set.
+ if (child->children.empty()) {
+ children.erase(child);
+ }
+ return;
+ }
+
+ // We are not at the end, let the child figure out what to do
+ child->remove(labels);
+ }
+
T* lookup(const DNSName& name) const
{
if(children.empty()) { // speed up empty set
return child->lookup(labels);
}
+ // Returns all end-nodes, fully qualified (not as separate labels)
+ std::vector<DNSName> getNodes() const {
+ std::vector<DNSName> ret;
+ if (endNode) {
+ ret.push_back(DNSName(d_name));
+ }
+ for (const auto& child : children) {
+ auto nodes = child.getNodes();
+ for (const auto &node: nodes) {
+ ret.push_back(node + DNSName(d_name));
+ }
+ }
+ return ret;
+ }
};
/* Quest in life: serve as a rapid block list. If you add a DNSName to a root SuffixMatchNode,
anything part of that domain will return 'true' in check */
struct SuffixMatchNode
{
- SuffixMatchNode()
- {}
- std::string d_human;
- SuffixMatchTree<bool> d_tree;
+ public:
+ SuffixMatchNode()
+ {}
+ SuffixMatchTree<bool> d_tree;
+
+ void add(const DNSName& dnsname)
+ {
+ d_tree.add(dnsname, true);
+ d_nodes.insert(dnsname);
+ }
- void add(const DNSName& dnsname)
- {
- if(!d_human.empty())
- d_human.append(", ");
- d_human += dnsname.toString();
+ void add(std::vector<std::string> labels)
+ {
+ d_tree.add(labels, true);
+ DNSName tmp;
+ while (!labels.empty()) {
+ tmp.appendRawLabel(labels.back());
+ labels.pop_back(); // This is safe because we have a copy of labels
+ }
+ d_nodes.insert(tmp);
+ }
- d_tree.add(dnsname, true);
- }
+ void remove(const DNSName& name)
+ {
+ d_tree.remove(name);
+ d_nodes.erase(name);
+ }
- void add(std::vector<std::string> labels)
- {
- d_tree.add(labels, true);
- }
+ void remove(std::vector<std::string> labels)
+ {
+ d_tree.remove(labels);
+ DNSName tmp;
+ while (!labels.empty()) {
+ tmp.appendRawLabel(labels.back());
+ labels.pop_back(); // This is safe because we have a copy of labels
+ }
+ d_nodes.erase(tmp);
+ }
- bool check(const DNSName& dnsname) const
- {
- return d_tree.lookup(dnsname) != nullptr;
- }
+ bool check(const DNSName& dnsname) const
+ {
+ return d_tree.lookup(dnsname) != nullptr;
+ }
- std::string toString() const
- {
- return d_human;
- }
+ std::string toString() const
+ {
+ std::string ret;
+ bool first = true;
+ for (const auto& n : d_nodes) {
+ if (!first) {
+ ret += ", ";
+ }
+ first = false;
+ ret += n.toString();
+ }
+ return ret;
+ }
+ private:
+ mutable std::set<DNSName> d_nodes; // Only used for string generation
};
std::ostream & operator<<(std::ostream &os, const DNSName& d);
{
public:
includeboilerplate(DNAME)
+ DNAMERecordContent(const DNSName& content) : d_content(content){}
+ const DNSName& getTarget() const { return d_content; }
+private:
DNSName d_content;
};
class IPObfuscator
{
public:
+ virtual ~IPObfuscator()
+ {
+ }
virtual uint32_t obf4(uint32_t orig)=0;
virtual struct in6_addr obf6(const struct in6_addr& orig)=0;
};
#include <thread>
StatBag S;
-std::atomic<uint64_t>* g_counter;
+static std::atomic<uint64_t>* g_counter;
-void printStatus()
+static void printStatus()
{
auto prev= g_counter->load();
for(;;) {
}
}
-void usage() {
- cerr<<"Syntax: dumresp LOCAL-ADDRESS LOCAL-PORT NUMBER-OF-PROCESSES"<<endl;
+static void usage() {
+ cerr<<"Syntax: dumresp LOCAL-ADDRESS LOCAL-PORT NUMBER-OF-PROCESSES [tcp]"<<endl;
+}
+
+static void turnQueryIntoResponse(dnsheader* dh)
+{
+ (*g_counter)++;
+
+ dh->qr=1;
+ dh->ad=0;
+}
+
+static void tcpConnectionHandler(int sock)
+try
+{
+ char buffer[1500];
+ auto dh = reinterpret_cast<struct dnsheader*>(buffer);
+
+ for (;;) {
+ uint16_t len = 0;
+ ssize_t got = read(sock, &len, sizeof(len));
+
+ if (got == 0) {
+ break;
+ }
+
+ if (got != sizeof(len))
+ unixDie("read 1");
+
+ len = ntohs(len);
+
+ if (len < sizeof(dnsheader))
+ unixDie("too small");
+
+ if (len > sizeof(buffer))
+ unixDie("too large");
+
+ got = read(sock, buffer, len);
+ if (got != len)
+ unixDie("read 2: " + std::to_string(got) + " / " + std::to_string(len));
+
+ if (dh->qr)
+ continue;
+
+ turnQueryIntoResponse(dh);
+
+ uint16_t wirelen = htons(len);
+ if (write(sock, &wirelen, sizeof(wirelen)) != sizeof(wirelen))
+ unixDie("send 1");
+
+ if (write(sock, buffer, len) < 0)
+ unixDie("send 2");
+ }
+
+ close(sock);
+}
+catch(const std::exception& e) {
+ cerr<<"TCP connection handler got an exception: "<<e.what()<<endl;
+}
+
+static void tcpAcceptor(const ComboAddress local)
+{
+ Socket tcpSocket(local.sin4.sin_family, SOCK_STREAM);
+#ifdef SO_REUSEPORT
+ int one=1;
+ if(setsockopt(tcpSocket.getHandle(), SOL_SOCKET, SO_REUSEPORT, &one, sizeof(one)) < 0)
+ unixDie("setsockopt for REUSEPORT");
+#endif
+
+ tcpSocket.bind(local);
+ tcpSocket.listen(1024);
+
+ ComboAddress rem("::1");
+ auto socklen = rem.getSocklen();
+
+ for (;;) {
+ int sock = accept(tcpSocket.getHandle(), reinterpret_cast<struct sockaddr*>(&rem), &socklen);
+ if (sock == -1) {
+ continue;
+ }
+
+ std::thread connectionHandler(tcpConnectionHandler, sock);
+ connectionHandler.detach();
+ }
}
int main(int argc, char** argv)
try
{
+ bool tcp = false;
+
for(int i = 1; i < argc; i++) {
- if((string) argv[i] == "--help"){
+ if(std::string(argv[i]) == "--help"){
usage();
return(EXIT_SUCCESS);
}
- if((string) argv[i] == "--version"){
+ if(std::string(argv[i]) == "--version"){
cerr<<"dumresp "<<VERSION<<endl;
return(EXIT_SUCCESS);
}
}
- if(argc != 4) {
+ if(argc == 5) {
+ if (std::string(argv[4]) == "tcp") {
+ tcp = true;
+ }
+ else {
+ usage();
+ exit(EXIT_FAILURE);
+ }
+ }
+ else if(argc != 4) {
usage();
exit(EXIT_FAILURE);
}
- auto ptr = mmap(NULL, sizeof(std::atomic<uint64_t>), PROT_READ | PROT_WRITE,
+ auto ptr = mmap(nullptr, sizeof(std::atomic<uint64_t>), PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_ANONYMOUS, -1, 0);
g_counter = new(ptr) std::atomic<uint64_t>();
-
+
+ int numberOfListeners = atoi(argv[3]);
+ ComboAddress local(argv[1], atoi(argv[2]));
+
int i=1;
- for(; i < atoi(argv[3]); ++i) {
+ for(; i < numberOfListeners; ++i) {
if(!fork())
break;
}
- if(i==1) {
+
+ if (i==1) {
std::thread t(printStatus);
t.detach();
+
+ if (tcp) {
+ for (int j = 0; j < numberOfListeners; j++) {
+ cout<<"Listening to TCP "<<local.toStringWithPort()<<endl;
+ std::thread tcpAcceptorThread(tcpAcceptor, local);
+ tcpAcceptorThread.detach();
+ }
+ }
}
-
- ComboAddress local(argv[1], atoi(argv[2]));
- Socket s(local.sin4.sin_family, SOCK_DGRAM);
+
+ Socket s(local.sin4.sin_family, SOCK_DGRAM);
#ifdef SO_REUSEPORT
int one=1;
if(setsockopt(s.getHandle(), SOL_SOCKET, SO_REUSEPORT, &one, sizeof(one)) < 0)
#endif
s.bind(local);
- cout<<"Bound to "<<local.toStringWithPort()<<endl;
- char buffer[1500];
- struct dnsheader* dh = (struct dnsheader*)buffer;
- int len;
- ComboAddress rem=local;
+ cout<<"Bound to UDP "<<local.toStringWithPort()<<endl;
+
+ ComboAddress rem = local;
socklen_t socklen = rem.getSocklen();
+ char buffer[1500];
+ auto dh = reinterpret_cast<struct dnsheader*>(buffer);
+
for(;;) {
- len=recvfrom(s.getHandle(), buffer, sizeof(buffer), 0, (struct sockaddr*)&rem, &socklen);
- (*g_counter)++;
+ uint16_t len = recvfrom(s.getHandle(), buffer, sizeof(buffer), 0, reinterpret_cast<struct sockaddr*>(&rem), &socklen);
+
if(len < 0)
unixDie("recvfrom");
+ if (len < sizeof(dnsheader))
+ unixDie("too small " + std::to_string(len));
+
if(dh->qr)
continue;
- dh->qr=1;
- dh->ad=0;
- if(sendto(s.getHandle(), buffer, len, 0, (struct sockaddr*)&rem, socklen) < 0)
- unixDie("sendto");
+ turnQueryIntoResponse(dh);
+
+ if(sendto(s.getHandle(), buffer, len, 0, reinterpret_cast<const struct sockaddr*>(&rem), socklen) < 0)
+ unixDie("sendto");
}
}
-catch(std::exception& e)
+catch(const std::exception& e)
{
cerr<<"Fatal error: "<<e.what()<<endl;
exit(EXIT_FAILURE);
nsset.insert(getRR<NSRecordContent>(rr.dr)->getNS().toString());
for(set<string>::const_iterator j=nsset.begin();j!=nsset.end();++j) {
- vector<string> nsips=fns.lookup(DNSName(*j), B);
+ vector<string> nsips=fns.lookup(DNSName(*j), B, di.zone);
if(nsips.empty())
g_log<<Logger::Warning<<"Unable to queue notification of domain '"<<di.zone<<"': nameservers do not resolve!"<<endl;
else
return results;
}
+
+size_t getPipeBufferSize(int fd)
+{
+#ifdef F_GETPIPE_SZ
+ int res = fcntl(fd, F_GETPIPE_SZ);
+ if (res == -1) {
+ return 0;
+ }
+ return res;
+#else
+ errno = ENOSYS;
+ return 0;
+#endif /* F_GETPIPE_SZ */
+}
+
+bool setPipeBufferSize(int fd, size_t size)
+{
+#ifdef F_SETPIPE_SZ
+ if (size > std::numeric_limits<int>::max()) {
+ errno = EINVAL;
+ return false;
+ }
+ int newSize = static_cast<int>(size);
+ int res = fcntl(fd, F_SETPIPE_SZ, newSize);
+ if (res == -1) {
+ return false;
+ }
+ return true;
+#else
+ errno = ENOSYS;
+ return false;
+#endif /* F_SETPIPE_SZ */
+}
bool setReceiveSocketErrors(int sock, int af);
int closesocket(int fd);
bool setCloseOnExec(int sock);
-uint64_t udpErrorStats(const std::string& str);
+size_t getPipeBufferSize(int fd);
+bool setPipeBufferSize(int fd, size_t size);
+
+uint64_t udpErrorStats(const std::string& str);
uint64_t getRealMemoryUsage(const std::string&);
uint64_t getSpecialMemoryUsage(const std::string&);
uint64_t getOpenFileDescriptors(const std::string&);
ret.push_back(rr); // put in the original
rr.dr.d_type = QType::CNAME;
rr.dr.d_name = prefix + rr.dr.d_name;
- rr.dr.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent(prefix + getRR<DNAMERecordContent>(rr.dr)->d_content));
+ rr.dr.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent(prefix + getRR<DNAMERecordContent>(rr.dr)->getTarget()));
rr.auth = 0; // don't sign CNAME
target= getRR<CNAMERecordContent>(rr.dr)->getTarget();
ret.push_back(rr);
//
DomainInfo di;
if(!B.getDomainInfo(p->qdomain, di, false) || !di.backend) {
- if(::arg().mustDo("supermaster")) {
+ if(::arg().mustDo("superslave")) {
g_log<<Logger::Warning<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" for which we are not authoritative, trying supermaster"<<endl;
return trySuperMaster(p, p->getTSIGKeyname());
}
uint16_t g_outgoingEDNSBufsize;
bool g_logRPZChanges{false};
+// Used in the Syncres to not throttle certain servers
+GlobalStateHolder<SuffixMatchNode> g_dontThrottleNames;
+GlobalStateHolder<NetmaskGroup> g_dontThrottleNetmasks;
+
#define LOCAL_NETS "127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10"
#define LOCAL_NETS_INVERSE "!127.0.0.0/8, !10.0.0.0/8, !100.64.0.0/10, !169.254.0.0/16, !192.168.0.0/16, !172.16.0.0/12, !::1/128, !fc00::/7, !fe80::/10"
// Bad Nets taken from both:
static void makeThreadPipes()
{
+ auto pipeBufferSize = ::arg().asNum("distribution-pipe-buffer-size");
+ if (pipeBufferSize > 0) {
+ g_log<<Logger::Info<<"Resizing the buffer of the distribution pipe to "<<pipeBufferSize<<endl;
+ }
+
/* thread 0 is the handler / SNMP, we start at 1 */
for(unsigned int n = 1; n <= (g_numWorkerThreads + g_numDistributorThreads); ++n) {
auto& threadInfos = s_threadInfos.at(n);
threadInfos.pipes.readQueriesToThread = fd[0];
threadInfos.pipes.writeQueriesToThread = fd[1];
+ if (pipeBufferSize > 0) {
+ if (!setPipeBufferSize(threadInfos.pipes.writeQueriesToThread, pipeBufferSize)) {
+ g_log<<Logger::Warning<<"Error resizing the buffer of the distribution pipe for thread "<<n<<" to "<<pipeBufferSize<<": "<<strerror(errno)<<endl;
+ auto existingSize = getPipeBufferSize(threadInfos.pipes.writeQueriesToThread);
+ if (existingSize > 0) {
+ g_log<<Logger::Warning<<"The current size of the distribution pipe's buffer for thread "<<n<<" is "<<existingSize<<endl;
+ }
+ }
+ }
+
if (!setNonBlocking(threadInfos.pipes.writeQueriesToThread)) {
unixDie("Making pipe for inter-thread communications non-blocking");
}
g_statisticsInterval = ::arg().asNum("statistics-interval");
+ {
+ SuffixMatchNode dontThrottleNames;
+ vector<string> parts;
+ stringtok(parts, ::arg()["dont-throttle-names"]);
+ for (const auto &p : parts) {
+ dontThrottleNames.add(DNSName(p));
+ }
+ g_dontThrottleNames.setState(dontThrottleNames);
+
+ NetmaskGroup dontThrottleNetmasks;
+ stringtok(parts, ::arg()["dont-throttle-netmasks"]);
+ for (const auto &p : parts) {
+ dontThrottleNetmasks.addMask(Netmask(p));
+ }
+ g_dontThrottleNetmasks.setState(dontThrottleNetmasks);
+ }
+
s_balancingFactor = ::arg().asDouble("distribution-load-factor");
if (s_balancingFactor != 0.0 && s_balancingFactor < 1.0) {
s_balancingFactor = 0.0;
::arg().set("max-tcp-clients","Maximum number of simultaneous TCP clients")="128";
::arg().set("server-down-max-fails","Maximum number of consecutive timeouts (and unreachables) to mark a server as down ( 0 => disabled )")="64";
::arg().set("server-down-throttle-time","Number of seconds to throttle all queries to a server after being marked as down")="60";
+ ::arg().set("dont-throttle-names", "Do not throttle nameservers with this name or suffix")="";
+ ::arg().set("dont-throttle-netmasks", "Do not throttle nameservers with this IP netmask")="";
::arg().set("hint-file", "If set, load root hints from this file")="";
::arg().set("max-cache-entries", "If set, maximum number of entries in the main cache")="1000000";
::arg().set("max-negative-ttl", "maximum number of seconds to keep a negative cached entry in memory")="3600";
::arg().set("max-recursion-depth", "Maximum number of internal recursion calls per query, 0 for unlimited")="40";
::arg().set("max-udp-queries-per-round", "Maximum number of UDP queries processed per recvmsg() round, before returning back to normal processing")="10000";
::arg().set("protobuf-use-kernel-timestamp", "Compute the latency of queries in protobuf messages by using the timestamp set by the kernel when the query was received (when available)")="";
+ ::arg().set("distribution-pipe-buffer-size", "Size in bytes of the internal buffer of the pipe used by the distributor to pass incoming queries to a worker thread")="0";
::arg().set("include-dir","Include *.conf files from this directory")="";
::arg().set("security-poll-suffix","Domain name from which to query security update notifications")="secpoll.powerdns.com.";
#include <pthread.h>
#include "iputils.hh"
#include "dnsname.hh"
+#include "sholder.hh"
#include <atomic>
+extern GlobalStateHolder<SuffixMatchNode> g_dontThrottleNames;
+extern GlobalStateHolder<NetmaskGroup> g_dontThrottleNetmasks;
+
/** this class is used both to send and answer channel commands to the PowerDNS Recursor */
class RecursorControlChannel
{
return new string("pong\n");
}
+static string getDontThrottleNames() {
+ auto dtn = g_dontThrottleNames.getLocal();
+ return dtn->toString() + "\n";
+}
+
+static string getDontThrottleNetmasks() {
+ auto dtn = g_dontThrottleNetmasks.getLocal();
+ return dtn->toString() + "\n";
+}
+
+template<typename T>
+static string addDontThrottleNames(T begin, T end) {
+ if (begin == end) {
+ return "No names specified, keeping existing list\n";
+ }
+ vector<DNSName> toAdd;
+ while (begin != end) {
+ try {
+ auto d = DNSName(*begin);
+ toAdd.push_back(d);
+ }
+ catch(const std::exception &e) {
+ return "Problem parsing '" + *begin + "': "+ e.what() + ", nothing added\n";
+ }
+ begin++;
+ }
+
+ string ret = "Added";
+ auto dnt = g_dontThrottleNames.getCopy();
+ bool first = true;
+ for (auto const &d : toAdd) {
+ if (!first) {
+ ret += ",";
+ }
+ first = false;
+ ret += " " + d.toLogString();
+ dnt.add(d);
+ }
+
+ g_dontThrottleNames.setState(dnt);
+
+ ret += " to the list of nameservers that may not be throttled";
+ g_log<<Logger::Info<<ret<<", requested via control channel"<<endl;
+ return ret + "\n";
+}
+
+template<typename T>
+static string addDontThrottleNetmasks(T begin, T end) {
+ if (begin == end) {
+ return "No netmasks specified, keeping existing list\n";
+ }
+ vector<Netmask> toAdd;
+ while (begin != end) {
+ try {
+ auto n = Netmask(*begin);
+ toAdd.push_back(n);
+ }
+ catch(const std::exception &e) {
+ return "Problem parsing '" + *begin + "': "+ e.what() + ", nothing added\n";
+ }
+ catch(const PDNSException &e) {
+ return "Problem parsing '" + *begin + "': "+ e.reason + ", nothing added\n";
+ }
+ begin++;
+ }
+
+ string ret = "Added";
+ auto dnt = g_dontThrottleNetmasks.getCopy();
+ bool first = true;
+ for (auto const &t : toAdd) {
+ if (!first) {
+ ret += ",";
+ }
+ first = false;
+ ret += " " + t.toString();
+ dnt.addMask(t);
+ }
+
+ g_dontThrottleNetmasks.setState(dnt);
+
+ ret += " to the list of nameserver netmasks that may not be throttled";
+ g_log<<Logger::Info<<ret<<", requested via control channel"<<endl;
+ return ret + "\n";
+}
+
+template<typename T>
+static string clearDontThrottleNames(T begin, T end) {
+ if(begin == end)
+ return "No names specified, doing nothing.\n";
+
+ if (begin + 1 == end && *begin == "*"){
+ SuffixMatchNode smn;
+ g_dontThrottleNames.setState(smn);
+ string ret = "Cleared list of nameserver names that may not be throttled";
+ g_log<<Logger::Warning<<ret<<", requested via control channel"<<endl;
+ return ret + "\n";
+ }
+
+ vector<DNSName> toRemove;
+ while (begin != end) {
+ try {
+ if (*begin == "*") {
+ return "Please don't mix '*' with other names, nothing removed\n";
+ }
+ toRemove.push_back(DNSName(*begin));
+ }
+ catch (const std::exception &e) {
+ return "Problem parsing '" + *begin + "': "+ e.what() + ", nothing removed\n";
+ }
+ begin++;
+ }
+
+ string ret = "Removed";
+ bool first = true;
+ auto dnt = g_dontThrottleNames.getCopy();
+ for (const auto &name : toRemove) {
+ if (!first) {
+ ret += ",";
+ }
+ first = false;
+ ret += " " + name.toLogString();
+ dnt.remove(name);
+ }
+
+ g_dontThrottleNames.setState(dnt);
+
+ ret += " from the list of nameservers that may not be throttled";
+ g_log<<Logger::Info<<ret<<", requested via control channel"<<endl;
+ return ret + "\n";
+}
+
+template<typename T>
+static string clearDontThrottleNetmasks(T begin, T end) {
+ if(begin == end)
+ return "No netmasks specified, doing nothing.\n";
+
+ if (begin + 1 == end && *begin == "*"){
+ auto nmg = g_dontThrottleNetmasks.getCopy();
+ nmg.clear();
+ g_dontThrottleNetmasks.setState(nmg);
+
+ string ret = "Cleared list of nameserver addresses that may not be throttled";
+ g_log<<Logger::Warning<<ret<<", requested via control channel"<<endl;
+ return ret + "\n";
+ }
+
+ std::vector<Netmask> toRemove;
+ while (begin != end) {
+ try {
+ if (*begin == "*") {
+ return "Please don't mix '*' with other netmasks, nothing removed\n";
+ }
+ auto n = Netmask(*begin);
+ toRemove.push_back(n);
+ }
+ catch(const std::exception &e) {
+ return "Problem parsing '" + *begin + "': "+ e.what() + ", nothing added\n";
+ }
+ catch(const PDNSException &e) {
+ return "Problem parsing '" + *begin + "': "+ e.reason + ", nothing added\n";
+ }
+ begin++;
+ }
+
+ string ret = "Removed";
+ bool first = true;
+ auto dnt = g_dontThrottleNetmasks.getCopy();
+ for (const auto &mask : toRemove) {
+ if (!first) {
+ ret += ",";
+ }
+ first = false;
+ ret += " " + mask.toString();
+ dnt.deleteMask(mask);
+ }
+
+ g_dontThrottleNetmasks.setState(dnt);
+
+ ret += " from the list of nameservers that may not be throttled";
+ g_log<<Logger::Info<<ret<<", requested via control channel"<<endl;
+ return ret + "\n";
+}
+
+
string RecursorControlParser::getAnswer(const string& question, RecursorControlParser::func_t** command)
{
*command=nop;
// should probably have a smart dispatcher here, like auth has
if(cmd=="help")
return
+"add-dont-throttle-names [N...] add names that are not allowed to be throttled\n"
+"add-dont-throttle-netmasks [N...]\n"
+" add netmasks that are not allowed to be throttled\n"
"add-nta DOMAIN [REASON] add a Negative Trust Anchor for DOMAIN with the comment REASON\n"
"add-ta DOMAIN DSRECORD add a Trust Anchor for DOMAIN with data DSRECORD\n"
"current-queries show currently active queries\n"
+"clear-dont-throttle-names [N...] remove names that are not allowed to be throttled. If N is '*', remove all\n"
+"clear-dont-throttle-netmasks [N...]\n"
+" remove netmasks that are not allowed to be throttled. If N is '*', remove all\n"
"clear-nta [DOMAIN]... Clear the Negative Trust Anchor for DOMAINs, if no DOMAIN is specified, remove all\n"
"clear-ta [DOMAIN]... Clear the Trust Anchor for DOMAINs\n"
"dump-cache <filename> dump cache contents to the named file\n"
"dump-throttlemap <filename> dump the contents of the throttle to the named file\n"
"get [key1] [key2] .. get specific statistics\n"
"get-all get all statistics\n"
+"get-dont-throttle-names get the list of names that are not allowed to be throttled\n"
+"get-dont-throttle-netmasks get the list of netmasks that are not allowed to be throttled\n"
"get-ntas get all configured Negative Trust Anchors\n"
"get-tas get all configured Trust Anchors\n"
"get-parameter [key1] [key2] .. get configuration parameters\n"
if (cmd=="set-dnssec-log-bogus")
return doSetDnssecLogBogus(begin, end);
+ if (cmd == "get-dont-throttle-names") {
+ return getDontThrottleNames();
+ }
+
+ if (cmd == "get-dont-throttle-netmasks") {
+ return getDontThrottleNetmasks();
+ }
+
+ if (cmd == "add-dont-throttle-names") {
+ return addDontThrottleNames(begin, end);
+ }
+
+ if (cmd == "add-dont-throttle-netmasks") {
+ return addDontThrottleNetmasks(begin, end);
+ }
+
+ if (cmd == "clear-dont-throttle-names") {
+ return clearDontThrottleNames(begin, end);
+ }
+
+ if (cmd == "clear-dont-throttle-netmasks") {
+ return clearDontThrottleNetmasks(begin, end);
+ }
+
return "Unknown command '"+cmd+"', try 'help'\n";
}
--- /dev/null
+jsonstat endpoint
+=================
+
+.. http:get:: /jsonstat
+
+ Get statistics from recursor in JSON format.
+ The ``Accept`` request header is ignored.
+ This endpoint accepts a ``command`` and ``name`` query for different statistics:
+
+ * ``get-query-ring``: Retrieve statistics from the query subsection. ``name`` can be ``servfail-queries`` or ``queries``. Supports optional argument ``public-filtered`` which if set to any value will group queries by the public suffix list.
+ * ``get-remote-ring``: Retrieve statistics from the remotes subsection. ``name`` can be ``remotes``, ``servfail-remotes``, ``bogus-remotes`` (added in 4.2.0), ``large-answer-remotes``, or ``timeouts`` (added in 4.2.0).
+
+ **Example request**:
+
+ .. sourcecode:: http
+
+ GET /jsonstat?command=get-query-ring&name=servfail-queries HTTP/1.1
+ Host: example.com
+ Accept: application/json, text/javascript
+ X-API-Key: examplekey
+
+ **Example response**:
+
+ .. sourcecode:: http
+
+ HTTP/1.1 200 OK
+ Access-Control-Allow-Origin: *
+ Connection: close
+ Content-Length: 94
+ Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+ Content-Type: application/json
+ Server: PowerDNS/4.1.11
+ X-Content-Type-Options: nosniff
+ X-Frame-Options: deny
+ X-Permitted-Cross-Domain-Policies: none
+ X-Xss-Protection: 1; mode=block
+
+ {"entries": [[2, "wpad.americas.hpecorp.net", "A"], [1, "wpad.americas.hpecorp.net", "AAAA"]]}
+
+ **Example request**:
+
+ .. sourcecode:: http
+
+ GET /jsonstat?command=get-query-ring&name=queries HTTP/1.1
+ Host: example.com
+ Accept: application/json, text/javascript
+ X-API-Key: examplekey
+
+ **Example response**:
+
+ .. sourcecode:: http
+
+ HTTP/1.1 200 OK
+ Access-Control-Allow-Origin: *
+ Connection: close
+ Content-Length: 69
+ Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+ Content-Type: application/json
+ Server: PowerDNS/4.1.11
+ X-Content-Type-Options: nosniff
+ X-Frame-Options: deny
+ X-Permitted-Cross-Domain-Policies: none
+ X-Xss-Protection: 1; mode=block
+
+ {"entries": [[1, "a.powerdns.com", "A"], [1, "b.powerdns.com", "A"]]}
+
+ **Example request**:
+
+ .. sourcecode:: http
+
+ GET /jsonstat?command=get-query-ring&name=queries&public-filtered=true HTTP/1.1
+ Host: example.com
+ Accept: application/json, text/javascript
+ X-API-Key: examplekey
+
+ **Example response**:
+
+ .. sourcecode:: http
+
+ HTTP/1.1 200 OK
+ Access-Control-Allow-Origin: *
+ Connection: close
+ Content-Length: 39
+ Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+ Content-Type: application/json
+ Server: PowerDNS/4.1.11
+ X-Content-Type-Options: nosniff
+ X-Frame-Options: deny
+ X-Permitted-Cross-Domain-Policies: none
+ X-Xss-Protection: 1; mode=block
+
+ {"entries": [[2, "powerdns.com", "A"]]}
+
+ **Example request**:
+
+ .. sourcecode:: http
+
+ GET /jsonstat?command=get-remote-ring&name=remotes HTTP/1.1
+ Host: example.com
+ Accept: application/json, text/javascript
+ X-API-Key: examplekey
+
+ **Example response**:
+
+ .. sourcecode:: http
+
+ HTTP/1.1 200 OK
+ Access-Control-Allow-Origin: *
+ Connection: close
+ Content-Length: 62
+ Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+ Content-Type: application/json
+ Server: PowerDNS/4.1.11
+ X-Content-Type-Options: nosniff
+ X-Frame-Options: deny
+ X-Permitted-Cross-Domain-Policies: none
+ X-Xss-Protection: 1; mode=block
+
+ {"entries": [[11, "10.0.2.15"], [7, "::1"], [4, "127.0.0.1"]]}
+
+ **Example response**:
+
+ .. sourcecode:: http
+
+ HTTP/1.1 200 OK
+ Access-Control-Allow-Origin: *
+ Connection: close
+ Content-Length: 43
+ Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+ Content-Type: application/json
+ Server: PowerDNS/4.1.11
+ X-Content-Type-Options: nosniff
+ X-Frame-Options: deny
+ X-Permitted-Cross-Domain-Policies: none
+ X-Xss-Protection: 1; mode=block
+
+ {"entries": [[2, "::1"], [1, "127.0.0.1"]]}
+
+ **Example request**:
+
+ .. sourcecode:: http
+
+ GET /jsonstat?command=get-remote-ring&name=bogus-remotes HTTP/1.1
+ Host: example.com
+ Accept: application/json, text/javascript
+ X-API-Key: examplekey
+
+ **Example response**:
+
+ .. sourcecode:: http
+
+ HTTP/1.1 200 OK
+ Access-Control-Allow-Origin: *
+ Connection: close
+ Content-Length: 32
+ Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+ Content-Type: application/json
+ Server: PowerDNS/4.2.0-alpha1
+ X-Content-Type-Options: nosniff
+ X-Frame-Options: deny
+ X-Permitted-Cross-Domain-Policies: none
+ X-Xss-Protection: 1; mode=block
+
+ {"entries": [[20, "127.0.0.1"]]}
+
+ **Example request**:
+
+ .. sourcecode:: http
+
+ GET /jsonstat?command=get-remote-ring&name=servfail-remotes HTTP/1.1
+ Host: example.com
+ Accept: application/json, text/javascript
+ X-API-Key: examplekey
+
+ **Example response**:
+
+ .. sourcecode:: http
+
+ HTTP/1.1 200 OK
+ Access-Control-Allow-Origin: *
+ Connection: close
+ Content-Length: 31
+ Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+ Content-Type: application/json
+ Server: PowerDNS/4.1.11
+ X-Content-Type-Options: nosniff
+ X-Frame-Options: deny
+ X-Permitted-Cross-Domain-Policies: none
+ X-Xss-Protection: 1; mode=block
+
+ {"entries": [[4, "127.0.0.1"]]}
+
+ **Example request**:
+
+ .. sourcecode:: http
+
+ GET /jsonstat?command=get-remote-ring&name=large-answer-remotes HTTP/1.1
+ Host: example.com
+ Accept: application/json, text/javascript
+ X-API-Key: examplekey
+
+ **Example response**:
+
+ .. sourcecode:: http
+
+ HTTP/1.1 200 OK
+ Access-Control-Allow-Origin: *
+ Connection: close
+ Content-Length: 43
+ Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+ Content-Type: application/json
+ Server: PowerDNS/4.1.11
+ X-Content-Type-Options: nosniff
+ X-Frame-Options: deny
+ X-Permitted-Cross-Domain-Policies: none
+ X-Xss-Protection: 1; mode=block
+
+ {"entries": [[2, "127.0.0.1"], [1, "::1"]]}
+
+ **Example request**:
+
+ .. sourcecode:: http
+
+ GET /jsonstat?command=get-remote-ring&name=timeouts HTTP/1.1
+ Host: example.com
+ Accept: application/json, text/javascript
+ X-API-Key: examplekey
+
+ **Example response**:
+
+ .. sourcecode:: http
+
+ HTTP/1.1 200 OK
+ Access-Control-Allow-Origin: *
+ Connection: close
+ Content-Length: 189
+ Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+ Content-Type: application/json
+ Server: PowerDNS/4.2.0-alpha1
+ X-Content-Type-Options: nosniff
+ X-Frame-Options: deny
+ X-Permitted-Cross-Domain-Policies: none
+ X-Xss-Protection: 1; mode=block
+
+ {"entries": [[3, "15.219.145.20"], [3, "15.211.192.20"], [2, "15.219.160.20"], [2, "15.203.224.20"], [2, "15.219.145.21"], [2, "15.219.160.21"], [2, "15.211.192.21"], [2, "15.203.224.21"]]}
endpoint-cache
endpoint-failure
endpoint-rpz-stats
+ endpoint-jsonstat
Commands
--------
+add-dont-throttle-names NAME [NAME...]
+ Add names for nameserver domains that may not be throttled.
+
+add-dont-throttle-netmasks NETMASK [NETMASK...]
+ Add netmasks for nameservers that may not be throttled.
+
add-nta *DOMAIN* [*REASON*]
Add a Negative Trust Anchor for *DOMAIN*, suffixed optionally with
*REASON*.
current-queries
Shows the currently active queries.
+clear-dont-throttle-names NAME [NAME...]
+ Remove names that are not allowed to be throttled. If *NAME* is '*', remove all
+
+clear-dont-throttle-netmasks NETMASK [NETMASK...]
+ Remove netmasks that are not allowed to be throttled. If *NETMASK* is '*', remove all
+
clear-nta *DOMAIN*...
Remove Negative Trust Anchor for one or more *DOMAIN*\ s. Set domain to
'*' to remove all NTA's.
get-all
Retrieve all known statistics.
+get-dont-throttle-names
+ Get the list of names that are not allowed to be throttled.
+
+get-dont-throttle-netmasks
+ Get the list of netmasks that are not allowed to be throttled.
+
get-ntas
Get a list of the currently configured Negative Trust Anchors.
Which domains we only accept delegations from (a Verisign special).
+.. _setting-dont-throttle-names:
+
+``dont-throttle-names``
+----------------------------
+.. versionadded:: 4.2.0
+
+- Comma separated list of domain-names
+- Default: (empty)
+
+When an authoritative server does not answer a query or sends a reply the recursor does not like, it is throttled.
+Any servers' name suffix-matching the supplied names will never be throttled.
+
+.. warning::
+ Most servers on the internet do not respond for a good reason (overloaded or unreachable), ``dont-throttle-names`` could make this load on the upstream server even higher, resulting in further service degradation.
+
+.. _setting-dont-throttle-netmasks:
+
+``dont-throttle-netmasks``
+----------------------------
+.. versionadded:: 4.2.0
+
+- Comma separated list of netmasks
+- Default: (empty)
+
+When an authoritative server does not answer a query or sends a reply the recursor does not like, it is throttled.
+Any servers matching the supplied netmasks will never be throttled.
+
+This can come in handy on lossy networks when forwarding, where the same server is configured multiple times (e.g. with ``forward-zones-recurse=example.com=192.0.2.1;192.0.2.1``).
+By default, the PowerDNS Recursor would throttle the "first" server on a timeout and hence not retry the "second" one.
+In this case, ``dont-throttle-netmasks`` could be set to ``192.0.2.1``.
+
+.. warning::
+ Most servers on the internet do not respond for a good reason (overloaded or unreachable), ``dont-throttle-netmasks`` could make this load on the upstream server even higher, resulting in further service degradation.
+
.. _setting-disable-packetcache:
``disable-packetcache``
share of queries, even if the incoming traffic is very skewed, with a larger
number of requests asking for the same qname.
+.. _setting-distribution-pipe-buffer-size:
+
+``distribution-pipe-buffer-size``
+---------------------------------
+.. versionadded:: 4.2.0
+
+- Integer
+- Default: 0
+
+Size in bytes of the internal buffer of the pipe used by the distributor to pass incoming queries to a worker thread.
+Requires support for `F_SETPIPE_SZ` which is present in Linux since 2.6.35. The actual size might be rounded up to
+a multiple of a page size. 0 means that the OS default size is used.
+A large buffer might allow the recursor to deal with very short-lived load spikes during which a worker thread gets
+overloaded, but it will be at the cost of an increased latency.
+
.. _setting-distributor-threads:
``distributor-threads``
The server will trust XPF records found in queries sent from those netmasks (both IPv4 and IPv6),
and will adjust queries' source and destination accordingly. This is especially useful when the recursor
is placed behind a proxy like `dnsdist <https://dnsdist.org>`_.
-Note that the ref:`setting-allow-from` setting is still applied to the original source address, and thus access restriction
+Note that the :ref:`setting-allow-from` setting is still applied to the original source address, and thus access restriction
should be done on the proxy.
.. _setting-xpf-rr-code:
* \param ne The NegCacheEntry to add to the cache
*/
void NegCache::add(const NegCacheEntry& ne) {
- replacing_insert(d_negcache, ne);
+ lruReplacingInsert(d_negcache, ne);
}
/*!
BOOST_CHECK_EQUAL(cache.size(), 100);
}
+BOOST_AUTO_TEST_CASE(test_prune_valid_entries) {
+ DNSName power1("powerdns.com.");
+ DNSName power2("powerdns-1.com.");
+ DNSName auth("com.");
+
+ struct timeval now;
+ Utility::gettimeofday(&now, 0);
+
+ NegCache cache;
+ NegCache::NegCacheEntry ne;
+
+ /* insert power1 then power2 */
+ ne = genNegCacheEntry(power1, auth, now);
+ cache.add(ne);
+ ne = genNegCacheEntry(power2, auth, now);
+ cache.add(ne);
+
+ BOOST_CHECK_EQUAL(cache.size(), 2);
+
+ /* power2 has been inserted more recently, so it should be
+ removed last */
+ cache.prune(1);
+ BOOST_CHECK_EQUAL(cache.size(), 1);
+
+ const NegCache::NegCacheEntry* got = nullptr;
+ bool ret = cache.get(power2, QType(1), now, &got);
+ BOOST_REQUIRE(ret);
+ BOOST_CHECK_EQUAL(got->d_name, power2);
+ BOOST_CHECK_EQUAL(got->d_auth, auth);
+
+ /* insert power1 back */
+ ne = genNegCacheEntry(power1, auth, now);
+ cache.add(ne);
+ BOOST_CHECK_EQUAL(cache.size(), 2);
+
+ /* replace the entry for power2 */
+ ne = genNegCacheEntry(power2, auth, now);
+ cache.add(ne);
+
+ BOOST_CHECK_EQUAL(cache.size(), 2);
+
+ /* power2 has been updated more recently, so it should be
+ removed last */
+ cache.prune(1);
+
+ BOOST_CHECK_EQUAL(cache.size(), 1);
+ got = nullptr;
+ ret = cache.get(power2, QType(1), now, &got);
+ BOOST_REQUIRE(ret);
+ BOOST_CHECK_EQUAL(got->d_name, power2);
+ BOOST_CHECK_EQUAL(got->d_auth, auth);
+}
+
BOOST_AUTO_TEST_CASE(test_wipe_single) {
string qname(".powerdns.com");
DNSName auth("powerdns.com");
RecursorStats g_stats;
GlobalStateHolder<LuaConfigItems> g_luaconfs;
+GlobalStateHolder<SuffixMatchNode> g_dontThrottleNames;
+GlobalStateHolder<NetmaskGroup> g_dontThrottleNetmasks;
thread_local std::unique_ptr<MemRecursorCache> t_RC{nullptr};
unsigned int g_numThreads = 1;
bool g_lowercaseOutgoing = false;
BOOST_CHECK_EQUAL(queriesCount, 9);
}
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_wildcard_expanded_onto_itself) {
+ std::unique_ptr<SyncRes> sr;
+ initSR(sr, true);
+
+ setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+ primeHints();
+ const DNSName target("*.powerdns.com.");
+ testkeysset_t keys;
+
+ auto luaconfsCopy = g_luaconfs.getCopy();
+ luaconfsCopy.dsAnchors.clear();
+ generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+ generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+ generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+
+ g_luaconfs.setState(luaconfsCopy);
+
+ sr->setAsyncCallback([target,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+ if (type == QType::DS || type == QType::DNSKEY) {
+ if (domain == target) {
+ const auto auth = DNSName("powerdns.com.");
+ /* we don't want a cut there */
+ setLWResult(res, 0, true, false, true);
+ addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+ addRRSIG(keys, res->d_records, auth, 300);
+ /* add a NSEC denying the DS */
+ std::set<uint16_t> types = { QType::NSEC };
+ addNSECRecordToLW(domain, DNSName("z") + domain, types, 600, res->d_records);
+ addRRSIG(keys, res->d_records, auth, 300);
+ return 1;
+ }
+ return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+ }
+ else {
+ setLWResult(res, 0, true, false, true);
+ addRecordToLW(res, domain, QType::A, "192.0.2.42");
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300, false, boost::none, DNSName("*.powerdns.com"));
+ /* we don't _really_ need to add the proof that the exact name does not exist because it does,
+ it's the wildcard itself, but let's do it so other validators don't choke on it */
+ addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+ return 1;
+ }
+ });
+
+ vector<DNSRecord> ret;
+ int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+ /* A + RRSIG, NSEC + RRSIG */
+ BOOST_REQUIRE_EQUAL(ret.size(), 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_wildcard_like_expanded_from_wildcard) {
+ std::unique_ptr<SyncRes> sr;
+ initSR(sr, true);
+
+ setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+ primeHints();
+ const DNSName target("*.sub.powerdns.com.");
+ testkeysset_t keys;
+
+ auto luaconfsCopy = g_luaconfs.getCopy();
+ luaconfsCopy.dsAnchors.clear();
+ generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+ generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+ generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+
+ g_luaconfs.setState(luaconfsCopy);
+
+ sr->setAsyncCallback([target,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+ if (type == QType::DS || type == QType::DNSKEY) {
+ if (domain == target) {
+ const auto auth = DNSName("powerdns.com.");
+ /* we don't want a cut there */
+ setLWResult(res, 0, true, false, true);
+ addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+ addRRSIG(keys, res->d_records, auth, 300);
+ addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+ return 1;
+ }
+ else if (domain == DNSName("sub.powerdns.com.")) {
+ const auto auth = DNSName("powerdns.com.");
+ /* we don't want a cut there */
+ setLWResult(res, 0, true, false, true);
+ addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+ addRRSIG(keys, res->d_records, auth, 300);
+ /* add a NSEC denying the DS */
+ addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+ return 1;
+ }
+ return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+ }
+ else {
+ setLWResult(res, 0, true, false, true);
+ addRecordToLW(res, domain, QType::A, "192.0.2.42");
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300, false, boost::none, DNSName("*.powerdns.com"));
+ addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+ return 1;
+ }
+ });
+
+ vector<DNSRecord> ret;
+ int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+ /* A + RRSIG, NSEC + RRSIG */
+ BOOST_REQUIRE_EQUAL(ret.size(), 4);
+}
+
BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_secure) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);
BOOST_CHECK_LT(t_RC->get(now, DNSName("spoofed.ns."), QType(QType::AAAA), false, &cached, who), 0);
}
+BOOST_AUTO_TEST_CASE(test_dname_processing) {
+ std::unique_ptr<SyncRes> sr;
+ initSR(sr);
+
+ primeHints();
+
+ const DNSName dnameOwner("powerdns.com");
+ const DNSName dnameTarget("powerdns.net");
+
+ const DNSName target("dname.powerdns.com.");
+ const DNSName cnameTarget("dname.powerdns.net");
+
+ const DNSName uncachedTarget("dname-uncached.powerdns.com.");
+ const DNSName uncachedCNAMETarget("dname-uncached.powerdns.net.");
+
+ const DNSName synthCNAME("cname-uncached.powerdns.com.");
+ const DNSName synthCNAMETarget("cname-uncached.powerdns.net.");
+
+ size_t queries = 0;
+
+ sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, uncachedTarget, uncachedCNAMETarget, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+ queries++;
+
+ if (isRootServer(ip)) {
+ if (domain.isPartOf(dnameOwner)) {
+ setLWResult(res, 0, false, false, true);
+ addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+ addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+ return 1;
+ }
+ if (domain.isPartOf(dnameTarget)) {
+ setLWResult(res, 0, false, false, true);
+ addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+ addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+ return 1;
+ }
+ } else if (ip == ComboAddress("192.0.2.1:53")) {
+ if (domain == target) {
+ setLWResult(res, 0, true, false, false);
+ addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
+ addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
+ return 1;
+ }
+ } else if (ip == ComboAddress("192.0.2.2:53")) {
+ if (domain == cnameTarget) {
+ setLWResult(res, 0, true, false, false);
+ addRecordToLW(res, domain, QType::A, "192.0.2.2");
+ }
+ if (domain == uncachedCNAMETarget) {
+ setLWResult(res, 0, true, false, false);
+ addRecordToLW(res, domain, QType::A, "192.0.2.3");
+ }
+ return 1;
+ }
+ return 0;
+ });
+
+ vector<DNSRecord> ret;
+ int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_REQUIRE_EQUAL(ret.size(), 3);
+
+ BOOST_CHECK_EQUAL(queries, 4);
+
+ BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+ BOOST_CHECK(ret[0].d_name == dnameOwner);
+ BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+ BOOST_CHECK(ret[1].d_type == QType::CNAME);
+ BOOST_CHECK_EQUAL(ret[1].d_name, target);
+
+ BOOST_CHECK(ret[2].d_type == QType::A);
+ BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
+
+ // Now check the cache
+ ret.clear();
+ res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_REQUIRE_EQUAL(ret.size(), 3);
+
+ BOOST_CHECK_EQUAL(queries, 4);
+
+ BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+ BOOST_CHECK(ret[0].d_name == dnameOwner);
+ BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+ BOOST_CHECK(ret[1].d_type == QType::CNAME);
+ BOOST_CHECK_EQUAL(ret[1].d_name, target);
+
+ BOOST_CHECK(ret[2].d_type == QType::A);
+ BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
+
+ // Check if we correctly return a synthesizd CNAME, should send out just 1 more query
+ ret.clear();
+ res = sr->beginResolve(uncachedTarget, QType(QType::A), QClass::IN, ret);
+
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(queries, 5);
+
+ BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+ BOOST_CHECK(ret[0].d_name == dnameOwner);
+ BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+ BOOST_REQUIRE(ret[1].d_type == QType::CNAME);
+ BOOST_CHECK_EQUAL(ret[1].d_name, uncachedTarget);
+ BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[1])->getTarget(), uncachedCNAMETarget);
+
+ BOOST_CHECK(ret[2].d_type == QType::A);
+ BOOST_CHECK_EQUAL(ret[2].d_name, uncachedCNAMETarget);
+
+ // Check if we correctly return the DNAME from cache when asked
+ ret.clear();
+ res = sr->beginResolve(dnameOwner, QType(QType::DNAME), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(queries, 5);
+
+ BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+ BOOST_CHECK(ret[0].d_name == dnameOwner);
+ BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+ // Check if we correctly return the synthesized CNAME from cache when asked
+ ret.clear();
+ res = sr->beginResolve(synthCNAME, QType(QType::CNAME), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(queries, 5);
+
+ BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+ BOOST_CHECK(ret[0].d_name == dnameOwner);
+ BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+ BOOST_REQUIRE(ret[1].d_type == QType::CNAME);
+ BOOST_CHECK(ret[1].d_name == synthCNAME);
+ BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[1])->getTarget(), synthCNAMETarget);
+}
+
+BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) {
+ std::unique_ptr<SyncRes> sr;
+ initSR(sr, true);
+ setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+ primeHints();
+
+ const DNSName dnameOwner("powerdns");
+ const DNSName dnameTarget("example");
+
+ const DNSName target("dname.powerdns");
+ const DNSName cnameTarget("dname.example");
+
+ testkeysset_t keys;
+
+ auto luaconfsCopy = g_luaconfs.getCopy();
+ luaconfsCopy.dsAnchors.clear();
+ generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+ generateKeyMaterial(dnameOwner, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+ generateKeyMaterial(dnameTarget, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+ g_luaconfs.setState(luaconfsCopy);
+
+ size_t queries = 0;
+
+ sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, keys, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+ queries++;
+ /* We don't use the genericDSAndDNSKEYHandler here, as it would deny names existing at the wrong level of the tree, due to the way computeZoneCuts works
+ * As such, we need to do some more work to make the answers correct.
+ */
+
+ if (isRootServer(ip)) {
+ if (domain.countLabels() == 0 && type == QType::DNSKEY) { // .|DNSKEY
+ setLWResult(res, 0, true, false, true);
+ addDNSKEY(keys, domain, 300, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("."), 300);
+ return 1;
+ }
+ if (domain.countLabels() == 1 && type == QType::DS) { // powerdns|DS or example|DS
+ setLWResult(res, 0, true, false, true);
+ addDS(domain, 300, res->d_records, keys);
+ addRRSIG(keys, res->d_records, DNSName("."), 300);
+ return 1;
+ }
+ // For the rest, delegate!
+ if (domain.isPartOf(dnameOwner)) {
+ setLWResult(res, 0, false, false, true);
+ addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+ addDS(dnameOwner, 300, res->d_records, keys);
+ addRRSIG(keys, res->d_records, DNSName("."), 300);
+ addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+ return 1;
+ }
+ if (domain.isPartOf(dnameTarget)) {
+ setLWResult(res, 0, false, false, true);
+ addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+ addDS(dnameTarget, 300, res->d_records, keys);
+ addRRSIG(keys, res->d_records, DNSName("."), 300);
+ addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+ return 1;
+ }
+ } else if (ip == ComboAddress("192.0.2.1:53")) {
+ if (domain.countLabels() == 1 && type == QType::DNSKEY) { // powerdns|DNSKEY
+ setLWResult(res, 0, true, false, true);
+ addDNSKEY(keys, domain, 300, res->d_records);
+ addRRSIG(keys, res->d_records, domain, 300);
+ return 1;
+ }
+ if (domain == target && type == QType::DS) { // dname.powerdns|DS
+ return genericDSAndDNSKEYHandler(res, domain, dnameOwner, type, keys);
+ }
+ if (domain == target) {
+ setLWResult(res, 0, true, false, false);
+ addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
+ addRRSIG(keys, res->d_records, dnameOwner, 300);
+ addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString()); // CNAME from a DNAME is not signed
+ return 1;
+ }
+ } else if (ip == ComboAddress("192.0.2.2:53")) {
+ if (domain.countLabels() == 1 && type == QType::DNSKEY) { // example|DNSKEY
+ setLWResult(res, 0, true, false, true);
+ addDNSKEY(keys, domain, 300, res->d_records);
+ addRRSIG(keys, res->d_records, domain, 300);
+ return 1;
+ }
+ if (domain == target && type == QType::DS) { // dname.example|DS
+ return genericDSAndDNSKEYHandler(res, domain, dnameTarget, type, keys);
+ }
+ if (domain == cnameTarget) {
+ setLWResult(res, 0, true, false, false);
+ addRecordToLW(res, domain, QType::A, "192.0.2.2");
+ addRRSIG(keys, res->d_records, dnameTarget, 300);
+ }
+ return 1;
+ }
+ return 0;
+ });
+
+ vector<DNSRecord> ret;
+ int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+ BOOST_REQUIRE_EQUAL(ret.size(), 5); /* DNAME + RRSIG(DNAME) + CNAME + A + RRSIG(A) */
+
+ BOOST_CHECK_EQUAL(queries, 11);
+
+ BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+ BOOST_CHECK(ret[0].d_name == dnameOwner);
+ BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+ BOOST_REQUIRE(ret[1].d_type == QType::RRSIG);
+ BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
+
+ BOOST_CHECK(ret[2].d_type == QType::CNAME);
+ BOOST_CHECK_EQUAL(ret[2].d_name, target);
+
+ BOOST_CHECK(ret[3].d_type == QType::A);
+ BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
+
+ BOOST_CHECK(ret[4].d_type == QType::RRSIG);
+ BOOST_CHECK_EQUAL(ret[4].d_name, cnameTarget);
+
+ // And the cache
+ ret.clear();
+ res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+ BOOST_REQUIRE_EQUAL(ret.size(), 5); /* DNAME + RRSIG(DNAME) + CNAME + A + RRSIG(A) */
+
+ BOOST_CHECK_EQUAL(queries, 11);
+
+ BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+ BOOST_CHECK(ret[0].d_name == dnameOwner);
+ BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+ BOOST_CHECK(ret[1].d_type == QType::RRSIG);
+ BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
+
+ BOOST_CHECK(ret[2].d_type == QType::CNAME);
+ BOOST_CHECK_EQUAL(ret[2].d_name, target);
+
+ BOOST_CHECK(ret[3].d_type == QType::A);
+ BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
+
+ BOOST_CHECK(ret[4].d_type == QType::RRSIG);
+ BOOST_CHECK_EQUAL(ret[4].d_name, cnameTarget);
+
+}
+
+BOOST_AUTO_TEST_CASE(test_dname_dnssec_insecure) {
+ /*
+ * The DNAME itself is signed, but the final A record is not
+ */
+ std::unique_ptr<SyncRes> sr;
+ initSR(sr, true);
+ setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+ primeHints();
+
+ const DNSName dnameOwner("powerdns");
+ const DNSName dnameTarget("example");
+
+ const DNSName target("dname.powerdns");
+ const DNSName cnameTarget("dname.example");
+
+ testkeysset_t keys;
+
+ auto luaconfsCopy = g_luaconfs.getCopy();
+ luaconfsCopy.dsAnchors.clear();
+ generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+ generateKeyMaterial(dnameOwner, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+ g_luaconfs.setState(luaconfsCopy);
+
+ size_t queries = 0;
+
+ sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, keys, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+ queries++;
+
+ if (isRootServer(ip)) {
+ if (domain.countLabels() == 0 && type == QType::DNSKEY) { // .|DNSKEY
+ setLWResult(res, 0, true, false, true);
+ addDNSKEY(keys, domain, 300, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("."), 300);
+ return 1;
+ }
+ if (domain == dnameOwner && type == QType::DS) { // powerdns|DS
+ setLWResult(res, 0, true, false, true);
+ addDS(domain, 300, res->d_records, keys);
+ addRRSIG(keys, res->d_records, DNSName("."), 300);
+ return 1;
+ }
+ if (domain == dnameTarget && type == QType::DS) { // example|DS
+ return genericDSAndDNSKEYHandler(res, domain, DNSName("."), type, keys);
+ }
+ // For the rest, delegate!
+ if (domain.isPartOf(dnameOwner)) {
+ setLWResult(res, 0, false, false, true);
+ addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+ addDS(dnameOwner, 300, res->d_records, keys);
+ addRRSIG(keys, res->d_records, DNSName("."), 300);
+ addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+ return 1;
+ }
+ if (domain.isPartOf(dnameTarget)) {
+ setLWResult(res, 0, false, false, true);
+ addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+ addDS(dnameTarget, 300, res->d_records, keys);
+ addRRSIG(keys, res->d_records, DNSName("."), 300);
+ addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+ return 1;
+ }
+ } else if (ip == ComboAddress("192.0.2.1:53")) {
+ if (domain.countLabels() == 1 && type == QType::DNSKEY) { // powerdns|DNSKEY
+ setLWResult(res, 0, true, false, true);
+ addDNSKEY(keys, domain, 300, res->d_records);
+ addRRSIG(keys, res->d_records, domain, 300);
+ return 1;
+ }
+ if (domain == target && type == QType::DS) { // dname.powerdns|DS
+ return genericDSAndDNSKEYHandler(res, domain, dnameOwner, type, keys);
+ }
+ if (domain == target) {
+ setLWResult(res, 0, true, false, false);
+ addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
+ addRRSIG(keys, res->d_records, dnameOwner, 300);
+ addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString()); // CNAME from a DNAME is not signed
+ return 1;
+ }
+ } else if (ip == ComboAddress("192.0.2.2:53")) {
+ if (domain == target && type == QType::DS) { // dname.example|DS
+ return genericDSAndDNSKEYHandler(res, domain, dnameTarget, type, keys);
+ }
+ if (domain == cnameTarget) {
+ setLWResult(res, 0, true, false, false);
+ addRecordToLW(res, domain, QType::A, "192.0.2.2");
+ }
+ return 1;
+ }
+ return 0;
+ });
+
+ vector<DNSRecord> ret;
+ int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+ BOOST_REQUIRE_EQUAL(ret.size(), 4); /* DNAME + RRSIG(DNAME) + CNAME + A */
+
+ BOOST_CHECK_EQUAL(queries, 9);
+
+ BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+ BOOST_CHECK(ret[0].d_name == dnameOwner);
+ BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+ BOOST_CHECK(ret[1].d_type == QType::RRSIG);
+ BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
+
+ BOOST_CHECK(ret[2].d_type == QType::CNAME);
+ BOOST_CHECK_EQUAL(ret[2].d_name, target);
+
+ BOOST_CHECK(ret[3].d_type == QType::A);
+ BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
+
+ // And the cache
+ ret.clear();
+ res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+ BOOST_REQUIRE_EQUAL(ret.size(), 4); /* DNAME + RRSIG(DNAME) + CNAME + A */
+
+ BOOST_CHECK_EQUAL(queries, 9);
+
+ BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+ BOOST_CHECK(ret[0].d_name == dnameOwner);
+ BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+ BOOST_CHECK(ret[1].d_type == QType::RRSIG);
+ BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
+
+ BOOST_CHECK(ret[2].d_type == QType::CNAME);
+ BOOST_CHECK_EQUAL(ret[2].d_name, target);
+
+ BOOST_CHECK(ret[3].d_type == QType::A);
+ BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
+}
+
+BOOST_AUTO_TEST_CASE(test_dname_processing_no_CNAME) {
+ std::unique_ptr<SyncRes> sr;
+ initSR(sr);
+
+ primeHints();
+
+ const DNSName dnameOwner("powerdns.com");
+ const DNSName dnameTarget("powerdns.net");
+
+ const DNSName target("dname.powerdns.com.");
+ const DNSName cnameTarget("dname.powerdns.net");
+
+ size_t queries = 0;
+
+ sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+ queries++;
+
+ if (isRootServer(ip)) {
+ if (domain.isPartOf(dnameOwner)) {
+ setLWResult(res, 0, false, false, true);
+ addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+ addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+ return 1;
+ }
+ if (domain.isPartOf(dnameTarget)) {
+ setLWResult(res, 0, false, false, true);
+ addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+ addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+ return 1;
+ }
+ } else if (ip == ComboAddress("192.0.2.1:53")) {
+ if (domain == target) {
+ setLWResult(res, 0, true, false, false);
+ addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
+ // No CNAME, recursor should synth
+ return 1;
+ }
+ } else if (ip == ComboAddress("192.0.2.2:53")) {
+ if (domain == cnameTarget) {
+ setLWResult(res, 0, true, false, false);
+ addRecordToLW(res, domain, QType::A, "192.0.2.2");
+ }
+ return 1;
+ }
+ return 0;
+ });
+
+ vector<DNSRecord> ret;
+ int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_REQUIRE_EQUAL(ret.size(), 3);
+
+ BOOST_CHECK_EQUAL(queries, 4);
+
+ BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+ BOOST_CHECK(ret[0].d_name == dnameOwner);
+ BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+ BOOST_CHECK(ret[1].d_type == QType::CNAME);
+ BOOST_CHECK_EQUAL(ret[1].d_name, target);
+
+ BOOST_CHECK(ret[2].d_type == QType::A);
+ BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
+
+ // Now check the cache
+ ret.clear();
+ res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_REQUIRE_EQUAL(ret.size(), 3);
+
+ BOOST_CHECK_EQUAL(queries, 4);
+
+ BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+ BOOST_CHECK(ret[0].d_name == dnameOwner);
+ BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+ BOOST_CHECK(ret[1].d_type == QType::CNAME);
+ BOOST_CHECK_EQUAL(ret[1].d_name, target);
+
+ BOOST_CHECK(ret[2].d_type == QType::A);
+ BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
+}
+
/*
// cerr<<"asyncresolve called to ask "<<ip.toStringWithPort()<<" about "<<domain.toString()<<" / "<<QType(type).getName()<<" over "<<(doTCP ? "TCP" : "UDP")<<" (rd: "<<sendRDQuery<<", EDNS0 level: "<<EDNS0Level<<")"<<endl;
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
+#pragma once
#include <memory>
#include <atomic>
#include <mutex>
EDNSSubnetOpts SyncRes::s_ecsScopeZero;
string SyncRes::s_serverID;
SyncRes::LogMode SyncRes::s_lm;
+const std::unordered_set<uint16_t> SyncRes::s_redirectionQTypes = {QType::CNAME, QType::DNAME};
unsigned int SyncRes::s_maxnegttl;
unsigned int SyncRes::s_maxbogusttl;
return true;
}
- LOG(prefix<<qname<<": Looking for CNAME cache hit of '"<<qname<<"|CNAME"<<"'"<<endl);
vector<DNSRecord> cset;
vector<std::shared_ptr<RRSIGRecordContent>> signatures;
vector<std::shared_ptr<DNSRecord>> authorityRecs;
bool wasAuth;
uint32_t capTTL = std::numeric_limits<uint32_t>::max();
+ DNSName foundName;
+ QType foundQT = QType(0); // 0 == QTYPE::ENT
+
+ LOG(prefix<<qname<<": Looking for CNAME cache hit of '"<<qname<<"|CNAME"<<"'"<<endl);
/* we don't require auth data for forward-recurse lookups */
- if(t_RC->get(d_now.tv_sec, qname, QType(QType::CNAME), !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
+ if (t_RC->get(d_now.tv_sec, qname, QType(QType::CNAME), !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
+ foundName = qname;
+ foundQT = QType(QType::CNAME);
+ }
+
+ if (foundName.empty() && qname != g_rootdnsname) {
+ // look for a DNAME cache hit
+ auto labels = qname.getRawLabels();
+ DNSName dnameName(g_rootdnsname);
+
+ do {
+ dnameName.prependRawLabel(labels.back());
+ labels.pop_back();
+ if (dnameName == qname && qtype != QType::DNAME) { // The client does not want a DNAME, but we've reached the QNAME already. So there is no match
+ break;
+ }
+ LOG(prefix<<qname<<": Looking for DNAME cache hit of '"<<dnameName<<"|DNAME"<<"'"<<endl);
+ if (t_RC->get(d_now.tv_sec, dnameName, QType(QType::DNAME), !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
+ foundName = dnameName;
+ foundQT = QType(QType::DNAME);
+ break;
+ }
+ } while(!labels.empty());
+ }
+ if(!foundName.empty()) {
for(auto j=cset.cbegin() ; j != cset.cend() ; ++j) {
if (j->d_class != QClass::IN) {
continue;
/* This means we couldn't figure out the state when this entry was cached,
most likely because we hadn't computed the zone cuts yet. */
/* make sure they are computed before validating */
- DNSName subdomain(qname);
+ DNSName subdomain(foundName);
/* if we are retrieving a DS, we only care about the state of the parent zone */
if(qtype == QType::DS)
subdomain.chopOff();
computeZoneCuts(subdomain, g_rootdnsname, depth);
- vState recordState = getValidationStatus(qname, false);
+ vState recordState = getValidationStatus(foundName, false);
if (recordState == Secure) {
- LOG(prefix<<qname<<": got Indeterminate state from the CNAME cache, validating.."<<endl);
- state = SyncRes::validateRecordsWithSigs(depth, qname, QType(QType::CNAME), qname, cset, signatures);
+ LOG(prefix<<qname<<": got Indeterminate state from the "<<foundQT.getName()<<" cache, validating.."<<endl);
+ state = SyncRes::validateRecordsWithSigs(depth, foundName, foundQT, foundName, cset, signatures);
if (state != Indeterminate) {
LOG(prefix<<qname<<": got Indeterminate state from the CNAME cache, new validation result is "<<vStates[state]<<endl);
if (state == Bogus) {
capTTL = s_maxbogusttl;
}
- updateValidationStatusInCache(qname, QType(QType::CNAME), wasAuth, state);
+ updateValidationStatusInCache(foundName, foundQT, wasAuth, state);
}
}
}
- LOG(prefix<<qname<<": Found cache CNAME hit for '"<< qname << "|CNAME" <<"' to '"<<j->d_content->getZoneRepresentation()<<"', validation state is "<<vStates[state]<<endl);
+ LOG(prefix<<qname<<": Found cache "<<foundQT.getName()<<" hit for '"<< foundName << "|"<<foundQT.getName()<<"' to '"<<j->d_content->getZoneRepresentation()<<"', validation state is "<<vStates[state]<<endl);
DNSRecord dr=*j;
dr.d_ttl -= d_now.tv_sec;
dr.d_ttl = std::min(dr.d_ttl, capTTL);
const uint32_t ttl = dr.d_ttl;
- ret.reserve(ret.size() + 1 + signatures.size() + authorityRecs.size());
+ ret.reserve(ret.size() + 2 + signatures.size() + authorityRecs.size());
ret.push_back(dr);
for(const auto& signature : signatures) {
DNSRecord sigdr;
sigdr.d_type=QType::RRSIG;
- sigdr.d_name=qname;
+ sigdr.d_name=foundName;
sigdr.d_ttl=ttl;
sigdr.d_content=signature;
sigdr.d_place=DNSResourceRecord::ANSWER;
ret.push_back(authDR);
}
- if(qtype != QType::CNAME) { // perhaps they really wanted a CNAME!
- set<GetBestNSAnswer>beenthere;
+ DNSName newTarget;
+ if (foundQT == QType::DNAME) {
+ if (qtype == QType::DNAME && qname == foundName) { // client wanted the DNAME, no need to synthesize a CNAME
+ res = 0;
+ return true;
+ }
+ // Synthesize a CNAME
+ auto dnameRR = getRR<DNAMERecordContent>(*j);
+ if (dnameRR == nullptr) {
+ throw ImmediateServFailException("Unable to get record content for "+foundName.toLogString()+"|DNAME cache entry");
+ }
+ const auto& dnameSuffix = dnameRR->getTarget();
+ DNSName targetPrefix = qname.makeRelative(foundName);
+ try {
+ dr.d_type = QType::CNAME;
+ dr.d_name = targetPrefix + foundName;
+ newTarget = targetPrefix + dnameSuffix;
+ dr.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent(newTarget));
+ ret.push_back(dr);
+ } catch (const std::exception &e) {
+ // We should probably catch an std::range_error here and set the rcode to YXDOMAIN (RFC 6672, section 2.2)
+ // But this is consistent with processRecords
+ throw ImmediateServFailException("Unable to perform DNAME substitution(DNAME owner: '" + foundName.toLogString() +
+ "', DNAME target: '" + dnameSuffix.toLogString() + "', substituted name: '" +
+ targetPrefix.toLogString() + "." + dnameSuffix.toLogString() +
+ "' : " + e.what());
+ }
- vState cnameState = Indeterminate;
+ LOG(prefix<<qname<<": Synthesized "<<dr.d_name<<"|CNAME "<<newTarget<<endl);
+ }
+
+ if(qtype == QType::CNAME) { // perhaps they really wanted a CNAME!
+ res = 0;
+ return true;
+ }
+
+ // We have a DNAME _or_ CNAME cache hit and the client wants something else than those two.
+ // Let's find the answer!
+ if (foundQT == QType::CNAME) {
const auto cnameContent = getRR<CNAMERecordContent>(*j);
- if (cnameContent) {
- res=doResolve(cnameContent->getTarget(), qtype, ret, depth+1, beenthere, cnameState);
- LOG(prefix<<qname<<": updating validation state for response to "<<qname<<" from "<<vStates[state]<<" with the state from the CNAME quest: "<<vStates[cnameState]<<endl);
- updateValidationState(state, cnameState);
+ if (cnameContent == nullptr) {
+ throw ImmediateServFailException("Unable to get record content for "+foundName.toLogString()+"|CNAME cache entry");
}
+ newTarget = cnameContent->getTarget();
}
- else
- res=0;
+
+ set<GetBestNSAnswer>beenthere;
+ vState cnameState = Indeterminate;
+ res = doResolve(newTarget, qtype, ret, depth+1, beenthere, cnameState);
+ LOG(prefix<<qname<<": updating validation state for response to "<<qname<<" from "<<vStates[state]<<" with the state from the DNAME/CNAME quest: "<<vStates[cnameState]<<endl);
+ updateValidationState(state, cnameState);
return true;
}
}
}
- LOG(prefix<<qname<<": No CNAME cache hit of '"<< qname << "|CNAME" <<"' found"<<endl);
+ LOG(prefix<<qname<<": No CNAME or DNAME cache hit of '"<< qname <<"' found"<<endl);
return false;
}
continue;
}
- if (rec->d_place == DNSResourceRecord::ANSWER && (qtype != QType::ANY && rec->d_type != qtype.getCode() && rec->d_type != QType::CNAME && rec->d_type != QType::SOA && rec->d_type != QType::RRSIG)) {
+ if (rec->d_place == DNSResourceRecord::ANSWER && (qtype != QType::ANY && rec->d_type != qtype.getCode() && s_redirectionQTypes.count(rec->d_type) == 0 && rec->d_type != QType::SOA && rec->d_type != QType::RRSIG)) {
LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl);
rec = lwr.d_records.erase(rec);
continue;
}
}
-RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount, bool rdQuery)
+RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, vState& state, bool& needWildcardProof, bool& gatherWildcardProof, unsigned int& wildcardLabelsCount, bool rdQuery)
{
bool wasForwardRecurse = wasForwarded && rdQuery;
tcache_t tcache;
std::vector<std::shared_ptr<DNSRecord>> authorityRecs;
const unsigned int labelCount = qname.countLabels();
bool isCNAMEAnswer = false;
+ bool isDNAMEAnswer = false;
for(const auto& rec : lwr.d_records) {
if (rec.d_class != QClass::IN) {
continue;
}
- if(!isCNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::CNAME && (!(qtype==QType(QType::CNAME))) && rec.d_name == qname) {
+ if(!isCNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::CNAME && (!(qtype==QType(QType::CNAME))) && rec.d_name == qname && !isDNAMEAnswer) {
isCNAMEAnswer = true;
}
+ if(!isDNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::DNAME && qtype != QType(QType::DNAME) && qname.isPartOf(rec.d_name)) {
+ isDNAMEAnswer = true;
+ isCNAMEAnswer = false;
+ }
/* if we have a positive answer synthetized from a wildcard,
we need to store the corresponding NSEC/NSEC3 records proving
that the exact name did not exist in the negative cache */
- if(needWildcardProof) {
+ if(gatherWildcardProof) {
if (nsecTypes.count(rec.d_type)) {
authorityRecs.push_back(std::make_shared<DNSRecord>(rec));
}
count can be lower than the name's label count if it was
synthetized from the wildcard. Note that the difference might
be > 1. */
- if (rec.d_name == qname && rrsig->d_labels < labelCount) {
- LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard, we need a wildcard proof"<<endl);
- needWildcardProof = true;
+ if (rec.d_name == qname && isWildcardExpanded(labelCount, rrsig)) {
+ gatherWildcardProof = true;
+ if (!isWildcardExpandedOntoItself(rec.d_name, labelCount, rrsig)) {
+ /* if we have a wildcard expanded onto itself, we don't need to prove
+ that the exact name doesn't exist because it actually does.
+ We still want to gather the corresponding NSEC/NSEC3 records
+ to pass them to our client in case it wants to validate by itself.
+ */
+ LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard, we need a wildcard proof"<<endl);
+ needWildcardProof = true;
+ }
+ else {
+ LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard expanded onto itself, we need to gather wildcard proof"<<endl);
+ }
wildcardLabelsCount = rrsig->d_labels;
}
}
else {
bool haveLogged = false;
+ if (isDNAMEAnswer && rec.d_type == QType::CNAME) {
+ LOG("NO - we already have a DNAME answer for this domain");
+ continue;
+ }
if (!t_sstorage.domainmap->empty()) {
// Check if we are authoritative for a zone in this answer
DNSName tmp_qname(rec.d_name);
recordState = validateDNSKeys(i->first.name, i->second.records, i->second.signatures, depth);
}
else {
- LOG(d_prefix<<"Validating non-additional record for "<<i->first.name<<endl);
- recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, i->second.records, i->second.signatures);
- /* we might have missed a cut (zone cut within the same auth servers), causing the NS query for an Insecure zone to seem Bogus during zone cut determination */
- if (qtype == QType::NS && i->second.signatures.empty() && recordState == Bogus && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name) == Indeterminate) {
- recordState = Indeterminate;
+ /*
+ * RFC 6672 section 5.3.1
+ * In any response, a signed DNAME RR indicates a non-terminal
+ * redirection of the query. There might or might not be a server-
+ * synthesized CNAME in the answer section; if there is, the CNAME will
+ * never be signed. For a DNSSEC validator, verification of the DNAME
+ * RR and then that the CNAME was properly synthesized is sufficient
+ * proof.
+ *
+ * We do the synthesis check in processRecords, here we make sure we
+ * don't validate the CNAME.
+ */
+ if (!(isDNAMEAnswer && i->first.type == QType::CNAME)) {
+ LOG(d_prefix<<"Validating non-additional record for "<<i->first.name<<endl);
+ recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, i->second.records, i->second.signatures);
+ /* we might have missed a cut (zone cut within the same auth servers), causing the NS query for an Insecure zone to seem Bogus during zone cut determination */
+ if (qtype == QType::NS && i->second.signatures.empty() && recordState == Bogus && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name) == Indeterminate) {
+ recordState = Indeterminate;
+ }
}
}
}
return getDenial(csp, ne.d_name, ne.d_qtype.getCode(), referralToUnsigned, expectedState == NXQTYPE);
}
-bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const unsigned int wildcardLabelsCount)
+bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const bool gatherWildcardProof, const unsigned int wildcardLabelsCount)
{
bool done = false;
+ DNSName dnameTarget, dnameOwner;
+ uint32_t dnameTTL = 0;
for(auto& rec : lwr.d_records) {
if (rec.d_type!=QType::OPT && rec.d_class!=QClass::IN)
negindic=true;
}
- else if(rec.d_place==DNSResourceRecord::ANSWER && rec.d_type==QType::CNAME && (!(qtype==QType(QType::CNAME))) && rec.d_name == qname) {
- ret.push_back(rec);
- if (auto content = getRR<CNAMERecordContent>(rec)) {
- newtarget=content->getTarget();
+ else if(rec.d_place==DNSResourceRecord::ANSWER && s_redirectionQTypes.count(rec.d_type) > 0 && // CNAME or DNAME answer
+ s_redirectionQTypes.count(qtype.getCode()) == 0) { // But not in response to a CNAME or DNAME query
+ if (rec.d_type == QType::CNAME && rec.d_name == qname) {
+ if (!dnameOwner.empty()) { // We synthesize ourselves
+ continue;
+ }
+ ret.push_back(rec);
+ if (auto content = getRR<CNAMERecordContent>(rec)) {
+ newtarget=content->getTarget();
+ }
+ } else if (rec.d_type == QType::DNAME && qname.isPartOf(rec.d_name)) { // DNAME
+ ret.push_back(rec);
+ if (auto content = getRR<DNAMERecordContent>(rec)) {
+ dnameOwner = rec.d_name;
+ dnameTarget = content->getTarget();
+ dnameTTL = rec.d_ttl;
+ if (!newtarget.empty()) { // We had a CNAME before, remove it from ret so we don't cache it
+ ret.erase(std::remove_if(
+ ret.begin(),
+ ret.end(),
+ [&qname](DNSRecord& rr) {
+ return (rr.d_place == DNSResourceRecord::ANSWER && rr.d_type == QType::CNAME && rr.d_name == qname);
+ }),
+ ret.end());
+ }
+ try {
+ newtarget = qname.makeRelative(dnameOwner) + dnameTarget;
+ } catch (const std::exception &e) {
+ // We should probably catch an std::range_error here and set the rcode to YXDOMAIN (RFC 6672, section 2.2)
+ // But there is no way to set the RCODE from this function
+ throw ImmediateServFailException("Unable to perform DNAME substitution(DNAME owner: '" + dnameOwner.toLogString() +
+ "', DNAME target: '" + dnameTarget.toLogString() + "', substituted name: '" +
+ qname.makeRelative(dnameOwner).toLogString() + "." + dnameTarget.toLogString() +
+ "' : " + e.what());
+ }
+ }
}
}
/* if we have a positive answer synthetized from a wildcard, we need to
return the corresponding NSEC/NSEC3 records from the AUTHORITY section
proving that the exact name did not exist */
- else if(needWildcardProof && (rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::AUTHORITY) {
+ else if(gatherWildcardProof && (rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::AUTHORITY) {
ret.push_back(rec); // enjoy your DNSSEC
}
// for ANY answers we *must* have an authoritative answer, unless we are forwarding recursively
ret.push_back(rec);
}
else if((rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::ANSWER) {
- if(rec.d_type != QType::RRSIG || rec.d_name == qname)
+ if(rec.d_type != QType::RRSIG || rec.d_name == qname) {
ret.push_back(rec); // enjoy your DNSSEC
+ } else if(rec.d_type == QType::RRSIG && qname.isPartOf(rec.d_name)) {
+ auto rrsig = getRR<RRSIGRecordContent>(rec);
+ if (rrsig != nullptr && rrsig->d_type == QType::DNAME) {
+ ret.push_back(rec);
+ }
+ }
}
else if(rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::NS && qname.isPartOf(rec.d_name)) {
if(moreSpecificThan(rec.d_name,auth)) {
}
}
+ if (!dnameTarget.empty()) {
+ // Synthesize a CNAME
+ auto cnamerec = DNSRecord();
+ cnamerec.d_name = qname;
+ cnamerec.d_type = QType::CNAME;
+ cnamerec.d_ttl = dnameTTL;
+ cnamerec.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent(newtarget));
+ ret.push_back(cnamerec);
+ }
return done;
}
d_totUsec += lwr.d_usec;
accountAuthLatency(lwr.d_usec, remoteIP.sin4.sin_family);
+ bool dontThrottle = false;
+ {
+ auto dontThrottleNames = g_dontThrottleNames.getLocal();
+ auto dontThrottleNetmasks = g_dontThrottleNetmasks.getLocal();
+ dontThrottle = dontThrottleNames->check(nsName) || dontThrottleNetmasks->match(remoteIP);
+ }
+
if(resolveret != 1) {
/* Error while resolving */
if(resolveret == 0) {
LOG(prefix<<qname<<": error resolving from "<<remoteIP.toString()<< (doTCP ? " over TCP" : "") <<", possible error: "<<strerror(errno)<< endl);
}
- if(resolveret != -2 && !chained) { // don't account for resource limits, they are our own fault
+ if(resolveret != -2 && !chained && !dontThrottle) {
+ // don't account for resource limits, they are our own fault
+ // And don't throttle when the IP address is on the dontThrottleNetmasks list or the name is part of dontThrottleNames
t_sstorage.nsSpeeds[nsName.empty()? DNSName(remoteIP.toStringWithPort()) : nsName].submit(remoteIP, 1000000, &d_now); // 1 sec
// code below makes sure we don't filter COM or the root
t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 100);
}
else {
- // timeout
+ // timeout, 10 seconds or 5 queries
t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 10, 5);
}
}
/* we got an answer */
if(lwr.d_rcode==RCode::ServFail || lwr.d_rcode==RCode::Refused) {
LOG(prefix<<qname<<": "<<nsName<<" ("<<remoteIP.toString()<<") returned a "<< (lwr.d_rcode==RCode::ServFail ? "ServFail" : "Refused") << ", trying sibling IP or NS"<<endl);
- if (!chained) {
+ if (!chained && !dontThrottle) {
t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 3);
}
return false;
if(lwr.d_tcbit) {
*truncated = true;
- if (doTCP) {
+ if (doTCP && !dontThrottle) {
LOG(prefix<<qname<<": truncated bit set, over TCP?"<<endl);
/* let's treat that as a ServFail answer from this server */
t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 3);
}
bool needWildcardProof = false;
+ bool gatherWildcardProof = false;
unsigned int wildcardLabelsCount;
- *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof, wildcardLabelsCount, sendRDQuery);
+ *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof, gatherWildcardProof, wildcardLabelsCount, sendRDQuery);
if (*rcode != RCode::NoError) {
return true;
}
DNSName newauth;
DNSName newtarget;
- bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic, state, needWildcardProof, wildcardLabelsCount);
+ bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic, state, needWildcardProof, gatherWildcardProof, wildcardLabelsCount);
if(done){
LOG(prefix<<qname<<": status=got results, this level of recursion done"<<endl);
#include "ednssubnet.hh"
#include "filterpo.hh"
#include "negcache.hh"
+#include "sholder.hh"
#ifdef HAVE_CONFIG_H
#include "config.h"
#include <boost/uuid/uuid.hpp>
#endif
+extern GlobalStateHolder<SuffixMatchNode> g_dontThrottleNames;
+extern GlobalStateHolder<NetmaskGroup> g_dontThrottleNetmasks;
+
class RecursorLua4;
typedef map<
static EDNSSubnetOpts s_ecsScopeZero;
static LogMode s_lm;
static std::unique_ptr<NetmaskGroup> s_dontQuery;
+ const static std::unordered_set<uint16_t> s_redirectionQTypes;
struct GetBestNSAnswer
{
vector<ComboAddress> retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector<DNSName >::const_iterator& tns, const unsigned int depth, set<GetBestNSAnswer>& beenthere, const vector<DNSName >& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly);
void sanitizeRecords(const std::string& prefix, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, bool rdQuery);
- RCode::rcodes_ updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask>, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount, bool sendRDQuery);
- bool processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const unsigned int wildcardLabelsCount);
+ RCode::rcodes_ updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask>, vState& state, bool& needWildcardProof, bool& gatherWildcardProof, unsigned int& wildcardLabelsCount, bool sendRDQuery);
+ bool processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const bool gatherwildcardProof, const unsigned int wildcardLabelsCount);
bool doSpecialNamesResolve(const DNSName &qname, const QType &qtype, const uint16_t qclass, vector<DNSRecord> &ret);
while(B->get(rr))
nsset.insert(DNSName(rr.content));
for(const auto & j: nsset) {
- vector<string> nsips=fns.lookup(j, s_P->getBackend());
+ vector<string> nsips=fns.lookup(j, s_P->getBackend(),q->qdomain);
for(vector<string>::const_iterator k=nsips.begin();k!=nsips.end();++k) {
// cerr<<"got "<<*k<<" from AUTO-NS"<<endl;
if(*k == q->getRemote().toString())
smn.add(net);
BOOST_CHECK(smn.check(examplenet));
BOOST_CHECK(smn.check(net));
+
+ // Remove .net and check that example.net still exists
+ smn.remove(net);
+ BOOST_CHECK_EQUAL(smn.check(net), false);
+ BOOST_CHECK(smn.check(examplenet));
}
BOOST_AUTO_TEST_CASE(test_suffixmatch_tree) {
BOOST_CHECK_EQUAL(*smt.lookup(examplenet), examplenet);
BOOST_REQUIRE(smt.lookup(net));
BOOST_CHECK_EQUAL(*smt.lookup(net), net);
+
+ // Remove .net, and check that example.net remains
+ smt.remove(net);
+ BOOST_CHECK(smt.lookup(net) == nullptr);
+ BOOST_CHECK_EQUAL(*smt.lookup(examplenet), examplenet);
+
+ smt = SuffixMatchTree<DNSName>();
+ smt.add(examplenet, examplenet);
+ smt.add(net, net);
+ smt.add(DNSName("news.bbc.co.uk."), DNSName("news.bbc.co.uk."));
+ smt.add(apowerdnscom, apowerdnscom);
+
+ smt.remove(DNSName("not-such-entry.news.bbc.co.uk."));
+ BOOST_REQUIRE(smt.lookup(DNSName("news.bbc.co.uk.")));
+ smt.remove(DNSName("news.bbc.co.uk."));
+ BOOST_CHECK(smt.lookup(DNSName("news.bbc.co.uk.")) == nullptr);
+
+ smt.remove(net);
+ BOOST_REQUIRE(smt.lookup(examplenet));
+ BOOST_CHECK_EQUAL(*smt.lookup(examplenet), examplenet);
+ BOOST_CHECK(smt.lookup(net) == nullptr);
+
+ smt.remove(examplenet);
+ BOOST_CHECK(smt.lookup(net) == nullptr);
+ BOOST_CHECK(smt.lookup(examplenet) == nullptr);
+
+ smt.add(examplenet, examplenet);
+ smt.add(net, net);
+ BOOST_REQUIRE(smt.lookup(examplenet));
+ BOOST_CHECK_EQUAL(*smt.lookup(examplenet), examplenet);
+ BOOST_REQUIRE(smt.lookup(net));
+ BOOST_CHECK_EQUAL(*smt.lookup(net), net);
+
+ smt.remove(examplenet);
+ BOOST_CHECK_EQUAL(*smt.lookup(examplenet), net);
+ BOOST_CHECK_EQUAL(*smt.lookup(net), net);
+ smt.remove(examplenet);
+ BOOST_CHECK_EQUAL(*smt.lookup(examplenet), net);
+ BOOST_CHECK_EQUAL(*smt.lookup(net), net);
+ smt.remove(net);
+ BOOST_CHECK(smt.lookup(net) == nullptr);
+ BOOST_CHECK(smt.lookup(examplenet) == nullptr);
+ smt.remove(net);
+
+ size_t count = 0;
+ smt.visit([apowerdnscom, &count](const SuffixMatchTree<DNSName>& smt) {
+ count++;
+ BOOST_CHECK_EQUAL(smt.d_value, apowerdnscom);
+ });
+ BOOST_CHECK_EQUAL(count, 1);
+
+ BOOST_CHECK_EQUAL(*smt.lookup(apowerdnscom), apowerdnscom);
+ smt.remove(apowerdnscom);
+ BOOST_CHECK(smt.lookup(apowerdnscom) == nullptr);
+
+ count = 0;
+ smt.visit([&count](const SuffixMatchTree<DNSName>& smt) {
+ count++;
+ });
+ BOOST_CHECK_EQUAL(count, 0);
}
Labels field of the covering RRSIG RR, then the RRset and its
covering RRSIG RR were created as a result of wildcard expansion."
*/
+bool isWildcardExpanded(unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign)
+{
+ if (sign && sign->d_labels < labelCount) {
+ return true;
+ }
+
+ return false;
+}
+
static bool isWildcardExpanded(const DNSName& owner, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures)
{
if (signatures.empty()) {
const auto& sign = signatures.at(0);
unsigned int labelsCount = owner.countLabels();
- if (sign && sign->d_labels < labelsCount) {
+ return isWildcardExpanded(labelsCount, sign);
+}
+
+bool isWildcardExpandedOntoItself(const DNSName& owner, unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign)
+{
+ if (owner.isWildcard() && (labelCount - 1) == sign->d_labels) {
+ /* this is a wildcard alright, but it has not been expanded */
return true;
}
-
return false;
}
+static bool isWildcardExpandedOntoItself(const DNSName& owner, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures)
+{
+ if (signatures.empty()) {
+ return false;
+ }
+
+ const auto& sign = signatures.at(0);
+ unsigned int labelsCount = owner.countLabels();
+ return isWildcardExpandedOntoItself(owner, labelsCount, sign);
+}
+
/* if this is a wildcard NSEC, the owner name has been modified
to match the name. Make sure we use the original '*' form. */
static DNSName getNSECOwnerName(const DNSName& initialOwner, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures)
/* we know that the name exists (but this qtype doesn't) so except
if the answer was generated by a wildcard expansion, no wildcard
could have matched (rfc4035 section 5.4 bullet 1) */
- if (!isWildcardExpanded(owner, v.second.signatures)) {
+ if (!isWildcardExpanded(owner, v.second.signatures) || isWildcardExpandedOntoItself(owner, v.second.signatures)) {
needWildcardProof = false;
}
/* check if the whole NAME is denied existing */
if(isCoveredByNSEC(qname, owner, nsec->d_next)) {
+ LOG(qname<<" is covered ");
/* if the name is an ENT and we received a NODATA answer,
we are fine with a NSEC proving that the name does not exist. */
if (wantsNoDataProof && nsecProvesENT(qname, owner, nsec->d_next)) {
}
if (!needWildcardProof) {
+ LOG("and we did not need a wildcard proof"<<endl);
return NXDOMAIN;
}
+ LOG("but we do need a wildcard proof so ");
if (wantsNoDataProof) {
+ LOG("looking for NODATA proof"<<endl);
if (provesNoDataWildCard(qname, qtype, validrrsets)) {
return NXQTYPE;
}
}
else {
+ LOG("looking for NO wildcard proof"<<endl);
if (provesNoWildCard(qname, qtype, validrrsets)) {
return NXDOMAIN;
}
DNSName getSigner(const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures);
bool denialProvesNoDelegation(const DNSName& zone, const std::vector<DNSRecord>& dsrecords);
bool isRRSIGNotExpired(const time_t now, const shared_ptr<RRSIGRecordContent> sig);
+bool isWildcardExpanded(unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign);
+bool isWildcardExpandedOntoItself(const DNSName& owner, unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign);
The tests are self-contained and require no further nameservers to be
installed.
-However, do make sure to build a dnsdist with libsodium and dnscrypt support
-as otherwise some tests will fail.
+However, do make sure to build a dnsdist with libsodium, dnscrypt, DoT and DoH
+support as otherwise some tests will fail.
To run a specific test, use something like:
./runtests test_Advanced.py:TestAdvancedSpoof.testSpoofActionMultiA
-
fi
. .venv/bin/activate
python -V
+
+if [ `uname -s` == Darwin ]
+then
+ if [ ! -e /usr/local/opt/curl-openssl ]
+ then
+ echo Please run: brew install curl-openssl, and try again
+ exit 1
+ else
+ export PYCURL_CURL_CONFIG=/usr/local/opt/curl-openssl/bin/curl-config
+ export LDFLAGS=-L/usr/local/opt/openssl/lib
+ export CPPFLAGS=-I/usr/local/opt/openssl/include
+ fi
+fi
pip install -r requirements.txt
+
protoc -I=../pdns/ --python_out=. ../pdns/dnsmessage.proto
protoc -I=../pdns/ --python_out=. ../pdns/dnstap.proto
$RUNWRAPPER $PDNS2 --daemon=no --local-port=$slaveport --config-dir=. --module-dir=../regression-tests/modules \
--config-name=gsqlite3-slave --socket-dir=./ --no-shuffle --local-address=127.0.0.2 --local-ipv6='' \
- --slave --retrieval-threads=4 --slave=yes --supermaster=yes --query-local-address=127.0.0.2 \
+ --slave --retrieval-threads=4 --slave=yes --superslave=yes --query-local-address=127.0.0.2 \
--slave-cycle-interval=300 --allow-unsigned-notify=no --allow-unsigned-supermaster=no &
}
$RUNWRAPPER $PDNS2 --daemon=no --local-port=$slaveport --config-dir=. --module-dir=../regression-tests/modules \
--config-name=gsqlite3-slave --socket-dir=./ --no-shuffle --local-address=127.0.0.2 --local-ipv6= \
- --slave --retrieval-threads=4 --slave=yes --supermaster=yes --query-local-address=127.0.0.2 \
+ --slave --retrieval-threads=4 --slave=yes --superslave=yes --query-local-address=127.0.0.2 \
--slave-cycle-interval=300 --dname-processing &
}
self.assertRRsetInAnswer(res, expectedA)
self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
+ def testSecureDNAMEToSecureAnswer(self):
+ res = self.sendQuery('host1.dname-secure.secure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME = dns.rrset.from_text('host1.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.')
+ expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+ def testSecureDNAMEToSecureNXDomain(self):
+ res = self.sendQuery('nxd.dname-secure.secure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME = dns.rrset.from_text('nxd.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.')
+
+ self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+ def testSecureDNAMEToInsecureAnswer(self):
+ res = self.sendQuery('node1.dname-insecure.secure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.')
+ expectedCNAME = dns.rrset.from_text('node1.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.')
+ expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+ def testSecureDNAMEToInsecureNXDomain(self):
+ res = self.sendQuery('nxd.dname-insecure.secure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.')
+ expectedCNAME = dns.rrset.from_text('nxd.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.insecure.example.')
+
+ self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+ def testSecureDNAMEToBogusAnswer(self):
+ res = self.sendQuery('ted.dname-bogus.secure.example.', 'A')
+
+ self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+ self.assertAnswerEmpty(res)
+
+ def testSecureDNAMEToBogusNXDomain(self):
+ res = self.sendQuery('nxd.dname-bogus.secure.example.', 'A')
+
+ self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+ self.assertAnswerEmpty(res)
+
+ def testInsecureDNAMEtoSecureAnswer(self):
+ res = self.sendQuery('host1.dname-to-secure.insecure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME = dns.rrset.from_text('host1.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.')
+ expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+ def testSecureDNAMEToSecureCNAMEAnswer(self):
+ res = self.sendQuery('cname-to-secure.dname-secure.secure.example.', 'A')
+
+ expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME1 = dns.rrset.from_text('cname-to-secure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-secure.dname-secure.example.')
+ expectedCNAME2 = dns.rrset.from_text('cname-to-secure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
+ expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertRRsetInAnswer(res, expectedCNAME1)
+ self.assertRRsetInAnswer(res, expectedCNAME2)
+ self.assertMatchingRRSIGInAnswer(res, expectedCNAME2)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+ def testSecureDNAMEToInsecureCNAMEAnswer(self):
+ res = self.sendQuery('cname-to-insecure.dname-secure.secure.example.', 'A')
+
+ expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME1 = dns.rrset.from_text('cname-to-insecure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-insecure.dname-secure.example.')
+ expectedCNAME2 = dns.rrset.from_text('cname-to-insecure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.')
+ expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertRRsetInAnswer(res, expectedCNAME1)
+ self.assertRRsetInAnswer(res, expectedCNAME2)
+ self.assertMatchingRRSIGInAnswer(res, expectedCNAME2)
+ self.assertRRsetInAnswer(res, expectedDNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+ def testSecureDNAMEToBogusCNAMEAnswer(self):
+ res = self.sendQuery('cname-to-bogus.dname-secure.secure.example.', 'A')
+
+ self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+ self.assertAnswerEmpty(res)
+
+ def testInsecureDNAMEtoSecureNXDomain(self):
+ res = self.sendQuery('nxd.dname-to-secure.insecure.example.', 'A')
+ expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+ expectedCNAME = dns.rrset.from_text('nxd.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.')
+
+ self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertRRsetInAnswer(res, expectedDNAME)
cname-secure.example. 3600 IN DS 49148 13 1 a10314452d5ec4d97fcc6d7e275d217261fe790f
ns.cname-secure.example. 3600 IN A {prefix}.15
+dname-secure.example. 3600 IN NS ns.dname-secure.example.
+dname-secure.example. 3600 IN DS 42043 13 2 11c67f46b7c4d5968bc5f6cc944d58377b762bda53ddb4f3a6dbe6faf7a9940f
+ns.dname-secure.example. 3600 IN A {prefix}.13
+
bogus.example. 3600 IN NS ns.bogus.example.
bogus.example. 3600 IN DS 65034 13 1 6df3bb50ea538e90eacdd7ae5419730783abb0ee
ns.bogus.example. 3600 IN A {prefix}.12
*.cnamewildcardnxdomain.secure.example. 3600 IN CNAME doesntexist.secure.example.
cname-to-formerr.secure.example. 3600 IN CNAME host1.insecure-formerr.example.
+
+dname-secure.secure.example. 3600 IN DNAME dname-secure.example.
+dname-insecure.secure.example. 3600 IN DNAME insecure.example.
+dname-bogus.secure.example. 3600 IN DNAME bogus.example.
""",
+ 'dname-secure.example': """
+dname-secure.example. 3600 IN SOA {soa}
+dname-secure.example. 3600 IN NS ns.dname-secure.example.
+ns.dname-secure.example. 3600 IN A {prefix}.13
+
+host1.dname-secure.example. IN A 192.0.2.21
+
+cname-to-secure.dname-secure.example. 3600 IN CNAME host1.secure.example.
+cname-to-insecure.dname-secure.example. 3600 IN CNAME node1.insecure.example.
+cname-to-bogus.dname-secure.example. 3600 IN CNAME ted.bogus.example.
+""",
'cname-secure.example': """
cname-secure.example. 3600 IN SOA {soa}
cname-secure.example. 3600 IN NS ns.cname-secure.example.
node1.insecure.example. 3600 IN A 192.0.2.6
cname-to-secure.insecure.example. 3600 IN CNAME host1.secure.example.
+
+dname-to-secure.insecure.example. 3600 IN DNAME dname-secure.example.
""",
'optout.example': """
optout.example. 3600 IN SOA {soa}
Private-key-format: v1.2
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: kvoV/g4IO/tefSro+FLJ5UC7H3BUf0IUtZQSUOfQGyA=
+""",
+
+ 'dname-secure.example': """
+Private-key-format: v1.2
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: Ep9uo6+wwjb4MaOmqq7LHav2FLrjotVOeZg8JT1Qk04=
"""
}
'10': ['example'],
'11': ['example'],
'12': ['bogus.example', 'undelegated.secure.example', 'undelegated.insecure.example'],
- '13': ['insecure.example', 'insecure.sub2.secure.example'],
+ '13': ['insecure.example', 'insecure.sub2.secure.example', 'dname-secure.example'],
'14': ['optout.example'],
'15': ['insecure.optout.example', 'secure.optout.example', 'cname-secure.example']
}
log-dns-queries=yes
log-dns-details=yes
loglevel=9
+dname-processing=yes
distributor-threads=1""".format(confdir=confdir,
bind_dnssec_db=bind_dnssec_db))
projects / thirdparty / pdns.git / commitdiff
