PowerDNS 3.1
PowerDNS 3.1 released, details here.
Posted at 12:20PM May 04, 2012 by ze in PowerDNS | Comments[1]
MongoDB Backend #2
In the last post, some compilation bugs were fixed, but the module is not functional yet.
The problem was a name collision, md5_finish to be specific, and now there is a workaround.
Posted at 10:19PM Apr 19, 2012 by ze in PowerDNS | Comments[0]
MongoDB Backend #1
MongoDB is a NoSQL database, the latest internet trend. This kind of database aims to solve problems where speed and availability are more important than transactional operations on the data.
A little while ago, Fredrik Danerklint contributed a new backend to PowerDNS, which stores its data in MongoDB, and this post is to play a little with that technology.
Posted at 12:56PM Apr 07, 2012 by ze in PowerDNS | Comments[1]
PowerDNS Authoritative Server 3.1 RC1
Looks like some parts of my last post are no longer necessary. Among the new features of the new version, we have auto-detection of pre-signed zones.
More details here.
Posted at 10:08PM Mar 24, 2012 by ze in PowerDNS | Comments[1]
A new beginning!
When I started this blog, I had a goal in mind: to try to be innovative and put unique content on the internet.
It turns out that for that goal, one language is not enough, so I'm starting a new blog, but this time only with English content. Maybe in the long term, if I'm capable of learning new languages (spoken, not programming languages!) I'll create another blog, one for each of those languages. To become master of a language, you need to practice. A lot. So, even if there is a lot of English content, I can accomplish one of my life goals: learning new things deeply.
Right now, this looks like an independent blog (that's the real fact!), but I want to "merge" things, in a way that this site just looks like a portal.
I hope that you enjoy!
Posted at 02:21PM Feb 22, 2012 by ze in General | Comments[0]
PowerDNS: SUPERMASTER
As we've seen in the AXFR replication post, each slave must be configured with all of its domains inserted into the domains table with type SLAVE; that way PowerDNS knows it's authoritative for that information and that other data should be treated as non-authoritative.
Up to a few dozen domains this scheme works very well, but when you have more than a hundred domains and the information is dynamic, it's not comfortable anymore. That's why supermasters exist in PowerDNS. Using supermasters, we just say which server is the trusted one, and the domains table is populated automatically.
Configuring the supermaster
First part: enable master and axfr in config file:
master=yes
# now I'll use this range, it's easier for me :-)
allow-axfr-ips=192.168.122.0/24
# the easiest way to demonstrate things is configuring a sqlite3 database:
# cat no-dnssec.schema.sqlite3.sql | sqlite3 pdnssec.sqlite3
# cat dnssec.schema.sqlite3.sql | sqlite3 pdnssec.sqlite3
# remember to check permissions
launch=gsqlite3
gsqlite3-database=/var/lib/pdns/pdnssec.sqlite3
gsqlite3-dnssec=yes
# avoid problems, configure this:
local-address=192.168.122.100
Test domain:
insert into domains (name, type) values ('example.com', 'MASTER');
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.com', 'SOA', 'ns1.example.com ze.example.com 2012022201 3600 600 1209600 3600', 3600, 1 from domains where name = 'example.com';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.com', 'NS', 'ns1.example.com', 3600, 1 from domains where name = 'example.com';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.com', 'NS', 'ns2.example.com', 3600, 1 from domains where name = 'example.com';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'ns1.example.com', 'A', '192.168.122.100', 3600, 1 from domains where name = 'example.com';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'ns2.example.com', 'A', '192.168.122.101', 3600, 1 from domains where name = 'example.com';
Slave config:
slave=yes
# now I'll use this range, it's easier for me :-)
allow-axfr-ips=192.168.122.0/24
launch=gsqlite3
gsqlite3-database=/var/lib/pdns/pdnssec.sqlite3
gsqlite3-dnssec=yes
# avoid problems, configure this:
local-address=192.168.122.101
Slave database:
insert into supermasters values ('192.168.122.100', 'ns1.example.com', 'superuser');
Field description:
- ip: the supermaster's IP (the IP used in the AXFR);
- nameserver: the supermaster's name. This name must appear in an NS record in the AXFR;
- user: at this moment there is no authentication process for supermasters, so it's just for logging. PowerDNS puts it into the domains table.
As soon as the master comes up, the zone is transferred to the slave, because PowerDNS queries for domains with type MASTER and puts them in a sending queue. Now the logs of this test:
Master:
Feb 22 18:52:24 Reading random entropy from '/dev/urandom'
Feb 22 18:52:24 This is a standalone pdns
Feb 22 18:52:24 Listening on controlsocket in '/var/run/pdns.controlsocket'
Feb 22 18:52:24 UDP server bound to 192.168.122.100:53
Feb 22 18:52:24 TCP server bound to 192.168.122.100:53
Feb 22 18:52:24 PowerDNS 3.0.1 (C) 2001-2011 PowerDNS.COM BV (Jan 10 2012, 16:28:34, gcc 4.4.3) starting up
Feb 22 18:52:24 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Feb 22 18:52:24 Creating backend connection for TCP
Feb 22 18:52:24 Master/slave communicator launching
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 About to create 3 backend threads for UDP
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 No new unfresh slave domains, 0 queued for AXFR already
Feb 22 18:52:24 1 domain for which we are master needs notifications
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:24 Done launching threads, ready to distribute questions
Feb 22 18:52:25 Queued notification of domain 'example.com' to 192.168.122.100
Feb 22 18:52:25 Queued notification of domain 'example.com' to 192.168.122.101
Feb 22 18:52:25 Received NOTIFY for example.com from 192.168.122.100 but slave support is disabled in the configuration
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 AXFR of domain 'example.com' initiated by 192.168.122.101
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 AXFR of domain 'example.com' to 192.168.122.101 finished
Feb 22 18:52:26 Received unsuccessful notification report for 'example.com' from 192.168.122.100:53, rcode: 4
Feb 22 18:52:26 Removed from notification list: 'example.com' to 192.168.122.100:53
Feb 22 18:52:26 Removed from notification list: 'example.com' to 192.168.122.101:53 (was acknowledged)
Feb 22 18:52:28 No master domains need notifications
Slave's logs:
Feb 22 18:51:25 Reading random entropy from '/dev/urandom'
Feb 22 18:51:25 This is a standalone pdns
Feb 22 18:51:25 Listening on controlsocket in '/var/run/pdns.controlsocket'
Feb 22 18:51:25 UDP server bound to 192.168.122.101:53
Feb 22 18:51:25 TCP server bound to 192.168.122.101:53
Feb 22 18:51:25 PowerDNS 3.0.1 (C) 2001-2011 PowerDNS.COM BV (Jan 10 2012, 16:28:34, gcc 4.4.3) starting up
Feb 22 18:51:25 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Feb 22 18:51:25 Creating backend connection for TCP
Feb 22 18:51:25 Master/slave communicator launching
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 About to create 3 backend threads for UDP
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 No new unfresh slave domains, 0 queued for AXFR already
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:51:25 Done launching threads, ready to distribute questions
Feb 22 18:52:25 Received NOTIFY for example.com from 192.168.122.100 for which we are not authoritative
Feb 22 18:52:25 Initiating transfer of 'example.com' from remote '192.168.122.100'
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 gsqlite3: connection to '/var/lib/pdns/pdnssec.sqlite3' successful
Feb 22 18:52:25 Created new slave zone 'example.com' from supermaster 192.168.122.100, queued axfr
Feb 22 18:52:25 AXFR started for 'example.com', transaction started
Feb 22 18:52:25 AXFR done for 'example.com', zone committed
Supermasters and DNSSEC
With DNSSEC, things tend to be a bit more complicated. The supermaster setup as-is will not work properly, because we need to tell the slave that the slave zone is pre-signed. A good way to do that automatically is to create a trigger that inserts this information into the domainmetadata table:
CREATE TRIGGER set_presigned AFTER INSERT ON domains FOR EACH ROW
BEGIN
  INSERT INTO domainmetadata (domain_id, kind, content) VALUES (NEW.ID, 'PRESIGNED', '1');
END;
As a demonstration, drop all data and create the trigger above:
delete from records;
delete from domains;
On the master, sign the zone and notify the slave:
pdnssec sign-zone example.com
pdns_control notify-host example.com 192.168.122.101
The same thing can be done for NSEC3, in case you use it:
CREATE TRIGGER set_nsec3 AFTER INSERT ON domains FOR EACH ROW
BEGIN
  INSERT INTO domainmetadata (domain_id, kind, content) VALUES (NEW.ID, 'NSEC3PARAM', '1 1 1 ab');
END;
More zones
It's not necessary to put one record in the supermasters table for each domain, so we can use the same DNS server for more zones:
insert into domains (name, type) values ('example.net', 'MASTER');
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.net', 'SOA', 'ns1.example.com ze.example.net 2012022201 3600 600 1209600 3600', 3600, 1 from domains where name = 'example.net';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.net', 'NS', 'ns1.example.com', 3600, 1 from domains where name = 'example.net';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'example.net', 'NS', 'ns2.example.net', 3600, 1 from domains where name = 'example.net';
insert into records (domain_id, name, type, content, ttl, auth) select id, 'ns2.example.net', 'A', '192.168.122.101', 3600, 1 from domains where name = 'example.net';
Note that ns1 is the same nameserver as before, so the existing supermasters row already covers this zone.
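To see the trust rule and the trigger working together, here is an added Python simulation (not PowerDNS code, not from the post) of how a slave handles a NOTIFY for an unknown zone: the SLAVE domain is created only when the sender is in the supermasters table and that row's nameserver appears in the zone's NS RRset, and the set_presigned trigger from above then flags the new zone. The in-memory sqlite3 tables are trimmed copies of the PowerDNS schema; handle_notify and the NS lists are constructed for the example.

```python
import sqlite3

# Trimmed copies of the PowerDNS sqlite3 tables this post uses (constructed for the example).
SCHEMA = """
CREATE TABLE domains (
    id INTEGER PRIMARY KEY,
    name VARCHAR(255) NOT NULL,
    master VARCHAR(128) DEFAULT NULL,
    type VARCHAR(6) NOT NULL,
    account VARCHAR(40) DEFAULT NULL
);
CREATE TABLE domainmetadata (
    id INTEGER PRIMARY KEY,
    domain_id INT NOT NULL,
    kind VARCHAR(16),
    content TEXT
);
CREATE TABLE supermasters (
    ip VARCHAR(25) NOT NULL,
    nameserver VARCHAR(255) NOT NULL,
    account VARCHAR(40) DEFAULT NULL
);
-- The set_presigned trigger from the post: every zone the slave creates is marked PRESIGNED.
CREATE TRIGGER set_presigned AFTER INSERT ON domains FOR EACH ROW
BEGIN
    INSERT INTO domainmetadata (domain_id, kind, content) VALUES (NEW.id, 'PRESIGNED', '1');
END;
"""


def new_slave_db():
    """Slave database holding the supermasters row from the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO supermasters VALUES (?, ?, ?)",
                 ("192.168.122.100", "ns1.example.com", "superuser"))
    return conn


def handle_notify(conn, src_ip, zone, ns_names):
    """Simulated supermaster decision for a NOTIFY (hypothetical helper, not PowerDNS code):
    provision only if src_ip has a supermasters row whose nameserver is among the zone's NS names."""
    if conn.execute("SELECT 1 FROM domains WHERE name = ?", (zone,)).fetchone():
        return "known-zone"
    row = conn.execute("SELECT nameserver, account FROM supermasters WHERE ip = ?",
                       (src_ip,)).fetchone()
    if row is None:
        return "rejected: sender not in supermasters"
    nameserver, account = row
    if nameserver.rstrip(".").lower() not in {n.rstrip(".").lower() for n in ns_names}:
        return "rejected: supermaster nameserver not in NS RRset"
    # Accepted: the account column is copied over for logging only, it authenticates nothing.
    conn.execute("INSERT INTO domains (name, master, type, account) VALUES (?, ?, 'SLAVE', ?)",
                 (zone, src_ip, account))
    conn.commit()
    return "created"


def zone_metadata(conn, zone):
    """{kind: content} rows that the trigger wrote for a zone."""
    rows = conn.execute(
        "SELECT m.kind, m.content FROM domainmetadata m "
        "JOIN domains d ON d.id = m.domain_id WHERE d.name = ?", (zone,)).fetchall()
    return dict(rows)


def demo():
    """Replay the post's scenario plus the rejections a defender would want to see logged."""
    conn = new_slave_db()
    results = [
        handle_notify(conn, "192.168.122.100", "example.com", ["ns1.example.com", "ns2.example.com"]),
        handle_notify(conn, "192.168.122.100", "example.com", ["ns1.example.com"]),
        handle_notify(conn, "192.168.122.200", "example.net", ["ns1.example.com"]),
        handle_notify(conn, "192.168.122.100", "example.net", ["ns2.example.net"]),
        handle_notify(conn, "192.168.122.100", "example.net", ["ns1.example.com", "ns2.example.net"]),
    ]
    return results, zone_metadata(conn, "example.com")


if __name__ == "__main__":
    results, meta = demo()
    print("\n".join(results), meta)
```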
Posted at 12:00AM Feb 22, 2012 by ze in PowerDNS | Comments[0]
Testing all the trusted DNSSEC's chain
Thinking about the command line, there are two options to validate the DNSSEC chain: dig and drill.
Below, drill's output:
drill -S powerdns.benetasso.com -k /etc/trusted-key.key
;; Number of trusted keys: 1
;; Chasing: powerdns.benetasso.com. A
DNSSEC Trust tree:
powerdns.benetasso.com. (A)
|---benetasso.com. (DNSKEY keytag: 49720 alg: 8 flags: 256)
|---benetasso.com. (DNSKEY keytag: 53404 alg: 8 flags: 257)
|---benetasso.com. (DS keytag: 53404 digest type: 2)
| |---com. (DNSKEY keytag: 54350 alg: 8 flags: 256)
| |---com. (DNSKEY keytag: 30909 alg: 8 flags: 257)
| |---com. (DS keytag: 30909 digest type: 2)
| |---. (DNSKEY keytag: 51201 alg: 8 flags: 256)
| |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
|---benetasso.com. (DS keytag: 53404 digest type: 1)
|---com. (DNSKEY keytag: 54350 alg: 8 flags: 256)
|---com. (DNSKEY keytag: 30909 alg: 8 flags: 257)
|---com. (DS keytag: 30909 digest type: 2)
|---. (DNSKEY keytag: 51201 alg: 8 flags: 256)
|---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
;; Chase successful
The file /etc/trusted-key.key, a "trusted key", was installed on my system when I installed the distro's bind-utils package, which is where the dig command comes from. Now the same thing using dig:
dig +dnssec +sigchase zefacts.benetasso.com
;; RRset to chase:
zefacts.benetasso.com. 247 IN CNAME powerdns.benetasso.com.
;; RRSIG of the RRset to chase:
zefacts.benetasso.com. 247 IN RRSIG CNAME 8 3 3600 20120223000000 20120209000000 49720 benetasso.com. AZ0w9LNJbwGYqQwXe7jOgkmkqPJt06lUo+nikjD5Q6I9pkkDWd2sL5qj 0C48i0Sd9dSR1cXhuqbEwsY18NaqYQ8w/lNEfPzw9TGZZpMZxYixdbe+ awgKEfGPHTNDBDemcrWsnCeNJYcDsIDopTw0DkMYiKGdsZaQad8NLFSB W2ZuFU3jQOvEgSg/tPz7I1PABDPSnsfvp0bsDIDB/G/8aSS4cZI6QpfJ /mJegskfnVePyzHEU9k7ri/W2lCm+xka0q1ACdtNpHWksfy1hRO9HCJ2 6d23P1Y77AZ9vUXmy8dcVSefoAFZ8FHirU5cTWfJL6zSVd/K5wJadBG8 O1Es2A==
Launch a query to find a RRset of type DNSKEY for zone: benetasso.com.
;; DNSKEYset that signs the RRset to chase:
benetasso.com. 3567 IN DNSKEY 256 3 8 AwEAAZVczKqQ6iSv+arDk87aAqCrM13ckszy4+8hXaGCHXCKY+M1l2x3 VvrqHFNdqEJFGCCo86yWK0D+m7WAHngs7mCh80V0VtlcgLaNkpRdfQvi 0QyAsELlkuPS8jnwcLZlxWX0BAFma4QnYONIOMHLHGz6pBysvoxN+p6S khh4Br1aGHDYdAAD2CZURS0qARbedD0zHtnu66//yWakmhxfJhnzcUxf HdVi+1vxH97cckPGIb0thDMLzCWp0hL8DxKDtOEFf/YmfQl8tJD0Hb7F VVTnKfK7kY9xSwZ1DUc8eyD/zeTNFzffo0kwe64XTrCFkQik7b1bLBqs gp7uVFCX0Hs=
benetasso.com. 3567 IN DNSKEY 257 3 8 AwEAAZXFXbYGTAPAPS276qxI16a5DRZEUasPdrWD98zgRwNxj5bwxbuQ ags9/fR6k+eGL4isGhib/VTYhiAk+lv2HKJZDJ9PVIjWiwLEPs3TwFhg 7vIuB4jr1zMLFmgfQH/HT0WDYS0/0kjlkMA3C9o9vc09M3MFz5XOATh6 IWf3V7N7NAUnPi1Fl593goIm4wF0l1DG1OWZyMOkZmx0uScpnemOu0UM bW0YhwVIWmFbbs+ZkBGDJ5TdQcQ+sy/9VM4JZrA9kTy1lPa6i2WIQ/G3 1W5U/kTdvlOBBk6UbS/fq8H2I9TiVXkYoUEmqEVL6WA965SOseVitGLT GY7LMMBJ5ME=
;; RRSIG of the DNSKEYset that signs the RRset to chase:
benetasso.com. 3567 IN RRSIG DNSKEY 8 2 3600 20120223000000 20120209000000 53404 benetasso.com. RAFpNwFLQXWD6EDn/t4dNXOnnWxakfrlGGiN0LQYX9KHKKoSLBQZmj2V tvnlp7tSJqL5kloS4VyR7jJRVMgzvNUrZ08iYPyOOUBtdfb96HnH52f3 LNV6oHN8lbzxMrsWdHTo63bLEhS1SEa/t1YNVbOXXWBhARLQriBZc5rm m5rSQX3oIxKle3yyRZBD7gAUWDlVbzXH5AcXpm5xWtRA4jItdMO4tPsy emp1oDlWJx5J1JibiBoIoSEsKqG3wwW+Q6oUj3ZE97aXBpRc0C38XMQy O9OpvgUJR3nclQoSGD5dpV/u5JMD38wQBXDFs/jTK0pSptGxtZNDsjBS 96l1qg==
Launch a query to find a RRset of type DS for zone: benetasso.com.
;; DSset of the DNSKEYset
benetasso.com. 86368 IN DS 53404 8 2 2236E9BA6EB2651DE80758F9C90170C299A7B5D72D4E60166E6505C7 B7D987C9
benetasso.com. 86368 IN DS 53404 8 1 55164ED247F652EB0FA56ACF165E73ADC30AC385
;; RRSIG of the DSset of the DNSKEYset
benetasso.com. 86368 IN RRSIG DS 8 2 86400 20120221011820 20120214000820 54350 com. NpSbn8axzHFsOhVj1D9K1wN0CF8Oq1TSB14xfwxOD09RcrBMNd2Pp9YO J8/h57SQCckTQSfmAos5rbT2LXzd8CrGAnKzZC3AGBT/5aPAYjxT/pMN xs7pnL215+F3tT1q0ZG8d1iE9ji7dGHWQhTmnzDhP1ofggq7Bh1hKOll 6kU=
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING CNAME RRset for zefacts.benetasso.com. with DNSKEY:49720: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Now, we are going to validate this DNSKEY by the DS
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for benetasso.com. with DNSKEY:53404: success
;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
;; Now, we want to validate the DS : recursive call
Launch a query to find a RRset of type DNSKEY for zone: com.
;; DNSKEYset that signs the RRset to chase:
com. 86368 IN DNSKEY 256 3 8 AQO+/56uGUHXvOkjGGlaY9IVCOwv55QfC4NXezPHQKg9zexkHifvAHvS cV8/Yx23mk7GYh12ZkPjWz2GZyqG4aLlCMWorT5iLHFFcPcAmBV5DgCa tGF186Kt/u2/gIDrLQVrOO7zsabIsQds4bh/n1cNXm+xpN29KMtRYNvD BFUWBw==
com. 86368 IN DNSKEY 257 3 8 AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsB fKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEm u/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPN IwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0H XvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh 2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpK Nnv4oPo/
;; RRSIG of the DNSKEYset that signs the RRset to chase:
com. 86368 IN RRSIG DNSKEY 8 1 86400 20120218192533 20120211192033 30909 com. v5YwO2Gs8O1sFlPF5v+CJA3yUyjQDmojKfBNzmMO7bt7KRqb5CfEMJ0Y LiSgi1LokC6IrRlQWZeiHRVkNcCs0rxRT4uq83SaKztwE4oyI+ZxyO60 W+iDMaIJjyV1P+DAlbBcRdhyH76srlIB29oOYJ6hJrBAmut16ZX5+5ne YTWiBDxcuPVGH5Q0VUe5X+dgacqkk/tvJ9zzTEvWRu9oEdgfGVCpsMQZ YjrHSaRTjJlbtaD/6Fy69G3I+sr444L+DS1SYNm9nDDh65UsW4/GPX68 5UjNO+F1yJIXX1anSx1zHr3XTb1WEfxPXRRAY7R6REi+YbmRtXQsUT5k YOpvIA==
Launch a query to find a RRset of type DS for zone: com.
;; DSset of the DNSKEYset
com. 86368 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
;; RRSIG of the DSset of the DNSKEYset
com. 86368 IN RRSIG DS 8 1 86400 20120221000000 20120213230000 51201 . VfwLUMXcOfc1+AWXqubGQE4NXoYaMTKLnjk2RWfkrfKQA6P75UoM31Ep +imnE60Fo2ZO07cXXhMOCZJzNBnXb8zUzVprY3xeeqCn9tj3gSIiaTyd M4G/tsy0U7fGXcgEOvIw8q09Ol7cvNyImA8nvGF3L2TrF2zrm0JqbKlm jv8=
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING DS RRset for benetasso.com. with DNSKEY:54350: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Now, we are going to validate this DNSKEY by the DS
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for com. with DNSKEY:30909: success
;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
;; Now, we want to validate the DS : recursive call
Launch a query to find a RRset of type DNSKEY for zone: .
;; DNSKEYset that signs the RRset to chase:
. 172768 IN DNSKEY 256 3 8 AwEAAZ/NErKzyMlImJ+2HTmK9qeH2sLUywlsF+mJbTP5GKoYFHoU2vn2 Zqr261Lk7a6jfBKYny5GX7BDRJcVvig36TgOinE9QP5KVS0RxdrOl98g KLwFMORfNf/wjCwjPdEl1GgaGYl0npJ4c+x+o6aa/xmDKJo9zUlpvb7B LxbJ7HwF
. 172768 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
;; RRSIG of the DNSKEYset that signs the RRset to chase:
. 172768 IN RRSIG DNSKEY 8 0 172800 20120224235959 20120210000000 19036 . mscTKQHP565VvCXdb3XbvTGevcAq7XzsrPgBoWSm6nknsDuxNZnFQAN7 qKRFFnYMXEYaAAe3WBFg874rFG0fpOKL1QpvlLvAVwtWcAe+gVhRTkfR qt3dC8V+9xyRVFRY4NYz2KBnmOnQj+ahgarHP8Ymf2akPoUDhHQleO/z 8U3Vr+P9p5gNN+3rt3WKinjsf/p/L5Tfu0d2ZwC2Tqtd0sD0RDtA+ZXC JLTsIRF9Lz/CqNRYtUra3Pu2u8mX5X9Np+88s4CX1yXFZM0RvjeSbdwy wb0dbUQv9YLP5ENp7O5JdhcYVU87g3tFwZ7KZqiUyN8N8HEcgvzWefoy YzKBbw==
Launch a query to find a RRset of type DS for zone: .
;; NO ANSWERS: no more
;; WARNING There is no DS for the zone: .
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING DS RRset for com. with DNSKEY:51201: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
Posted at 12:00AM Feb 14, 2012 by ze in PowerDNS | Comments[0]
benetasso.com now with DNSSEC
There is no point in talking about DNSSEC with a domain that doesn't have it. Problem solved: http://dnscheck.iis.se/
Posted at 12:00AM Feb 05, 2012 by ze in PowerDNS | Comments[0]
PowerDNS: AXFR replication
AXFR and IXFR are the old DNS replication standards. Their big advantage is interoperability with other DNS servers: most companies don't have only one DNS product in their environments, so database replication isn't an option for them.
Our setup will be the following:
Use the configurations that make sense in your environment, but here I'll use PowerDNS for both master and slave. All configurations are simple, like most DNS stuff (aside from DNSSEC).
--- /etc/pdns/pdns.conf ---
# master configuration
master=yes
allow-axfr-ips=192.0.2.0/24
# default configurations, but important to work
disable-axfr=no
disable-tcp=no
# Database
launch=gpgsql
gpgsql-user=pdns
gpgsql-dbname=powerdns
gpgsql-dnssec=yes
Thinking about the backend, here is a PostgreSQL configuration:
insert into domains (name, type) values ('example.com', 'MASTER');
insert into records values (default, currval('domains_id_seq'), 'example.com', 'SOA', 'ns1.example.com postmaster.example.com 2012013001 3600 600 1209600 3600', 3600, default, default);
insert into records values (default, currval('domains_id_seq'), 'example.com', 'NS', 'ns1.example.com', 3600, default, default);
insert into records values (default, currval('domains_id_seq'), 'example.com', 'NS', 'ns2.example.com', 3600, default, default);
insert into records values (default, currval('domains_id_seq'), 'ns1.example.com', 'A', '192.0.2.2', 3600, default, default);
insert into records values (default, currval('domains_id_seq'), 'ns2.example.com', 'A', '192.0.2.3', 3600, default, default);
insert into records values (default, currval('domains_id_seq'), 'example.com', 'A', '192.0.2.4', 3600, default, default);
Now the DNSSEC part:
pdnssec secure-zone example.com
What's the difference between MASTER and NATIVE? When pdns_server starts, it checks for domains whose type is MASTER, in order to notify all slaves.
Slave
The slave operation is simple too:
--- /etc/pdns/pdns.conf ---
# slave configuration
slave=yes
allow-axfr-ips=192.0.2.0/24
# default configurations, but important to work
disable-axfr=no
disable-tcp=no
# Database
launch=gpgsql
gpgsql-user=pdns
gpgsql-dbname=powerdns
gpgsql-dnssec=yes
The slave database will be the following:
insert into domains (name, type) values ('example.com', 'SLAVE');
After this configuration, run this command so that pdns_server knows that all the DNSSEC information is inside the records table and uses it correctly:
pdnssec set-presigned example.com
In the same way that MASTER domains are probed when a master PowerDNS starts, a slave looks at its SLAVE domains to retrieve new changes, using the SOA's TTL to decide when to query the master. If you want to push information from master to slave, use the "notify" command on the master:
pdns_control notify example.com
And that's it! That is all the configuration for a simple AXFR. The setup above is just an example; if both sides are PowerDNS, you have some shortcuts to make life easier, check my post about SUPERMASTERS.
Posted at 12:00AM Jan 29, 2012 by ze in PowerDNS | Comments[0]
PowerDNS: easy upgrade to 3.0
To upgrade PowerDNS to version 3.0, database schema changes are necessary. This may or may not be easy in your environment. Here I propose a simple approach to test PowerDNS 3.0 with DNSSEC without disrupting your production or your database.
Inside the BindBackend documentation, there is a sqlite3 database to store keys and other 3.0 stuff that BindBackend doesn't support itself: PowerDNSSEC hybrid BIND-mode operation. Well, it turns out that we can configure our production database like a BindBackend, as a read-only store, and put all the new data in a new database, to do all tests before a full migration. Here I'll use two PostgreSQL databases, creating an alias for the second one.
psql
ze=# create database powerdnssec;
ze=# \l powerdnssec
create table domains (
id SERIAL PRIMARY KEY,
name VARCHAR(255) NOT NULL,
master VARCHAR(128) DEFAULT NULL,
last_check INT DEFAULT NULL,
type VARCHAR(6) NOT NULL,
notified_serial INT DEFAULT NULL,
account VARCHAR(40) DEFAULT NULL
);
CREATE UNIQUE INDEX name_index ON domains(name);
CREATE TABLE records (
id SERIAL PRIMARY KEY,
domain_id INT DEFAULT NULL,
name VARCHAR(255) DEFAULT NULL,
type VARCHAR(10) DEFAULT NULL,
content VARCHAR(4096) DEFAULT NULL,
ttl INT DEFAULT NULL,
prio INT DEFAULT NULL,
change_date INT DEFAULT NULL,
CONSTRAINT domain_exists
FOREIGN KEY(domain_id) REFERENCES domains(id)
ON DELETE CASCADE
);
CREATE INDEX rec_name_index ON records(name);
CREATE INDEX nametype_index ON records(name,type);
CREATE INDEX domain_id ON records(domain_id);
create table supermasters (
ip VARCHAR(25) NOT NULL,
nameserver VARCHAR(255) NOT NULL,
account VARCHAR(40) DEFAULT NULL
);
GRANT SELECT ON supermasters TO pdns;
GRANT ALL ON domains TO pdns;
GRANT ALL ON domains_id_seq TO pdns;
GRANT ALL ON records TO pdns;
GRANT ALL ON records_id_seq TO pdns;
alter table records add ordername VARCHAR(255);
alter table records add auth bool;
create index orderindex on records(ordername);
create table domainmetadata (
id SERIAL PRIMARY KEY,
domain_id INT REFERENCES domains(id) ON DELETE CASCADE,
kind VARCHAR(16),
content TEXT
);
create table cryptokeys (
id SERIAL PRIMARY KEY,
domain_id INT REFERENCES domains(id) ON DELETE CASCADE,
flags INT NOT NULL,
active BOOL,
content TEXT
);
GRANT ALL ON domainmetadata TO pdns;
GRANT ALL ON domainmetadata_id_seq TO pdns;
GRANT ALL ON cryptokeys TO pdns;
GRANT ALL ON cryptokeys_id_seq TO pdns;
create table tsigkeys (
id SERIAL PRIMARY KEY,
name VARCHAR(255),
algorithm VARCHAR(255),
secret VARCHAR(255)
);
create unique index namealgoindex on tsigkeys(name, algorithm);
GRANT ALL ON tsigkeys TO pdns;
GRANT ALL ON tsigkeys_id_seq TO pdns;
alter table records alter column type type VARCHAR(10);
Assuming that the production/legacy database is called powerdns, we have the following configuration:
--- /etc/pdns/pdns.conf ---
launch=gpgsql,gpgsql:sec
gpgsql-user=pdns
gpgsql-dbname=powerdns
gpgsql-sec-user=pdns
gpgsql-sec-dbname=powerdnssec
gpgsql-sec-dnssec=yes
Using "benetasso.com" as an example, run the following commands:
# su - pdns -s /bin/bash
$ psql powerdnssec -c "insert into domains (name, type) values ('benetasso.com', 'NATIVE');"
$ pdnssec set-nsec3 benetasso.com '1 1 1 ab' narrow
$ pdnssec rectify-zone benetasso.com
Done! Now all that's left is to publish the DS:
$ pdnssec show-zone benetasso.com
Zone has NARROW hashed NSEC3 semantics, configuration: 1 1 1 ab
Zone is not presigned
keys:
ID = 1 (KSK), tag = 15812, algo = 8, bits = 2048  Active: 1
KSK DNSKEY = benetasso.com IN DNSKEY 257 3 8 AwEAAZSglooxX8aSJvvi/FtLX2A5FZ6FLGQAkcETE3hdLOJG/AWb0/...
DS = benetasso.com IN DS 15812 8 1 75ab832514dc25ffdf4791a71c3b371accea8539
DS = benetasso.com IN DS 15812 8 2 7412bdb8d54165453ed9d9e5d91ab8095ab2c3c30309a5dd91c1289ddfc51402
ID = 2 (ZSK), tag = 57109, algo = 8, bits = 1024  Active: 1
ID = 3 (ZSK), tag = 53724, algo = 8, bits = 1024  Active: 0
Posted at 12:00AM Jan 21, 2012 by ze in PostgreSQL | Comments[0]
