__color__,__group__,ticket,summary,component,version,type,severity,owner,status,created,_changetime,_description,_reporter
1, Release,244,Blackhole and exclusion support for pdns,auth,3.2,enhancement,normal,ahu,new,2009-05-29T10:21:52+0200,2012-11-30T13:36:52+0100,"Adds support for blackholing networks/addresses, this means that all packets from blackholed networks are dropped, and all TCP connections are closed immediately after accept().

This patch also changes behaviour of NetmaskGroup and friends by allowing use of ! to negate match. F.ex. 

blackhole=!127.0.0.1/32,127.0.0.0/8 would allow from localhost, but not from localnet. 
",anon
2, Release,441,./configure fails on detecting libboost_program_options,component1,3.1,defect,blocker,somebody,reopened,2012-03-30T01:24:20+0200,2012-11-08T21:57:55+0100,"According to

http://doc.powerdns.com/compiling-powerdns.html

"" If your operating system does not have a Boost package, you don't need to compile all of boost just for PowerDNS. PowerDNS only uses Boost include files, so there is no need to install all of boost. Just untar the Boost distribution file and point instruct ./configure to find it, perhaps like this:

	$ CXXFLAGS=-I/home/bert/download/boost_1_33_0 ./configure ...""

but the ./configure step fails thus:

setenv CXXCPP /usr/sfw/bin/cpp ; ./configure --prefix=/opt/powerdns --with-boost=""${HOME}/devel/src/boost_1_38_0"" CC=gcc CXX=g++

checking for Boost headers version >= 103400... /export/home/user/devel/src/boost_1_38_0
checking for Boost's header version... 1_38
checking boost/foreach.hpp usability... yes
checking boost/foreach.hpp presence... yes
checking for boost/foreach.hpp... yes
checking for the toolset name used by Boost for g++... gcc34 -gcc
checking boost/program_options.hpp usability... yes
checking boost/program_options.hpp presence... yes
checking for boost/program_options.hpp... yes
checking for the Boost program_options library... no
configure: error: cannot not find the flags to link with Boost program_options

So the documentation states libraries are not needed, yet the ./configure looks for libboost_program_options-*gcc*.so.

There is a bit of code in ./configure with a series of checks which appears to be the root cause.

OS is SunOS 5.10 u3 (Solaris 10 11/06). The error occurs on both i86pc and sparc platforms.

What do I need to do to fix this?",anon
2, Release,700,Deadlock for presigned AXFR (slave) with sqlite backend,auth,3.2,defect,major,ahu,new,2013-02-15T22:25:33+0100,2013-02-15T22:25:33+0100,"Metadata updates should be done within the same database transaction as the AXFR. Note that r2834 moved the commit of the AXFR transaction after the metadata updates, thus causing a deadlock when using the sqlite3 backend.",anon
2, Release,541,AXFR out produces STL error for TXT RR,auth,3.2,defect,normal,ahu,new,2012-08-01T08:24:24+0200,2012-12-17T15:19:48+0100,"Using PowerDNS from git, commit: e8b99826de32bfa98fddd1b02ec024061f69ebcc

Outgoing zone transfer dies with the following error logged:

{{{
Aug 01 08:18:30 AXFR of domain 'tiny.aa' initiated by 127.0.0.1
Aug 01 08:18:30 AXFR of domain 'tiny.aa' allowed: client IP 127.0.0.1 is in allow-axfr-ips
Aug 01 08:18:30 gmysql Connection successful
Aug 01 08:18:30 gmysql Connection successful
Aug 01 08:18:30 Exception: Unable to parse DNS TXT '""ÅLAND ISLANDS""'
Aug 01 08:18:30 TCP Connection Thread died because of STL error: Unable to parse DNS TXT '""ÅLAND ISLANDS""'
}}}

The zone was transferred IN to PowerDNS from BIND 9.9.0-P1 running the attached ''tiny.aa'' master file which passed ''named-checkzone'' without errors. For clarity, the zone contains binary (UTF-8) characters in the TXT RRset as shown from the dig to BIND:

{{{

; <<>> DiG 9.9.0 <<>> @127.0.0.3 tiny.aa axfr
; (1 server found)
;; global options: +cmd
tiny.aa.		60	IN	SOA	localhost. root.localhost. 2010100300 10800 3600 604800 3600
tiny.aa.		60	IN	NS	localhost.
AX.tiny.aa.		604800	IN	TXT	""\195\133LAND ISLANDS""
CI.tiny.aa.		604800	IN	TXT	""C\195\148TE D'IVOIRE""
localhost.tiny.aa.	60	IN	A	127.0.0.1
tiny.aa.		60	IN	SOA	localhost. root.localhost. 2010100300 10800 3600 604800 3600
;; Query time: 1 msec
;; SERVER: 127.0.0.3#53(127.0.0.3)
;; WHEN: Wed Aug  1 08:12:47 2012
;; XFR size: 6 records (messages 1, bytes 211)


}}}

Best regards,

    -JP
",anon
2, Release,721,PowerDNS with bind backend did not show rejected zones in pdns_control bind-list-rejects,auth,3.2,defect,normal,ahu,new,2013-03-27T10:02:13+0100,2013-03-28T10:22:30+0100,"Hello,

We have one buggy zone, which shows in pdns_control rediscover output:
Ok Done parsing domains, 1 rejected, 1 new, 0 removed

But if we try to use the command to get more information about the zone:
pdns_control bind-list-rejects

We got a blank answer; it's a bug, because in the log or in  error it is shown correctly:
pdns_control BIND-DOMAIN-STATUS|grep art-dias.ru
art-dias.ru: 	 error at Wed Mar 27 12:50:13 2013 parsing 'art-dias.ru' from file '/etc/bind/art-dias.ru': Trying to insert non-zone data, name='artdias.ru', qtype=A, zone='art-dias.ru'

Mar 27 12:50:11 ns1 pdns[494]: Rediscovery was requested
Mar 27 12:50:12 ns1 pdns[494]: [bindbackend] Parsing 169614 domain(s), will report when done
Mar 27 12:50:13 ns1 pdns[494]: [bindbackend] error at Wed Mar 27 12:50:13 2013 parsing 'art-dias.ru' from file '/etc/bind/art-dias.ru': Trying to insert non-zone data, name='artdias.ru', qtype=A, zone='art-dias.ru'
Mar 27 12:50:15 ns1 pdns[494]: [bindbackend] Done parsing domains, 1 rejected, 2 new, 0 removed

Thank you!

PowerDNS 3.2, official package for Debian.",anon
2, Release,724,pdns_control bind-domain-status did not work properly,auth,3.2,defect,normal,ahu,new,2013-03-27T12:42:02+0100,2013-03-28T10:21:24+0100,"Hello,

We got error ""Mar 27 15:48:20 ns2 pdns[28510]: Error sending data to pdns_control: Broken pipe"" when trying to get status for all domains:
root@ns2:~# pdns_control bind-domain-status|wc -l
2055
root@ns2:~# pdns_control bind-domain-status|wc -l
37193
root@ns2:~# pdns_control bind-domain-status|wc -l
2055


In total we have about 160 000 zones in named.conf.

PowerDNS 3.2",anon
3, Release,623,distributor-threads causes timeouts,auth,3.2,defect,blocker,ahu,new,2012-11-27T17:08:57+0100,2013-01-07T13:08:32+0100,"This is tested against 2.9.22, 3.1 and 3.2-rc1.

The symptom is that when testing with dnsperf (testing a single A record lookup) there's a noticeable amount of requests that time out when distributor-threads > 1.

The amount varies a bit, but is approx 0.5% timeouts on 2.9 and 3.1, and a bit more on 3.2-rc1.  The timeouts come in clumps of sequential or nearly sequential queries that time out, followed by many that are fine.

The server is a simple authoritative server using a mysql backend with query-cache and packet-cache disabled.  Many things have been tried in mysql (qcache, MEMORY tables, etc with no effect on the issue) leading me to believe that it's a problem in pdns.

With a single distributor-thread, increasing receiver-thread has varying effects depending on release. 
On 2.9 and 3.1, having receiver-threads > 1 also causes timeouts, and is slower than having receiver-threads=1.
On 3.2, which is ordinarily about 50% slower than 2.9 and 3.1, having receiver-threads >1 does not cause timeouts and gives a ~ 40% speedup over 2.9/3.1 with 1 of each thread.

Increasing distributor-threads also has varying impacts.  On all versions it causes timeouts (~ 0.5% on 2.9/3.1 and ~ 0.8% on 3.2-rc1)  On 2.9 and 3.1, increasing distributor-threads offers a linear performance increase (i.e. 2 threads is twice as fast as 1) limited by the number of CPU cores available.

dnsperf output below:

{{{
dnsperf -d dnsperf.txt -s ns21 -S 5 -l 30 -t 10
DNS Performance Testing Tool
Nominum Version 2.0.0.0
(example query data file: /usr/share/dnsperf/queryfile-example-current)

[Status] Command line: dnsperf -d dnsperf.txt -s ns21 -S 5 -l 30 -t 10
[Status] Sending queries (to 10.150.30.234)
[Status] Started at: Tue Nov 27 16:04:16 2012
[Status] Stopping after 30.000000 seconds
1354032261.500599: 2496.274865
[Timeout] Query timed out: msg id 10
[Timeout] Query timed out: msg id 11
[Timeout] Query timed out: msg id 12
[Timeout] Query timed out: msg id 13
[Timeout] Query timed out: msg id 14
[Timeout] Query timed out: msg id 15
[Timeout] Query timed out: msg id 16
[Timeout] Query timed out: msg id 17
[Timeout] Query timed out: msg id 18
[Timeout] Query timed out: msg id 19
[Timeout] Query timed out: msg id 20
[Timeout] Query timed out: msg id 21
[Timeout] Query timed out: msg id 22
[Timeout] Query timed out: msg id 23
[Timeout] Query timed out: msg id 24
[Timeout] Query timed out: msg id 25
[Timeout] Query timed out: msg id 26
[Timeout] Query timed out: msg id 27
[Timeout] Query timed out: msg id 28
[Timeout] Query timed out: msg id 29
[Timeout] Query timed out: msg id 30
[Timeout] Query timed out: msg id 31
[Timeout] Query timed out: msg id 32
[Timeout] Query timed out: msg id 33
[Timeout] Query timed out: msg id 34
[Timeout] Query timed out: msg id 35
[Timeout] Query timed out: msg id 36
[Timeout] Query timed out: msg id 37
[Timeout] Query timed out: msg id 38
[Timeout] Query timed out: msg id 39
[Timeout] Query timed out: msg id 40
[Timeout] Query timed out: msg id 41
[Timeout] Query timed out: msg id 42
[Timeout] Query timed out: msg id 43
[Timeout] Query timed out: msg id 44
[Timeout] Query timed out: msg id 45
[Timeout] Query timed out: msg id 46
[Timeout] Query timed out: msg id 47
[Timeout] Query timed out: msg id 48
[Timeout] Query timed out: msg id 49
[Timeout] Query timed out: msg id 50
[Timeout] Query timed out: msg id 51
[Timeout] Query timed out: msg id 52
[Timeout] Query timed out: msg id 53
[Timeout] Query timed out: msg id 54
[Timeout] Query timed out: msg id 55
[Timeout] Query timed out: msg id 56
[Timeout] Query timed out: msg id 57
[Timeout] Query timed out: msg id 58
[Timeout] Query timed out: msg id 59
[Timeout] Query timed out: msg id 60
[Timeout] Query timed out: msg id 61
[Timeout] Query timed out: msg id 62
[Timeout] Query timed out: msg id 63
[Timeout] Query timed out: msg id 64
[Timeout] Query timed out: msg id 65
[Timeout] Query timed out: msg id 66
[Timeout] Query timed out: msg id 69
[Timeout] Query timed out: msg id 70
[Timeout] Query timed out: msg id 71
[Timeout] Query timed out: msg id 72
[Timeout] Query timed out: msg id 73
[Timeout] Query timed out: msg id 74
[Timeout] Query timed out: msg id 75
[Timeout] Query timed out: msg id 76
[Timeout] Query timed out: msg id 77
[Timeout] Query timed out: msg id 78
[Timeout] Query timed out: msg id 79
[Timeout] Query timed out: msg id 80
[Timeout] Query timed out: msg id 81
[Timeout] Query timed out: msg id 82
[Timeout] Query timed out: msg id 83
[Timeout] Query timed out: msg id 84
[Timeout] Query timed out: msg id 85
[Timeout] Query timed out: msg id 86
[Timeout] Query timed out: msg id 87
[Timeout] Query timed out: msg id 88
[Timeout] Query timed out: msg id 89
[Timeout] Query timed out: msg id 90
[Timeout] Query timed out: msg id 91
[Timeout] Query timed out: msg id 92
[Timeout] Query timed out: msg id 93
[Timeout] Query timed out: msg id 94
[Timeout] Query timed out: msg id 95
[Timeout] Query timed out: msg id 96
[Timeout] Query timed out: msg id 97
[Timeout] Query timed out: msg id 98
[Timeout] Query timed out: msg id 99
[Timeout] Query timed out: msg id 100
[Timeout] Query timed out: msg id 101
1354032266.505923: 2227.827809
[Timeout] Query timed out: msg id 124
1354032271.512214: 2396.984115
[Timeout] Query timed out: msg id 23746
[Timeout] Query timed out: msg id 23747
[Timeout] Query timed out: msg id 23748
[Timeout] Query timed out: msg id 23749
[Timeout] Query timed out: msg id 23750
[Timeout] Query timed out: msg id 23751
[Timeout] Query timed out: msg id 23752
[Timeout] Query timed out: msg id 23753
[Timeout] Query timed out: msg id 23754
[Timeout] Query timed out: msg id 23755
[Timeout] Query timed out: msg id 23756
[Timeout] Query timed out: msg id 23757
[Timeout] Query timed out: msg id 23758
[Timeout] Query timed out: msg id 23759
[Timeout] Query timed out: msg id 23761
[Timeout] Query timed out: msg id 23762
[Timeout] Query timed out: msg id 23763
[Timeout] Query timed out: msg id 23765
[Timeout] Query timed out: msg id 23767
[Timeout] Query timed out: msg id 23769
[Timeout] Query timed out: msg id 23770
[Timeout] Query timed out: msg id 23771
[Timeout] Query timed out: msg id 23772
[Timeout] Query timed out: msg id 23773
[Timeout] Query timed out: msg id 23774
[Timeout] Query timed out: msg id 23777
[Timeout] Query timed out: msg id 23778
[Timeout] Query timed out: msg id 23779
[Timeout] Query timed out: msg id 23780
[Timeout] Query timed out: msg id 23781
[Timeout] Query timed out: msg id 23783
[Timeout] Query timed out: msg id 23784
[Timeout] Query timed out: msg id 23785
[Timeout] Query timed out: msg id 23786
[Timeout] Query timed out: msg id 23787
[Timeout] Query timed out: msg id 23788
[Timeout] Query timed out: msg id 23790
[Timeout] Query timed out: msg id 23791
[Timeout] Query timed out: msg id 23792
[Timeout] Query timed out: msg id 23793
[Timeout] Query timed out: msg id 23794
[Timeout] Query timed out: msg id 23795
[Timeout] Query timed out: msg id 23796
[Timeout] Query timed out: msg id 23798
[Timeout] Query timed out: msg id 23799
[Timeout] Query timed out: msg id 23800
[Timeout] Query timed out: msg id 23801
[Timeout] Query timed out: msg id 23802
[Timeout] Query timed out: msg id 23803
[Timeout] Query timed out: msg id 23804
[Timeout] Query timed out: msg id 23805
[Timeout] Query timed out: msg id 23806
[Timeout] Query timed out: msg id 23807
[Timeout] Query timed out: msg id 23808
[Timeout] Query timed out: msg id 23809
[Timeout] Query timed out: msg id 23810
[Timeout] Query timed out: msg id 23811
[Timeout] Query timed out: msg id 23812
[Timeout] Query timed out: msg id 23813
[Timeout] Query timed out: msg id 23814
[Timeout] Query timed out: msg id 23815
[Timeout] Query timed out: msg id 23816
[Timeout] Query timed out: msg id 23817
[Timeout] Query timed out: msg id 23819
[Timeout] Query timed out: msg id 23821
[Timeout] Query timed out: msg id 23822
[Timeout] Query timed out: msg id 23823
[Timeout] Query timed out: msg id 23826
[Timeout] Query timed out: msg id 23827
[Timeout] Query timed out: msg id 23828
[Timeout] Query timed out: msg id 23829
[Timeout] Query timed out: msg id 23830
[Timeout] Query timed out: msg id 23831
[Timeout] Query timed out: msg id 23832
[Timeout] Query timed out: msg id 23833
[Timeout] Query timed out: msg id 23835
[Timeout] Query timed out: msg id 23836
[Timeout] Query timed out: msg id 23837
[Timeout] Query timed out: msg id 23838
[Timeout] Query timed out: msg id 23839
[Timeout] Query timed out: msg id 23840
[Timeout] Query timed out: msg id 23841
[Timeout] Query timed out: msg id 23842
[Timeout] Query timed out: msg id 23843
1354032276.518604: 2690.161973
}}}

Config file:

{{{
setuid=pdns
setgid=pdns
daemon=yes
local-address=10.150.30.234
launch=gmysql:main
gmysql-main-user=***
gmysql-main-password=***
gmysql-main-dbname=main
cache-ttl=0
query-cache-ttl=0
negquery-cache-ttl=60
disable-axfr=yes
disable-tcp=no
distributor-threads=1
receiver-threads=1
recursor=no
guardian=yes
master=yes
log-failed-updates=no
webserver=yes
log-dns-details=no
logging-facility=0
loglevel=3
max-queue-length=5000
queue-limit=5
}}}",anon
3, Release,629,recursor packetcache ignores edns size,recursor,3.5-recursor,defect,blocker,ahu,new,2012-12-05T15:03:19+0100,2013-01-11T13:16:37+0100,"The Recursor packet cache appears to ignore EDNS bufsize, meaning that if client A sends a query with a big bufsize, client B (who does not even use EDNS) could get the big response too.

",peter
3, Release,657,pdns reload/rediscover race conditions,auth,3.2,defect,blocker,ahu,new,2013-01-04T12:00:22+0100,2013-01-07T13:09:29+0100,"I noticed this as a result of the changes in 3.2 whereby each receiver gets its own distributor - whenever the dynhandler calls ->getBackend() it will only find the one in its current thread, so reload won't propagate to backends within other threads.

However, I suspect this condition has always been around as a race - if I have multiple distributors and I call reload; one thread is issuing reloads while all the other backend threads are currently executing (potentially). I guess if you call reload in previous versions on a highly loaded server with multiple backends you could probably get it to crash.

The attached patch changes it so that each backend has a variable which is changed to signal that a reload or rediscover has been requested. When processing gets to an appropriate point, i.e. before it next queries the backend database, such an operation will be run. Note that it is not run in ::get as we don't want a backend to be reloaded between performing a lookup and getting the records.

This patch means that reload/reinitialize are not done straight away as in previous versions, but on a moderately loaded server this should not be a problem as they will be performed the next time a backend is called.

Mark",anon
3, Release,682,NS missing in secure delegation NSEC3 bitmap,auth,3.2,defect,blocker,ahu,new,2013-01-21T12:57:44+0100,2013-01-22T09:57:14+0100,"Kees Monshouwer reported that adding
{{{
secure-delegated	IN	DS	54319 8 2 a0b9c38cd324182af0ef66830d0a0e85a1d58979c9834e18c871779e040857b7
secure-delegated	IN	NS	ns1.secure-delegated.dnssec-parent.com.
secure-delegated	IN	NS	ns2.secure-delegated.dnssec-parent.com.
ns1.secure-delegated	IN	A	1.2.3.4
ns2.secure-delegated	IN	A	5.6.7.8
}}}

to dnssec-parent.com makes verify-dnssec-zone with ""NS exists, but NSEC3 does not mention it for secure-delegated.dnssec-parent.com.""",peter
3, Release,417,"please don't post security issues here, contact security@netherlabs.nl",component1,,defect,critical,somebody,reopened,2012-01-05T09:03:17+0100,2012-05-09T20:25:59+0200,"I just deleted your ticket 417, can you please contact us?",ahu
3, Release,191,pdns control socket should be made after chroot,auth,3.2,defect,major,ahu,new,2008-07-21T11:29:54+0200,2012-10-10T14:02:54+0200,"pdns process creates a control socket. In chroot mode, the creation is done before chrooting, thus causing pdns to lose access to it. To fix this, one should make pdns create socket after chrooting. 

Aki Tuomi",anon
3, Release,328,pdns-recursor performance heavily degrades after 2GB (?) usage.,recursor,3.3,defect,major,ahu,new,2010-11-23T23:32:47+0100,2012-05-09T22:12:09+0200,"We have noticed on two of our recently-upgraded 3.3 pdns-recursor machines that the service's performance takes a massive hit after running for a few days.  Some forensics reveals that this occurs as soon as the recursor is using 2GB of memory.

CPU usage is at expected levels for a day or so after the machine is restarted.  The machine's performance graphs show that 2GB memory usage is the ""magic point"" at which the problem occurs.  Then, CPU usage of the pdns-recursor process will then increase to about 5x its previous value.  Restarting the process will temporarily alleviate the issue.

We have worked around this issue by only having one thread spawn, which halves memory usage.  Halving max-cache-entries with keeping two threads also seems to prevent this, although performance is not nearly as good.  However both workarounds limit the capacity of the recursor.

We have seen this appear on the 3.3 recursor.  We can not confirm or not if this is present on 3.2 as the upgrades were done from 3.1.",dgamble
3, Release,511,Botan 1.8 EC signatures broken,auth,,defect,major,ahu,new,2012-07-02T13:58:17+0200,2013-01-11T16:34:24+0100,"$ ./pdnssec test-algorithm 13
Testing algorithm 13: 'CryptoPP ECDSA' -> 'CryptoPP ECDSA' Signature & verify ok, signature 961usec, verify 3468usec
Testing algorithm 13: 'CryptoPP ECDSA' -> 'Botan 1.8 ECDSA' Requested for unknown EC domain parameters for algorithm 8270672
Testing algorithm 13: 'Botan 1.8 ECDSA' -> 'CryptoPP ECDSA' CryptoMaterial: this object contains invalid values
Testing algorithm 13: 'Botan 1.8 ECDSA' -> 'Botan 1.8 ECDSA' Requested for unknown EC domain parameters for algorithm 64

The issue seems to be both powerdns and botan related. botan18signers.cc has d_algorithm attribute marked private, which makes it impossible for the parent to set it on initialization. Despite fixing this, the problem remains, but looks like:

Testing algorithm 13: 'CryptoPP ECDSA' -> 'CryptoPP ECDSA' Signature & verify ok, signature 991usec, verify 3677usec
Testing algorithm 13: 'CryptoPP ECDSA' -> 'Botan 1.8 ECDSA' Botan: Decoding error: BER: Length field is too large
Testing algorithm 13: 'Botan 1.8 ECDSA' -> 'CryptoPP ECDSA' CryptoMaterial: this object contains invalid values
Testing algorithm 13: 'Botan 1.8 ECDSA' -> 'Botan 1.8 ECDSA' Verification of signer Botan 1.8 ECDSA with verifier Botan 1.8 ECDSA failed

",anon
3, Release,687,make fails,auth,3.2,defect,major,ahu,new,2013-01-25T16:56:57+0100,2013-03-11T09:20:52+0100,"Attempting to configure and install pdns 3.2 and it fails after issuing the make command with the following error:


lua-pdns.cc: In function ‘void popResourceRecordsTable(lua_State*, const string&, std::vector<DNSResourceRecord>&)’:
lua-pdns.cc:126:35: error: ‘lua_objlen’ was not declared in this scope
lua-pdns.cc: In constructor ‘PowerDNSLua::PowerDNSLua(const string&)’:
lua-pdns.cc:220:20: error: ‘lua_open’ was not declared in this scope
make[4]: *** [lua-pdns.o] Error 1
make[4]: Leaving directory `/root/pdns-3.2/pdns'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/pdns-3.2/pdns'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/pdns-3.2/pdns'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/pdns-3.2'
make: *** [all] Error 2

Here is my configure line:

./configure \
--prefix=/usr/local/powerdns_server \
--enable-cryptopp \
--enable-pdns_server \
--with-boost=/usr \
--with-modules="""" \
--with-dynmodules=""gmysql gpgsql"" \
--with-mysql \
--with-mysql-lib=/usr/lib \
--with-mysql-includes=/usr/include \
--with-pgsql \
--with-pgsql-lib=/usr/lib \
--with-pgsql-includes=/usr/include \
--with-lua \
--disable-recursor

This same configure line does work with 3.1",anon
3, Release,290,qps stats are only generated on second stats run,recursor,,defect,minor,ahu,new,2010-04-15T18:23:35+0200,2010-04-15T18:23:35+0200,"The qps stats in the PowerDNS log are only shown after the second stats run. 

This is somewhat counterintuitive since they could be initialized with zero on startup of the daemon and then shown accordingly with the first stats run",anon
3, Release,496,"out-of-tree building doesn't work, needed for clean Debian pdns-static",auth,3.2,enhancement,minor,ahu,new,2012-06-16T23:46:16+0200,2012-10-06T12:46:04+0200,"Hi,

PowerDNS 3.1 won't build in an out-of-tree setting:

[146/635]mh@salida[schroot sid_build64]:~/packages/pdns/altes/pdns-3.1/buildtree
$ ../configure --with-modules="""" --with-dynmodules=""""
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
<snip>
config.status: creating modules/luabackend/Makefile
config.status: creating modules/tinydnsbackend/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
[147/636]mh@salida[schroot sid_build64]:~/packages/pdns/altes/pdns-3.1/buildtree
$ make
make  all-recursive
make[1]: Entering directory `/home/mh/packages/pdns/altes/pdns-3.1/buildtree'
Making all in modules
make[2]: Entering directory `/home/mh/packages/pdns/altes/pdns-3.1/buildtree/modules'
make[3]: Entering directory `/home/mh/packages/pdns/altes/pdns-3.1/buildtree/modules'
make[3]: Nothing to be done for `all-am'.
make[3]: Leaving directory `/home/mh/packages/pdns/altes/pdns-3.1/buildtree/modules'
make[2]: Leaving directory `/home/mh/packages/pdns/altes/pdns-3.1/buildtree/modules'
Making all in codedocs
make[2]: Entering directory `/home/mh/packages/pdns/altes/pdns-3.1/buildtree/codedocs'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/home/mh/packages/pdns/altes/pdns-3.1/buildtree/codedocs'
Making all in pdns
make[2]: Entering directory `/home/mh/packages/pdns/altes/pdns-3.1/buildtree/pdns'
make  all-recursive
make[3]: Entering directory `/home/mh/packages/pdns/altes/pdns-3.1/buildtree/pdns'
Making all in ext/polarssl-1.1.2
/bin/bash: line 17: cd: ext/polarssl-1.1.2: No such file or directory
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/mh/packages/pdns/altes/pdns-3.1/buildtree/pdns'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/mh/packages/pdns/altes/pdns-3.1/buildtree/pdns'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/mh/packages/pdns/altes/pdns-3.1/buildtree'
make: *** [all] Error 2
[148/637]mh@salida[schroot sid_build64]:~/packages/pdns/altes/pdns-3.1/buildtree
$ 

Having PowerDNS support out-of-tree-builds will make it much easier to build a pdns-static package from the Debian source tree. I would love to see that work in PowerDNS.

When inquiring about out-of-tree-builds, I was pointed towards
http://www.gnu.org/savannah-checkouts/gnu/automake/manual/html_node/VPATH-Builds.html

Maybe these docs will help to find out how to make PowerDNS support out-of-tree builds. They surely didn't help me ;-)

I'm going to postpone additional work on the Debian PowerDNS package regarding pdns-static.deb until it has been determined whether this proposed change to upstream PowerDNS is worth implementing.

Greetings
Marc
",anon
3, Release,501,Please consider pulling from Debian's init script,auth,3.2,enhancement,minor,ahu,new,2012-06-17T18:12:08+0200,2012-11-30T14:29:55+0100,"Hi,

I have reworked Debian's init script to properly emit LSB-compliant status messages, and have adopted Debian's init script logic which looks a bit more robust to me than the init script that you currently ship with PowerDNS.

Please consider using bits from the current Debian init script (attached), but be aware that there are some things that only make sense on a Debian system, and I am not sure whether you can depend on the normal LSB init functions to be available.
",anon
3, Release,502,Please allow multiple launch statements,auth,3.2,enhancement,minor,ahu,reopened,2012-06-24T11:13:50+0200,2012-10-08T11:51:57+0200,"Hi,

in Debian, I would like to be able to deliver each backend with a config snippet which contains a working configuration. This would be much easier if PowerDNS supported multiple launch statements in the configuration, adding all backends to be launched.

Currently, multiple launch statements are not flagged as an error, and the last (?) instance wins. This leads to interesting debugging situations.

Greetings
Marc
",anon
3, Release,633,querying for domain names longer than 255 chars results in NOERROR,recursor,3.5-recursor,defect,minor,ahu,reopened,2012-12-06T10:13:33+0100,2013-03-28T21:16:23+0100,"NSD and BIND return FORMERR on such queries. Which I think is the correct reply. PowerDNS returns NOERROR, which is a bit strange, because such long names are clearly a violation of the spec.",anon
3, Release,698,DNSBackend::getSOA() does not check rr type,auth,3.2,enhancement,minor,ahu,new,2013-02-04T18:01:28+0100,2013-02-04T18:01:28+0100,This patch fixed getSOA() to check rr.qtype when looking for SOA records. Protects against script backend accidents where the user sends non-SOA record when SOA requested. ,anon
3, Release,718,Webserver statistics do not track non-authoritative domain query counts,auth,3.2,defect,minor,ahu,new,2013-03-21T15:02:34+0100,2013-03-26T09:51:43+0100,"When viewing the webserver statistics page, the section titled 'Queries for domains that we are not authoritative for' always shows 0, despite having queried for domains it is not authoritative for.",anon
3, Release,719,"Replace ""Trying to insert non-zone data"" by soft exclude of bad RR",auth,3.2,enhancement,minor,ahu,new,2013-03-22T07:56:15+0100,2013-03-25T15:14:39+0100,"Hello,

I successfully migrated a very big Bind9 (160 000 zones) instance to PowerDNS today, it works perfectly, thank you!

But there is one bad issue with the PowerDNS bind backend.

For example, we have the following named zone (jc.andreyber.ru) with a small bug:
$TTL    3600
jc.andreyber.ru.        IN      SOA     ns3.fastvps.ru. support.fastvps.ru. (2013032207 10800 3600 604800 86400)
jc.andreyber.ru.        IN      NS      ns1.selectel.org.
jc.andreyber.ru.        IN      NS      ns2.selectel.org.
jc.andreyber.ru.        IN      NS      ns3.selectel.org.
jc.andreyber.ru.        IN      MX      10 mail
jc.andreyber.ru IN      CNAME   justclick.ru.
justclick.ru.   IN      A       5.9.77.28

As you can see, the record justclick.ru. is out of bounds of our zone. If we try to run Bind 9 with this zone we get a warning:
Mar 22 10:10:13 mail-relarn named[667]: master/jc.andreyber.ru:11: ignoring out-of-zone data (justclick.ru)

But all records except the buggy one still work fine! But in PowerDNS's BIND backend the whole zone gets excluded. I think it's more clever to remove only the buggy record, not the whole zone.

I'm using version 2.9.22, but this issue still exists in 3.2 as well:
throw AhuException(""Trying to insert non-zone data, name='""+bdr.qname+""', qtype=""+qtype.getName()+"", zone='""+bb2.d_name+""'"");


Thank you!

Backend: BIND
OS: Debian 6 x86_64",anon
3, Release,91,Feature request powerdns_recursor: hidettl,recursor,3.5-recursor,enhancement,normal,ahu,assigned,2006-08-18T00:50:22+0200,2013-01-10T16:08:28+0100,"dnscache has a hidettl-option, I would like powerdns_recursor to have it too. It's the last feature I'd like to have so we can go from dnscache to powerdns_recursor as our DNS-recursors.

I made a quick patch, but it doesn't work, C++ isn't my thing or maybe it's just the time of day. :-) The compiler-warning says it all:

{{{
pdns_recursor.cc: In function `void startDoResolve(void*)':
pdns_recursor.cc:531: warning: comparison between signed and unsigned integer 
   expressions
}}}

Here is my patch, you'll get a good idea of what I was trying to accomplish.

The more I think about it, I think the MustDo- or similar check should probably go into serviceMain instead.

{{{
--- pdns_recursor.cc~   2006-06-25 14:09:31.000000000 +0200
+++ pdns_recursor.cc    2006-08-18 00:38:46.000000000 +0200
@@ -525,7 +525,15 @@
       if(ret.size()) {
        shuffle(ret);
        for(vector<DNSResourceRecord>::const_iterator i=ret.begin();i!=ret.end();++i) {
-         pw.startRecord(i->qname, i->qtype.getCode(), i->ttl, i->qclass, (DNSPacketWriter::Place)i->d_place);
+          if (!::arg().mustDo (""client-ttl"")) {
+           pw.startRecord(i->qname, i->qtype.getCode(), i->ttl, i->qclass, (DNSPacketWriter::Place)i->d_place);
+          } else {
+            if (::arg().asNum(""client-ttl"") > i->ttl) {
+             pw.startRecord(i->qname, i->qtype.getCode(), ::arg().asNum(""client-ttl""), i->qclass, (DNSPacketWriter::Place)i->d_place);
+            } else {
+             pw.startRecord(i->qname, i->qtype.getCode(), i->ttl, i->qclass, (DNSPacketWriter::Place)i->d_place);
+            }
+          }
          shared_ptr<DNSRecordContent> drc(DNSRecordContent::mastermake(i->qtype.getCode(), i->qclass, i->content));
          
          drc->toPacket(pw);
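Review bot: The added comparison of ::arg().asNum() against i->ttl in the inner if is the signed/unsigned comparison the compiler warns about at pdns_recursor.cc:531. Read the setting once into a local variable of the same type as i->ttl, work out the TTL to send, and make a single pw.startRecord() call instead of three near-identical ones. Note also that this branch substitutes the configured value only when it is larger than the record's TTL, so clients are handed a TTL higher than the one on the record; confirm that a floor rather than a cap is what is wanted.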
@@ -1639,6 +1647,7 @@
   try {
     Utility::srandom(time(0));
     ::arg().set(""soa-minimum-ttl"",""Don't change"")=""0"";
+    ::arg().set(""client-ttl"",""ttl to sent to clients"")=""no"";
     ::arg().set(""soa-serial-offset"",""Don't change"")=""0"";
     ::arg().set(""no-shuffle"",""Don't change"")=""off"";
     ::arg().set(""aaaa-additional-processing"",""turn on to do AAAA additional processing (slow)"")=""off"";
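Review bot: client-ttl is registered here with the default no, yet the first hunk reads it both as a switch through mustDo and as a number through asNum, so one setting is carrying two types. Register it with a numeric default such as 0, document that 0 leaves TTLs untouched, and test for a value greater than zero instead of calling mustDo; the help text should read `TTL to send to clients`.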

}}}

Hope it's helpful to you.
",leen@…
3, Release,148,better default paths for config and sockets.,recursor,,enhancement,normal,ahu,new,2007-06-12T17:25:27+0200,2012-08-13T13:52:54+0200,"the current default paths make it very hard to chroot pdns/pdns-recursor.
especially the socket path set to ""/var/run"".

on my system i use the following approach:
{{{
$ mkdir -p /var/lib/powerdns/var/run/powerdns
$ ln -s /var/lib/powerdns/var/run/powerdns /var/run/powerdns 
}}}

chroot is configured to /var/lib/powerdns, socket dir is configured to /var/run/powerdns.
i do not think that moving /var/run itself into the pdns chroot and symlink it back is a good option.

I would suggest to define a new default socket path and config file directory. and communicate the new settings to all distributors so we get a common directory layout among all distros/os.",anon
3, Release,209,bind ipv6 sockets with IPV6_V6ONLY,component1,,enhancement,normal,somebody,new,2008-11-19T18:44:02+0100,2008-11-19T18:44:02+0100,"hi,

 http://en.wikipedia.org/wiki/IPv4_mapped_address
(found on http://lists.danga.com/pipermail/memcached/2008-February/006251.html) suggests that using the ipv4 in ipv6 mapping is not recommended. the attached patch implements that for the authoritative and recursive server.

from my testing it will only break on possible setup
local-address=
local-ipv6=::

which wouldn't handle ipv4 anymore. any other set up should work without any problems.",anon
3, Release,215,Support for RFC 4892 server information,auth,3.2,enhancement,normal,ahu,new,2009-01-07T16:30:57+0100,2012-10-10T14:04:33+0200,"The attached patches improve the support for server information from PowerDNS.

   * A ""disabled"" mode was added to VERSION.BIND to make the server treat these queries just like any other. If you have VERSION.BIND in one of your backends then that is the answer that will be returned. 
   * HOSTNAME.BIND support was added with ""hostname"" (use the information reported by the gethostbyname() call), ""anonymous"" (return !ServFail), ""disabled"" (as above), or a custom string.
   * ID.SERVER support was added, which works the same as HOSTNAME.BIND but can have different values.

HOSTNAME.BIND is set with the `hostname-string` variable in pdns.conf. ID.SERVER is set with the `server-id` variable in pdns.conf.

I left the VERSION.BIND support answering queries of any class, although really it should only answer these for class CHAOS. I am a bit worried about breaking existing checks of people who are counting on it working for class INTERNET.

The support for the NSID EDNS0 option should probably be extended to work identically to ID.SERVER, or perhaps have a separate configuration variable added.

The treatment in the authoritative server is different from the recursive resolver, but it has always been like this. At some point they should probably be made to work the same.

Shane Kerr <shane@ca.afilias.info>",anon
3, Release,252,Support for in-memory zones for slaves,auth,,enhancement,normal,ahu,new,2009-08-25T11:25:08+0200,2009-12-21T21:48:49+0100,"# Zone that is not stored to disk
zone ""example.com"" {
 type slave;
 memory-only yes;
 masters { 127.0.0.1; };
};
",anon
3, Release,268,drop privileges before creating the controlsocket,recursor,,enhancement,normal,ahu,new,2010-02-12T17:51:25+0100,2010-02-12T17:51:25+0100,"Imho you should drop root privs before creating a control-socket and pidfile. This automatically requires a writable /var/run/powerdns (e.g.) for the configured user to write its control socket and pidfile in.
",anon
3, Release,269,rec_control only needs read/write permission on control-socket,recursor,3.5-recursor,enhancement,normal,ahu,new,2010-02-12T17:53:26+0100,2013-01-10T16:09:11+0100,It is not required to have write permission inside the directory where the control-socket resides. You only need to connect to the socket.,anon
3, Release,270,Please add --version to rec_control and any other pdns utility it is missing from :),component1,,enhancement,normal,somebody,new,2010-02-12T20:44:50+0100,2012-05-09T20:55:34+0200,"Please add --version to rec_control and any other pdns utility it is missing from.

From pdns_recursor:

(2:44pm) [seitz@renoir] [~] >  pdns_recursor --version
version: 3.2-rc1",anon
3, Release,275,ignoring ignore-rd-bit=on,documentation,3.4-pre,defect,normal,ahu,new,2010-03-01T17:20:34+0100,2012-05-09T20:55:13+0200,"we looked at the source and this flag is ignored.

See
http://wiki.powerdns.com/trac/changeset/844
VS
http://wiki.powerdns.com/trac/changeset/846",anon
3, Release,291,Introduce top-throttled list,recursor,3.5-recursor,enhancement,normal,ahu,new,2010-04-25T12:58:33+0200,2013-01-10T16:09:28+0100,"For debugging/troubleshooting purposes it'd be great to have a ""top-throttled"" list (ringbuffer) to see which zones/nameservers are causing problems.",anon
3, Release,293,Documentation on threads and statistics,recursor,3.5-recursor,enhancement,normal,ahu,new,2010-04-25T13:16:12+0200,2013-01-21T15:09:00+0100,Document how the statistics are calculated when running with multiple threads,anon
3, Release,294,Improve reliance of option parser,component1,,enhancement,normal,somebody,new,2010-04-25T13:28:07+0200,2012-07-22T09:04:50+0200,"The recursor currently diverts silently from expected behavior when not providing an '=' to arguments on the CLI. This is very ambiguous for people coming from getopt-style tools since it's optional in these.

For example:

{{{
# Start pdns_recursor on port 5300
pdns_recursor --local-port=5300
# Start pdns_recursor on random port
pdns_recursor --local-port 5300
}}}

In comparison to ls (as example), which behaves identically in every case:

{{{
training11:~# ls
config  dnsreplay  luascripts  powerdns  zonefiles
training11:~# ls -I '*dns*'
config  luascripts  zonefiles
training11:~# ls --ignore='*dns*'
config  luascripts  zonefiles
training11:~# ls --ignore '*dns*'
config  luascripts  zonefiles
training11:~#
}}}",anon
3, Release,297,Provide better cache introspection,recursor,3.5-recursor,enhancement,normal,ahu,new,2010-04-25T13:33:56+0200,2013-01-10T16:27:32+0100,"E.g. dump or fetch data from NSspeeds, throttlemap, etc.

",anon
3, Release,315,Autorecord hook for powerdns auth 2.9.22,auth,2.9.22,enhancement,normal,ahu,new,2010-09-28T14:17:10+0200,2012-05-09T19:27:49+0200,"This patch enables hooking of ""fallback"" lookup for reverse records by allowing users to define extra processing round for suffixes. with autoreverse-domains option user can define suffixes, that will be appended a .rev suffix, if no other backend gives any reply, and sent to another round of processing where a backend can claim them. 

autoreverse-domains=8.e.6.0.1.0.0.2.ip6.arpa

gives us

f.e.e.b.d.a.e.d.f.e.e.b.d.a.e.d.0.0.0.0.0.0.5.0.8.e.6.0.1.0.0.2.ip6.arpa. 60 IN PTR node-deadbeefdeadbeef.rev6e8-64.tdc.fi.

with appropriate backend answering for f.e.e.b.d.a.e.d.f.e.e.b.d.a.e.d.0.0.0.0.0.0.5.0.8.e.6.0.1.0.0.2.ip6.arpa.rev IN ANY


",anon
3, Release,320,Changeset r1714 isn't ideal,component1,,enhancement,normal,somebody,new,2010-10-10T23:39:15+0200,2010-10-10T23:39:15+0200,"Changeset r1714 to introduce inline ASM isn't ideal and a little wrong.

The correct description of the problem is that the !__sync_fetch_and_* functions are compiler builtins and only available on GCC >= 4.1 (other compilers have different availability).

So using !__sync_fetch_and_* on old GCC will fail. For example on old MacOS X Leopard (Apple GCC 4.0.x) or on RHEL-super-stable-but-outdated-sh*t. On RHEL you are prop. also bitten by this:
http://www.redhat.com/archives/rhelv5-list/2007-April/msg00092.html
I read it as if you do not take spec. care, you get GCC 3.4 as C++ compiler, prop. for endless compatibility.

The code should prop. look like this:

{{{
#if defined(__GNUC__) && ( __GNUC__ < 4 || ( __GNUC__ == 4 && __GNUC_MINOR__ < 1 ) )
# if defined( __i386__ ) || defined( __x86_64__ )
static int atomic_exchange_and_add( unsigned int * pw, int dv ) 
{ 
   // int r = *pw; 
   // *pw += dv; 
   // return r; 
   int r; 

   __asm__ __volatile__ (
      ""lock xadd %1, %0"" : 
      ""=m""( *pw ), ""=r""( r ): // outputs (%0, %1), the '+' constraint does not work reliably with all GCC versions 
      ""m"" ( *pw ), ""1""( dv ): // inputs (%3 == %1) 
      ""cc"" // clobbers 
   ); 
   return r; 
} 
# else
#  error Your GCC is too old and no Arch override for __sync_fetch_and_add was given
# endif
#else
static int atomic_exchange_and_add( unsigned int * pw, int dv ) 
{ 
   return __sync_fetch_and_add(pw, dv); 
} 
#endif
}}}

The upside of leaving the !__sync_fetch_and_add to the compiler builtin is that the compiler understands what you want to do, so for example if you do not use the return value it maybe can use another instruction.",anon
3, Release,344,Add an ipv6 transparent config option,auth,,enhancement,normal,ahu,reopened,2011-02-22T12:10:15+0100,2013-01-05T17:23:02+0100,"On ipv4 we set the ip_nonlocal_bind sysctl so that we can have the same pdns config across multiple servers even though some of them don't actually have interfaces for some of the addresses. Unfortunately there is not an option for this in linux on ipv6 so it would have to be implemented in the application itself. There is an IPV6_TRANSPARENT that can be set when creating the socket to have this behaviour. Could you add an ipv6-transparent-bind option to the config to allow this to happen?

Thanks,

Mark",anon
3, Release,349,slave domain needs checking - mass repeating,auth,3.0,defect,normal,ahu,new,2011-03-31T11:34:52+0200,2012-10-24T14:04:40+0200,"Hi,

as already discussed on channel, there seems to be some incorrect timeout values for rechecking failed AXFR, even though slave-cycle-interval is set to a good value (like 86400).

After doing an rndc reload on the master server, this was the first message:

Mar 31 10:50:13 s-dns pdns[4167]: Received serial number updates for 0 zones, had 1 timeouts
Mar 31 10:50:13 s-dns pdns[4167]: gmysql Connection successful
Mar 31 10:50:13 s-dns pdns[4167]: 1 slave domain needs checking, 0 queued for AXFR

Since then, it repeats every three seconds:

Mar 31 10:50:16 s-dns pdns[4167]: Received serial number updates for 0 zones, had 1 timeouts
Mar 31 10:50:17 s-dns pdns[4167]: gmysql Connection successful
Mar 31 10:50:17 s-dns pdns[4167]: 1 slave domain needs checking, 0 queued for AXFR
Mar 31 10:50:20 s-dns pdns[4167]: Received serial number updates for 0 zones, had 1 timeouts
Mar 31 10:50:20 s-dns pdns[4167]: gmysql Connection successful
Mar 31 10:50:20 s-dns pdns[4167]: 1 slave domain needs checking, 0 queued for AXFR
Mar 31 10:50:23 s-dns pdns[4167]: Received serial number updates for 0 zones, had 1 timeouts
Mar 31 10:50:24 s-dns pdns[4167]: gmysql Connection successful
Mar 31 10:50:24 s-dns pdns[4167]: 1 slave domain needs checking, 0 queued for AXFR
Mar 31 10:50:27 s-dns pdns[4167]: Received serial number updates for 0 zones, had 1 timeouts
Mar 31 10:50:27 s-dns pdns[4167]: gmysql Connection successful
Mar 31 10:50:27 s-dns pdns[4167]: 1 slave domain needs checking, 0 queued for AXFR
Mar 31 10:50:30 s-dns pdns[4167]: Received serial number updates for 0 zones, had 1 timeouts
Mar 31 10:50:31 s-dns pdns[4167]: gmysql Connection successful
Mar 31 10:50:31 s-dns pdns[4167]: 1 slave domain needs checking, 0 queued for AXFR
Mar 31 10:50:34 s-dns pdns[4167]: Received serial number updates for 0 zones, had 1 timeouts
Mar 31 10:50:35 s-dns pdns[4167]: gmysql Connection successful
Mar 31 10:50:35 s-dns pdns[4167]: 1 slave domain needs checking, 0 queued for AXFR
Mar 31 10:50:38 s-dns pdns[4167]: Received serial number updates for 0 zones, had 1 timeouts
Mar 31 10:50:38 s-dns pdns[4167]: gmysql Connection successful
Mar 31 10:50:38 s-dns pdns[4167]: 1 slave domain needs checking, 0 queued for AXFR
Mar 31 10:50:41 s-dns pdns[4167]: Received serial number updates for 0 zones, had 1 timeouts
Mar 31 10:50:42 s-dns pdns[4167]: gmysql Connection successful
Mar 31 10:50:42 s-dns pdns[4167]: 1 slave domain needs checking, 0 queued for AXFR
Mar 31 10:50:45 s-dns pdns[4167]: Received serial number updates for 0 zones, had 1 timeouts
Mar 31 10:50:45 s-dns pdns[4167]: gmysql Connection successful
Mar 31 10:50:45 s-dns pdns[4167]: 1 slave domain needs checking, 0 queued for AXFR

and has yet not stopped:

Mar 31 11:33:33 s-dns pdns[4730]: Received serial number updates for 0 zones, had 1 timeouts
Mar 31 11:33:33 s-dns pdns[4730]: gmysql Connection successful
Mar 31 11:33:33 s-dns pdns[4730]: 1 slave domain needs checking, 0 queued for AXFR
Mar 31 11:33:36 s-dns pdns[4730]: Received serial number updates for 0 zones, had 1 timeouts
Mar 31 11:33:36 s-dns pdns[4730]: gmysql Connection successful
Mar 31 11:33:36 s-dns pdns[4730]: 1 slave domain needs checking, 0 queued for AXFR
Mar 31 11:33:39 s-dns pdns[4730]: Received serial number updates for 0 zones, had 1 timeouts
Mar 31 11:33:40 s-dns pdns[4730]: gmysql Connection successful
Mar 31 11:33:40 s-dns pdns[4730]: 1 slave domain needs checking, 0 queued for AXFR
Mar 31 11:33:43 s-dns pdns[4730]: Received serial number updates for 0 zones, had 1 timeouts
Mar 31 11:33:43 s-dns pdns[4730]: gmysql Connection successful
Mar 31 11:33:43 s-dns pdns[4730]: 1 slave domain needs checking, 0 queued for AXFR

It doesn't seem to reduce performance of the pdns itself, but it's blowing the logfile up and renders it unreadable.",anon
3, Release,354,debian squeeze 6.0.1 pdns-server pdns-backend-mysql: # in mysql password causes access denied,auth,3.2,defect,normal,ahu,new,2011-04-19T17:43:06+0200,2012-10-06T16:00:37+0200,"Hi,

the special character # in a mysql-password stops the mysql-backend from successfully connecting to a working mysql server instance. pdns returns with ""Access denied"".",anon
3, Release,377,forwarding to recursor broken for delegated subzones in pdns-3.0,auth,3.2,defect,normal,ahu,new,2011-07-24T15:02:17+0200,2012-10-10T16:34:11+0200,"a) i have pdns-auth listening on *.53, and forwarding recursive queries to b) localhost:5300 where the pdns-recursor is running
I am authoritative for zone example.com, but have delegated blah.example.com to someone else
(this is with the bind backend running)
with 2.9.22 pdns will recurse for blah.example.com
with 3.0 it will only give me back the glue

now I changed my setup so I don't have it happening: pdns-recursor on 127.0.0.1:53 and the auth on the external IPs..
14:57 < Maik> If the behaviour is as described, that would seem to be a bug. Recursor forwarding is heavily deprecated, so it may have been missed in the RC phase. You can file a ticket at wiki.powerdns.com using the login info on the front page.

Please confirm if you can reproduce this behaviour with pdns-3.0.
The best solution to fix this would probably be to not allow pdns anymore to forward to a recursor ;-)

14:58 < Maik> See http://cr.yp.to/djbdns/separation.html for the deprecation.
14:59 < fets> it would be nice if the deprecation was actually in the pdns docs ;-)
15:00 < Maik> Oh, it would be nice if so many things were properly documented. ;-)
",anon
3, Release,379,feature request: dnswall-like functionality,recursor,3.5-recursor,enhancement,normal,ahu,new,2011-08-01T13:06:52+0200,2013-01-10T16:09:50+0100,"Hi,

Maybe I didn't read the manual properly, but I don't think I've seen options to configure similar functionality to the following project & paper yet:

https://code.google.com/p/google-dnswall/

Which is to prevent external domains from pointing to IP-addresses behind the corporate or home firewall.

It can potentially be abused by a malicious website using browser/plugins to connect to internal infrastructure from within the browser:

http://www.adambarth.com/papers/2009/jackson-barth-bortz-shao-boneh-tweb.pdf

The idea is simple, just filter out any responses which include an internal IP-address.

Probably it also needs an exception list for certain domains which are used internally.

Hope this was useful",anon
3, Release,413,--enable-botan1.9 without botan libs should break at configure time,auth,3.0,defect,normal,ahu,new,2011-12-20T17:36:17+0100,2012-05-09T20:43:07+0200,"Hi,

building pdns-3.1-pre.20111206.2310 on debian lenny.

Configure:

{{{
./configure \
                CC=""ccache gcc"" CXX=""ccache g++""\
                --prefix=/usr \
                --libexecdir='${prefix}/lib' \
                --libdir='${prefix}/lib/powerdns' \
                --sysconfdir=/etc/powerdns \
                --infodir='${datadir}/info' \
                --mandir='${datadir}/man' \
                --with-pgsql-lib=/opt/postgresql/lib --with-pgsql-includes=/opt/postgresql/include \
                --with-modules=""gmysql pdns geo"" \
                --with-dynmodules="""" \
                --without-lua \
                --enable-botan1.9 --enable-cryptopp \
                --enable-static-binaries 
}}}

--enable-botan1.9 was erroneously not deleted since I want to build a minimal binary.

./configure should detect botan's absence. Instead, configure finishes fine and the actual build fails:

{{{
ccache g++ -DHAVE_CONFIG_H -I. -I..  -Ibackends/bind  -pthread  -DSYSCONFDIR=\""/etc/powerdns\"" -DLIBDIR=\""/usr/lib/powerdns\"" -DLOCALSTATEDIR=\""/var/run\"" -Ibackends/bind -pthread  -Iext/polarssl/include -D_GNU_SOURCE  -Wall -O2 -MT botan19signers.o -MD -MP -MF .deps/botan19signers.Tpo -c -o botan19signers.o botan19signers.cc
botan19signers.cc:2:25: error: botan/botan.h: No such file or directory
botan19signers.cc:3:25: error: botan/ecdsa.h: No such file or directory
}}}

In my opinion, it should fail at configure time and not waste time on a build attempt
",anon
3, Release,418,Better specfile for 2.9.22,auth,2.9.22,enhancement,normal,ahu,new,2012-01-10T15:07:43+0100,2012-01-10T15:07:43+0100,"Please find attached a better pdns.spec file for powerdns building. To build using the specfile, you need a tar.gz file containing source tree in 'pdns-static-2.9.22' directory.
",anon
3, Release,419,using botan 1.8 causes dnssec signed zonetransfers to crash,auth,3.0,defect,normal,ahu,new,2012-01-10T20:41:41+0100,2012-05-09T20:25:01+0200,"botan 1.9 works fine
It may be that we have to enable more threadsafety in 1.9 in some way.

In botansigners.cc we supposedly do that, but perhaps not well enough.",ahu
3, Release,421,CNAMEs to external records don't resolve,auth,3.2,enhancement,normal,ahu,new,2012-01-23T17:24:08+0100,2012-11-30T14:33:58+0100,"We are running pdns-static release 3.0-1 and recursor release 3.3-1 and are using the pdns.conf settings listed below. We are having problems when trying to resolve a CNAME record that points to an external domain. For example we have a CNAME record with test1.example.com pointing to www.aol.com. When you do a look up on test1.example.com you get a connection timed out SERVFAIL. This is the same issue as ticket #212 that states that the issue was fixed in version 3.0. We would appreciate any help with this issue. Thank you.


 allow-axfr-ips=x.x.x.x

 allow-recursion=x.x.x.x

 config-dir=/etc/powerdns

 daemon=yes

 default-soa-name=production.example.com

 disable-axfr=no

 distributor-threads=10

 guardian=yes

 launch=gmysql

 gmysql-host=localhost

 gmysql-user=pdns

 gmysql-password=xxxxx

 gmysql-dbname=powerdns

 lazy-recursion=yes

 local-address=x.x.x.x

 local-port=53

 log-dns-details=yes

 log-failed-updates=yes

 logfile=/var/log/pdns.log

 logging-facility=0

 loglevel=9

 master=yes

 max-queue-length=20000

 module-dir=/usr/lib/powerdns

 recursor=x.x.x.x

 setgid=pdns

 setuid=pdns

 socket-dir=/var/run

 version-string=powerdns",anon
3, Release,424,PowerDNS Recursor qa-latency statistic failures,recursor,3.4-pre,defect,normal,ahu,new,2012-02-08T11:46:22+0100,2012-02-08T11:46:22+0100,"In pdns_recursor.cc is this calculation for each user query:
{{{
g_stats.avgLatencyUsec=(uint64_t)((1-0.0001)*g_stats.avgLatencyUsec + 0.0001*newLat);
}}}
This does not work if newLat<10000 (10ms). Because the uint64_t cast is cutting the decimal places and avgLatencyUsec retains its value minus 1/10000 of it. But it would work if avgLatencyUsec type is a double.[[BR]][[BR]]

Another point is this condition:

{{{
uint64_t newLat=(uint64_t)(spent*1000000);
if(newLat < 1000000) // outliers of several minutes exist..
  ...
}}}

This means that timeouts never count because the default network-timeout is 1500ms. That's bad. We suggest this:


{{{
uint64_t newLat=(uint64_t)(spent*1000000);
newLat = min(newLat,(uint64_t)(g_networkTimeoutMsec*1000));
}}}

And in this context we have a suggestion for a new Recursor setting:


{{{
::arg().set(""latency-statistic-size"",""Number of latency values to calculate the qa-latency average"")=""10000"";
}}}

With this option we can change the smoothing factor of the qa-latency value.

Attached you will find our suggestions as a patch. It's probably faulty coded. But it works for us.",anon
3, Release,435,recursive lookup for delegation stops working,auth,3.0,defect,normal,ahu,new,2012-03-14T14:34:11+0100,2012-03-14T14:34:11+0100,"hi,

I installed the 3.0-1.1 debian package. Some recursion with delegation went wrong. I have here two windows domain controllers with running dns for the windows domain stuff.

I transfer this zone to my powerdns (dns.via.de, ns2.via.de). The powerdns is auth. and rec. DNS server (I know bad idea but the history...).

The Zone is dus.via.de and has an entry like:

442389 |      2070 | _msdcs.dus.via.de | NS   | dc02.dus.via.de | 3600 |   10 |        NULL | NULL      | NULL |

The pdns server has also the setting recursor=127.0.0.1 where the pdns-recursor is running. The recursor can:

root@dns:[~] > host -t SRV _ldap._tcp.dc._msdcs.DUS.VIA.DE 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

_ldap._tcp.dc._msdcs.DUS.VIA.DE has SRV record 0 100 389 dc02.dus.via.de.
_ldap._tcp.dc._msdcs.DUS.VIA.DE has SRV record 0 100 389 dc01.dus.via.de.
root@dns:[~] > 

But the pdns-server can't. After downgrading to 2.9 all things run fine again. I must only comment gmysql-dnssec=no out cause 2.9 doesn't know it.


",anon
3, Release,436,do not strip binaries by default,component1,,defect,normal,somebody,new,2012-03-14T16:19:13+0100,2012-03-14T16:21:41+0100,"at least the makefile for the recursor strips binaries by default. so every distributor needs to patch out those calls to get working debuginfo packages.

could this default be changed?",anon
3, Release,440,Feature request: DNS Prefetching,recursor,3.5-recursor,enhancement,normal,ahu,new,2012-03-23T10:03:51+0100,2013-04-17T23:39:02+0200,"This is a feature request for DNS prefetching in PowerDNS Recursor. Attached is a proof of concept implementation. It seems to work. But it's hard to say whether it improves the average latency from the customer perspective. Prefetching simply ensures that popular domain names are always fresh in the Recursor's cache.

The attached patch already includes the patch suggestion from [http://wiki.powerdns.com/trac/ticket/438] which is a requirement for the prefetch proof of concept patch.",anon
3, Release,444,Wildcard on root domain '' does not work as expected,auth,3.2,defect,normal,ahu,new,2012-04-04T10:01:39+0200,2012-10-12T11:55:33+0200,"Wildcard queries for the root domain (domain.name='') do not work when using the gmysql backend, because pdns queries '*.' instead of '*' when trying to retrieve wildcard records from the database (see attached log).

As a workaround, a wildcard record '*.' could be added to the database.",anon
3, Release,447,implement equivalent of BIND's transfer-source and notify-source,auth,3.2,enhancement,normal,ahu,new,2012-04-18T23:08:33+0200,2012-11-30T14:33:02+0100,"Please implement equivalent of bind's ""transfer-source"" and ""notify-source"" for both IPv4 and IPv6. Logic behind this would be:

transfer-source <ipv6addr or ipv4addr>,...
notify-source <ipv6addr or ipv4addr>

transfer-source would use addresses in given order, if first fails, it goes to the other one, etc...

this should to be specified either globally or per-zone using domainmetadata.
",anon
3, Release,448,zone2sql --oracle SQL statements do not correspond to documented schema,auth,3.0,defect,normal,ahu,new,2012-04-19T16:13:25+0200,2012-06-03T16:06:02+0200,"When zone2sql is used with --oracle switch, the generated SQL code does not correspond to the schema as described in the official documentation, specifically:


CREATE TABLE records (
        id              number(11) not NULL,
        domain_id       INT DEFAULT NULL REFERENCES Domains(ID) ON DELETE CASCADE,
        name            VARCHAR(255) DEFAULT NULL,
        type            VARCHAR(10) DEFAULT NULL,
        content         VARCHAR2(4000) DEFAULT NULL,
        ttl             INT DEFAULT NULL,
        prio            INT DEFAULT NULL,
        change_date     INT DEFAULT NULL, 
	primary key (id)
);

however, the zone2sql --oracle generates DML statements as follows (example scrubbed for privacy / security reasons):

insert into Records (id,ZoneId, name,type,content,TimeToLive,Priority) select RECORDS_ID_SEQUENCE.nextval,id ,'host.subdomain.domain.tld', 'A', '1.2.3.4', 86400, 0 from Domains where name='subdomain.domain.tld'
                                                             *
ERROR at line 1:
ORA-00904: ""PRIORITY"": invalid identifier

from the schema above, it is apparent that there is a disconnect between what the documented schema is, and what zone2sql thinks should be in the schema. There might be more discrepancies between zone2sql and the documented Oracle schema.",anon
3, Release,454,Feature request: NOTIFY sending only to a list of IPs,auth,3.2,enhancement,normal,ahu,new,2012-05-02T15:34:39+0200,2012-11-30T14:32:36+0100,"When I use the authoritative component with bindbackend as master it sends NOTIFY messages to all IPs that are in NS records of their own zones.
I would like to get a new feature in bindbackend (or in auth) that restricts the target of the NOTIFY messages to my list. I do not want to send them to all IPs of NS records.",anon
3, Release,466,please add include directive to configuration file parser,auth,3.2,enhancement,normal,ahu,new,2012-05-12T10:00:26+0200,2012-10-05T19:08:25+0200,"Debian is patching its pdns package to allow an include directive in the configuration. This has shown to be an extremely handy feature, and I would love to see this in PowerDNS upstream.

Our patch is attached.

Please note that this patch also patches pdnssec.cc, but I fear that this patch actually only adds a no-op configuration directive (unless pdnssec is using the same config file parser as pdns proper, in which case the directive probably works).

Please consider applying our patch to PowerDNS upstream.

Greetings
Marc
",anon
3, Release,467,automatic removal of inactive slave zones,auth,3.2,enhancement,normal,ahu,new,2012-05-12T10:06:21+0200,2012-11-08T15:21:36+0100,"This is Debian Bug #376036, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=376036

Text follows:
Especially on machines using supermasters, it would be awesome if
pdns could run periodic checks on zones that it slaves and for which
it has not received a notification in a configurable time, and
remove the ones for which the master returns an error. Then I could
just remove a domain from the supermaster and know that within
a configurable time span, the superslave will also forget about it.
------

Forwarder's note: This should be configurable, so that the old behavior can be reinstated.

Greetings
Marc
",anon
3, Release,468,do not self-notify,auth,3.2,enhancement,normal,ahu,new,2012-05-12T10:10:31+0200,2012-11-08T15:20:36+0100,"Please apply
https://github.com/cyclops1982/powerdns/tree/no-self-notify2
",anon
3, Release,469,Please follow includes with bind-check-interval,auth,3.2,defect,normal,ahu,new,2012-05-12T10:14:19+0200,2012-10-10T16:03:34+0200,"This is Debian Bug #406468, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=406468

Text follows:
With using bind-check-interval, zones are automatically reloaded once their mtimes change. However, it's also possible to have $INCLUDE statements in a zonefile, and those are not chased. This means that one needs to touch the zone file itself to trigger a reload if you just change one of the included files.

It'd be nice if the bind backend would maintain a list of files that
were read during parsing of a zone file, and monitor them all for
changes. I do realize though that normally the master file would be
updated anyway for the serial, but in certain in-house situations that is not otherwise required.
",anon
3, Release,474,Improve error logging during AXFR,auth,3.2,enhancement,normal,ahu,new,2012-05-23T12:19:01+0200,2012-11-30T14:32:20+0100,"Currently AXFRs fail with no indication of what went wrong other than very vague notion of ""data problem"". Yet, pdnssec check-zone can provide in-detail description of the problem. Please consider changing the AXFR code to show detailed problem description as well. ",anon
3, Release,476,Add support for default ksk and zsk for config files,auth,3.2,enhancement,normal,ahu,new,2012-05-23T16:02:59+0200,2012-12-17T15:57:53+0100,"Allows one to use default-ksk-algorithms, default-ksk-size, default-zsk-algorithms, default-zsk-size in config file to define defaults for pdnssec secure-zone. ",anon
3, Release,479,Supermasters' operation clarification,documentation,3.1,enhancement,normal,ahu,new,2012-05-27T15:54:14+0200,2012-05-27T15:55:42+0200,"oracle backend documentation states:

""A supernotification will be accepted if an entry is found such that the notification came from ip and nameserver appears in an NS record for that zone.""

For somebody configuring automatic provisioning of slaves for the first time, it is unclear whether the above paragraph refers to the supermaster or superslave.

The documentation should explicitly state whether this entry is to be found in the superslave's or supermaster's ""supermasters"" table.",anon
3, Release,480,"Clarify differences between ""account"" and ""name"" in ""goracle"" and ""oracle"" backends",documentation,3.1,enhancement,normal,ahu,new,2012-05-27T16:16:33+0200,2012-05-27T16:16:33+0200,"Section 2.1, ""Supermaster automatic provisioning of slaves"" in the documentation states:

""So, to benefit from this feature, a backend needs to know about the IP address of the supermaster, and how PDNS will be listed in the set of NS records remotely, and the 'account' name of your supermaster. There is no need to fill the account name out but it does help keep track of where a domain comes from.""

But in section 4., ""Oracle backend"", no mention is made of the ""account"" column; rather, there is a ""name"" column instead. The documentation in section 2.1 should explicitly mention that.

To make matters even more confusing, the section 3.3 ""Oracle specifics"" does not explicitly state that this refers to the ""goracle"" backend; for someone perusing the documentation as a reference manual, rather than a cover-to-cover read, this can be misleading, especially if that person or persons are trying to configure pdns for the first time.

In general, a distinction between ""goracle"" and ""oracle"" backends should be made very clear everywhere each is discussed, as it is unclear to new users that these are two completely different backends with different requirements.

The documentation should not assume one understands the finer points of operating a pdns server, nor that one's powers of inference are indeed great.",anon
3, Release,481,Separating KSK and ZSK to prevent compromise of KSK,auth,3.2,enhancement,normal,ahu,new,2012-05-30T14:10:09+0200,2012-11-30T13:36:29+0100,"As the KSK in terms of records is just 2 records, the DNSKEY-record for the public key part of the KSK and the RRSIG over all the DNSKEY-records.

If the RRSIG is added to the records-table, then the KSK private key does not have to be stored with the rest of the key material for other operations than changing keys.

The KSK private key could be kept in the filesystem, a HSM or not be replicated when using a database as in hidden master-like setup or offline.

It might not work with presigned because of ordering, but with presigned you might as well not even keep the cryptokeys table in the database.

It should work in theory with something like NSEC3-narrow.

I'm not sure about the other modes of DNSSEC operation PowerDNS supports.",anon
3, Release,482,High latency after upgrading to PowerDNS 3.1 Auth on FreeBSD,auth,3.2,defect,normal,ahu,new,2012-06-01T12:30:51+0200,2012-11-30T14:43:01+0100,"Hi,

We're running PowerDNS for ages (still) on a particular FreeBSD 6.x machine. We never had 'high' latency, until I upgraded from 2.9.22.x -> 3.1

Latency went from ~ 200usec avg (which is also higher than our Linux VMs running 2.9.22.x did) to over > 1000 usec.
Sometimes it even peaks now at > 51000 usec.

I tried the same with 3.0, and that shows no increase in latency compared to 2.9.22.x

Something seems a bit fishy for 3.1...

We use the gpgsql backend by the way.",anon
3, Release,483,"pdns_control ""cycle"" command does not work",documentation,3.1,enhancement,normal,ahu,new,2012-06-03T15:51:02+0200,2012-09-20T15:17:06+0200,"As per the subject line, the manual page documents the ""cycle"" command, but running it produces an error in pdns_server:

> pdns_control cycle
Unknown command: 'CYCLE'

> pdns_control version; pdns_control uptime
3.1
15 minutes",anon
3, Release,487,broken pdns_control,auth,3.2,defect,normal,ahu,new,2012-06-12T14:40:31+0200,2013-01-07T13:06:21+0100,"Sometimes our
{{{
# pdns_control bind-reload-now <zone>
}}}
command does not work as expected. Instead of reloading the zone (or other commands), it shows the result from an earlier command.

Example console output:
{{{
# pdns_control show udp-queries
490145268
# pdns_control bind-reload-now test
490145323
# pdns_control bind-reload-now test
490145382
# pdns_control bind-reload-now test
490145463
# pdns_control bind-reload-now test
test:   parsed into memory at Tue Jun 12 14:25:50 2012
}}}

Version (SVN 2012/02/15):
{{{
Version: 3.1-pre, compiled on Feb 15 2012, 15:41:32 with gcc version 4.3.4 [gcc-4_3-branch revision 152973]
}}}


",anon
3, Release,489,PowerDNS Bind backend doesn't transfer zones if it receives no notify packet,auth,3.2,defect,normal,ahu,reopened,2012-06-14T10:37:39+0200,2013-03-15T14:06:34+0100,"Our PowerDNS Authoritative servers, configured as slaves with the Bind backend, do not send SOA requests to the master to check if the serial number has increased (refresh interval).

AXFRs only seem to work because the master sends reliable notifies. After a notify, the slaves send the SOA request and do the zone transfer as usual.

{{{
Version: 3.1-pre, compiled on Feb 15 2012, 15:41:32 with gcc version 4.3.4 [gcc-4_3-branch revision 152973]
}}}


{{{
config-dir=/etc/powerdns
daemon=yes
do-ipv6-additional-processing=yes
launch=gmysql,bind,pipe
bind-config=/etc/powerdns/bind/named.conf
bind-check-interval=60
gmysql-user=xxxxxxxx
gmysql-dbname=xxxxxxxx
gmysql-password=xxxxxxxx
gmysql-socket=/var/lib/mysql/mysql.sock
lazy-recursion=no
local-address=xxxxxxxxxxxxx,xxxxxxxxxxxxx,xxxxxxxxx
local-ipv6=xxxxxxxxxxxxxxxxxxxxxx,xxxxxxxxxxxxxxxxxxxxxx,xxx
master=yes
max-tcp-connections=500
out-of-zone-additional-processing=no
pipebackend-abi-version=1
pipe-command=/var/powerdns/pipe/pipebe
pipe-timeout=20
query-cache-ttl=0
slave=yes
version-string=anonymous
trusted-notification-proxy=xxxxxxxxxxxx
}}}
",anon
3, Release,493,"pdns_sec_ doesn't recognize ""include"" directive in pdns.conf",auth,3.2,enhancement,normal,ahu,new,2012-06-16T17:46:37+0200,2013-02-27T10:44:02+0100,"This is Debian Bug #656292, http://bugs.debian.org/656292

From: Puzzlet Chung <puzzlet@gmail.com>
Subject: Bug#656292: pdnssec doesn't recognize ""include"" directive in pdns.conf
To: submit@bugs.debian.org
Reply-To: Puzzlet Chung <puzzlet@gmail.com>, 656292@bugs.debian.org
Date: Wed, 18 Jan 2012 11:39:18 +0900
X-Debian-PR-Package: pdns-server

Package: pdns-server
Version: 3.0-1.1

pdnssec, a newly introduced tool in pdns 3.0, tries to find the
backend configuration from pdns.conf. In Debian, by default, the
backend configuration is specified by a separate file, (e.g.
/etc/powerdns/pdns.d/pdns.local.gmysql,) the location of which is
specified in pdns.conf by ""include"" directive:

include=/etc/powerdns/pdns.d

It seems that pdnssec doesn't recognize it. (When you concatenate the
missing configuration to pdns.conf itself, it works fine.)

# pdnssec rectify-zone example.com
Error: No database backends configured for launch, unable to function",anon
3, Release,494,Please document path and name of pid file,documentation,3.1,enhancement,normal,ahu,new,2012-06-16T18:49:57+0200,2012-09-20T15:14:21+0200,"Hi,

please document where powerdns writes its pid file, and how it is named. This is especially important when a --config-name is used.

Googling for ""site:doc.powerdns.com pid"" gives a rather short list of (irrelevant) hits.
",anon
3, Release,495,"--with-modules=""ldap"" --enable-static-binaries bombs during configure",auth,3.2,defect,normal,ahu,new,2012-06-16T23:25:24+0200,2012-12-17T15:56:17+0100,"$ ./configure --with-modules=""ldap"" --with-dynmodules="""" --enable-static-binaries

this fails, because it cannot find libldap:

checking for ldap_set_option in -lldap... no
configure: error: ldap library (libldap) not found

Log contains:

x86_64-linux-gnu-g++: error: unrecognized command line option 
           '-all-static'

otoh, the dynamic version:

./configure --with-modules="""" --with-dynmodules=""ldap""

configures just fine.
",anon
3, Release,505,pdnssec could automatically set sane SOA-EDIT values,auth,3.2,enhancement,normal,ahu,new,2012-06-27T12:20:56+0200,2012-12-17T15:57:00+0100,"Currently my workflow is as following: 

pdnssec secure-zone example.net

pdnssec rectify-zone example.net

pdnssec show-zone example.net

Then I have to dive into the backend: 

mysql> select id from domains where name='example.net';

id = 99

mysql> insert into domainmetadata (domain_id, kind, content) values (99, 'SOA-EDIT', 'INCEPTION-EPOCH');

It would be great if pdnssec sets _some_ value for SOA-EDIT because I wouldn't be surprised that some people who set up DNSSEC, and after 9 days burst into tears. Also it saves me 2 extra lines of typing. ",anon
3, Release,506,better support for dual-stack master/slave setups,auth,3.2,enhancement,normal,ahu,new,2012-06-27T12:28:12+0200,2012-11-30T14:28:29+0100,"It would be nice if I could define a list of IP addresses that belong to a certain supermaster: 

INSERT INTO ""supermasters"" VALUES('94.142.241.53,2a02:898:52:1::1','ns1.6core.net','internal');

Now if the slave receives a NOTIFY from either of those IP addresses it could maybe do something like: 

INSERT INTO ""domains"" VALUES(4,'ring.nlnog.net','94.142.241.53,2a02:898:52:1::1',1340785399,'SLAVE',NULL,'internal');

This way I don't have to manually update the domains table after a slave receives the first notify. Also it prevents lots of errors in the syslog because after a notify has been received over IPv4, it will reject the notifies coming over IPv6 because at that point pdns-server doesn't look at the supermasters table any more. ",anon
3, Release,507,pdnssec should be used to show and modify domainmetadata,auth,3.2,enhancement,normal,ahu,new,2012-06-27T12:36:38+0200,2013-01-07T13:06:41+0100,"When dealing with pdns-server it would be nice if I don't ever have to dive into the backend manually but access all features through pdnssec.

Maybe pdnssec can be extended with a command like 'set-meta'. Example:

pdnssec set-meta example.net SOA-EDIT INCEPTION-EPOCH

pdnssec show-meta example.net",anon
3, Release,510,Better specfile for 3.1,auth,3.2,enhancement,normal,ahu,new,2012-07-02T12:19:47+0200,2012-11-30T14:27:32+0100,Allows people to build their own rpms easier than with the existing one. Works with rpmbuild -tb pdns-3.1.tar.gz,anon
3, Release,512,check-zone does not check NS RDATA NSDNAME,auth,3.2,enhancement,normal,ahu,new,2012-07-02T15:44:07+0200,2013-01-07T13:07:04+0100,"If the content of an NS record is 'http://example.com/', check-zone does not complain. It should.",peter
3, Release,513,Fix for GSQL backend to enable multiple dnssec storage backends,auth,3.2,defect,normal,ahu,new,2012-07-03T10:53:03+0200,2012-10-10T16:35:40+0200,"Due to a mistake in the GSQL backend, one cannot use more than one storage for DNSSEC data. The patch included fixes this by checking whether the backend in question actually serves the domain, causing Ueberbackend to find the correct backend for the domain. This allows multiple SQL backends with DNSSEC enabled. ",anon
3, Release,516,Inconsistent behaviour in pdnssec and pdns_control --config-name,auth,3.2,enhancement,normal,ahu,new,2012-07-04T16:50:23+0200,2012-11-30T14:27:13+0100,"
{{{
root@ns06:/etc/powerdns# pdnssec --config-name server check-zone shellz.nl
Checked 24 records of 'shellz.nl', 0 errors
root@ns06:/etc/powerdns# pdnssec --config-name=server check-zone shellz.nl
Checked 24 records of 'shellz.nl', 0 errors
}}}


{{{
root@ns06:/etc/powerdns# pdns_control --config-name server notify shellz.nl
Fatal error: Unable to connect to remote '/var/run/pdns.controlsocket': Connection refused
root@ns06:/etc/powerdns# pdns_control --config-name=server notify shellz.nl
Added to queue
}}}",anon
3, Release,518,Option to quit after first zone with errors in pdnssec check-all-zones,auth,3.2,enhancement,normal,ahu,new,2012-07-06T13:42:09+0200,2013-01-07T13:07:12+0100,This would help in fixing zones one-by-one.,anon
3, Release,523,Bind backend does not return false for DNSSEC requests on domains it is not authoritative for,auth,3.2,defect,normal,ahu,new,2012-07-08T20:20:44+0200,2012-10-10T16:35:51+0200,"The bind backend has the same bug as gsql backends, not returning false for domains it is not authoritative for. Patch contained within this ticket fixes this by checking if backend is authoritative for the domain before doing anything else. ",anon
3, Release,527,oracle-dnssec support and fix for wrong return codes for oracle backend,auth,3.2,enhancement,normal,ahu,new,2012-07-10T23:05:22+0200,2012-11-30T14:03:23+0100,Patch contained replicates the features of gsql backend to have separate -auth queries for oracle-dnssec=yes. Also lets you disable dnssec if you are not ready for it. ,anon
3, Release,528,Provide better errors (AXFR),auth,3.2,enhancement,normal,ahu,new,2012-07-11T19:19:25+0200,2012-11-30T12:33:14+0100,"For a domain I get the following error when trying to AXFR:
Unable to AXFR zone 'domein.nl' from remote 'ipv4 address' (resolver): AXFR chunk with a non-zero rcode 9

This is in the logs on the master. This could mean NOTAUTH or no access if I understand it correctly (from Habbie).",anon
3, Release,531,PIPE backend should provide exact qtype,auth,3.2,enhancement,normal,ahu,new,2012-07-12T20:56:38+0200,2012-10-05T18:58:57+0200,"PowerDNS's PIPE backend receives queries addressed to it, mainly (only?) with a ''qtype'' of `ANY`. Some of us believe PowerDNS should hand over the exact ''qtype'' (e.g. `A`, `AAAA`, `MX`, etc.) so that the backend can decide whether or not it should reply to the request:

 * Some requests are computationally expensive and the PIPE backend might prefer not to answer them.
 * Some requests might be from particular addresses, and PIPE backend may prefer not to reply for specific ''qtype''s.

In the case PowerDNS has actually received a ''qtype'' of `ANY`, it should obviously pass that in to PIPE.

(This should also be foreseen for the proposed SOCKET backend ticket:529 )

Regards,

    -JP",anon
3, Release,538,nproxy to pass original source IP to pdns,auth,3.2,enhancement,normal,ahu,new,2012-07-23T20:45:03+0200,2012-11-30T12:18:19+0100,"If pdns receives a notify directly, it compares this IP address against the master for the zone.  If pdns receives a notify from nproxy, it only checks to see if the zone has a master, and not if the notify came from the master or not, because of course, nproxy doesn't forward this information to pdns.

It would be nice if nproxy did forward along the original source IP address of the notify, possibly as a EDNS extension.

Maybe:
http://tools.ietf.org/html/draft-vandergaast-edns-client-ip-01",anon
3, Release,539,Add nproxy support into pdns.,auth,3.2,enhancement,normal,ahu,new,2012-07-23T20:53:06+0200,2012-11-30T12:18:06+0100,"In cases of using pdns with native replication, only the name server that talks directly to the master MySQL instance can write to the database, and is therefore the only node that can execute a zone transfer from another DNS server.  If this master server is behind a firewall, it can't get notifies directly, and nproxy is needed.

It would be nice if nproxy & pdns could easily co-exist on the same machine / IP address.  It is possible to do this with some IPTables rules, and putting nproxy on a different port number, but, it would be more desirable to have all of the functionality in one binary.

This functionality could be enabled with a configuration option in pdns.conf that specified the IP address of the server to proxy the notifies to.",anon
3, Release,542,Compiler warning about void* cast on tcpreceiver.c,auth,3.2,defect,normal,ahu,new,2012-08-03T21:15:18+0200,2012-10-12T11:56:29+0200,"On line 921 you have

if(pthread_create(&tid, 0, &doConnection, (void *)fd)) {

This causes a compiler warning about the cast. The warning goes away with a C++-style cast:

if(pthread_create(&tid, 0, &doConnection, reinterpret_cast<void *>(fd))) {

",anon
3, Release,544,Missing function when compiling mydnsbackend without gmysql backend (static / dynamic),auth,3.2,defect,normal,ahu,new,2012-08-08T00:11:29+0200,2012-11-30T14:40:49+0100,"The mydns backend requires a function in the gmysql code which causes it to fail when compiling both as a dynamic function:


{{{
./configure --with-dynmodules=""mydns""
}}}

it also fails if you include gmysql as a dynamic module:

{{{
./configure --with-dynmodules=""mydns gmysql""
}}}

The only way to get it to compile cleanly is if you compile them both as a static module:

{{{
./configure --with-module=""mydns gmysql""
}}}

Here is the output when attempting to compile the mydns backend statically without the gmysql backend:


{{{
../modules/mydnsbackend/mydnsbackend.o: In function `MyDNSBackend':
/usr/src/redhat/BUILD/pdns-3.1/modules/mydnsbackend/mydnsbackend.cc:51: undefined reference to `SMySQL::SMySQL(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned short, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)'
/usr/src/redhat/BUILD/pdns-3.1/modules/mydnsbackend/mydnsbackend.cc:51: undefined reference to `SMySQL::SMySQL(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned short, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)'
}}}

",anon
3, Release,545,pdnssec check-zone does not detect double-cname,auth,3.2,enhancement,normal,ahu,new,2012-08-08T12:29:55+0200,2013-01-07T13:07:29+0100,"check-zone doesn't detect double-cname records on zone. 

For example:

name IN CNAME foo.bar.baz
name IN cname bar.baz.foo",anon
3, Release,549,Implement scopebits to allow for cache-control through pipe-backend,auth,3.2,enhancement,normal,ahu,new,2012-08-12T13:54:02+0200,2012-10-05T18:58:26+0200,"Hello,

as discussed on IRC a few days back it would be great if the scopebits parameter from the pipe backend would be implemented to allow cache control.

I have implemented a pipe-backend that is geo-aware based on the client's IP address. It therefore gives different replies for the same query based on where it is coming from. This is incompatible with PowerDNS caching so I need to disable the cache which kills performance.

The scopebits parameter seems to be a good way to give the pipe-backend more control over the behaviour of PowerDNS. If, for example, scopebits would be set to a non-zero value this would indicate that the pipe-reply is not globally valid and should therefore not be cached. If set to zero, the normal caching could apply.

The details of implementation are probably a little more difficult than this but this would be my idea on how it could work.",anon
3, Release,551,Use of getSOA luabackend can result in use of uninitialized domain_id,auth,3.2,defect,normal,ahu,new,2012-08-13T21:54:10+0200,2012-10-08T08:51:24+0200,"I was trying this example:

http://wiki.powerdns.com/trac/browser/trunk/pdns/modules/luabackend/test/powerdns-luabackend.lua

With this in pdns.conf:

launch=gpgsql,lua

Then I added test.com also to my other backend, after which I noticed that certain PostgreSQL queries included the wrong domain_id.

This is probably because I didn't add a SOA-record in the database.

Seems the example does not return a domain_id for getSOA which causes PowerDNS to use an uninitialized domain_id.

I don't think this can cause any big problems as the queries that are involved also include the host in the query. It could maybe prevent PowerDNS from finding real data you'd expect to work because certain things do work. 

The problem is with the call to getAuth in PacketHandler::questionOrRecurse it expects a proper domain_id.",anon
3, Release,552,"Documentation suggestion: clarify ""cache-hits"" isn't (all) cache hits",documentation,3.4-pre,enhancement,normal,ahu,new,2012-08-14T13:57:10+0200,2012-09-20T14:22:03+0200,"On http://docs.powerdns.com/recursor-stats.html, please clarify that the ""cache-hits"" is actually cache-hits-for-reqs-not-caught-by-packet-cache.

I know it's stated at other places, but one looks at the table, and reads the explanation there...",anon
3, Release,556,Prevent ambiguous database table fields for customized setups,auth,3.2,enhancement,normal,ahu,new,2012-08-16T15:12:40+0200,2012-11-30T12:15:29+0100,"In our setup, we have adapted the PowerDNS database structure a little. Two of the fields added are the field ''domains.active'' and ''records.active''.

When trying to secure a zone (PowerDNS 3.1), there is a SQL error:
{{{
# pdnssec secure-zone zone-to-be-secured.com
Error: GSQLBackend unable to list keys: Failed to execute mysql_query,
perhaps connection died?
Err=1: Column 'active' in field list is ambiguous
}}}

Although one can argue about the use and risk of changing the database structure, I think it will improve the quality of the software in general by adding table names to field names in SQL queries.

As a solution for our problem I will rename the field so that we can continue.",anon
3, Release,557,gmysql deadlock during parallel slaving,auth,3.2,defect,normal,ahu,new,2012-08-17T15:37:51+0200,2013-01-07T13:07:58+0100,"When slaving two zones at the same time (i.e. retrieval-threads>1), an innodb deadlock can occur. Details:
{{{
120817 15:32:59
*** (1) TRANSACTION:
TRANSACTION 0 3832911, ACTIVE 0 sec, process no 23635, OS thread id 139807856740096 inserting
mysql tables in use 1, locked 1
LOCK WAIT 3 lock struct(s), heap size 1216, 2 row lock(s), undo log entries 1
MySQL thread id 1984, query id 1447979 localhost root update
insert into records (content,ttl,prio,type,domain_id,name,auth) values ('ns1.delegated.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400',3600,0,'SOA',5,'delegated.dnssec-parent.com', '1')
*** (1) WAITING FOR THIS LOCK TO BE GRANTED:
RECORD LOCKS space id 0 page no 29240 n bits 232 index `domain_id` of table `pdnstest2`.`records` trx id 0 3832911 lock_mode X insert intention waiting
Record lock, heap no 1 PHYSICAL RECORD: n_fields 1; compact format; info bits 0
 0: len 8; hex 73757072656d756d; asc supremum;;

*** (2) TRANSACTION:
TRANSACTION 0 3832878, ACTIVE 1 sec, process no 23635, OS thread id 139807674652416 inserting, thread declared inside InnoDB 500
mysql tables in use 1, locked 1
9 lock struct(s), heap size 1216, 167 row lock(s), undo log entries 163
MySQL thread id 1935, query id 1447981 localhost root update
insert into records (content,ttl,prio,type,domain_id,name,auth) values ('A 8 3 120 20120830000000 20120816000000 21019 example.com. HWFpQ3quYHTfLKJ1z5rCuEW+gypiqwApCuDHAinGt4VWZkQmblv/UIPLERvNyHu5FiLSg6ocmDw1o8u9Ds9WVVi+bziW75WRgcP/b1B1QqGwxoR624nQ8uHstF++iIQyONS9Kxt8RStU1UNLj+2V69DlG0p+hTSBKNF6n9/oS40=',120,0,'RRSIG',1,'host-10055.example.com', '1')
*** (2) HOLDS THE LOCK(S):
RECORD LOCKS space id 0 page no 29240 n bits 72 index `domain_id` of table `pdnstest2`.`records` trx id 0 3832878 lock_mode X
Record lock, heap no 1 PHYSICAL RECORD: n_fields 1; compact format; info bits 0
 0: len 8; hex 73757072656d756d; asc supremum;;

*** (2) WAITING FOR THIS LOCK TO BE GRANTED:
RECORD LOCKS space id 0 page no 29240 n bits 232 index `domain_id` of table `pdnstest2`.`records` trx id 0 3832878 lock_mode X insert intention waiting
Record lock, heap no 1 PHYSICAL RECORD: n_fields 1; compact format; info bits 0
 0: len 8; hex 73757072656d756d; asc supremum;;

*** WE ROLL BACK TRANSACTION (1)
}}}

Presumably we can fix this by reordering some insert/update-queries. Should investigate.",peter
3, Release,562,bind-domain-status truncated,auth,3.1,defect,normal,ahu,new,2012-08-20T18:57:02+0200,2012-08-20T18:57:02+0200,"with more than ~2000 domains loaded, pdns_control bind-domain-status gets truncated:

{{{
$ sudo ./pdns_control bind-domain-status | tail -3
6083.example.com: 	parsed into memory at Mon Aug 20 18:55:22 2012
6084.example.com: 	parsed into memory at Mon Aug 20 18:55:22 2012
6085.example.com: 	parsed into memory at Mon Aug 20 18:55:
$ sudo ./pdns_control bind-domain-status | wc 
   1924   19239  126977
}}}",peter
3, Release,567,TSIG with modern algorithm,auth,3.2,enhancement,normal,ahu,new,2012-08-29T13:47:04+0200,2012-11-30T13:47:02+0100,Support for additional TSIG algorithms as specified in RFC 4635 (at least HMAC-SHA1 and HMAC-SHA256) would be quite useful.,anon
3, Release,568,Documentation doesn't readily have information about domain metadata other than in a MySQL/PostgreSQL database,documentation,3.1,defect,normal,ahu,new,2012-08-31T07:32:56+0200,2012-09-20T14:15:14+0200,"I recently set up DNSSEC for my domains, and I had trouble finding how to use SOA-EDIT with the BIND backend. I found the Domain Metadata section easily, and I found the table in the MySQL/PostgreSQL databases easily, but I didn't make the connection between the SQLite database that pdnssec uses and the table until I was told about it on IRC. It would be helpful for other users using pdnssec if this information was discussed on the domain metadata page, or at least discussed elsewhere and mentioned (through a link) on the domain metadata page.",anon
3, Release,572,powerdns is ignoring supplementary groups,auth,3.2,defect,normal,ahu,new,2012-09-05T16:21:26+0200,2012-11-30T14:40:10+0100,,anon
3, Release,573,Recursor Support for EDNS Client Subnet Draft,recursor,3.5-recursor,enhancement,normal,ahu,new,2012-09-06T14:26:48+0200,2013-01-10T16:11:34+0100,"This is a call for support of the Google/Verisign/Neustar draft in PowerDNS recursor.

As you are already aware (because PowerDNS server already supports this draft) EDNS client subnet support adds the configurable sized Network Range of a recursive Server Client IP to the query it asks authoritative Servers thus enabling them to better suit the answer to the client IP rather than that of its recursive Server which may often reside in a different network, or even country or continent in extreme cases.

Or as a friend just put it this could be handy
""for redirecting traffic to a local copy of the datacenter"" via ""an internal dns resolver for a global company"".

http://www.afasterinternet.com/
http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-01",anon
3, Release,580,Destroy backends properly on pdns exit,auth,3.2,enhancement,normal,ahu,new,2012-09-17T09:39:23+0200,2013-01-04T16:12:10+0100,"Patch against Powerdns 3.1 (from the svn tag)

I'm creating a backend that requires cleanup when the server is shut down. I've created a patch to delete all backends on server shutdown which should trigger their constructor. I'm seeing some issues with a crash as I'm not sure how to do this cleanly if we get multiple shutdown requests while backends are being destroyed or the UeberBackend tries to handle a packet while this is being done. I tried setting d_go to false which seems to work most of the time but while the server is still receiving packets there is still the potential it will bomb out rather than a clean shutdown. Even so it's probably cleaner than what there is at present.

Mark Zealey",anon
3, Release,581,Allow getAuth() to be overridden,auth,3.2,enhancement,normal,ahu,new,2012-09-17T09:42:15+0200,2013-01-31T14:58:52+0100,"Patch against pdns-3.1 svn tag

As discussed a month or two back over email there are certain situations in which getAuth() may want to be overridden by a backend for performance reasons. The attached patch converts getAuth() into a virtual backend function. The default is for no change in functionality. In my tests this leads to very significant performance improvements under certain situations (again see email thread for more details)

Mark Zealey",anon
3, Release,585,Performance optimizations in dnswriter.cc,auth,3.2,enhancement,normal,ahu,new,2012-09-18T15:17:43+0200,2012-11-30T12:14:25+0100,"d_record is modified extensively using push_back()'s etc, however each one of those results in memory management changes as the vector increases. Putting a simple:

d_record.reserve(1024);

in DNSPacketWriter::DNSPacketWriter() results in a 5% performance increase however I'm not sure if there is a more intelligent way to estimate what the size of d_record would be.

Mark Zealey",anon
3, Release,587,Initial notify using bind-backend not happening for new zones,auth,3.2,defect,normal,ahu,new,2012-09-21T13:46:33+0200,2012-12-17T15:48:03+0100,"Hi,

Using bind-backend on our hidden master, we noticed that the initial notify to the slaves is not being sent. 

Bind normally sends a notify for all (new) zones to its slaves on startup and will do that too for any newly created zones, however powerdns doesn't do that. 

Since we use supermaster functionality on the auth. servers, this breaks our setup.

Wouter@Oxilion",anon
3, Release,588,pdnssec import-zone-key fails silently when backend is unavailable,auth,3.2,enhancement,normal,ahu,new,2012-09-28T16:45:22+0200,2012-11-30T13:46:06+0100,"There is a syslog message, but the CLI tool does not report failing to import the keys.

In my situation, the gmysql query was misconfigured:
$ pdnssec import-zone-key freecode.nl /etc/puppet/prod/modules/dns/files/keys/Kfreecode.nl.+005+44971.private zsk
5

Sep 28 15:47:40 shared pdns[31897]: Exiting because communicator thread died with error: Failed to execute mysql_query, perhaps connection died? Err=1: Table 'virtual.domainkeys' doesn't exist",anon
3, Release,589,No AA flag set when using 'classless in-addr delegation',auth,3.0,defect,normal,ahu,new,2012-10-02T12:21:16+0200,2012-10-10T16:18:29+0200,"We've set up 'classless in-addr delegation' (RFC2317). When resolving IP addresses on our authoritative server that are delegated, we've noticed that no authoritative answer is given (the AA flag isn't set).

When resolving an IP address that isn't delegated, the AA flag is set.

Example:
{{{
################## Authoritative Server: ##################

C:\Users\bramb>dig -x 213.206.235.16 @ns.interconnect.nl

; <<>> DiG 9.9.1-P2 <<>> -x 213.206.235.16 @ns.interconnect.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26058
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;16.235.206.213.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
16.235.206.213.in-addr.arpa. 3600 IN    PTR     mail.smtp-service.nl.

;; Query time: 19 msec
;; SERVER: 212.83.192.5#53(212.83.192.5)
;; WHEN: Tue Oct 02 12:09:37 2012
;; MSG SIZE  rcvd: 79


C:\Users\bramb>dig -x 213.206.235.226 @ns.interconnect.nl

; <<>> DiG 9.9.1-P2 <<>> -x 213.206.235.226 @ns.interconnect.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33440
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;226.235.206.213.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
226.235.206.213.in-addr.arpa. 3600 IN   CNAME   226.224-255.235.206.213.in-addr.arpa.

;; AUTHORITY SECTION:
224-255.235.206.213.in-addr.arpa. 3600 IN NS    ns1.lemonweb.nl.
224-255.235.206.213.in-addr.arpa. 3600 IN NS    ns2.lemonweb.be.
224-255.235.206.213.in-addr.arpa. 3600 IN NS    ns3.lemonweb.eu.

;; Query time: 39 msec
;; SERVER: 212.83.192.5#53(212.83.192.5)
;; WHEN: Tue Oct 02 12:09:44 2012
;; MSG SIZE  rcvd: 159

################## Non-authoritative Server: ##################
C:\Users\bramb>dig -x 213.206.235.16

; <<>> DiG 9.9.1-P2 <<>> -x 213.206.235.16
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3402
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;16.235.206.213.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
16.235.206.213.in-addr.arpa. 3494 IN    PTR     mail.smtp-service.nl.

;; Query time: 22 msec
;; SERVER: 213.207.64.11#53(213.207.64.11)
;; WHEN: Tue Oct 02 12:11:02 2012
;; MSG SIZE  rcvd: 90


C:\Users\bramb>dig -x 213.206.235.226

; <<>> DiG 9.9.1-P2 <<>> -x 213.206.235.226
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34129
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;226.235.206.213.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
226.235.206.213.in-addr.arpa. 3600 IN   CNAME   226.224-255.235.206.213.in-addr.arpa.
226.224-255.235.206.213.in-addr.arpa. 300 IN PTR lemon20.lemonweb.nl.

;; AUTHORITY SECTION:
224-255.235.206.213.in-addr.arpa. 300 IN NS     ns1.lemonweb.nl.
224-255.235.206.213.in-addr.arpa. 300 IN NS     ns2.lemonweb.be.
224-255.235.206.213.in-addr.arpa. 300 IN NS     ns3.lemonweb.eu.

;; Query time: 47 msec
;; SERVER: 213.207.64.11#53(213.207.64.11)
;; WHEN: Tue Oct 02 12:11:05 2012
;; MSG SIZE  rcvd: 192
}}}

When using the www.mxtoolbox.com's ptr lookup tool, you'll get the following message: Warning: Received Non-Authoritative (lame) Answer from: 'ns.interconnect.nl'

The example at http://www.ripe.net/data-tools/dns/reverse-dns/how-to-set-up-reverse-delegation > Step 5 > Query Against an Authoritative Server, shows an AA flag is set.",anon
3, Release,590,feature request: forward-zones with forward and continue behaviour while recursing,recursor,,defect,normal,ahu,new,2012-10-02T18:34:43+0200,2012-10-02T18:34:43+0200,"Currently entries in forward-zones or forward-zones-file are acting as forward only.

It might be a good idea to have them configurable as forward and continue.

For example:

On PDNS recursor R:
forward-zones=22.172.in-addr.arpa,$IP_DNS_A

On PDNS authoritative A in zone 23.172.in-addr.arpa:
42 NS $DNS_B

On PDNS authoritative B exists zone 43.23.172.in-addr.arpa.

Currently R responds only with NOERROR, delivering NS records, the request to A is just forwarded and the answer handed back to the client without further processing the NS records.

To clarify things, the relevant parts of the IRC-Log:
{{{
15:13:40 < abraxxl> I have a recursor and two DNS servers. The recursor has an entry in forwarders for +foo.bar, DNS server A is authoritative for. In foo.bar are existing NS recor
                    recurse because of the prefix ""+"" before foo.bar in forward zones file. Is my guess correct?
15:56:37 < abraxxl> forget my question it is nonsense, the recursion-desired bit is ignored by an authoritative server
15:57:26 < ZaphodB> abraxxl: with the + prefix the query for baz.foo.bar should be forwarded to the server you specified in the forward-zones-file but with the recursion desired bi
15:59:44 < ZaphodB> if you want to just handle this one domain by auth servers locally the 'regular' forwarding that does not set the recursion desired bit is for you need to make 
                    then this should become a regular recursive query again i think.
16:18:22 < abraxxl> ZaphodB: yes, I expect the recursor to ask DNS server A for baz.foo.bar: DNS A should answer with NS records and the recursor should ask DNS server B according 
16:53:04 < Zugschlus> So, the real question of abraxxl is: When a recursor R asks an auth server A via forward.zones, and A answers with an referral to B, is the recursor supposed 
                      resolving process?
16:53:44 < ahu> forward zones 'only' injects a hard NS record for that exact domain
16:53:56 < ahu> however
16:54:00 < Zugschlus> so the recursor should recurse to B?
16:54:02 < ahu> it assumes that the answer it gets is 'done'
16:54:07 < ahu> no, it is not quite an NS record
16:54:08 < ahu> sorry
16:54:20 < ahu> it is a magic 'hard' NS record that says 'ask them and relay back the answer'
16:54:42 < Zugschlus> so the recursor will return the referral to the client which is of course not what the client expects?
16:54:44 < ahu> it does not then continue processing
16:54:59 < ahu> well, for the people we made this for, this solved their problem
16:55:07 < ahu> they wanted 'forward'
16:55:14 < ahu> they did not want 'insert NS records'
16:55:22 < ahu> so the use case is different
16:55:23 < Zugschlus> abraxxl seems to want ""forward and continue""
16:55:37 < ahu> he wants a persistent stub zone I think
16:55:45 < Zugschlus> ouch, that's bind lingo
16:55:50 < ahu> yes
16:55:51 < ahu> ;-)
16:55:55 < Zugschlus> need to twist my brain to remember what that means
16:56:10 < ahu> I think it means what I said, 'insert a persistent NS record'
16:57:08 < Zugschlus> hm
16:57:23 < Zugschlus> So our recommendation to abraxxl would be: Insert more forward.zones entries
16:57:38 < Zugschlus> (and watch for debris if the people running the auth server change things)
16:57:58 < ahu> yeah, and author a really well written ticket
16:58:03 < ahu> with a feature request
}}}",anon
3, Release,602,removed domains checked very often from slave,auth,3.2,defect,normal,ahu,new,2012-10-19T13:39:24+0200,2013-01-07T13:08:11+0100,"If a type=SLAVE domain has been removed from a master, and thus the SOA check returns rcode=9 or the like, the domain will be rechecked every slave cycle.

Worse, slave-cycle-interval (default 60 seconds) can be interrupted by many events for single domains, but the wakeup will cause this recheck for all failing domains. Busy slaves might re-check their failed domains every few seconds because of this.",peter
3, Release,606,pdns_control/pdnssec increment-serial option,auth,3.2,enhancement,normal,ahu,new,2012-10-27T16:51:16+0200,2013-01-05T07:59:29+0100,"Hi,

I really like the magic that the 'pdnssec rectify-zone [zone]' command brings. It moves the repetitive and error-prone DNSSEC-related tasks away from the user.

A similarly repetitive task is updating a zone's serial number in the SOA record. This currently needs to be handled in the user's code, or in a backend-specific configuration (e.g. SQL triggers).

I would like to request an 'increment-serial [zone]' option for pdnssec or pdns_control. The command would increment the serial number in the given zone's SOA record. This would leave the user with one thing less to worry about.

Kind regards,
Martin ",anon
3, Release,608,Adding command to pdns_control,auth,3.2,enhancement,normal,ahu,new,2012-11-01T01:11:47+0100,2012-11-28T19:00:01+0100,"Add the following commands to pdns_control:

1) pdns_control list_zone --type $type, where $type can be all (default), master or slave; this command return all zones managed by pdns of type $type

2) pdns_control delete $zone; this command will remove a zone (and all related records) from the backend

These commands can be used to create scripts for zone managing, for example for removing zone from superslaves",anon
3, Release,617,"Patches related to RFC2606, RFC3849, RFC5737 and a small documentation improvement",documentation,3.2,enhancement,normal,ahu,new,2012-11-14T11:49:28+0100,2012-11-14T11:49:28+0100,"Attached are patches to improve the documentation. Most patches are caused by trying to follow RFC2606, RFC3849, RFC5737 and 1 is because I think an option in the documentation wasn't clear for new users (regarding the password for the connection at the gmysql backend).

Reported/patches by Mark Scholten (SinnerG BV)",anon
3, Release,621,PowerDNS should have some way to increase SOA serial number easily,auth,3.2,enhancement,normal,ahu,new,2012-11-27T14:27:10+0100,2012-12-17T15:46:37+0100,,ahu
3, Release,622,High cpu usage after slave received mass notify,auth,3.2,defect,normal,ahu,new,2012-11-27T15:47:25+0100,2012-12-18T11:13:34+0100,"After having received a lot of notifies in a short time period, pdns will have high CPU-usage for the rest of its lifetime. Only way to resume to normal is to restart either pdns or mysql.
It might only be triggered if the domains it receives notifies for are not yet known, and it is a superslave for them.",anon
3, Release,626,Speed up of the not-in-cache case.,recursor,3.5-recursor,enhancement,normal,ahu,new,2012-12-03T12:02:13+0100,2013-01-10T16:11:57+0100,"The Recursor resolves slowly if one or more nameservers of a zone are not responding. It sequentially asks all servers of the NS rrset until one of them responds. The default network-timeout is 1000ms. For instance, if 2 nameservers are not responding, it can take more than 2 seconds to resolve.[[BR]][[BR]]

The proposal now is to do the queries in parallel if the recursor has no NS information of the zone cached. If the first nameserver answer arrived, the recursor resumes the processing of the queried name and sends the answer as soon as possible. '''Afterwards''' it cares about the caching and rating (answer times) of the NS-RRs.",anon
3, Release,627,build of lua backend failed on centos (unable to detect lua libraries),auth,3.2,defect,normal,ahu,new,2012-12-03T13:24:03+0100,2013-03-01T10:20:26+0100,build of lua backend failed on centos (unable to detect lua libraries),anon
3, Release,632,support for group of nameservers in supermasters,auth,3.2,enhancement,normal,ahu,new,2012-12-06T09:11:33+0100,2013-03-01T10:20:10+0100,"At the moment, pdns has support for multiple masters. You need to specify them comma-separated in domains.master. However, when you use supermaster functionality, this functionality is not available. This is especially an issue when you use dual stack (ipv4 and ipv6) because by definition your master has 2 IPs in this case.

I see 2 possible solutions:
1) implement support for comma-separated masters in supermasters.nameserver. On incoming supermaster notify you check for a match, and copy supermasters.nameserver content to domains.master. 

2) Leave supermasters as is, but change the way you handle incoming notifies for non-masters: Instead of denying, first check if it is a supermaster by any chance. If so, add the nameserver to domains.master.

I personally like option 1 the most.


Sidenote: It would be nice if supermasters.nameserver and domains.master would have the same type. At the moment they don't according to http://doc.powerdns.com/generic-mypgsql-backends.html (VARCHAR(255) vs VARCHAR(128))",anon
3, Release,637,feature request: provide host/dig replacement based on pdns-recursor,recursor,3.5-recursor,enhancement,normal,ahu,new,2012-12-11T12:43:12+0100,2013-01-10T16:12:09+0100,"Other DNS software packages ship with their own debugging tools.

BIND has host/dig, djbdns has dnsqr/dnstrace, unbound has unbound-host.


A debugging tool based on pdns-recursor would enable users to completely rely on PowerDNS and not have any other DNS software involved in their setups which would be a great improvement.",anon
3, Release,640,add Conflicts: to pdns-static packages,auth,3.2,enhancement,normal,ahu,new,2012-12-13T14:45:07+0100,2012-12-17T15:54:48+0100,"Right now, people might accidentally install pdns-static next to Debian's pdns-server and pdns-backend-* while they intend to upgrade. A decent Conflicts:-line would prevent that.",peter
3, Release,641,doc.powerdns.com not in sync with man pages (pdnssec disable-dnssec),documentation,,defect,normal,ahu,new,2012-12-19T17:29:35+0100,2012-12-19T17:29:35+0100,"The docs on doc.powerdns.com do not mention the pdnssec disable-dnssec command (which is implemented, working, and described in the man pages).

Following patch adds the missing content:

{{{
--- pdns/docs/pdns.xml  (revision 3002)
+++ pdns/docs/pdns.xml  (working copy)
@@ -11577,6 +11577,14 @@
            </listitem>
        </varlistentry>
        <varlistentry>
+           <term>disable-dnssec ZONE</term>
+           <listitem>
+             <para>
+               Deactivate all keys and unset PRESIGNED in ZONE.
+             </para>
+           </listitem>
+       </varlistentry>
+       <varlistentry>
            <term>export-zone-dnskey ZONE KEY-ID</term>
            <listitem>
              <para>

}}}
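Review bot: the added para for disable-dnssec ZONE is a single sentence that leaves the resulting state unclear. It should say whether the deactivated keys remain stored for the zone and whether the zone is served unsigned afterwards, so an operator reading the entry knows what is left behind before running the command.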
",anon
3, Release,646,Add some inlined comparison functions to QType,auth,3.2,enhancement,normal,ahu,new,2012-12-31T14:44:54+0100,2013-01-02T18:08:02+0100,"Here's a patch to simplify code a bit, allows you to do example:

QType qt = ...;
if( qt == QType::ANY )
  ...;
if( qt != QType::AXFR )
  ...;

afaik compiler should do this inlined without any function/class calls unlike the existing == operator which was not inlined.

Mark",anon
3, Release,647,Add AM_SILENT_RULES to configure.ac,auth,3.2,enhancement,normal,ahu,new,2013-01-01T10:17:41+0100,2013-03-29T09:16:54+0100,"By adding this

AM_SILENT_RULES([yes]) after AM_INIT_AUTOMAKE, one gets silent rules by default for Makefile. It can be overridden with ./configure --disable-silent-rules, or make V=1

This will cause compilation to look a bit like this:
{{{
  CXX    polarrsakeyinfra.o
  CXX    md5.o
  CXX    signingpipe.o
  CXX    dnslabeltext.o
  CXX    ednssubnet.o
  CC     aescrypt.o
  CC     aeskey.o
}}}

which is much easier to read, and easier to spot errors. ",anon
3, Release,648,Fix warnings on aeskey.c,auth,3.2,enhancement,normal,ahu,reopened,2013-01-01T10:32:59+0100,2013-03-26T18:17:45+0100,"Simple patch to fix warnings from aeskey.c. The problem with the current code is that the assignment is done within calling a function. Explicitly assigning the variable first, and then calling the function, resolves the warning condition. ",anon
3, Release,650,Changes distributor code,auth,,enhancement,normal,ahu,new,2013-01-02T18:15:14+0100,2013-01-02T18:15:14+0100,"The attached patch changes the distributor code in the following ways:

1) Remove (as far as i can see) unused functions which allow for the fetching of the answer from an answers queue. I struggle to understand why this would ever be useful compared to having a callback; it also reduces code complexity and removes some locks. Also allows (2):
2) Split into 3 classes - the new ones being SingleThreadDistributor and MultiThreadDistributor - removes some of the conditional statements. It also means that in distributor-threads=1 mode, NO additional distributor threads are forked (unlike the existing code), and the class will also use less memory and generally be more efficient.

This has been tested in that the pdns server starts up and answers questions correctly in both modes, it's more of an RFC attempt to clean up the code a bit. 

Mark",anon
3, Release,652,Change QType string/uint16 array to map,auth,,enhancement,normal,ahu,new,2013-01-03T11:42:15+0100,2013-01-14T11:42:27+0100,"Attached patch provides faster lookups of QType from/to strings by using a map.

Mark",anon
3, Release,653,Fix compile errors/warnings for db2 and lua backend.,auth,3.2,defect,normal,ahu,new,2013-01-03T14:26:15+0100,2013-03-01T10:19:12+0100,"Fixes two unused variables from lua backend.
Fixes includes for db2 backend",anon
3, Release,654,packetcache code very slow - Patch included,auth,,defect,normal,ahu,new,2013-01-03T14:28:11+0100,2013-01-03T14:28:11+0100,"Running tests with query cache shows a massive performance drop. For a certain backend (all compiled with -pg for gprof profiling), with 1 receiver/backend thread running over random entries for a subdomain, I get:

No cache: 3500qps
Cache & negcache enabled: 450qps

Looking at the gprof output this is all because you are iterating the packetcache with the CIBackwardsStringCompare function. The following patch changes packetcache to be stored reversed and provides a speedup to around 2500qps when enabled ie 5* performance improvement over existing packetcache.

I've not updated the purge(match) function as I can't quite figure out how it's meant to work at the moment but I don't imagine that's too hard. I've also not fully tested this patch only verified the performance improvements. Because the cache still has a ~25% performance hit we probably won't be able to use it.

Mark",anon
3, Release,655,"PowerDNS ""passthru-notify"" Patch Release",auth,3.2,enhancement,normal,ahu,new,2013-01-03T17:57:40+0100,2013-03-08T18:51:06+0100,"This patch will allow you to redirect PowerDNS notify messages away from 
neighboring NS servers to a ""passthru"" server. It is intended to fix 
notify/axfr behavior in anycast clusters of PowerDNS auth servers 
however it may be useful for other situations.

The configuration option ""passthru-notify"" has been added to the 
pdns.conf parser. The option accepts multiple IPv4 and IPv6 address values.

The patch was based off the latest stable release so we can contribute this to the PowerDNS community. It tested OK with the latest 
trunk as well (only a few offset warnings). The patch is expecting to 
find a ""pdns-3.1"" directory so if you name it something else use -p1 and 
patch from the root of the distribution.

Patched servers carry a ""3.1-ptn"" in their version.bind by default.


pdns.conf:


#################################
# passthru-notify       IP address we send notifications to
#
# passthru-notify=127.0.0.1, ::1


LATEST STABLE:

~$ patch -p0 < pdns-3.1-ptn.patch
patching file pdns-3.1/configure.ac
patching file pdns-3.1/pdns/common_startup.cc
patching file pdns-3.1/pdns/mastercommunicator.cc
patching file pdns-3.1/pdns/misc.cc
patching file pdns-3.1/pdns/misc.hh
patching file pdns-3.1/pdns/pdns.conf-dist


TRUNK:

~/pdns-trunk$ patch -p1 < ../pdns-3.1-ptn.patch
patching file configure.ac
patching file pdns/common_startup.cc
Hunk #1 succeeded at 121 (offset -1 lines).
patching file pdns/mastercommunicator.cc
patching file pdns/misc.cc
Hunk #1 succeeded at 777 (offset 12 lines).
patching file pdns/misc.hh
Hunk #1 succeeded at 438 (offset 1 line).
patching file pdns/pdns.conf-dist

Version report:

version.bind.           5       CH      TXT     ""Served by POWERDNS 
3.1-ptn $Id: packethandler.cc 2631 2012-06-20 10:12:20Z peter $""


--
Ralph Covelli
Hurricane Electric / AS6939
rcovelli@he.net
",anon
3, Release,656,Sign supermaster/superslave zone transfers with TSIG,auth,,enhancement,normal,ahu,new,2013-01-04T09:42:55+0100,2013-01-04T09:42:55+0100,"Add support for signing superslave transfers. Currently, TSIG key is assigned to zone. Because superslave creates zones when notified, it doesn't have any key to check signatures. 

IP-based security is not strong enough, especially when using DNSSEC (superslave then becomes the weak link - attacker could do MITM and put his own zones in authoritative server).
",anon
3, Release,658,Excessive memory new/deletes - SOAData,auth,,enhancement,normal,ahu,new,2013-01-04T12:12:55+0100,2013-01-04T12:27:49+0100,"Hi there,

As part of some profiling I was doing I noticed that pdns is doing a *lot* of new/delete's on each query, to the point of on my system at least the highest cpu users according to perf top are malloc/free, and using google's tcmalloc provides some reasonably significant performance improvement. I'd estimate if you could eliminate most of these worst offenders, you could see a 20% performance improvement in powerdns. I used the following tool to profile memory usage for these reports:

valgrind --tool=exp-dhat --show-top-n=200

I'm going to raise a few tickets now one for each area where we could see a performance improvement.

The first area is with the storing/parsing of SOAData - serializeSOAData and fillSOAData. Many backends can probably provide you with SOAData just as a string that could be passed back directly to the client, however every time you split it up to fill the SOAData struct, parse the strings and then recombine them later. Perhaps turning this into a class which can handle things a bit more intelligently through accessors (ie store as a string unless access to a particular value is required) would be good - it would cut down on a large number of new/delete's each cycle.

Mark",anon
3, Release,659,not all backends are being queried,auth,3.2,defect,normal,ahu,new,2013-01-04T13:39:56+0100,2013-01-07T13:09:18+0100,"it seems that since 3.1 not all backends are being queried anymore. e.g.: using geo backend first and gpgsql backend second the query will stop after finding a CNAME in the geo backend, even though the cname is within the same zone that powerdns is authoritative for.

for details and example config please have a look at this thread: http://mailman.powerdns.com/pipermail/pdns-users/2013-January/009535.html",anon
3, Release,661,pipe backend massive slowness on multicore machines & fix,auth,,defect,normal,ahu,new,2013-01-04T16:04:26+0100,2013-01-14T11:44:11+0100,"I was doing some performance testing on our 32-way servers and discovered that in the simple case where the test program returns the data straight away, about 80% of the time was being spent in the kernel in a spinlock. I've been debugging this looking at the coprocess code and discovered that this is due to the following line in coprocess.cc:

setbuf(d_fp,0); // no buffering please, confuses select

If this is removed, performance in my particular test case goes from 2000qps with powerdns running at about 2000% cpu to 10000qps with powerdns using about 300% cpu.

Obviously the comment implies that this is not a permanent solution, I guess if the timeout is specified as 0 then the select code won't be executed and so you can disable the setbuf easily enough. However perhaps if the timeout is wanted you could set an alarm() rather than using select?

Mark",anon
3, Release,663,query cache stringstream stuff is *slow*,auth,,defect,normal,ahu,new,2013-01-05T15:52:35+0100,2013-01-05T15:52:35+0100,"I have a backend on our 32-way box that does about 170kqps max. If i put the query cache in front of it it slows down massively (110kqps) even if I only ever hit one point in the query cache. This is all because of the binaryarchive and stringstream stuff in UeberBackend which handles the storage/retrieval of the rrsets. It even seems to be storing/retrieving stuff using locale for some reason. Is there a way to just store it in a known binary format using structs and memcpy or something?

Mark",anon
3, Release,664,Patch: Fix nonblocking on receivers,auth,,defect,normal,ahu,new,2013-01-05T16:55:07+0100,2013-01-14T17:30:42+0100,"Two issues:
1) nonblocking is not set on udp6 sockets
2) udp4 tests to see if there is only 1 socket and then sets nonblocking, however if you have a udp4 and udp6 socket then it won't be set to nonblocking

Mark",anon
3, Release,665,Patch: Switch ipv4 UDP listener to use ComboAddress,auth,,defect,normal,ahu,new,2013-01-05T17:00:44+0100,2013-01-05T17:01:11+0100,Switching ipv4 udp to use ComboAddress simplifies code and removes gethostbyname() call which is not re-entrant (not currently a problem but see next patch in the series) and whose use is not advised.,anon
3, Release,666,Allow SO_REUSEPORT,auth,3.2,enhancement,normal,ahu,new,2013-01-05T17:09:04+0100,2013-03-20T12:42:50+0100,"SO_REUSEPORT is available on various bsd operating systems as standard, and also as a linux kernel patch from Google. It allows

1) Running 2 powerdns processes concurrently so that you can restart powerdns without losing any packets
2) (the main purpose for my writing this patch) On linux with a patched kernel removes contention from many threads using a socket. In my tests this improves performance with a packet cache from 300kqps to 1mqps

If the SO_REUSEPORT call is available, the attached patch causes each receiver thread to open a new socket for connections which allows each thread (on linux) to operate at full speed rather than waiting on a slow socket. It should fail nicely ie if the call is not available at either compile time or run time it will just use the initially created socket.

Mark ",anon
3, Release,667,no EDNS in recursor response to EDNS queries,recursor,3.5-recursor,enhancement,normal,ahu,new,2013-01-07T10:57:04+0100,2013-01-11T13:15:54+0100,"Like auth, recursor should report EDNS support in response to queries that have EDNS.",peter
3, Release,669,SERVFAIL on exceeded retargetcount has content,auth,3.2,enhancement,normal,ahu,new,2013-01-07T15:03:35+0100,2013-01-07T15:03:35+0100,"When we send SERVFAIL because there are more than 11 CNAMEs chained in an answer, we still include those CNAMEs in the response. This is useless and a waste of bandwidth.",peter
3, Release,672,Back-end changes by rectify-zone should NOTIFY slaves,auth,3.2,defect,normal,ahu,new,2013-01-10T09:50:17+0100,2013-01-10T09:56:25+0100,"When the back-end data for a zone is modified by 'rectify-zone' it should cause PowerDNS to NOTIFY the zone's slave servers (incl. SOA serial update) so that they XFR the new data.

This is currently not the case.

Tested with 3.2 rc4

    -JP",anon
3, Release,674,gtm.xboxlive.com issue,recursor,3.4-pre,defect,normal,ahu,new,2013-01-10T16:16:31+0100,2013-01-11T10:26:00+0100,"Habbie's recursor-gtm branch has a testcase for an issue that popped up with gtm.xboxlive.com. The test succeeds because we use forward-zones instead of a fake root.

Steps:
 * change regression tests from forward-zone to a fake root server
 * notice GTM test break
 * fix recursor so that GTM is no longer broken",peter
3, Release,675,d_algorithm should not be initialized from within signers,auth,3.2,defect,normal,ahu,new,2013-01-11T16:38:42+0100,2013-03-01T10:17:07+0100,"In ed25519signers.cc I've found that d_algorithm is initialized as an unsigned int, which destroys the value from dnssecinfra (??)

Since this isn't hooked up yet I cannot show the exact error it will show, but should be similar to the "".. algo 0"" errors reported in #511",anon
3, Release,676,/etc/init.d/pdns-recursor Linux exit code,recursor,3.4-pre,defect,normal,ahu,new,2013-01-12T01:46:06+0100,2013-01-21T10:24:49+0100,"I've just installed the pdns-recursor x86_64 RPM (3.3-1) from the website, and noticed something odd when running the initscript:

[root@hostname ~]# /etc/init.d/pdns-recursor status
not running
[root@hostname ~]# echo $?
0

Since compiling from source gives the same initscript, it follows that this behavior occurs there as well.

Would you consider adding return codes to the default initscript (pdns-recursor.init.d)?  Currently it looks like $? is getting passed to echo or test, and thus getting clobbered.

For example, in lines 51-63:
	start)
		echo -n ""Starting PowerDNS recursing nameserver: ""
		if test ""$NOTRUNNING"" = ""0"" 
		then 
			echo ""already running""
		else
			$pdns_server --daemon 
			if test ""$?"" = ""0""
			then
				echo ""started""	
			fi
		fi 
	;;

Let me know if you'd like further clarification, or if I can be of assistance in patching the initscript.

John Miller
johnmill@brandeis.edu

",anon
3, Release,677,incorrect pdnssec exit codes,auth,3.2,defect,normal,ahu,new,2013-01-14T18:01:54+0100,2013-03-01T10:05:10+0100,"Some pdnssec actions result in incorrect exit codes. This patch fixes the following:
{rectify-zone, show-zone, add-zone-key, disable-dnssec} on a non-existing exits with 1 instead of 0, and outputs an error message ""No such zone in the database"".
disable-dnssec also exits with 1 when a non-secured zone is passed.

secure-zone exits with 1 if any of the passed zones is non-existent. 


",anon
3, Release,679,powerdns ignores  valid nxdomains caused by nxdomain,recursor,3.4-pre,defect,normal,ahu,new,2013-01-18T19:26:16+0100,2013-03-01T10:04:56+0100,"Jan 18 19:23:54 [2] puppet-master.dataxu.net.: Resolved 'dataxu.net.' NS pdns4.ultradns.org. to: 199.7.69.1
Jan 18 19:23:54 [2] puppet-master.dataxu.net.: Trying IP 199.7.69.1:53, asking 'puppet-master.dataxu.net.|A'
Jan 18 19:23:54 [2] puppet-master.dataxu.net.: Got 2 answers from pdns4.ultradns.org. (199.7.69.1), rcode=3, aa=1, in 9ms
Submitting for: pdns4.ultradns.org., 1, 199.7.69.1, 9780
Jan 18 19:23:54 [2] puppet-master.dataxu.net.: accept answer 'puppet-master.dataxu.net.|CNAME|ops-puppet01.sldc.dataxu.net.' from 'dataxu.net.' nameservers? YES!
Jan 18 19:23:54 [2] puppet-master.dataxu.net.: accept answer 'dataxu.net.|SOA|pdns2.ultradns.net. ops.dataxu.com. 2012122104 10800 3600 2592000 86400' from 'dataxu.net.' nameservers? YES!
Jan 18 19:23:54 [2] puppet-master.dataxu.net.: determining status after receiving this packet
Jan 18 19:23:54 [2] puppet-master.dataxu.net.: got negative caching indication for RECORD 'puppet-master.dataxu.net.' (accept=1), newtarget='ops-puppet01.sldc.dataxu.net.'
Jan 18 19:23:54 [2] puppet-master.dataxu.net.: status=got a CNAME referral, starting over with ops-puppet01.sldc.dataxu.net.
Jan 18 19:23:54 [2]  ops-puppet01.sldc.dataxu.net.: Looking for CNAME cache hit of 'ops-puppet01.sldc.dataxu.net.|CNAME'
Jan 18 19:23:54 [2]  ops-puppet01.sldc.dataxu.net.: No CNAME cache hit of 'ops-puppet01.sldc.dataxu.net.|CNAME' found
Jan 18 19:23:54 [2]  ops-puppet01.sldc.dataxu.net.: Entire record 'ops-puppet01.sldc.dataxu.net.', is negatively cached via 'dataxu.net.' for another 3600 seconds
Jan 18 19:23:54 [2]  dataxu.net.: Found cache hit for SOA: pdns2.ultradns.net. ops.dataxu.com. 2012122104 10800 3600 2592000 86400[ttl=3600]
Jan 18 19:23:54 [2] puppet-master.dataxu.net.: failed (res=3)
",ahu
3, Release,680,Please ship recursor.conf-dist as recursor.conf in recursor debian packages,recursor,3.5-recursor,task,normal,ahu,new,2013-01-21T01:40:45+0100,2013-01-21T10:24:12+0100,"Title says it all.

Right now pdns-recursor_3.5-pre.20130119.3066-1_amd64.deb installs the config file as recursor.conf-dist, and I believe this is the wrong way for Debian systems.
",anon
3, Release,681,port auth socket binding code,recursor,3.5-recursor,enhancement,normal,ahu,new,2013-01-21T11:14:38+0100,2013-01-21T19:12:12+0100,Recursor needs the good stuff from http://bert-hubert.blogspot.nl/2012/10/on-binding-datagram-udp-sockets-to-any.html too,peter
3, Release,684,pdnssec check-zone,auth,3.2,enhancement,normal,ahu,new,2013-01-23T09:30:01+0100,2013-03-01T10:10:14+0100,"Some things I note about the pdnssec utility:

* Trailing dot is noticed in MX but not in CNAME records. (Patch by Ruben, applied by Peter, I believe)
* White space in A, AAAA, CNAME, etc. is not caught. This is not per-se a problem because PowerDNS ignores that when serving, I do believe it could easily be checked. (And by white space I even mean ^M and ^J ... #facepalm)
* non-ASCII characters in, say, TXT records, should be indicated more clearly as probably being erroneous

Regards,

  -JP",anon
3, Release,685,Make Recursor more robust against misconfigured nameservers,recursor,3.5-recursor,enhancement,normal,ahu,new,2013-01-23T14:23:59+0100,2013-01-24T12:36:17+0100,"The Recursor stops processing in case of ""Refused"". But why not ask the other nameservers of the domain before giving up?

Attached a patch to achieve this.",anon
3, Release,686,zone2sql does not add INSERT INTO domains when run without named.conf,auth,3.2,enhancement,normal,ahu,new,2013-01-24T15:51:41+0100,2013-01-24T15:53:20+0100,"I think the subject says it all:

{{{
zone2sql --gmysql --zone-name=example.com --zone=example.com --transactions
}}}

produces SQL INSERT statements for the records table, but not for domains.",anon
3, Release,688,add CAA type,auth,3.2,enhancement,normal,ahu,new,2013-01-29T10:57:37+0100,2013-01-29T10:57:37+0100,RFC6844,peter
3, Release,690,IPSECKEY type presumably incorrect,auth,3.2,defect,normal,ahu,new,2013-01-29T15:30:44+0100,2013-01-29T15:30:44+0100,rfc4025 2.3 mentions 3 gateway types; we seem to assume type 3 always,peter
3, Release,691,Optimization of backend queries,auth,3.2,enhancement,normal,ahu,new,2013-01-31T13:05:26+0100,2013-02-28T13:41:41+0100,"For the vast majority of queries, PacketHandler::getBestReferralNS()  goes for all subdomains between the query and the SOA looking for an NS entry and then assuming nothing is found, an ANY lookup is performed in the same way. Given that for most backends a lookup is expensive it would make sense to merge the two bits of code so that it looks something like the following pseudo code:

{{{
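vector any_entry;
vector ns_entry;
do {
  if( any_entry ) {
    // ANY result already found at a lower level: only NS is still needed
    if( ns_entry = do_ns_query )
      break;
  } else {
    // one ANY lookup serves both purposes: keep it and pick out NS records
    any_entry = do_any_query;
    if( ns_entry = get_ns_entries( any_entry ) )
      break;
  }
} while(chopoff(subdomain) && not_reached_SOA)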

Mark",anon
3, Release,692,Always include SOA in query,auth,3.2,enhancement,normal,ahu,new,2013-01-31T13:52:22+0100,2013-01-31T14:37:13+0100,"For the second time when writing a backend I forgot that an ANY query needs to return any SOA data as well. This is because we store our SOA's separately from our other DNS data in order to optimize zone lookups. According to Habbie MyDNS backend has the same bug. The attached patch basically forces an SOA to be included which is actually much more optimal than anything I can do in my backends as I don't have easy access to the knowledge of:

* sd data structure;
* is this query also an SOA

meaning that if I answer it in the backend I have to do a number of additional lookups for information that is already available in the PacketHandler. Additionally, I notice that you are basically doing all the SOA setup anyway if there is anything looking like an SOA entry. So, all this patch does is strip out any SOA entries and then insert one if there should be. This seems to me to both potentially simplify backend code and fix up any user errors more accurately than the current code does.

Mark",anon
3, Release,693,minor improvements to ueberbackend caching,auth,3.2,defect,normal,ahu,new,2013-01-31T15:36:55+0100,2013-01-31T15:36:55+0100,"See attached patch - removes number of static variables and makes them class, also optimizes if query cache is disabled.

Mark",anon
3, Release,695,Kyoto Cabinet-based high performance DNS backend,auth,3.3,enhancement,normal,ahu,new,2013-01-31T23:05:01+0100,2013-01-31T23:05:01+0100,"Please see attached patch which provides a backend that has been tested to scale to many millions of zones (and tens of millions of records) with a very high query performance and scalability. It requires the getAuth() patches supplied in ticket 581. It also requires a number of my other submitted patches to achieve full performance.

Performance numbers from a 32-way test box, pdns 3.2 with all caches disabled, receiver-threads set to 16 and distributor-threads 2. powerdns uses SO_REUSEPORT patch & SO_REUSEPORT patched linux 3.7.5 kernel on centos6. Database contains approx 7m zones and 30m records. Queries from 32 processes on localhost, pdns runs on about 20-24 CPUs:
{{{
very long random chains: 390kqps
random subdomains of a known zone: 215kqps
hits on a single A record: 220kqps
hits CNAME redirect to A record in another zone (also stored locally): 170kqps
}}}

I'm not certain of the doc formatting that I have provided, also if you could check over the autoconf changes as I'm not 100% sure of them.

Mark",anon
3, Release,699,Cygwin build issue (broken mysql_config check in configure),auth,3.2,defect,normal,ahu,new,2013-02-15T06:30:55+0100,2013-02-15T08:19:02+0100,"(COPY OF GitHub ISSUE #80)

In cygwin (W7 x64), when trying to build pdns-3.2 with ./configure --enable-recursor --without-system-polarssl --without-mysql --without-pgsql --without-unixodbc, I get this error:

checking for mysql_config... configure: error: mysql_config not found

This error is because libmysqlclient-dev hasn't been installed - but it isn't needed anyway because of --without-mysql.

Installing the library now gives the totally impossible error:

checking for mysql_config... configure: error: not found",anon
3, Release,701,SOA serial is updated before the signatures are renewed,auth,3.2,defect,normal,ahu,new,2013-02-22T09:06:06+0100,2013-02-22T09:06:06+0100,"After r2857 the serial (SOA-EDIT INCREMENT-WEEKS) is increased 1 hour before the new signatures are present.

https://github.com/mind04/powerdns/commit/9d879e8a3b66954342674ed90e5503507de245e0

Kees",anon
3, Release,702,RRs omitted when large ZSKs are being used,auth,3.2,defect,normal,ahu,new,2013-02-22T09:12:51+0100,2013-03-14T15:30:05+0100,"When using large ZSKs RRs are being stripped from the answer. I could see the following  different kinds of behavior against a 3.2 auth:[[BR]]

1. name does not exist in zone at all, queried via UDP: answer is truncated, dig switches to TCP, all fine -> correct behavior[[BR]]

2. name does exist in zone, type does not exist, queried via UDP: RRs are left out until the answer is small enough to not be truncated, no fallback to TCP[[BR]]

3. name does exist in zone, type does not exist, queried via TCP: RRs are left out until the answer is small enough to not be truncated via UDP[[BR]]


Scenario 3 is working fine against a 3.1 auth, but scenario 1 and 2 are broken then.[[BR]]


I ran these tests against a zone using a 8192 bit KSK and 4096 bit ZSK. It had been rectified with the 3.2 pdnssec binary before running the tests.",anon
3, Release,706,pdnssec add-zone-key and import-zone-key does not report key-id of added key,auth,3.2,enhancement,normal,ahu,new,2013-02-27T12:17:28+0100,2013-02-28T11:51:47+0100,"pdnssec add-zone-key and import-zone-key does not print key-id of recently added key, so it is quite difficult to do any further automatic processing concerning this key (for example deactivate key added with import-zone-key)

Printing key-id would make simple scripting much simpler :-)",nataraj
3, Release,707,pdnssec add-zone-key and import-zone-key does not allow to set active flag on creation,auth,3.2,defect,normal,ahu,new,2013-02-27T12:43:13+0100,2013-02-28T11:51:56+0100,"pdnssec add-zone-key creates an inactive key

pdnssec import-zone-key creates an active key

There is no option that allows to change this behavior. Moreover since pdnssec does not print key-id of added key, there is no chance to change active-status for just added key manually.
",nataraj
3, Release,716,Allow building of recursor in-tree,recursor,3.5-recursor,enhancement,normal,ahu,reopened,2013-03-11T19:35:19+0100,2013-03-26T19:59:32+0100,"This patch allows building the recursor with ""make -f Makefile-recursor"" without running dist-recursor first.

This is most useful during development.
",anon
3, Release,722,Ability to notify PowerDNS with bind backend about new zone in named.conf,auth,3.2,enhancement,normal,ahu,new,2013-03-27T10:13:42+0100,2013-03-28T10:22:15+0100,"Hello,

We have a very big named.conf (about 13 megabytes) with about 150 000 zones. If we add a new zone, we need to use pdns_control rediscovery for full file re-reading. It's a performance killer.

It would be fine if you added the ability to load one zone manually:
pdns_control bind-add-zone /etc/bind/newzone.com

Thank you!

My contacts: odintsov@fastvps.ru.",anon
3, Release,723,PowerDNS bind backend Exception: Unable to parse DNS TXT while TXT has non-latin symbol,auth,3.2,defect,normal,ahu,new,2013-03-27T10:51:46+0100,2013-03-28T10:21:50+0100,"Hello,

We have buggy zone:

{{{
$TTL    3600
lentewenc.com.  IN      SOA     ns3.fastvps.ru. support.fastvps.ru. (2012031902 10800 3600 604800 86400)
lentewenc.com.  IN      NS       ns3.fastvps.ru.
lentewenc.com.  IN      NS       ns4.fastvps.ru.
lentewenc.com.  IN      MX      10 mail
lentewenc.com.  IN      A        78.46.192.210
www     IN      A        78.46.192.210
mail    IN      A        78.46.192.210
*       IN      A        78.46.192.210
lentewenc.com.  IN      TXT     ""v=spf1 mx ip4:78.46.192.210 ?~@~Sall""
}}}

As you can see, there are non-ASCII symbols in the TXT record.

Bind outputs it as is:

{{{
host -t txt lentewenc.com ns3.fastvps.ru
Using domain server:
Name: ns3.fastvps.ru
Address: 46.4.4.96#53
Aliases: 

lentewenc.com descriptive text ""v=spf1 mx ip4:78.46.192.210 \226\128\147all""
}}}

But powerdns produces an error:
Mar 27 13:27:06 ns1 pdns[494]: Exception: Unable to parse DNS TXT '""v=spf1 mx ip4:78.46.192.210 –all""'
Mar 27 13:27:06 ns1 pdns[494]: Exception building answer packet (Unable to parse DNS TXT '""v=spf1 mx ip4:78.46.192.210 –all""') sending out servfail

Could you fix it?",anon
3, Release,728,pdns has /usr/local/lib in the rpath even though it was never specified at compile time,auth,3.2,defect,normal,ahu,new,2013-03-28T10:47:34+0100,2013-03-28T14:52:47+0100,"Hi,


When compiling powerdns on 64-bit Arch Linux, I get the following errors from our package checker (""namcap""):

pdns E: Insecure RPATH '/usr/local/lib' in file ('usr/sbin/pdns_server')
pdns E: Insecure RPATH '/usr/local/lib' in file ('usr/bin/pdnssec')
pdns E: Insecure RPATH '/usr/local/lib' in file ('usr/bin/dnsreplay')

As you can see from the current [https://projects.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/pdns PKGBUILD], ""/usr/local"" is never passed to ./configure, only these options:

./configure \
    --prefix=/usr \
    --sysconfdir=/etc/powerdns \
    --libexecdir=/usr/lib \
    --libdir=/usr/lib/powerdns \
    --mandir=/usr/share/man \
    --with-modules="""" \
    --with-dynmodules=""ldap pipe gmysql gpgsql gsqlite3 geo"" \
    --disable-recursor \
    --disable-static

Arch Linux normally doesn't use /usr/local at all and the prefix is set to ""/usr"".

I tried searching for ""/usr/local"" and replacing with ""/usr"" in configure and configure.ac, but the result was the same.

These are used:

linux 3.8.3
pdns 3.2
make 3.82
autoconf 2.69
automake 1.13.1


Unless I've missed a configuration option, /usr/local/lib should not be included in the rpath.


Best regards,
Alexander Rødseth",anon
3, Release,729,Fixes for goracle backend,auth,,defect,normal,ahu,new,2013-04-01T21:37:41+0200,2013-04-01T21:37:41+0200,"These fixes make goraclebackend at least work. It will not fix all problems, since some of the default SQLs in the module are incorrect, but it at least functions with basic dnssec and static records as native backend. ",anon
3, Release,731,recursor accepts unauth NOERROR into cache,recursor,3.5-recursor,defect,normal,ahu,reopened,2013-04-05T11:42:18+0200,2013-04-05T13:43:58+0200,"{{{
Apr 05 11:27:13 [2] allegro.pl.: Got 0 answers from gtmdc3.allegro.pl. (209.200.164.11), rcode=0, aa=0, in 30ms
Apr 05 11:27:13 [2] allegro.pl.: determining status after receiving this packet
Apr 05 11:27:13 [2] allegro.pl.: status=noerror, other types may exist, but we are done 
}}}

This response has aa=0, offers no SOA, yet Recursor (both 3.3 and 3.5-RC4) accepts it into the cache.",peter
3, Release,732,PowerDNS Bind backend with valid named.conf: Error in bind configuration '/etc/bind/named.conf' on line 1: syntax error,auth,3.2,defect,normal,ahu,new,2013-04-06T12:10:36+0200,2013-04-09T12:09:04+0200,"Hello,

We have the following issue with PDNS when we try pdns_control rediscover:
 Error in bind configuration '/etc/bind/named.conf' on line 1: syntax error

But the config is fine; we checked it via a full pdns restart:
Apr  6 14:16:10 ns2 pdns[15978]: [bindbackend] Done parsing domains, 2 rejected, 162772 new, 0 removed

After restart all works fine:
pdns_control rediscover
Ok Done parsing domains, 2 rejected, 0 new, 0 removed


Logs:
Apr  6 10:10:12 ns2 pdns[29063]: Error parsing bind configuration: Error in bind configuration '/etc/bind/named.conf' on line 1: syntax error

",anon
3, Release,733,pdns_control: Unknown command 'RETRIEVE',auth,3.1,defect,normal,ahu,new,2013-04-08T12:02:07+0200,2013-04-08T12:02:07+0200,"Hello,

While trying to force a zone update, I used the command 'pdns_control retrieve example.com', this resulted in:

# pdns_control retrieve example.com
Unknown command 'RETRIEVE'

The help command, ""pdns_control help"" hung. According to strace it was connecting to PDNS socket. 

At this time PDNS itself was working correctly. It was responding to queries. The logs do not show any issues or errors. Restarting pdns_server resolved the issue. pdns_control help works and also pdns_control retrieve worked like it should.

I am using the guardian.
I am using pdns Wheezy packages
",anon
3, Release,734,compilation ignores CONFIGDIR,recursor,3.5-recursor,defect,normal,ahu,new,2013-04-09T08:16:28+0200,2013-04-09T08:16:28+0200,CONFIGDIR in the recursor Makefile does not get compiled into the recursor at all.,peter
3, Release,736,Resolving CNAME answers from Lua hooks,recursor,3.5-recursor,enhancement,normal,ahu,new,2013-04-12T14:57:38+0200,2013-04-12T14:57:38+0200,"As Peter has advised us:

We ask for a functionality, to resolve CNAMEs which are generated in a Lua hook.

Currently it is possible to return CNAMEs from Lua hooks. But the answers are useless, because the corresponding RR is not added. So we have an answer which contains only the CNAME RR.

",anon
3, Release,737,recursor does not do additional processing,recursor,3.5-recursor,defect,normal,ahu,new,2013-04-16T16:49:46+0200,2013-04-16T16:49:46+0200,r3064 accidentally broke additional processing. We should probably just get rid of the two flags and the addCruft function.,peter
3, Release,738,the socket-listener thread in pdns_server dies,auth,3.2,defect,normal,ahu,new,2013-04-18T11:02:17+0200,2013-04-18T11:02:17+0200,"Pdns auth 3.2 on a 32bit Debian system, lost the thread in the guardian that listens on the socket to get pdns_control commands.

A ""strace"" stops on the connect() call to the socket.

A gdb ""thread apply all bt"" on the pdns_server process shows only 1 thread:

{{{

(gdb) thread apply all bt

Thread 1 (Thread 0xb772c6d0 (LWP 620)):
#0  0xb78c7424 in __kernel_vsyscall ()
#1  0xb77c42a6 in nanosleep () from /lib/i686/cmov/libc.so.6
#2  0xb77c40d0 in sleep () from /lib/i686/cmov/libc.so.6
#3  0x082dd276 in ?? ()
#4  0x082dfebe in main ()
}}}
",anon
3, Release,743,pdnssec show-zone does not show single non-active KSK,component1,,defect,normal,somebody,new,2013-04-22T15:06:34+0200,2013-04-22T15:08:37+0200,"I am using 'pdnssec show-zone' to get key_tag of the key to make sure that this key was properly removed from registry's zone.

But when I do zone unsigning, I first deactivate the key then wait till all RRSIGs die in all caches, and then remove DS-record from zone, wait and then check that the DS record disappeared in the registry's zone. To check that I need key_tag. But I can not get key_tag by 'pdnssec show-zone', because it says 'Zone is not secured' when there is no active KSK there. This is true, zone is not secured, but there is an inactive key, and I want to list it.

I will find a way to remember key_tag before I deactivate the key, but I think it would be a good thing to have a tool that lists all, even inactive, keys in the zone. Maybe with some note/warning that zone is not secured. Maybe it should do the same show-zone command. Maybe some other way... But I think users will need it.
",nataraj
3, Release,744,Enhance the output of pdnssec show-zone and add support for signature algorithm 4,auth,,enhancement,normal,ahu,new,2013-04-23T15:30:29+0200,2013-04-23T15:31:34+0200,This patch changes output of pdnssec show-zone to include information about algorithm names. It also adds support for algo 4 in DS generation. ,anon
3, Release,571,Unclear error message when securing zone when bind-dnssec-db cannot be found,auth,3.2,enhancement,trivial,ahu,new,2012-09-05T13:55:45+0200,2012-11-30T13:46:42+0100,"After setting up PowerDNS 3.1 (pdns-server-3.1-1.el6.MIND.x86_64), I tried to secure my first zone using pdnssec secure-zone, and got the warning:


{{{
Failed to secure zone. Is your backend dnssec enabled? (set
gsqlite3-dnssec, or gmysql-dnssec etc). Check this first.
If you run with the BIND backend, make sure you have configured
it to use DNSSEC with 'bind-dnssec-db' and 'pdnssec create-bind-db'!
}}}

I happily entered ""bind-dnssec-db"" in the config, and restarted, not giving any location for the DB at all which is how it's supposed to be (bind-dnssec-db=filename). I created a db with ""pdnssec create-bind-db test"" under the assumption that this location would somehow be internally communicated by the pdnssec command and the DB was created.

Again, trying to secure the zone, I still got the same error. 

Perhaps it's better to give a warning about not being able to find the bind-dnssec-db file when securing a zone, instead of a warning about ""is your backend dnssec enabled?""
",anon
3, Release,727,Unnecessary MySQL index is described as example in document.,documentation,,defect,trivial,ahu,new,2013-03-28T02:34:08+0100,2013-03-28T02:34:08+0100,"Document [http://doc.powerdns.com/html/configuring-db-connection.html#configuring-mysql] describes

--
 CREATE INDEX rec_name_index ON records(name);
 CREATE INDEX nametype_index ON records(name,type);
--

But `rec_name` index isn't necessary, because `name` column is leftmost prefix of `nametype_index`.",anon
4, Release,429,pdns_control --current-config,auth,3.2,enhancement,minor,ahu,new,2012-02-15T09:57:27+0100,2012-11-30T14:33:34+0100,"Just like pdns_server --config provides a default configuration file for the authoritative server it might be worth it having the ability to dump the configuration variables and their values as currently used by the server via pdns_control in case people lose their pdns.conf file or when runtime configuration of these values is introduced.

 zaphodb@zaphods.net",anon
4, Release,445,Documentation could be more specific about OpenDBX,documentation,3.0,enhancement,minor,ahu,new,2012-04-09T18:21:23+0200,2012-04-09T18:21:23+0200,"The current official PowerDNS documentation links to OpenDBX wiki pages, which state:

""The OpenDBX backend is included in the PowerDNS source tree. Additionally, you can get the latest patches for the PowerDNS OpenDBX backend from the download page. You will also need the OpenDBX library to be able to use the OpenDBX backend.""

which is unclear as to whether the OpenDBX library sources are included with PowerDNS or not. On operating systems which do not come with OpenDBX libraries by default, the determination of the fact that PowerDNS requires the OpenDBX libraries to be built as a prerequisite is one of trial and error.

Section 11., ""OpenDBX backend"" could for example state that PowerDNS requires OpenDBX libraries to be built and installed before attempting to build PowerDNS, as PowerDNS built-in code needs to link with the OpenDBX libraries if that backend is selected.",anon
4, Release,535,pdnssec check-zone does not capture rfc1034 3.6.2 (3rd para) violation,auth,3.2,enhancement,minor,ahu,new,2012-07-18T10:37:15+0200,2013-01-07T13:07:22+0100,"Hi, 

pdnssec check-zone does not complain about CNAMEs pointing to the zone name. This results in no SOA/NS responses.

Wesley Hof.

",anon
4, Release,547,Have pdnssec check-zone check for conflicting hostnames,auth,3.2,enhancement,minor,ahu,new,2012-08-08T16:38:52+0200,2013-01-07T13:07:41+0100,"When there are overlapping zones in PDNS, eg. 'example.com' and 'foo.example.com', and zone 'example.com' has record 'foo.example.com', the host 'foo.example.com' will fail DNSSEC validation.

It would be helpful if pdnssec check-zone would log this.",anon
4, Release,554,please indicate generated files in source,auth,3.1,enhancement,minor,ahu,new,2012-08-15T17:45:07+0200,2012-08-19T21:49:54+0200,"Hi,

as I just found out, pdns/backends/bind/dnslabeltext.cc is generated at build time. This freaks out build toolchains that check whether the build changed files that it shouldn't have changed.

Please

 (1) either do not include generated source files in release tarballs and zap them on clean or


 (2) have the generated code contain comments that say that this is generated content and OK to change during build.

Thanks from your friendly Debian packager.

Greetings

Marc
",anon
4, Release,607,pdnssec check-zone should check if double record types exists,auth,3.2,defect,minor,ahu,new,2012-10-31T10:17:33+0100,2013-01-07T13:08:22+0100,"Hi,

Yesterday we found a small issue if a duplicate A record exists in the database. The master did (or did not) output a wrong RRSIG. This was the result of a duplicate A record (same name, content, ttl, etc).

It would be nice if the pdnssec check-zone checked for this to make sure master-slave scenarios keep working and output the correct RRSIG.",anon
4, Release,624,HINFO with quoted values,auth,,defect,minor,ahu,new,2012-11-28T20:09:12+0100,2012-11-28T20:09:12+0100,"When I ran the example.com zone file from the regression tests through zone2sql the result for the HINFO record's content was '""abc"" ""def""' whereas I expected it to be 'abc def'. It seems this is allowed by the spec but it is contrary to how the documentation indicates the HINFO should be stored. I'm not sure how PowerDNS reacts to this data but it may not like it.",anon
4, Release,213,PowerDNS has a bogus concept of `valid DNS names' that gets in the way of correct answers for legitimate queries,auth,3.2,defect,normal,ahu,reopened,2008-12-21T05:05:27+0100,2012-12-17T16:14:28+0100,"Quoth RFC 1035, Section 3.1 Name space definitions:  Although labels can contain any 8 bit values in octets that make up a label, it is strongly recommended that labels follow the preferred syntax described elsewhere in this memo, which is compatible with existing host naming conventions.

When I query a PowerDNS server for a name in a zone for which it is not authoritative, if that name contains any octets whose US-ASCII interpretations are neither alphanumeric, dot, hyphen, underscore, slash, nor at-sign, then the PowerDNS server immediately returns a SERVFAIL response, rather than usefully returning NS records for the zone.  This makes legitimate queries fail unless the agent performing the queries knows ahead of time what server is actually authoritative for the zone.

The culprit, I believe, is packethandler.cc's validDNSName, and its use in questionOrRecurse.  Anything that accidentally relies on the conditions of validDNSName, especially on names in zones for which the PowerDNS server is not authoritative, should be fixed, and questionOrRecurse should not respond with SERVFAIL.",anon
4, Release,470,over-sensitive when reporting retrieve/refresh faults,auth,2.9.21,enhancement,normal,ahu,new,2012-05-12T10:16:53+0200,2012-08-13T13:59:27+0200,"This is Debian bug #397360, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397360

Text follows:
I have server B slave a bunch of zones from server A, and every 1-2
days, server B will complain:

  Error trying to retrieve/refresh 'my.zone.net': Timeout waiting
  for answer

I just captured what's going on on A and B at the time with tcpdump:

B:
  IP 82.197.162.59.14354 > 213.203.238.82.53:  38606 SOA? debian-system.info. (36)
  IP 82.197.162.59.19421 > 213.203.238.82.53:  53145 SOA? debian-system.info. (36)
  IP 213.203.238.82.53 > 82.197.162.59.19421:  53145*- 1/0/0 SOA[|domain] 

A:
  IP 82.197.162.59.14354 > 213.203.238.82.53:  38606 SOA? debian-system.info. (36)
  IP 213.203.238.82.53 > 82.197.162.59.14354:  38606*- 1/0/0 SOA[|domain]
  IP 82.197.162.59.19421 > 213.203.238.82.53:  53145 SOA? debian-system.info. (36)
  IP 213.203.238.82.53 > 82.197.162.59.19421:  53145*- 1/0/0 SOA[|domain]

As you can see from the query IDs, B sent a query, A answered, but
B did not get this answer (it's UDP after all...). B sends another
request two seconds later, which A again answers; this time, the
answer arrives.

Nevertheless, B has written the above warning to the logs.

I would suggest that it did not write this warning until 2-3 retries
have failed. As it stands, I got the warning but the retrieve/refresh did actually work.",anon
4, Release,524,Dyndns-like functionality,auth,3.2,enhancement,normal,ahu,new,2012-07-08T21:28:35+0200,2012-12-17T16:04:44+0100,"As most of the free Dynamic-dns providers have gone AWOL or are charging for their dynamic DNS services, I was looking into setting up a service like that on my own nameserver.

If powerDNS would be enhanced with a plugin/module/app that emulates the commonly used dyndns.org API (which basically is 1 HTTP GET with data as URL parameters), I would certainly use that over a paid ddns service. Also, I trust my own servers more than a dynamic DNS provider, who are in the position of doing potential MITM's.

I have no clue as to the architecture of powerdns, so I can not imagine how trivial this is. I would assume a simple CGI-script would suffice, with minor configuration.",anon
4, Release,601,update rec_control commands in documentation,documentation,,enhancement,normal,ahu,new,2012-10-17T09:12:16+0200,2012-10-17T09:12:16+0200,"There is at least one command missing: reload-acls , which could be considered important if one would like to reload the ACL list without restarting the recursor.

There may be other commands missing.

Maybe a 'help' command to rec_control would be nice to show all the commands and a short description of each, and a reference to the documentation for more info.",anon
4, Release,689,Sometimes segmentation fault if starting with a faulty lua script,recursor,3.5-recursor,defect,normal,ahu,new,2013-01-29T11:01:31+0100,2013-02-28T13:39:09+0100,"Sometimes I get a segfault if I try to start pdns_recursor 3.5-rc1 (AND earlier) with a faulty lua script.

To force the error, simply type

{{{
echo x > test.lua
/usr/sbin//pdns_recursor --daemon=no --lua-dns-script=test.lua --threads=8
}}}

Try this many times and you will (hopefully) see.

My system is a SLES11-SP2 x86_64. The Recursor was built at OBS:
[https://build.opensuse.org/package/show?package=pdns-recursor&project=home%3Apaddg]",anon
4, Release,713,distributor-threads and receiver-threads have the same description in config file,auth,3.2,defect,normal,ahu,new,2013-03-05T20:22:13+0100,2013-03-19T09:51:29+0100,"But I bet they do something else :) I tried to find out what, but receiver-threads isn't documented.

[ruben@odin ~/src/powerdns/pdns (master)]$ git grep -E '(receiver|distributor)-threads' pdns.conf-dist 
pdns.conf-dist:# distributor-threads    Default number of Distributor (backend) threads to start
pdns.conf-dist:# distributor-threads=3
pdns.conf-dist:# receiver-threads       Default number of Distributor (backend) threads to start
pdns.conf-dist:# receiver-threads=1",anon
5, Release,477,lua-pdns-recursor uses positive stack indexes,recursor,3.5-recursor,enhancement,minor,ahu,new,2012-05-25T18:40:04+0200,2013-01-10T16:10:35+0100,"Many lua_to* calls in lua-pdns-recursor.cc use positive stack indexes. These presume that the stack is in a known stable state. If any recursion is ever introduced, or if any method 'leaks' a stack entry, all these offsets break. These positive indexes also make some methods hard to use in other ways than originally intended.

One could argue that this breakage makes stack leaks easy to catch; if that is deemed important, I would suggest checking stack size (lua_gettop) in some useful places.",peter
5, Release,115,Support for 8-bit domain names,auth,3.2,enhancement,normal,ahu,assigned,2006-12-17T01:37:16+0100,2012-10-05T16:14:38+0200,"PowerDNS should support 8-bit domain names, i.e. domains containing bytes with a value >127.

Logically, the domain names stored in the backend database can be considered to be made up of Unicode characters (unless the backend database is unaware of character encoding, see below).  The important question is what the desired wire encoding should be, i.e. to which character encoding domain names should be transformed when sending them on the wire or when comparing them to names received from the wire.

This wire encoding could be determined from a configuration setting (either in the global PDNS config file or perhaps even as a field in the domains/zones table -- well, maybe not).  As a fall-back, the backend database's native storage encoding could be used.  For example, on a PostgreSQL database, this information can be read from the ""{{{server_encoding}}}"" run-time parameter:

{{{
 julian=# SHOW server_encoding;
  server_encoding
 -----------------
  UTF8
 (1 row)
}}}

(The main reason for falling back on the database server encoding for the wire encoding would be that the admin probably intended to express domain names in the database encoding.)

However we definitely don't want to implement any recoding logic in PowerDNS, so this needs to be left to the database.  Again, for example, PostgreSQL supports setting a ""{{{client_encoding}}}"" run-time parameter:

{{{
julian=# SET client_encoding='UTF8';
SET
julian=# SHOW client_encoding;
 client_encoding
-----------------
 UTF8
(1 row)
}}}

So, PDNS would read the desired wire encoding from its config file and instruct the database server to interpret input to be in that encoding and return query results in that encoding.

Suppose, for example, that PDNS is configured with a PostgreSQL backend and a desired wire encoding of UTF-8.  PDNS would connect to the PostgreSQL database and set a ""{{{client_encoding}}}"" of ""UTF8"".  Then, when a query for the domain name

{{{
\xE3\x81\x93\xE3\x82\x93\xE3\x81\xAB\xE3\x81\xA1\xE3\x81\xAF.example.com.
}}}

arrives, PDNS would pass that in a query to the PostgreSQL database.  The database would interpret it as ""こんにちは.example.com"" (based on the configured client encoding) and execute the query.

I'm sorry that I cannot offer much expertise with regard to other databases or LDAP.  They always ''should'' store their data in ''some'' defined encoding, but some may be totally ignorant towards character encoding issues.  And even if they have a clue, they may not offer recoding of data.  In those cases, it should be acceptable for PDNS to just treat the data as opaque 8-bit strings.

Finally, one might come to think that there is an issue when a DNS query has a domain name encoded in a different encoding than the PDNS server has stored.  This is not actually an issue, though, because DNS doesn't know any concept of character encoding and treats everything as 8-bit opaque.  Thus, if a query doesn't arrive in the same encoding in which the backend data is stored, then that 8-bit domain simply does not exist at the server and PDNS can safely return an empty answer (or whatever is appropriate).",anon
5, Release,340,Issues in http://doc.powerdns.com/recursor-stats.html,documentation,,defect,trivial,ahu,new,2011-02-10T17:45:14+0100,2011-02-10T17:45:14+0100,"- not mentioned in web page:
  - case-mismatches
  - edns-ping-(mis)matches
  - noedns-outqueries
  - noping-outqueries
  - throttled-outqueries
  - unreachables
- is not printed by recursor 3.3
  - max-mthread-stack
- nsspeeds-entries and nssset-invalidations are in the wrong order
",anon
5, Release,348,"""pdnssec set-nsec3"" should accept more than one domain",auth,3.2,enhancement,trivial,ahu,new,2011-03-30T20:33:26+0200,2012-11-30T14:34:14+0100,"Today, set-nsec3 accepts only a domain.

Looking at ""pdnssec secure-zone"", I think that set-nsec3 should have the same behavior: accept more domains for a performance increase.

It could be something like ""pdnssec set-nsec3 [DOMAIN 'PARAMS' [narrow]]...""

So, it could be called in that way:

pdnssec set-nsec3 example1.com '1 1 1 aa' example2.com '1 1 1 ab' narrow example3.com '1 1 1 ac' narrow

",anon
4,milestone1 Release,642,Exception: Parsing record content should tell more about the record with problems,auth,3.2,enhancement,normal,ahu,new,2012-12-21T09:53:05+0100,2013-01-07T13:08:47+0100,"Today, I see a lot of errors in our logs. (Copied below [1])

With this error, it's very hard to find the record which causes the problem. We are using the Mysql-backend.

'pdnssec check-all-zones' reports no errors.
I think it's a problem with an empty TXT record in the database.

The exception should give some extra information like query with problems or the record id from the database.

Additional to the above, the zone checker should give an error or warning on the records.

[1]:
Dec 21 09:25:29 ns2 pdns[32355]: Exception: Parsing record content: Data field in DNS should start with quote ("") at position 0 of '.'
Dec 21 09:25:29 ns2 pdns[32355]: Exception building answer packet (Parsing record content: Data field in DNS should start with quote ("") at position 0 of '.') sending out servfail",anon
