
Patch: RRSIG-records for wildcard records in presigned zones with PowerDNS 3.1 auth (ticket 460)

Hi,

Please find attached a patch for the issue I rambled on about in ticket 460.

In short: when running a zone in presigned mode and querying a name for which only a matching *.domain.com
record exists, PowerDNS does not add an RRSIG record to the result. The attached patch lets PowerDNS add
the RRSIG record for the wildcard record with the same name as the original queried name, which is
identical to the records PowerDNS returns when doing live signing.

Kind regards,

-- 
Sebastiaan Hoogeveen
<s.hoogeveen <at> nederhost.nl>

Attachment (pdns-ticket-460.diff): application/octet-stream, 2893 bytes
_______________________________________________
Pdns-dev mailing list
Pdns-dev <at> mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-dev
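As an added illustration of the behaviour the patch above is about (example code, not the attached diff and not PowerDNS's own code): in a presigned zone the RRSIG stored for `*.domain.com` is served under the queried name, with its Labels field still describing the wildcard owner (RFC 4034 section 3.1.3), which is exactly what a validating resolver uses to detect the expansion and reconstruct the name the signature really covers (RFC 4035 section 5.3.4). The zone dictionary and RRSIG rdata below are constructed sample data; the signature value is a placeholder and only the name handling is exercised.

```python
"""Wildcard-expanded answers and the RRSIG Labels field.
Added example, not PowerDNS code; ZONE below is constructed sample data."""

from typing import Optional


def name_labels(name: str) -> list:
    # Presentation-format name -> label list, root label dropped.
    return [l for l in name.rstrip(".").split(".") if l]


def rrsig_labels_for_owner(owner: str) -> int:
    # RFC 4034 s3.1.3: count labels, excluding the root and a leading '*'.
    labels = name_labels(owner)
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)


def name_exists(zone: dict, name: str) -> bool:
    # A name exists if it owns records or is an ancestor of one that does
    # (an empty non-terminal), RFC 4592 s2.2.2.
    return any(o == name or o.endswith("." + name) for o in zone)


def closest_wildcard(zone: dict, qname: str) -> Optional[str]:
    # Walk up from qname: a wildcard only applies if no name exists between
    # qname and the wildcard's parent (the closest encloser).
    labels = name_labels(qname)
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:]) + "."
        if "*." + ancestor in zone:
            return "*." + ancestor
        if name_exists(zone, ancestor):
            return None  # closest encloser found, but it has no wildcard child
    return None


def presigned_lookup(zone: dict, qname: str, qtype: str) -> list:
    """Answer from a presigned zone: the matching records and the stored RRSIG
    covering qtype are returned under the queried name, whether the match was
    exact or via a wildcard.  The RRSIG rdata (Labels included) is unchanged."""
    owner = qname if qname in zone else closest_wildcard(zone, qname)
    if owner is None:
        return []
    answer = []
    for rtype, rdata in zone[owner]:
        if rtype == qtype or (rtype == "RRSIG" and rdata["type_covered"] == qtype):
            answer.append({"owner": qname, "type": rtype, "rdata": rdata})
    return answer


def wildcard_covered_by(owner: str, rrsig_labels: int) -> Optional[str]:
    """Validator side (RFC 4035 s5.3.4): a Labels value smaller than the owner
    name's label count means wildcard expansion; return the wildcard owner the
    signature was computed over, or None for a non-wildcard answer."""
    labels = name_labels(owner)
    if rrsig_labels > len(labels):
        raise ValueError("RRSIG Labels field exceeds owner name label count")
    if rrsig_labels == len(labels):
        return None
    return "*." + ".".join(labels[len(labels) - rrsig_labels:]) + "."


# Constructed sample zone: a wildcard plus one ordinary name under it.
ZONE = {
    "domain.com.": [("SOA", {"mname": "ns1.domain.com."})],
    "bar.domain.com.": [("A", {"address": "192.0.2.2"})],
    "*.domain.com.": [
        ("A", {"address": "192.0.2.1"}),
        ("RRSIG", {"type_covered": "A",
                   "labels": rrsig_labels_for_owner("*.domain.com."),
                   "signer": "domain.com.", "signature": "<placeholder>"}),
    ],
}

if __name__ == "__main__":
    answer = presigned_lookup(ZONE, "foo.domain.com.", "A")
    for rr in answer:
        print(rr)
    sig = [rr for rr in answer if rr["type"] == "RRSIG"][0]
    print("signature covers:", wildcard_covered_by(sig["owner"], sig["rdata"]["labels"]))
```

Note the closest-encloser rule in `closest_wildcard`: a query for `x.bar.domain.com.` gets no wildcard answer because `bar.domain.com.` exists, and a correct presigned response for that case would instead need the NSEC/NSEC3 records proving it, which this sample does not model.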
Peter van Dijk | 4 May 13:35

PowerDNS Authoritative Server 3.1 has been released


Hi everybody,

PowerDNS Authoritative Server 3.1 is now available!

3.1 is the best version of the PowerDNS Authoritative Server currently
available, and we recommend upgrading to it. Please read 
http://doc.powerdns.com/from3.0to3.1.html before you do, however!

If you are coming from 2.9.x, please read
http://doc.powerdns.com/upgrades.html#from2.9to3.0 in addition to the 3.0->3.1
notes.

Please see http://doc.powerdns.com/changelog.html#changelog-auth-3-1 for full
release notes and all download links.

You can get PowerDNS 3.1 from:

http://downloads.powerdns.com/releases/pdns-3.1.tar.gz
http://downloads.powerdns.com/releases/deb/pdns-static_3.1-1_i386.deb
http://downloads.powerdns.com/releases/deb/pdns-static_3.1-1_amd64.deb
http://downloads.powerdns.com/releases/rpm/pdns-static-3.1-1.i386.rpm
http://downloads.powerdns.com/releases/rpm/pdns-static-3.1-1.x86_64.rpm

These files also come with GPG signatures (append .sig).

Additionally, Kees Monshouwer has kindly provided native builds for RHEL/CentOS
5 and 6 at http://www.monshouwer.eu/download/3rd_party/pdns-server/

Please see http://doc.powerdns.com/changelog.html#changelog-auth-3-1 for full

Muntasir Rahman | 4 May 06:47

lua script to synthesize AAAA record from A record

Hi All,

My boss asked me to modify PDNS to be able to support the DNS64 specification. The DNS64 specification mandates that a DNS resolver synthesize an AAAA record from an A record if the AAAA record is missing. I started with the Lua script example of the PDNS recursor, but I could not find any clue on how to get the A record from the nodata function parameters:

http://wiki.powerdns.com/trac/browser/branches/pdns-dns64/pdns/powerdns-example-script.lua

function nodata ( remoteip, domain, qtype, records )
    print ("nodata called for: ", remoteip, getlocaladdress(), domain, qtype)
    if qtype ~= pdns.AAAA then return -1, {} end  --  only AAAA records
    setvariable()
    return "getFakeAAAARecords", domain, "fe80::21b:77ff:0:0" -- here I need to return ::ffff:ipv4.dotted.decimal.format
end

I would like to do something like this

    ipv4 = "1.2.3.4" -- how do I get this data from the recursor ???
    ipv6 = "::ffff:" .. ipv4  -- synthesized representation of IPv4 in IPv6
    return "getFakeAAAARecords", domain, ipv6

My question is:
- how do I get IPv4 data using the Lua API in the above script examples?

Regards,
Muntasir

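The recursor-side decision the question describes (only rewrite an AAAA query, only when no native AAAA exists, only from the name's A records), as an added example in Python rather than the recursor's Lua API, which this example does not use and does not stand for. The address embedding follows RFC 6052 with the well-known prefix 64:ff9b::/96 as Pref64 (any /96 can be passed instead); the `SAMPLE` table stands in for the resolver's answers and is constructed data. One caveat worth keeping in mind on the defensive side: a synthesized AAAA carries no RRSIG, so a validating client behind a DNS64 resolver will see unsigned data for those names.

```python
"""DNS64 synthesis decision logic (RFC 6147) with RFC 6052 embedding.
Added example, not the PowerDNS recursor's Lua API; SAMPLE is constructed."""

import ipaddress
from typing import Callable, Dict, List, Tuple

WELL_KNOWN_PREF64 = "64:ff9b::/96"   # RFC 6052 s2.1 well-known prefix


def synthesize_aaaa(ipv4: str, pref64: str = WELL_KNOWN_PREF64) -> str:
    """Embed a dotted-quad in the low 32 bits of a /96 Pref64 (RFC 6052 s2.2)."""
    net = ipaddress.IPv6Network(pref64)
    if net.prefixlen != 96:
        raise ValueError("only a /96 Pref64 is handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(net.network_address) | int(v4)))


def dns64_answer(domain: str, qtype: str,
                 lookup: Callable[[str, str], List[str]],
                 pref64: str = WELL_KNOWN_PREF64) -> Tuple[List[str], bool]:
    """Return (rdata list, synthesized?).
    Only an AAAA query that yields no native AAAA data is rewritten, and only
    when the same name has A records; everything else passes through."""
    native = lookup(domain, qtype)
    if qtype != "AAAA" or native:
        return native, False
    v4s = lookup(domain, "A")
    if not v4s:
        return [], False          # genuine NODATA/NXDOMAIN: leave it alone
    # Synthesized records are unsigned: no RRSIG can accompany them.
    return [synthesize_aaaa(a, pref64) for a in v4s], True


# Constructed stand-in for the recursor's cache / upstream answers.
SAMPLE: Dict[Tuple[str, str], List[str]] = {
    ("v4only.example.", "A"): ["192.0.2.33", "198.51.100.7"],
    ("dual.example.", "A"): ["192.0.2.1"],
    ("dual.example.", "AAAA"): ["2001:db8::1"],
}


def sample_lookup(domain: str, qtype: str) -> List[str]:
    return SAMPLE.get((domain, qtype), [])


if __name__ == "__main__":
    for name in ("v4only.example.", "dual.example.", "missing.example."):
        print(name, dns64_answer(name, "AAAA", sample_lookup))
```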
Tibor Benke | 2 May 09:47

New feature request

Hi,

I asked a question on the pdns-users list about the AXFR notification of
the bindbackend and they said I should send a feature request. I was
looking for a feature which can send Notify messages not only to all
IPs of NS records in zones but also to a list of IPs. I want to
restrict the messages. How can I suggest this feature? I didn't find
this solution on Trac; I don't have an account for it.

Sincerely,
Tibor
Peter van Dijk | 28 Apr 18:53

UPDATED important security information for DNSSEC users


Dear PowerDNS Authoritative Server users,

Summary: DNSSEC keys generated with 3.1-RC1, RC2 and SVN builds between
February 14th and April 28th may be weak.

Earlier this week the PolarSSL team released version 1.1.2 of their library.
This is a security release; their advisory is at
http://polarssl.org/trac/wiki/SecurityAdvisory201201

PolarSSL 1.1.1 (which has the defects described in the advisory) was imported
into PowerDNS SVN on February 14th, in revision 2396. This means that PowerDNS
3.0 was not using the affected version. We have confirmation from the PolarSSL
team that the version of PolarSSL used in PowerDNS 3.0 is free of these issues.

For PowerDNS, the issues in this advisory impact RSA key generation, which is
the default for pdnssec secure-zone.

PowerDNS 3.1-RC1 and RC2, and any build from SVN between revision 2396 and
2585, may be affected. If you have generated keys with any of these versions,
assuming they were built with PolarSSL, we recommend replacing those keys.
Make sure to replace your keys carefully (i.e. do a correct DNSSEC key
rollover) to avoid making your domain invisible to validating resolvers.

Our official static packages are built with both Botan and PolarSSL; when
both are present, PowerDNS prefers Botan. This means our static packages
for 3.1-RC1 and RC2 are not affected.

If you have done your own build of PowerDNS in the affected revision range,
run 'pdnssec test-algorithm'. If you see 'Botan RSA' alongside 'PolarSSL RSA',
your build is not affected as Botan will have been used to generate your keys.

Please let us know if you require assistance, or have further questions.

PolarSSL has been upgraded to 1.1.2 as of PowerDNS SVN revision 2586. Releases
and release candidates *after* 3.1-RC2 will include PolarSSL 1.1.2 as well.

Our apologies for the inconvenience.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
Peter van Dijk | 28 Apr 16:53

important security information for DNSSEC users


Dear PowerDNS Authoritative Server users,

Summary: DNSSEC keys generated with 3.1-RC1, RC2 and SVN builds between
February 14th and April 28th may be weak.

Earlier this week the PolarSSL team released version 1.1.2 of their library.
This is a security release; their advisory is at
http://polarssl.org/trac/wiki/SecurityAdvisory201201

For PowerDNS, the issues in this advisory impact RSA key generation, which is
the default for pdnssec secure-zone.

PolarSSL 1.1.1 (which has the defects described in the advisory) was imported
into PowerDNS SVN on February 14th, in revision 2396. This means that PowerDNS
3.0 was not using the affected version. We have confirmation from the PolarSSL
team that the version of PolarSSL used in PowerDNS 3.0 is free of these issues.

PowerDNS 3.1-RC1 and RC2, and any build from SVN between revision 2396 and
2585, are affected. If you have generated keys with any of these versions, we
recommend replacing those keys. Make sure to replace your keys carefully (i.e.
do a correct DNSSEC key rollover) to avoid making your domain invisible to
validating resolvers.

Please let us know if you require assistance, or have further questions.

PolarSSL has been upgraded to 1.1.2 as of PowerDNS SVN revision 2586. Releases
and release candidates *after* 3.1-RC2 will include PolarSSL 1.1.2 as well.

Our apologies for the inconvenience.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
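Both advisories above (the original and the updated one) tell operators to replace RSA keys generated by affected builds. As an added example, not from the advisories and not PowerDNS code, here is the consistency check a practitioner would run on a stored key before and after a rollover: it parses the BIND-style "Private-key-format" text (assumed here to be the layout of the stored key; only the Modulus, PublicExponent, PrivateExponent, Prime1 and Prime2 lines are read) and verifies the invariants every correct RSA key satisfies: both primes are actually prime, their product is the modulus, and e and d are inverses modulo lcm(p-1, q-1). It does not reproduce or detect the specific PolarSSL defect; a key that passes these checks may still have been produced by a weak generator, so the advisory's rollover advice stands regardless, and a key that fails them is certainly broken. The two sample keys are constructed textbook-sized values, not real keys.

```python
"""Consistency check for an RSA private key in BIND-style text form.
Added example, not PowerDNS code.  GOOD_KEY/BAD_KEY are constructed,
textbook-sized samples (not real DNSSEC keys)."""

import base64
import math
import secrets
from typing import Dict, List

FIELDS = ("Modulus", "PublicExponent", "PrivateExponent", "Prime1", "Prime2")


def parse_private_key(text: str) -> Dict[str, int]:
    """'Name: base64' lines -> {name: big-endian integer} for FIELDS."""
    ints = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, value = (s.strip() for s in line.split(":", 1))
        if name in FIELDS:
            ints[name] = int.from_bytes(base64.b64decode(value), "big")
    missing = [f for f in FIELDS if f not in ints]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return ints


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with fixed small bases plus `rounds` random bases."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    bases = list(small) + [secrets.randbelow(n - 3) + 2 for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_rsa_private_key(text: str) -> List[str]:
    """Return the list of problems found; an empty list means consistent."""
    k = parse_private_key(text)
    n, e, d, p, q = (k[f] for f in FIELDS)
    problems = []
    if not is_probable_prime(p):
        problems.append("Prime1 is composite")
    if not is_probable_prime(q):
        problems.append("Prime2 is composite")
    if p * q != n:
        problems.append("Modulus != Prime1 * Prime2")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    if (e * d) % lam != 1:
        problems.append("PublicExponent * PrivateExponent != 1 mod lcm(p-1, q-1)")
    if e < 3 or e % 2 == 0:
        problems.append("PublicExponent must be odd and greater than 1")
    return problems


def _b64(x: int) -> str:
    return base64.b64encode(x.to_bytes((x.bit_length() + 7) // 8, "big")).decode()


def make_key_text(n: int, e: int, d: int, p: int, q: int) -> str:
    # Constructed text in the BIND-style layout (assumed), demo-sized numbers.
    return "\n".join([
        "Private-key-format: v1.2",
        "Algorithm: 8 (RSASHA256)",
        "Modulus: " + _b64(n),
        "PublicExponent: " + _b64(e),
        "PrivateExponent: " + _b64(d),
        "Prime1: " + _b64(p),
        "Prime2: " + _b64(q),
    ])


GOOD_KEY = make_key_text(3233, 17, 2753, 61, 53)   # consistent textbook key
BAD_KEY = make_key_text(3339, 17, 2753, 63, 53)    # 63 is not prime

if __name__ == "__main__":
    print("good:", check_rsa_private_key(GOOD_KEY) or "ok")
    print("bad: ", check_rsa_private_key(BAD_KEY))
```

Run it against each key file from the affected revision range; any key that reports a composite prime or a failed inverse check must be rolled with a proper rollover rather than simply deleted, for the reason the advisory gives.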
Peter van Dijk | 14 Apr 17:07

PowerDNS Authoritative Server 3.1 Release Candidate 2 available


Hi everybody,

Release Candidate 2 of the PowerDNS Authoritative Server 3.1 is available from:

http://powerdnssec.org/downloads/pdns-3.1-rc2.tar.gz
http://powerdnssec.org/downloads/packages/pdns-static-3.1rc2-1.i386.rpm
http://powerdnssec.org/downloads/packages/pdns-static-3.1rc2-1.x86_64.rpm
http://powerdnssec.org/downloads/packages/pdns-static_3.1-rc2-1_amd64.deb
http://powerdnssec.org/downloads/packages/pdns-static_3.1-rc2-1_i386.deb

Additionally, Kees Monshouwer has kindly provided native builds for RHEL/CentOS
5 and 6 at http://www.monshouwer.eu/download/3rd_party/pdns-server/rc2/

You are cordially invited to (carefully) test this Release Candidate for
correct behaviour. Specifically, if you are using any backends other than
gmysql, gpgsql, gsqlite3 or bind, PLEASE test this candidate.

Full release notes, with clickable links, will be available from:
http://doc.powerdns.com/changelog.html#changelog-auth-3-1

Changes between RC1 and RC2:

* We imported the TinyDNS backend by Ruben d'Arco. Code mostly in commit 2559.
  See Section 15, “TinyDNS Backend”.

* Overriding C(XX)FLAGS is easier now. Problem pointed out by Jose Arthur
  Benetasso Villanova and others, fix suggested by Sten Spans. Patch in commit
  2533.  

* TSIG fixes: skip embedded spaces in keys (commit 2536), compute signatures
  correctly (by Ruben d'Arco in commit 2547),  

* nproxy, dnsscan and dnsdemog did not compile at all. Fixes in commit 2538,
  commit 2554.  

* We now allow unescaped tabs in TXT records. Fix in commit 2539.  

* SOA records no longer disappear during incoming transfers. Fix by Ruben
  d'Arco in commit 2540.  

* PowerDNS compiles on OS X (and other platforms that support our auth server
  but not the recursor) again, fix in commit 2566.  

* Cleanups related to warnings from gcc and valgrind in commit 2561, commit
  2562, commit 2565.  

* Solaris compatibility fixes by Ruben d'Arco, Juraj Lutter and others in
  commit 2548, commit 2552, commit 2553, commit 2560. Fixes for *BSD in commit
  2546.  

* pdns_control help would report 'version' twice, reported by Gerwin, fix in
  commit 2549.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
James Cloos | 14 Apr 00:27

TLSA RR Assigned

IANA has assigned the TLSA RR as 52.  This patch keeps qtype sorted but
leaves the method call in dnsrecords where it was.  Please apply before
the upcoming release.

Index: pdns/pdns/qtype.cc
===================================================================
--- pdns/pdns/qtype.cc	(revision 2566)
+++ pdns/pdns/qtype.cc	(working copy)
@@ -66,6 +66,7 @@
       insert("DNSKEY", 48);
       insert("NSEC3", 50);
       insert("NSEC3PARAM", 51);
+      insert("TLSA",52);
       insert("SPF",99);
       insert("IXFR",251);
       insert("AXFR",252);
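Review bot: `insert("TLSA",52);` drops the space after the comma that its neighbours (`insert("NSEC3PARAM", 51);`) have; match the surrounding style. Since the whole point of the patch is to move from a private-use code to the IANA assignment, a one-line comment next to this entry naming it as the IANA-assigned value would stop someone re-adding 65468 later.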
@@ -75,7 +76,6 @@
       insert("CURL",258);
       insert("ADDR",259);
       insert("DLV",32769);
-      insert("TLSA",65468);
     }
 }
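Review bot: removing `insert("TLSA",65468);` means anything stored while the private-use code was in effect will no longer resolve by name to TLSA; the commit message should say so, so that operators who loaded TLSA data with the 3.1 release candidates know to check and re-enter those records under type 52.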

Index: pdns/pdns/dnsrecords.cc
===================================================================
--- pdns/pdns/dnsrecords.cc	(revision 2566)
+++ pdns/pdns/dnsrecords.cc	(working copy)
@@ -223,7 +223,7 @@
         	 conv.xfrBlob(d_certificate);
         	 )
 		 
-boilerplate_conv(TLSA, 65468, 
+boilerplate_conv(TLSA, 52, 
         	 conv.xfr8BitInt(d_certusage); 
         	 conv.xfr8BitInt(d_selector); 
         	 conv.xfr8BitInt(d_matchtype); 
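Review bot: the type code now has to agree in two places, `boilerplate_conv(TLSA, 52,` here and `insert("TLSA",52);` in qtype.cc; a mismatch compiles cleanly and only shows up at runtime, so consider deriving the number from the QType table or at least cross-referencing the two entries in a comment. The `boilerplate_conv(TLSA, 52, ` line also carries trailing whitespace.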

-JimC
-- 
James Cloos <cloos <at> jhcloos.com>         OpenPGP: 1024D/ED7DAEA6
Ask Bjørn Hansen | 12 Apr 00:57

pdns 3.1rc2 doesn't compile on OS X

Hi everyone,

With this configure command 3.0.1 compiles and works fine (for development anyway) on OS X Lion.  3.1rc2
aborts the compile with the error below.

Ask

$ ./configure --with-mysql-includes=/opt/local/include/mysql5
--with-mysql-lib=/opt/local/lib/mysql5 --with-boost=/opt/local --disable-recursor && make -j4

[....]

g++ -DHAVE_CONFIG_H -I. -I..  -Ibackends/bind -I/opt/local/include  
-DSYSCONFDIR=\"/usr/local/etc\" -DLIBDIR=\"/usr/local/lib\" -DLOCALSTATEDIR=\"/var/run\"
-Ibackends/bind    -Iext/polarssl-1.1.1/include -pthread -Wall -O2 -MT lua-pdns-recursor.o -MD -MP
-MF .deps/lua-pdns-recursor.Tpo -c -o lua-pdns-recursor.o lua-pdns-recursor.cc
In file included from mtasker.hh:27,
                 from syncres.hh:21,
                 from lua-pdns-recursor.cc:2:
/usr/include/ucontext.h:43:2: error: #error The deprecated ucontext routines require _XOPEN_SOURCE
to be defined
In file included from mtasker.hh:114,
                 from syncres.hh:21,
                 from lua-pdns-recursor.cc:2:
mtasker.cc: In member function ‘int MTasker<EventKey, EventVal>::sendEvent(const EventKey&,
const EventVal*)’:
mtasker.cc:239: error: there are no arguments to ‘swapcontext’ that depend on a template parameter,
so a declaration of ‘swapcontext’ must be available
mtasker.cc:239: error: (if you use ‘-fpermissive’, G++ will accept your code, but allowing the use of
an undeclared name is deprecated)
mtasker.cc: In member function ‘void MTasker<EventKey, EventVal>::makeThread(void (*)(void*), void*)’:
mtasker.cc:266: error: there are no arguments to ‘getcontext’ that depend on a template parameter,
so a declaration of ‘getcontext’ must be available
mtasker.cc:275: error: there are no arguments to ‘makecontext’ that depend on a template parameter,
so a declaration of ‘makecontext’ must be available
mtasker.cc: In member function ‘bool MTasker<EventKey, EventVal>::schedule(timeval*)’:
mtasker.cc:329: error: there are no arguments to ‘swapcontext’ that depend on a template parameter,
so a declaration of ‘swapcontext’ must be available
In file included from lua-pdns-recursor.cc:2:
syncres.hh: At global scope:
syncres.hh:385: error: thread-local storage not supported for this target
syncres.hh:449: error: thread-local storage not supported for this target
syncres.hh:450: error: thread-local storage not supported for this target
syncres.hh:452: error: thread-local storage not supported for this target
syncres.hh:523: error: thread-local storage not supported for this target
make[4]: *** [lua-pdns-recursor.o] Error 1
a b | 2 Apr 19:56

endian.h patch for SunOS (Solaris)


> - sys/endian.h needs to be included instead of endian.h on NetBSD
> (similar to FreeBSD and OpenBSD) in ext/polarssl-1.1./library/net.c:
>
> diff -ur pdns-3.1-rc1.20120327.2539.orig/pdns/ext/polarssl-1.1.1/library/net.c pdns-3.1-rc1.20120327.2539/pdns/ext/polarssl-1.1.1/library/net.c
> --- pdns-3.1-rc1.20120327.2539.orig/pdns/ext/polarssl-1.1.1/library/net.c 2012-03-27
21:55:08.000000000 +0100
> +++ pdns-3.1-rc1.20120327.2539/pdns/ext/polarssl-1.1.1/library/net.c 2012-04-01
13:39:56.000000000 +0100
> @@ -59,7 +59,7 @@
> #include <netdb.h>
> #include <errno.h>
>
> -#if defined(__FreeBSD__) || defined(__OpenBSD__)
> +#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
> #include <sys/endian.h>
> #elif defined(__APPLE__)
> #include <machine/endian.h>
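Review bot: adding `|| defined(__NetBSD__)` to the `<sys/endian.h>` branch is the right fix for NetBSD, but it edits vendored code under ext/polarssl-1.1.1/library/net.c, so it will be silently lost on the next PolarSSL import unless it is also sent upstream or kept as a recorded local patch; the commit message should note that.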

...And here is a patch for SunOS 5.10 (Solaris 10) for the above (also as an attachment to this e-mail):

--- pdns/ext/polarssl/library/net.c.orig        Mon Apr  2 13:38:22 2012
+++ pdns/ext/polarssl/library/net.c     Mon Apr  2 13:39:31 2012
@@ -59,6 +59,8 @@
 #include <sys/endian.h>
 #elif defined(__APPLE__)
 #include <machine/endian.h>
+#elif defined(sun)
+#include <sys/isa_defs.h>
 #else
 #include <endian.h>
 #endif
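Review bot: `#elif defined(sun)` depends on the non-reserved `sun` macro, which Solaris compilers do not define in strict-ANSI modes; `defined(__sun)` is the reserved-namespace spelling and is always present, so use that (or both). Also, `<sys/isa_defs.h>` provides `_LITTLE_ENDIAN`/`_BIG_ENDIAN` rather than the `BYTE_ORDER`/`__BYTE_ORDER` names the other branches' headers supply, so check that whatever net.c tests below this block actually consumes the names this header defines; otherwise the include compiles but the byte-order logic falls through to a default.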

a b | 2 Apr 17:22

Documentation on matters of OpenDBX


While trying to build pdns-3.0.1, it appears, from reading the responses on this mailing list, that it is
recommended to use the OpenDBX backend to connect to various databases. The PowerDNS documentation
states that the content on OpenDBX might be inaccurate or outdated and links to OpenDBX's own page with
less than clear instructions ("go here", "patch that", no step by step documentation) are not of much help
other than as general guidelines.

The problem initially encountered is that the wording implies that OpenDBX is bundled with the pdns
archive, and I think it would be helpful to explicitly state in the PowerDNS's documentation that on those
operating systems which do not come with OpenDBX by default, OpenDBX libraries must first be built and
installed before attempting to run ./configure with the opendbx backend. As things stand right now, the
process involves trial and error to finally reach that conclusion.

Is it OK to open a ticket for updating the PowerDNS documentation?
