auth bind supermasters: suggested doc improvements

[asperheim]

• Program: Authoritative
• Issue type: Bug report

Short description

When defining a bind backend (launch=bind) and configuring bind-supermaster-config=/var/lib/powerdns/supermaster.conf pdns does not use that path to look for supermasters. It looks in AT_FDCWD for a file named the same as the IP of the upstream master. When given the file, it moves on but does not process the file. This behaviour is undocumented, and some docs on how the supermaster file is formatted would be helpful.

anders@ns02:~$ sudo strace -f -t -e trace=file -p 9582 strace: Process 9582 attached with 11 threads [pid 9584] 22:54:25 openat(AT_FDCWD, "45.154.X.X", O_RDONLY) = -1 ENOENT (No such file or directory)

Environment

• Operating system: Ubuntu 20.04
• Software version:
• anders@ns02:~$ pdns_server --version Dec 30 23:22:42 PowerDNS Authoritative Server 4.7.3 (C) 2001-2022 PowerDNS.COM BV Dec 30 23:22:42 Using 64-bits mode. Built using gcc 9.4.0 on Dec 8 2022 19:07:37 by root@d3b286b272aa. Dec 30 23:22:42 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2. Dec 30 23:22:42 Features: libcrypto-ecdsa libcrypto-ed25519 libcrypto-ed448 libcrypto-eddsa libgeoip libmaxminddb lua lua-records PKCS#11 protobuf sodium curl DoT scrypt Dec 30 23:22:42 Built-in modules: Dec 30 23:22:42 Configured with: " '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--sysconfdir=/etc/powerdns' '--enable-systemd' '--with-systemd=/lib/systemd/system' '--with-dynmodules=bind ldap lmdb lua2 pipe gmysql godbc gpgsql gsqlite3 geoip remote tinydns' '--with-modules=' '--enable-ixfrdist' '--enable-tools' '--with-protobuf' '--enable-unit-tests' '--enable-lua-records' '--enable-experimental-pkcs11' '--enable-dns-over-tls' '--disable-silent-rules' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/pdns/pdns-4.7.3=. -fstack-protector-strong -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/pdns/pdns-4.7.3=. -fstack-protector-strong -Wformat -Werror=format-security'"
• Software source: Powerdns official repo

Conf files

bind.conf

launch=bind bind-config=/etc/powerdns/named.conf bind-supermaster-config=/var/lib/powerdns/supermaster.conf bind-supermaster-destdir=/var/lib/powerdns/zones.slave.d bind-supermasters=45.154.XX.XX

named.conf

include-dir=/etc/powerdns/pdns.d master=no slave=yes superslave=yes

Steps to reproduce

1. define bind backend
2. sudo pdns_control notify domain.tld on supermaster
3. tail log on superslave and behold epic failure

Expected behaviour

Accept some sort of list of supermasters and accept when notified by supermaster

Actual behaviour

Dec 30 23:14:47 ns02 pdns_server[30461]: Received NOTIFY for fiberverket.net from 45.154.XX.XX for which we are not authoritative, trying supermaster Dec 30 23:14:47 ns02 pdns_server[30461]: Unable to open supermasters file for read: No such file or directory Dec 30 23:14:47 ns02 pdns_server[30461]: Unable to find backend willing to host fiberverket.net for potential supermaster 45.154.XX.XX. Remote nameservers: Dec 30 23:14:47 ns02 pdns_server[30461]: ns.external-slave-dns-provider.tld Dec 30 23:14:47 ns02 pdns_server[30461]: ns2.domain.tld Dec 30 23:14:47 ns02 pdns_server[30461]: ns1.domain.tld

It makes no differences if /var/lib/powerdns/{supermaster.conf && zones.slave.d} are defined

Other information

[Habbie]

bind-supermasters=45.154.XX.XX

(1) please do not obfuscate relevant data, like you have done in many places in your report. Please update your ticket so that IPs and domain names are readable.

(2) that setting needs to point to a file, see https://doc.powerdns.com/authoritative/backends/bind.html#bind-supermasters

[Habbie]

As the docs clearly did not suffice for you, we'd love to hear what we could do better. Our favourite shape is a pull request, but I'll also take some text written by you, somebody who has just been bitten by the lack of clarity, in a comment here. Thanks!

[asperheim]

What really threw me off was the wording in the bind.conf file.

################################# # bind-supermasters List of IP-addresses of supermasters

This led me to believe that it was actually looking for the ips or subnets, as is the case in pdns.conf. Admittedly i should have caught on when it wanted the IP as a file, but hindsight is always 20/20.

Additionally, it would be nice to have an addition to https://doc.powerdns.com/authoritative/backends/bind.html#bind-supermasters that refers to what account means in this context. Examples are always a good thing, but "ip and account separated by a whitespace" should be pretty self explanatory.

But i got it working, but the lacking information, in the end, was in fact that the bind-supermasters args should be a file you have to create and fill.

So thanks for your awesome work on pdns, and for your little hint that solved my issue. :)