Open Khoshnevis opened 1 week ago
Your pastes are hard to read, please add ``` instead of ` around the blocks.
`rec_control show-yaml` not working is strange. Can you show the exact output of the command?
One thing I spotted is that you have `logging.quiet: False`. That will generate a lot of logging.
Below is the converted recursor.conf I did locally (note you need to fix a few entries because the original was redacted).
```yaml
# Start of converted recursor.yml based on /tmp/x.conf
dnssec:
  aggressive_cache_min_nsec3_hit_ratio: 10000
  aggressive_nsec_cache_size: 300000
  validation: process
incoming:
  allow_from:
    - 127.0.0.0/8
    - 192.168.0.0/16
    - 172.16.0.0/12
    - ::1/128
    - fc00::/7
    - fe80::/10
  distribution_load_factor: 1.25
  distribution_pipe_buffer_size: 0
  distributor_threads: 20
  listen:
    - 127.0.0.1
    - 192.168.x.x
    - ::1
  max_concurrent_requests_per_tcp_connection: 20
  max_tcp_clients: 1024
  max_udp_queries_per_round: 65000
  pdns_distributes_queries: true
  port: 53
  tcp_fast_open: 1
logging:
  loglevel: 1
  quiet: true
  trace: no
outgoing:
  dont_query:
    - 127.0.0.0/8
    - 10.0.0.0/8
    - 100.64.0.0/10
    - 169.254.0.0/16
    - 192.168.0.0/16
    - 172.16.0.0/12
    - ::1/128
    - fc00::/7
    - fe80::/10
    - 0.0.0.0/8
    - 192.0.0.0/24
    - 192.0.2.0/24
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 240.0.0.0/4
    - ::/96
    - ::ffff:0:0/96
    - 100::/64
    - 2001:db8::/32
  network_timeout: 1600
  source_address:
    - x.x.x.x
  tcp_fast_open_connect: true
  udp_source_port_max: 65530
  udp_source_port_min: 1024
packetcache:
  disable: false
  max_entries: 40000000
  negative_ttl: 120
  servfail_ttl: 0
  shards: 4096
  ttl: 86400
recordcache:
  max_cache_bogus_ttl: 14400
  max_entries: 10000000
  max_negative_ttl: 7200
  max_ttl: 86400
  shards: 4096
recursor:
  config_dir: /etc/powerdns
  cpu_map: 0=0 1=1 2=2 3=3 4=4 5=5 6=6 7=7 8=8 9=9 10=10 11=11 12=12 13=13 14=14 15=15 16=16 17=17 18=18 19=19 20=20 21=21 22=22 23=23 24=24 25=25 26=26 27=27 28=28 29=29 30=30 31=31 32=32 33=33 34=34 35=35 36=36 37=37 38=38 39=39
  forward_zones:
    - zone: '[excluded'
      recurse: false
      forwarders: []
    - zone: TLD]
      recurse: false
      forwarders:
        - x.x.x.x
        - x.x.x.x
  forward_zones_recurse:
    - zone: .
      recurse: true
      forwarders:
        - 1.0.0.1
        - 1.1.1.1
        - 8.8.4.4
        - 8.8.8.8
  hint_file: /etc/powerdns/root.hints
  max_mthreads: 4096
  max_total_msec: 7600
  qname_minimization: true
  setgid: pdns
  setuid: pdns
  stack_cache_size: 512
  stack_size: 1048576
  threads: 40
  version_string: Miu-Miu!
webservice:
  address: 0.0.0.0
  allow_from:
    - 172.16.x.x/24
  api_key: '[CENSORED]'
  password: '[CENSORED]'
  port: 8082
  webserver: true
# Validation result: incoming.listen: value `192.168.x.x' is not an IP or IP:port combination
# End of converted /tmp/x.conf
#
```
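The converter above refuses the placeholder `192.168.x.x` in `incoming.listen`, and the same fate awaits the other redacted entries (`outgoing.source_address`, the forwarders, `webservice.allow_from`) once they are left unfixed. The script below is an added pre-flight check for this thread, not code from the PowerDNS project: it walks the address-bearing keys named in the converted config (key names taken from the YAML above), reports anything that is not a valid IP, IP:port pair or CIDR prefix, and additionally warns when the webservice is bound to all interfaces. The `SAMPLE` dictionary is a constructed, trimmed copy of the redacted config; `load_config` assumes PyYAML is installed and is only used when a path is given on the command line.

```python
"""Pre-flight checks for a converted PowerDNS Recursor YAML config (added example)."""
import ipaddress
import sys

# Dotted keys whose list entries must be an IP or IP:port (names from the converted config).
ADDRESS_LISTS = ("incoming.listen", "outgoing.source_address")
# Dotted keys whose list entries must be CIDR prefixes (a bare IP is accepted as /32 or /128).
PREFIX_LISTS = ("incoming.allow_from", "outgoing.dont_query", "webservice.allow_from")
FORWARD_LISTS = ("recursor.forward_zones", "recursor.forward_zones_recurse")


def _lookup(cfg, dotted):
    """Return the value at a dotted path such as 'incoming.listen', or None."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_ip_or_ip_port(value):
    """True for '10.0.0.1', '10.0.0.1:5300', '::1' or '[::1]:5300'; the port must be 1-65535."""
    text = str(value)
    host, port = text, None
    if text.startswith("[") and "]:" in text:          # [v6]:port
        idx = text.index("]:")
        host, port = text[1:idx], text[idx + 2:]
    elif text.count(":") == 1:                           # v4:port
        host, port = text.split(":")
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def is_prefix(value):
    """True for any IPv4/IPv6 prefix; host bits set are tolerated (strict=False)."""
    try:
        ipaddress.ip_network(str(value), strict=False)
        return True
    except ValueError:
        return False


def validate(cfg):
    """Return (errors, warnings): errors would stop the recursor, warnings are hygiene."""
    errors, warnings = [], []
    for key in ADDRESS_LISTS:
        for item in _lookup(cfg, key) or []:
            if not is_ip_or_ip_port(item):
                errors.append(f"{key}: value `{item}' is not an IP or IP:port combination")
    for key in PREFIX_LISTS:
        for item in _lookup(cfg, key) or []:
            if not is_prefix(item):
                errors.append(f"{key}: value `{item}' is not an IP prefix")
    for key in FORWARD_LISTS:
        for zone in _lookup(cfg, key) or []:
            for fwd in zone.get("forwarders", []):
                if not is_ip_or_ip_port(fwd):
                    errors.append(f"{key} ({zone.get('zone')}): forwarder `{fwd}' is not an IP or IP:port")
    if str(_lookup(cfg, "webservice.address")) in ("0.0.0.0", "::"):
        warnings.append("webservice.address: API/webserver bound to all interfaces; "
                        "rely on webservice.allow_from or bind to a management address")
    return errors, warnings


def load_config(path):
    """Load a recursor.yml from disk (assumes PyYAML is installed)."""
    import yaml  # assumption: PyYAML available when a file path is given
    with open(path) as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample: a trimmed copy of the redacted config shown in the thread.
SAMPLE = {
    "incoming": {
        "allow_from": ["127.0.0.0/8", "192.168.0.0/16", "::1/128", "fc00::/7"],
        "listen": ["127.0.0.1", "192.168.x.x", "::1"],
    },
    "outgoing": {
        "dont_query": ["127.0.0.0/8", "10.0.0.0/8", "::ffff:0:0/96", "2001:db8::/32"],
        "source_address": ["x.x.x.x"],
    },
    "recursor": {
        "forward_zones_recurse": [
            {"zone": ".", "recurse": True, "forwarders": ["1.1.1.1", "8.8.8.8"]},
        ],
    },
    "webservice": {"address": "0.0.0.0", "allow_from": ["172.16.x.x/24"]},
}

if __name__ == "__main__":
    config = load_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    errs, warns = validate(config)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
    sys.exit(1 if errs else 0)
```

Run it as `python3 check_recursor_yml.py /etc/powerdns/recursor.yml` after `rec_control show-yaml`; a non-zero exit means the file still carries entries the recursor will reject, which is cheaper to learn here than from a failed restart behind dnsdist.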
```
root@[CENSORED]:/etc/powerdns# rec_control help
add-dont-throttle-names [N...]           add names that are not allowed to be throttled
add-dont-throttle-netmasks [N...]        add netmasks that are not allowed to be throttled
add-nta DOMAIN [REASON]                  add a Negative Trust Anchor for DOMAIN with the comment REASON
add-ta DOMAIN DSRECORD                   add a Trust Anchor for DOMAIN with data DSRECORD
current-queries                          show currently active queries
clear-dont-throttle-names [N...]         remove names that are not allowed to be throttled. If N is '*', remove all
clear-dont-throttle-netmasks [N...]      remove netmasks that are not allowed to be throttled. If N is '*', remove all
clear-nta [DOMAIN]...                    Clear the Negative Trust Anchor for DOMAINs, if no DOMAIN is specified, remove all
clear-ta [DOMAIN]...                     Clear the Trust Anchor for DOMAINs
dump-cache <filename>                    dump cache contents to the named file
dump-dot-probe-map <filename>            dump the contents of the DoT probe map to the named file
dump-edns [status] <filename>            dump EDNS status to the named file
dump-failedservers <filename>            dump the failed servers to the named file
dump-non-resolving <filename>            dump non-resolving nameservers addresses to the named file
dump-nsspeeds <filename>                 dump nsspeeds statistics to the named file
dump-saved-parent-ns-sets <filename>     dump saved parent ns sets that were successfully used as fallback
dump-rpz <zone name> <filename>          dump the content of a RPZ zone to the named file
dump-throttlemap <filename>              dump the contents of the throttle map to the named file
get [key1] [key2] ..                     get specific statistics
get-all                                  get all statistics
get-dont-throttle-names                  get the list of names that are not allowed to be throttled
get-dont-throttle-netmasks               get the list of netmasks that are not allowed to be throttled
get-ntas                                 get all configured Negative Trust Anchors
get-tas                                  get all configured Trust Anchors
get-parameter [key1] [key2] ..           get configuration parameters
get-proxymapping-stats                   get proxy mapping statistics
get-qtypelist                            get QType statistics
                                         notice: queries from cache aren't being counted yet
get-remotelogger-stats                   get remote logger statistics
hash-password [work-factor]              ask for a password then return the hashed version
help                                     get this list
list-dnssec-algos                        list supported DNSSEC algorithms
ping                                     check that all threads are alive
quit                                     stop the recursor daemon
quit-nicely                              stop the recursor daemon nicely
reload-acls                              reload ACLS
reload-lua-script [filename]             (re)load Lua script
reload-lua-config [filename]             (re)load Lua configuration file
reload-zones                             reload all auth and forward zones
set-ecs-minimum-ttl value                set ecs-minimum-ttl-override
set-max-aggr-nsec-cache-size value       set new maximum aggressive NSEC cache size
set-max-cache-entries value              set new maximum record cache size
set-max-packetcache-entries val          set new maximum packet cache size
set-minimum-ttl value                    set minimum-ttl-override
set-carbon-server                        set a carbon server for telemetry
set-dnssec-log-bogus SETTING             enable (SETTING=yes) or disable (SETTING=no) logging of DNSSEC validation failures
set-event-trace-enabled SETTING          set logging of event trace messages, 0 = disabled, 1 = protobuf, 2 = log file, 3 = both
show-yaml [file]                         show yaml config derived from old-style config
trace-regex [regex file]                 emit resolution trace for matching queries (no arguments clears tracing)
top-largeanswer-remotes                  show top remotes receiving large answers
top-queries                              show top queries
top-pub-queries                          show top queries grouped by public suffix list
top-remotes                              show top remotes
top-timeouts                             show top downstream timeouts
top-servfail-queries                     show top queries receiving servfail answers
top-bogus-queries                        show top queries validating as bogus
top-pub-servfail-queries                 show top queries receiving servfail answers grouped by public suffix list
top-pub-bogus-queries                    show top queries validating as bogus grouped by public suffix list
top-servfail-remotes                     show top remotes receiving servfail answers
top-bogus-remotes                        show top remotes receiving bogus answers
unload-lua-script                        unload Lua script
version                                  return Recursor version number
wipe-cache domain0 [domain1] ..          wipe domain data from cache
wipe-cache-typed type domain0 [domain1] ..  wipe domain data with qtype from cache
root@[CENSORED]:/etc/powerdns# rec_control show-yaml
Unknown command 'show-yaml', try 'help'
```
What does `rec_control --version` show? I think you did not update `rec_control`.
```
root@[CENSORED]:/etc/powerdns# rec_control --version
rec_control version 5.1.1
root@[CENSORED]:/etc/powerdns#
```
This is very puzzling, the only thing that I can think of is that your sources are not up to date. Can you try running a published version from repo.powerdns.com?
Thank you for your suggestion. I'll consider trying the published version from repo.powerdns.com to confirm.
However, even if we set aside the show-yaml issue, I’m still seeing dnsdist marking the recursor as "up" and "down" when using the recursor.yml config, but everything works perfectly when I switch back to the recursor.conf format.
Could the intermittent "up and down" behavior in dnsdist with the YAML config also be related to issues from the compiled version? or do you think the issue lies elsewhere in the configuration or handling of the YAML format?
I’d appreciate any insights on this, as the behavior difference between the two formats is also very puzzling.
Your own compiled version of `rec_control` shows unexplained behaviour, so let's try to reproduce with an officially published version first and then diagnose further (if needed).
Thank you for your time and assistance. I’ll go ahead and try with the officially published version first, and I’ll reach out again if further diagnosis is needed.
Thanks again!
Short description
When using dnsdist (1.9.6) with pdns-recursor (5.1.1), everything works fine with the .conf configuration format. However, when switching to the YAML configuration format for pdns-recursor, dnsdist intermittently marks the recursor as "up" and "down", and the number of SERVFAIL responses increases. Reverting back to the .conf format resolves the issue.
Environment
Steps to reproduce
Expected behaviour
dnsdist should consistently mark the pdns-recursor as "up" when using the YAML configuration, similar to the behavior observed with the .conf configuration format. The number of SERVFAIL responses should remain low.
Actual behaviour
dnsdist intermittently marks the pdns-recursor as "up" and "down" when using the YAML configuration. There is a significant increase in SERVFAIL responses.
Other information
dnsdist.conf:
recursor.yml:
recursor.conf: