Open h3ndrk opened 5 years ago
Some progress: I've compiled with aggressive logging which shows that GSQLBackend::d_dnssecQueries is false. That should be true because of --gmysql-dnssec=yes.
GSQLBackend::d_dnssecQueries is false because the configuration yields gmysql-dnssec=no by default (because it has #gmysql-dnssec=no in it, which is commented out, but the default is no).
Since I'm using pdnsutil inside the docker container via docker exec, the command line arguments of the PowerDNS server are not available to executed commands (they are only using the default configuration). Furthermore, pdnsutil does not have convenient options for overwriting such a value. It simply uses the configuration at /etc/pdns/pdns.conf, which yields no. (As a proof: When setting the value =yes in /etc/pdns/pdns.conf everything works in pdnsutil.)
The only way (I found) to enable DNSSEC for other commands without modifying the configuration /etc/pdns/pdns.conf is to mount a file e.g. /etc/pdns/conf.d/10-gmysql-dnssec.conf with the contents:
gmysql-dnssec=yes
I think this is not a smooth way. Perhaps we could add some bootstrap-script to add the conf file when some env-vars are set or smth like this?
It might be possible to translate cli arguments to configuration parameters by removing the -- prefix and then storing that in configuration files. Other commands would see that too. (Does this work for array- or map-arguments? Does this work with arguments with a space in between? This prefix transformation might not be trivial in bash...)
Another way would be to define additional configuration parameters (which is nearly the same as mounting a file). I don't like mixing the two possibilities (or giving the user both possibilities). Instead we should prefer one method.
So you mean better to compile with yes flag? What does this mean for backward compat?
No, I meant it in a more general way:
I think the overall problem is that commands executed inside the container (like pdnsutil) are unable to directly use the cli arguments. To address this I've proposed the transformation approach which would fix it in general (when someone needs another flag in the future we are prepared). But it is also a major and non-trivial change.
Also one could propose a change in the official pdnsutil binary so that it accepts the same cli arguments as the PowerDNS server.
We could also add a custom environment variable to place a configuration file for this particular issue only. Backward compatibility: Since the value is disabled by default and we will optionally enable it via the environment variable this should work most of the time. Problems might arise when we accidentally overwrite a configuration file.
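The argument-to-configuration translation discussed in the comments above, sketched as an added example that is not part of the thread or of the image's entrypoint. It assumes only the `--key=value` form is translated; the function names and the file name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the image): turn "--key=value" server arguments
# into PowerDNS config lines so tools run via `docker exec` see them too.
# Assumption: only the --key=value form is translated; the rest is skipped.

# args_to_conf ARG...: print one "key=value" line per accepted argument.
# Returns 1 if any argument was skipped, 0 otherwise.
args_to_conf() {
    rc=0
    nl='
'
    for arg in "$@"; do
        case "$arg" in
            --*=*) ;;
            *) echo "skipped (not --key=value): $arg" >&2; rc=1; continue ;;
        esac
        kv=${arg#--}     # drop the "--" prefix
        key=${kv%%=*}    # text before the first "="
        val=${kv#*=}     # everything after it; may hold spaces or "="
        case "$key" in
            ''|*[!a-z0-9-]*)
                echo "skipped (unexpected key): $arg" >&2; rc=1; continue ;;
        esac
        # A newline in the value would smuggle extra settings into the file.
        case "$val" in
            *"$nl"*) echo "skipped (newline in value): $key" >&2; rc=1; continue ;;
        esac
        printf '%s=%s\n' "$key" "$val"
    done
    return "$rc"
}

# write_conf FILE ARG...: write the translated lines to FILE, but never
# replace a file that already exists (for example one mounted by the user).
write_conf() {
    file=$1
    shift
    if [ -e "$file" ]; then
        echo "refusing to overwrite $file" >&2
        return 2
    fi
    args_to_conf "$@" > "$file"
}

# Hypothetical entrypoint usage (file name is an assumption):
#   write_conf /etc/pdns/conf.d/00-cli-args.conf "$@"
```

Values containing spaces pass through unchanged because each argument is handled as one quoted word; array- or map-style arguments are not covered by this sketch.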
This is related to #18, but I have a different issue:
I haven't modified the pdns.conf (so it has #gmysql-dnssec=no in it, which is commented out). Then I pass the cli flag --gmysql-dnssec=yes to the container. The following output is ps afx from inside the container:
From inside the container I'm using pdnsutil to enable DNSSEC for my zone which does not work:
Maybe the last sentence is a hint?
I also ran:
Followed by another:
I'm using psitrax/powerdns:4.1.10.
What is the problem? Do you need more information?
Thanks in advance!