[HN Gopher] Migrating Mess with DNS to Use PowerDNS
___________________________________________________________________
Migrating Mess with DNS to Use PowerDNS
Author : hasheddan
Score : 74 points
Date : 2024-08-19 17:14 UTC (5 hours ago)
(HTM) web link (jvns.ca)
(TXT) w3m dump (jvns.ca)
| websap wrote:
| I've always enjoyed Julia's articles. I know she quit her job to
| do tech writing full time, but is that still true?
| chriscjcj wrote:
| Thank you very much for this wonderful experimental and
| educational tool.
|
| Regarding your previous version, you mentioned:
|
| > If there was a CNAME record for a domain name, it allowed you
| to create other records for that domain name, even if it
| shouldn't
|
| > you could create 2 different CNAME records for the same domain
| name, which shouldn't be allowed
|
| One suggestion... If someone makes a mistake and generates an
| error, it would be terrific if there were a more verbose
| explanation so the user may better understand why what they're
| trying to do won't work. I'm very much a conceptual learner. If I
| can understand why an error is an error, it puts me on a better
| path toward a more comprehensive understanding.
|
| Thanks again for all your work.
| jvns wrote:
| That's a great idea, thanks.
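The two CNAME rules quoted above (a CNAME cannot coexist with other records at the same name, and a name cannot have two CNAMEs) come from RFC 1034 section 3.6.2. The following Go checker is an added example, not code from Mess with DNS or from any commenter; it models a zone as an in-memory map and returns an error that names the conflicting record, in the spirit of the "explain why it won't work" suggestion. The record names and values are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is one DNS resource record as a user of the UI would submit it.
type Record struct {
	Name  string // owner name, e.g. "www.example.test."
	Type  string // "A", "AAAA", "CNAME", "MX", ...
	Value string // rdata in presentation format
}

// Zone keeps the accepted records, grouped by normalized owner name.
type Zone struct {
	records map[string][]Record
}

func NewZone() *Zone { return &Zone{records: map[string][]Record{}} }

// normalize makes "WWW.Example.Test" and "www.example.test." the same key:
// DNS names are case-insensitive and the trailing dot is optional.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, ".")) + "."
}

// Add applies the CNAME rule from RFC 1034 section 3.6.2: a CNAME must be
// the only record at its owner name, so a second CNAME, or any other type
// beside one, is rejected. The error names the record that blocks the
// change so the user learns why, not only that it failed. (DNSSEC-signed
// zones are the exception, where RRSIG and NSEC sit beside a CNAME; this
// hypothetical checker does not model signed zones.)
func (z *Zone) Add(r Record) error {
	k := normalize(r.Name)
	rtype := strings.ToUpper(r.Type)
	for _, e := range z.records[k] {
		etype := strings.ToUpper(e.Type)
		switch {
		case rtype == "CNAME" && etype == "CNAME":
			return fmt.Errorf("%s already has a CNAME pointing to %s; a name can be an alias for only one target, so a second CNAME is not allowed", r.Name, e.Value)
		case rtype == "CNAME":
			return fmt.Errorf("%s already has a %s record (%s); a CNAME makes the whole name an alias, so it cannot be added beside other record types", r.Name, etype, e.Value)
		case etype == "CNAME":
			return fmt.Errorf("%s is a CNAME pointing to %s; because the whole name is an alias, a %s record cannot be added beside it", r.Name, e.Value, rtype)
		}
	}
	z.records[k] = append(z.records[k], r)
	return nil
}

// Records returns what has been accepted for a name (nil if nothing).
func (z *Zone) Records(name string) []Record { return z.records[normalize(name)] }

func main() {
	z := NewZone()
	// Constructed submissions: the 2nd, 3rd and 5th must be rejected.
	for _, r := range []Record{
		{"www.example.test.", "CNAME", "host.example.test."},
		{"www.example.test.", "A", "192.0.2.1"},
		{"WWW.example.test", "CNAME", "other.example.test."},
		{"mail.example.test.", "A", "192.0.2.2"},
		{"mail.example.test.", "CNAME", "host.example.test."},
	} {
		if err := z.Add(r); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", r.Name, r.Type, r.Value)
		}
	}
}
```

Normalizing the owner name before the check matters: without it, `www.example.test` and `WWW.example.test.` would be treated as different names and the second CNAME would slip through.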
| e12e wrote:
| > Previously Mess With DNS was using a Postgres database. This
| was problematic because I only gave the Postgres machine 256MB of
| RAM, which meant that the database got OOM killed almost every
| single day. I never really worked out exactly why it got OOM
| killed every day, but that's how it was.
|
| Found this a little surprising - Postgres is internet-old - I'm
| pretty sure it was around at a time when physical servers might
| not have 256MB of RAM?
|
| Seems this should be possible to tune down still? (I mean, maybe
| not. Postgres 16 isn't postgres 6, and maybe I'm just getting
| old..)
| joeig wrote:
| > Sometimes users will still get errors from PowerDNS directly,
| but I added some logging of all the errors that users see, so
| hopefully I can review them and add extra translations if there
| are other common errors that come up.
|
| I noticed that you are using our Go module to access the API. It
| is wonderful to see our work helping others build great software,
| especially for education. Thank you for that.
|
| Please note that the upstream API sometimes changes slightly
| between minor releases. For example, prior to v4.9, the error
| response for a non-existent server was "Not Found". Starting with
| v4.9, it changed to "Method Not Allowed".
|
| Unfortunately, error responses aren't always part of the API
| specification. I'm thinking about adding the most common cases to
| the module anyway.
| ChocolateGod wrote:
| Been using a PowerDNS cluster in production for about 5 years
| using a SQL backend for replication, absolutely zero issues, not
| a single crash, memory leak, etc. in that time. The only downside
| is the API has a single key and you cannot generate more, but
| there are open source projects that can put the API behind a
| proxy with additional keys/ACL.
|
| Given it can read BIND files, surprised BIND is still the default
| in many places.
| quicksilver03 wrote:
| I wrote one such proxy, though mine is not open source: I found
| it relatively easy working with zones and records, and a well-
| designed test suite helps build confidence that a key for an
| "account" A cannot read or write into "account" B.
|
| I'm putting "account" between quotes because it isn't a
| PowerDNS concept, there is just a lonely varchar column in the
| 'domains' table where one can store some account-related
| information. To handle TSIG keys I had to extend PowerDNS's
| data model to represent the association between a TSIG key and
| an "account".
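The two comments above describe the same design: a proxy in front of PowerDNS's single API key that issues per-account keys and enforces that a key for "account" A cannot touch "account" B's zones. The Go code below is an added illustration of that authorization check, not quicksilver03's proxy or any open source project's code; the account names, keys and zone names are constructed, and the account-to-zone mapping lives in the proxy rather than in PowerDNS's `account` column.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrUnauthorized = errors.New("unknown API key")
	ErrForbidden    = errors.New("zone is not owned by this account")
)

// Proxy fronts the single PowerDNS API key with per-account keys. Only
// SHA-256 hashes of the issued keys are stored; the real upstream key
// never leaves the proxy. Zone ownership is tracked here (hypothetical
// design), independently of PowerDNS's free-form "account" column.
type Proxy struct {
	keyHashes map[string]string // hex(sha256(key)) -> account
	zones     map[string]string // normalized zone name -> account
}

func NewProxy() *Proxy {
	return &Proxy{keyHashes: map[string]string{}, zones: map[string]string{}}
}

func hashKey(key string) string {
	sum := sha256.Sum256([]byte(key))
	return hex.EncodeToString(sum[:])
}

func normalizeZone(z string) string {
	return strings.ToLower(strings.TrimSuffix(z, ".")) + "."
}

func (p *Proxy) AddAccount(account, key string) { p.keyHashes[hashKey(key)] = account }

func (p *Proxy) AddZone(zone, account string) { p.zones[normalizeZone(zone)] = account }

// accountFor resolves a presented key. Comparing the hash against every
// stored hash with subtle.ConstantTimeCompare keeps the lookup time
// independent of which key, if any, matched.
func (p *Proxy) accountFor(key string) (string, bool) {
	h := []byte(hashKey(key))
	match, found := "", false
	for stored, account := range p.keyHashes {
		if subtle.ConstantTimeCompare(h, []byte(stored)) == 1 {
			match, found = account, true
		}
	}
	return match, found
}

// Authorize is the check every proxied request passes before it is
// forwarded upstream with the real key. A zone owned by another account
// and a zone that does not exist both yield ErrForbidden, so a caller
// cannot use the proxy to enumerate other accounts' zones.
func (p *Proxy) Authorize(key, zone string) (string, error) {
	account, ok := p.accountFor(key)
	if !ok {
		return "", ErrUnauthorized
	}
	owner, exists := p.zones[normalizeZone(zone)]
	if !exists || owner != account {
		return "", fmt.Errorf("%s: %w", zone, ErrForbidden)
	}
	return account, nil
}

func main() {
	// Constructed accounts and zones for the isolation matrix.
	p := NewProxy()
	p.AddAccount("alice", "constructed-key-alice")
	p.AddAccount("bob", "constructed-key-bob")
	p.AddZone("alice.example.test.", "alice")
	p.AddZone("bob.example.test.", "bob")
	for _, key := range []string{"constructed-key-alice", "constructed-key-bob", "not-a-key"} {
		for _, zone := range []string{"alice.example.test.", "bob.example.test.", "ghost.example.test."} {
			acct, err := p.Authorize(key, zone)
			fmt.Printf("%-22s %-20s account=%q err=%v\n", key, zone, acct, err)
		}
	}
}
```

The cross-account matrix in `main` is exactly the kind of test suite the comment recommends: every (key, zone) pair is exercised, and the only allowed cells are the ones on the diagonal.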
| 8organicbits wrote:
| I think the limitation is that the API can't write BIND files,
| so databases are preferred.
|
| https://doc.powerdns.com/authoritative/backends/bind.html
| tlofreso wrote:
| I came across Bert Hubert during covid because of his incredible
| work on this article: https://berthub.eu/articles/posts/reverse-engineering-source...
|
| Long before Bert was writing articles on the source code of mRNA
| vaccines, he helped build PowerDNS. He talks about that in a
| three-part series starting here:
| https://berthub.eu/articles/posts/history-of-powerdns-1999-2...
|
| A fascinating individual...
|
| https://fosstodon.org/@bert_hubert
|
| https://github.com/berthubert
|
| https://berthub.eu/
| LoganDark wrote:
| > I never really worked out exactly why it got OOM killed every
| day
|
| Probably you ran out of memory (and configured the database
| incorrectly).
| amanzi wrote:
| The section labelled "what I learned: it's okay for an API to
| duplicate information" is something I come across often in Django
| projects. Django views send a Python dictionary of data to the
| template processor to display the information. Often it's easier
| to massage the data into a more friendly format before sending it
| to the template, even if it means duplicating the info sent.
| 8organicbits wrote:
| Great write-up. I'm using PowerDNS for
| https://www.getlocalcert.net/, which also makes heavy use of
| PowerDNS's HTTP API. I've been really happy with it. I need to
| check my code, but I remember planning to use the comment field
| of the records to map between application IDs and records in
| PowerDNS zones.
|
| You may be able to implement the logging by using a customization
| of the SQLite backend, although I think PowerDNS caching may get
| in your way.
|
| I'll recommend the pipe backend to anyone looking to hack on DNS
| stuff. It's almost like a DNS lookup via a function in any
| programming language you choose. It takes a while to figure out
| how incoming queries are translated though.
|
| https://doc.powerdns.com/authoritative/backends/pipe.html
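The part the comment calls hard to figure out is how PowerDNS hands queries to the pipe script. With `pipe-abi-version=1`, pdns_server first writes `HELO<TAB>1` and expects `OK<TAB>banner` back; each query then arrives as one line, `Q<TAB>qname<TAB>qclass<TAB>qtype<TAB>id<TAB>remote-ip`, and the script answers with zero or more `DATA<TAB>qname<TAB>qclass<TAB>qtype<TAB>ttl<TAB>id<TAB>content` lines followed by `END` (or `FAIL`). PowerDNS usually asks for `SOA` first to find the zone and then for `ANY`, so the script must answer every type at a name when asked for `ANY`. The following Go program is an added example of such a backend, not code from PowerDNS or from the comment's author; the zone data is a constructed in-memory table and `AXFR` lines are not handled.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// rr is one answer in the constructed in-memory zone.
type rr struct {
	qtype   string
	content string
	ttl     int
}

// zone is constructed sample data keyed by lower-cased name without the
// trailing dot. PowerDNS asks for the SOA first, so the apex needs one.
var zone = map[string][]rr{
	"example.test": {
		{"SOA", "ns1.example.test hostmaster.example.test 1 7200 3600 1209600 3600", 3600},
		{"NS", "ns1.example.test", 3600},
	},
	"www.example.test": {
		{"A", "192.0.2.10", 300},
		{"AAAA", "2001:db8::10", 300},
	},
}

const banner = "example pipe backend"

// Handle takes one line received from pdns_server on stdin and returns the
// lines to write back (ABI version 1):
//   HELO<TAB>1                                      -> OK<TAB>banner
//   Q<TAB>qname<TAB>qclass<TAB>qtype<TAB>id<TAB>remote-ip
//                                                  -> DATA lines, then END
//   anything else (including AXFR and malformed)   -> FAIL
func Handle(line string) []string {
	f := strings.Split(strings.TrimRight(line, "\r\n"), "\t")
	switch f[0] {
	case "HELO":
		if len(f) != 2 || f[1] != "1" {
			return []string{"FAIL"} // only ABI version 1 is implemented here
		}
		return []string{"OK\t" + banner}
	case "Q":
		if len(f) != 6 {
			return []string{"FAIL"}
		}
		qname := strings.ToLower(strings.TrimSuffix(f[1], "."))
		qclass, qtype, id := f[2], strings.ToUpper(f[3]), f[4]
		if qclass != "IN" {
			return []string{"END"} // no data for other classes
		}
		var out []string
		for _, r := range zone[qname] {
			if qtype == "ANY" || qtype == r.qtype {
				// qname is echoed back exactly as it was asked.
				out = append(out, fmt.Sprintf("DATA\t%s\t%s\t%s\t%d\t%s\t%s",
					f[1], qclass, r.qtype, r.ttl, id, r.content))
			}
		}
		return append(out, "END") // END with no DATA means "no such data"
	default:
		return []string{"FAIL"}
	}
}

func main() {
	in := bufio.NewScanner(os.Stdin)
	out := bufio.NewWriter(os.Stdout)
	for in.Scan() {
		for _, l := range Handle(in.Text()) {
			fmt.Fprintln(out, l)
		}
		out.Flush() // pdns_server waits for END before sending the next query
	}
}
```

To try it, build the binary and point pdns.conf at it with `launch=pipe`, `pipe-command=/path/to/the/binary` and `pipe-abi-version=1`; flushing after every `END` matters, since PowerDNS blocks on the pipe until the answer is complete.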
___________________________________________________________________
(page generated 2024-08-19 23:00 UTC)