PowerDNS 3.0 came out in May of this year and I've been fucking around with it ever since, in between other things like the PoTTY upgrade, those crazy Chinese proxies, and replacing hardware on DinkNet.
I started running pdns in February of 2009 after my jerkwater ISP started "improving my online experience" by hijacking DNS
requests. Two years later I got on IPv6 through Hurricane Electric, but pdns 2.x couldn't handle it—or DNSSEC
for that matter—so an upgrade was inevitable.
Unfortunately, building pdns and pdns-recursor from scratch is an incredible pain in the ass. Sure, there are packaged binaries available, but I'm dealing with an older platform (Debian 4) that can't meet the prereqs.
One of those prereqs is Boost
version 1.35 or greater. Boost is a collection of fast-as-fuck C++ libraries. Or so they say. The PowerDNS people are Boost believers. Building it isn't too bad, but you have to forget everything you know about building from source.
But wait... according to the pdns-recursor docs...
You only need to download it, there is no need to compile.
This is absolutely, 100% TRUE. Well... 99% true. After you download it, you need to extract it (details!). After that all you need is a CXXFLAGS variable pointing to the source.
Quick and easy. For the recursor. Not so for the pdns authoritative server. You'll need to compile and install the libraries. Sucks to be you.
Once you realize and accept that Boost isn't "normal", compiling and installing it is easy. You run "./bootstrap.sh" and then "./b2 install" (or "./bjam install", depending on the version).
Aside from being Boost evangelists, the PowerDNS people also adore Lua
. There's a lot of that going around lately. You'll need version 5.1 and the development libraries. Lucky for me, 5.1 was current way back when Debian 4 came out, so I only had to install the packages.
After that, building pdns is relatively simple. For me, pdns has a lot more functionality than I actually want. And what I want is a caching-only slave server. I don't have any domains to be authoritative for. Everything on the inside is in the .local multicastdns domain, which is served up by Bonjour and avahi.
PowerDNS supports a number of database backends for holding authoritative data. Or, you can just use bind-like data files (pdns was originally designed as a drop-in replacement for bind).
So when you run ./configure, use --with-modules="" not --with-modules="bind", because it won't know what the fuck you're talking about.
After finally getting pdns to compile—I already had the v3 recursor installed—I decided to do some testing. This turned out to be difficult with version 2 running at the same time. At this point I realized I probably needed two DNS servers anyway, so I took my "lessons learned" and built another pdns server and recursor on Experimental V. Plus Boost. Plus Lua.
Testing was silly. One of the variables in the config file—which can only be named "pdns.conf" no matter how badly you want to change it—is called "config-dir" and it specifies the path to pdns.conf.
Think about that for two seconds and you'll realize the profound silliness of putting the path to the config file inside the config file itself. What is the point? How does it use a path in a file it can't find?
Here's a clue... check the manual page! DAMN! It's dated December 2002!
It's shit like this...
Once you get around obvious crap like that (use the --config-dir command line option) testing should go fine, and it did. After pdns was running on EXP V, I took my second round of lessons learned back to BOT House, where pdns 2.9 was running, and finally upgraded it to 3.0.
The final touch on the upgrade was to take Hurricane Electric's IPv6 DNS sever out of radvd.conf and put my own in.
When both servers were up and running, I had a sublime issue with DNSSEC. One server could retrieve dnssec records, but the other couldn't. After staring at both configs for an hour it came down to a setting in the recursor config called "query-local-address", which is the IPv4 address the recursor uses for sending recursive queries out to the Internet. It was set to "0.0.0.0" by default. After changing that to the server's "real" (RFC1918
) IPv4 address, there were no more issues with DNSSEC.
One minor issue remains: I can't get pdns to listen on the link local fe80::/10 address of either server. I works fine on the yes-I-know-it's-deprecated site local fec0::/10 addresses, as it does on the global IPv6 addresses (yes, since they only service the inside network they're firewalled).
In the end, it was way too much work.