[MaraDNS list] How to get MaraDNS and Deadwood to talk to each other?

Joshua Kinard kumba at gentoo.org
Sun Mar 4 19:16:45 EST 2012


On 03/04/2012 00:22, Sam Trenholme wrote:

>> This is a SQA regression that I run before making a Deadwood release;
>> if this regression fails, I don't make a Deadwood release until the
>> regression passes again.  This test passes both on "bare metal" and in
>> an OpenVZ virtual container.
> 
> Note to self:  This regression is actually broken.  While, if properly
> compiled, both MaraDNS and Deadwood can bind to and use IPv6 addresses
> like fd4d:6172:6144:4e53::1 and fd4d:6172:6144:4e53::2, the SQA
> regression no longer correctly tests for this.
> 
> MaraDNS needs to be compiled with special flags to use IPv6 and this
> SQA test was never correctly updated to use MaraDNS 2's new IPv6
> compile-time flags.
> 
> I should fix the IPv6 regressions one of these years.  I'm in no real
> hurry to do so.

Just so I understand, you're saying that Deadwood should bind to a ULA
address, but just the SQA regression is broken?  The only compile-time flag
that I can observe being passed for IPv6 is -DIPV6.

That said, though, I pinned the issue down to a little bit of PEBKAC and a
possible bug in Gentoo init scripts, or just the Kernel disabling binds
while duplicate address detection (DAD) is on-going.  My virtual machine
appears to boot up *too* fast for several services trying to bind to IPv6
(sshd and Deadwood), thus the binds are getting denied because the kernel
disallows binds to "tentative" addresses.  I have a workaround in place that
mitigates this.

So, that problem is solved.  Celebrate!



How about the interaction between MaraDNS and Deadwood?  I did find that the
one example of having Deadwood apply a different "root" for a private
network works okay, but it seems like the two daemons should try to link
to each other in some format.  I believe PowerDNS allows for one to talk to
the other over IPv4, IPv6, or even a UNIX socket.  I am not certain of the
security implications of such a setup, however, and I know security is one
of your primary goals with MaraDNS.  But it would eliminate the need for
Deadwood selectively setting the AA bit, and instead just forward the
response it would get from MaraDNS.

Cheers,

-- 
Joshua Kinard
Gentoo/MIPS
kumba at gentoo.org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
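
Added example, not part of the original message and not the workaround the poster used: one way a start-up script could hold sshd or Deadwood back until duplicate address detection has finished, by checking `ip -6 -o addr show` for the "tentative" flag. The function names, the lister hook and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: hold a daemon's start until IPv6 duplicate address
# detection (DAD) has finished, so bind() is not refused on a
# "tentative" address.

# Constructed samples of `ip -6 -o addr show` output (not from a real host).
SAMPLE_TENTATIVE='2: eth0    inet6 fd4d:6172:6144:4e53::1/64 scope global tentative \       valid_lft forever preferred_lft forever'
SAMPLE_READY='2: eth0    inet6 fd4d:6172:6144:4e53::1/64 scope global \       valid_lft forever preferred_lft forever'
SAMPLE_FAILED='2: eth0    inet6 fd4d:6172:6144:4e53::1/64 scope global tentative dadfailed \       valid_lft forever preferred_lft forever'

# Read an address listing on stdin and print one word:
#   ready   - no address is tentative, binds can proceed
#   pending - DAD still running on at least one address
#   failed  - an address is flagged dadfailed; waiting will not help
dad_state() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "dadfailed") failed = 1
            if ($i == "tentative") pending = 1
        }
    }
    END { print (failed ? "failed" : (pending ? "pending" : "ready")) }'
}

# wait_for_dad SECONDS [LISTER]
# Poll once per second until the state is "ready".
# Returns 0 = ready, 1 = timed out while pending, 2 = DAD failed.
# LISTER is a hypothetical hook for testing; default is the real ip(8) call.
wait_for_dad() {
    dad_left=$1
    dad_lister=${2:-"ip -6 -o addr show"}
    while :; do
        case $($dad_lister | dad_state) in
            ready)  return 0 ;;
            failed) return 2 ;;
        esac
        [ "$dad_left" -le 0 ] && return 1
        sleep 1
        dad_left=$((dad_left - 1))
    done
}
```

Called as `wait_for_dad 10` ahead of the daemon's start command; a return of 2 is worth logging rather than retrying, since a dadfailed address does not clear by waiting.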


