Thursday, 2015-01-29

*** openstackgerrit has quit IRC		00:21
*** openstackgerrit has joined #openstack-dns		00:21
*** ChanServ sets mode: +v openstackgerrit		00:21
*** penick has quit IRC		00:34
*** openstackgerrit has quit IRC		01:05
*** openstackgerrit has joined #openstack-dns		01:05
*** ChanServ sets mode: +v openstackgerrit		01:05
*** rmoe has quit IRC		01:19
*** rmoe has joined #openstack-dns		01:35
*** stanzgy has joined #openstack-dns		01:40
*** openstackgerrit has quit IRC		02:20
*** openstackgerrit has joined #openstack-dns		02:21
*** ChanServ sets mode: +v openstackgerrit		02:21
*** rjrjr_ has joined #openstack-dns		02:33
rjrjr_	i broke this down to be even simpler to see the problem - http://paste.openstack.org/show/163481/	02:34
rjrjr_	anyone have any ideas on why the pythonDNS code is returning an rcode of NOERROR but dig is showing NXDOMAIN?	02:35
rjrjr_	if someone can run this code locally and tell me if they are seeing NOERROR or NXDOMAIN, that would be very helpful to me.	02:36
rjrjr	timsim: REFUSED is not the correct result.	02:39
rjrjr	timsim: just read more about this. REFUSED is a bad code to return since it has another meaning (for example, you get REFUSED on a zone transfer if you don't have the proper TSIG key.)	02:54
*** rjrjr_ has quit IRC		02:59
*** openstackgerrit has quit IRC		03:20
*** openstackgerrit has joined #openstack-dns		03:20
*** ChanServ sets mode: +v openstackgerrit		03:20
*** richm has quit IRC		03:52
*** boris-42 has quit IRC		04:13
*** rjrjr_ has joined #openstack-dns		04:24
rjrjr_	okay, i can replicate the 'dig' behavior in the mdns code and the mdns code behavior in 'dig'. just not sure how we want to proceed here - http://paste.openstack.org/show/163508/	04:25
rjrjr_	i'm going to code mdns to look for NXDOMAIN or REFUSED rcodes for now. but we'll definitely want to look at this more closely.	04:26
*** timbyr_ has quit IRC		05:00
*** stanzgy has quit IRC		05:04
*** timbyr_ has joined #openstack-dns		05:13
*** stanzgy has joined #openstack-dns		05:17
*** nihilifer has joined #openstack-dns		06:10
*** timbyr_ has quit IRC		06:10
*** timbyr_ has joined #openstack-dns		06:19
*** nihilifer has quit IRC		06:56
*** nihilifer has joined #openstack-dns		06:58
*** timbyr_ has quit IRC		07:58
*** timbyr_ has joined #openstack-dns		08:15
*** chlong has quit IRC		08:36
*** kodokuu has joined #openstack-dns		08:36
*** jordanP has joined #openstack-dns		09:10
kodokuu	Is it possible to forward request like bind (forwarders) with pdns ?	09:15
ahu	for the recursor, yes, for authoritative not	09:26
kodokuu	ahu both can co-exist on same machine ?	09:29
ahu	yes	09:30
kodokuu	because i use pdns now but I'll be changing for bind	09:30
kodokuu	maybe^^	09:31
kodokuu	ok so when pdns can't resolv domain, recursor forward ?	09:32
ekarlso	yo	09:32
kodokuu	Hi	09:32
kodokuu	ekarlso Maybe eandersson will connect :)	09:38
kodokuu	or I create a bug on launchpad ?	09:38
ekarlso	:P	10:09
*** chlong has joined #openstack-dns		10:13
*** chlong has quit IRC		10:27
*** jordanP has quit IRC		10:41
*** chlong has joined #openstack-dns		10:44
*** stanzgy has quit IRC		10:51
*** untriaged-bot has joined #openstack-dns		11:03
untriaged-bot	Untriaged bugs so far:	11:03
untriaged-bot	https://bugs.launchpad.net/designate/+bug/1412431	11:03
untriaged-bot	https://bugs.launchpad.net/designate/+bug/1413024	11:03
untriaged-bot	https://bugs.launchpad.net/designate/+bug/1289444	11:03
untriaged-bot	https://bugs.launchpad.net/designate/+bug/1413806	11:03
untriaged-bot	https://bugs.launchpad.net/python-designateclient/+bug/1415560	11:03
*** untriaged-bot has quit IRC		11:03
*** kodokuu has quit IRC		11:23
*** chlong has quit IRC		11:39
*** MentalRay has joined #openstack-dns		11:59
*** MentalRay_ has joined #openstack-dns		11:59
*** MentalRay has quit IRC		12:01
*** MentalRay_ has quit IRC		12:01
*** chlong has joined #openstack-dns		12:06
*** mwagner_lap has quit IRC		12:47
*** boris-42 has joined #openstack-dns		13:31
*** kodokuu has joined #openstack-dns		13:37
*** jordanP has joined #openstack-dns		13:41
openstackgerrit	Endre Karlson proposed openstack/python-designateclient: Fix if checking on ttl for Create/Update commands https://review.openstack.org/151252	14:07
rjrjr	kiall: are you on?	14:12
*** mwagner_lap has joined #openstack-dns		14:12
*** nkinder has quit IRC		14:21
*** rjrjr_ has quit IRC		14:23
*** richm has joined #openstack-dns		14:33
*** jmcbride has joined #openstack-dns		14:42
*** jmcbride has quit IRC		14:42
*** jmcbride has joined #openstack-dns		14:43
Kiall	rjrjr: I am now	14:46
kodokuu	ahu No need recursor for forward, just recursor option with authoritative :)	14:49
ahu	ah, that works too	14:49
rjrjr	had problems getting BIND9 to create an NXDOMAIN, but have a solution.	14:51
rjrjr	http://paste.openstack.org/show/163508/	14:51
rjrjr	if i set the RD flag in MDNS when we send a query message, then BIND9 will respond with an NXDOMAIN, as long as recursion is not turned off. (it is on by default.)	14:52
rjrjr	in BIND9 9.7> if you turn of recursion, it responds with a REFUSED if the domain does not exist.	14:53
rjrjr	unfortunately, REFUSED can be caused by other things besides a domain not existing too.	14:54
rjrjr	so, looking for direction on how we want to do this.	14:54
Kiall	Interesting.. But, what happens when kodokuu's use cause is on? (Server is auth and recursive)	14:54
Kiall	I can't help but think we need to find a way to do a different check for different nameservers...	14:55
rjrjr	yeah, i put that in the pasteit.	14:55
rjrjr	if you read through it, at the end, i suggested we might want to move some of this logic to the backend drivers themselves.	14:56
Kiall	Ah - I missed that :)	14:56
rjrjr	that way, we encapsulate all the backend idiosyncracies in that driver.	14:56
Kiall	So - Lets say we add a backend method "has_zone" or something.. PM would call that, rather than mDNS.. that can be implemnted as whatever works for the DNS server.. e.g. PowerDNS it might check the database for a $zone-name entry, bind might do an RNDC call etc.. That somewhat falls over with targets vs namservers - but I think it's probably an acceptable tradeoff	14:58
rjrjr	REFUSED is a horrible response to a missing domain by the way.	14:58
rjrjr	mdns encapsulates the DNS protocol.	14:59
Kiall	Well, I'm not sure the DNS spec really lays out a proper (i.e. specific) response for that..	14:59
Kiall	rjrjr: right, I'm saying this doesn't need to use the DNS protocol	14:59
*** MentalRay has joined #openstack-dns		14:59
*** MentalRay_ has joined #openstack-dns		14:59
ahu	the spec is silent on how to deal with 'no such domain at all'	15:00
ahu	it is best to emulate closely what other servers do	15:00
rjrjr	the DNS spec does. NXDOMAIN.	15:00
ahu	no it doesn't	15:00
ahu	NXDOMAIN is is you know about the domain, but not about the specific question	15:01
ahu	if you just get a question for randomdomain.com about which you know nothing	15:01
ahu	the spec is not helpful	15:01
ahu	NXDOMAIN requires authority	15:01
Kiall	Yea - I'm not convinced there's a one size fits all approach to doing this :/	15:02
ahu	emulate exactly what NSD, Bind and PowerDNS do	15:03
ahu	is your best bet	15:03
ahu	we've varied our strategy over the years	15:03
*** paul_glass has joined #openstack-dns		15:03
ahu	you can configure it now	15:03
*** vinod1 has joined #openstack-dns		15:03
*** timsim has joined #openstack-dns		15:03
Kiall	Just for reference.. RFC1035's wording on NXDOMAIN:	15:04
Kiall	3 Name Error - Meaningful only for	15:04
Kiall	responses from an authoritative name	15:04
Kiall	server, this code signifies that the	15:04
Kiall	domain name referenced in the query does	15:04
Kiall	not exist.	15:04
rjrjr	this makes sense. as long as BIND9 is configured to contact an authoritative server (recursive yes;) then it can respond with a NXDOMAIN.	15:05
rjrjr	if you turn off recursion, it responds with REFUSED. which also makes sense.	15:06
rjrjr	and a NOERROR occurs if you don't ask the server the question properly (no RD) so it can get a response.	15:06
Kiall	But - That breaks the valid, if ill-advised, use case of the nameserver being both authoritative and recursive.. And.. Isn't guaranteed to be standard cross all nameservers	15:06
*** nkinder has joined #openstack-dns		15:07
rjrjr	i'm agreeing with you. just need to figure out how to get rndc to give us what we want.	15:07
Kiall	brb	15:08
jbratton	you can use rndc reload domain, it will give different response codes depending on if it knows about a zone	15:08
rjrjr	ahu: appreciate the insight.	15:11
rjrjr	jbratton: i will look into that.	15:11
jbratton	it's what I used for some code I wrote.. it's probably not the best way, but it is consistent	15:11
rjrjr	Kiall: can you tackle the powerDNS solution? we are going to fail gated without a BIND9 and powerDNS solution...	15:12
rjrjr	hmmm....	15:12
rjrjr	'rndc reload' has a huge caveat - https://kb.isc.org/article/AA-00640/0/Should-I-use-rndc-reconfig-or-rndc-reload-when-changing-my-nameserver-configuration-files.html	15:13
rjrjr	rackspace is not going to like that.	15:13
jbratton	well, I happen to run the nameservers for Rackspace :)	15:13
jbratton	as long as you do rndc reload domainname, it's okay	15:14
jbratton	but yeah, just an rndc reload by itself is very bad	15:14
rjrjr	are you okay with a frequent (and this could be frequent) 'rdnc reload <domain>'	15:14
Kiall	lol @ "<rjrjr> rackspace is not going to like that."	15:14
jbratton	how frequent are we talking about?	15:14
jbratton	I don't think it would be a problem, but it would be interesting to lab it out	15:15
Kiall	all domains created (or is it changed?) in the last N hours every N minutes.... reload seems like it'll be too heavy	15:15
Kiall	BUT - It's probably an acceptable interim check	15:15
jbratton	if it was created, I wouldn't have a problem with that.. but for changed, that could get very noisy	15:16
jbratton	but of course, everyone has their own use case	15:16
rjrjr	i'm still thinking we shouldn't abandon NXDOMAIN option.	15:16
jbratton	maybe NXDOMAIN \| REFUSED?	15:17
timsim	If you check for either NXDOMAIN or REFUSED maybe?	15:17
timsim	lol	15:17
rjrjr	i currently have that in the code.	15:17
jbratton	timsim: don't try to take credit for my ideas!	15:17
timsim	:P	15:17
rjrjr	but, you can create a REFUSED for other valid reasons too.	15:17
Kiall	actually - That's not a terrible idea? ahu what are the possible pdns returns for a query against a domain it doesn't host?	15:17
jbratton	you can also do that with NXDOMAIN unfortunately	15:17
rjrjr	which have nothing to do with whether or not a domain exists.	15:17
*** nihilifer has quit IRC		15:18
rjrjr	for example, you have allow-query { <tsig-key>;}; and the supplied TSIGkey is incorrect.	15:18
jbratton	maybe this is something where you just have to document how you intend it to be used, and if someone does some crazy BIND config, it's not supported	15:18
rjrjr	i thought we were going to add TSIGkey support at some point, which is why i brought it up.	15:19
Kiall	We could always inspect BIND's memory for the zone name ;)	15:19
jbratton	haha	15:19
rjrjr	BIND does offer a complex way of inducing NXDOMAIN on a response.	15:20
jbratton	to add a zone, are you using rndc addzone?	15:20
rjrjr	let me find the relevant documentation. just a second.	15:20
jbratton	because if you use rndc addzone, it generates a .nzf file in the running directory for BIND listing every zone it knows about	15:20
jbratton	and you could just search that file	15:20
timsim	jbratton: yep	15:20
jbratton	then I'd just search the file	15:21
rjrjr	http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt	15:21
timsim	rjrjr: In that case, isn't failure acceptable? If you can't get at a server because of a bad tsigkey, all of your requests will fail.	15:21
rjrjr	timsim: i'm looking for a domain that doesn't exist, not one that fails.	15:21
timsim	Right, but if you have a bad TSIG key, you won't be able to do anything, so does it really matter? You won't be able to add/delete maybe even update zones?	15:23
rjrjr	i understand.	15:24
rjrjr	thinking...	15:24
*** jmcbride has quit IRC		15:25
rjrjr	i believe if we get a REFUSED, PM should attempt to do nothing.	15:25
rjrjr	in that case.	15:25
rjrjr	if we get a NXDOMAIN, pool manager should act appropriately.	15:25
rjrjr	what you are suggesting is if we get a REFUSED, we attempt to do something. that logic does not seem correct.	15:26
rjrjr	or maybe we don't care, attempt to do something, and it just fails...	15:27
timsim	If the only other case for getting a REFUSED is we have a bad TSIG key, than anything you're going to try and do is going to fail anyway, and you can act appropriately. But if you're not managing an authoritative bind9 server, you're always going to get refused, even when the zone doens't exist and you want to do something about that?	15:27
rjrjr	there are other ways to get a REFUSED i'm sure. that was just off the top of my head.	15:28
rjrjr	but, in the end, they all mean that the request could not be performed because it was REFUSED.	15:29
timsim	I suppose, but it seems like we should try to do the needful thing anyway, and if it fails, we can act appropriately.	15:29
rjrjr	the code currently checks for NXDOMAIN and REFUSED. i'll leave that for now then.	15:32
rjrjr	question: do we want a domain and records that are ACTIVE to transition to an ERROR state?	15:41
rjrjr	periodic sync runs, it finds a problem, can the state regress?	15:41
timsim	I think so, yeah.	15:42
timsim	Your other option is just try to fix the problem one time, and if that fails, you have to wait until the next periodic sync to find it again. I guess you could pop a Pool Manager cache item for it that hopefully gets looked at during Periodic recovery and is hidden from the user, but eh. Seems cleaner to reflect the true status of the zone.	15:43
rjrjr	okay, that is going to be a problem for another bug in either case. periodic sync needs some work, but i don't want to address all this in the current patch.	15:43
rjrjr	this patch is already turning out to be bigger than originally planned/thought.	15:44
timsim	Could you basically stop where you are, and add another patch to address some of the more periodic sync centered stuff?	15:48
vinod1	Kiall: I had a question on your add pretty_tox wrapper - https://review.openstack.org/#/c/149831/	15:51
Kiall	Sure	15:51
vinod1	When the tests pass I see {0} designate.tests.test_utils.TestUtils.test_load_schema [0.043505s] ... ok	15:51
vinod1	Is the leading {0} supposed to be replaced with something else?	15:51
Kiall	No - it's the worker # .. if you have 4 CPU cores, you split the test suite in 4 and run 1 per core..	15:52
Kiall	So, each test will be prefixed with a 0 - 3	15:52
vinod1	ah - ok makes sense	15:52
*** betsy has joined #openstack-dns		15:53
* Kiall hates security patches -_-		15:53
*** jmcbride has joined #openstack-dns		16:09
*** jmcbride has joined #openstack-dns		16:09
timsim	rjrjr: Take a look at my question on https://review.openstack.org/#/c/149428/ when you have a chance.	16:21
timsim	Something I'm noticing as I work my way through this list of 90's one hit wonders. They're all those songs that have a specific purpose, they've carved out a place in this world. MMMBop, Macarena, Jump Around, Ice Ice Baby, What Is Love, What's Up? I love it.	16:25
*** kodokuu has quit IRC		16:30
*** untriaged-bot has joined #openstack-dns		17:03
untriaged-bot	Untriaged bugs so far:	17:03
untriaged-bot	https://bugs.launchpad.net/designate/+bug/1412431	17:03
untriaged-bot	https://bugs.launchpad.net/designate/+bug/1413024	17:03
untriaged-bot	https://bugs.launchpad.net/designate/+bug/1289444	17:03
untriaged-bot	https://bugs.launchpad.net/designate/+bug/1413806	17:03
untriaged-bot	https://bugs.launchpad.net/python-designateclient/+bug/1415560	17:03
*** untriaged-bot has quit IRC		17:03
*** vinod2 has joined #openstack-dns		17:07
*** rmoe has quit IRC		17:08
*** vinod1 has quit IRC		17:09
*** jmcbride has quit IRC		17:11
*** jmcbride has joined #openstack-dns		17:13
*** penick has joined #openstack-dns		17:24
*** MentalRay has quit IRC		17:25
*** MentalRay_ has quit IRC		17:25
*** rmoe has joined #openstack-dns		17:34
*** jordanP has quit IRC		17:37
*** MentalRay_ has joined #openstack-dns		17:37
*** MentalRay has joined #openstack-dns		17:37
*** penick has quit IRC		18:02
*** vinod2 has quit IRC		18:02
*** timbyr_ has quit IRC		18:06
*** timbyr_ has joined #openstack-dns		18:08
*** MentalRay has quit IRC		18:23
*** MentalRay_ has quit IRC		18:23
*** jmcbride has quit IRC		18:39
*** jmcbride has joined #openstack-dns		18:40
*** openstackgerrit has quit IRC		18:50
*** openstackgerrit has joined #openstack-dns		18:51
*** ChanServ sets mode: +v openstackgerrit		18:51
*** mwagner_lap has quit IRC		18:53
*** penick has joined #openstack-dns		19:05
*** nkinder has quit IRC		19:10
openstackgerrit	Kiall Mac Innes proposed openstack/designate: WIP: Add Healthcheck middleware https://review.openstack.org/151358	19:32
*** rmoe_ has joined #openstack-dns		19:51
*** mikal_ has joined #openstack-dns		19:55
*** rmoe has quit IRC		19:56
*** mikal has quit IRC		19:56
*** jmcbride has quit IRC		20:00
*** openstackgerrit has quit IRC		20:04
*** openstackgerrit has joined #openstack-dns		20:04
*** ChanServ sets mode: +v openstackgerrit		20:04
*** jmcbride has joined #openstack-dns		20:07
*** jmcbride has quit IRC		20:10
*** mwagner_lap has joined #openstack-dns		20:21
*** penick has quit IRC		20:26
*** jmcbride has joined #openstack-dns		20:34
*** jmcbride has quit IRC		20:35
*** jmcbride has joined #openstack-dns		20:35
*** jmcbride has quit IRC		20:36
*** jmcbride1 has joined #openstack-dns		20:36
*** penick has joined #openstack-dns		20:42
*** jmcbride1 has quit IRC		20:47
*** penick has quit IRC		20:51
*** vinod1 has joined #openstack-dns		20:52
*** jmcbride has joined #openstack-dns		20:52
*** jmcbride has quit IRC		20:56
*** penick has joined #openstack-dns		20:59
*** penick has quit IRC		21:06
*** jmcbride has joined #openstack-dns		21:16
*** penick has joined #openstack-dns		21:20
*** penick has quit IRC		21:21
*** jmcbride has quit IRC		21:22
*** jmcbride has joined #openstack-dns		21:22
*** mwagner_lap has quit IRC		21:24
*** jmcbride has quit IRC		21:39
*** jmcbride has joined #openstack-dns		21:45
*** penick has joined #openstack-dns		21:54
*** nkinder has joined #openstack-dns		21:55
*** chlong has quit IRC		22:08
*** vinod1 has quit IRC		22:23
*** penick has quit IRC		22:37
*** penick has joined #openstack-dns		22:39
*** paul_glass has quit IRC		22:40
*** crc32 has joined #openstack-dns		22:51
*** openstackgerrit has quit IRC		22:51
*** openstackgerrit has joined #openstack-dns		22:51
*** ChanServ sets mode: +v openstackgerrit		22:51
*** timsim has quit IRC		23:02
*** crc32 has quit IRC		23:24
*** vinod1 has joined #openstack-dns		23:25
*** vinod1 has quit IRC		23:25
*** vinod1 has joined #openstack-dns		23:25
*** crc32 has joined #openstack-dns		23:27
*** vinod2 has joined #openstack-dns		23:35
*** vinod1 has quit IRC		23:39
*** vinod2 has quit IRC		23:39
*** vinod1 has joined #openstack-dns		23:39
*** jmcbride has quit IRC		23:49
*** chlong has joined #openstack-dns		23:53

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!