I’ve said similar before, but I’m just so impressed with Julia Evans as a technologist and technology writer/blogger. From very humble beginnings, the scope, sophistication and arc of her growing expertise is a masterclass in how to become a legend by putting in the work, and in an age of so many bytes on how to take shortcuts, this is exactly the kind of role model we need.
In this particular instance I recall the post about DNS some years ago and the callback is amply enriched.
Keep it up @jvns. You hold us all to a high standard.
> Sometimes users will still get errors from PowerDNS directly, but I added some logging of all the errors that users see, so hopefully I can review them and add extra translations if there are other common errors that come up.
I noticed that you are using our Go module to access the API. It is wonderful to see our work helping others build great software, especially for education. Thank you for that.
Please note that the upstream API sometimes changes slightly between minor releases. For example, prior to v4.9, the error response for a non-existent server was "Not Found". Starting with v4.9, it changed to "Method Not Allowed".
Unfortunately, error responses aren't always part of the API specification. I'm thinking about adding the most common cases to the module anyway.
Thank you very much for this wonderful experimental and educational tool.
You mentioned, about your previous version:
> If there was a CNAME record for a domain name, it allowed you to create other records for that domain name, even if it shouldn’t
> you could create 2 different CNAME records for the same domain name, which shouldn’t be allowed
One suggestion... If someone makes a mistake and generates an error, it would be terrific if there were a more verbose explanation so the user may better understand why what they're trying to do won't work. I'm very much a conceptual learner. If I can understand why an error is an error, it puts me on a better path toward a more comprehensive understanding.
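The two CNAME rules quoted above are a good candidate for the "explain why" treatment. Here is an added example (not Mess With DNS's own code) of a validator that rejects both cases and says which rule was hit and which existing record it conflicts with. The `Record` type and the sample zone are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is a minimal view of one DNS record: owner name, type, content.
// Hypothetical type for this example, not the project's own data model.
type Record struct {
	Name    string
	Type    string
	Content string
}

// normalize lower-cases a name and strips a trailing dot so "Foo.example.com."
// and "foo.example.com" count as the same owner name.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// ValidateAdd reports why adding candidate to existing would violate the
// CNAME rule from RFC 1034 section 3.6.2: a CNAME must be the only record at
// its owner name (DNSSEC types aside, which this example ignores), so
//   - a second CNAME at the same name is rejected, and
//   - any other type alongside a CNAME, in either direction, is rejected.
// The message is deliberately verbose so a learner sees the reasoning.
func ValidateAdd(existing []Record, candidate Record) error {
	name := normalize(candidate.Name)
	for _, r := range existing {
		if normalize(r.Name) != name {
			continue
		}
		switch {
		case candidate.Type == "CNAME" && r.Type == "CNAME":
			return fmt.Errorf("%s already has a CNAME (-> %s); a name can be an alias for only one target, so a second CNAME is not allowed",
				name, r.Content)
		case candidate.Type == "CNAME":
			return fmt.Errorf("%s already has a %s record (%s); a CNAME makes the name an alias for another name, so it cannot coexist with any other record type",
				name, r.Type, r.Content)
		case r.Type == "CNAME":
			return fmt.Errorf("%s is a CNAME (-> %s), so a %s record cannot be added there; resolvers follow the alias and would never see it",
				name, r.Content, candidate.Type)
		}
	}
	return nil
}

func main() {
	// Constructed sample zone.
	zone := []Record{
		{"www.example.com", "CNAME", "example.com."},
		{"example.com", "A", "192.0.2.1"},
	}
	attempts := []Record{
		{"www.example.com", "A", "192.0.2.2"},             // A beside CNAME
		{"WWW.example.com.", "CNAME", "other.example.net."}, // second CNAME
		{"example.com", "CNAME", "www.example.com."},        // CNAME beside A
		{"mail.example.com", "MX", "10 example.com."},       // fine
	}
	for _, a := range attempts {
		if err := ValidateAdd(zone, a); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("ok:", a.Name, a.Type)
		}
	}
}
```

Running `main` prints three rejections with their reasons and one "ok" for the MX record. Note the name comparison is case-insensitive and ignores the trailing dot, otherwise a user could sneak a second CNAME in as `WWW.example.com.`.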
> Previously Mess With DNS was using a Postgres database. This was problematic because I only gave the Postgres machine 256MB of RAM, which meant that the database got OOM killed almost every single day. I never really worked out exactly why it got OOM killed every day, but that’s how it was.
Found this a little surprising: Postgres is internet-old, and I'm pretty sure it was around at a time when physical servers might not have had 256MB of RAM?
Seems this should still be possible to tune down? (I mean, maybe not. Postgres 16 isn't Postgres 6, and maybe I'm just getting old...)
The section labelled "what I learned: it’s okay for an API to duplicate information" is something I come across often in Django projects. Django views send a Python dictionary of data to the template processor to display the information. Often it's easier to massage the data into a more friendly format before sending it to the template, even if it means duplicating the info sent.
Yep. There’s certainly a balance to strike, especially on projects with a larger number of people working on them. But I generally find that you want to do at least MOST of your data processing outside of your template.
I've been using a PowerDNS cluster in production for about 5 years, using a SQL backend for replication, with absolutely zero issues: not a single crash, memory leak, etc. in that time. The only downside is that the API has a single key and you cannot generate more, but there are open source projects that can put the API behind a proxy with additional keys/ACLs.
Given it can read BIND files, surprised BIND is still the default in many places.
I wrote one such proxy, though mine is not open source. I found working with zones and records relatively easy, and a well-designed test suite helps build confidence that a key for an "account" A cannot read or write into "account" B.
I'm putting "account" between quotes because it isn't a PowerDNS concept, there is just a lonely varchar column in the 'domains' table where one can store some account-related information. To handle TSIG keys I had to extend PowerDNS's data model to represent the association between a TSIG key and an "account".
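For the isolation property described above, here is an added example of such a proxy (not the commenter's code and not a PowerDNS component). It maps per-tenant keys to accounts, keeps an in-memory stand-in for the `account` column of the `domains` table, only exposes per-zone paths of the form `/api/v1/servers/<server>/zones/<zone>`, and swaps in PowerDNS's single real key before forwarding. The key names, account names, zone names and the upstream address are assumptions for the example; the `X-API-Key` header and the `/api/v1/servers/.../zones/...` path layout are PowerDNS's.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// ACL is a hypothetical stand-in for what a real proxy would keep in a
// database: per-tenant API keys (PowerDNS itself has only one) and, per zone,
// the value a real deployment would store in the domains.account column.
type ACL struct {
	KeyToAccount  map[string]string // tenant API key -> account
	ZoneToAccount map[string]string // normalized zone name -> account
}

func normalizeZone(z string) string {
	return strings.ToLower(strings.TrimSuffix(z, "."))
}

// lookupKey compares the presented key against each known key in constant
// time, so a guess does not reveal how many leading bytes matched.
func (a *ACL) lookupKey(key string) (string, bool) {
	account, found := "", false
	for k, acct := range a.KeyToAccount {
		if subtle.ConstantTimeCompare([]byte(k), []byte(key)) == 1 {
			account, found = acct, true
		}
	}
	return account, found
}

// Authorize returns the HTTP status the proxy should answer with (200 means
// "forward it"). Only per-zone endpoints are exposed, and only when the zone's
// account matches the key's account; zone listing, server listing, config and
// statistics endpoints are refused so a tenant cannot enumerate other tenants.
func (a *ACL) Authorize(apiKey, p string) (int, string) {
	account, ok := a.lookupKey(apiKey)
	if !ok {
		return http.StatusUnauthorized, "unknown API key"
	}
	// Refuse anything that path.Clean would rewrite ("..", "//", trailing "/"):
	// the authorization decision must be made on exactly the path forwarded.
	if path.Clean(p) != p {
		return http.StatusForbidden, "non-canonical path"
	}
	parts := strings.Split(strings.TrimPrefix(p, "/"), "/")
	// expected: api v1 servers <server> zones <zone> [more...]
	if len(parts) < 6 || parts[0] != "api" || parts[1] != "v1" ||
		parts[2] != "servers" || parts[4] != "zones" {
		return http.StatusForbidden, "only per-zone endpoints are exposed through this proxy"
	}
	owner, exists := a.ZoneToAccount[normalizeZone(parts[5])]
	if !exists || owner != account {
		// Same answer for "not yours" and "does not exist": do not confirm
		// other tenants' zone names.
		return http.StatusNotFound, "zone not found"
	}
	return http.StatusOK, ""
}

// NewProxy authorizes each request and, on success, forwards it to the PowerDNS
// API with the single upstream key substituted for the tenant's key.
func NewProxy(acl *ACL, upstream *url.URL, upstreamKey string) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r)
		r.Header.Set("X-API-Key", upstreamKey) // the tenant key never reaches PowerDNS
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if status, msg := acl.Authorize(r.Header.Get("X-API-Key"), r.URL.Path); status != http.StatusOK {
			http.Error(w, msg, status)
			return
		}
		rp.ServeHTTP(w, r)
	})
}

func main() {
	upstream, _ := url.Parse("http://127.0.0.1:8081") // assumed PowerDNS webserver address
	acl := &ACL{
		KeyToAccount:  map[string]string{"key-for-alice": "alice", "key-for-bob": "bob"},
		ZoneToAccount: map[string]string{"alice.example": "alice", "bob.example": "bob"},
	}
	fmt.Println("proxy listening on :8080")
	fmt.Println(http.ListenAndServe(":8080", NewProxy(acl, upstream, "the-single-upstream-key")))
}
```

The important design choices are that "not your zone" and "no such zone" return the same 404, that the tenant's key is replaced rather than passed through, and that the path is checked in canonical form before the bytes are forwarded. A real deployment would also need to gate zone creation (POST on `.../zones`) and record the creating account, which this example leaves out.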
Great write up. I'm using PowerDNS for https://www.getlocalcert.net/, which also makes heavy use of PowerDNS's HTTP API. I've been really happy with it. I need to check my code, but I remember planning to use the comment field of the records to map between application IDs and records in PowerDNS zones.
You may be able to implement the logging by using a customization of the Sqlite backend, although I think PowerDNS caching may get in your way.
I'll recommend the pipe backend to anyone looking to hack on DNS stuff. It's almost like a DNS lookup via a function in any programming language you choose. It takes a while to figure out how incoming queries are translated though.
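As an added example of how a query reaches a pipe backend (not code from the commenter or from PowerDNS), here is a minimal backend in Go speaking pipe ABI version 1: the server sends `HELO\t1` once, then one `Q\tqname\tqclass\tqtype\tid\tremote-ip` line per lookup, and expects zero or more `DATA\tqname\tqclass\tqtype\tttl\tid\tcontent` lines followed by `END`. The in-memory records for `example.test` are constructed sample data. Anything beyond ABI 1 (AXFR support, the extra fields of ABI 2 and 3) is left out.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// rr is one static answer. The whole "zone" lives in memory for this example.
type rr struct {
	qtype, content string
	ttl            int
}

// Constructed sample data, not a real zone.
var records = map[string][]rr{
	"example.test": {
		{"SOA", "ns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 60", 3600},
		{"NS", "ns1.example.test.", 3600},
		{"A", "192.0.2.10", 60},
	},
	"ns1.example.test": {{"A", "192.0.2.53", 3600}},
}

// Handle takes one line from pdns_server and returns the lines to send back,
// following pipe backend ABI version 1:
//
//	HELO\t1                                -> OK\t<banner>
//	Q\tqname\tqclass\tqtype\tid\tremote-ip -> DATA lines, then END
//	anything else (AXFR, PING, ...)        -> FAIL (this example does not support them)
//
// An empty answer (just END) lets PowerDNS derive NXDOMAIN/NODATA itself.
func Handle(line string) []string {
	fields := strings.Split(line, "\t")
	switch fields[0] {
	case "HELO":
		if len(fields) < 2 || fields[1] != "1" {
			return []string{"FAIL"} // refuse an ABI version we do not speak
		}
		return []string{"OK\tgo-pipe-example ready"}
	case "Q":
		if len(fields) < 6 {
			return []string{"FAIL"}
		}
		qname, qclass, qtype, id := fields[1], fields[2], fields[3], fields[4]
		if qclass != "IN" {
			return []string{"END"}
		}
		var out []string
		// PowerDNS commonly asks for ANY first; return every type at the name.
		for _, r := range records[strings.ToLower(strings.TrimSuffix(qname, "."))] {
			if qtype == "ANY" || qtype == r.qtype {
				out = append(out, fmt.Sprintf("DATA\t%s\t%s\t%s\t%d\t%s\t%s",
					qname, qclass, r.qtype, r.ttl, id, r.content))
			}
		}
		return append(out, "END")
	default:
		return []string{"FAIL"}
	}
}

func main() {
	// pdns_server talks to the backend over stdin/stdout, one line per message.
	// Flush after every reply: with buffered stdout the server would wait forever.
	in := bufio.NewScanner(os.Stdin)
	out := bufio.NewWriter(os.Stdout)
	for in.Scan() {
		for _, reply := range Handle(in.Text()) {
			fmt.Fprintln(out, reply)
		}
		out.Flush()
	}
}
```

To try it, point PowerDNS at the built binary with `launch=pipe`, `pipe-command=/path/to/binary` and `pipe-abi-version=1`, or just run it by hand and type a `HELO` line followed by `Q` lines (with real tab characters) to see exactly how a query is translated.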
getlocalcert looks interesting. For custom domains, what would the value prop be vs using a registrar's API? Disclosure: I run TakingNames.io, which is a domain seller focused on providing a low-friction API.
Great question. My first pass at the project was looking to conform to the ACME DNS API [1]. There are some tools for cert management that use that API, so it gave me broad tool support with very little effort. The getlocalcert subdomains don't permit user modification of A, MX, or CNAME records on the public DNS; you've got to do that with a private DNS server you provide.
I may consider extending the service to allow A/AAAA records to private IP ranges, and then I'd need a more full-featured API, but thus far there hasn't been demand for the feature.
Hit me up on email if you want to chat more (in profile), we're solving some similar problems.
> i quit my job just over 5 years ago to explain computer things (https://jvns.ca/blog/2019/09/13/a-year-explaining-computer-t...). I had no idea if I would like being my own boss but ultimately it's been really cool and I'm happy to have this weird job writing zines about computers.
I personally prefer CoreDNS given its open nature (CNCF) and being written in Go, but I'm a little biased :) There's probably a case to be made for PowerDNS if you need to run something business-critical on it and require support to be available with a tight SLO. Also, CoreDNS doesn't do recursive queries by default, but there's an out-of-tree plugin wrapping libunbound[0]; its use case is more that of a highly configurable/programmable authoritative server.
I use it as a caching proxy on my homeprod nodes. I want docker containers to be able to query Tailscale's MagicDNS without using host-mode networking everywhere. My config is really simple, just forward .ts.net to 100.100.100.100 and otherwise forward to NextDNS.
How’s NextDNS been? I’ve been using pihole for ages, but I’m not too impressed by how much latency I have hitting my home network for DNS when far from home. I use Tailscale to VPN on demand when off my home WiFi and route DNS through my pihole VM. Considering relocating it to a VPS, but then I started to think maybe NextDNS will be less painful to manage and offer better performance. I have decent upload speed (50mbit), but the latency over cellular isn’t the best.