[Pdns-users] Unresolvable domains with 3.1.1 and "auth-can-lower-ttl"

Darren Gamble darren.gamble at sjrb.ca
Wed Jun 14 12:19:45 UTC 2006


Good day,

Sorry for the spam, but we just wanted to add that in our research we
found the relevant RFC section.

Section 5.2 of RFC 2181 indeed states that the TTLs of an RRset should
always be the same, specifically noting that the situation we've run
into will happen: 'This can, however, cause partial replies (not marked
"truncated") from a caching server, where the TTLs for some but not all
the RRs in the RRSet have expired.'

The section seems geared towards preventing authoritative servers from
returning an RRset in this way; it's probably improper for a caching
server to mash two RRsets together like PowerDNS is doing here.

Having PowerDNS just replace the RRset with the new set when it "lowers
the TTL" is probably the proper way to handle this, which would also be
the expected behavior.

FYI,

============================
Darren Gamble
Planner, Regional Services
Shaw Cablesystems GP
630 - 3rd Avenue SW
Calgary, Alberta, Canada
T2P 4L4
(403) 781-4948
 

> -----Original Message-----
> From: pdns-users-bounces at mailman.powerdns.com [mailto:pdns-users-
> bounces at mailman.powerdns.com] On Behalf Of Darren Gamble
> Sent: Tuesday, June 13, 2006 4:02 PM
> To: bert hubert
> Cc: pdns-users at mailman.powerdns.com
> Subject: RE: [Pdns-users] Unresolvable domains with 3.1.1 and "auth-can-lower-ttl"
> 
> Good day,
> 
> Just to help out everyone, here's more information on this:
> 
> If we ask the CIRA (servers for .ca) about ipcc.ca, we get:
> 
> ipcc.ca.                86400   IN      NS      ns.ipcc.org.
> ipcc.ca.                86400   IN      NS      ns2.ipcc.org.
> ipcc.ca.                86400   IN      NS      ns3.ipcc.org.
> ipcc.ca.                86400   IN      NS      ns3.oill.com.
> 
> If we ask one of their servers, it instead returns:
> 
> ipcc.ca.                1600    IN      NS      ns3.oill.com.
> ipcc.ca.                1600    IN      NS      ns.ipcc.org.
> ipcc.ca.                1600    IN      NS      ns3.ipcc.org.
> 
> But the pdns recursor will end up with the following in the cache, a
> couple of seconds later:
> 
> ipcc.ca.                1598    IN      NS      ns.ipcc.org.
> ipcc.ca.                1598    IN      NS      ns3.oill.com.
> ipcc.ca.                1598    IN      NS      ns3.ipcc.org.
> ipcc.ca.                86396   IN      NS      ns2.ipcc.org.
> 
> In this case, ns2.ipcc.org is nonresponsive.  Names will resolve at that
> time, but 1600 seconds later, the powerdns recursor will be unable to
> resolve names for this domain for the remainder of the day.  Then, it
> will work again for another 1600 seconds, and so on.
> 
> Other caching software will end up with a set identical to the second
> list here (i.e. the record will expire in 1600 seconds), and so those
> users can consistently resolve information on the domain.
> 
> Yes, their domain is not configured the way it should be, but then
> again, I am pretty sure that this resulting mismatch in TTLs is not
> correct either, which causes the cached information to change over time.
> Can the record even be expired piecemeal like this? ...
> 
> FYI,
> 
> ============================
> Darren Gamble
> Planner, Regional Services
> Shaw Cablesystems GP
> 630 - 3rd Avenue SW
> Calgary, Alberta, Canada
> T2P 4L4
> (403) 781-4948
> 
> 
> > -----Original Message-----
> > From: Darren Gamble
> > Sent: Tuesday, June 13, 2006 3:39 PM
> > To: 'bert hubert'
> > Cc: pdns-users at mailman.powerdns.com
> > Subject: RE: [Pdns-users] Unresolvable domains with 3.1.1 and "auth-can-lower-ttl"
> >
> > Hi Bert,
> >
> > If by "real problems" you mean "powerdns servers can't resolve the domain
> > for two days at a time", then yes, it's a real problem.
> >
> > Another domain was just discovered that has this issue, "beanstream.com".
> > It's pretty easy to reproduce the issue given a known domain.
> >
> > I completely understand about not wanting to cater to broken domains, but,
> > in this case I am fairly certain that the powerdns behavior is not
> > correct, in that different NS records for the same DNS name can't have
> > differing TTLs (someone can step in here and correct me if I'm wrong).  I
> > note that one can not even configure a BIND authoritative server to do
> > this.
> >
> > At any rate, this causes the cached list to change just by having time
> > pass, and if that leaves it with a list of only nonresponsive and/or
> > overloaded servers, all resolution on the domain breaks.  No other caching
> > software (that we've tried) behaves in this way, and thus isn't affected
> > by this situation.
> >
> > Please let me know if more information is needed.  Thanks,
> >
> > ============================
> > Darren Gamble
> > Planner, Regional Services
> > Shaw Cablesystems GP
> > 630 - 3rd Avenue SW
> > Calgary, Alberta, Canada
> > T2P 4L4
> > (403) 781-4948
> >
> >
> > > -----Original Message-----
> > > From: pdns-users-bounces at mailman.powerdns.com [mailto:pdns-users-
> > > bounces at mailman.powerdns.com] On Behalf Of bert hubert
> > > Sent: Tuesday, June 13, 2006 3:21 PM
> > > To: Darren Gamble
> > > Cc: pdns-users at mailman.powerdns.com
> > > Subject: Re: [Pdns-users] Unresolvable domains with 3.1.1 and "auth-can-lower-ttl"
> > >
> > > On Tue, Jun 13, 2006 at 03:03:28PM -0600, Darren Gamble wrote:
> > >
> > > > records with the higher TTLs. If that server(s) is/are also not
> > > > reachable, then the domain will be unresolvable until that NS record
> > > > expires.  When it does, this cycle will start again.  I believe that
> > > > different data for the same name is never supposed to have differing TTL
> > > > values anyway...
> > >
> > > Briefly, does it cause real problems? In other words, domains that cannot
> > > be reached? The thing is, catering for broken domains often causes problems
> > > for non-broken domains.
> > >
> > > So far all other 3.1.1 problem reports have been resolved.
> > >
> > > Kind regards,
> > >
> > > bert hubert
> > >
> > >
> > > --
> > > http://www.PowerDNS.com      Open source, database driven DNS Software
> > > http://netherlabs.nl              Open and Closed source services
> > > _______________________________________________
> > > Pdns-users mailing list
> > > Pdns-users at mailman.powerdns.com
> > > http://mailman.powerdns.com/mailman/listinfo/pdns-users
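The failure mode discussed in this thread, reproduced as an added simulation (this is example code written for this page, not the PowerDNS recursor's code or anything posted by the participants). It models two cache policies for an NS RRset whose TTL the child zone lowers below the parent delegation's: a per-record merge, where each NS record keeps its own expiry and the set is expired piecemeal, and the RFC 2181 section 5.2 policy, where the RRset is treated as a unit and replaced whole. The record data (ipcc.ca. delegated with a 86400 TTL by the parent, a three-record 1600 TTL set from the child, ns2.ipcc.org unresponsive) is constructed from the dig output quoted above; the class and function names are my own. The merged cache ends up serving only the dead ns2.ipcc.org between 1600 seconds and the end of the day, exactly the cycle the thread describes, while the atomic cache simply refetches once the set expires.

```python
"""Simulate per-record vs. atomic RRset caching for a delegation whose
child zone lowers the NS TTL (constructed data modelled on the thread)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    ttl: int


# Constructed data based on the thread: the parent (.ca) delegation carries
# four NS records at 86400; the child's own apex NS RRset has three at 1600.
PARENT_NS = [RR("ipcc.ca.", "NS", n, 86400) for n in
             ("ns.ipcc.org.", "ns2.ipcc.org.", "ns3.ipcc.org.", "ns3.oill.com.")]
CHILD_NS = [RR("ipcc.ca.", "NS", n, 1600) for n in
            ("ns3.oill.com.", "ns.ipcc.org.", "ns3.ipcc.org.")]
# ns2.ipcc.org is reported nonresponsive in the thread.
RESPONSIVE = {"ns.ipcc.org.", "ns3.ipcc.org.", "ns3.oill.com."}


class Cache:
    """A toy RRset cache with two storage policies (hypothetical helper)."""

    def __init__(self, merge_per_record: bool):
        self.merge_per_record = merge_per_record
        self.entries = {}  # (name, rtype) -> {rdata: absolute expiry}

    def store(self, rrset, now):
        key = (rrset[0].name, rrset[0].rtype)
        fresh = {rr.rdata: now + rr.ttl for rr in rrset}
        if self.merge_per_record:
            # Per-record merge: unexpired records already cached survive and
            # a new answer can only lower a record's TTL.  Records absent from
            # the new answer (ns2 here) keep their old, longer expiry.
            live = {r: e for r, e in self.entries.get(key, {}).items() if e > now}
            for rdata, expiry in fresh.items():
                live[rdata] = min(live.get(rdata, expiry), expiry)
            self.entries[key] = live
        else:
            # RFC 2181 s5.2 view: an RRset is atomic, so a new answer for the
            # same name/type replaces the whole set.
            self.entries[key] = fresh

    def lookup(self, name, rtype, now):
        """Return the rdata still unexpired at time `now`, sorted."""
        live = self.entries.get((name, rtype), {})
        return sorted(r for r, e in live.items() if e > now)

    def snapshot(self, name, rtype, now):
        """(rdata, remaining TTL) pairs, like a cache dump at time `now`."""
        live = self.entries.get((name, rtype), {})
        return sorted((r, e - now) for r, e in live.items() if e > now)


def refetch(cache, now):
    """The recursor first learns the delegation from the parent and then
    receives the child's own (lower-TTL) NS RRset, i.e. auth-can-lower-ttl."""
    cache.store(PARENT_NS, now)
    cache.store(CHILD_NS, now)


def resolvable(cache, now):
    """True if, at time `now`, the cached NS set contains a responsive server.
    An empty (fully expired) set triggers a refetch, as a recursor would do."""
    ns = cache.lookup("ipcc.ca.", "NS", now)
    if not ns:
        refetch(cache, now)
        ns = cache.lookup("ipcc.ca.", "NS", now)
    return any(n in RESPONSIVE for n in ns)


def simulate(merge_per_record, times):
    """Map each query time to whether ipcc.ca. was resolvable then."""
    cache = Cache(merge_per_record)
    return {t: resolvable(cache, t) for t in times}


if __name__ == "__main__":
    probe = [0, 1599, 1600, 86399, 86400]
    print("per-record merge:", simulate(True, probe))
    print("atomic RRset:    ", simulate(False, probe))
    c = Cache(True)
    refetch(c, 0)
    print("merged cache 2s later:", c.snapshot("ipcc.ca.", "NS", 2))
```

Running it shows the per-record cache answering with only ns2.ipcc.org from t=1600 until the parent's 86400-second TTL runs out, then working again for another 1600 seconds; the atomic cache refetches at t=1600 and stays resolvable. The snapshot call reproduces the mixed 1598/86398-style TTLs quoted from the recursor's cache.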