<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'>Hello,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>We are having problems with pdns-recursor when resolving an MX record for a domain whose delegation is partially mis-configured.  Whilst that mis-configuration is clearly the trigger for the problem, the behaviour of pdns is turning a small problem into a big one, when other recursors do not appear to do so.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Version: </span><span style='font-size:10.5pt;font-family:Roboto;color:#202124;background:white;mso-fareast-language:EN-GB'>4.5.5</span><span style='font-size:11.0pt;mso-fareast-language:EN-GB'> (also seen in earlier versions)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>OS: CentOS7<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>Description of the problem:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>Initial discovery of NS for the domain gets an answer from gtld-servers.  The answer includes:<o:p></o:p></span></p><ul style='margin-top:0cm' type=disc><li class=MsoListParagraph style='margin-left:0cm;mso-list:l1 level1 lfo3'><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>4 NS names; two are in the domain itself, and two are in an unrelated zone.  
TTL=172800<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l1 level1 lfo3'><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>A records / IP addresses for those 4 names (one per name).  TTL=172800<o:p></o:p></span></li></ul><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>Two of the IP addresses are incorrect.  The four name servers are cached, as are the four A records.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>Recursor then goes on to one of the name servers, for which it has a valid IP.  (In fact the IP in the A record is for a different one of the name servers to the one which the initial answer said it was for, but it is nevertheless the IP of a valid name server for the domain).  It queries the MX record, and gets back a response.  The response includes<o:p></o:p></span></p><ul style='margin-top:0cm' type=disc><li class=MsoListParagraph style='margin-left:0cm;mso-list:l1 level1 lfo3'><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>The MX record, with TTL=300<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l1 level1 lfo3'><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>2 NS servers (two of the four which were in the parent response).  TTL=1800<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l1 level1 lfo3'><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>A records for those 2 servers.  TTL=1800<o:p></o:p></span></li></ul><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>This time the A records are correct.  
However, whilst recursor replaces the previous NS records in the cache, it does NOT replace the A records.  In older versions it says<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>“Accept answer? NO!”<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>In newer versions it says<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>“Removing record  in the 3 section”<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>So now if we look up the MX record again after its TTL has expired, recursor correctly identifies the names of the two name servers to use from cache.  It then tries to resolve those to IPs, which it does by using the incorrect A records that were cached from the first response.  And since they are not accessible, the query times out.  Nothing works until the 1800 TTL on the name servers expires, at which point we go back to the start, getting 4 name servers and 4 IPs, two of which work and allow us to resolve the query this one time only.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>I don’t understand why the recursor accepted and cached the A records which it got in the response from the gtld-servers – even though the two important ones are in a different zone, with nothing to indicate that gtld-servers are authoritative for that zone; but it doesn’t accept the A records from the delegated name server’s response.  Is there something we can do to alter this behaviour?  If it either accepted them in both cases or rejected them in both cases, everything would work despite the slightly broken initial response.  
As I say, we don’t see this problem with other recursive resolvers.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>The domain is solera.com.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>Thanks for any pointers.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'>Paul<o:p></o:p></span></p></div></body></html>
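<p>The cache sequence described in the message above, as an added toy model that is not part of the original post and is not PowerDNS code. All names and addresses are constructed (example.com / example.net, documentation address ranges); the model covers the observed behaviour and the "accepted in both cases" alternative only.</p>

```python
# Toy model of the cache sequence described in the post; not PowerDNS code.
# All names and addresses are constructed (RFC 2606 / RFC 5737 ranges).
PARENT_TTL, CHILD_NS_TTL, MX_TTL = 172800, 1800, 300
PARENT_NS = ["ns1.example.com", "ns2.example.com", "ns1.example.net", "ns2.example.net"]
PARENT_GLUE = {"ns1.example.com": "192.0.2.1", "ns2.example.com": "192.0.2.2",
               "ns1.example.net": "198.51.100.1",   # incorrect glue
               "ns2.example.net": "198.51.100.2"}   # incorrect glue
CHILD_NS = ["ns1.example.net", "ns2.example.net"]
CHILD_A = {"ns1.example.net": "203.0.113.1", "ns2.example.net": "203.0.113.2"}
REACHABLE = {"192.0.2.1", "192.0.2.2", "203.0.113.1", "203.0.113.2"}


class Cache:
    def __init__(self):
        self.rr = {}                      # (name, type) -> (value, expiry)

    def put(self, name, rtype, value, ttl, now):
        self.rr[(name, rtype)] = (value, now + ttl)

    def get(self, name, rtype, now):
        value, expiry = self.rr.get((name, rtype), (None, 0))
        return value if now < expiry else None


def resolve_mx(cache, now, accept_child_additional):
    """Return 'cached', 'ok' or 'timeout' for one MX lookup at time `now`."""
    if cache.get("example.com", "MX", now):
        return "cached"
    ns_names = cache.get("example.com", "NS", now)
    if ns_names is None:                  # nothing cached: ask the parent
        ns_names = PARENT_NS
        cache.put("example.com", "NS", ns_names, PARENT_TTL, now)
        for name, addr in PARENT_GLUE.items():
            cache.put(name, "A", addr, PARENT_TTL, now)
    addrs = [cache.get(n, "A", now) for n in ns_names]
    if not any(a in REACHABLE for a in addrs):
        return "timeout"                  # only the incorrect glue is left
    # A reachable server answers: MX plus its own NS set and addresses.
    cache.put("example.com", "MX", "mail.example.com", MX_TTL, now)
    cache.put("example.com", "NS", CHILD_NS, CHILD_NS_TTL, now)
    if accept_child_additional:
        for name, addr in CHILD_A.items():
            cache.put(name, "A", addr, CHILD_NS_TTL, now)
    return "ok"


def timeline(accept_child_additional, times=(0, 100, 400, 1700, 1900)):
    cache = Cache()
    return [resolve_mx(cache, t, accept_child_additional) for t in times]
```

<p>With the child's A records rejected, lookups between the MX expiry (300 s) and the NS expiry (1800 s) time out; with them accepted, every lookup in the same window succeeds.</p>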
