<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:2.0cm 42.5pt 2.0cm 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=RU link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Good day!<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Andrey Sedletsky, PJSC MGTS (Moscow City Telephone Network)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>One of our clients contacted us with a problem about the inability to resolve the resources of their zone through the DNS servers (pdns-recursor) of our network (mwscdn.ru).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>In this case, the problem is of a floating nature.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>If you look at the server cache, you can see negative entries for NS servers in their zone when the resource topf66787c7.mwscdn.ru is resolved<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>(at the same time, the resource itself resolves successfully):<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>less pdns-cache | grep mwscdn.ru<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>topf66787c7.mwscdn.ru. 300 281 IN A 185.242.19.1 ; (Insecure) auth=1 zone=mwscdn.ru from=185.242.17.17 nm= rtag= ss=0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>ns1.mwscdn.ru. 86400 86381 IN A 185.242.16.16 ; (Indeterminate) auth=0 zone=ru from=193.232.156.17 nm= rtag= ss=0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>ns2.mwscdn.ru. 86400 86381 IN A 185.242.17.17 ; (Indeterminate) auth=0 zone=ru from=193.232.156.17 nm= rtag= ss=0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>mwscdn.ru. 86400 86381 IN NS ns1.mwscdn.ru. ; (Insecure) auth=1 zone=mwscdn.ru from=185.242.17.17 nm= rtag= ss=0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>mwscdn.ru. 86400 86381 IN NS ns2.mwscdn.ru. 
; (Insecure) auth=1 zone=mwscdn.ru from=185.242.17.17 nm= rtag= ss=0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>mwscdn.ru. 3600 3582 IN SOA ns1.mwscdn.ru. mwsdns.mts.ru. 2023110101 3600 600 604800 1800 ; (Indeterminate) auth=1 zone=mwscdn.ru from=185.242.16.16 nm= rtag= ss=0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>ns1.mwscdn.ru. 882 IN TYPE0 VIA mwscdn.ru. ; (Indeterminate) origttl=900 ss=0 <b><span style='background:yellow;mso-highlight:yellow'><----- negative</span></b><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>mwscdn.ru. 882 IN SOA ns1.mwscdn.ru. mwsdns.mts.ru. 2023110101 3600 600 604800 1800 ; (Indeterminate)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>ns2.mwscdn.ru. 881 IN TYPE0 VIA mwscdn.ru. ; (Indeterminate) origttl=900 ss=0 <b><span style='background:yellow;mso-highlight:yellow'><----- negative</span></b><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>mwscdn.ru. 881 IN SOA ns1.mwscdn.ru. mwsdns.mts.ru. 2023110101 3600 600 604800 1800 ; (Indeterminate)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>mwscdn.ru. 881 IN DS VIA ru. ; (Insecure) origttl=900 ss=0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>topf66787c7.mwscdn.ru. 
281 A ; tag 0 udp<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>The same is confirmed via the rec_control trace-regex:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>journalctl -u pdns-recursor --no-pager --since "2023-12-14 19:04:00" | grep "Dec 14 19:06:43"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: msg="Request" subsystem="webserver" level="0" prio="Info" tid="0" ts="1702570003.365" HTTPVersion="1.1" method="GET" remote="62.112.112.1:62242" respsize="20279" status="200" uniqueid="bab86c67-26f2-4286-9643-be086a804101" urlpath="/api/v1/servers/localhost/statistics"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: msg="Question" subsystem="syncres" level="0" prio="Info" tid="19" ts="1702570003.907" ecs="" mtid="15" proto="udp" qname="ns2.mwscdn.ru" qtype="A" remote="94.29.125.110:56823"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: : no TA found for 'ns2.mwscdn.ru' among 1<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: : no TA found for 'mwscdn.ru' among 1<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: : no TA found for 'ru' among 1<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: : got TA for '.'<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: QM ns2.mwscdn.ru.|A child=(empty): doResolve<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: ns2.mwscdn.ru: Wants DNSSEC processing, auth data in query for A<o:p></o:p></span></p><p 
class=MsoNormal><span lang=EN-US>Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: ns2.mwscdn.ru: Recursion not requested for 'ns2.mwscdn.ru|A', peeking at auth/forward zones<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: <span style='background:yellow;mso-highlight:yellow'>ns2.mwscdn.ru: Entire name 'ns2.mwscdn.ru' is negatively cached via 'mwscdn.ru' for another 895 seconds</span><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: ns2.mwscdn.ru: updating validation state with negative cache content for ns2.mwscdn.ru to Indeterminate<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: QM ns2.mwscdn.ru.|A child=(empty): Step0 Found in cache<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Entries like "(Indeterminate)" seem to indicate problems with DNSSEC, but the client claims that he does not use DNSSEC, and that his zone is not signed.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>An attempt to disable DNSSEC validation with<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>dnssec=process-no-validate or<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>dnssec=off<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>doesn't change anything - the NS servers get into the negative cache. 
It feels like DNSSEC validation is not disabled when settings are changed.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Please help us understand the cause of the problem.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Public Bug Tracker Info:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>System: Oracle Linux Server release 9.2 (5.15.0-101.103.2.1.el9uek.x86_64)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>PDNS Recursor version: pdns-recursor-4.8.4-1.el9.x86_64<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Installed: from repository via dnf.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>No DNSSEC.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>No backends.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>On another system (OL8), in an older version of PowerDNS Recursor (pdns-recursor-4.4.6-1 dns.8.x86_64), this problem does not reproduce:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Dec 14 21:18:24 a975-icache02 pdns-recursor[2494258]: ns2.mwscdn.ru: Wants DNSSEC processing, auth data in query for A <--- There is a problem<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>-----<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Dec 14 21:47:20 a355-icache01 pdns_recursor[2613489]: ns2.mwscdn.ru: Wants DNSSEC processing, NO auth data in query for A <--- no problem<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Thank you in advance.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Best regards,<o:p></o:p></span></p><p class=MsoNormal>Andrey<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>
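The cross-check the message does by eye with grep, as an added example that is not part of the original message and is not PowerDNS code: it parses cache-dump lines in the format quoted above and reports NS host names that carry a whole-name negative entry (`TYPE0 ... VIA`) while an address record for the same name is also cached. The function name, the regular expressions and the sample text (constructed from lines in the message) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the dump format quoted in the message above
# (values taken from that message; this is not a live dump).
SAMPLE_DUMP = """\
ns1.mwscdn.ru. 86400 86381 IN A 185.242.16.16 ; (Indeterminate) auth=0 zone=ru from=193.232.156.17 nm= rtag= ss=0
ns2.mwscdn.ru. 86400 86381 IN A 185.242.17.17 ; (Indeterminate) auth=0 zone=ru from=193.232.156.17 nm= rtag= ss=0
mwscdn.ru. 86400 86381 IN NS ns1.mwscdn.ru. ; (Insecure) auth=1 zone=mwscdn.ru from=185.242.17.17 nm= rtag= ss=0
mwscdn.ru. 86400 86381 IN NS ns2.mwscdn.ru. ; (Insecure) auth=1 zone=mwscdn.ru from=185.242.17.17 nm= rtag= ss=0
ns1.mwscdn.ru. 882 IN TYPE0 VIA mwscdn.ru. ; (Indeterminate) origttl=900 ss=0
mwscdn.ru. 882 IN SOA ns1.mwscdn.ru. mwsdns.mts.ru. 2023110101 3600 600 604800 1800 ; (Indeterminate)
ns2.mwscdn.ru. 881 IN TYPE0 VIA mwscdn.ru. ; (Indeterminate) origttl=900 ss=0
mwscdn.ru. 881 IN DS VIA ru. ; (Insecure) origttl=900 ss=0
topf66787c7.mwscdn.ru. 281 A ; tag 0 udp
"""

# Record-cache line: name, two TTL columns, IN, type, data, ; (state), key=value fields
POS = re.compile(r"^(\S+)\s+\d+\s+\d+\s+IN\s+(\S+)\s+(.*?)\s*;\s*\((\w+)\)\s*(.*)$")
# Negative-cache line: name, one TTL column, IN, type, VIA zone, ; (state)
NEG = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+VIA\s+(\S+)\s*;\s*\((\w+)\)")

def negatively_cached_ns(dump):
    """Return NS hosts that have a whole-name (TYPE0) negative entry."""
    ns_hosts = defaultdict(set)   # zone -> NS host names
    addrs, negative = {}, {}      # host -> (address, source) / (via, state, ttl)
    for line in dump.splitlines():
        if m := NEG.match(line):
            name, ttl, qtype, via, state = m.groups()
            if qtype == "TYPE0":  # type-specific entries such as DS are skipped
                negative[name] = (via, state, int(ttl))
        elif m := POS.match(line):
            name, qtype, data, state, rest = m.groups()
            if qtype == "NS":
                ns_hosts[name].add(data)
            elif qtype in ("A", "AAAA"):
                src = re.search(r"from=(\S+)", rest)
                addrs[name] = (data, src.group(1) if src else None)
    findings = []
    for zone in sorted(ns_hosts):
        for host in sorted(ns_hosts[zone]):
            if host in negative:
                via, state, ttl = negative[host]
                addr, src = addrs.get(host, (None, None))
                findings.append({"zone": zone, "host": host, "via": via, "state": state,
                                 "ttl_left": ttl, "cached_addr": addr, "addr_from": src})
    return findings

if __name__ == "__main__":
    for finding in negatively_cached_ns(SAMPLE_DUMP):
        print(finding)
```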