[Pdns-dev]
Possible bug in authoritative server CNAME to remote domains?
Mark Zealey
Mark.Zealey at webfusion.com
Tue May 26 11:33:58 CEST 2009
Hi, we're looking at migrating some of our DNS over to PowerDNS, but I
believe I've come across a bug in the pdns auth server (v 2.9.22, but
also present in 2.9.21.1 I believe):
The correct response from our present servers:
$ dig @ns.hosteurope.com blah.wfdnstestscript.me.
; <<>> DiG 9.3.4-P1 <<>> @ns.hosteurope.com blah.wfdnstestscript.me.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39316
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;blah.wfdnstestscript.me. IN A
;; ANSWER SECTION:
blah.wfdnstestscript.me. 86400 IN CNAME www.blogware.com.
;; Query time: 5 msec
;; SERVER: 212.67.202.2#53(212.67.202.2)
;; WHEN: Tue May 26 09:59:53 2009
;; MSG SIZE rcvd: 71
However pdns returns:
$ dig @10.15.11.4 blah.wfdnstestscript.me.
; <<>> DiG 9.3.4-P1 <<>> @10.15.11.4 blah.wfdnstestscript.me.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38333
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;blah.wfdnstestscript.me. IN A
;; ANSWER SECTION:
blah.wfdnstestscript.me. 86400 IN CNAME www.blogware.com.
;; Query time: 2 msec
;; SERVER: 10.15.11.4#53(10.15.11.4)
;; WHEN: Tue May 26 10:00:06 2009
;; MSG SIZE rcvd: 71
i.e. it returns status SERVFAIL when it should actually be NOERROR. I'm
using the pipe backend (api v2) with:
skip-cname=no
recursor=no
allow-recursion=
send-root-referral=no
Pdns itself says:
May 26 11:01:55 auth-dns-01 pdns[22647]: Query: 'Q blah.wfdnstestscript.me IN ANY -1 10.15.11.249 0.0.0.0'
May 26 11:01:55 auth-dns-01 pdns[22647]: Query: 'Q www.blogware.com IN ANY -1 10.15.11.249 0.0.0.0'
May 26 11:01:55 auth-dns-01 pdns[22647]: Query: 'Q www.blogware.com IN SOA -1 10.15.11.249 0.0.0.0'
May 26 11:01:55 auth-dns-01 pdns[22647]: Query: 'Q blogware.com IN SOA -1 10.15.11.249 0.0.0.0'
May 26 11:01:55 auth-dns-01 pdns[22647]: Query: 'Q com IN SOA -1 10.15.11.249 0.0.0.0'
May 26 11:01:55 auth-dns-01 pdns[22647]: Query: 'Q IN SOA -1 10.15.11.249 0.0.0.0'
May 26 11:01:55 auth-dns-01 pdns[22647]: Not authoritative for 'www.blogware.com', sending servfail to 10.15.11.249 (recursion was desired)
The response to the first Q is:
DATA blah.wfdnstestscript.me IN CNAME 86400 2726127 www.blogware.com
END
To the other queries, just:
END
However, in packethandler.cc:796:
if(!weAuth) {
  DLOG(L<<Logger::Warning<<"We're not authoritative"<<endl);
  if(p->d.rd || target==p->qdomain) { // only servfail if we didn't follow a CNAME
So it seems that even the pdns comment thinks it shouldn't be sending the
SERVFAIL response in the external CNAME redirection case; however, it is.
Thanks,
Mark
--
Mark Zealey -- Shared Hosting Team Leader
Product Development * Webfusion
123-reg.co.uk, webfusion.co.uk, donhost.co.uk, supanames.co.uk
This mail is subject to http://www.gxn.net/disclaimer
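
The backend side of the exchange logged above, as an added example that is not part of the original post or of PowerDNS: a minimal pipe-backend (ABI v2) responder in Python that returns the CNAME for the first question and a bare END for the five lookups on the CNAME target. The function names, the banner text and the record table are assumptions; fields are tab-separated, as the pipe backend protocol requires.

```python
import sys

# Constructed zone data: the single record the post shows the backend returning.
# (qname, qtype) -> list of (ttl, domain_id, content)
RECORDS = {
    ("blah.wfdnstestscript.me", "CNAME"): [(86400, 2726127, "www.blogware.com")],
}

# The six questions from the pdns log in the post, in order (tab-separated on the wire).
LOGGED = [
    "Q\tblah.wfdnstestscript.me\tIN\tANY\t-1\t10.15.11.249\t0.0.0.0",
    "Q\twww.blogware.com\tIN\tANY\t-1\t10.15.11.249\t0.0.0.0",
    "Q\twww.blogware.com\tIN\tSOA\t-1\t10.15.11.249\t0.0.0.0",
    "Q\tblogware.com\tIN\tSOA\t-1\t10.15.11.249\t0.0.0.0",
    "Q\tcom\tIN\tSOA\t-1\t10.15.11.249\t0.0.0.0",
    "Q\t\tIN\tSOA\t-1\t10.15.11.249\t0.0.0.0",  # empty qname: the root
]

def handle_line(line, records=RECORDS):
    """Return the reply lines for one line pdns writes to the backend."""
    fields = line.rstrip("\n").split("\t")
    if fields[0] == "HELO":
        # Handshake: pdns announces the ABI version; this backend only speaks v2.
        return ["OK\texample backend ready"] if fields[1:] == ["2"] else ["FAIL"]
    if fields[0] != "Q" or len(fields) != 7:
        # An ABI v2 question has seven fields; the last one is the local IP.
        return ["LOG\tunparseable line", "FAIL"]
    _, qname, qclass, qtype, _qid, _remote_ip, _local_ip = fields
    replies = []
    for (name, rtype), rrs in records.items():
        if name.lower() == qname.lower() and qtype in ("ANY", rtype):
            for ttl, domain_id, content in rrs:
                replies.append("\t".join(
                    ["DATA", name, qclass, rtype, str(ttl), str(domain_id), content]))
    replies.append("END")  # every answer, including an empty one, ends with END
    return replies

def replay(queries):
    """Answer each question in turn, as the backend did in the logged exchange."""
    return [handle_line(q) for q in queries]

if __name__ == "__main__":
    # Run as a coprocess: read questions from pdns on stdin, answer on stdout.
    for line in sys.stdin:
        print("\n".join(handle_line(line)), flush=True)
```

Because the backend holds no SOA for www.blogware.com, blogware.com, com or the root, every SOA lookup comes back as a bare END, which is the point at which pdns logs "Not authoritative for 'www.blogware.com'".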