[Pdns-dev] Possible bug in authoritative server CNAME to remote domains?
Mark Zealey
Mark.Zealey at webfusion.com
Tue May 26 13:04:18 CEST 2009
A few more things to help debugging:
I enabled verbose debugging and changed line 801 to dump both target and
p->qdomain as below:
L<<Logger::Warning<<"Not authoritative for '"<< target<<" "<<p->qdomain<<"', sending servfail to "<<
  p->getRemote()<< (p->d.rd ? " (recursion was desired)" : "") <<endl;
This produced the following output (from dig @10.15.11.4
blah.wfdnstestscript.me):
May 26 12:47:15 auth-dns-01 pdns[24029]: Remote 10.15.11.249 wants a type CNAME (5) about 'blah.wfdnstestscript.me'
May 26 12:47:15 auth-dns-01 pdns[24029]: UeberBackend received question for ANY of blah.wfdnstestscript.me
May 26 12:47:15 auth-dns-01 pdns[24029]: Query: 'Q blah.wfdnstestscript.me IN ANY -1 10.15.11.249 0.0.0.0'
May 26 12:47:15 auth-dns-01 pdns[24029]: Ueber get() was called for a ANY record
May 26 12:47:15 auth-dns-01 pdns[24029]: Found an answering backend - will not try another one
May 26 12:47:15 auth-dns-01 pdns[24029]: Ueber get() was called for a ANY record
May 26 12:47:15 auth-dns-01 pdns[24029]: UeberBackend reached end of backends
May 26 12:47:15 auth-dns-01 pdns[24029]: Sending a packet to 10.15.11.249 (71 octets)
May 26 12:47:19 auth-dns-01 pdns[24029]: Received a packet 41 bytes long from 10.15.11.249
May 26 12:47:19 auth-dns-01 pdns[24029]: DNSPacket copy constructor called!
May 26 12:47:19 auth-dns-01 pdns[24029]: Distributor has 11 threads available
May 26 12:47:19 auth-dns-01 pdns[24029]: Distributor misses a thread (11<10), spawning new one
May 26 12:47:19 auth-dns-01 pdns[24029]: Remote 10.15.11.249 wants a type A (1) about 'blah.wfdnstestscript.me'
May 26 12:47:19 auth-dns-01 pdns[24029]: UeberBackend received question for ANY of blah.wfdnstestscript.me
May 26 12:47:19 auth-dns-01 pdns[24029]: Looping because of a CNAME to www.blogware.com
May 26 12:47:19 auth-dns-01 pdns[24029]: UeberBackend received question for ANY of www.blogware.com
May 26 12:47:19 auth-dns-01 pdns[24029]: Query: 'Q www.blogware.com IN ANY -1 10.15.11.249 0.0.0.0'
May 26 12:47:19 auth-dns-01 pdns[24029]: Ueber get() was called for a ANY record
May 26 12:47:19 auth-dns-01 pdns[24029]: UeberBackend reached end of backends
May 26 12:47:19 auth-dns-01 pdns[24029]: UeberBackend received question for ANY of www.blogware.com
May 26 12:47:19 auth-dns-01 pdns[24029]: Nothing found so far for 'www.blogware.com', do we even have authority over this domain?
May 26 12:47:19 auth-dns-01 pdns[24029]: Query: 'Q www.blogware.com IN SOA -1 10.15.11.249 0.0.0.0'
May 26 12:47:19 auth-dns-01 pdns[24029]: Query: 'Q blogware.com IN SOA -1 10.15.11.249 0.0.0.0'
May 26 12:47:19 auth-dns-01 pdns[24029]: Query: 'Q com IN SOA -1 10.15.11.249 0.0.0.0'
May 26 12:47:19 auth-dns-01 pdns[24029]: Query: 'Q IN SOA -1 10.15.11.249 0.0.0.0'
May 26 12:47:19 auth-dns-01 pdns[24029]: We're not authoritative
May 26 12:47:19 auth-dns-01 pdns[24029]: Adding SERVFAIL as we did not followed a CNAME
May 26 12:47:19 auth-dns-01 pdns[24029]: Not authoritative for 'www.blogware.com blah.wfdnstestscript.me', sending servfail to 10.15.11.249 (recursion was desired)
May 26 12:47:19 auth-dns-01 pdns[24029]: Adding SERVFAIL
So, it must be because dig had the 'rd' flag. If I do the same query
with 'dig +norecurse @10.15.11.4 blah.wfdnstestscript.me.' then I get
this output:
May 26 12:47:56 auth-dns-01 pdns[24088]: Remote 10.15.11.249 wants a type A (1) about 'blah.wfdnstestscript.me'
May 26 12:47:56 auth-dns-01 pdns[24088]: UeberBackend received question for ANY of blah.wfdnstestscript.me
May 26 12:47:56 auth-dns-01 pdns[24088]: Query: 'Q blah.wfdnstestscript.me IN ANY -1 10.15.11.249 0.0.0.0'
May 26 12:47:56 auth-dns-01 pdns[24088]: Ueber get() was called for a ANY record
May 26 12:47:56 auth-dns-01 pdns[24088]: Found an answering backend - will not try another one
May 26 12:47:56 auth-dns-01 pdns[24088]: Ueber get() was called for a ANY record
May 26 12:47:56 auth-dns-01 pdns[24088]: UeberBackend reached end of backends
May 26 12:47:56 auth-dns-01 pdns[24088]: Looping because of a CNAME to www.blogware.com
May 26 12:47:56 auth-dns-01 pdns[24088]: UeberBackend received question for ANY of www.blogware.com
May 26 12:47:56 auth-dns-01 pdns[24088]: Query: 'Q www.blogware.com IN ANY -1 10.15.11.249 0.0.0.0'
May 26 12:47:56 auth-dns-01 pdns[24088]: Ueber get() was called for a ANY record
May 26 12:47:56 auth-dns-01 pdns[24088]: UeberBackend reached end of backends
May 26 12:47:56 auth-dns-01 pdns[24088]: UeberBackend received question for ANY of www.blogware.com
May 26 12:47:56 auth-dns-01 pdns[24088]: Nothing found so far for 'www.blogware.com', do we even have authority over this domain?
May 26 12:47:56 auth-dns-01 pdns[24088]: Query: 'Q www.blogware.com IN SOA -1 10.15.11.249 0.0.0.0'
May 26 12:47:56 auth-dns-01 pdns[24088]: Query: 'Q blogware.com IN SOA -1 10.15.11.249 0.0.0.0'
May 26 12:47:56 auth-dns-01 pdns[24088]: Query: 'Q com IN SOA -1 10.15.11.249 0.0.0.0'
May 26 12:47:56 auth-dns-01 pdns[24088]: Query: 'Q IN SOA -1 10.15.11.249 0.0.0.0'
May 26 12:47:56 auth-dns-01 pdns[24088]: We're not authoritative
May 26 12:47:56 auth-dns-01 pdns[24088]: This packet needs additional processing!
May 26 12:47:56 auth-dns-01 pdns[24088]: UeberBackend received question for A of a.root-servers.net
May 26 12:47:56 auth-dns-01 pdns[24088]: Query: 'Q a.root-servers.net IN A -1 10.15.11.249 0.0.0.0'
May 26 12:47:56 auth-dns-01 pdns[24088]: Ueber get() was called for a A record
...
I.e. dig output is:
$ dig +norecurse @10.15.11.4 blah.wfdnstestscript.me.
; <<>> DiG 9.3.4-P1 <<>> +norecurse @10.15.11.4 blah.wfdnstestscript.me.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16316
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13
;; QUESTION SECTION:
;blah.wfdnstestscript.me. IN A
;; ANSWER SECTION:
blah.wfdnstestscript.me. 86400 IN CNAME www.blogware.com.
;; AUTHORITY SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 3600000 IN A 198.41.0.4
b.root-servers.net. 3600000 IN A 192.228.79.201
c.root-servers.net. 3600000 IN A 192.33.4.12
d.root-servers.net. 3600000 IN A 128.8.10.90
e.root-servers.net. 3600000 IN A 192.203.230.10
f.root-servers.net. 3600000 IN A 192.5.5.241
g.root-servers.net. 3600000 IN A 192.112.36.4
h.root-servers.net. 3600000 IN A 128.63.2.53
i.root-servers.net. 3600000 IN A 192.36.148.17
j.root-servers.net. 3600000 IN A 192.58.128.30
k.root-servers.net. 3600000 IN A 193.0.14.129
l.root-servers.net. 3600000 IN A 198.32.64.12
m.root-servers.net. 3600000 IN A 202.12.27.33
;; Query time: 26 msec
;; SERVER: 10.15.11.4#53(10.15.11.4)
;; WHEN: Tue May 26 11:54:41 2009
;; MSG SIZE rcvd: 490
Which I suppose is correct, but it seems a bit weird to return the list
of root servers... (I have send-root-referral=no in config).
I still think there's a bug here, as it thinks it hasn't returned a
CNAME and behaves differently from our current server (returning
SERVFAIL).
--
Mark Zealey -- Shared Hosting Team Leader
Product Development * Webfusion
123-reg.co.uk, webfusion.co.uk, donhost.co.uk, supanames.co.uk
This mail is subject to http://www.gxn.net/disclaimer
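A regression check for the behaviour reported in this mail, as an added example that is not part of the original message or of PowerDNS: it sends the same A query with the RD bit set and cleared and compares the response codes. The function names are assumptions made for this sketch; the server address and query name are the ones used in the mail.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
RD, AA = 0x0100, 0x0400  # header flag bits (RFC 1035 section 4.1.1)


def build_query(name, qtype=1, rd=True, qid=0x3FBC):
    """Encode a single-question query (class IN); rd toggles the RD bit."""
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".") if label
    ) + b"\x00"
    # For blah.wfdnstestscript.me this is 41 bytes, the size pdns logged.
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    code = flags & 0x000F
    return {"id": qid, "aa": bool(flags & AA), "rd": bool(flags & RD),
            "rcode": RCODES.get(code, str(code)),
            "answer": an, "authority": ns, "additional": ar}


def probe(server, name, timeout=3.0):
    """Ask `server` for the A record of `name` with RD set and cleared."""
    results = {}
    for rd in (True, False):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(name, rd=rd), (server, 53))
            results[rd] = parse_header(sock.recv(4096))
    return results


def rd_changes_rcode(results):
    """True when the RD-set and RD-cleared probes got different rcodes."""
    return results[True]["rcode"] != results[False]["rcode"]


if __name__ == "__main__":
    # Server and name as used in the mail; reachable only on that network.
    res = probe("10.15.11.4", "blah.wfdnstestscript.me")
    print(res, "RD-dependent:", rd_changes_rcode(res))
```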