[Pdns-dev] Weird behaviour / CNAME vs. other data in AXFR
Peter van Dijk
peter.van.dijk at netherlabs.nl
Wed Nov 7 18:59:07 CET 2012
Hello Sebastian,
On Nov 7, 2012, at 15:09 , Posner, Sebastian wrote:
>> The problem is that PowerDNS only asks the backend things, it
>> does not know what is 'in' the backend. And while we can do
>> certain tests to determine if data is correct, we can't do them all.
>
> Full ACK, but in this special case, pdns already IS actively
> correcting the answer with normal queries; so one should think
> this to be the case with *any* methods of accessing data through
> pdns; or at least coherently not work around this error anywhere.
> Or log it, for logfile-monitoring to find it and trigger human
> corrective labour ;-)
PowerDNS does not actively correct with normal queries. With normal
queries, it first asks the backend for CNAME; it does not even ask for or
see anything else. During AXFR however, we ask the backend for ALL
data. No checking on this data happens except syntax (can't generate
DNS records on the wire without parsing), deduplication (since this week,
really) and some ordering for the signer thread.
In other words, during AXFR this CNAME check would mean extra code,
while during normal query processing it is free.
The best weapon we currently have against bad zone data is pdnssec
check-zone. Enhancement requests for check-zone are always welcome
as tickets on wiki.powerdns.com - and if we ever do decide to add more
checking/filtering to pdns_server, the check-zone checklist is the first
thing we will look at!
Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
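To make the difference Peter describes concrete, here is an added illustration (not PowerDNS code, and not part of the original thread) that mimics the two code paths on a small constructed zone: a lookup that asks for CNAME first and never sees the other data at that owner name, and an AXFR that hands out every record unchecked. It also contains the kind of CNAME-coexistence check one might request for pdnssec check-zone; the zone contents, record tuples and function names are all assumptions made for the example.

```python
"""Illustration of CNAME-first lookup vs. unchecked AXFR (added example,
not PowerDNS code). Records are (owner, type, content) tuples."""
from collections import defaultdict

# Constructed sample zone (not from the thread): 'www' carries both a CNAME
# and an A record, which RFC 1034 section 3.6.2 forbids.
SAMPLE_ZONE = [
    ("example.org.", "SOA",
     "ns1.example.org. hostmaster.example.org. 1 7200 900 1209600 86400"),
    ("example.org.", "NS", "ns1.example.org."),
    ("ns1.example.org.", "A", "192.0.2.1"),
    ("web.example.org.", "A", "192.0.2.10"),
    ("www.example.org.", "CNAME", "web.example.org."),
    ("www.example.org.", "A", "192.0.2.11"),   # conflicts with the CNAME above
]

# DNSSEC types that are allowed next to a CNAME at the same owner (RFC 4035 2.5).
CNAME_COMPATIBLE = {"RRSIG", "NSEC", "NSEC3"}


def group_by_name(records):
    """Index records by (case-folded) owner name."""
    by_name = defaultdict(list)
    for name, rtype, content in records:
        by_name[name.lower()].append((rtype.upper(), content))
    return by_name


def find_cname_conflicts(records):
    """check-zone style test: owners that have a CNAME plus other, non-DNSSEC
    data. Returns {owner: [conflicting types]}; empty dict means clean."""
    conflicts = {}
    for name, rrs in group_by_name(records).items():
        types = {t for t, _ in rrs}
        if "CNAME" in types:
            others = sorted(types - {"CNAME"} - CNAME_COMPATIBLE)
            if others:
                conflicts[name] = others
    return conflicts


def answer_query(records, qname, qtype):
    """Mimic the normal-query path described in the mail: the owner is asked
    for CNAME first, and if one exists nothing else at that name is consulted.
    (Simplified: no chasing of the target, no wildcards, no NXDOMAIN logic.)"""
    rrs = group_by_name(records).get(qname.lower(), [])
    cnames = [c for t, c in rrs if t == "CNAME"]
    if cnames and qtype.upper() != "CNAME":
        return [(qname, "CNAME", c) for c in cnames]
    return [(qname, t, c) for t, c in rrs if t == qtype.upper()]


def axfr(records):
    """Mimic AXFR: every record the backend holds goes out, including the
    stray A record that a normal query would never reveal."""
    return list(records)


if __name__ == "__main__":
    print("query www/A :", answer_query(SAMPLE_ZONE, "www.example.org.", "A"))
    print("AXFR has A  :", ("www.example.org.", "A", "192.0.2.11") in axfr(SAMPLE_ZONE))
    print("conflicts   :", find_cname_conflicts(SAMPLE_ZONE))
```

Running it shows the asymmetry from the mail: the A query for www only ever returns the CNAME, while the AXFR output contains the conflicting A record, and only the explicit check flags the owner name as broken.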