[Pdns-users] Unresolvable domains with 3.1.1 and "auth-can-lower-ttl"

Darren Gamble darren.gamble at sjrb.ca
Tue Jun 13 22:02:00 UTC 2006


Good day,

Just to help out everyone, here's more information on this:

If we ask the CIRA (servers for .ca) about ipcc.ca, we get:

ipcc.ca.                86400   IN      NS      ns.ipcc.org.
ipcc.ca.                86400   IN      NS      ns2.ipcc.org.
ipcc.ca.                86400   IN      NS      ns3.ipcc.org.
ipcc.ca.                86400   IN      NS      ns3.oill.com.

If we ask one of their servers, it instead returns:

ipcc.ca.                1600    IN      NS      ns3.oill.com.
ipcc.ca.                1600    IN      NS      ns.ipcc.org.
ipcc.ca.                1600    IN      NS      ns3.ipcc.org.

But the pdns recursor will end up with the following in the cache, a
couple of seconds later:

ipcc.ca.                1598    IN      NS      ns.ipcc.org.
ipcc.ca.                1598    IN      NS      ns3.oill.com.
ipcc.ca.                1598    IN      NS      ns3.ipcc.org.
ipcc.ca.                86396   IN      NS      ns2.ipcc.org.

In this case, ns2.ipcc.org is nonresponsive.  Names will resolve at that
time, but 1600 seconds later, the powerdns recursor will be unable to
resolve names for this domain for the remainder of the day.  Then, it
will work again for another 1600 seconds, and so on.

Other caching software will end up with a set identical to the second
list here (i.e. the record will expire in 1600 seconds), and so those
users can consistently resolve information on the domain.

Yes, their domain is not configured the way it should be, but then
again, I am pretty sure that this resulting mismatch in TTLs is not
correct either, which causes the cached information to change over time.
Can the record even be expired piecemeal like this? ...

FYI,

============================
Darren Gamble
Planner, Regional Services
Shaw Cablesystems GP
630 - 3rd Avenue SW
Calgary, Alberta, Canada
T2P 4L4
(403) 781-4948
 

> -----Original Message-----
> From: Darren Gamble
> Sent: Tuesday, June 13, 2006 3:39 PM
> To: 'bert hubert'
> Cc: pdns-users at mailman.powerdns.com
> Subject: RE: [Pdns-users] Unresolvable domains with 3.1.1 and
> "auth-can-lower-ttl"
> 
> Hi Bert,
> 
> If by "real problems" you mean "powerdns servers can't resolve the
> domain for two days at a time", then yes, it's a real problem.
> 
> Another domain was just discovered that has this issue,
> "beanstream.com". It's pretty easy to reproduce the issue given a
> known domain.
> 
> I completely understand about not wanting to cater to broken domains,
> but, in this case I am fairly certain that the powerdns behavior is not
> correct, in that different NS records for the same DNS name can't have
> differing TTLs (someone can step in here and correct me if I'm wrong).
> I note that one cannot even configure a BIND authoritative server to do
> this.
> 
> At any rate, this causes the cached list to change just by having time
> pass- and if that leaves it with a list of only nonresponsive and/or
> overloaded servers, all resolution on the domain breaks.  No other
> caching software (that we've tried) behaves in this way, and thus isn't
> affected by this situation.
> 
> Please let me know if more information is needed.  Thanks,
> 
> ============================
> Darren Gamble
> Planner, Regional Services
> Shaw Cablesystems GP
> 630 - 3rd Avenue SW
> Calgary, Alberta, Canada
> T2P 4L4
> (403) 781-4948
> 
> 
> > -----Original Message-----
> > From: pdns-users-bounces at mailman.powerdns.com
> > [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of bert hubert
> > Sent: Tuesday, June 13, 2006 3:21 PM
> > To: Darren Gamble
> > Cc: pdns-users at mailman.powerdns.com
> > Subject: Re: [Pdns-users] Unresolvable domains with 3.1.1 and
> > "auth-can-lower-ttl"
> >
> > On Tue, Jun 13, 2006 at 03:03:28PM -0600, Darren Gamble wrote:
> >
> > > records with the higher TTLs. If that server(s) is/are also not
> > > reachable- then the domain will be unresolvable until that NS record
> > > expires.  When it does, this cycle will start again.  I believe that
> > > different data for the same name is never supposed to have differing
> > > TTL values anyway...
> >
> > Briefly, does it cause real problems? In other words, domains that
> > cannot be reached? The thing is, catering to broken domains often
> > causes problems for non-broken domains.
> >
> > So far all other 3.1.1 problem reports have been resolved.
> >
> > Kind regards,
> >
> > bert hubert
> >
> >
> > --
> > http://www.PowerDNS.com      Open source, database driven DNS Software
> > http://netherlabs.nl         Open and Closed source services
> > _______________________________________________
> > Pdns-users mailing list
> > Pdns-users at mailman.powerdns.com
> > http://mailman.powerdns.com/mailman/listinfo/pdns-users
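
The cache states listed in the message above can be reproduced with a small model, added here as an illustration and not taken from the thread or from PowerDNS: `PerRecordCache` and `RRsetCache` are hypothetical classes, the NS data is copied from the message, and the fetch times (0 s and 2 s) are assumptions chosen to match the quoted TTLs. RFC 2181 section 5.2 requires all records of an RRset to carry the same TTL, which is what the second class models.

```python
# NS sets copied from the message; everything else is a constructed model.
PARENT = {"ns.ipcc.org.": 86400, "ns2.ipcc.org.": 86400,
          "ns3.ipcc.org.": 86400, "ns3.oill.com.": 86400}  # referral from .ca
CHILD = {"ns3.oill.com.": 1600, "ns.ipcc.org.": 1600,
         "ns3.ipcc.org.": 1600}                            # domain's own answer
DEAD = {"ns2.ipcc.org."}                                   # nonresponsive server


class PerRecordCache:
    """Every NS record has its own expiry; new data only overwrites equal names."""
    def __init__(self):
        self.expiry = {}

    def store(self, rrset, now):
        for name, ttl in rrset.items():
            self.expiry[name] = now + ttl


class RRsetCache(PerRecordCache):
    """The RRset is one unit: a newer answer replaces it, with one shared TTL."""
    def store(self, rrset, now):
        ttl = min(rrset.values())
        self.expiry = {name: now + ttl for name in rrset}


def build(cache_cls):
    cache = cache_cls()
    cache.store(PARENT, 0)  # assumed: referral cached at t=0
    cache.store(CHILD, 2)   # assumed: authoritative answer cached 2 s later
    return cache


def remaining(cache, now):
    """Remaining TTL of each unexpired NS record at time `now`."""
    return {n: t - now for n, t in cache.expiry.items() if t > now}


def outage_seconds(cache_cls, horizon=86400):
    """Seconds where NS records are cached but every cached server is dead."""
    cache = build(cache_cls)
    return sum(1 for t in range(2, horizon)
               if remaining(cache, t) and not remaining(cache, t).keys() - DEAD)


if __name__ == "__main__":
    for cls in (PerRecordCache, RRsetCache):
        print(cls.__name__, remaining(build(cls), 4), outage_seconds(cls))
```

With whole-RRset replacement the cache simply empties when the 1600-second set expires and the next lookup starts again from the parent, so there is never a period in which only the dead server is known.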

