[Pdns-users] Problems with ANY query

bert hubert bert.hubert at netherlabs.nl
Wed Jul 16 18:57:27 UTC 2008 

On Wed, Jul 16, 2008 at 07:21:23PM +0200, Martijn Grendelman wrote:
> I have a problem with some PowerDNS servers, running 2.9.20 with gmysql
> backend, in particular with ANY queries. I get good results for some
> domains but not for others, and I have no idea why.

Hi Martijn,

First let me say 2.9.20 has many issues that are fixed in 2.9.21. In any
case 2.9.21 will behave differently with regards to the issue you are
seeing.

> For example,
> $ dig @ns6.ilse.nl chat.nl any

;; MSG SIZE  rcvd: 242

> works just fine, while
> $ dig @ns6.ilse.nl ilsemedia.nl any
> always returns:
> 
> ;; Warning: Message parser reports malformed message packet.
> ;; Truncated, retrying in TCP mode.

What is happening is that ns6.ilse.nl gets a 'recursion desired' query for
ilsemedia.nl. It can answer without recursion however, because the server is
authoritative for ilsemedia.nl. On answering, it discovers all the
ilsemedia.nl records do not fit in the standard 512 byte UDP packet, and it
sends back a truncated packet, with a flag that says 'ask over TCP'.

Then dig retries over TCP, and then something unfortunate happens. TCP
recursion desired queries are always handed over directily to the configured
resolver ('recursor=' in the configuration), without looking at the local
cache. And I think your recursor then fails to transfer all those records
over TCP.

> If I try the ANY query with 'dig +norecurse', it works!

That is correct. Luckily, the world at large will only ask +norecurse
questions. The only people that won't are the people you resolve for, so for
them it might be a problem.

> I just added a domain to the database, so the server is authoritative
> for it. The domain has not yet moved, so the 'real world' nameserver is
> in fact 'dns2.nettica.com'.
> 
> Now if I query the server for it (from somewhere on the net, from an IP
> that is NOT allowed to use recursion on this server):
> 
> $ dig @ns6.ilse.nl spullenbank.net any

Odd - more or less the same thing happens, a fallback to TCP, which causes
the entire query to go to the recursor. Are you 100.00% sure you don't allow
recursion for the world? Your server positively says it is willing to
recurse for me.

> I get the results from dns2.nettica.com! If I do:
> 
> $ dig +norecurse @ns6.ilse.nl spullenbank.net any
> 
> I get the results from ns6.ilse.nl

That is correct.

> I hope the problem is clear. It appears that PowerDNS is recursing on
> ANY queries (and not on other type queries), even though the client is
> not allowed to recurse AND the domain in question CAN be answered
> locally (and only when both of these conditions are met).
> 
> Is this is known issue with 2.9.20?

You might want to try with 2.9.21, but in general, mixing auth and resolver
operation on 1 IP address is filled with issues like these. This is
partially due to the PowerDNS design, partially due to the fundamentally
confusing nature of mixing both modes of operation.

I see two "bugs" in the above: 1) that TCP recursion desired packets aren't
filtered through the local database 2) that your server appears to be
willing to recurse for the whole world over TCP.

'2' might very well be solved in 2.9.21.

	Bert


-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

More information about the Pdns-users mailing list