[Pdns-users] CNAME packetcache weirdness ?

Wouter de Jong wouter at widexs.nl
Thu Jul 8 23:02:01 UTC 2010


Hi,

We've noticed some weirdness regarding CNAME's on pdns-2.9.22.

Here's the thing :

We use the gpgsql backend.

When there is a domain that has a CNAME record pointing to an external
domain 
(eg. of which the DNS is not hosted by our nameservers) and where the record
is an A-record 
or a CNAME-record (eg. ghs.l.google.com or ghs.google.com), we get different
results when 
we perform a lookup with dig. (We started looking into this issue after we
got some complaints from customers 
that their clients sometimes could not visit their site that used such a
CNAME record).

This is what (I think) we should expect as a result for a dig query without
recursion :

* status: NOERROR & flags: qr aa
* result: cname-test1.as12573.net. IN CNAME ghs.google.com.

And this for a query with recursion (which is denied on our auth servers)

* status: SERVFAIL & flags: qr rd
* result: cname-test1.as12573.net. IN CNAME ghs.google.com.

When we execute for example :

for i in `gseq 1 50`; do echo "Executing dig#$i"; sleep 0.5; dig -4 +norec
-t A @ns2.widexs.net cname-test1.as12573.net.; done

we see the following happening :

Executing dig#16

; <<>> DiG 9.6.1-P1 <<>> -4 +norec -t A @ns2.widexs.net
cname-test1.as12573.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22048
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cname-test1.as12573.net.       IN      A

;; ANSWER SECTION:
cname-test1.as12573.net. 3600   IN      CNAME   ghs.google.com.

;; Query time: 1 msec
;; SERVER: 212.204.207.192#53(212.204.207.192)
;; WHEN: Fri Jul  9 00:41:03 2010
;; MSG SIZE  rcvd: 69

Executing dig#17

; <<>> DiG 9.6.1-P1 <<>> -4 +norec -t A @ns2.widexs.net
cname-test1.as12573.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61188
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cname-test1.as12573.net.       IN      A

;; ANSWER SECTION:
cname-test1.as12573.net. 3600   IN      CNAME   ghs.google.com.

;; Query time: 2 msec
;; SERVER: 212.204.207.192#53(212.204.207.192)
;; WHEN: Fri Jul  9 00:41:03 2010
;; MSG SIZE  rcvd: 69

Executing dig#18

; <<>> DiG 9.6.1-P1 <<>> -4 +norec -t A @ns2.widexs.net
cname-test1.as12573.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58857
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cname-test1.as12573.net.       IN      A

;; ANSWER SECTION:
cname-test1.as12573.net. 3600   IN      CNAME   ghs.google.com.

;; Query time: 1 msec
;; SERVER: 212.204.207.192#53(212.204.207.192)
;; WHEN: Fri Jul  9 00:41:04 2010
;; MSG SIZE  rcvd: 69


And vice versa while executing 

for i in `gseq 1 50`; do echo "Executing dig#$i"; sleep 0.5; dig -4 +norec
-t A @ns2.widexs.net cname-test1.as12573.net.; done

we see :

Executing dig#16

; <<>> DiG 9.6.1-P1 <<>> -4 +rec -t A @ns2.widexs.net
cname-test1.as12573.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17904
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;cname-test1.as12573.net.       IN      A

;; ANSWER SECTION:
cname-test1.as12573.net. 3600   IN      CNAME   ghs.google.com.

;; Query time: 1 msec
;; SERVER: 212.204.207.192#53(212.204.207.192)
;; WHEN: Fri Jul  9 00:46:43 2010
;; MSG SIZE  rcvd: 69

Executing dig#17

; <<>> DiG 9.6.1-P1 <<>> -4 +rec -t A @ns2.widexs.net
cname-test1.as12573.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52573
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;cname-test1.as12573.net.       IN      A

;; ANSWER SECTION:
cname-test1.as12573.net. 3600   IN      CNAME   ghs.google.com.

;; Query time: 2 msec
;; SERVER: 212.204.207.192#53(212.204.207.192)
;; WHEN: Fri Jul  9 00:46:43 2010
;; MSG SIZE  rcvd: 69

Executing dig#18

; <<>> DiG 9.6.1-P1 <<>> -4 +rec -t A @ns2.widexs.net
cname-test1.as12573.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7623
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;cname-test1.as12573.net.       IN      A

;; ANSWER SECTION:
cname-test1.as12573.net. 3600   IN      CNAME   ghs.google.com.

;; Query time: 1 msec
;; SERVER: 212.204.207.192#53(212.204.207.192)
;; WHEN: Fri Jul  9 00:46:44 2010
;; MSG SIZE  rcvd: 69



So as you can see, 'invalid' status SERVFAIL for a +norec query after a
while changes to the 
correct NOERROR status, and 'invalid' status NOERROR for a +rec query after
a while changes to 
the correct SERVFAIL status...

It seems related to the packetcache, because if we set the cache-ttl value
from 20 to 0 (no cache), 
the strange behaviour disappears and always give the same (correct) results
on all queries...

We use pdns-2.9.22-3.x86_64.rpm from epel, on CentOS 5.5 and a
source-compiled 2.9.22 on a FreeBSD 6 server.
Since we noticed this problem, I've now also applied commit 1344 due to
ticket 223, (send-root-referral=no was ignored), 
and that fixed that particular issue. And also commit 1407, but that doesn't
seem to help for this issue unfortunately...
So I currently have cache-ttl=0 set... but I hope it won't slow things down
too much.

Does anyone (Bert?) have a nice explanation for this, like whether this is
perhaps normal behaviour after all, 
and if it can have bad impact on (perhaps broken) resolvers ?

Thanks!

Regards,

Wouter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20100709/4c793cc2/attachment.bin>


More information about the Pdns-users mailing list