[Pdns-users] pdns recursor 3.2 cname resolution phenomenon

bert hubert bert.hubert at netherlabs.nl
Wed Sep 22 15:34:30 UTC 2010


Thomas,

As discussed before, sending out an NXDOMAIN means just that, an NXDOMAIN.
Please don't do it. 

I don't think it would be a good idea to make PowerDNS "broken".

If you want to do it personally, apply this patch and recompile:

--- ../syncres.cc       2010-09-16 17:17:38.496153009 +0200
+++ syncres.cc  2010-09-22 17:30:37.506153002 +0200
@@ -1083,7 +1083,7 @@
         LOG<<prefix<<qname<<": status=got results, this level of recursion done"<<endl;
         return 0;
       }
-      if(lwr.d_rcode==RCode::NXDomain) {
+      if(lwr.d_rcode==RCode::NXDomain && newtarget.empty()) {
         LOG<<prefix<<qname<<": status=NXDOMAIN, we are done "<<(negindic ? "(have negative SOA)" : "")<<endl;
         return RCode::NXDomain;
       }
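Review bot: with the condition changed to `lwr.d_rcode==RCode::NXDomain && newtarget.empty()`, an NXDOMAIN response that also carries a CNAME target is skipped without any trace, because the only LOG line for the NXDOMAIN case sits inside the branch that is no longer taken. Add a LOG line for that case so the trace records that an authoritative NXDOMAIN was set aside because `newtarget` was non-empty. The covering message says this should not be default behaviour, so the extra check would be better placed behind a setting that defaults to off. The hunk also does not show what happens to the negative SOA signalled by `negindic` once the function no longer returns here; confirm that no negative entry is kept for a name the recursor then goes on to resolve.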

It fixes your problem.

Good luck!


On Wed, Sep 22, 2010 at 05:08:23PM +0200, Thomas Mieslinger wrote:
> Hi Bert,
> 
> an example is db686.XXX.de. From the authoritative nameserver
> you will get NXDomain and AUTHORITY = 1, but internally
> db686.YYY.de is known.
> 
> Would you add an option to try recursing cnames even if an answer
> has the authority bit set?
> 
> Regards Thomas
> 
> On 09/22/10 04:54 PM, bert hubert wrote:
> >Thomas,
> >
> >Please provide real domain names, otherwise I can't test.
> >
> >Kind regards,
> >
> >Bert Hubert
> >
> >On Wed, Sep 22, 2010 at 04:53:22PM +0200, Thomas Mieslinger wrote:
> >>On 09/20/10 07:53 AM, bert hubert wrote:
> >>>On Mon, Sep 20, 2010 at 07:32:51AM +0200, Thomas Mieslinger wrote:
> >>>>we're using pdns recursor for our company internal name resolution.
> >>>>[..]
> >>>>containing answer has the NXDOMAIN Bit set.
> >>>
> >>>Can you elaborate a bit more? I think this issue is ""fixed"" in 3.3, which
> >>>[..]
> >>>Let me know if this solves your problem.
> >>
> >>Hi Bert,
> >>
> >>I installed pdns_recursor 3.3-rc3 from svn.powerdns.com. Sorry, my
> >>problem isn't gone...
> >>
> >>I did some packet dumping ...
> >>
> >>dig db686.XXX.de @recursor
> >>
> >>tcpdump on the recursor:
> >>IP recursor.38240>  authdns.53: 19990 A? db686.XXX.de. (38)
> >>IP authdns.53>  recursor.38240: 19990 NXDomain*- 1/1/0 CNAME[|domain]
> >>
> >>The answer packet contains
> >>
> >>db686.XXX.de IN CNAME db686.YYY.de
> >>
> >>And has the AUTHORITY bit set.
> >>
> >>At this point I would like the recursor to try another resolution
> >>with db686.YYY.de but that would probably break the code and the
> >>idea behind DNS.
> >>
> >>So now, that I understood my problem, I don't think the code needs
> >>to be fixed :-(
> >>
> >>Regards Thomas
> >>
> >>--
> >>Thomas Mieslinger
> >>
> >>1&1 Internet AG - IT Operations Data Services Infrastructure
> >>Brauerstraße 48 · DE-76135 Karlsruhe
> >>Telefon: +49 721 91374 4404
> >>thomas.mieslinger at 1und1.de
> >>
> >>Amtsgericht Montabaur / HRB 6484
> >>Vorstände: Henning Ahlert, Ralph Dommermuth, Matthias Ehrlich,
> >>Thomas Gottschlich, Robert Hoffmann, Markus Huhn, Hans-Henning
> >>Kettler, Dr. Oliver Mauss, Jan Oetjen
> >>Aufsichtsratsvorsitzender: Michael Scheeren
> 
> 
> -- 
> Thomas Mieslinger
> 
> 
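The response shown in the quoted capture (rcode NXDOMAIN, authoritative-answer bit set, a CNAME in the answer section) can be detected mechanically when auditing what an authoritative server sends. The following Python is an added example, not part of the original thread or of PowerDNS; the `.test` names and the packet bytes are constructed, and the authority section seen in the capture is omitted.

```python
import struct

RCODE_NXDOMAIN, TYPE_CNAME = 3, 5

def encode_name(name):
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while msg[off]:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def classify(msg):
    """Report rcode, AA bit and any CNAME target found in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                           # skip question(s)
        off = read_name(msg, off)[1] + 4          # QTYPE + QCLASS
    cname = None
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_CNAME:
            cname = read_name(msg, off)[0]
        off += rdlen
    rcode = flags & 0xF
    return {"rcode": rcode, "aa": bool(flags & 0x0400), "cname": cname,
            "inconsistent": rcode == RCODE_NXDOMAIN and cname is not None}

def sample_response():
    # Constructed packet: QR=1, AA=1, RCODE=3 (0x8403), one question, one CNAME answer.
    q = encode_name("db686.example-a.test") + struct.pack("!HH", 1, 1)
    header = struct.pack("!6H", 19990, 0x8403, 1, 1, 0, 0)
    rdata = encode_name("db686.example-b.test")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CNAME, 1, 300, len(rdata)) + rdata
    return header + q + answer
```

A response flagged `inconsistent` is one where a resolver that honours the rcode answers NXDOMAIN and a resolver patched as above keeps going with the CNAME target.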


