[Pdns-users] strange failure when pdns-recursor/dig/EDNS0/ANY

Wed Jan 19 10:55:12 UTC 2011

Hello all,

I witnessed a problem in PowerDNS Recursor.

$ dig +short @72.52.104.74 version.bind chaos txt
"PowerDNS Recursor 3.3 $Id: pdns_recursor.cc 1712 2010-09-11 13:40:03Z ahu $"

$ dig @72.52.104.74 135.66.195.in-addr.arpa. any
;; Truncated, retrying in TCP mode.
;; Got bad packet: bad label type
2758 bytes
8b 76 81 80 00 01 00 13 00 00 00 08 03 31 33 35 
02 36 36 03 31 39 35 07 69 6e 2d 61 64 64 72 04 
etc, etc.

While... 8.8.8.8 and 99.99.99.99 and 157.157.157.157 act fine.

So I took a different domain:

$ dig @72.52.104.74 unicycle.net. any +noall +answer
shows only ns
$ dig @74.82.46.6 unicycle.net. any
;; Got bad packet: bad compression pointer
511 bytes
b5 f5 81 80 00 01 00 0d 00 00 00 01 08 75 6e 69 
63 79 63 6c 65 03 6e 65 74 00 00 ff 00 01 c0 0c 
etc.

So, again a different domain:

$ dig @72.52.104.74 unicycle.be. any
;; Got bad packet: bad label type
495 bytes
22 9c 83 80 00 01 00 0a 00 00 00 00 08 75 6e 69 
63 79 63 6c 65 02 62 65 00 00 ff 00 01 c0 0c 00 
etc.

While... 8.8.8.8 and 99.99.99.99 and 157.157.157.157 act fine.

So... again a diffent domain, but slowly just an A request:

$ dig @72.52.104.74 unicycle.vg. a
fine
$ dig @72.52.104.74 unicycle.vg. any
fine

I've repeated that... with a .fi

$ dig @72.52.104.74 unicycle.fi. a
fine
$ dig @72.52.104.74 unicycle.fi. any
fine

So then again another domain, straigt to the ANY query

srv19# dig @72.52.104.74 unicycle.es. any
;; Got bad packet: bad label type
493 bytes
df 75 83 80 00 01 00 08 00 00 00 00 08 75 6e 69 
63 79 63 6c 65 02 65 73 00 00 ff 00 01 c0 0c 00 
etc.

So far my conclusion is powerdns-resolver has an issue with
 the initial any request when there is EDNS0 needed,
 unless there was another RR queried before.
And it only shows up in the combi pdns-recursor/dig (FreeBSD DiG 9.5.2-P4 and OS-X DiG 9.4.3-P3),
 not in drill -t, and not in bind|unbound|other/dig.

If you'll need a list of DNSSEC or DNSCurve enabled domains (for large replies) to replicate my observations;
take the unicycle.tld ones from http://dns-lab.com/pub/dnscurve/registry-compatibility.lasso
but mind: non unicycle.tld domains listed there might be switched back to have no DNSCurve anymore.
Also here's a list of open powerdns-recursors, so if cached you can take another:

nameserver 72.52.104.74         ; tserv1,fmt2.ipv6.he.net. tserv3.fmt2.ipv6.he.net (here I have an anycast node)
nameserver 74.82.46.6           ; tserv22.tyo1.ipv6.he.net.
nameserver 209.51.161.14        ; tserv1.nyc4.ipv6.he.net.
nameserver 216.66.80.26         ; tserv5.lon1.ipv6.he.net.
nameserver 216.66.80.30         ; tserv1.fra1.ipv6.he.net. tserv6.fra1.ipv6.he.net.
nameserver 216.66.80.90         ; tserv24.sto1.ipv6.he.net.
nameserver 216.66.80.98         ; tserv23.zrh1.ipv6.he.net.
nameserver 216.66.22.2          ; tserv1.ash1.ipv6.he.net. tserv13.ash1.ipv6.he.net.
nameserver 216.66.38.58         ; tserv1.tor1.ipv6.he.net. tserv21.tor1.ipv6.he.net.
nameserver 216.218.221.6        ; tserv1.hkg1.ipv6.he.net. tserv20.hkg1.ipv6.he.net.
nameserver 216.218.226.238      ; tserv1.sea1.ipv6.he.net. tserv14.sea1.ipv6.he.net.
nameserver 2001:470:0:45::2     ; 1g-bge0.tserv3.fmt2.ipv6.he.net.
nameserver 2001:470:0:78::2     ; 1g-bge0.tserv8.dal1.ipv6.he.net.
nameserver 2001:470:0:7d::2     ; 1g-bge0.tserv11.ams1.ipv6.he.net.
nameserver 2001:470:0:8c::2     ; tserv12.mia1.ipv6.he.net.
nameserver 2001:470:0:c0::2     ; tserv21.tor1.ipv6.he.net

I still can't detereme wether the problem is in PowerDNS or dig.
though I'd rather know the reason of this behavour.

-- 

With kind regards,

Leo Vandewoestijne

<www.dns-lab.com>
<www.as50381.net>
 INOC-DBA: 50381