[Pdns-users] pdns/gmysql/slave for signed zone: records being mangled

Mark Huizer xaa+powerdns at dohd.org
Mon Jan 24 08:20:12 UTC 2011


On 1/24/2011 0:04, powerdns at dns-lab.com wrote:
> On Sun, 23 Jan 2011, Mark Huizer wrote:
>
>> # DIG RRSIG @ns.example.com someentry.example.com
>>
> Keep in mind that the limit can sit in dig, not powerdns.
> This especially occurs with older versions from a default OS install.
>
> So what about
> $ drill ns.example.com someentry.example.com rrsig
>

Thanks for the idea. Well, dig is not that old (DiG 9.6.1-P3), so that shouldn't be the problem.
Anyway, I used the same dig to connect to the master NS and received the correct answer there.

But OK, problems are never solved by being stubborn, so I'll install drill and give it a go...

% drill @master.example.com someentry.example.com rrsig

;; ANSWER SECTION:
someentry.example.com. 1800    IN      RRSIG   A 5 3 1800 20110223021519 20110124021519 17462 example.com. 0CpdHj0v40t+MBqr/ALIDxDE4MnRcbnAA9cyLjxgcWOS5lZk06v09Lb50IJcaTMJUwnXnP3sU+Lco/gn4ztUYsv/tTSi+Thvypb3R52eUvM0tqJmGj5ov+0PLCZgDWwcCiTpwNk8b4ADBdl9rbvvgGUNkh55JKsmbGCLQ1dNkr8= ;{id = 17462}
someentry.example.com. 1800    IN      RRSIG   HINFO 5 3 1800 20110223021519 20110124021519 17462 example.com. qnaSI5roSmODNfLQLdJjtUCV+3/odKOKEwQUzmD+Qme5w3BFCAUIKAg/AKLSp7uxnvK4TMfIK/upTKIwzQtwHR2UGTFQSpX5erLOUfYOwjdpU6TLcOExaAQj/b0SXI+SQY6w/1YsP5bxNh31WJ084W5rbXOMAcczNf8Jv4UxMIk= ;{id = 17462}


% drill @slave-pdns.example.com someentry.example.com rrsig

;; No packet received


Hm... that's weird. OK, checking the dig output a little further:

;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.

Further checking of the logs on the pdns server gives me

Jan 24 04:54:51 ns pdns[57639]: Exception building answer packet (Unknown record was stored incorrectly, need 3 fields, got 7: someotherentry.example.com. A HINFO MX AAAA RRSIG NSEC) sending out servfail

But still it does the slaving quite OK, all 'mainstream' records are OK, just RRSIG and DNSSEC get changed.

When I have a few more minutes today, I will copy a few of the records from that slave domain to one of the master domains and see if it has the same behaviour, and I'll have a look at what happens with TXT records ending in =.

So, again thanks for the effort, but my problem still remains, it seems.

Mark
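
Added example, not part of Mark's message and not PowerDNS code: a structural check for RRSIG RDATA strings as they might be read back from a slave's record store, flagging content that lost fields or no longer decodes as base64. The function name, the sample rows and the two kinds of damage shown are assumptions made for illustration; nothing here is claimed to be the cause of the problem reported above.

```python
import base64
import binascii

# RRSIG RDATA in presentation format (RFC 4034, section 3.2) has nine fields:
# type-covered algorithm labels original-ttl expiration inception key-tag
# signer-name signature(base64)
RRSIG_FIELDS = 9


def check_rrsig_rdata(rdata):
    """Return a list of problems in one RRSIG RDATA string (empty = looks sane)."""
    fields = rdata.split()
    if len(fields) < RRSIG_FIELDS:
        return ["need %d fields, got %d" % (RRSIG_FIELDS, len(fields))]
    _covered, alg, labels, ttl, expire, incept, keytag, signer = fields[:8]
    # The base64 signature may be printed as several whitespace-separated chunks.
    signature = "".join(fields[8:])
    problems = []
    for name, value in (("algorithm", alg), ("labels", labels),
                        ("original ttl", ttl), ("key tag", keytag)):
        if not value.isdigit():
            problems.append("%s is not numeric: %r" % (name, value))
    for name, value in (("expiration", expire), ("inception", incept)):
        # Assumption: timestamps use the YYYYMMDDHHmmSS form seen in the drill output.
        if not (value.isdigit() and len(value) == 14):
            problems.append("%s is not YYYYMMDDHHmmSS: %r" % (name, value))
    if not signer.endswith("."):
        problems.append("signer name is not fully qualified: %r" % signer)
    try:
        base64.b64decode(signature, validate=True)
    except binascii.Error as exc:
        problems.append("signature is not valid base64: %s" % exc)
    return problems


# Constructed sample data: the header fields mirror the drill output above, the
# "signature" is 128 filler bytes, and the damaged variants are hypothetical.
_HEAD = "A 5 3 1800 20110223021519 20110124021519 17462 example.com. "
_SIG = base64.b64encode(bytes(range(128))).decode()
SAMPLE_ROWS = {
    "intact": _HEAD + _SIG,
    "padding lost": _HEAD + _SIG.rstrip("="),
    "fields lost": "A 5 3 1800 20110223021519",
}

if __name__ == "__main__":
    for label, rdata in SAMPLE_ROWS.items():
        print(label, "->", check_rrsig_rdata(rdata) or "ok")
```

Running the same check over the RDATA served by the master and the RDATA stored on the slave shows which records changed during the transfer.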