[Pdns-users] out-of-bailiwick CNAME records

bert hubert bert.hubert at netherlabs.nl
Thu Jul 7 11:26:22 UTC 2011


Hi Richard,

As a very quick fix, please set send-root-referral=lean
This works around the issue according to one user.

This issue is actually the second to last issue holding up the real 3.0
release.

Please let us know if 'send-root-referral=lean' fixes the problem for you.

	Bert

On Wed, Jul 06, 2011 at 04:18:30PM +0100, Richard Poole wrote:
> I've been trying out PowerDNS 3.0 and I've found a change in the handling
> of CNAME records which seems to break some recursors, including the
> PowerDNS recursor.
> 
> In 2.9.22.x3, the last release before 3.0, the behaviour when asked for
> a name which has an associated CNAME record pointing to a zone for which
> this nameserver is not authoritative is as follows: if the RD flag is set
> in the query, it gives SERVFAIL, does not set the AA flag, and returns
> only the single CNAME record in the ANSWER section with no AUTHORITY or
> ADDITIONAL records. If the RD flag is *not* set, it gives NOERROR, sets
> the AA flag, and returns the root server information in the AUTHORITY and
> ADDITIONAL sections along with the CNAME record in the ANSWER section. The
> pdns recursor does not set the RD flag so it sees the latter response,
> and makes its own queries to resolve the right-hand side of the CNAME
> record. It then returns the desired response to the original query which
> it was trying to resolve.
> 
> In 3.0rc2, the behaviour does not depend on the RD flag: it gives
> SERVFAIL, sets the AA flag, and returns only the single CNAME record. The
> latest svn snapshot modifies this behaviour to not set the AA flag but
> is otherwise the same. The pdns recursor, on seeing either of these
> responses, returns SERVFAIL and no ANSWER records to the original query.
> 
> I'm using recursor version 3.2 but the changelogs don't seem to indicate
> a change between then and now.
> 
> The resulting effect is that when asking an authoritative pdns server
> through a pdns recursor, the usual case inside our network, these CNAME
> records don't work at all. I'm not sure which part of pdns is misbehaving
> here, either according to RFCs or to common practice, but I think one
> of them must be. I *think* it is the authoritative server that is in
> the wrong, because we had customers who are presumably behind different
> recursors reporting problems. I've now gone back to 2.9.22.x3 for live
> but I'd like to get to 3.0 because we want to offer DNSSEC to customers
> if we can. Any thoughts, anyone?
> 
> -- 
> Richard Poole
> System Administrator
> Heart Internet Ltd
> richard.poole at heartinternet.co.uk
> http://www.heartinternet.co.uk/
> Tel: 0845 644 7750
> Fax: 0845 644 7740
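The response shapes compared in the quoted report differ only in RCODE, the AA flag and the section counts, so they can be told apart from the 12-byte DNS header. The following is an added example, not part of either message and not PowerDNS code; the sample headers are constructed from the report's description, and the label strings, the ID `0x1234` and the referral counts of 13 are assumptions.

```python
import struct

# Header flag masks, RFC 1035 section 4.1.1.
QR, AA, RD, RCODE_MASK = 0x8000, 0x0400, 0x0100, 0x000F
NOERROR, SERVFAIL = 0, 2

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields the report compares."""
    if len(msg) < 12:
        raise ValueError("DNS message is shorter than its 12-byte header")
    _id, flags, _qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"qr": bool(flags & QR), "aa": bool(flags & AA), "rd": bool(flags & RD),
            "rcode": flags & RCODE_MASK, "an": an, "ns": ns, "ar": ar}

def classify(msg: bytes) -> str:
    """Name which of the reported response shapes a header matches."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == NOERROR and h["aa"] and h["an"] and h["ns"] and h["ar"]:
        return "noerror-aa-referral"    # 2.9.22.x3 with RD clear: recursor can chase the CNAME
    if h["rcode"] == SERVFAIL and h["an"] == 1 and not (h["ns"] or h["ar"]):
        if h["aa"]:
            return "servfail-aa"        # 3.0rc2
        # Without AA: 2.9.22.x3 when RD was set, or the svn snapshot for any RD.
        return "servfail-noaa-rd" if h["rd"] else "servfail-noaa"
    return "other"

def sample(flags: int, an: int, ns: int = 0, ar: int = 0) -> bytes:
    """Build a constructed header: ID 0x1234, one question, given flags and counts."""
    return struct.pack("!6H", 0x1234, flags, 1, an, ns, ar)

# Constructed samples; the counts of 13 stand in for the root referral.
SAMPLES = {
    "2.9.22.x3, RD clear": sample(QR | AA | NOERROR, 1, 13, 13),
    "2.9.22.x3, RD set": sample(QR | RD | SERVFAIL, 1),
    "3.0rc2": sample(QR | AA | SERVFAIL, 1),
    "svn snapshot, RD clear": sample(QR | SERVFAIL, 1),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:24} -> {classify(msg)}")
```

A response that carries an EDNS OPT record has an ARCOUNT of at least 1, so this header-only check assumes the query was sent without EDNS.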