[Pdns-users] out-of-bailiwick CNAME records

bert hubert bert.hubert at netherlabs.nl
Thu Jul 7 11:26:22 UTC 2011

Hi Richard,

As a very quick fix, please set send-root-referral=lean
This works around the issue according to one user.

This issue is actually the second to last issue holding up the real 3.0.

Please let us know if 'send-root-referral=lean' fixes the problem for you.


On Wed, Jul 06, 2011 at 04:18:30PM +0100, Richard Poole wrote:
> I've been trying out PowerDNS 3.0 and I've found a change in the handling
> of CNAME records which seems to break some recursors, including the
> PowerDNS recursor.
> In 2.9.22.x3, the last release before 3.0, the behaviour when asked for
> a name which has an associated CNAME record pointing to a zone for which
> this nameserver is not authoritative is as follows: if the RD flag is set
> in the query, it gives SERVFAIL, does not set the AA flag, and returns
> only the single CNAME record in the ANSWER section with no AUTHORITY or
> ADDITIONAL records. If the RD flag is *not* set, it gives NOERROR, sets
> the AA flag, and returns the root server information in the AUTHORITY and
> ADDITIONAL sections along with the CNAME record in the ANSWER section. The
> pdns recursor does not set the RD flag so it sees the latter response,
> and makes its own queries to resolve the right-hand side of the CNAME
> record. It then returns the desired response to the original query which
> it was trying to resolve.
> In 3.0rc2, the behaviour does not depend on the RD flag: it gives
> SERVFAIL, sets the AA flag, and returns only the single CNAME record. The
> latest svn snapshot modifies this behaviour to not set the AA flag but
> is otherwise the same. The pdns recursor, on seeing either of these
> responses, returns SERVFAIL and no ANSWER records to the original query.
> I'm using recursor version 3.2 but the changelogs don't seem to indicate
> a change between then and now.
> The resulting effect is that when asking an authoritative pdns server
> through a pdns recursor, the usual case inside our network, these CNAME
> records don't work at all. I'm not sure which part of pdns is misbehaving
> here, either according to RFCs or to common practice, but I think one
> of them must be. I *think* it is the authoritative server that is in
> the wrong, because we had customers who are presumably behind different
> recursors reporting problems. I've now gone back to 2.9.22.x3 for live
> but I'd like to get to 3.0 because we want to offer DNSSEC to customers
> if we can. Any thoughts, anyone?
> -- 
> Richard Poole
> System Administrator
> Heart Internet Ltd
> richard.poole at heartinternet.co.uk
> http://www.heartinternet.co.uk/
> Tel: 0845 644 7750
> Fax: 0845 644 7740

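The response shapes compared in the quoted message can be told apart from the DNS header and the first answer record. The following is an added example, not part of the original thread and not PowerDNS code: the function names, the labels returned by `classify`, and the sample names (`www.example.com`, `host.example.net`) are assumptions, and the sample packets are constructed (the ADDITIONAL section is left empty for brevity).

```python
import struct

TYPE_CNAME, TYPE_NS = 5, 2
QR, AA, RD, SERVFAIL = 0x8000, 0x0400, 0x0100, 2

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def summarize(msg):
    """Pull out the fields the thread compares: rcode, AA, RD, section counts."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    first = struct.unpack("!H", msg[skip_name(msg, off):][:2])[0] if an else None
    return {"rcode": flags & 0xF, "aa": bool(flags & AA), "rd": bool(flags & RD),
            "ns": ns, "ar": ar, "cname_first": first == TYPE_CNAME}

def classify(msg):
    s = summarize(msg)
    if not s["cname_first"]:
        return "no-cname"
    if s["rcode"] == SERVFAIL and s["ns"] == 0 and s["ar"] == 0:
        return "bare-cname-servfail"           # 3.0rc2 / svn snapshot shape
    if s["rcode"] == 0 and s["aa"] and s["ns"] > 0:
        return "cname-with-referral"           # 2.9.22.x3 shape for RD=0 queries
    return "other"

def wire(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"

def build(flags, ns_count):
    """Constructed sample response: CNAME for www.example.com, optional root NS records."""
    target, root = wire("host.example.net"), wire("a.root-servers.net")
    body = wire("www.example.com") + struct.pack("!2H", 1, 1)
    body += b"\xc0\x0c" + struct.pack("!2HIH", TYPE_CNAME, 1, 3600, len(target)) + target
    body += (b"\0" + struct.pack("!2HIH", TYPE_NS, 1, 3600, len(root)) + root) * ns_count
    return struct.pack("!6H", 0x1234, flags, 1, 1, ns_count, 0) + body

if __name__ == "__main__":
    for label, msg in [("2.9.22.x3, RD=0", build(QR | AA, 1)),
                       ("3.0rc2", build(QR | AA | SERVFAIL, 0)),
                       ("svn snapshot", build(QR | SERVFAIL, 0))]:
        print(label, "->", classify(msg), summarize(msg))
```
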