[Pdns-users] pdns-recursor and amazon cloudfront

Peter van Dijk peter.van.dijk at netherlabs.nl
Tue Dec 11 21:39:48 UTC 2012


Hello Mario,

On Dec 11, 2012, at 17:25 , Mario Caruso wrote:
> I thought that this was an issue just for the host and nslookup 
> utilities, because they are fooled by the NXDOMAIN flag, so I 
> tried to make a different test:
> 
> I logged in to a test server, edited resolv.conf to use one of the 
> pdns servers and used wget to download http://static.creativepark.it
> what I expected was to be able to download the page, instead 
> I got another error:

> static.creativepark.it is an alias for d3fshx1vqqth2b.cloudfront.net.
> d3fshx1vqqth2b.cloudfront.net has address 205.251.209.58
> d3fshx1vqqth2b.cloudfront.net has address 205.251.209.100
> d3fshx1vqqth2b.cloudfront.net has address 205.251.209.103
> d3fshx1vqqth2b.cloudfront.net has address 205.251.209.134
> d3fshx1vqqth2b.cloudfront.net has address 205.251.209.148
> d3fshx1vqqth2b.cloudfront.net has address 205.251.209.166
> d3fshx1vqqth2b.cloudfront.net has address 205.251.209.208
> d3fshx1vqqth2b.cloudfront.net has address 205.251.209.32
> -------------------------------------------------------
> 
> I'm really puzzled by the situation, is there anybody that is having 
> the same behaviour? or that is aware of this weird thing with 
> cloudfront?


The name servers for creativepark.it are misconfigured:
; <<>> DiG 9.9.0 <<>> a static.creativepark.it @ns3.dns4userver.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30755
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;static.creativepark.it.		IN	A

;; ANSWER SECTION:
static.creativepark.it.	3600	IN	CNAME	d3fshx1vqqth2b.cloudfront.net.

;; AUTHORITY SECTION:
.			3600	IN	SOA	2010101200. hostmaster. 0 10800 3600 604800 3600


They claim NXDOMAIN on static.creativepark.it, because somebody configured a root zone
in their authoritative config. This is an error. However, recursors *should* ignore this NXDOMAIN
and try to follow the chain nonetheless.

Recursor 3.2 and 3.3, to my recollection, get confused by the NXDOMAIN. Indeed, this has
been fixed in SVN.

So, to recap:
- the issue is not with cloudfront
- the creativepark.it name servers are misconfigured
- older recursors get confused by this
- current SVN recursor has no trouble with it

I cannot judge whether ticket #598 is actually related to this.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
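
Added example (not part of the original message and not PowerDNS code): a Python check that reads dig output like the one above and applies the rule that an NXDOMAIN accompanying a CNAME to a name outside the queried zone should not stop resolution. The function names and the caller-supplied `zone` argument are assumptions of this example.

```python
import re

# Taken from the dig output quoted in the message above (whitespace normalized).
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30755
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;static.creativepark.it. IN A
;; ANSWER SECTION:
static.creativepark.it. 3600 IN CNAME d3fshx1vqqth2b.cloudfront.net.
;; AUTHORITY SECTION:
. 3600 IN SOA 2010101200. hostmaster. 0 10800 3600 604800 3600
"""

def parse_dig(text):
    """Return (status, qname, {section: [(owner, rtype, rdata), ...]})."""
    status = re.search(r"status: (\w+)", text).group(1)
    section, qname, records = None, None, {}
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
        elif section == "QUESTION" and line.startswith(";") and not line.startswith(";;"):
            qname = line[1:].split()[0].lower()
        elif section and line and not line.startswith(";"):
            owner, _ttl, _cls, rtype, *rdata = line.split()
            records.setdefault(section, []).append((owner.lower(), rtype, rdata))
    return status, qname, records

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def next_step(text, zone):
    """Decide what a resolver should do with this answer from a server for `zone`."""
    status, qname, rr = parse_dig(text)
    notes = []
    for owner, rtype, _ in rr.get("AUTHORITY", []):
        if rtype == "SOA" and not in_zone(owner, zone):
            notes.append(f"SOA owner {owner!r} is outside {zone}")
    for owner, rtype, rdata in rr.get("ANSWER", []):
        target = rdata[0].lower() if rdata else ""
        if rtype == "CNAME" and owner == qname and not in_zone(target, zone):
            # The server cannot speak for the target, so its rcode is ignored.
            return ("follow", target, notes)
    return ("nxdomain" if status == "NXDOMAIN" else "use", qname, notes)
```

Calling `next_step(SAMPLE, "creativepark.it.")` returns a "follow" action for the cloudfront.net target plus a note that the SOA owner is the root, which is the symptom of the locally configured root zone.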



