[Pdns-users] CNAME lookup failure PDNS 2.9.22/PDNS Recursor 3.3.1

ktm at rice.edu ktm at rice.edu
Wed Mar 21 13:24:45 UTC 2012 

Hi Peter,

I guess I just do not understand. I added a similar CNAME record
in our domain pointing to the same name domains.tumblr.com and
here is what I get for the lookup:

> dig +norec a wombat1.rice.edu @ns1.rice.edu

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> +norec a wombat1.rice.edu @ns1.rice.edu
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36391
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;wombat1.rice.edu.		IN	A

;; ANSWER SECTION:
wombat1.rice.edu.	3600	IN	CNAME	domains.tumblr.com.

;; AUTHORITY SECTION:
.			518400	IN	NS	a.root-servers.net.
.			518400	IN	NS	b.root-servers.net.
.			518400	IN	NS	c.root-servers.net.
.			518400	IN	NS	d.root-servers.net.
.			518400	IN	NS	e.root-servers.net.
.			518400	IN	NS	f.root-servers.net.
.			518400	IN	NS	g.root-servers.net.
.			518400	IN	NS	h.root-servers.net.
.			518400	IN	NS	i.root-servers.net.
.			518400	IN	NS	j.root-servers.net.
.			518400	IN	NS	k.root-servers.net.
.			518400	IN	NS	l.root-servers.net.
.			518400	IN	NS	m.root-servers.net.

;; Query time: 1 msec
;; SERVER: 128.42.209.32#53(128.42.209.32)
;; WHEN: Wed Mar 21 08:14:18 2012
;; MSG SIZE  rcvd: 277

Note, it still does not return the A record IP address. I thought that
the DNS lookup is to restart using the new value returned from the
CNAME record, but in this case, it does not. The other noise in the
authority section was me trying with send-root-referrals=lean.

It does not sent NXDOMAIN in this case. If I instead remove the +norecurse
option I get:

> dig a wombat1.rice.edu @ns1.rice.edu

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> a wombat1.rice.edu @ns1.rice.edu
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 577
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;wombat1.rice.edu.		IN	A

;; AUTHORITY SECTION:
rice.edu.		2699	IN	SOA	ns1.rice.edu. hostmaster.rice.edu. 2012030284 10800 900 3600000 3600

;; Query time: 1 msec
;; SERVER: 128.42.209.32#53(128.42.209.32)
;; WHEN: Wed Mar 21 08:22:46 2012
;; MSG SIZE  rcvd: 85

Which is still returning NXDOMAIN, even though the A record for domains.tumblr.com
does exist:

> dig a domains.tumblr.com @ns1.rice.edu

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> a domains.tumblr.com @ns1.rice.edu
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29239
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;domains.tumblr.com.		IN	A

;; ANSWER SECTION:
domains.tumblr.com.	600	IN	A	66.6.44.4

;; Query time: 9 msec
;; SERVER: 128.42.209.32#53(128.42.209.32)
;; WHEN: Wed Mar 21 08:23:50 2012
;; MSG SIZE  rcvd: 52

Why doesn't the recursor restart with the CNAME results?

Regards,
Ken

On Wed, Mar 21, 2012 at 11:22:17AM +0100, Peter van Dijk wrote:
> Hello Ken,
> 
> On Mar 20, 2012, at 19:10 , ktm at rice.edu wrote:
> 
> > I am investigating a CNAME resolution problem using
> > PDNS Recursor 3.3.1. Here is the lookup that fails:
> > 
> >> nslookup blog.mythandsymbol.com
> > Server:		127.0.0.1
> > Address:	127.0.0.1#53
> > 
> > ** server can't find blog.mythandsymbol.com: NXDOMAIN
> 
> Recursor is returning NXDOMAIN because that's what ns1-3.dreamhost.com, the auths for mythandsymbol.com, are returning:
> 
> $ dig +norec a blog.mythandsymbol.com @ns1.dreamhost.com
> ; <<>> DiG 9.7.0-P1 <<>> +norec a blog.mythandsymbol.com @ns1.dreamhost.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40440
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;blog.mythandsymbol.com.                IN      A
> 
> ;; ANSWER SECTION:
> blog.mythandsymbol.com. 14400   IN      CNAME   domains.tumblr.com.
> 
> ;; AUTHORITY SECTION:
> tumblr.com.             14400   IN      SOA     ns1.dreamhost.com. hostmaster.dreamhost.com. 2011092301 21293 1800 1814400 14400
> 
> ;; Query time: 168 msec
> ;; SERVER: 66.33.206.206#53(66.33.206.206)
> ;; WHEN: Wed Mar 21 11:20:51 2012
> ;; MSG SIZE  rcvd: 130
> 
> 
> They are returning NXDOMAIN because somebody configured tumblr.com as a zone in their name server, without adding a 'domains' name in it. Recursor 3.4-pre and newer (and perhaps 3.3) compensate for this misconfiguration, older versions do not.
> 
> I suggest contacting dream host to have them get rid of tumblr.com; I also suggest upgrading your recursor because there are many more misconfigured domains like this one out there.
> 
> Kind regards,
> Peter van Dijk
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>

More information about the Pdns-users mailing list