[Pdns-users] Workaround for PowerDNS Security Advisory 2014-02

bert hubert bert.hubert at netherlabs.nl
Thu Dec 18 18:11:54 UTC 2014


On Fri, Dec 12, 2014 at 09:23:16AM +0100, sthaug at nethelp.no wrote:
> > You can update auth-zones using 'rec_control reload-zones' at runtime
> > without restarting the recursor, which will discover new zones to be blocked
> > or no longer blocked.
> 
> A couple of questions regarding reload-zones:

Hi Steinar,

Apologies for the late reply!

> - Is PowerDNS recursor meant to have a coherent cache? The observed
> behavior on my 3.6.2/FreeBSD 9.3 installation is that I have as many
> caches as I have threads (as configured with "threads=..." in
> recursor.conf). This is clearly visible on the TTL of the replies,
> e.g. (querying the recursor rapidly about the same A):

The cache is mostly coherent when pdns-distributes-queries is in use, but it
is not guaranteed to be that way. It turns out that not coordinating caches
actually improves performance. But with pdns-distributes-queries, the same
question always ends up at the same thread. This also increases performance
measurably (30%).

> - Is 'rec_control reload-zones' meant to reload zones defined with
> forward-zones-file= in recursor.conf? The observed behavior is that
> the change in forwarding only happens after TTL expires (and thus can
> happen at different times for different threads, see also the point
> above), e.g.:

We attempt to wipe the cache of specific records for authoritative zones. We
do not make an attempt to do a linear search of the cache for anything that
was previously forwarded (since our cache is not ordered that way, it would
be very expensive).

Is this an important use case for you? If so, please let us know.

	Bert
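The two effects discussed in this thread (per-thread caches giving different TTLs for the same name, and reload-zones wiping auth-zone records but leaving forwarded records to expire on their own TTL) can be seen in a small model. The following is an added illustration written for this page, not code from PowerDNS: the thread count, the crc32 hash standing in for how pdns-distributes-queries pins a question to a thread, the 300/3600-second TTLs and the zone names are all assumptions made up for the demonstration.

```python
"""Toy model of the recursor behaviour described in the thread:
one cache per thread, pdns-distributes-queries pinning a question to one
thread, and reload-zones wiping auth-zone records but not forwarded ones.
Added illustration only; nothing here is PowerDNS code."""
from dataclasses import dataclass, field
import zlib


def in_zone(qname: str, zone: str) -> bool:
    """True when qname is the zone apex or a name below it."""
    return qname == zone or qname.endswith("." + zone)


@dataclass
class Entry:
    rdata: str
    expires: int  # absolute simulated time in seconds


@dataclass
class Thread:
    cache: dict = field(default_factory=dict)  # qname -> Entry, keyed by name

    def answer(self, now, qname, resolve):
        e = self.cache.get(qname)
        if e is None or e.expires <= now:
            rdata, ttl = resolve(qname)
            e = Entry(rdata, now + ttl)
            self.cache[qname] = e
        return e.rdata, e.expires - now  # remaining TTL, as a client sees it

    def wipe(self, zones):
        """Drop cached names under the given zones (cheap: the cache is keyed by name)."""
        for q in [q for q in self.cache if any(in_zone(q, z) for z in zones)]:
            del self.cache[q]


class Recursor:
    def __init__(self, threads=3, distribute=True):
        self.threads = [Thread() for _ in range(threads)]
        self.distribute = distribute
        self.rr = 0
        self.auth_zones = {}     # zone -> rdata served locally (the advisory workaround)
        self.forward_zones = {}  # zone -> upstream server (forward-zones-file)

    def pick(self, qname):
        if self.distribute:  # assumed stand-in for pdns-distributes-queries: same question, same thread
            return self.threads[zlib.crc32(qname.encode()) % len(self.threads)]
        t = self.threads[self.rr % len(self.threads)]  # otherwise whichever thread got the packet
        self.rr += 1
        return t

    def resolve(self, qname):
        for z, rdata in self.auth_zones.items():
            if in_zone(qname, z):
                return rdata, 3600
        for z, server in self.forward_zones.items():
            if in_zone(qname, z):
                return f"via {server}", 300
        return "recursed", 300

    def query(self, now, qname):
        return self.pick(qname).answer(now, qname, self.resolve)

    def reload_zones(self, auth_zones=None, forward_zones=None):
        """Model of rec_control reload-zones: wipe records under auth zones (old and
        new), leave forwarded records to expire on their own TTL."""
        old = set(self.auth_zones)
        if auth_zones is not None:
            self.auth_zones = dict(auth_zones)
        if forward_zones is not None:
            self.forward_zones = dict(forward_zones)
        for t in self.threads:
            t.wipe(old | set(self.auth_zones))


def observed_ttls(distribute, qname="www.example.test", seconds=6):
    """TTLs a client sees when asking the same name once per second."""
    rec = Recursor(threads=3, distribute=distribute)
    return [rec.query(t, qname)[1] for t in range(seconds)]


def blocking_takes_effect_immediately():
    """Adding an auth zone via reload-zones is visible on the next query."""
    rec = Recursor()
    rec.query(0, "www.bad.test")
    rec.reload_zones(auth_zones={"bad.test": "127.0.0.1"})
    return [rec.query(1, "www.bad.test")[0] for _ in range(3)]


def forward_change_waits_for_ttl():
    """Changing a forward target via reload-zones is only seen after TTL expiry."""
    rec = Recursor()
    rec.reload_zones(forward_zones={"corp.test": "10.0.0.1"})
    before = rec.query(0, "www.corp.test")[0]
    rec.reload_zones(forward_zones={"corp.test": "10.0.0.2"})
    stale = rec.query(1, "www.corp.test")[0]
    fresh = rec.query(300, "www.corp.test")[0]
    return before, stale, fresh


if __name__ == "__main__":
    print("round-robin TTLs:", observed_ttls(False))
    print("distributed TTLs:", observed_ttls(True))
    print(blocking_takes_effect_immediately())
    print(forward_change_waits_for_ttl())
```

Without distribution the TTL sequence is not monotonic because each thread fills its own cache on its first miss, which is what the rapid `dig` queries in the question show; with the question pinned to one thread it counts down cleanly. The practical check after applying the advisory workaround is therefore to query the blocked name more times than you have threads and confirm every answer comes from the auth zone, since a forwarded name can keep returning the old target from some threads until its TTL runs out.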
