[Pdns-users] Records going missing in 3.4.4

Mark Moseley moseleymark at gmail.com
Fri May 1 19:24:52 UTC 2015


On Fri, May 1, 2015 at 11:50 AM, bert hubert <bert.hubert at powerdns.com> wrote:

> On Fri, May 01, 2015 at 11:13:22AM -0700, Mark Moseley wrote:
> > Of all the things I cleaned up, one thing I *didn't* clean up was a lot of
> > records with trailing dots in the content field (for NS/MX/CNAME records).
>
> This could easily confuse things. If PowerDNS chases a CNAME and it
> encounters a trailing dot, it tries to look that one up in the database. If
> it then does not find that, it could turn the whole packet into an NXDOMAIN
> and cache that.
>
> Same thing with NS records and delegations etc.
>
> The query-cache might conceivably also cache lacking records with a trailing
> dot, but unsure.
>
> I'd suggest cleaning up all those trailing dots and seeing what happens. If
> the problem persists we could spend more time on it.
>
>
Ok, sounds good.

I suspected (but have zero way to prove it) that somehow the trailing dot
version (and there's no corresponding DNS record *with* the trailing dot in
the db) was getting queried and was coming back NXDOMAIN but that when pdns
went and looked in the cache for the no-trailing-dot version, it was seeing
the trailing dot version (though no idea why that'd be the case).

The interesting part is we've been running 3.4.2 for a while now (and 3.4.1
for quite some time before that), so what might've changed in between 3.4.2
and 3.4.4 (or 3.4.3 which we haven't tried).

And then the *really* interesting part is why does it continue *after* we
revert all the servers back to 3.4.2 for approximately the same amount of
time as the TTLs? In my pcaps, I was almost expecting to see someone
revalidating the broken hostnames with cruft in the query (control
characters, or maybe 2 trailing dots or something weird). It was almost
like cache poisoning without the cache :)    And recursion is turned off on
these, btw.



> > We're in the middle of a big cleanup to eradicate these trailing dots and
> > are back on 3.4.2 for the time being till we can get it done. But I was
> > curious if a) this was a known issue; or b) anyone's seen it before, since
> > the trailing dots part could be a red herring.
>
> I have seen lots of weirdness with trailing dots, and above you can find one
> scenario where you could get an NXDOMAIN.


Ok, good to know.
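
The trailing-dot cleanup discussed in this thread, as an added example that is not part of the original message or PowerDNS's own code. It assumes a generic SQL backend whose `records` table has `name`, `type` and `content` columns, and runs against an in-memory SQLite database with constructed rows; the function names are hypothetical.

```python
import sqlite3

HOST_TYPES = ("NS", "MX", "CNAME")  # the record types named in the thread

def find_trailing_dots(conn):
    """Rows whose content ends in a dot; a bare '.' (root / null MX) is excluded."""
    q = ("SELECT id, name, type, content FROM records "
         "WHERE type IN (?, ?, ?) AND content LIKE '%.' AND content <> '.' "
         "ORDER BY id")
    return conn.execute(q, HOST_TYPES).fetchall()

def strip_trailing_dots(conn):
    """Strip trailing dots in one transaction.

    Returns (updated_count, collision_ids). A collision is a row whose fixed
    content already exists for the same name and type; it is left untouched
    for manual review instead of creating a duplicate record.
    """
    updated, collisions = 0, []
    with conn:  # commit on success, roll back on any error
        for rid, name, rtype, content in find_trailing_dots(conn):
            fixed = content.rstrip(".")  # also handles two or more dots
            if not fixed:                # content was only dots: leave it
                continue
            dup = conn.execute(
                "SELECT 1 FROM records WHERE name=? AND type=? AND content=? "
                "AND id<>?", (name, rtype, fixed, rid)).fetchone()
            if dup:
                collisions.append(rid)
                continue
            conn.execute("UPDATE records SET content=? WHERE id=?", (fixed, rid))
            updated += 1
    return updated, collisions

def demo_db():
    """Constructed sample data using a subset of the assumed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT, "
                 "type TEXT, content TEXT, ttl INTEGER)")
    conn.executemany(
        "INSERT INTO records (name, type, content, ttl) VALUES (?, ?, ?, ?)",
        [("example.com", "NS", "ns1.example.net.", 3600),
         ("example.com", "NS", "ns2.example.net", 3600),
         ("www.example.com", "CNAME", "web.example.net.", 300),
         ("example.com", "MX", "mail.example.net", 3600),
         ("example.com", "MX", "mail.example.net.", 3600),  # would collide
         ("example.org", "MX", ".", 3600),                  # bare dot, kept
         ("example.com", "TXT", "free text ending in a dot.", 3600)])
    return conn
```

Run `find_trailing_dots` first as a read-only audit; rows reported as collisions need a decision about which copy to keep before the cleanup is complete.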