[Pdns-users] pdns_recursors trusts addtional section where it better shouldn't

[Thomas Mieslinger]

Hi,

ovh changed its MX A records and now my employers Mail relays can't send 
email to ovh.

This may sound unrelated to pdns_recursor but please read on:

Many many domains are wrongly delegated with wrong glue records in the 
tld zone. As of 2017-02-17 10:43:00 CET dig produces the following output:

dig @i.gtld-servers.net. bureauxdeventepro.com

; <<>> DiG 9.10.4-P5 <<>> @i.gtld-servers.net. bureauxdeventepro.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33279
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 8
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bureauxdeventepro.com.		IN	A

;; AUTHORITY SECTION:
bureauxdeventepro.com.	172800	IN	NS	mx4.ovh.net.
bureauxdeventepro.com.	172800	IN	NS	mx1.ovh.net.
bureauxdeventepro.com.	172800	IN	NS	mxb.ovh.net.
bureauxdeventepro.com.	172800	IN	NS	dns103.ovh.net.
bureauxdeventepro.com.	172800	IN	NS	ns103.ovh.net.

;; ADDITIONAL SECTION:
mx4.ovh.net.		172800	IN	A	213.186.33.74
mx1.ovh.net.		172800	IN	A	213.186.33.29
mxb.ovh.net.		172800	IN	A	213.186.37.81
dns103.ovh.net.		172800	IN	AAAA	2001:41d0:1:4a93::1
dns103.ovh.net.		172800	IN	A	213.251.188.147
ns103.ovh.net.		172800	IN	AAAA	2001:41d0:1:1993::1
ns103.ovh.net.		172800	IN	A	213.251.128.147

;; Query time: 9 msec
;; SERVER: 192.43.172.30#53(192.43.172.30)
;; WHEN: Fri Feb 17 10:43:40 CET 2017
;; MSG SIZE  rcvd: 288

The real IP address for mx1.ovh.net is 137.74.125.138. How can I make 
pdns_recursor to not store records from the additional section in the 
caches?

I understand that this must have a performance impact but having the 
choice between 1000s of customer calls a day "I can't send emails to ovh 
and it is your fault" and buying some more recursor boxes, I clearly 
want more recursor boxes and less disappointed customers.

Cheers Thomas