[Pdns-users] pdns_recursors trusts addtional section where it better shouldn't

[Thomas Mieslinger]

On 17.02.17 10:58, bert hubert wrote:
> On Fri, Feb 17, 2017 at 10:49:08AM +0100, Thomas Mieslinger wrote:
>> ovh changed its MX A records and now my employers Mail relays can't send
>> email to ovh.
>
> Have you attempted to talk to OVH about their misconfiguration?

There is no misconfiguration at ovh.

> I ask this because the DNS Resolver community keeps getting asked to solve
> problems which are not ours. But it is easier to ask us to change.
>
> We (BIND, Unbound) keep running into broken F5 configurations for example,
> and yes, we can fix those with some special casing. But people always ask us
> because we are easier to talk to than the operators of the F5 machines.

In my experience operating F5 gtm is hard... ( but that is completely of 
topic.)

> And so the code in resolvers becomes ever more a set of exceptions and
> workarounds. And please know, every workaround breaks something else.
>
> So please ask OVH to fix their stuff.

They can't.

If verisign had a policy like denic or .fr, this mess would not be in 
the tld zone file.

>> Many many domains are wrongly delegated with wrong glue records in the tld
>> zone.
>
> Let us not encourage broken things to work well. Some pain is quite
> motivational to clean this up.

The pain is only felt by people who can't fix it.

>> I understand that this must have a performance impact but having the choice
>> between 1000s of customer calls a day "I can't send emails to ovh and it is
>> your fault" and buying some more recursor boxes, I clearly want more
>> recursor boxes and less disappointed customers.
>
> The disappointed customers may want to ask OVH why it is publishing the
> wrong IP addresses?

It is not ovh publishing wrong A records, it is glue from the tld zone.

The example domain is register with gandi.net, so gandi or their 
customer would need to update NS Records and glue. I can't fix it, ovh 
can't fix it.