[Pdns-users] Very odd negative cache behaviour for world-gen.g.aaplimg.com

Remi Gacogne remi.gacogne at powerdns.com
Tue Oct 31 15:55:31 UTC 2017 

On 10/31/2017 04:41 PM, Matthias Cramer wrote:
> I found out that when I set dnssec to false the it seams to work much
> better. Also setting minimum-ttl-override to 60 helps a lot, even
> When dnssec is enabled but only on 3 of 4 resolvers.
> 
> Can you give me a hint how I can get all the queries you are looking
> for logged?

Ah right, this is caused by queries sent by the DNSSEC validation code
while trying to determine where the zone cuts are. The authoritative
servers for g.aaplimg.com, a.gslb.aaplimg.com and b.gslb.aaplimg.com,
answer with NXDOMAIN when we ask for world-gen.g.aaplimg.com|NS, which
is wrong.

$ dig NS world-gen.g.aaplimg.com @a.gslb.aaplimg.com. +dnssec

; <<>> DiG 9.11.2 <<>> NS world-gen.g.aaplimg.com @a.gslb.aaplimg.com.
+dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22623
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1680
;; QUESTION SECTION:
;world-gen.g.aaplimg.com.       IN      NS

;; AUTHORITY SECTION:
g.aaplimg.com.          60      IN      SOA     aad-dist.apple.com.
hostmaster.apple.com. 1509039331 1800 300 60480 60

;; Query time: 273 msec
;; SERVER: 17.253.201.8#53(17.253.201.8)
;; WHEN: Tue Oct 31 16:43:24 CET 2017
;; MSG SIZE  rcvd: 114


NXDOMAIN means that there is no record for g.aaplimg.com or anything
under, so we negatively cache this answer for 60s. Since we know that
other types exist for this domain, like A, the correct answer would be
NODATA.

Disabling DNSSEC validation only hides the issue, though. We don't ask
world-gen.g.aaplimg.com|NS right away so it looks fine, but as soon as
someone asks your recursors for world-gen.g.aaplimg.com|NS you'll have
the same issue. IMHO there is little we can do to fix it, these
authoritative servers need to be fixed.

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20171031/cb58a742/attachment.sig>

More information about the Pdns-users mailing list