[Pdns-users] Powerdns authoritative with gmysql backend and wildcard not matching existent subdomains

tbn tbn at singularity.ro
Wed Sep 20 08:24:38 UTC 2017


Hello,

    Please pardon if this has been discussed before. A google search
didn't turn up anything relevant. Also, this is my first post on a
mailing list, so please let me know if I'm out of conduct.

    I'm currently looking into PowerDNS to replace our current bind
authoritative servers, and it seems I've hit a bump along the way,
during testing.

    In my test environment I'm running PowerDNS Authoritative Server
4.0.4 from the PowerDNS website, with gmysql backend. I've created the
database using the schema.mysql.sql found in modules/gmysqlbackend,
and populated with an 'example.com' domain:

[powerdns]> SELECT * FROM records;
+----+-----------+-----------------------+------+------------------------------------------------------+-------+------+-------------+----------+-----------+------+
| id | domain_id | name                  | type | content                                              | ttl   | prio | change_date | disabled | ordername | auth |
+----+-----------+-----------------------+------+------------------------------------------------------+-------+------+-------------+----------+-----------+------+
|  1 |         1 | example.com           | SOA  | localhost admin.example.com 1 10380 3600 604800 3600 | 86400 | NULL |        NULL |        0 | NULL      |    1 |
|  2 |         1 | example.com           | NS   | dns-us1.powerdns.net                                 | 86400 | NULL |        NULL |        0 | NULL      |    1 |
|  3 |         1 | example.com           | NS   | dns-eu1.powerdns.net                                 | 86400 | NULL |        NULL |        0 | NULL      |    1 |
|  4 |         1 | www.example.com       | A    | 192.0.2.10                                           |   120 | NULL |        NULL |        0 | NULL      |    1 |
|  5 |         1 | mail.example.com      | A    | 192.0.2.12                                           |   120 | NULL |        NULL |        0 | NULL      |    1 |
|  6 |         1 | localhost.example.com | A    | 127.0.0.1                                            |   120 | NULL |        NULL |        0 | NULL      |    1 |
|  7 |         1 | example.com           | MX   | mail.example.com                                     |   120 |   25 |        NULL |        0 | NULL      |    1 |
+----+-----------+-----------------------+------+------------------------------------------------------+-------+------+-------------+----------+-----------+------+

    I wanted to test out the wildcard feature as well, since I've seen
that some domains hosted with us have wildcards created:
+----+-----------+-----------------------+------+------------------------------------------------------+-------+------+-------------+----------+-----------+------+
| id | domain_id | name                  | type | content                                              | ttl   | prio | change_date | disabled | ordername | auth |
+----+-----------+-----------------------+------+------------------------------------------------------+-------+------+-------------+----------+-----------+------+
|  8 |         1 | *.example.com         | A    | 192.168.2.34                                         |   120 | NULL |        NULL |        0 | NULL      |    1 |
+----+-----------+-----------------------+------+------------------------------------------------------+-------+------+-------------+----------+-----------+------+

    To find out if the wildcard is working correctly, I performed a
dig on something random:
----------------------------------------8<----------------------------------------
]~$ dig +short something.something.example.com @<pdns-test-server>
192.168.2.34
]~$
----------------------------------------8<----------------------------------------
    ..which returned the data correctly.

    However, when I've attempted to perform a dig on a
subdomain.something that matches something already existent in the
list of subdomains, it doesn't return anything. For example, I already
have 'www.example.com' as an Alias to 192.0.2.10. If I query for
'something.www.example.com' I get nothing:
----------------------------------------8<----------------------------------------
]~$ dig +short something.www.example.com @<pdns-test-server>
]~$
----------------------------------------8<----------------------------------------

    Querying without '+short':
----------------------------------------8<----------------------------------------
~$ dig something.www.example.com @<pdns-test-server>


; <<>> DiG 9.11.1-P3 <<>> something.www.example.com @<pdns-test-server>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38952
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;something.www.example.com.     IN      A

;; AUTHORITY SECTION:
example.com.            3600    IN      SOA     localhost. admin.example.com. 1 10380 3600 604800 3600

;; Query time: 4 msec
;; SERVER: <pdns-test-server>#53(<pdns-test-server>)
;; WHEN: Wed Sep 20 10:58:29 EEST 2017
;; MSG SIZE  rcvd: 105
----------------------------------------8<----------------------------------------

    I've turned on mysql's query logging. From the logs, I can see the
following:
----------------------------------------8<----------------------------------------
137 Execute   SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='SOA' and name='something.www.example.com'
137 Reset stmt
137 Execute   SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='SOA' and name='www.example.com'
137 Reset stmt
137 Execute   SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='SOA' and name='example.com'
137 Reset stmt
137 Prepare   SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type=? and name=? and domain_id=?
137 Execute   SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='NS' and name='something.www.example.com' and domain_id=1
137 Reset stmt
137 Execute   SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and type='NS' and name='www.example.com' and domain_id=1
137 Reset stmt
137 Prepare   SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name=? and domain_id=?
137 Execute   SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='something.www.example.com' and domain_id=1
137 Reset stmt
137 Execute   SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='*.www.example.com' and domain_id=1
137 Reset stmt
137 Execute   SELECT content,ttl,prio,type,domain_id,disabled,name,auth FROM records WHERE disabled=0 and name='www.example.com' and domain_id=1
137 Reset stmt
137 Prepare   select content from domains, domainmetadata where domainmetadata.domain_id=domains.id and name=? and domainmetadata.kind=?
137 Execute   select content from domains, domainmetadata where domainmetadata.domain_id=domains.id and name='example.com' and domainmetadata.kind='SOA-EDIT'
137 Reset stmt
----------------------------------------8<----------------------------------------

    From what I can tell, PowerDNS performs a SELECT with all
mentioned labels of the domain, and proceeds to strip the
left-most label until it finds a match. However, if it catches a part
of the domain that already exists, it doesn't match the wildcard
anymore, nor the part of the domain that actually exists, but proceeds
to look for a 'SOA-EDIT' in domainmetadata?

    This query performs well in bind, so can anyone point out if/what I'm
doing wrong here?
    Also, can anyone try to reproduce this behaviour?

Thank you!

Best regards,
-tbn
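
The label-stripping sequence in the query log above corresponds to the wildcard rule of RFC 4592: a wildcard is consulted only at the closest existing ancestor (the closest encloser) of the queried name. The sketch below is an added example, not part of the original post and not PowerDNS code; it replays that rule over the records listed in the post, ignores delegations and DNSSEC, and `resolve`, `existing_names` and the `OUT_OF_ZONE` status are hypothetical names.

```python
# Records constructed from the table in the post: (name, type, content).
ZONE = "example.com"
RECORDS = [
    ("example.com", "SOA", "localhost admin.example.com 1 10380 3600 604800 3600"),
    ("example.com", "NS", "dns-us1.powerdns.net"),
    ("example.com", "NS", "dns-eu1.powerdns.net"),
    ("www.example.com", "A", "192.0.2.10"),
    ("mail.example.com", "A", "192.0.2.12"),
    ("localhost.example.com", "A", "127.0.0.1"),
    ("example.com", "MX", "mail.example.com"),
    ("*.example.com", "A", "192.168.2.34"),
]


def existing_names(records):
    """Owner names plus empty non-terminals (their ancestors inside the zone)."""
    names = set()
    for owner, _, _ in records:
        labels = owner.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate == ZONE or candidate.endswith("." + ZONE):
                names.add(candidate)
    return names


def resolve(qname, qtype, records=RECORDS):
    """Return (status, answers) using RFC 4592 closest-encloser matching."""
    qname = qname.rstrip(".").lower()
    names = existing_names(records)

    def rrset(owner):
        return [c for n, t, c in records if n == owner and t == qtype]

    if qname in names:
        # The name exists: wildcards never apply, even if this type is absent.
        return ("NOERROR", rrset(qname))
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in names:
            # First existing ancestor is the closest encloser; only the
            # wildcard directly below it may synthesize an answer.
            wildcard = "*." + encloser
            if wildcard in names:
                return ("NOERROR", rrset(wildcard))
            return ("NXDOMAIN", [])
    return ("OUT_OF_ZONE", [])
```
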

