[Pdns-users] pdns_recursor failed to load rpz zone at startup

Øystein Viggen oystein.viggen at ntnu.no
Fri Jan 26 08:57:17 UTC 2018


Hi,

We've been running RPZ with powerdns recursor for a while.  The RPZ zone
is hosted on a BIND server, and slaved to the recursors using lua
rpzMaster().

This has worked fine, but when rebooting the servers last wednesday, one
of the recursors failed to slave the zone during startup.  The
surprising thing is that it then proceeded to NOT retry the transfer.
When we discovered the problem and restarted the recursor daemon, it
immediately slaved the zone and has been working perfectly again.

As far as I can see from logs and uptime, the BIND RPZ host was
available when the problematic server rebooted.

Logs (slightly redacted) :

Jan 24 16:06:56 dnscache101 pdns_recursor[2071]: PowerDNS comes with
ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to
redistribute it according to the terms of the GPL version 2.

Jan 24 16:06:56 dnscache101 pdns_recursor[2071]: Reading random entropy
from '/dev/urandom'

Jan 24 16:06:56 dnscache101 pdns_recursor[2071]: Enabling IPv6 transport
for outgoing queries

Jan 24 16:06:56 dnscache101 pdns_recursor[2071]: Loading RPZ zone
'aaa.bbb.ntnu.no' from [2001:700:300:aaaa::bbbb]:53

Jan 24 16:06:56 dnscache101 pdns_recursor[2071]: With TSIG key
'transfer' of algorithm 'hmac-md5'

Jan 24 16:06:56 dnscache101 pdns_recursor[2071]: Unable to load RPZ zone
'aaa.bbb.ntnu.no' from '2001:700:300:aaaa::bbbb': connect: Network is
unreachable

Jan 24 16:06:56 dnscache101 pdns_recursor[2071]: Done parsing 68
allow-from ranges from file '/etc/powerdns/recursor.allow' - overriding
'allow-from' setting


This is during bootup of the server, and knowing Ubuntu, I wouldn't be
at all surprised if the network wasn't /completely/ available at this
point.


Questions:

Is this expected behaviour, assuming that if the RPZ master isn't
available during startup, you've probably misconfigured something and
there's no point trying again?  Otherwise, could this be changed to
retrying again in X minutes?

Powerdns recursor version was 4.1.0.  Is this perhaps already fixed in
4.1.1?  (I didn't see anything indicating that in the changelog).


As said, this immediately started working again when restarting the
recursor daemon.  It failed in this way only on one of three similarly
configured servers.


Thanks,

Øystein


More information about the Pdns-users mailing list