[Pdns-users] PowerDNS: One Response Policy Zones refuses to update via IXFR -- always uses AXFR
Simon Forster
forster at deteque.com
Sun Sep 22 18:37:29 UTC 2019
Hi
We have a customer consuming a bunch of Response Policy Zones using PowerDNS. For all bar one, all is good. However, one zone (bogons.ip.dtq) refuses to update via IXFR. Every update is via AXFR.
In an attempt to troubleshoot, our engineer created a Docker image that ran PowerDNS Recursor 4.2.0 under Debian 9 (squeeze), the latest general release version. PowerDNS was pulled down from PowerDNS's repository rather than compiled by us.
The lua-config-file entry in recursor.conf was modified to include a single lua file that contained a single rpzMaster declaration:
rpzMaster("199.168.90.51",
"bogons.ip.dtq",{defpol=Policy.NXDOMAIN,refresh=300})
The testing ended up producing the same errors as the customer’s (undocumented) setup:
Sep 21 20:36:55 Loading RPZ zone 'bogons.ip.dtq' from <redacted>
Sep 21 20:36:55 Loaded & indexed 418 policy records so far for RPZ zone 'bogons.ip.dtq'
Sep 21 20:36:56 Loaded & indexed 36887 policy records so far for RPZ zone 'bogons.ip.dtq'
Sep 21 20:36:56 Unable to load RPZ zone 'bogons.ip.dtq' from '<redacted>': 'Unable to convert '1:0:0:0' to a netmask'. (Will try again in 300 seconds...)
The error message regarding '1:0:0:0' was originally thought to be a problem parsing one record in the bogons.ip.dtq zone: "0.0.0.1::/64". However, in testing this was manually redacted and it was confirmed that the CIDR no longer existed in the RPZ zone data we push out. The error message persisted in the PowerDNS resolver logs.
Conclusions:
— The error has nothing to do with the CIDR 0.0.0.1::/64 being included in the zone.
— rpz parsing of RPZ zones has a bug. Our engineer points to IPv6 triggers.
— Our engineer doesn't like PowerDNS' logging. This last point probably is irrelevant to everyone except our engineer.
I've been something of a PowerDNS proponent but I've failed to gain traction internally. This is not helping my case. Is this a known issue?
TIA
Simon
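Added example for readers of this thread (my code, not from the original post and not PowerDNS code): it decodes and encodes the rpz-ip IP-address triggers of an RPZ zone per the RPZ Internet-Draft (draft-vixie-dnsop-dns-rpz), so you can check what a given owner name actually stands for before blaming the loader. The record discussed above, taken as the prefix 0:0:0:1::/64, round-trips as the owner name 64.zz.1.0.0.0 (the rpz-ip.<zone> suffix is assumed to have been stripped by the caller).

```python
import ipaddress

# RPZ IP trigger owner name:  <prefixlen>.<address labels in REVERSED order>.rpz-ip.<zone>
# IPv6 addresses use their RFC 5952 text form with ':' written as '.' and '::'
# written as the label 'zz'.  Example: 2001:db8::1/128 -> 128.1.zz.db8.2001

def decode_rpz_ip_trigger(owner: str):
    """'64.zz.1.0.0.0' -> IPv6Network('0:0:0:1::/64'); raises ValueError if malformed."""
    labels = owner.strip('.').split('.')
    if len(labels) < 2 or not labels[0].isdigit():
        raise ValueError(f"no prefix length in {owner!r}")
    prefixlen = int(labels[0])
    comps = list(reversed(labels[1:]))   # undo the reversed label order
    if 'zz' in comps or len(comps) == 8:
        text = ':'.join(comps)            # IPv6 groups; put '::' back where 'zz' was
        text = text.replace(':zz:', '::')
        if text.startswith('zz:'):
            text = ':' + text[2:]
        if text.endswith(':zz'):
            text = text[:-2] + ':'
        if text == 'zz':
            text = '::'
    elif len(comps) == 4:
        text = '.'.join(comps)            # IPv4 dotted quad
    else:
        raise ValueError(f"{len(comps)} address labels in {owner!r}")
    # strict=False tolerates set host bits (assumption; the draft does not forbid them)
    return ipaddress.ip_network(f"{text}/{prefixlen}", strict=False)


def encode_rpz_ip_trigger(cidr: str) -> str:
    """'0:0:0:1::/64' -> '64.zz.1.0.0.0' (inverse of decode_rpz_ip_trigger)."""
    net = ipaddress.ip_network(cidr, strict=False)
    addr = net.network_address.compressed  # RFC 5952 for IPv6, dotted quad for IPv4
    if net.version == 6:
        comps = [c for c in addr.replace('::', ':zz:').split(':') if c]
    else:
        comps = addr.split('.')
    return '.'.join([str(net.prefixlen)] + list(reversed(comps)))


def is_valid_rpz_ip_trigger(owner: str) -> bool:
    """True if the owner name decodes to a network; a loader should skip it otherwise."""
    try:
        decode_rpz_ip_trigger(owner)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("64.zz.1.0.0.0", "128.1.zz.db8.2001", "24.0.0.168.192", "64.1.0.0.0"):
        print(name, "->", decode_rpz_ip_trigger(name) if is_valid_rpz_ip_trigger(name) else "INVALID")
```

Feeding the owner names of your zone's rpz-ip records through is_valid_rpz_ip_trigger gives an independent view of which triggers, if any, do not decode to a prefix.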