[Pdns-users] PowerDNS: One Response Policy Zones refuses to update via IXFR -- always uses AXFR

Otto Moerbeek otto at drijf.net
Tue Sep 24 06:04:22 UTC 2019


On Mon, Sep 23, 2019 at 07:07:32AM +0200, Otto Moerbeek wrote:

> On Sun, Sep 22, 2019 at 07:37:29PM +0100, Simon Forster wrote:
> 
> > Hi
> > 
> > We have a customer consuming a bunch of Response Policy Zones using PowerDNS. For all bar one, all is good. However, one zone (bogons.ip.dtq) refuses to update via IXFR. Every update is via AXFR.
> > 
> > In an attempt to troubleshoot, our engineer created a Docker image that ran PowerDNS Recursor 4.2.0 under Debian 9 (squeeze), the latest general release version. PowerDNS was pulled down from PowerDNS's repository rather than compiled by us.
> > 
> > The lua-config-file entry in recursor.conf was modified to include a single lua file that contained a single rpzMaster declaration:
> > 
> >     rpzMaster("199.168.90.51", "bogons.ip.dtq",
> >               {defpol=Policy.NXDOMAIN, refresh=300})
> > 
> > The testing ended up producing the same errors as the customer’s (undocumented) setup:
> > 
> > Sep 21 20:36:55 Loading RPZ zone 'bogons.ip.dtq' from <redacted>
> > Sep 21 20:36:55 Loaded & indexed 418 policy records so far for RPZ zone 'bogons.ip.dtq'
> > Sep 21 20:36:56 Loaded & indexed 36887 policy records so far for RPZ zone 'bogons.ip.dtq'
> > Sep 21 20:36:56 Unable to load RPZ zone 'bogons.ip.dtq' from '<redacted>': 'Unable to convert '1:0:0:0' to a netmask'. (Will try again in 300 seconds...)
> > 
> > The error message regarding '1:0:0:0' was originally thought to be a problem parsing one record in the bogons.ip.dtq zone: "0.0.0.1::/64". However, in testing this was manually redacted and it was confirmed that the CIDR no longer existed in the rpz zone data we push out. The error message persisted in the PowerDNS resolver logs.
> > 
> > Conclusions:
> > 
> > — The error has nothing to do with the CIDR 0.0.0.1::/64 being included in the zone.
> > — rpz parsing of RPZ zones has a bug. Our engineer points to IPv6 triggers.
> > — Our engineer doesn’t like PowerDNS’ logging. This last point probably is irrelevant to everyone except our engineer.
> > 
> > I’ve been something of a PowerDNS proponent but I’ve failed to gain traction internally. This is not helping my case. Is this a known issue?
> > 
> > TIA
> > 
> > Simon
> 
> Looking at the RPZ related issues in
> https://github.com/PowerDNS/pdns/issues I don't see an obvious match.
> 
> Please file an issue and include all relevant (unredacted) data,
> including the RPZ data so that reproduction and further investigation
> is possible.

See https://github.com/PowerDNS/pdns/pull/8340

	-Otto
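The record Simon mentions ("0.0.0.1::/64") and the value in the error ('1:0:0:0') are both RPZ address triggers, which the RPZ format spells as the prefix length followed by the address labels in reverse order, with the label "zz" standing in for "::" in IPv6. The script below is an added illustration, not code from this thread or from PowerDNS: it decodes rpz-ip / rpz-client-ip owner names back into networks and lists the ones that cannot be converted, so a single malformed trigger can be found before a recursor refuses the whole zone. The zone contents, the zone name `bogons.example` and the function names are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

# Owner-name suffixes the RPZ format uses for address-based triggers
# (rpz-ip matches answer addresses, rpz-client-ip the querying client).
IP_TRIGGER_SUFFIXES = ("rpz-ip", "rpz-client-ip", "rpz-nsip")

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def decode_rpz_ip_trigger(owner: str, zone: str) -> Optional[Network]:
    """Decode an RPZ address trigger owner name into an ip_network.

    RPZ writes 192.0.2.0/24 as 24.0.2.0.192.rpz-ip.<zone> and
    2001:db8::/32 as 32.zz.db8.2001.rpz-ip.<zone>: prefix length first,
    then the address groups in reverse order, with the label 'zz'
    standing in for '::'. Returns None for names that are not address
    triggers and raises ValueError for ones that cannot be converted.
    """
    name = owner.rstrip(".").lower()
    apex = zone.rstrip(".").lower()
    if not name.endswith("." + apex):
        return None  # apex records (SOA, NS) or names outside the zone
    labels = name[: -len(apex) - 1].split(".")
    if labels[-1] not in IP_TRIGGER_SUFFIXES:
        return None  # a QNAME trigger, not an address trigger
    parts = labels[:-1]
    if len(parts) < 2 or not parts[0].isdigit():
        raise ValueError(f"{owner}: expected <prefixlen>.<reversed address>")
    prefix = int(parts[0])
    groups = list(reversed(parts[1:]))  # back into normal address order
    if "zz" in groups or len(groups) == 8:
        # IPv6: rejoin the hextets and expand the 'zz' marker to '::'.
        text = ":".join(groups).replace("zz", ":")
        if text == ":":  # the trigger '0.zz' means ::/0
            text = "::"
    elif len(groups) == 4:
        text = ".".join(groups)  # IPv4 octets
    else:
        raise ValueError(
            f"{owner}: {len(groups)} address labels, need 4 or 8 (or 'zz')")
    try:
        return ipaddress.ip_network(f"{text}/{prefix}", strict=False)
    except ValueError as exc:
        raise ValueError(
            f"{owner}: unable to convert '{text}/{prefix}' to a netmask ({exc})"
        ) from None


def find_bad_triggers(zone_text: str, zone: str) -> List[Tuple[str, str]]:
    """Scan zone-file lines and report address triggers that do not decode.

    Only the owner name (first field of each line) matters. This is a
    pre-flight check: one malformed record is enough for a resolver to
    reject the whole zone, and the log line it emits may not name it.
    """
    bad: List[Tuple[str, str]] = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        owner = line.split()[0]
        try:
            decode_rpz_ip_trigger(owner, zone)
        except ValueError as exc:
            bad.append((owner, str(exc)))
    return bad


# Constructed sample zone (hypothetical zone name); the fifth trigger is
# malformed: four decimal labels cannot carry a /64 prefix.
ZONE = "bogons.example"
CONSTRUCTED_ZONE = """\
bogons.example.                         SOA   ns.bogons.example. hostmaster.bogons.example. 1 300 60 3600 60
bogons.example.                         NS    ns.bogons.example.
24.0.2.0.192.rpz-ip.bogons.example.     CNAME .   ; 192.0.2.0/24
32.zz.db8.2001.rpz-ip.bogons.example.   CNAME .   ; 2001:db8::/32
64.zz.1.0.0.0.rpz-ip.bogons.example.    CNAME .   ; 0:0:0:1::/64
128.1.zz.rpz-ip.bogons.example.         CNAME .   ; ::1/128
64.1.0.0.0.rpz-ip.bogons.example.       CNAME .   ; malformed
bad.host.bogons.example.                CNAME .   ; QNAME trigger, skipped
"""

if __name__ == "__main__":
    for owner, why in find_bad_triggers(CONSTRUCTED_ZONE, ZONE):
        print(why)
```

Run against a dump of the zone (a zone file or the output of a `dig ... axfr`) before pushing it to the resolvers; the report names the owner record and the address text that failed, which is the detail missing from a resolver-side "Unable to convert ... to a netmask" message.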

