[Pdns-users] pdns-recursor - Recursor options to ignore when authoritative server does not set the AA bit in DNS reply
Brian Candler
b.candler at pobox.com
Thu Apr 16 10:51:37 UTC 2020
On 15/04/2020 15:37, Caleb Bontrager via Pdns-users wrote:
> The question I have is if there is a configuration ability to remove
> the AA bit requirement for resolution?
I can't answer the specific question, but I tested that my own local
pdns-recursor (4.3.0-1pdns.bionic) *is* able to resolve leg.mt.gov.
rec_control dump_cache says:
mt.gov. 86340 IN NS mtdnstri.mt.gov. ; (Indeterminate) auth=0
mt.gov. 86340 IN NS mtdnspri.mt.gov. ; (Indeterminate) auth=0
mt.gov. 86340 IN NS mtdnssec.mt.gov. ; (Indeterminate) auth=0
mtdnstri.mt.gov. 86340 IN A 161.7.129.10 ; (Indeterminate) auth=0
mtdnssec.mt.gov. 86340 IN A 161.7.38.11 ; (Indeterminate) auth=0
mtdnspri.mt.gov. 86340 IN A 161.7.38.10 ; (Indeterminate) auth=0
leg.mt.gov. 3540 IN A 161.7.35.124 ; (Indeterminate) auth=1
leg.mt.gov. 3540 A ; tag 0
And the query log:
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mt.gov: got NS record 'mt.gov' -> 'mtdnstri.mt.gov.'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mt.gov: got NS record 'mt.gov' -> 'mtdnspri.mt.gov.'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mt.gov: got NS record 'mt.gov' -> 'mtdnssec.mt.gov.'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mt.gov: status=did not resolve, got 3 NS, looping to them
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM leg.mt.gov.|A child=mt.gov: Step4 Resolve A result is No Error/0/2
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM leg.mt.gov.|A child=mt.gov: Delegation seen, continue at step 1
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Checking if we have NS in cache for 'leg.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: no valid/useful NS in cache for 'leg.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Checking if we have NS in cache for 'mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov' -> 'mtdnstri.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: within bailiwick: 1, in cache, ttl=86400
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov' -> 'mtdnspri.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: within bailiwick: 1, in cache, ttl=86400
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov' -> 'mtdnssec.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: within bailiwick: 1, in cache, ttl=86400
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: We have NS in cache for 'mt.gov' (flawedNSSet=0)
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM leg.mt.gov.|A child=mt.gov: Step1 Ancestor from cache is mt.gov.
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM leg.mt.gov.|A child=leg.mt.gov: Step2 New child
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM leg.mt.gov.|A child=leg.mt.gov: Step3 Going to do final resolve
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Wants DNSSEC processing, auth data in query for A
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Looking for CNAME cache hit of 'leg.mt.gov|CNAME'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Looking for DNAME cache hit of 'leg.mt.gov|DNAME' or its ancestors
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: No CNAME or DNAME cache hit of 'leg.mt.gov' found
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: No cache hit for 'leg.mt.gov|A', trying to find an appropriate NS record
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] : got TA for '.'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] : setting cut state for . to Secure
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Checking if we have NS in cache for 'leg.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: no valid/useful NS in cache for 'leg.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Checking if we have NS in cache for 'mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov' -> 'mtdnstri.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: within bailiwick: 1, in cache, ttl=86400
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov' -> 'mtdnspri.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: within bailiwick: 1, in cache, ttl=86400
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov' -> 'mtdnssec.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: within bailiwick: 1, in cache, ttl=86400
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: We have NS in cache for 'mt.gov' (flawedNSSet=0)
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: initial validation status for leg.mt.gov is Indeterminate
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Cache consultations done, have 3 NS to contact
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov.: Nameservers: mtdnspri.mt.gov(0.00ms), mtdnssec.mt.gov(0.00ms), mtdnstri.mt.gov(0.00ms)
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Trying to resolve NS 'mtdnspri.mt.gov' (1/3)
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM mtdnspri.mt.gov.|A child=(empty): doResolve
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mtdnspri.mt.gov: Wants DNSSEC processing, NO auth data in query for A
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mtdnspri.mt.gov: Recursion not requested for 'mtdnspri.mt.gov|A', peeking at auth/forward zones
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mtdnspri.mt.gov: Looking for CNAME cache hit of 'mtdnspri.mt.gov|CNAME'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mtdnspri.mt.gov: Looking for DNAME cache hit of 'mtdnspri.mt.gov|DNAME' or its ancestors
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mtdnspri.mt.gov: No CNAME or DNAME cache hit of 'mtdnspri.mt.gov' found
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mtdnspri.mt.gov: Found cache hit for A: 161.7.38.10[ttl=86400]
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mtdnspri.mt.gov: updating validation state with cache content for mtdnspri.mt.gov to Indeterminate
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM mtdnspri.mt.gov.|A child=(empty): Step0 Found in cache
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Resolved 'mt.gov' NS mtdnspri.mt.gov to: 161.7.38.10
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Trying IP 161.7.38.10:53, asking 'leg.mt.gov|A'
*Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Got 2 answers from mtdnspri.mt.gov (161.7.38.10), rcode=0 (No Error), aa=1, in 128ms*
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: accept answer 'leg.mt.gov|A|161.7.35.124' from 'mt.gov' nameservers? ttl=3600, place=1 YES!
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: OPT answer '.' from 'mt.gov' nameservers
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] : got initial zone status Indeterminate for record leg.mt.gov|A
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: determining status after receiving this packet
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: answer is in: resolved to '161.7.35.124|A'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: status=got results, this level of recursion done
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: validation status is Indeterminate
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM leg.mt.gov.|A child=leg.mt.gov: Step3 Final resolve: No Error/1
Apr 16 10:18:43 cache2 pdns_recursor[19615]: 2 [1/1] answer to question 'leg.mt.gov|A': 1 answers, 1 additional, took 3 packets, 226.077 netw ms, 247.328 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
The weird thing is, the logs above show aa=1 in the response.
Using dig, I see the same as you - that the servers for this domain are
all lame. aa=0, ra=1. Even the TTL decrements like a recursor.
$ dig +norec @mtdnstri.mt.gov. leg.mt.gov. a
; <<>> DiG 9.10.6 <<>> +norec @mtdnstri.mt.gov. leg.mt.gov. a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12168
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;leg.mt.gov. IN A
;; ANSWER SECTION:
leg.mt.gov. 3579 IN A 161.7.35.124
;; Query time: 118 msec
;; SERVER: 161.7.129.10#53(161.7.129.10)
;; WHEN: Thu Apr 16 10:56:19 BST 2020
;; MSG SIZE rcvd: 55
$ dig +norec @mtdnstri.mt.gov. leg.mt.gov. a
; <<>> DiG 9.10.6 <<>> +norec @mtdnstri.mt.gov. leg.mt.gov. a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61785
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;leg.mt.gov. IN A
;; ANSWER SECTION:
leg.mt.gov. 3574 IN A 161.7.35.124
;; Query time: 117 msec
;; SERVER: 161.7.129.10#53(161.7.129.10)
;; WHEN: Thu Apr 16 10:56:24 BST 2020
;; MSG SIZE rcvd: 55
Sometimes I see the TTL jump back up again - perhaps some sort of
load-balancer in front of a bunch of recursive servers?
Next I try a tcpdump while pdns-recursor does its business:
10:29:18.479243 IP 10.12.255.54.54426 > 161.7.129.10.53: 11772 [1au] A? leg.mt.gov. (39)
0x0000: 4500 0043 576a 4000 4011 b7eb 0a0c ff36 E..CWj@.@......6
0x0010: a107 810a d49a 0035 002f 2b95 2dfc 0000 .......5./+.-...
0x0020: 0001 0000 0000 0001 036c 6567 026d 7403 .........leg.mt.
0x0030: 676f 7600 0001 0001 0000 2904 d000 0080 gov.......).....
0x0040: 0000 00 ...
10:29:18.596734 IP 161.7.129.10.53 > 10.12.255.54.54426: 11772*- 1/0/1 A 161.7.35.124 (55)
0x0000: 4550 0053 7c67 4000 f211 e08d a107 810a EP.S|g@.........
0x0010: 0a0c ff36 0035 d49a 003f d4df 2dfc *8400* ...6.5...?..-...
0x0020: 0001 0001 0000 0001 036c 6567 026d 7403 .........leg.mt.
0x0030: 676f 7600 0001 0001 c00c 0001 0001 0000 gov.............
0x0040: 0e10 0004 a107 237c 0000 2910 0000 0000 ......#|..).....
0x0050: 0000 00 ...
If I decode the response I get:
2dfc = ident
8400 = flags: QR=1, opcode = 0000, AA=1, TC=0, RD=0; RA=0, Z=0, AD=0,
CD=0, rcode=0000
Exactly what's expected from an authoritative server: Authoritative
Answer=1, Recursion Available=0.
Now let me try the same with dig:
# dig +norec @161.7.129.10 leg.mt.gov. a
10:35:13.468482 IP 10.12.255.54.38387 > 161.7.129.10.53: 34722 [1au] A? leg.mt.gov. (51)
0x0000: 4500 004f cb80 0000 4011 83c9 0a0c ff36 E..O....@......6
0x0010: a107 810a 95f3 0035 003b 2ba1 87a2 0020 .......5.;+.....
0x0020: 0001 0000 0000 0001 036c 6567 026d 7403 .........leg.mt.
0x0030: 676f 7600 0001 0001 0000 2910 0000 0000 gov.......).....
0x0040: 0000 0c00 0a00 0880 3a8e d7cf 0707 14 ........:......
10:35:13.586436 IP 161.7.129.10.53 > 10.12.255.54.38387: 34722 1/0/1 A 161.7.35.124 (55)
0x0000: 4550 0053 2262 4000 f011 3c93 a107 810a EP.S"b@...<.....
0x0010: 0a0c ff36 0035 95f3 003f bd6c 87a2 *8080* ...6.5...?.l....
0x0020: 0001 0001 0000 0001 036c 6567 026d 7403 .........leg.mt.
0x0030: 676f 7600 0001 0001 c00c 0001 0001 0000 gov.............
0x0040: 0e04 0004 a107 237c 0000 2910 0000 0000 ......#|..).....
0x0050: 0000 00 ...
Now I get:
87a2 = ident
8080 = flags: QR=1, RA=1
i.e. now it's responding just like a recursor!!
I notice the dig request has 0020 for flags, i.e. AD=1. I can fix that
to make flags 0000:
# dig +norec +noad @161.7.129.10 leg.mt.gov. a
10:37:08.595577 IP 10.12.255.54.59200 > 161.7.129.10.53: 710 [1au] A? leg.mt.gov. (51)
0x0000: 4500 004f f7db 0000 4011 576e 0a0c ff36 E..O....@.Wn...6
0x0010: a107 810a e740 0035 003b 2ba1 02c6 0000 .....@.5.;+.....
0x0020: 0001 0000 0000 0001 036c 6567 026d 7403 .........leg.mt.
0x0030: 676f 7600 0001 0001 0000 2910 0000 0000 gov.......).....
0x0040: 0000 0c00 0a00 08e7 a9b0 0c46 4733 22 ...........FG3"
10:37:08.714776 IP 161.7.129.10.53 > 10.12.255.54.59200: 710 1/0/1 A 161.7.35.124 (55)
0x0000: 4550 0053 7930 4000 f211 e3c4 a107 810a EP.Sy0@.........
0x0010: 0a0c ff36 0035 e740 003f f104 02c6 *8080* ...6.5.@.?......
0x0020: 0001 0001 0000 0001 036c 6567 026d 7403 .........leg.mt.
0x0030: 676f 7600 0001 0001 c00c 0001 0001 0000 gov.............
0x0040: 0dfb 0004 a107 237c 0000 2910 0000 0000 ......#|..).....
0x0050: 0000 00 ...
Gargh... it's still responding like a recursor!
It looks like there is some sort of wacky views mechanism on this
server, which uses some weird attribute of the request to infer whether
it's coming from a stub resolver or from a recursor (instead of just
looking at the RD bit like it should). But I don't have time to dig
further - I'll hand this back to you.
You might want to try recursor 4.3.0 anyway, since that works for me.
Cheers,
Brian.
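A worked decoder for the two captured replies, added here as an example (it is not Brian's code and not part of PowerDNS): it parses the DNS header flags and the first answer RR from the UDP payloads transcribed from the tcpdump hex above, and labels each reply authoritative (AA=1, RA=0) or recursor-like (AA=0, RA=1) the way the post does. The function names and labels are my own.

```python
import struct

# Bit positions in the 16-bit DNS header flags word (RFC 1035 s4.1.1; AD/CD from RFC 4035).
FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7, "AD": 5, "CD": 4}

def decode_flags(flags):
    """Named 1-bit fields plus opcode and rcode from the flags word."""
    out = {name: (flags >> bit) & 1 for name, bit in FLAG_BITS.items()}
    return {**out, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF}

def skip_name(msg, off):
    """Return the offset just past a domain name; a 2-byte pointer (e.g. c00c) ends it."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Parse the header, skip the question, and read the first answer RR (TTL, A rdata)."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    info = {"id": ident, "ancount": an, **decode_flags(flags)}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    if an:
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        info["ttl"] = ttl
        if rtype == 1 and rdlen == 4:  # A record: dotted-quad rdata
            info["answer"] = ".".join(str(b) for b in msg[off + 10:off + 14])
    return info

def classify(info):
    """Label a reply the way the post does: authoritative (AA=1, RA=0) vs recursor-like."""
    if info["QR"] != 1:
        return "not a response"
    if info["AA"] and not info["RA"]:
        return "authoritative"
    return "lame (recursor-like)" if info["RA"] and not info["AA"] else "mixed"

# UDP payloads (byte 28 onward of each IP packet) transcribed from the two response dumps above.
TO_RECURSOR = bytes.fromhex("2dfc 8400 0001 0001 0000 0001 036c 6567 026d 7403 676f 7600"
                            "0001 0001 c00c 0001 0001 0000 0e10 0004 a107 237c 0000 2910 0000 0000 0000 00")
TO_DIG = bytes.fromhex("87a2 8080 0001 0001 0000 0001 036c 6567 026d 7403 676f 7600"
                       "0001 0001 c00c 0001 0001 0000 0e04 0004 a107 237c 0000 2910 0000 0000 0000 00")

for name, msg in (("reply to recursor", TO_RECURSOR), ("reply to dig", TO_DIG)):
    info = parse_response(msg)
    print(f"{name}: AA={info['AA']} RD={info['RD']} RA={info['RA']} ttl={info['ttl']} -> {classify(info)}")
```

The TTL field also shows the difference the post noticed: 3600 in the reply to the recursor, 3588 (already decremented) in the reply to dig.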