[Pdns-users] SERVFAIL on backend failure - is this possible?

Aki Tuomi cmouse at cmouse.fi
Wed Feb 26 09:43:25 UTC 2020


This is a bug, please file an issue at
https://github.com/PowerDNS/pdns/issues

Aki

On 26.2.2020 11.24, Vytenis A wrote:
> UPDATE: pDNS returns NXDOMAIN only when TXT query returns HTTP 500,
> and SOA returns 200.
>
> We would like to keep SOA record statically defined in our backend,
> and TXT is queried in DB. I guess pDNS treats remote DNS store as
> healthy if SOA is OK, ignoring subsequent request status.
>
> On Wed, Feb 26, 2020 at 10:55 AM Vytenis A <vytenis.adm at gmail.com> wrote:
>> Hi Aki!
>>
>> Ok, so I've implemented SOA into remote backend and dropped bind
>> completely. The only backend active now is "remote"
>>
>> If I provide invalid connection string to a closed port - I get
>> REFUSED, which is good
>>
>> But our concern is that our HTTP backend could start misbehaving
>> (returning 40x, 50x errors, invalid responses). During tests we
>> forced HTTP 500 response, and got NXDOMAIN unfortunately. Is there a
>> way to provide REFUSED/SERVFAIL in case http backend is misbehaving?
>>
>> On Wed, Feb 26, 2020 at 9:23 AM Aki Tuomi <cmouse at cmouse.fi> wrote:
>>> Hi!
>>>
>>> It is not really supported to split domains like this. You need to host
>>> the entire domain in remote backend.
>>>
>>> Aki
>>>
>>> On 26.2.2020 2.00, Vytenis A via Pdns-users wrote:
>>>> Hi Bert,
>>>>
>>>> Thanks for a prompt reply.
>>>>
>>>> This is currently on my local test VM, it's waay past midnight, I can
>>>> put it on resolvable domain tomorrow if this isn't helpful. Not sure
>>>> how to show you this exactly :)
>>>>
>>>> I'm using latest pDNS, using official repo:
>>>>
>>>> pdns-4.2.1-1pdns.el7.x86_64, CentOS 7.7.1908
>>>>
>>>>
>>>> Two backends:
>>>>
>>>> # /etc/pdns/pdns.conf:
>>>>
>>>> config-dir=/etc/pdns
>>>> setuid=pdns
>>>> setgid=pdns
>>>> log-dns-details=yes
>>>> log-dns-queries=yes
>>>> loglevel=6
>>>> launch=bind,remote
>>>> bind-config=/etc/pdns/bind-files/named.conf
>>>> remote-connection-string=http:url=http://invalidhostname:99999
>>>>
>>>>
>>>> Static bind backend contains one zone, which contains SOA and one 'IN
>>>> NS' record only.
>>>>
>>>> http endpoint is serving TXT records exclusively, and all is well if
>>>> it's reachable: queries get resolved, nonexistent TXT records get
>>>> NXDOMAIN
>>>>
>>>> But if http endpoint is invalidated (as in example above ^) - I get
>>>> NXDOMAIN. If I remove bind stuff out of pdns.conf - I get REFUSED,
>>>> which is somewhat the same as SERVFAIL afaik.
>>>>
>>>> bind backend is used to keep SOA out of "remote" backend, not 100%
>>>> sure it's the best way. We could implement entire zone in http backend
>>>> as a last resort.
>>>>
>>>> Thanks again!
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Feb 26, 2020 at 12:51 AM bert hubert <bert.hubert at powerdns.com> wrote:
>>>>> On Wed, Feb 26, 2020 at 12:35:21AM +0200, Vytenis A via Pdns-users wrote:
>>>>>> While trying to implement authoritative DNS server using "remote"
>>>>>> backend, I've stumbled into an issue when HTTP backend is unreachable
>>>>>> - PowerDNS is returning NXDOMAIN.
>>>>> Can you reproduce this for us so we can check? It is not supposed to ever
>>>>> happen. Please also let us know which version of PowerDNS you are using.
>>>>>
>>>>>> What I would like to achieve is return SERVFAIL in case my HTTP
>>>>>> endpoint is unavailable. Is this possible? Maybe Lua fallback backend
>>>>>> could assist here?
>>>>> This is what should be happening.
>>>>>
>>>>>         Bert
>>>>>
>>
>>
>> --
>> Vytenis
>
>

