[Pdns-users] SERVFAIL on backend failure - is this possible?

Vytenis A vytenis.adm at gmail.com
Wed Feb 26 10:53:51 UTC 2020


Issue: https://github.com/PowerDNS/pdns/issues/8866

If anyone has any ideas on how to work around it - that would be great

Thanks again!

On Wed, Feb 26, 2020 at 11:43 AM Aki Tuomi <cmouse at cmouse.fi> wrote:
>
> This is a bug, please file an issue at
> https://github.com/PowerDNS/pdns/issues
>
> Aki
>
> On 26.2.2020 11.24, Vytenis A wrote:
> > UPDATE: pDNS returns NXDOMAIN only when TXT query returns HTTP 500,
> > and SOA returns 200.
> >
> > We would like to keep SOA record statically defined in our backend,
> > and TXT is queried in DB. I guess pDNS treats remote DNS store as
> > healthy if SOA is OK, ignoring subsequent request status.
> >
> > On Wed, Feb 26, 2020 at 10:55 AM Vytenis A <vytenis.adm at gmail.com> wrote:
> >> Hi Aki!
> >>
> >> Ok, so I've implemented SOA into remote backend and dropped bind
> >> completely. The only backend active now is "remote"
> >>
> >> If I provide invalid connection string to a closed port - I get
> >> REFUSED, which is good
> >>
> >> But our concern is that our HTTP backend could start misbehaving
> >> (returning 40x, 50x errors, invalid responses). During tests we
> >> forced HTTP 500 response, and got NXDOMAIN unfortunately. Is there a
> >> way to provide REFUSED/SERVFAIL in case http backend is misbehaving?
> >>
> >> On Wed, Feb 26, 2020 at 9:23 AM Aki Tuomi <cmouse at cmouse.fi> wrote:
> >>> Hi!
> >>>
> >>> It is not really supported to split domains like this. You need to host
> >>> the entire domain in remote backend.
> >>>
> >>> Aki
> >>>
> >>> On 26.2.2020 2.00, Vytenis A via Pdns-users wrote:
> >>>> Hi Bert,
> >>>>
> >>>> Thanks for a prompt reply.
> >>>>
> >>>> This is currently on my local test VM, it's waay past midnight, I can
> >>>> put it on resolvable domain tomorrow if this isn't helpful. Not sure
> >>>> how to show you this exactly :)
> >>>>
> >>>> I'm using latest pDNS, using official repo:
> >>>>
> >>>> pdns-4.2.1-1pdns.el7.x86_64, CentOS 7.7.1908
> >>>>
> >>>>
> >>>> Two backends:
> >>>>
> >>>> # /etc/pdns/pdns.conf:
> >>>>
> >>>> config-dir=/etc/pdns
> >>>> setuid=pdns
> >>>> setgid=pdns
> >>>> log-dns-details=yes
> >>>> log-dns-queries=yes
> >>>> loglevel=6
> >>>> launch=bind,remote
> >>>> bind-config=/etc/pdns/bind-files/named.conf
> >>>> remote-connection-string=http:url=http://invalidhostname:99999
> >>>>
> >>>>
> >>>> Static bind backend contains one zone, which contains SOA and one 'IN
> >>>> NS' record only.
> >>>>
> >>>> http endpoint is serving TXT records exclusively, and all is well if
> >>>> it's reachable: queries get resolved, nonexistent TXT records get
> >>>> NXDOMAIN
> >>>>
> >>>> But if http endpoint is invalidated (as in example above ^) - I get
> >>>> NXDOMAIN. If I remove bind stuff out of pdns.conf - I get REFUSED,
> >>>> which is somewhat the same as SERVFAIL afaik.
> >>>>
> >>>> bind backend is used to keep SOA out of "remote" backend, not 100%
> >>>> sure it's the best way. We could implement entire zone in http backend
> >>>> as a last resort.
> >>>>
> >>>> Thanks again!
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On Wed, Feb 26, 2020 at 12:51 AM bert hubert <bert.hubert at powerdns.com> wrote:
> >>>>> On Wed, Feb 26, 2020 at 12:35:21AM +0200, Vytenis A via Pdns-users wrote:
> >>>>>> While trying to implement authoritative DNS server using "remote"
> >>>>>> backend, I've stumbled into an issue when HTTP backend is unreachable
> >>>>>> - PowerDNS is returning NXDOMAIN.
> >>>>> Can you reproduce this for us so we can check? It is not supposed to ever
> >>>>> happen. Please also let us know which version of PowerDNS you are using.
> >>>>>
> >>>>>> What I would like to achieve is return SERVFAIL in case my HTTP
> >>>>>> endpoint is unavailable. Is this possible? Maybe Lua fallback backend
> >>>>>> could assist here?
> >>>>> This is what should be happening.
> >>>>>
> >>>>>         Bert
> >>>>>
> >>
> >>
> >> --
> >> Vytenis
> >
> >



-- 
Vytenis
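
Added example, not part of the original message and not PowerDNS code: a monitoring check for the condition described in this thread, where the HTTP backend is failing but the authoritative server still answers NXDOMAIN instead of SERVFAIL or REFUSED. The function names, the constructed sample packets and the "HTTP status >= 400 means failed" threshold are assumptions made for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXT = 16

def build_query(qname, qtype=TXT, qid=0x1234):
    """Encode a minimal DNS query: one question, class IN, no flags set."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_rcode(response, qid=0x1234):
    """Return the RCODE name from a DNS response, checking ID and QR bit."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    code = flags & 0x000F
    return RCODES.get(code, f"RCODE{code}")

def query_rcode(server, qname, port=53, timeout=2.0):
    """Send the TXT query over UDP to the authoritative server under test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (server, port))
        return parse_rcode(sock.recvfrom(4096)[0])

def masked_failure(backend_http_status, rcode):
    """True when the backend errored (None = unreachable) but DNS did not
    signal an error, i.e. the NXDOMAIN-on-HTTP-500 case from the thread."""
    failed = backend_http_status is None or backend_http_status >= 400
    return failed and rcode in ("NXDOMAIN", "NOERROR")

# Constructed sample responses (header only): QR+AA with RCODE 3, QR with RCODE 2.
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8403, 1, 0, 1, 0)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8002, 1, 0, 0, 0)

if __name__ == "__main__":
    for status, pkt in ((500, SAMPLE_NXDOMAIN), (500, SAMPLE_SERVFAIL)):
        rcode = parse_rcode(pkt)
        print(status, rcode, "ALERT" if masked_failure(status, rcode) else "ok")
```

In a live check, `query_rcode()` would be pointed at the authoritative server and the HTTP status taken from a direct probe of the backend for the same name.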

