[Pdns-users] recursor: Possible bug in accepting / rejecting additional answers?

Paul Fletcher paul.fletcher at broadcom.com
Mon Aug 30 09:08:16 UTC 2021 

Thank you both; I do now at least understand why it's behaving as it is; I missed that the first response was actually from the com server, and therefore authoritative for adpclaims.com.

Obviously I support Frank's feature request, but unfortunately I'm not able to offer much in the way of "how".

Paul


On 30/08/2021, 09:54, "Pdns-users on behalf of Remi Gacogne via Pdns-users" <pdns-users-bounces at mailman.powerdns.com on behalf of pdns-users at mailman.powerdns.com> wrote:

    Hi,

    I think I have to clarify a bit here. The first question was why the 
    recursor doesn't accept the A records from the delegated name server’s 
    response. For the record I believe we are talking about this response, 
    received from one of the servers returned in the delegation from one of 
    the com name server:

    ;; QUESTION SECTION:
    ;solera.com.                    IN      MX

    ;; ANSWER SECTION:
    solera.com.             300     IN      MX      10 
    solera-com.mail.protection.outlook.com.

    ;; AUTHORITY SECTION:
    solera.com.             1800    IN      NS      dns2.adpclaims.com.
    solera.com.             1800    IN      NS      dns1.adpclaims.com.

    ;; ADDITIONAL SECTION:
    dns1.adpclaims.com.     1800    IN      A       170.76.174.203
    dns2.adpclaims.com.     1800    IN      A       170.76.174.204

    The recursor can accept the records in the answer and authority sections 
    because they are at or below solera.com, which we know this name server 
    to be authoritative for. The A records in the additional section are in 
    the adpclaims.com zone, and at this point we have no way of knowing 
    whether this server is authoritative for that zone so we _have_ to 
    reject them, otherwise we would open ourselves to a cache pollution 
    security issue.
    The A records in the response from the com name server were accepted 
    because adpclaims.com is below com, which we knew the name server to be 
    authoritative for.

    Then the second part, the one Frank has been answering below, is about 
    the recursor replacing the non-authoritative NS set with the 
    authoritative one. There is a long discussion about that on our issue 
    tracker [1]. Basically we follow rfc2181 section-5.4.1 and we believe 
    it's the right call, but we do agree with Frank that it would be nice to 
    be able to fall back to the non-authoritative NS set when that one is 
    clearly broken. We are trying to find a way to implement that without 
    opening ourselves to a security flaw, or making well-configured zones 
    bear the burden of broken ones. As always, suggestions and pull requests 
    are very welcome.

    [1]: https://github.com/PowerDNS/pdns/issues/10594

    Hope that helps,

    Remi

    On 8/30/21 9:55 AM, frank+pdns--- via Pdns-users wrote:
    > Hi Paul,
    > 
    > This is a design choice by PowerDNS, which is defendable: the domain is 
    > misconfigured and the RFCs don't clearly which option to take in such a 
    > case. Unfortunately, Google and Unbound toke a different option, so when 
    > the customer verifies against 8.8.8.8, it will just work. Also 
    > unfortunately, PowerDNS took the option of having the return depend on 
    > the state of cache, meaning that depending on the order you execute the 
    > queries in, you'll get a different result.
    > 
    > I've had long discussions with the core maintainers and discussion 
    > makers at PowerDNS, but – for now – they won't change this behaviour.
    > 
    > Kind Regards,
    > 
    > Frank
    > 
    > 
    > 
    >> On 28 Aug 2021, at 9:43 AM, Paul Fletcher via Pdns-users 
    >> <pdns-users at mailman.powerdns.com 
    >> <mailto:pdns-users at mailman.powerdns.com>> wrote:
    >>
    >> Hello,
    >> We are having problems with pdns-recursor when resolving an MX record 
    >> for a domain whose delegation is partially mis-configured.  Whilst 
    >> that mis-configuration is clearly the trigger for the problem, the 
    >> behaviour of pdns is tunring a small problem into a big one, when 
    >> other recursors do not appear to do so.
    >> Version:4.5.5(also seen in earlier versions)
    >> OS: CentOS7
    >> Description of the problem:
    >> Initial discovery of NS for the domain gets an answer from 
    >> gtld-servers.  The answer includes:
    >>
    >>   * 4 NS names; two are in the domain itself, and two are in an
    >>     unrelated zone.  TTL=172800
    >>   * A records / IP addresses for those 4 names (one per name).  TTL=172800
    >>
    >> Two of the IP addresses are incorrect.  The four name servers are 
    >> cached, as are the four A records.
    >> Recursor then goes on to one of the name servers, for which it has a 
    >> valid IP.  (In fact the IP in the A record is for a different one of 
    >> the name servers to the one which the initial answer said it was for, 
    >> but it is nevertheless the IP of a valid name server for the domain).  
    >> It queries the MX record, and gets back a response.  The response includes
    >>
    >>   * The MX record, with TTL=300
    >>   * 2 NS servers (two of the four which were in the parent response). 
    >>     TTL=1800
    >>   * A records for those 2 servers.  TTL=1800
    >>
    >> This time the A records are correct.  However, whilst recursor 
    >> replaces the previous NS records in the cache, it does NOT replace the 
    >> A records.  In older versions it says
    >> “Accept answer? NO!”
    >> In newer versions it says
    >> “Removing record  in the 3 section”
    >> So now if we look up the MX record again after its TTL has expired, 
    >> recursor correctly identifies the names of the two name servers to use 
    >> from cache.  It then tries to resolve those to IPs, which it does by 
    >> using the incorrect A records that were cached from the first 
    >> response.  And since they are not accessible, the query times out.  
    >> Nothing works until the 1800 TTL on the name servers expires, at which 
    >> point we go back to the start, getting 4 name servers and 4 IPs, two 
    >> of which work and allow us to resolve the query this one time only.
    >> I don’t understand why the recursor accepted and cached the A records 
    >> which it got in the response from the gtld-servers – even though the 
    >> two important ones are in a different zone, with nothing to indicate 
    >> that gtld-servers are authoritative for that zone; but it doesn’t 
    >> accept the A records from the delegated name server’s response.  Is 
    >> there something we can do to alter this behaviour?  If it either 
    >> accepted them in both cases or rejected them in both cases, everything 
    >> would work despite the slightly broken initial response.  As I say, we 
    >> don’t see this problem with other recursive resolvers.
    >> The domain issolera.com <http://solera.com/>.
    >> Thanks for any pointers.
    >> Paul
    >>
    >> This electronic communication and the information and any files 
    >> transmitted with it, or attached to it, are confidential and are 
    >> intended solely for the use of the individual or entity to whom it is 
    >> addressed and may contain information that is confidential, legally 
    >> privileged, protected by privacy laws, or otherwise restricted from 
    >> disclosure to anyone else. If you are not the intended recipient or 
    >> the person responsible for delivering the e-mail to the intended 
    >> recipient, you are hereby notified that any use, copying, 
    >> distributing, dissemination, forwarding, printing, or copying of this 
    >> e-mail is strictly prohibited. If you received this e-mail in error, 
    >> please return the e-mail to the sender, delete it from your computer, 
    >> and destroy any printed copy of 
    >> it._______________________________________________
    >> Pdns-users mailing list
    >> Pdns-users at mailman.powerdns.com <mailto:Pdns-users at mailman.powerdns.com>
    >> https://mailman.powerdns.com/mailman/listinfo/pdns-users 
    >> <https://mailman.powerdns.com/mailman/listinfo/pdns-users>
    > 
    > Frank Louwers
    > PowerDNS Certified Consultant @ Kiwazo.be <http://Kiwazo.be>
    > 
    > 
    > 
    > 
    > 
    > _______________________________________________
    > Pdns-users mailing list
    > Pdns-users at mailman.powerdns.com
    > https://mailman.powerdns.com/mailman/listinfo/pdns-users
    > 


    _______________________________________________
    Pdns-users mailing list
    Pdns-users at mailman.powerdns.com
    https://mailman.powerdns.com/mailman/listinfo/pdns-users



-- 
This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for 
the use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are 
not the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, you are hereby notified that any use, 
copying, distributing, dissemination, forwarding, printing, or copying of 
this e-mail is strictly prohibited. If you received this e-mail in error, 
please return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4212 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20210830/27e4ac3b/attachment.bin>

More information about the Pdns-users mailing list