[Pdns-users] pdns-recursor suddenly started to answer with content from . zone instead of what is configured in forward.zones.

Thomas Mieslinger miesi at mail.com
Tue Sep 21 11:53:26 UTC 2021


Hi,

we're experiencing the problem that pdns_recursor (4.3.5 and 4.5.1)
answers with the information from the . zone instead of what we have
configured in forward.zone.

Some configuration details (please name the setting you additionally
need to diagnose the problem further)

forward.zones:
...
+united.domain=172.19.254.20,172.19.254.21,172.19.254.22,172.19.254.23
... (it is a file with 344 lines)

nta.lua:
...
addNTA('united.domain')
addNTA('domain')
... (it is a file with 343 lines)

When freshly started or after `rec_control wipe-cache united.domain` the
answer is correct and like this:

$ dig united.domain
; <<>> DiG 9.16.20-RH <<>> united.domain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11702
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;united.domain.			IN	A

;; ANSWER SECTION:
united.domain.		589	IN	A	10.76.121.36
united.domain.		589	IN	A	10.76.121.2
united.domain.		589	IN	A	10.76.121.4
united.domain.		589	IN	A	10.76.121.34

After a while (we don't know what triggers it), the answer starts to
look like this:

$ dig united.domain +dnssec +multiline

; <<>> DiG 9.11.35-RedHat-9.11.35-1.fc33 <<>> united.domain +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28509
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;united.domain.         IN A

;; AUTHORITY SECTION:
.                       80 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
                                 2021091700 ; serial
                                 1800       ; refresh (30 minutes)
                                 900        ; retry (15 minutes)
                                 604800     ; expire (1 week)
                                 86400      ; minimum (1 day)
                                 )
.                       80 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY
dog.                    80 IN NSEC domains. NS DS RRSIG NSEC
.                       80 IN RRSIG SOA 8 0 86400 (
                                 20210930050000 20210917040000 26838 .
                                 a8KnzPW3Psg0y/ViDhIggp5Eh90QtN3EePUWsVwiu4fl
                                 bLgBPP/4tI9xETkroVYwNweGpEZ+ikURMptxD/UKO9Jp
                                 xMTA1OEVCY7ZCAHpRJdCrnJTKA/CZ2OB663Qn3fm5jmn
                                 ulS6DEO/mpjbzOzuEABIejZ1TQoE4YKtsINAY+qWox4r
                                 n8A1pGbpcUDI5FcuYwVhIMoRN0DLH7lLMCfnS4ax8NWc
                                 aEZng4MYjH4uoXO0eKjiFm7q+F6DmmJHFClnWNoBygR2
                                 rOjzcBygTIQNbAw8hRrhL7IeK9DO1wn1/ElWo9ku0etV
                                 2dPI7309bIwcb/FfcO8JmMnSG+ua1pswnA== )
.                       80 IN RRSIG NSEC 8 0 86400 (
                                 20210930050000 20210917040000 26838 .
                                 IDuGEztug9Rw+kfmn8p5BtCI0HNsJZErAw8WU9z2P7WZ
                                 IE7HxhCGznO4mSXH+hSeCyHgK/zqBQF/yyFI+K3gHy0i
                                 90YNEWVLzJIpGNes2nWfMWmlKa0zBgnECnY8FIXiAkcC
                                 JOFvXjdBlnPo+9E/ArG5fmHx119k+GtnGv9rSovYA2l1
                                 SXG7kR5ZobPUokssWKwYWYqq/zGILeDPrYYe3Fod/HvF
                                 w846BsxEQ+iZEmNNezp6cj2SUj+sjH4/jtjHrXkWEbTx
                                 H7yQ4y7qMOYQ0AU47xU3PcZ2F4wJSFhrdKxKLtDL1lq0
                                 JR7whIaHEwKcSfWQqXy0d4uckrRIHvsU5Q== )
dog.                    80 IN RRSIG NSEC 8 1 86400 (
                                 20210930050000 20210917040000 26838 .
                                 ErJ0k73SHWxxeoKJaEYPtrsb7tOGlufC2RVzMt5MzA6W
                                 8k41/xa0rjXT3NYFdYg8pNQAqmKEuN7CET8j+TzUBgtW
                                 CiOTNXl9T8cZWHuy4fcAnJyUYVuWzIvt4cXtIr0DS+vG
                                 VpGnoRITsWcb1re7upzM5+vsqRudMwKjuFJ8gKic6m9f
                                 QX0F4h56Mlfr5orOD+lVqNT7AZFpEZeW+ci+szLjTI/L
                                 HY2UeXet/DZcPdBxEZbCzl4kdymiOzTl7QEK9JU611OG
                                 O5cAC/DAJjDM8nejs9G/eR9dcp/du94kuXc3n1kf2OIn
                                 D7eHEx2AATDCN02rcJeKwhkr20SNMp+aAw== )


Activating trace-regex for united.domain gives the following output in
case of the second answer.

pdns_recursor[2094]: 1 [808808419/2] question for 'united.domain|A' from
10.76.173.43:50102
pdns_recursor[2094]: united.domain: Wants DNSSEC processing, auth data
in query for A
pdns_recursor[2094]: united.domain: Looking for CNAME cache hit of
'united.domain|CNAME'
pdns_recursor[2094]: united.domain: Looking for DNAME cache hit of
'united.domain|DNAME' or its ancestors
pdns_recursor[2094]: united.domain: No CNAME or DNAME cache hit of
'united.domain' found
pdns_recursor[2094]: united.domain: Entire name 'united.domain is
negatively cached via '.' for another 119 seconds
pdns_recursor[2094]: united.domain: updating validation state with
negative cache content for united.domain to Insecure

We have checked that 172.19.254.20 172.19.254.21 172.19.254.22
172.19.254.23 are answering for united.domain and were/are available all
the time.

Cheers Thomas
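The trace line "Entire name 'united.domain is negatively cached via '.'" is the tell-tale in this report: a negative entry learned from the root (an ancestor of the forwarded zone) is answering for a name that forward.zones says should go to the internal servers. The following added example (not code from the post or from PowerDNS) shows a small check a defender can run over the recursor's trace output and forward-zones file to flag exactly that condition and print the `rec_control wipe-cache` workaround the post mentions. It assumes the forward-zones-file syntax and the trace line format as shown in the post; the zone list and log lines below are constructed.

```python
"""Flag forwarded zones that are being shadowed by a negative cache entry
learned from an ancestor zone (e.g. the root).  Added example, not
PowerDNS code; sample input below is constructed."""
import re

# Constructed excerpt in forward-zones-file syntax ('+' = forward-recurse).
FORWARD_ZONES = """\
# constructed excerpt
+united.domain=172.19.254.20,172.19.254.21,172.19.254.22,172.19.254.23
corp.example=10.0.0.53
"""

# Constructed trace lines modelled on the trace-regex output in the post
# (note the recursor's own missing closing quote after the name).
TRACE_LOG = """\
pdns_recursor[2094]: united.domain: Entire name 'united.domain is negatively cached via '.' for another 119 seconds
pdns_recursor[2094]: corp.example: Entire name 'corp.example is negatively cached via 'corp.example' for another 50 seconds
pdns_recursor[2094]: www.other.test: Entire name 'www.other.test is negatively cached via '.' for another 10 seconds
"""

NEG_CACHE_RE = re.compile(
    r"Entire name '(?P<name>[^' ]+)'? is negatively cached via "
    r"'(?P<via>[^']+)' for another (?P<ttl>\d+) seconds"
)


def canon(name):
    """Lower-case and strip the trailing dot; the root '.' becomes ''."""
    return name.strip().lower().rstrip(".")


def parse_forward_zones(text):
    """Return {zone: (forward_recurse, [server, ...])} from forward-zones-file text."""
    zones = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        zone, _, servers = line.partition("=")
        recurse = zone.startswith("+")
        zones[canon(zone.lstrip("+"))] = (
            recurse, [s.strip() for s in servers.split(",") if s.strip()])
    return zones


def is_ancestor(ancestor, name):
    """'' (root) is an ancestor of everything; 'domain' of 'united.domain'."""
    return ancestor == "" or name == ancestor or name.endswith("." + ancestor)


def forwarded_zone_for(name, zones):
    """Longest-suffix match: the forward zone that should serve this name."""
    labels = canon(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def find_shadowed_forwards(forward_text, log_text):
    """Negative-cache trace lines whose source zone lies above the forward zone."""
    zones = parse_forward_zones(forward_text)
    hits = []
    for line in log_text.splitlines():
        m = NEG_CACHE_RE.search(line)
        if not m:
            continue
        name, via, ttl = canon(m["name"]), canon(m["via"]), int(m["ttl"])
        zone = forwarded_zone_for(name, zones)
        # A negative entry owned by a zone *above* the forward zone means the
        # configured forwarders were bypassed for this name.
        if zone is not None and via != zone and is_ancestor(via, zone):
            hits.append({"name": name, "zone": zone, "via": m["via"], "ttl": ttl,
                         "servers": zones[zone][1],
                         "fix": f"rec_control wipe-cache {zone}"})
    return hits


if __name__ == "__main__":
    for h in find_shadowed_forwards(FORWARD_ZONES, TRACE_LOG):
        print(f"{h['name']}: negative answer from '{h['via']}' shadows forward "
              f"zone {h['zone']} ({', '.join(h['servers'])}) for {h['ttl']}s; "
              f"workaround: {h['fix']}")
```

Only the first constructed line is reported: corp.example is negatively cached by its own forward zone (a legitimate NXDOMAIN from the forwarders), and www.other.test has no forward zone at all, so a root-derived negative answer is expected there.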

