[Pdns-users] pdns-recursor suddenly started to answer with content from . zone instead of what is configured in forward.zones.
Thomas Mieslinger
miesi at mail.com
Tue Sep 21 11:53:26 UTC 2021
Hi,
we're experiencing the problem that pdns_recursor (4.3.5 and 4.5.1)
answers with the information from the . zone instead of what we have
configured in forward.zones.
Some configuration details (please name the setting you additionally
need to diagnose the problem further)
forward.zones:
...
+united.domain=172.19.254.20,172.19.254.21,172.19.254.22,172.19.254.23
... (it is a file with 344 lines)
nta.lua:
...
addNTA('united.domain')
addNTA('domain')
... (it is a file with 343 lines)
When freshly started or after `rec_control wipe-cache united.domain` the
answer is correct and like this:
$ dig united.domain
; <<>> DiG 9.16.20-RH <<>> united.domain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11702
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;united.domain. IN A
;; ANSWER SECTION:
united.domain. 589 IN A 10.76.121.36
united.domain. 589 IN A 10.76.121.2
united.domain. 589 IN A 10.76.121.4
united.domain. 589 IN A 10.76.121.34
After a while (we don't know what triggers it), the answer starts to
look like this:
$ dig united.domain +dnssec +multiline
; <<>> DiG 9.11.35-RedHat-9.11.35-1.fc33 <<>> united.domain +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28509
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;united.domain. IN A
;; AUTHORITY SECTION:
. 80 IN SOA a.root-servers.net.
nstld.verisign-grs.com. (
2021091700 ; serial
1800 ; refresh (30 minutes)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
. 80 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY
dog. 80 IN NSEC domains. NS DS RRSIG NSEC
. 80 IN RRSIG SOA 8 0 86400 (
20210930050000 20210917040000 26838 .
a8KnzPW3Psg0y/ViDhIggp5Eh90QtN3EePUWsVwiu4fl
bLgBPP/4tI9xETkroVYwNweGpEZ+ikURMptxD/UKO9Jp
xMTA1OEVCY7ZCAHpRJdCrnJTKA/CZ2OB663Qn3fm5jmn
ulS6DEO/mpjbzOzuEABIejZ1TQoE4YKtsINAY+qWox4r
n8A1pGbpcUDI5FcuYwVhIMoRN0DLH7lLMCfnS4ax8NWc
aEZng4MYjH4uoXO0eKjiFm7q+F6DmmJHFClnWNoBygR2
rOjzcBygTIQNbAw8hRrhL7IeK9DO1wn1/ElWo9ku0etV
2dPI7309bIwcb/FfcO8JmMnSG+ua1pswnA== )
. 80 IN RRSIG NSEC 8 0 86400 (
20210930050000 20210917040000 26838 .
IDuGEztug9Rw+kfmn8p5BtCI0HNsJZErAw8WU9z2P7WZ
IE7HxhCGznO4mSXH+hSeCyHgK/zqBQF/yyFI+K3gHy0i
90YNEWVLzJIpGNes2nWfMWmlKa0zBgnECnY8FIXiAkcC
JOFvXjdBlnPo+9E/ArG5fmHx119k+GtnGv9rSovYA2l1
SXG7kR5ZobPUokssWKwYWYqq/zGILeDPrYYe3Fod/HvF
w846BsxEQ+iZEmNNezp6cj2SUj+sjH4/jtjHrXkWEbTx
H7yQ4y7qMOYQ0AU47xU3PcZ2F4wJSFhrdKxKLtDL1lq0
JR7whIaHEwKcSfWQqXy0d4uckrRIHvsU5Q== )
dog. 80 IN RRSIG NSEC 8 1 86400 (
20210930050000 20210917040000 26838 .
ErJ0k73SHWxxeoKJaEYPtrsb7tOGlufC2RVzMt5MzA6W
8k41/xa0rjXT3NYFdYg8pNQAqmKEuN7CET8j+TzUBgtW
CiOTNXl9T8cZWHuy4fcAnJyUYVuWzIvt4cXtIr0DS+vG
VpGnoRITsWcb1re7upzM5+vsqRudMwKjuFJ8gKic6m9f
QX0F4h56Mlfr5orOD+lVqNT7AZFpEZeW+ci+szLjTI/L
HY2UeXet/DZcPdBxEZbCzl4kdymiOzTl7QEK9JU611OG
O5cAC/DAJjDM8nejs9G/eR9dcp/du94kuXc3n1kf2OIn
D7eHEx2AATDCN02rcJeKwhkr20SNMp+aAw== )
Activating trace-regex for united.domain gives the following output in
the case of the second answer.
pdns_recursor[2094]: 1 [808808419/2] question for 'united.domain|A' from
10.76.173.43:50102
pdns_recursor[2094]: united.domain: Wants DNSSEC processing, auth data
in query for A
pdns_recursor[2094]: united.domain: Looking for CNAME cache hit of
'united.domain|CNAME'
pdns_recursor[2094]: united.domain: Looking for DNAME cache hit of
'united.domain|DNAME' or its ancestors
pdns_recursor[2094]: united.domain: No CNAME or DNAME cache hit of
'united.domain' found
pdns_recursor[2094]: united.domain: Entire name 'united.domain is
negatively cached via '.' for another 119 seconds
pdns_recursor[2094]: united.domain: updating validation state with
negative cache content for united.domain to Insecure
We have checked that 172.19.254.20 172.19.254.21 172.19.254.22
172.19.254.23 are answering for united.domain and were/are available all
the time.
Cheers Thomas
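A small check for the failure mode described in this thread, added here as an example and not code from the post or from PowerDNS: it parses dig output and flags a negative answer whose AUTHORITY SOA belongs to a zone above the forwarded zone (here the root, "."), which is the state the trace shows. The forwarded zone name and the abbreviated dig samples are constructed from the outputs quoted above.

```python
import re

# Assumed forwarded zone (taken from the forward.zones line in the post).
FORWARD_ZONE = "united.domain."

# Constructed samples, abbreviated from the two dig outputs quoted above.
GOOD_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11702
;; ANSWER SECTION:
united.domain. 589 IN A 10.76.121.36
"""
BAD_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28509
;; AUTHORITY SECTION:
. 80 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
2021091700 ; serial
)
. 80 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY
"""

def dig_status(text):
    """RCODE from the dig header line, e.g. 'NOERROR' or 'NXDOMAIN'."""
    m = re.search(r"status: ([A-Z]+)", text)
    return m.group(1) if m else None

def authority_soa_owner(text):
    """Owner name of the SOA in the AUTHORITY SECTION, or None if absent."""
    in_auth = False
    for line in text.splitlines():
        if line.startswith(";; AUTHORITY SECTION"):
            in_auth = True
            continue
        if in_auth and line.startswith(";;"):
            break  # reached the next section
        fields = line.split()
        if in_auth and len(fields) >= 4 and fields[2:4] == ["IN", "SOA"]:
            return fields[0]  # e.g. "." when the root zone answered
    return None

def is_proper_ancestor(zone, name):
    # Both names absolute (dot-terminated); "." is above everything but itself.
    return name != zone and (zone == "." or name.endswith("." + zone))

def check_forwarded_answer(text, forward_zone=FORWARD_ZONE):
    """Return (status, soa_owner, suspicious); suspicious means the negative
    answer was synthesised from a zone above the forwarded zone."""
    status = dig_status(text)
    owner = authority_soa_owner(text)
    suspicious = owner is not None and is_proper_ancestor(owner, forward_zone)
    return status, owner, suspicious
```

Run it against `dig united.domain +dnssec` output from the recursor; a suspicious result means the forwarded zone has been shadowed by a negative cache entry from an ancestor zone.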