[Pdns-users] DNSSEC and CNAME records results NXDOMAIN

Klaus Darilion klaus.darilion at nic.at
Fri Apr 22 19:41:27 UTC 2022


I think I have found the problem:

Your name server also has configured a root zone:

# dig @ns1.mijn.host. sdfdsafdsagdafdgsdgffg.dfdsafs

; <<>> DiG 9.11.3-1ubuntu1.17-Ubuntu <<>> @ns1.mijn.host. sdfdsafdsagdafdgsdgffg.dfdsafs
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55422
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sdfdsafdsagdafdgsdgffg.dfdsafs.        IN      A

;; AUTHORITY SECTION:
.                       3600    IN      SOA     ns1.mijn.host. hostmaster. 1643556361 10800 3600 604800 3600


PowerDNS has a feature (or bug) to follow CNAMEs if PowerDNS finds the target in its own zones. As your PowerDNS has also configured a root zone, this root zone matches for egogo.nl (and any other zone) and PowerDNS searches inside this root zone for the CNAME target. As the CNAME target is not found in the local root zone, NXDOMAIN is returned, and that may confuse resolvers into not following the CNAME.

Hence, remove the root zone from your PowerDNS.

regards
Klaus



> -----Original Message-----
> From: Marijn <marijn at egogo.nl>
> Sent: Friday, 22 April 2022 19:18
> To: Klaus Darilion <klaus.darilion at nic.at>; pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN
> 
> I fill the records with the API.
> However when I check the SOA file (see below) it looks correct
> (hostmaster.egogo.eu).
> But with "dig @ns1.mijn.host. autodiscover.egogo.eu" it shows an
> incorrect value.
> 
> MariaDB [powerdns]> SELECT * FROM domains WHERE id = 9644;
> +------+----------+--------+------------+--------+-----------------+---------+
> | id   | name     | master | last_check | type   | notified_serial |
> account |
> +------+----------+--------+------------+--------+-----------------+---------+
> | 9644 | egogo.eu |        |       NULL | MASTER |      1650634625 |
>      |
> +------+----------+--------+------------+--------+-----------------+---------+
> 1 row in set (0.00 sec)
> 
> MariaDB [powerdns]> SELECT * FROM records WHERE domain_id = 9644;
> +---------+-----------+------------------------+-------+-----------------------------------
> ----------------------------------+------+------+----------+---------------+------+
> | id      | domain_id | name                   | type  | content
>                                                      | ttl  | prio |
> disabled | ordername     | auth |
> +---------+-----------+------------------------+-------+-----------------------------------
> ----------------------------------+------+------+----------+---------------+------+
> | 7909392 |      9644 | egogo.eu               | NS    | ns1.mijn.host
>                                                      | 3600 |    0 |
>    0 |               |    1 |
> | 7909393 |      9644 | egogo.eu               | NS    | ns2.mijn.host
>                                                      | 3600 |    0 |
>    0 |               |    1 |
> | 7909394 |      9644 | egogo.eu               | NS    | ns3.mijn.host
>                                                      | 3600 |    0 |
>    0 |               |    1 |
> | 7910921 |      9644 | autodiscover.egogo.eu  | CNAME |
> autodiscover.outlook.com                                            |
> 900 |    0 |        0 | autodiscover  |    1 |
> | 7910922 |      9644 | autodiscover2.egogo.eu | CNAME | egogo.nl
>                                                      |  900 |    0 |
>    0 | autodiscover2 |    1 |
> | 7910923 |      9644 | *.egogo.eu             | A     | 54.36.54.239
>                                                      |  900 |    0 |
>    0 | *             |    1 |
> | 7910924 |      9644 | egogo.eu               | MX    | mail.egogo.eu
>                                                      |  900 |   10 |
>    0 |               |    1 |
> | 7910925 |      9644 | egogo.eu               | A     | 54.36.54.239
>                                                      |  900 |    0 |
>    0 |               |    1 |
> | 7910926 |      9644 | egogo.eu               | SOA   | ns1.mijn.host
> hostmaster.egogo.eu 1650634625 10800 3600 604800 3600 | 3600 |    0 |
>      0 |               |    1 |
> +---------+-----------+------------------------+-------+-----------------------------------
> ----------------------------------+------+------+----------+---------------+------+
> 9 rows in set (0.01 sec)
> 
> MariaDB [powerdns]> SELECT * FROM cryptokeys WHERE domain_id = 9644;
> +------+-----------+-------+--------+-----------+-----------------------------------------
> ---------------------------------------------------------------------------+
> | id   | domain_id | flags | active | published | content
> 
>                     |
> +------+-----------+-------+--------+-----------+-----------------------------------------
> ---------------------------------------------------------------------------+
> | 9603 |      9644 |   257 |      1 |         1 | Private-key-format:
> v1.2
> Algorithm: 13 (ECDSAP256SHA256)
> PrivateKey: [HIDDEN]
>   |
> +------+-----------+-------+--------+-----------+-----------------------------------------
> ---------------------------------------------------------------------------+
> 1 row in set (0.00 sec)
> 
> MariaDB [powerdns]> SELECT * FROM domainmetadata WHERE domain_id =
> 9644;
> +-------+-----------+--------------+---------+
> | id    | domain_id | kind         | content |
> +-------+-----------+--------------+---------+
> | 28902 |      9644 | API-RECTIFY  | 1       |
> | 28901 |      9644 | SOA-EDIT-API | EPOCH   |
> +-------+-----------+--------------+---------+
> 2 rows in set (0.00 sec)
> 
> $ pdnsutil show-zone egogo.eu
> This is a Master zone
> Last SOA serial number we notified: 1650634625 == 1650634625 (serial in
> the database)
> Metadata items:
> 	API-RECTIFY	1
> 	SOA-EDIT-API	EPOCH
> Zone has NSEC semantics
> keys:
> ID = 9603 (CSK), flags = 257, tag = 14759, algo = 13, bits = 256
> Active	 Published  ( ECDSAP256SHA256 )
> CSK DNSKEY = egogo.eu. IN DNSKEY 257 3 13 [HIDDEN] ; ( ECDSAP256SHA256
> )
> DS = egogo.eu. IN DS 14759 13 1
> bc33e7dfe6ad30a0744c5f238d6acb8f0ffdfbd3
> ; ( SHA1 digest )
> DS = egogo.eu. IN DS 14759 13 2
> 5b575f4eb351432995808a5c5a5e94d7459760c315248a344ec63c1f273c52f3 ; (
> SHA256 digest )
> DS = egogo.eu. IN DS 14759 13 4
> 559f28bb6bf445611ddfc34d1c590f784c9472a6ff1a2adae36225c0f597343ce318
> 990ed86531d49bfdad0e35fef6b0
> ; ( SHA-384 digest )
> 
> 
> $ pdnsutil list-zone egogo.eu
> $ORIGIN .
> *.egogo.eu	900	IN	A	54.36.54.239
> autodiscover.egogo.eu	900	IN	CNAME
> 	autodiscover.outlook.com.
> autodiscover2.egogo.eu	900	IN	CNAME	egogo.nl.
> egogo.eu	900	IN	A	54.36.54.239
> egogo.eu	900	IN	MX	10 mail.egogo.eu.
> egogo.eu	3600	IN	NS	ns1.mijn.host.
> egogo.eu	3600	IN	NS	ns2.mijn.host.
> egogo.eu	3600	IN	NS	ns3.mijn.host.
> egogo.eu	3600	IN	SOA	ns1.mijn.host hostmaster.egogo.eu
> 1650634625 10800
> 3600 604800 3600
> 
> 
> Klaus Darilion via Pdns-users wrote on 2022-04-22 18:59:
> > And how do you fill records into the mysql db? Can you show the
> > relevant rows of the records and domains table?
> > regards
> > Klaus
> >
> >> -----Original Message-----
> >> From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On
> >> behalf of Marijn via Pdns-users
> >> Sent: Friday, 22 April 2022 18:54
> >> To: pdns-users at mailman.powerdns.com
> >> Subject: Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN
> >>
> >> I have pdnsutil 4.5.4 running with MySQL backend and native MySQL
> >> replication.
> >>
> >> In pdns.conf I have the following value. Maybe the @ doesn't work?
> >>
> >> default-soa-content=ns1.mijn.host hostmaster.@ 0 10800 3600 604800
> >> 3600
> >>
> >> Klaus Darilion wrote on 2022-04-22 18:06:
> >> > I do not see any difference of the two cases. But in any case,
> >> > returning an answer AND nxdomain is just broken.
> >> >
> >> >
> >> > # dig @ns1.mijn.host. autodiscover.egogo.eu
> >> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62514
> >> > ...
> >> > ;; QUESTION SECTION:
> >> > ;autodiscover.egogo.eu.         IN      A
> >> >
> >> > ;; ANSWER SECTION:
> >> > autodiscover.egogo.eu.  900     IN      CNAME
> >> > autodiscover.outlook.com.
> >> >
> >> > ;; AUTHORITY SECTION:
> >> > .                       3600    IN      SOA     ns1.mijn.host.
> >> > hostmaster. 1643556361 10800 3600 604800 3600
> >> >
> >> > this is a very broken setup. SOA reports "." = root zone.
> >> >
> >> > which pdns version/backend/ zone setup are you using?
> >> >
> >> > regards
> >> > Klaus
> >> >
> >> >> -----Original Message-----
> >> >> From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On
> >> >> behalf of Marijn via Pdns-users
> >> >> Sent: Friday, 22 April 2022 16:39
> >> >> To: pdns-users at mailman.powerdns.com
> >> >> Subject: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN
> >> >>
> >> >> I have PowerDNS 4.5.1 running.
> >> >>
> >> >> DNSSEC is working on the domain:
> >> >> https://dnssec-analyzer.verisignlabs.com/egogo.eu
> >> >>
> >> >> ---
> >> >>
> >> >> But when I have DNSSEC active and I create a CNAME record, which
> >> >> doesn't
> >> >> have DNSSEC, I get a NXDOMAIN error.
> >> >>
> >> >> ```
> >> >> $ dig CNAME autodiscover.egogo.eu +short
> >> >> autodiscover.outlook.com.
> >> >> ```
> >> >>
> >> >> Here you can see the error
> >> >> https://dnssec-analyzer.verisignlabs.com/autodiscover.egogo.eu
> >> >>
> >> >> - Zone egogo.eu (83.96.241.95) returns NXDOMAIN for
> >> >> autodiscover.egogo.eu
> >> >> - No NSEC records in response
> >> >>
> >> >> ---
> >> >>
> >> >> When I create a CNAME record to a domain with DNSSEC, it's working.
> >> >> ```
> >> >> $ dig CNAME autodiscover2.egogo.eu +short
> >> >> egogo.nl.
> >> >> ```
> >> >> https://dnssec-analyzer.verisignlabs.com/autodiscover2.egogo.eu
> >> >> - No errors
> >> >>
> >> >> ---
> >> >>
> >> >> Why is DNSSEC not working with CNAME record
> >> autodiscover.outlook.com?
> >> >> Or could there be something wrong in my configuration?
> >> >> _______________________________________________
> >> >> Pdns-users mailing list
> >> >> Pdns-users at mailman.powerdns.com
> >> >> https://mailman.powerdns.com/mailman/listinfo/pdns-users
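The following is an added illustration, not code from this thread or from PowerDNS. It models the behaviour Klaus describes above with a deliberately simplified zone lookup (longest-suffix match of a name against the configured zone apexes, which is an assumption for illustration, not PowerDNS's implementation): with only egogo.eu configured the CNAME to autodiscover.outlook.com is answered and left for the resolver to follow, but once a root zone "." is also configured it matches every name, the target is searched in the local root zone, and an NXDOMAIN with the "." SOA comes back. The second part parses the dig output quoted in Klaus's message and flags the tell-tale SOA for "." in the authority section, which is the quick check to run against your own authoritative server.

```python
# Added example (not from the thread or PowerDNS): a simplified model of zone
# matching and CNAME chasing, plus a checker for the "root zone configured"
# signature in dig output. The lookup rules here are an assumption made for
# illustration; the dig text and record data are taken from the thread.
from typing import Dict, Iterable, List, Optional, Tuple

Record = Tuple[str, str]  # (rrtype, rdata)


def normalize(name: str) -> str:
    """Lowercase a name and drop the trailing dot; the root '.' becomes ''."""
    return name.strip().lower().rstrip(".")


def best_matching_zone(qname: str, zones: Iterable[str]) -> Optional[str]:
    """Return the configured zone apex that is the longest suffix of qname.

    A configured root zone ('.') has an empty normalized apex, so it matches
    every possible name and is chosen whenever no more specific zone exists.
    """
    q = normalize(qname)
    best, best_len = None, -1
    for zone in zones:
        z = normalize(zone)
        if z == "" or q == z or q.endswith("." + z):
            if len(z) > best_len:
                best, best_len = zone, len(z)
    return best


def simulate_query(qname: str, zones: List[str], records: Dict[str, Record]) -> dict:
    """Simplified authoritative answer for an A query on qname.

    Returns the rcode, the answer RRs and the owner of the SOA that would
    appear in the authority section (assumed: the apex of the zone searched).
    """
    zone = best_matching_zone(qname, zones)
    if zone is None:
        return {"rcode": "REFUSED", "answer": [], "authority_soa": None}
    rr = records.get(normalize(qname))
    if rr is None:
        return {"rcode": "NXDOMAIN", "answer": [], "authority_soa": zone}
    answer = [(qname, *rr)]
    rrtype, target = rr
    if rrtype == "CNAME":
        # Chase the CNAME only when the target lies in a zone this server hosts.
        target_zone = best_matching_zone(target, zones)
        if target_zone is not None:
            target_rr = records.get(normalize(target))
            if target_rr is None:
                # Target absent from the matched local zone: NXDOMAIN with that
                # zone's SOA, even though the CNAME itself is in the answer.
                return {"rcode": "NXDOMAIN", "answer": answer, "authority_soa": target_zone}
            answer.append((target, *target_rr))
    return {"rcode": "NOERROR", "answer": answer, "authority_soa": None}


def authority_soa_owner(dig_output: str) -> Optional[str]:
    """Owner name of the first SOA record in dig's AUTHORITY SECTION, or None."""
    in_authority = False
    for line in dig_output.splitlines():
        if line.startswith(";; AUTHORITY SECTION:"):
            in_authority = True
            continue
        if not in_authority:
            continue
        if line.startswith(";;"):
            break  # reached the next section
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "SOA":
            return fields[0]
    return None


def root_zone_configured(dig_output: str) -> bool:
    """True when the server claims authority for '.' in its negative answer."""
    return authority_soa_owner(dig_output) == "."


# dig output copied from Klaus's message: a nonsense name answered NXDOMAIN
# with an SOA whose owner is '.', i.e. the server hosts a root zone.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55422
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;sdfdsafdsagdafdgsdgffg.dfdsafs.        IN      A

;; AUTHORITY SECTION:
.                       3600    IN      SOA     ns1.mijn.host. hostmaster. 1643556361 10800 3600 604800 3600
"""

# Constructed record set mirroring the relevant rows of the egogo.eu zone.
RECORDS: Dict[str, Record] = {
    "egogo.eu": ("A", "54.36.54.239"),
    "autodiscover.egogo.eu": ("CNAME", "autodiscover.outlook.com."),
}

if __name__ == "__main__":
    for zones in (["egogo.eu"], ["egogo.eu", "."]):
        print(zones, simulate_query("autodiscover.egogo.eu", zones, RECORDS))
    print("root zone signature in dig output:", root_zone_configured(DIG_OUTPUT))
```

Running the script prints NOERROR with just the CNAME for the first zone set and NXDOMAIN with an authority SOA of "." for the second, which is exactly the shape of the answer Klaus quoted; the dig checker returns True for the quoted output. To reproduce the check live, run the same nonsense-name query from the thread against your server and feed dig's output to `root_zone_configured`.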