[Pdns-users] DNSSEC and CNAME records results NXDOMAIN

Marijn marijn at egogo.nl
Fri Apr 22 19:50:36 UTC 2022


Thank you for investigating and pointing this out.
There was a zone with the domain name "." (just a dot), which caused the issue.
I removed this zone and now it seems to work.
Thank you very much for your help!

Klaus Darilion wrote on 2022-04-22 21:41:
> I think I have found the problem:
> 
> Your name server also has configured a root zone:
> 
> # dig @ns1.mijn.host. sdfdsafdsagdafdgsdgffg.dfdsafs
> 
> ; <<>> DiG 9.11.3-1ubuntu1.17-Ubuntu <<>> @ns1.mijn.host. sdfdsafdsagdafdgsdgffg.dfdsafs
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55422
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;sdfdsafdsagdafdgsdgffg.dfdsafs.        IN      A
> 
> ;; AUTHORITY SECTION:
> .                       3600    IN      SOA     ns1.mijn.host. hostmaster. 1643556361 10800 3600 604800 3600
> 
> 
> PowerDNS has a feature (or bug) to follow CNAMEs if PowerDNS finds the
> target in its own zones. As your PowerDNS has also configured a root
> zone, this root zone matches for egogo.nl (and any other zone) and
> PowerDNS searches inside this root zone for the CNAME target. As the
> CNAME target is not found in the local root zone, NXDOMAIN is
> responded, and that may confuse resolvers to not follow the CNAME.
> 
> Hence, remove the root zone from your PowerDNS.
> 
> regards
> Klaus
> 
> 
> 
>> -----Original Message-----
>> From: Marijn <marijn at egogo.nl>
>> Sent: Friday, 22 April 2022 19:18
>> To: Klaus Darilion <klaus.darilion at nic.at>; pdns-users at mailman.powerdns.com
>> Subject: Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN
>> 
>> I fill the records with the API.
>> However when I check the SOA file (see below) it looks correct
>> (hostmaster.egogo.eu).
>> But with "dig @ns1.mijn.host. autodiscover.egogo.eu" it shows an
>> incorrect value.
>> 
>> MariaDB [powerdns]> SELECT * FROM domains WHERE id = 9644;
>> +------+----------+--------+------------+--------+-----------------+---------+
>> | id   | name     | master | last_check | type   | notified_serial | account |
>> +------+----------+--------+------------+--------+-----------------+---------+
>> | 9644 | egogo.eu |        |       NULL | MASTER |      1650634625 |         |
>> +------+----------+--------+------------+--------+-----------------+---------+
>> 1 row in set (0.00 sec)
>> 
>> MariaDB [powerdns]> SELECT * FROM records WHERE domain_id = 9644;
>> +---------+-----------+------------------------+-------+---------------------------------------------------------------------+------+------+----------+---------------+------+
>> | id      | domain_id | name                   | type  | content                                                             | ttl  | prio | disabled | ordername     | auth |
>> +---------+-----------+------------------------+-------+---------------------------------------------------------------------+------+------+----------+---------------+------+
>> | 7909392 |      9644 | egogo.eu               | NS    | ns1.mijn.host                                                       | 3600 |    0 |        0 |               |    1 |
>> | 7909393 |      9644 | egogo.eu               | NS    | ns2.mijn.host                                                       | 3600 |    0 |        0 |               |    1 |
>> | 7909394 |      9644 | egogo.eu               | NS    | ns3.mijn.host                                                       | 3600 |    0 |        0 |               |    1 |
>> | 7910921 |      9644 | autodiscover.egogo.eu  | CNAME | autodiscover.outlook.com                                            |  900 |    0 |        0 | autodiscover  |    1 |
>> | 7910922 |      9644 | autodiscover2.egogo.eu | CNAME | egogo.nl                                                            |  900 |    0 |        0 | autodiscover2 |    1 |
>> | 7910923 |      9644 | *.egogo.eu             | A     | 54.36.54.239                                                        |  900 |    0 |        0 | *             |    1 |
>> | 7910924 |      9644 | egogo.eu               | MX    | mail.egogo.eu                                                       |  900 |   10 |        0 |               |    1 |
>> | 7910925 |      9644 | egogo.eu               | A     | 54.36.54.239                                                        |  900 |    0 |        0 |               |    1 |
>> | 7910926 |      9644 | egogo.eu               | SOA   | ns1.mijn.host hostmaster.egogo.eu 1650634625 10800 3600 604800 3600 | 3600 |    0 |        0 |               |    1 |
>> +---------+-----------+------------------------+-------+---------------------------------------------------------------------+------+------+----------+---------------+------+
>> 9 rows in set (0.01 sec)
>> 
>> MariaDB [powerdns]> SELECT * FROM cryptokeys WHERE domain_id = 9644;
>> +------+-----------+-------+--------+-----------+---------------------------------+
>> | id   | domain_id | flags | active | published | content                         |
>> +------+-----------+-------+--------+-----------+---------------------------------+
>> | 9603 |      9644 |   257 |      1 |         1 | Private-key-format: v1.2
>> Algorithm: 13 (ECDSAP256SHA256)
>> PrivateKey: [HIDDEN]
>>                                 |
>> +------+-----------+-------+--------+-----------+---------------------------------+
>> 1 row in set (0.00 sec)
>> 
>> MariaDB [powerdns]> SELECT * FROM domainmetadata WHERE domain_id = 9644;
>> +-------+-----------+--------------+---------+
>> | id    | domain_id | kind         | content |
>> +-------+-----------+--------------+---------+
>> | 28902 |      9644 | API-RECTIFY  | 1       |
>> | 28901 |      9644 | SOA-EDIT-API | EPOCH   |
>> +-------+-----------+--------------+---------+
>> 2 rows in set (0.00 sec)
>> 
>> $ pdnsutil show-zone egogo.eu
>> This is a Master zone
>> Last SOA serial number we notified: 1650634625 == 1650634625 (serial in the database)
>> Metadata items:
>> 	API-RECTIFY	1
>> 	SOA-EDIT-API	EPOCH
>> Zone has NSEC semantics
>> keys:
>> ID = 9603 (CSK), flags = 257, tag = 14759, algo = 13, bits = 256
>> Active	 Published  ( ECDSAP256SHA256 )
>> CSK DNSKEY = egogo.eu. IN DNSKEY 257 3 13 [HIDDEN] ; ( ECDSAP256SHA256 )
>> DS = egogo.eu. IN DS 14759 13 1 bc33e7dfe6ad30a0744c5f238d6acb8f0ffdfbd3 ; ( SHA1 digest )
>> DS = egogo.eu. IN DS 14759 13 2 5b575f4eb351432995808a5c5a5e94d7459760c315248a344ec63c1f273c52f3 ; ( SHA256 digest )
>> DS = egogo.eu. IN DS 14759 13 4 559f28bb6bf445611ddfc34d1c590f784c9472a6ff1a2adae36225c0f597343ce318990ed86531d49bfdad0e35fef6b0 ; ( SHA-384 digest )
>> 
>> 
>> $ pdnsutil list-zone egogo.eu
>> $ORIGIN .
>> *.egogo.eu	900	IN	A	54.36.54.239
>> autodiscover.egogo.eu	900	IN	CNAME	autodiscover.outlook.com.
>> autodiscover2.egogo.eu	900	IN	CNAME	egogo.nl.
>> egogo.eu	900	IN	A	54.36.54.239
>> egogo.eu	900	IN	MX	10 mail.egogo.eu.
>> egogo.eu	3600	IN	NS	ns1.mijn.host.
>> egogo.eu	3600	IN	NS	ns2.mijn.host.
>> egogo.eu	3600	IN	NS	ns3.mijn.host.
>> egogo.eu	3600	IN	SOA	ns1.mijn.host hostmaster.egogo.eu 1650634625 10800 3600 604800 3600
>> 
>> 
>> Klaus Darilion via Pdns-users wrote on 2022-04-22 18:59:
>> > And how do you fill records into the mysql db? Can you show the
>> > relevant rows of the records and domains table?
>> > regards
>> > Klaus
>> >
>> >> -----Original Message-----
>> >> From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On Behalf Of Marijn via Pdns-users
>> >> Sent: Friday, 22 April 2022 18:54
>> >> To: pdns-users at mailman.powerdns.com
>> >> Subject: Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN
>> >>
>> >> I have pdnsutil 4.5.4 running with MySQL backend and native MySQL
>> >> replication.
>> >>
>> >> In pdns.conf I have the following value. Maybe the @ doesn't work?
>> >>
>> >> default-soa-content=ns1.mijn.host hostmaster.@ 0 10800 3600 604800 3600
>> >>
>> >> Klaus Darilion wrote on 2022-04-22 18:06:
>> >> > I do not see any difference of the two cases. But in any case,
>> >> > returning an answer AND nxdomain is just broken.
>> >> >
>> >> >
>> >> > # dig @ns1.mijn.host. autodiscover.egogo.eu
>> >> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62514
>> >> > ...
>> >> > ;; QUESTION SECTION:
>> >> > ;autodiscover.egogo.eu.         IN      A
>> >> >
>> >> > ;; ANSWER SECTION:
>> >> > autodiscover.egogo.eu.  900     IN      CNAME   autodiscover.outlook.com.
>> >> >
>> >> > ;; AUTHORITY SECTION:
>> >> > .                       3600    IN      SOA     ns1.mijn.host. hostmaster. 1643556361 10800 3600 604800 3600
>> >> >
>> >> > this is a very broken setup. SOA reports "." = root zone.
>> >> >
>> >> > which pdns version/backend/ zone setup are you using?
>> >> >
>> >> > regards
>> >> > Klaus
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On Behalf Of Marijn via Pdns-users
>> >> >> Sent: Friday, 22 April 2022 16:39
>> >> >> To: pdns-users at mailman.powerdns.com
>> >> >> Subject: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN
>> >> >>
>> >> >> I have PowerDNS 4.5.1 running.
>> >> >>
>> >> >> DNSSEC is working on the domain:
>> >> >> https://dnssec-analyzer.verisignlabs.com/egogo.eu
>> >> >>
>> >> >> ---
>> >> >>
>> >> >> But when I have DNSSEC active and I create a CNAME record, which doesn't
>> >> >> have DNSSEC, I get an NXDOMAIN error.
>> >> >>
>> >> >> ```
>> >> >> $ dig CNAME autodiscover.egogo.eu +short
>> >> >> autodiscover.outlook.com.
>> >> >> ```
>> >> >>
>> >> >> Here you can see the error
>> >> >> https://dnssec-analyzer.verisignlabs.com/autodiscover.egogo.eu
>> >> >>
>> >> >> - Zone egogo.eu (83.96.241.95) returns NXDOMAIN for autodiscover.egogo.eu
>> >> >> - No NSEC records in response
>> >> >>
>> >> >> ---
>> >> >>
>> >> >> When I create a CNAME record to a domain with DNSSEC, it's working.
>> >> >> ```
>> >> >> $ dig CNAME autodiscover2.egogo.eu +short
>> >> >> egogo.nl.
>> >> >> ```
>> >> >> https://dnssec-analyzer.verisignlabs.com/autodiscover2.egogo.eu
>> >> >> - No errors
>> >> >>
>> >> >> ---
>> >> >>
>> >> >> Why is DNSSEC not working with CNAME record autodiscover.outlook.com?
>> >> >> Or could there be something wrong in my configuration?
>> >> >> _______________________________________________
>> >> >> Pdns-users mailing list
>> >> >> Pdns-users at mailman.powerdns.com
>> >> >> https://mailman.powerdns.com/mailman/listinfo/pdns-users
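As an added example (not code from the thread or from PowerDNS), the following Python parses the text that dig prints and flags the two symptoms Klaus points out above: an NXDOMAIN rcode returned together with an answer for the queried name, and a negative-answer SOA whose owner is not the zone the server should be authoritative for (here ".", the stray root zone). The sample response is constructed after the dig output quoted in the thread, and the function names are assumptions.

```python
import re

# Constructed sample, shaped after the dig output quoted in the thread:
# NXDOMAIN rcode, yet a CNAME answer, and an SOA for "." in AUTHORITY.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62514
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;autodiscover.egogo.eu.         IN      A

;; ANSWER SECTION:
autodiscover.egogo.eu.  900     IN      CNAME   autodiscover.outlook.com.

;; AUTHORITY SECTION:
.                       3600    IN      SOA     ns1.mijn.host. hostmaster. 1643556361 10800 3600 604800 3600
"""

def parse_dig(text):
    """Return (rcode, qname, {section: [(owner, type, rdata)]}) from dig text (hypothetical helper)."""
    rcode = re.search(r"status: (\w+)", text).group(1)
    qname, sections, current = None, {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:                                  # ";; ANSWER SECTION:" and friends
            current = m.group(1)
            sections[current] = []
        elif current == "QUESTION" and line.startswith(";"):
            qname = line[1:].split()[0].lower()
        elif current in ("ANSWER", "AUTHORITY") and line and not line.startswith(";"):
            owner, _ttl, _cls, rtype, *rdata = line.split()
            sections[current].append((owner.lower(), rtype, " ".join(rdata)))
    return rcode, qname, sections

def check_response(text, expected_zone):
    """List inconsistencies in one authoritative reply; expected_zone is the apex, e.g. "egogo.eu." (hypothetical helper)."""
    rcode, qname, sec = parse_dig(text)
    findings = []
    # NXDOMAIN asserts the name does not exist, so records for it in ANSWER contradict the rcode.
    if rcode == "NXDOMAIN" and any(o == qname for o, _, _ in sec.get("ANSWER", [])):
        findings.append("NXDOMAIN but answer section holds records for the qname")
    # The SOA in a negative answer must be the zone containing the qname, not an unrelated zone such as ".".
    for owner, rtype, _ in sec.get("AUTHORITY", []):
        if rtype == "SOA" and owner != expected_zone.lower():
            findings.append(f"authority SOA is for zone '{owner}', expected '{expected_zone}'")
    return findings
```

Run check_response(SAMPLE, "egogo.eu.") to see both findings; feeding it a NOERROR reply whose SOA owner is egogo.eu. yields an empty list.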

