[Pdns-users] DNSSEC and CNAME records results NXDOMAIN
Marijn
marijn at egogo.nl
Fri Apr 22 19:50:36 UTC 2022
Thank you for investigating and pointing this out.
There was a zone with the domain name "." (just a dot), which caused the
issue.
I removed this zone and now it seems to work.
Thank you very much for your help!
Klaus Darilion wrote on 2022-04-22 21:41:
> I think I have found the problem:
>
> Your name server also has configured a root zone:
>
> # dig @ns1.mijn.host. sdfdsafdsagdafdgsdgffg.dfdsafs
>
> ; <<>> DiG 9.11.3-1ubuntu1.17-Ubuntu <<>> @ns1.mijn.host.
> sdfdsafdsagdafdgsdgffg.dfdsafs
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55422
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;sdfdsafdsagdafdgsdgffg.dfdsafs. IN A
>
> ;; AUTHORITY SECTION:
> . 3600 IN SOA ns1.mijn.host.
> hostmaster. 1643556361 10800 3600 604800 3600
>
>
> PowerDNS has a feature (or bug) to follow CNAMEs if PowerDNS finds the
> target in its own zones. As your PowerDNS has also configured a root
> zone, this root zone matches for egogo.nl (and any other zone) and
> powerdns searches inside this root zone for the CNAME target. As the
> CNAME target is not found in the local root zone, NXDOMAIN is
> responded, and that may confuse resolvers to not follow the CNAME.
>
> Hence, remove the root zone from your POwerDNS.
>
> regards
> Klaus
>
>
>
>> -----Ursprüngliche Nachricht-----
>> Von: Marijn <marijn at egogo.nl>
>> Gesendet: Freitag, 22. April 2022 19:18
>> An: Klaus Darilion <klaus.darilion at nic.at>; pdns-
>> users at mailman.powerdns.com
>> Betreff: Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN
>>
>> I fill the records with the API.
>> However when I check the SOA file (see below) it looks correct
>> (hostmaster.egogo.eu).
>> But with "dig @ns1.mijn.host. autodiscover.egogo.eu" it shows an
>> incorrect value.
>>
>> MariaDB [powerdns]> SELECT * FROM domains WHERE id = 9644;
>> +------+----------+--------+------------+--------+-----------------+---------+
>> | id | name | master | last_check | type | notified_serial |
>> account |
>> +------+----------+--------+------------+--------+-----------------+---------+
>> | 9644 | egogo.eu | | NULL | MASTER | 1650634625 |
>> |
>> +------+----------+--------+------------+--------+-----------------+---------+
>> 1 row in set (0.00 sec)
>>
>> MariaDB [powerdns]> SELECT * FROM records WHERE domain_id = 9644;
>> +---------+-----------+------------------------+-------+-----------------------------------
>> ----------------------------------+------+------+----------+---------------+------+
>> | id | domain_id | name | type | content
>> | ttl | prio |
>> disabled | ordername | auth |
>> +---------+-----------+------------------------+-------+-----------------------------------
>> ----------------------------------+------+------+----------+---------------+------+
>> | 7909392 | 9644 | egogo.eu | NS | ns1.mijn.host
>> | 3600 | 0 |
>> 0 | | 1 |
>> | 7909393 | 9644 | egogo.eu | NS | ns2.mijn.host
>> | 3600 | 0 |
>> 0 | | 1 |
>> | 7909394 | 9644 | egogo.eu | NS | ns3.mijn.host
>> | 3600 | 0 |
>> 0 | | 1 |
>> | 7910921 | 9644 | autodiscover.egogo.eu | CNAME |
>> autodiscover.outlook.com |
>> 900 | 0 | 0 | autodiscover | 1 |
>> | 7910922 | 9644 | autodiscover2.egogo.eu | CNAME | egogo.nl
>> | 900 | 0 |
>> 0 | autodiscover2 | 1 |
>> | 7910923 | 9644 | *.egogo.eu | A | 54.36.54.239
>> | 900 | 0 |
>> 0 | * | 1 |
>> | 7910924 | 9644 | egogo.eu | MX | mail.egogo.eu
>> | 900 | 10 |
>> 0 | | 1 |
>> | 7910925 | 9644 | egogo.eu | A | 54.36.54.239
>> | 900 | 0 |
>> 0 | | 1 |
>> | 7910926 | 9644 | egogo.eu | SOA | ns1.mijn.host
>> hostmaster.egogo.eu 1650634625 10800 3600 604800 3600 | 3600 | 0 |
>> 0 | | 1 |
>> +---------+-----------+------------------------+-------+-----------------------------------
>> ----------------------------------+------+------+----------+---------------+------+
>> 9 rows in set (0.01 sec)
>>
>> MariaDB [powerdns]> SELECT * FROM cryptokeys WHERE domain_id = 9644;
>> +------+-----------+-------+--------+-----------+-----------------------------------------
>> ---------------------------------------------------------------------------+
>> | id | domain_id | flags | active | published | content
>>
>> |
>> +------+-----------+-------+--------+-----------+-----------------------------------------
>> ---------------------------------------------------------------------------+
>> | 9603 | 9644 | 257 | 1 | 1 | Private-key-format:
>> v1.2
>> Algorithm: 13 (ECDSAP256SHA256)
>> PrivateKey: [HIDDEN]
>> |
>> +------+-----------+-------+--------+-----------+-----------------------------------------
>> ---------------------------------------------------------------------------+
>> 1 row in set (0.00 sec)
>>
>> MariaDB [powerdns]> SELECT * FROM domainmetadata WHERE domain_id =
>> 9644;
>> +-------+-----------+--------------+---------+
>> | id | domain_id | kind | content |
>> +-------+-----------+--------------+---------+
>> | 28902 | 9644 | API-RECTIFY | 1 |
>> | 28901 | 9644 | SOA-EDIT-API | EPOCH |
>> +-------+-----------+--------------+---------+
>> 2 rows in set (0.00 sec)
>>
>> $ pdnsutil show-zone egogo.eu
>> This is a Master zone
>> Last SOA serial number we notified: 1650634625 == 1650634625 (serial
>> in
>> the database)
>> Metadata items:
>> API-RECTIFY 1
>> SOA-EDIT-API EPOCH
>> Zone has NSEC semantics
>> keys:
>> ID = 9603 (CSK), flags = 257, tag = 14759, algo = 13, bits = 256
>> Active Published ( ECDSAP256SHA256 )
>> CSK DNSKEY = egogo.eu. IN DNSKEY 257 3 13 [HIDDEN] ; ( ECDSAP256SHA256
>> )
>> DS = egogo.eu. IN DS 14759 13 1
>> bc33e7dfe6ad30a0744c5f238d6acb8f0ffdfbd3
>> ; ( SHA1 digest )
>> DS = egogo.eu. IN DS 14759 13 2
>> 5b575f4eb351432995808a5c5a5e94d7459760c315248a344ec63c1f273c52f3 ; (
>> SHA256 digest )
>> DS = egogo.eu. IN DS 14759 13 4
>> 559f28bb6bf445611ddfc34d1c590f784c9472a6ff1a2adae36225c0f597343ce318
>> 990ed86531d49bfdad0e35fef6b0
>> ; ( SHA-384 digest )
>>
>>
>> $ pdnsutil list-zone egogo.eu
>> $ORIGIN .
>> *.egogo.eu 900 IN A 54.36.54.239
>> autodiscover.egogo.eu 900 IN CNAME
>> autodiscover.outlook.com.
>> autodiscover2.egogo.eu 900 IN CNAME egogo.nl.
>> egogo.eu 900 IN A 54.36.54.239
>> egogo.eu 900 IN MX 10 mail.egogo.eu.
>> egogo.eu 3600 IN NS ns1.mijn.host.
>> egogo.eu 3600 IN NS ns2.mijn.host.
>> egogo.eu 3600 IN NS ns3.mijn.host.
>> egogo.eu 3600 IN SOA ns1.mijn.host hostmaster.egogo.eu
>> 1650634625 10800
>> 3600 604800 3600
>>
>>
>> Klaus Darilion via Pdns-users schreef op 2022-04-22 18:59:
>> > And how do you fill records into the mysql db? Can you show the
>> > relevenat rows of the records and domains table?
>> > regards
>> > Klaus
>> >
>> >> -----Ursprüngliche Nachricht-----
>> >> Von: Pdns-users <pdns-users-bounces at mailman.powerdns.com> Im
>> >> Auftrag von Marijn via Pdns-users
>> >> Gesendet: Freitag, 22. April 2022 18:54
>> >> An: pdns-users at mailman.powerdns.com
>> >> Betreff: Re: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN
>> >>
>> >> I have pdnsutil 4.5.4 running with MySQL backend and native MySQL
>> >> replication.
>> >>
>> >> In pdns.conf I have the following value. Maybe the @ doesn't work?
>> >>
>> >> default-soa-content=ns1.mijn.host hostmaster.@ 0 10800 3600 604800
>> >> 3600
>> >>
>> >> Klaus Darilion schreef op 2022-04-22 18:06:
>> >> > I do not see any difference of the two cases. But in any case,
>> >> > returning an answer AND nxdomain is just broken.
>> >> >
>> >> >
>> >> > # dig @ns1.mijn.host. autodiscover.egogo.eu
>> >> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62514
>> >> > ...
>> >> > ;; QUESTION SECTION:
>> >> > ;autodiscover.egogo.eu. IN A
>> >> >
>> >> > ;; ANSWER SECTION:
>> >> > autodiscover.egogo.eu. 900 IN CNAME
>> >> > autodiscover.outlook.com.
>> >> >
>> >> > ;; AUTHORITY SECTION:
>> >> > . 3600 IN SOA ns1.mijn.host.
>> >> > hostmaster. 1643556361 10800 3600 604800 3600
>> >> >
>> >> > this is a very broken setup. SOA reports "." = root zone.
>> >> >
>> >> > which pdns version/backend/ zone setup are you using?
>> >> >
>> >> > regards
>> >> > Klaus
>> >> >
>> >> >> -----Ursprüngliche Nachricht-----
>> >> >> Von: Pdns-users <pdns-users-bounces at mailman.powerdns.com> Im
>> >> >> Auftrag von Marijn via Pdns-users
>> >> >> Gesendet: Freitag, 22. April 2022 16:39
>> >> >> An: pdns-users at mailman.powerdns.com
>> >> >> Betreff: [Pdns-users] DNSSEC and CNAME records results NXDOMAIN
>> >> >>
>> >> >> I have PowerDNS 4.5.1 running.
>> >> >>
>> >> >> DNSSEC is working on the domain:
>> >> >> https://dnssec-analyzer.verisignlabs.com/egogo.eu
>> >> >>
>> >> >> ---
>> >> >>
>> >> >> But when I have DNSSEC active and I create a CNAME record, which
>> >> >> doesn't
>> >> >> have DNSSEC, I get a NXDOMAIN error.
>> >> >>
>> >> >> ```
>> >> >> $ dig CNAME autodiscover.egogo.eu +short
>> >> >> autodiscover.outlook.com.
>> >> >> ```
>> >> >>
>> >> >> Here you can see the error
>> >> >> https://dnssec-analyzer.verisignlabs.com/autodiscover.egogo.eu
>> >> >>
>> >> >> - Zone egogo.eu (83.96.241.95) returns NXDOMAIN for
>> >> >> autodiscover.egogo.eu
>> >> >> - No NSEC records in response
>> >> >>
>> >> >> ---
>> >> >>
>> >> >> When I create a CNAME record to a domain with DNSSEC, it's working.
>> >> >> ```
>> >> >> $ dig CNAME autodiscover2.egogo.eu +short
>> >> >> egogo.nl.
>> >> >> ```
>> >> >> https://dnssec-analyzer.verisignlabs.com/autodiscover2.egogo.eu
>> >> >> - No errors
>> >> >>
>> >> >> ---
>> >> >>
>> >> >> Why is DNSSEC not working with CNAME record
>> >> autodiscover.outlook.com?
>> >> >> Or could there be something wrong in my configuration?
>> >> >> _______________________________________________
>> >> >> Pdns-users mailing list
>> >> >> Pdns-users at mailman.powerdns.com
>> >> >> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>> >> _______________________________________________
>> >> Pdns-users mailing list
>> >> Pdns-users at mailman.powerdns.com
>> >> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>> > _______________________________________________
>> > Pdns-users mailing list
>> > Pdns-users at mailman.powerdns.com
>> > https://mailman.powerdns.com/mailman/listinfo/pdns-users
More information about the Pdns-users
mailing list