[Pdns-users] Inability to query SOA after upgrade of bind9 primary server. Truncation issue?

Andy Smith andy at strugglers.net
Fri Nov 18 01:31:25 UTC 2022


Hi,

I recently upgraded a Debian 9 / bind9 system to Debian 11, so that
would be bind9 package version 1:9.10.3.dfsg.P4-12.3+deb9u12 to
1:9.16.27-1~deb11u1. Ever since doing so, one particular zone is unable
to be transferred to any of the several PowerDNS secondary servers which
have not been changed in any way.

PDNS logs:

    Nov 18 00:25:26 daiquiri pdns_server[32452]: While checking domain
    freshness: Query to '2001:ba8:1f1:f085::53' for SOA of
    'f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa' did not return a SOA

The baffling thing is that a "dig" for the SOA from that server works:

$ dig +short -t soa f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa @2001:ba8:1f1:f085::53
ns0.ribenakid.me.uk. bind.ribenakid.me.uk. 1668670704 28800 14400 3600000 86400

I can also do an axfr from that host with "dig" and I can also force
PDNS to do an axfr which it successfully does.

This only happens with the zone
"f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa".

I did a tcpdump and captured the response to PowerDNS's SOA query, which
was indeed empty. I note that it had the truncated bit set, and yes,
f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa is DNSSEC signed and doing "dig
+dnssec -t SOA …" confirms that it's of size 2293. However, there is no
retry over TCP from PowerDNS.

Clearly bind9 behaviour has changed, since that zone has been DNSSEC
signed for a long time and PDNS was fine with it; what's changed is the
bind9 version. But, I don't know if bind9 is wrong here or not! I've
asked about this in the bind9 community as well in case there are some
settings I should change there.

Now, the PDNS servers in use are out of support (it's on my TODO list…)
so before asking about this I did stand up a new 4.7 instance. That also
behaves the same ("did not return an SOA").

I ran this through the ISC EDNS compliance tester and it all came back
okay:
https://ednscomp.isc.org/ednscomp/a8c22e7194

I've attached a text dump from Wireshark of the relevant 4 packets. It
shows:

1) 85.119.80.222 (another IP on the same host as 2001:ba8:1f1:f085::53)
   sending out a notify for "f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa"
   to 172.104.29.216 (one of the PDNS secondary servers).

2) 172.104.29.216 response back to notify.

3) 172.104.29.216 query to 85.119.80.222 for SOA.

4) 85.119.80.222 empty response to 172.104.29.216.

Packet #4 shows the truncated bit.

Any insight into where the problem lies and how best to fix it would be
appreciated!

Thanks,
Andy
-------------- next part --------------
No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       85.119.80.222         172.104.29.216        DNS      160    Zone change notification 0xe40c SOA f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa SOA ns0.ribenakid.me.uk

Frame 1: 160 bytes on wire (1280 bits), 160 bytes captured (1280 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov 17, 2022 14:59:29.791115000 GMT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1668697169.791115000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 160 bytes (1280 bits)
    Capture Length: 160 bytes (1280 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:dns]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Precisio_00:04:86 (00:16:5e:00:04:86), Dst: fe:ff:ff:ff:ff:ff (fe:ff:ff:ff:ff:ff)
    Destination: fe:ff:ff:ff:ff:ff (fe:ff:ff:ff:ff:ff)
        Address: fe:ff:ff:ff:ff:ff (fe:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Precisio_00:04:86 (00:16:5e:00:04:86)
        Address: Precisio_00:04:86 (00:16:5e:00:04:86)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 85.119.80.222, Dst: 172.104.29.216
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 146
    Identification: 0x70e4 (28900)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x98e1 [validation disabled]
    [Header checksum status: Unverified]
    Source: 85.119.80.222
    Destination: 172.104.29.216
User Datagram Protocol, Src Port: 48859, Dst Port: 53
    Source Port: 48859
    Destination Port: 53
    Length: 126
    Checksum: 0x7125 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 0]
Domain Name System (query)
    Transaction ID: 0xe40c
    Flags: 0x2400 Zone change notification
        0... .... .... .... = Response: Message is a query
        .010 0... .... .... = Opcode: Zone change notification (4)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Queries
        f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa: type SOA, class IN
            Name: f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa
            [Name Length: 40]
            [Label Count: 18]
            Type: SOA (Start Of a zone of Authority) (6)
            Class: IN (0x0001)
    Answers
        f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa: type SOA, class IN, mname ns0.ribenakid.me.uk
            Name: f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa
            Type: SOA (Start Of a zone of Authority) (6)
            Class: IN (0x0001)
            Time to live: 0
            Data length: 48
            Primary name server: ns0.ribenakid.me.uk
            Responsible authority's mailbox: bind.ribenakid.me.uk
            Serial Number: 1668670704
            Refresh Interval: 28800 (8 hours)
            Retry Interval: 14400 (4 hours)
            Expire limit: 3600000 (41 days, 16 hours)
            Minimum TTL: 86400 (1 day)
    [Response In: 2]

No.     Time           Source                Destination           Protocol Length Info
      2 0.075135       172.104.29.216        85.119.80.222         DNS      100    Zone change notification response 0xe40c SOA f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa

Frame 2: 100 bytes on wire (800 bits), 100 bytes captured (800 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov 17, 2022 14:59:29.866250000 GMT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1668697169.866250000 seconds
    [Time delta from previous captured frame: 0.075135000 seconds]
    [Time delta from previous displayed frame: 0.075135000 seconds]
    [Time since reference or first frame: 0.075135000 seconds]
    Frame Number: 2
    Frame Length: 100 bytes (800 bits)
    Capture Length: 100 bytes (800 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:dns]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: fe:ff:ff:ff:ff:ff (fe:ff:ff:ff:ff:ff), Dst: Precisio_00:04:86 (00:16:5e:00:04:86)
    Destination: Precisio_00:04:86 (00:16:5e:00:04:86)
        Address: Precisio_00:04:86 (00:16:5e:00:04:86)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: fe:ff:ff:ff:ff:ff (fe:ff:ff:ff:ff:ff)
        Address: fe:ff:ff:ff:ff:ff (fe:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.104.29.216, Dst: 85.119.80.222
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 86
    Identification: 0x015a (346)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 53
    Protocol: UDP (17)
    Header checksum: 0xd3a7 [validation disabled]
    [Header checksum status: Unverified]
    Source: 172.104.29.216
    Destination: 85.119.80.222
User Datagram Protocol, Src Port: 53, Dst Port: 48859
    Source Port: 53
    Destination Port: 48859
    Length: 66
    Checksum: 0xe825 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 0]
Domain Name System (response)
    Transaction ID: 0xe40c
    Flags: 0xa400 Zone change notification response, No error
        1... .... .... .... = Response: Message is a response
        .010 0... .... .... = Opcode: Zone change notification (4)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa: type SOA, class IN
            Name: f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa
            [Name Length: 40]
            [Label Count: 18]
            Type: SOA (Start Of a zone of Authority) (6)
            Class: IN (0x0001)
    [Request In: 1]
    [Time: 0.075135000 seconds]

No.     Time           Source                Destination           Protocol Length Info
      3 0.786569       172.104.29.216        85.119.80.222         DNS      111    Standard query 0x8a61 SOA f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa OPT

Frame 3: 111 bytes on wire (888 bits), 111 bytes captured (888 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov 17, 2022 14:59:30.577684000 GMT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1668697170.577684000 seconds
    [Time delta from previous captured frame: 0.711434000 seconds]
    [Time delta from previous displayed frame: 0.711434000 seconds]
    [Time since reference or first frame: 0.786569000 seconds]
    Frame Number: 3
    Frame Length: 111 bytes (888 bits)
    Capture Length: 111 bytes (888 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:dns]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: fe:ff:ff:ff:ff:ff (fe:ff:ff:ff:ff:ff), Dst: Precisio_00:04:86 (00:16:5e:00:04:86)
    Destination: Precisio_00:04:86 (00:16:5e:00:04:86)
        Address: Precisio_00:04:86 (00:16:5e:00:04:86)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: fe:ff:ff:ff:ff:ff (fe:ff:ff:ff:ff:ff)
        Address: fe:ff:ff:ff:ff:ff (fe:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.104.29.216, Dst: 85.119.80.222
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 97
    Identification: 0x015d (349)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 53
    Protocol: UDP (17)
    Header checksum: 0xd399 [validation disabled]
    [Header checksum status: Unverified]
    Source: 172.104.29.216
    Destination: 85.119.80.222
User Datagram Protocol, Src Port: 17071, Dst Port: 53
    Source Port: 17071
    Destination Port: 53
    Length: 77
    Checksum: 0x485c [unverified]
    [Checksum Status: Unverified]
    [Stream index: 1]
Domain Name System (query)
    Transaction ID: 0x8a61
    Flags: 0x0000 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa: type SOA, class IN
            Name: f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa
            [Name Length: 40]
            [Label Count: 18]
            Type: SOA (Start Of a zone of Authority) (6)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 2800
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x8000
                1... .... .... .... = DO bit: Accepts DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 0
    [Response In: 4]

No.     Time           Source                Destination           Protocol Length Info
      4 0.786910       85.119.80.222         172.104.29.216        DNS      111    Standard query response 0x8a61 SOA f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa OPT

Frame 4: 111 bytes on wire (888 bits), 111 bytes captured (888 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov 17, 2022 14:59:30.578025000 GMT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1668697170.578025000 seconds
    [Time delta from previous captured frame: 0.000341000 seconds]
    [Time delta from previous displayed frame: 0.000341000 seconds]
    [Time since reference or first frame: 0.786910000 seconds]
    Frame Number: 4
    Frame Length: 111 bytes (888 bits)
    Capture Length: 111 bytes (888 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:dns]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Precisio_00:04:86 (00:16:5e:00:04:86), Dst: fe:ff:ff:ff:ff:ff (fe:ff:ff:ff:ff:ff)
    Destination: fe:ff:ff:ff:ff:ff (fe:ff:ff:ff:ff:ff)
        Address: fe:ff:ff:ff:ff:ff (fe:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Precisio_00:04:86 (00:16:5e:00:04:86)
        Address: Precisio_00:04:86 (00:16:5e:00:04:86)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 85.119.80.222, Dst: 172.104.29.216
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 97
    Identification: 0x718a (29066)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x986c [validation disabled]
    [Header checksum status: Unverified]
    Source: 85.119.80.222
    Destination: 172.104.29.216
User Datagram Protocol, Src Port: 53, Dst Port: 17071
    Source Port: 53
    Destination Port: 17071
    Length: 77
    Checksum: 0x70f4 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 1]
Domain Name System (response)
    Transaction ID: 0x8a61
    Flags: 0x8600 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..1. .... .... = Truncated: Message is truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa: type SOA, class IN
            Name: f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa
            [Name Length: 40]
            [Label Count: 18]
            Type: SOA (Start Of a zone of Authority) (6)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 1232
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x8000
                1... .... .... .... = DO bit: Accepts DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 0
    [Request In: 3]
    [Time: 0.000341000 seconds]


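The SOA exchange in the capture, as an added example that is not part of Andy's post and not PowerDNS or BIND code. The dump shows the secondary's query offering an EDNS0 payload size of 2800 with DO set (frame 3) and the primary replying with TC=1, no answer, and an OPT advertising 1232 (frame 4); the post measures the DO=1 SOA answer at 2293 bytes, so it cannot fit the 1232 the server will use over UDP, and TC=1 is the server asking the client to retry over TCP. The standard-library Python below builds the frame 3 query, decodes the frame 4 reply (rebuilt here from the field values in the dump, so the bytes are constructed, not copied), and implements the TCP retry a client is expected to perform. The transport helpers, the constructed full reply and the function names are assumptions for illustration; the server address to test against is whatever you are debugging.

```python
"""Added example, not code from the original post or from PowerDNS/BIND:
rebuilds the SOA/TC exchange in the capture and shows the TCP retry that a
client is expected to perform when the UDP answer has TC=1."""
import socket
import struct

ZONE = "f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa"
TYPE_SOA, TYPE_OPT, CLASS_IN = 6, 41, 1
FLAG_TC = 0x0200  # TC bit in the DNS header flags word
EDNS_DO = 0x8000  # DO bit inside the 32-bit OPT TTL (ext-rcode|version|DO|Z)


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(msg, off):
    """Offset just past the wire-format name starting at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype, txid, udp_size=2800, do=True):
    """Query plus EDNS0 OPT as in frame 3: payload 2800, DO set, RD clear."""
    hdr = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do else 0, 0)
    return hdr + question + opt


def parse_response(msg):
    """Header flags, answer count and the OPT record (if any) of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "ancount": an, "edns_udp_size": None, "do": False}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:  # for OPT the CLASS field carries the UDP size
            info["edns_udp_size"], info["do"] = rclass, bool(ttl & EDNS_DO)
    return info


def constructed_frame4():
    """The 69-byte DNS payload of frame 4 rebuilt from the dump's field values
    (constructed bytes): QR+AA+TC, no answer, OPT advertising 1232 with DO."""
    hdr = struct.pack("!HHHHHH", 0x8A61, 0x8600, 1, 0, 0, 1)
    question = encode_name(ZONE) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return hdr + question + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)


def constructed_full_reply():
    """A complete (TC=0) SOA answer using the values from frame 1 / the dig
    output. Constructed and simplified: a real DO=1 answer over TCP would also
    carry the RRSIG and an OPT record."""
    hdr = struct.pack("!HHHHHH", 0x8A61, 0x8400, 1, 1, 0, 0)
    question = encode_name(ZONE) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = (encode_name("ns0.ribenakid.me.uk") + encode_name("bind.ribenakid.me.uk")
             + struct.pack("!IIIII", 1668670704, 28800, 14400, 3600000, 86400))
    soa = encode_name(ZONE) + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 86400, len(rdata)) + rdata
    return hdr + question + soa


def query_with_tc_fallback(query, send_udp, send_tcp):
    """UDP first; if the reply has TC=1, repeat the identical query over TCP
    (RFC 7766). Transports are injected so the logic can run offline."""
    info = parse_response(send_udp(query))
    info["via"] = "udp"
    if info["tc"]:
        info = parse_response(send_tcp(query))
        info["via"] = "tcp"
    return info


# Live transports (assumed helpers for testing against a real server).
def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from DNS server")
        buf += chunk
    return buf


def udp_transport(server, port=53, timeout=3.0):
    family = socket.AF_INET6 if ":" in server else socket.AF_INET

    def send(query):
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            return s.recv(4096)
    return send


def tcp_transport(server, port=53, timeout=3.0):
    def send(query):
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            return _recv_exact(s, length)
    return send


if __name__ == "__main__":
    q = build_query(ZONE, TYPE_SOA, 0x8A61)
    print("frame 4 decoded:", parse_response(constructed_frame4()))
    print("after TCP retry:", query_with_tc_fallback(
        q, lambda _: constructed_frame4(), lambda _: constructed_full_reply()))
    # Live check against the primary named in the post (needs network access):
    # print(query_with_tc_fallback(q, udp_transport("2001:ba8:1f1:f085::53"),
    #                              tcp_transport("2001:ba8:1f1:f085::53")))
```

Run stand-alone it decodes the rebuilt frame 4 (tc=True, ancount=0, edns_udp_size=1232) and then shows the answer arriving once the query is repeated over TCP. The `query_with_tc_fallback` step is exactly what the post observes the secondary not doing after frame 4; pointing `udp_transport`/`tcp_transport` at the real primary reproduces the TC=1 reply from the capture and confirms whether the same query answers over TCP, which is the first thing to check before tuning `edns-udp-size` on the BIND side.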