[Pdns-users] pdns-recursor (4.6) empty response after expiration of the TTL of the cached record

Otto Moerbeek otto at drijf.net
Thu Sep 22 07:56:13 UTC 2022


When trying to check this domain I get an occasional error:

$ dig  @1.1.1.1 riecis.nl   

; <<>> dig 9.10.8-P1 <<>> @1.1.1.1 riecis.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30228
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 3 (Stale Answer)
; EDE: 22 (No Reachable Authority): 74 69 6d 65 20 6c 69 6d 69 74 20 65 78 63 65 65 64 65 64 ("time limit exceeded")
;; QUESTION SECTION:
;riecis.nl.			IN	A

;; ANSWER SECTION:
riecis.nl.		0	IN	A	159.46.204.40

;; Query time: 859 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Sep 22 09:46:26 CEST 2022
;; MSG SIZE  rcvd: 85

Same for 8.8.8.8

Also zonemaster.net not 100% happy with it.

Looking at a --trace run I see:

Sep 22 09:51:02 [2] Nameserver ns2.minvenj.nl IPs: 159.46.194.12(0.00ms), 2a04:9a04:18ad:8a04::3:0(0.00ms)
Sep 22 09:51:02 [2] riecis.nl: Resolved 'riecis.nl' NS ns2.minvenj.nl to: 159.46.194.12, 2a04:9a04:18ad:8a04::3:0
Sep 22 09:51:02 [2] riecis.nl: Trying IP 159.46.194.12:53, asking 'riecis.nl|A'
Sep 22 09:51:02 [2] riecis.nl: truncated bit set, over UDP
Sep 22 09:51:02 [2] riecis.nl: using TCP with 159.46.194.12:53
Sep 22 09:51:03 [1] riecis.nl: timeout resolving after 1857.92msec over TCP
Sep 22 09:51:03 [1] riecis.nl: Trying IP 159.46.194.12:53, asking 'riecis.nl|A'
Sep 22 09:51:03 [2] riecis.nl: timeout resolving after 1538.18msec over TCP
Sep 22 09:51:03 [2] riecis.nl: Trying IP [2a04:9a04:18ad:8a04::3:0]:53, asking 'riecis.nl|A'
Sep 22 09:51:03 [2] riecis.nl: query throttled 2a04:9a04:18ad:8a04::3:0, riecis.nl; A
Sep 22 09:51:03 [2] riecis.nl: Trying to resolve NS 'ns1.minvenj.nl' (2/2)
Sep 22 09:51:03 [2] Nameserver ns1.minvenj.nl IPs: 2a04:9a04:18ad:8a04::2:0(920.59ms), 159.46.194.11(920.59ms)
Sep 22 09:51:03 [2] riecis.nl: Resolved 'riecis.nl' NS ns1.minvenj.nl to: 2a04:9a04:18ad:8a04::2:0, 159.46.194.11
Sep 22 09:51:03 [2] riecis.nl: Trying IP [2a04:9a04:18ad:8a04::2:0]:53, asking 'riecis.nl|A'
Sep 22 09:51:03 [2] riecis.nl: query throttled 2a04:9a04:18ad:8a04::2:0, riecis.nl; A
Sep 22 09:51:03 [2] riecis.nl: Trying IP 159.46.194.11:53, asking 'riecis.nl|A'
Sep 22 09:51:03 [2] riecis.nl: query throttled 159.46.194.11, riecis.nl; A
Sep 22 09:51:03 [2] riecis.nl: Failed to resolve via any of the 2 offered NS at level 'riecis.nl'

Which confirms zonemaster's finding.

Note that this does not happen all the time, but often enough.

Conclusion: the auths for riecis.nl are flakey. They (sometimes) respond with
TC=1 but fail to do TCP.

	-Otto


On Thu, Sep 22, 2022 at 09:27:20AM +0200, Leeflangetje via Pdns-users wrote:

> Hi,
> 
> Since we upgraded to pdns-recursor 4.6 we sometimes experience some
> weird behaviour with queries via pdns-recursor.
> 
> Sometimes, when a previously queried record expires through its TTL,
> the recursor does not provide an answer anymore, until it's restarted.
> 
> Unfortunately I am not able to reproduce this. It happens occasionally.
> When it happens, we see this: 
> 
> Faulty server:
> 
> dig @ns1 riecis.nl A
> 
> ; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @ns1 riecis.nl A
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27148
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;riecis.nl.         IN  A
> 
> ;; AUTHORITY SECTION:
> riecis.nl.      2828    IN  SOA ns1.minvenj.nl. hostmaster.solvinity.com. 2022010301 1800 300 604800 3600
> 
> ;; Query time: 2 msec
> ;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
> ;; WHEN: Tue Sep 20 12:16:55 CEST 2022
> ;; MSG SIZE  rcvd: 110
> 
> other server:
> 
> dig @ns2  riecis.nl A
> 
> ; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @ns2 riecis.nl A
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61517
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;riecis.nl.         IN  A
> 
> ;; ANSWER SECTION:
> riecis.nl.      224 IN  A   159.46.204.40
> 
> ;; Query time: 1 msec
> ;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
> ;; WHEN: Tue Sep 20 12:17:03 CEST 2022
> ;; MSG SIZE  rcvd: 54
> 
> 
> We have a fairly simple configuration, just on what address and port to
> listen on, to use the same address for outgoing queries, and a short
> list of addresses that are allowed to query.
> 
> I have confirmed this problem up to and including version 4.6.3
> 
> Anyone an idea on how to approach this matter?
> 
> Regards
> 
> 
> 
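
The failure pattern read out of the --trace run in the reply above (TC=1 over UDP, then a timeout on the TCP retry, then throttling) can be pulled out of a trace mechanically. The following is an added example, not part of the original thread and not PowerDNS code; the function names `summarize` and `tc_but_no_tcp` are hypothetical, and the parser assumes only the line formats visible in the trace quoted in this thread.

```python
import re
from collections import defaultdict

# Subset of the --trace lines quoted in this thread, mail line-wrapping undone.
TRACE = """\
Sep 22 09:51:02 [2] riecis.nl: Trying IP 159.46.194.12:53, asking 'riecis.nl|A'
Sep 22 09:51:02 [2] riecis.nl: truncated bit set, over UDP
Sep 22 09:51:02 [2] riecis.nl: using TCP with 159.46.194.12:53
Sep 22 09:51:03 [1] riecis.nl: timeout resolving after 1857.92msec over TCP
Sep 22 09:51:03 [1] riecis.nl: Trying IP 159.46.194.12:53, asking 'riecis.nl|A'
Sep 22 09:51:03 [2] riecis.nl: timeout resolving after 1538.18msec over TCP
Sep 22 09:51:03 [2] riecis.nl: Trying IP [2a04:9a04:18ad:8a04::3:0]:53, asking 'riecis.nl|A'
Sep 22 09:51:03 [2] riecis.nl: query throttled 2a04:9a04:18ad:8a04::3:0, riecis.nl; A
Sep 22 09:51:03 [2] riecis.nl: Trying IP 159.46.194.11:53, asking 'riecis.nl|A'
Sep 22 09:51:03 [2] riecis.nl: query throttled 159.46.194.11, riecis.nl; A
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \[\d+\] (\S+): (.*)$")
TRYING = re.compile(r"Trying IP (?:\[([0-9a-fA-F:]+)\]|([\d.]+)):\d+, asking")

def summarize(trace):
    """Return {qname: {server_ip: {event: count}}} from recursor --trace text."""
    stats = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    current = {}  # qname -> server being tried; the [n] thread id changes mid-query
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        qname, msg = m.groups()
        t = TRYING.match(msg)
        if t:
            current[qname] = t.group(1) or t.group(2)
        elif qname in current:
            ev = stats[qname][current[qname]]
            if msg.startswith("truncated bit set, over UDP"):
                ev["tc_over_udp"] += 1
            elif msg.startswith("timeout resolving") and "over TCP" in msg:
                ev["tcp_timeout"] += 1
            elif msg.startswith("query throttled"):
                ev["throttled"] += 1
    return stats

def tc_but_no_tcp(stats):
    """Servers that set TC=1 over UDP and then timed out on the TCP retry."""
    return sorted({ip for servers in stats.values() for ip, ev in servers.items()
                   if ev["tc_over_udp"] and ev["tcp_timeout"]})

if __name__ == "__main__":
    print(tc_but_no_tcp(summarize(TRACE)))
```

Events are keyed on the query name rather than the `[n]` thread id because, as the trace shows, one resolution is logged under both `[1]` and `[2]`.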
