[Pdns-users] pdns-recursor (4.6) empty response after expiration of the TTL of the cached record

Leeflangetje leeflangetje at gmail.com
Thu Sep 22 09:40:35 UTC 2022


Thank you for digging into the issue with that domain :)

The reason we never encountered this before the upgrade to 4.6 must be
the change in default behaviour regarding dnssec, which went from
"process-no-validate" to "process", I assume.
(We came from 4.2)


On Thu, 2022-09-22 at 10:26 +0200, abang--- via Pdns-users wrote:
> True, TCP is broken as well.
> 
> On 22 September 2022 10:01:58 CEST, Otto Moerbeek
> <otto at drijf.net> wrote:
> > On Thu, Sep 22, 2022 at 09:41:57AM +0200, abang--- via Pdns-users
> > wrote:
> > 
> > > The "NSEC3 proving non-existence" of this zone is broken. See
> > > https://dnsviz.net/d/riecis.nl/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=
> > > 
> > > You can work around this issue by setting an NTA for it on your
> > > Recursors. It is recommended to inform the owner of the zone in
> > > order to fix the root cause.
> > > 
> > > Winfried 
> > > 
> > 
> > Agreed, but given my findings in the other post I'm not convinced
> > it will solve *all* issues with that domain.
> > 
> > -Otto
> > 
> > > 
> > > 
> > > 
> > > On 22 September 2022 09:27:20 CEST, Leeflangetje via
> > > Pdns-users <pdns-users at mailman.powerdns.com> wrote:
> > > > Hi,
> > > > 
> > > > Since we upgraded to pdns-recursor 4.6 we sometimes experience
> > > > some weird behaviour with queries via pdns-recursor.
> > > > 
> > > > Sometimes, when a previously queried record expires through
> > > > its TTL, the recursor does not provide an answer anymore, until
> > > > it's restarted.
> > > > 
> > > > Unfortunately I am not able to reproduce this. It happens
> > > > occasionally.
> > > > When it happens, we see this: 
> > > > 
> > > > Faulty server:
> > > > 
> > > > dig @ns1 riecis.nl A
> > > > 
> > > > ; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @ns1 riecis.nl A
> > > > ; (1 server found)
> > > > ;; global options: +cmd
> > > > ;; Got answer:
> > > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27148
> > > > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> > > > 
> > > > ;; OPT PSEUDOSECTION:
> > > > ; EDNS: version: 0, flags:; udp: 512
> > > > ;; QUESTION SECTION:
> > > > ;riecis.nl. IN A
> > > > 
> > > > ;; AUTHORITY SECTION:
> > > > riecis.nl. 2828 IN SOA ns1.minvenj.nl. hostmaster.solvinity.com. 2022010301 1800 300 604800 3600
> > > > 
> > > > ;; Query time: 2 msec
> > > > ;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
> > > > ;; WHEN: Tue Sep 20 12:16:55 CEST 2022
> > > > ;; MSG SIZE rcvd: 110
> > > > 
> > > > other server:
> > > > 
> > > > dig @ns2 riecis.nl A
> > > > 
> > > > ; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @ns2 riecis.nl A
> > > > ; (1 server found)
> > > > ;; global options: +cmd
> > > > ;; Got answer:
> > > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61517
> > > > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> > > > 
> > > > ;; OPT PSEUDOSECTION:
> > > > ; EDNS: version: 0, flags:; udp: 512
> > > > ;; QUESTION SECTION:
> > > > ;riecis.nl. IN A
> > > > 
> > > > ;; ANSWER SECTION:
> > > > riecis.nl. 224 IN A 159.46.204.40
> > > > 
> > > > ;; Query time: 1 msec
> > > > ;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
> > > > ;; WHEN: Tue Sep 20 12:17:03 CEST 2022
> > > > ;; MSG SIZE rcvd: 54
> > > > 
> > > > 
> > > > We have a fairly simple configuration, just on what address and
> > > > port to listen on, to use the same address for outgoing queries,
> > > > and a short list of addresses that are allowed to query.
> > > > 
> > > > I have confirmed this problem up to and including version 4.6.3
> > > > 
> > > > Does anyone have an idea on how to approach this matter?
> > > > 
> > > > Regards
> > > > 
> > > > 
> > > > 
> > > 
> > 
> > > 
> > 
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
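
Added example (not part of the original thread and not PowerDNS code): a Python check that classifies dig output and flags a resolver returning NODATA while a peer still returns an answer, which is the symptom reported in this thread. The two sample transcripts are constructed from the dig output quoted above (abridged, lines unwrapped); all function names are hypothetical.

```python
import re

# Constructed sample input, abridged from the two dig transcripts in the thread.
FAULTY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27148
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
riecis.nl. 2828 IN SOA ns1.minvenj.nl. hostmaster.solvinity.com. 2022010301 1800 300 604800 3600
"""
HEALTHY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61517
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
riecis.nl. 224 IN A 159.46.204.40
"""

def parse_dig(text):
    """Extract rcode, header flags, ANSWER count and SOA presence from dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([a-z ]*);", text)
    counts = {k: int(v) for k, v in re.findall(r"(ANSWER|AUTHORITY): (\d+)", text)}
    soa = bool(re.search(r"^\S+\s+\d+\s+IN\s+SOA\s", text, re.M))
    return {"rcode": status.group(1) if status else None,
            "flags": set(flags.group(1).split()) if flags else set(),
            "answer": counts.get("ANSWER", 0),
            "soa": soa}

def classify(text):
    """ANSWER, NODATA (NOERROR, no answer, SOA in authority), EMPTY, or the rcode."""
    r = parse_dig(text)
    if r["rcode"] is None:
        return "UNPARSED"
    if r["rcode"] != "NOERROR":
        return r["rcode"]
    if r["answer"] > 0:
        return "ANSWER"
    return "NODATA" if r["soa"] else "EMPTY"

def compare(responses):
    """responses maps resolver name -> dig output; returns alerts for resolvers
    that give no answer while at least one other resolver does."""
    kinds = {name: classify(text) for name, text in responses.items()}
    if "ANSWER" not in kinds.values():
        return []
    alerts = []
    for name, kind in sorted(kinds.items()):
        if kind != "ANSWER":
            ad = "set" if "ad" in parse_dig(responses[name])["flags"] else "clear"
            alerts.append(f"{name}: {kind} (AD {ad}) while another resolver returns ANSWER")
    return alerts
```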
