[Pdns-users] mwscdn.ru issue

Andrey Sedletsky asedletsky at spd-mgts.ru
Fri Dec 15 15:47:13 UTC 2023


Good day!

Andrey Sedletsky, PJSC MGTS (Moscow City Telephone Network)

One of our clients contacted us with a problem about the inability to resolve the resources of their zone (mwscdn.ru) through the DNS servers (pdns-recursor) of our network.

In this case, the problem is of a floating nature.

If you look at the server cache, you can see negative entries for the NS servers in their zone when the resource topf66787c7.mwscdn.ru is resolved (at the same time, the resource itself resolves successfully):

 

less pdns-cache | grep mwscdn.ru

topf66787c7.mwscdn.ru. 300 281 IN A 185.242.19.1 ; (Insecure) auth=1 zone=mwscdn.ru from=185.242.17.17 nm= rtag= ss=0

ns1.mwscdn.ru. 86400 86381 IN A 185.242.16.16 ; (Indeterminate) auth=0 zone=ru from=193.232.156.17 nm= rtag= ss=0

ns2.mwscdn.ru. 86400 86381 IN A 185.242.17.17 ; (Indeterminate) auth=0 zone=ru from=193.232.156.17 nm= rtag= ss=0

mwscdn.ru. 86400 86381 IN NS ns1.mwscdn.ru. ; (Insecure) auth=1 zone=mwscdn.ru from=185.242.17.17 nm= rtag= ss=0

mwscdn.ru. 86400 86381 IN NS ns2.mwscdn.ru. ; (Insecure) auth=1 zone=mwscdn.ru from=185.242.17.17 nm= rtag= ss=0

mwscdn.ru. 3600 3582 IN SOA ns1.mwscdn.ru. mwsdns.mts.ru. 2023110101 3600 600 604800 1800 ; (Indeterminate) auth=1 zone=mwscdn.ru from=185.242.16.16 nm= rtag= ss=0

ns1.mwscdn.ru. 882 IN TYPE0 VIA mwscdn.ru. ; (Indeterminate) origttl=900 ss=0                             <----- negative

mwscdn.ru. 882 IN SOA ns1.mwscdn.ru. mwsdns.mts.ru. 2023110101 3600 600 604800 1800 ; (Indeterminate)

ns2.mwscdn.ru. 881 IN TYPE0 VIA mwscdn.ru. ; (Indeterminate) origttl=900 ss=0                             <----- negative

mwscdn.ru. 881 IN SOA ns1.mwscdn.ru. mwsdns.mts.ru. 2023110101 3600 600 604800 1800 ; (Indeterminate)

mwscdn.ru. 881 IN DS VIA ru. ; (Insecure) origttl=900 ss=0

topf66787c7.mwscdn.ru. 281 A ; tag 0 udp

 

The same is confirmed via the rec_control trace-regex:

 

journalctl -u pdns-recursor --no-pager --since "2023-12-14 19:04:00" | grep "Dec 14 19:06:43"

Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: msg="Request" subsystem="webserver" level="0" prio="Info" tid="0" ts="1702570003.365" HTTPVersion="1.1" method="GET" remote="62.112.112.1:62242" respsize="20279" status="200" uniqueid="bab86c67-26f2-4286-9643-be086a804101" urlpath="/api/v1/servers/localhost/statistics"

Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: msg="Question" subsystem="syncres" level="0" prio="Info" tid="19" ts="1702570003.907" ecs="" mtid="15" proto="udp" qname="ns2.mwscdn.ru" qtype="A" remote="94.29.125.110:56823"

Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: : no TA found for 'ns2.mwscdn.ru' among 1

Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: : no TA found for 'mwscdn.ru' among 1

Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: : no TA found for 'ru' among 1

Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: : got TA for '.'

Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: QM ns2.mwscdn.ru.|A child=(empty): doResolve

Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: ns2.mwscdn.ru: Wants DNSSEC processing, auth data in query for A

Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: ns2.mwscdn.ru: Recursion not requested for 'ns2.mwscdn.ru|A', peeking at auth/forward zones

Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: ns2.mwscdn.ru: Entire name 'ns2.mwscdn.ru' is negatively cached via 'mwscdn.ru' for another 895 seconds

Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: ns2.mwscdn.ru: updating validation state with negative cache content for ns2.mwscdn.ru to Indeterminate

Dec 14 19:06:43 a975-icache02 pdns-recursor[2432895]: QM ns2.mwscdn.ru.|A child=(empty): Step0 Found in cache

 

Entries like "(Indeterminate)" seem to indicate problems with DNSSEC, but the client claims that he does not use DNSSEC, and that his zone is not signed.

Attempting to disable DNSSEC validation with either

dnssec=process-no-validate

or

dnssec=off

doesn't change anything - the NS servers still get into the negative cache. It feels like DNSSEC validation is not disabled when the settings are changed.

 

Please help us understand the cause of the problem.

 

Public Bug Tracker Info:

System: Oracle Linux Server release 9.2 (5.15.0-101.103.2.1.el9uek.x86_64)

PDNS Recursor version: pdns-recursor-4.8.4-1.el9.x86_64

Installed: from repository via dnf.

No DNSSEC.

No backends.

On another system (OL8), in an older version of PowerDNS Recursor (pdns-recursor-4.4.6-1 dns.8.x86_64), this problem does not reproduce:

Dec 14 21:18:24 a975-icache02 pdns-recursor[2494258]: ns2.mwscdn.ru: Wants DNSSEC processing, auth data in query for A                                                        <--- There is a problem

-----

Dec 14 21:47:20 a355-icache01 pdns_recursor[2613489]:  ns2.mwscdn.ru: Wants DNSSEC processing, NO auth data in query for A                                        <--- no problem

 

 

Thank you in advance.

 

Best regards,

Andrey
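
One way to automate the cache check described in this post, as an added example that is not part of the original message or of PowerDNS itself: it parses cache-dump lines in the layout quoted above and reports names that are NS targets for a zone while also sitting in the negative cache. The function names are hypothetical, and the regular expressions assume only the line format visible in the quoted dump.

```python
import re

# Sample input: lines copied from the cache dump quoted in the post.
SAMPLE_DUMP = """\
ns1.mwscdn.ru. 86400 86381 IN A 185.242.16.16 ; (Indeterminate) auth=0 zone=ru from=193.232.156.17 nm= rtag= ss=0
ns2.mwscdn.ru. 86400 86381 IN A 185.242.17.17 ; (Indeterminate) auth=0 zone=ru from=193.232.156.17 nm= rtag= ss=0
mwscdn.ru. 86400 86381 IN NS ns1.mwscdn.ru. ; (Insecure) auth=1 zone=mwscdn.ru from=185.242.17.17 nm= rtag= ss=0
mwscdn.ru. 86400 86381 IN NS ns2.mwscdn.ru. ; (Insecure) auth=1 zone=mwscdn.ru from=185.242.17.17 nm= rtag= ss=0
ns1.mwscdn.ru. 882 IN TYPE0 VIA mwscdn.ru. ; (Indeterminate) origttl=900 ss=0
mwscdn.ru. 882 IN SOA ns1.mwscdn.ru. mwsdns.mts.ru. 2023110101 3600 600 604800 1800 ; (Indeterminate)
ns2.mwscdn.ru. 881 IN TYPE0 VIA mwscdn.ru. ; (Indeterminate) origttl=900 ss=0
mwscdn.ru. 881 IN DS VIA ru. ; (Insecure) origttl=900 ss=0
"""

# Positive entry: name origttl ttl IN type rdata ; (state) auth=N ...
POSITIVE = re.compile(r"^(\S+)\s+\d+\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*;\s*\((\w+)\)\s+auth=(\d)")
# Negative entry: name ttl IN type VIA zone ; (state) ...  (TYPE0 marks the whole-name entries)
NEGATIVE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+VIA\s+(\S+)\s*;\s*\((\w+)\)")

def parse_dump(text):
    """Split dump lines into positive and negative cache entries; other lines are skipped."""
    positive, negative = [], []
    for line in text.splitlines():
        if m := NEGATIVE.match(line.strip()):
            name, ttl, qtype, via, state = m.groups()
            negative.append(dict(name=name.lower(), ttl=int(ttl), qtype=qtype, via=via, state=state))
        elif m := POSITIVE.match(line.strip()):
            name, ttl, qtype, rdata, state, auth = m.groups()
            positive.append(dict(name=name.lower(), ttl=int(ttl), qtype=qtype, rdata=rdata, auth=auth == "1"))
    return positive, negative

def negatively_cached_nameservers(text):
    """Report NS targets that are negatively cached for the whole name or an address type."""
    positive, negative = parse_dump(text)
    delegations = {}  # nameserver host -> zones whose cached NS set points at it
    for rec in positive:
        if rec["qtype"] == "NS":
            delegations.setdefault(rec["rdata"].lower(), set()).add(rec["name"])
    findings = []
    for neg in negative:
        if neg["name"] in delegations and neg["qtype"] in ("TYPE0", "A", "AAAA"):
            glue = [(p["rdata"], p["auth"]) for p in positive
                    if p["name"] == neg["name"] and p["qtype"] in ("A", "AAAA")]
            findings.append(dict(nameserver=neg["name"], zones=sorted(delegations[neg["name"]]),
                                 negative_type=neg["qtype"], via=neg["via"], ttl_left=neg["ttl"], cached_addresses=glue))
    return findings

if __name__ == "__main__":
    for finding in negatively_cached_nameservers(SAMPLE_DUMP):
        print(finding)
```

On the sample, both ns1.mwscdn.ru. and ns2.mwscdn.ru. are reported together with their cached auth=0 addresses, while the negative DS entry for mwscdn.ru. is ignored.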

 
