[Pdns-users] Issues with forward-zones-recurse

Otto Moerbeek otto at drijf.net
Sat Jun 3 06:56:16 UTC 2023


On Fri, Jun 02, 2023 at 08:07:16PM -0300, Thiago G. Alencar via Pdns-users wrote:

> Hello,
> 
> I have a strange situation. When the "forward-zones-recurse" option is
> activated, after the expiration of record type A in the cache, the next
> queries will have no response but will be NOERROR.
> 
> In the log, the trace shows "Step0 found in cache" and completes the query
> without an answer (without running the recursion).
> 
> Tests were done with both versions 4.6 and 4.8 of the pdns recursor.
> 
> Has anyone ever had a problem like this?



This is something discussed on IRC yesterday. *This* report is pretty
useless, as it lacks full config and logs.

On IRC (after you left), the issue was diagnosed as a case where
aggressive caching hits a problem, caused by an authoritative sending
a wrong NSEC3 answer. The problem is this wrong answer lets the
recursor conclude certain records do not exist if aggressive caching
is enabled.

This can be worked around by setting aggressive-nsec-cache-size to 0.
The upcoming 4.9.0 version will have a way to disable aggressive
caching for NSEC3 only, still allowing it for the NSEC case.

Some background info: https://en.blog.nic.cz/2019/07/10/error-in-dnssec-implementation-on-f5-big-ip-load-balancers/

It is sad that 4 years after this was written, buggy F5 load balancers
still cause issues for resolvers.

	-Otto
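The cache inference Otto describes, as an added illustration that is not part of this thread and not PowerDNS code: a toy validating recursor that, at "Step 0", tries to prove non-existence from previously cached NSEC records before recursing. It uses NSEC with plain owner names for readability (NSEC3 applies the same interval logic to hashed owner names), the `aggressive_nsec_cache_size` field mirrors the recursor setting named in the message, and the zone, the type bitmaps and the deliberately wrong NSEC record are all constructed sample values.

```python
"""Toy model of RFC 8198 aggressive negative caching in a validating recursor.

Added illustration, not PowerDNS code. NSEC with plain names is used instead
of NSEC3 for readability; all zone data and the wrong NSEC are constructed.
"""
from dataclasses import dataclass, field


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 canonical ordering: labels compared from the
    root leftwards, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


@dataclass(frozen=True)
class Nsec:
    owner: str
    next_name: str
    types: frozenset  # type bitmap of the owner name


def nsec_denies(rec: Nsec, qname: str, qtype: str):
    """'NXDOMAIN' if rec proves qname does not exist, 'NODATA' if it proves
    qname exists but has no qtype, else None (rec says nothing about qname)."""
    o, n, q = canonical_key(rec.owner), canonical_key(rec.next_name), canonical_key(qname)
    if q == o:
        return None if qtype in rec.types else "NODATA"
    # The zone's last NSEC points back to the apex, so its interval wraps.
    covered = (o < q < n) if o < n else (q > o or q < n)
    return "NXDOMAIN" if covered else None


@dataclass
class Authoritative:
    """Constructed zone: name -> {type: rdata}, plus the NSEC it attaches to a
    negative answer about each name (correct, or deliberately wrong)."""
    records: dict
    nsec_for: dict

    def query(self, qname: str, qtype: str):
        rrs = self.records.get(qname.lower(), {})
        if qtype in rrs:
            return "NOERROR", rrs[qtype], None
        rcode = "NOERROR" if rrs else "NXDOMAIN"  # NODATA vs. name missing
        return rcode, [], self.nsec_for.get(qname.lower())


@dataclass
class Recursor:
    upstream: Authoritative
    aggressive_nsec_cache_size: int = 100_000  # 0 disables aggressive caching
    nsec_cache: list = field(default_factory=list)
    upstream_queries: int = 0

    def resolve(self, qname: str, qtype: str):
        # Step 0: answer from the validated NSEC cache without recursing.
        for rec in self.nsec_cache:
            verdict = nsec_denies(rec, qname, qtype)
            if verdict:
                return ("NXDOMAIN" if verdict == "NXDOMAIN" else "NOERROR"), [], "cache"
        # Nothing in the cache proves a negative: recurse to the authoritative.
        self.upstream_queries += 1
        rcode, rdata, nsec = self.upstream.query(qname, qtype)
        if nsec is not None and self.aggressive_nsec_cache_size > 0:
            self.nsec_cache.append(nsec)  # validated NSEC enters the aggressive cache
        return rcode, rdata, "upstream"


def demo(buggy: bool, cache_size: int):
    """Reproduce the reported symptom: after a NODATA answer for AAAA, a later
    A query is answered NOERROR with no records straight from the cache when
    the authoritative's NSEC wrongly omitted A from the type bitmap."""
    name = "www.example.org."
    good = Nsec(name, "example.org.", frozenset({"A", "RRSIG", "NSEC"}))
    bad = Nsec(name, "example.org.", frozenset({"RRSIG", "NSEC"}))  # constructed bug: no A
    auth = Authoritative({name: {"A": ["192.0.2.10"]}}, {name: bad if buggy else good})
    rec = Recursor(auth, aggressive_nsec_cache_size=cache_size)
    rec.resolve(name, "AAAA")   # NODATA; the attached NSEC is cached
    return rec.resolve(name, "A")  # positive A entry assumed expired; ask again
```

`demo(True, 100000)` returns `("NOERROR", [], "cache")`, the empty NOERROR from "Step0 found in cache" in the original report, while `demo(True, 0)` (the workaround, no aggressive cache) and `demo(False, 100000)` (a correct NSEC) both go upstream and return the A record.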

