[Pdns-users] Authoritative PDNS gives back non-authoritative Answers for records
Otto Moerbeek
otto at drijf.net
Sat Nov 2 07:19:38 UTC 2024
On Sat, Nov 02, 2024 at 08:04:19AM +0100, rob777 via Pdns-users wrote:
> Hi
>
> >AUTHORITY has nothing to do with whether the answer is authoritative. You
> need to look at the flags
>
> Yes I've realized that after more research that the aa flag is the real
> thing to look for.
>
> The pdns-recursor runs on port 53 on the server and forwards the queries for
> the internal zone through the forward-zone file to the port 53 of the
> pdns authoritative on the same server - like
>
> ...
> example1.mydomain.com=10.0.11.100:5300
> ...
>
> I found other posts in pdns mailings about the same with no answers:
> https://mailman.powerdns.com/pipermail/pdns-dev/2020-April/001775.html
> And then another one in a little bit of a different context but with
> someone replying at the end of the thread that this is an expected behavior
>
> ->
> https://pdns-users.mailman.powerdns.narkive.com/FjxQ55ou/recursor-pdns-authoritative-and-axfr-problem
>
> So from research i found two basic sides:
>
> a) some say this is the expected behavior and is correct
> b) others are worried about it too and are not sure whether this
> generates problems for some stuff or not
>
> So it leaves me guessing whether I have to care about it for my internal
> DNS infrastructure (I'm pretty sure that it would not be a problem but not
> 100% sure)
Not setting the aa bit is by design. Only answers directly coming from
an authoritative server are supposed to set the aa bit. See
https://www.rfc-editor.org/rfc/rfc1035#section-4.1.1
For clients it does not matter. It only matters in recursor <->
authoritative server traffic.
-Otto
>
>
> > BTW, obfuscation isn't ever helpful for having people help on a mailing
> list [1]
>
> I agree - especially if the obfuscation is not done in a proper way.
>
>
> Am Fr., 1. Nov. 2024 um 15:10 Uhr schrieb Jan-Piet Mens via Pdns-users <
> pdns-users at mailman.powerdns.com>:
>
> > >$ dig test.example1.mydomain.com @<ip-of-my secondary>
> > >; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu
> > >...
> > >;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> >
> > >As you can see above "AUTHORITY: 0" is a non-authoritative answer
> >
> > AUTHORITY has nothing to do with whether the answer is authoritative. You
> > need to look at the flags: this query has RD (recursion desired) and RA
> > (recursion available), meaning you are querying a recursive server and
> > hence no AA (authoritative answer) in the flags.
> >
> > BTW, obfuscation isn't ever helpful for having people help on a mailing
> > list [1]
> >
> >
> > -JP
> >
> > [1]
> > https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open
> > _______________________________________________
> > Pdns-users mailing list
> > Pdns-users at mailman.powerdns.com
> > https://mailman.powerdns.com/mailman/listinfo/pdns-users
> >
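To make the flags point concrete, here is an added example (not code from this thread or from PowerDNS) that decodes the fixed DNS header from RFC 1035 section 4.1.1, prints the flags the way dig does, and classifies an answer by the aa bit rather than by the AUTHORITY count. The header bytes are constructed for the demonstration; the names and the `classify_answer` labels are my own.

```python
import struct

# Bit masks for the 16-bit FLAGS field of the DNS header (RFC 1035 section 4.1.1).
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
FLAG_NAMES = (("qr", FLAG_QR), ("aa", FLAG_AA), ("tc", FLAG_TC), ("rd", FLAG_RD), ("ra", FLAG_RA))


def parse_header(raw: bytes) -> dict:
    """Decode the fixed 12-byte header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    if len(raw) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", raw[:12])
    h = {name: bool(flags & mask) for name, mask in FLAG_NAMES}
    h.update(id=ident, rcode=flags & 0x000F, qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return h


def flags_line(h: dict) -> str:
    """Render the set flags the way dig prints them, e.g. 'qr rd ra'."""
    return " ".join(name for name, _ in FLAG_NAMES if h[name])


def classify_answer(raw: bytes) -> str:
    """Authoritativeness comes only from the aa bit, never from the AUTHORITY (NSCOUNT) value."""
    h = parse_header(raw)
    if not h["qr"]:
        return "query"
    if h["aa"]:
        return "authoritative"
    if h["ra"]:
        return "non-authoritative (answered by a recursive resolver)"
    return "non-authoritative"


def build_header(ident: int, flags: int, qd=1, an=1, ns=0, ar=1) -> bytes:
    """Constructed header bytes for the demonstration; not a real capture."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


# The thread's dig output: flags qr rd ra, AUTHORITY: 0 -> answered by the recursor, aa cleared.
RECURSOR_REPLY = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)
# The same record asked of the authoritative server directly: aa set, no ra.
AUTH_REPLY = build_header(0x1234, FLAG_QR | FLAG_AA | FLAG_RD)
# A resolver's negative answer carrying an SOA: AUTHORITY: 1, yet still not authoritative.
RECURSOR_NODATA = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA, an=0, ns=1)

if __name__ == "__main__":
    for label, msg in (("recursor", RECURSOR_REPLY), ("auth", AUTH_REPLY), ("nodata", RECURSOR_NODATA)):
        h = parse_header(msg)
        print(f"{label:8s} flags: {flags_line(h)}; AUTHORITY: {h['nscount']} -> {classify_answer(msg)}")
```

Applied to real traffic, the same check separates a recursor's forwarded reply from a direct authoritative one regardless of how many records sit in the AUTHORITY section.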