[Pdns-users] Rectify QNAME issues
Jason Tremblett
jtremblett at proofpoint.com
Tue Apr 22 16:25:33 UTC 2025
Hi all,
We are having issues with the way that QNAME minimization works and would like to know if there is a way to improve our process to resolve the issue.
Backend: postgresql DB
Frontend: authoritative server
DNSSEC Enabled with NSEC3 Narrow (1 0 50 -)
Zone file contains 60k TXT records in the form (zone replaced with the.domain.com):
a.b.c.the.domain.com TXT "a.b.c text record"
b.b.c.the.domain.com TXT "b.b.c text record"
c.b.c.the.domain.com TXT "c.b.c text record"
d.e.f.the.domain.com TXT "d.e.f text record"
...
We use pdnsutil to upload the zone file, increase the serial and rectify:
pdnsutil load-zone the.domain.com the.domain.com.zone
pdnsutil increase-serial the.domain.com
pdnsutil rectify-zone the.domain.com
Because of the large number of records, this process can take about 10 minutes from beginning to end.
With QNAME minimization, we are going to ask for the A record for c.the.domain.com as part of the chain of queries from the resolver. Starting at 1 minute after the load-zone command we start getting an NXDOMAIN rather than the expected NOERROR. We have a 60 second cache, so this seems likely to start the moment the zone file is loaded. The NXDOMAIN continues until about 1 minute after rectify-zone is completed and then clears until the zone is loaded again.
Is there any way to improve the way this process is managed to prevent the NXDOMAIN responses completely? It seems that even in the case of a smaller zone with fewer records the potential to get an NXDOMAIN for a non-cached entry could occur between the load-zone and rectify-zone (although obviously the window would be smaller).
Thanks for your input!
Jason Tremblett
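The following is an added example, not code from the post or from PowerDNS. It models the mechanism behind the window Jason describes, under one assumption that the post itself does not state: the SQL backend only answers for names that have rows, and `pdnsutil rectify-zone` is what inserts the empty non-terminal (ENT) rows such as c.the.domain.com and b.c.the.domain.com for a DNSSEC zone. Until those rows exist, a QNAME-minimising resolver that asks for c.the.domain.com on its way to a.b.c.the.domain.com gets NXDOMAIN and negatively caches it. The zone name and the four owner names are the ones from the post; the functions and the lookup model are hypothetical and constructed for illustration.

```python
"""
Added example: compute the empty non-terminals a DNSSEC zone needs and show
how a QNAME-minimising resolver's query chain fares before and after those
names exist in the backend.

Assumption (not stated in the post): names without rows answer NXDOMAIN;
rectify-zone is what creates the ENT rows.
"""

ZONE = "the.domain.com"

# Constructed sample in the shape shown in the post; the real zone has ~60k.
OWNERS = [
    "a.b.c.the.domain.com",
    "b.b.c.the.domain.com",
    "c.b.c.the.domain.com",
    "d.e.f.the.domain.com",
]


def in_zone(name: str, zone: str) -> bool:
    """True if name is the apex or lies below it."""
    return name == zone or name.endswith("." + zone)


def empty_non_terminals(owners, zone):
    """Names between each owner and the apex that carry no records of their
    own. This is the set rectify-zone must materialise as ENT rows."""
    have = set(owners) | {zone}
    ents = set()
    zone_depth = len(zone.split("."))
    for owner in owners:
        parts = owner.split(".")
        depth = len(parts) - zone_depth
        # climb from the owner's parent up to, but not including, the apex
        for i in range(1, depth):
            parent = ".".join(parts[i:])
            if parent not in have:
                ents.add(parent)
    return sorted(ents)


def minimised_chain(qname, zone):
    """In-zone names a QNAME-minimising resolver asks, apex first, on the way
    to qname (the labels above the apex are asked of other servers)."""
    parts = qname.split(".")
    depth = len(parts) - len(zone.split("."))
    return [".".join(parts[i:]) for i in range(depth, -1, -1)]


def rcode(stored_names, qname, zone):
    """Hypothetical model of the authoritative lookup: a name with rows
    (record or ENT) gets NOERROR, any other name inside the zone NXDOMAIN."""
    if not in_zone(qname, zone):
        return "REFUSED"
    return "NOERROR" if qname in stored_names else "NXDOMAIN"


def walk(stored_names, qname, zone):
    """Rcode at each step of the minimised chain. The first NXDOMAIN is where
    a resolver stops and caches the negative answer for its negative TTL."""
    return [(name, rcode(stored_names, name, zone))
            for name in minimised_chain(qname, zone)]


def before_rectify(qname="a.b.c.the.domain.com"):
    """State right after load-zone: only the TXT owners and the apex exist."""
    return walk(set(OWNERS) | {ZONE}, qname, ZONE)


def after_rectify(qname="a.b.c.the.domain.com"):
    """State after rectify-zone: the ENT rows are present as well."""
    stored = set(OWNERS) | {ZONE} | set(empty_non_terminals(OWNERS, ZONE))
    return walk(stored, qname, ZONE)


if __name__ == "__main__":
    print("ENT rows rectify must add:", empty_non_terminals(OWNERS, ZONE))
    print("before rectify:", before_rectify())
    print("after rectify: ", after_rectify())
```

The before/after walk is the check to reproduce against a real server with `dig +norecurse` for the ENT names at each stage of the load procedure; the model only explains why the NXDOMAIN appears as soon as the zone is loaded and disappears once rectification has finished, which matches the timing in the post once the 60 second negative cache is added.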