Hello Sebastian,

On Nov 7, 2012, at 15:09, Posner, Sebastian wrote:

>> The problem is that PowerDNS only asks the backend things, it
>> does not know what is 'in' the backend. And while we can do
>> certain tests to determine if data is correct, we can't do them all.
>
> Full ACK, but in this special case, pdns already IS actively
> correcting the answer with normal queries; so one should think
> this to be the case with *any* methods of accessing data through
> pdns; or at least coherently not work around this error anywhere.
> Or log it, for logfile-monitoring to find it and trigger human
> corrective labour ;-)

PowerDNS does not actively correct with normal queries. With normal queries, it first asks the backend for CNAME; it does not even ask for or see anything else.

During AXFR however, we ask the backend for ALL data. No checking on this data happens except syntax (can't generate DNS records on the wire without parsing), deduplication (since this week, really) and some ordering for the signer thread.

In other words, during AXFR this CNAME check would mean extra code, while during normal query processing it is free.

The best weapon we currently have against bad zone data is pdnssec check-zone. Enhancement requests for check-zone are always welcome as tickets on wiki.powerdns.com - and if we ever do decide to add more checking/filtering to pdns_server, the check-zone checklist is the first thing we will look at!

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
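The CNAME check discussed in the message above, run over a full record set the way an AXFR sees it, as an added example (not PowerDNS code, and not how pdnssec check-zone is implemented). The (name, type, content) tuple layout, the function names and the sample zone are assumptions constructed for illustration.

```python
from collections import defaultdict

# Types that may legitimately share an owner name with a CNAME in a signed zone.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}

def normalize(name):
    """DNS names compare case-insensitively; ignore a trailing dot."""
    return name.rstrip(".").lower()

def find_cname_conflicts(records):
    """Return {owner: problem} for names where a CNAME coexists with other
    data, or where more than one distinct CNAME target is present."""
    types = defaultdict(set)
    targets = defaultdict(set)
    for name, rtype, content in records:
        owner = normalize(name)
        rtype = rtype.upper()
        types[owner].add(rtype)
        if rtype == "CNAME":
            targets[owner].add(normalize(content))
    problems = {}
    for owner, seen in types.items():
        if "CNAME" not in seen:
            continue
        extra = sorted(seen - ALLOWED_WITH_CNAME)
        if extra:
            problems[owner] = "CNAME with other data: " + ", ".join(extra)
        elif len(targets[owner]) > 1:
            problems[owner] = "multiple CNAME targets: " + ", ".join(sorted(targets[owner]))
    return problems

# Constructed sample: the full record set a backend might hand back for AXFR.
SAMPLE_ZONE = [
    ("example.org", "SOA", "ns1.example.org hostmaster.example.org 1 3600 600 86400 300"),
    ("example.org", "NS", "ns1.example.org"),
    ("ns1.example.org", "A", "192.0.2.1"),
    ("www.example.org", "CNAME", "web.example.org"),
    ("WWW.example.org.", "A", "192.0.2.10"),  # conflict; differs only in case and dot
    ("web.example.org", "A", "192.0.2.10"),
    ("ftp.example.org", "CNAME", "web.example.org"),
    ("ftp.example.org", "RRSIG", "CNAME 8 3 3600 (constructed)"),  # allowed with CNAME
    ("mail.example.org", "CNAME", "mx1.example.org"),
    ("mail.example.org", "CNAME", "mx2.example.org"),  # second target at same name
]

if __name__ == "__main__":
    for owner, problem in sorted(find_cname_conflicts(SAMPLE_ZONE).items()):
        print(f"{owner}: {problem}")
```

Grouping by normalized owner name matters here: a backend can store the conflicting rows with different case or a trailing dot, and a per-row comparison would miss them.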