I've been trying out PowerDNS 3.0 and I've found a change in the handling of CNAME records which seems to break some recursors, including the PowerDNS recursor.

In 2.9.22.x3, the last release before 3.0, the behaviour when asked for a name which has an associated CNAME record pointing to a zone for which this nameserver is not authoritative is as follows: if the RD flag is set in the query, it gives SERVFAIL, does not set the AA flag, and returns only the single CNAME record in the ANSWER section with no AUTHORITY or ADDITIONAL records. If the RD flag is *not* set, it gives NOERROR, sets the AA flag, and returns the root server information in the AUTHORITY and ADDITIONAL sections along with the CNAME record in the ANSWER section. The pdns recursor does not set the RD flag so it sees the latter response, and makes its own queries to resolve the right-hand side of the CNAME record. It then returns the desired response to the original query which it was trying to resolve.

In 3.0rc2, the behaviour does not depend on the RD flag: it gives SERVFAIL, sets the AA flag, and returns only the single CNAME record. The latest svn snapshot modifies this behaviour to not set the AA flag but is otherwise the same. The pdns recursor, on seeing either of these responses, returns SERVFAIL and no ANSWER records to the original query. I'm using recursor version 3.2 but the changelogs don't seem to indicate a change between then and now.

The resulting effect is that when asking an authoritative pdns server through a pdns recursor, the usual case inside our network, these CNAME records don't work at all. I'm not sure which part of pdns is misbehaving here, either according to RFCs or to common practice, but I think one of them must be. I *think* it is the authoritative server that is in the wrong, because we had customers who are presumably behind different recursors reporting problems. I've now gone back to 2.9.22.x3 for live but I'd like to get to 3.0 because we want to offer DNSSEC to customers if we can.

Any thoughts, anyone?
-- 
Richard Poole
System Administrator
Heart Internet Ltd
[email protected]
http://www.heartinternet.co.uk/
Tel: 0845 644 7750 Fax: 0845 644 7740
_______________________________________________ Pdns-users mailing list [email protected] http://mailman.powerdns.com/mailman/listinfo/pdns-users
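
The following is an added example, not part of the original message and not PowerDNS code: a small Python helper that builds a query with the RD bit set or clear and classifies a response header into the behaviours the message describes. The function names, labels and sample headers (including the section counts of 13) are constructed for illustration.

```python
import struct

# Bit masks within the 16-bit DNS header flags field (RFC 1035, section 4.1.1)
QR, AA, RD = 0x8000, 0x0400, 0x0100
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qtype=1, rd=False, qid=0x1234):
    """Encode a one-question IN query; rd toggles the Recursion Desired bit."""
    header = struct.pack("!6H", qid, RD if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!2H", qtype, 1)

def parse_header(msg):
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "aa": bool(flags & AA), "rd": bool(flags & RD),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "an": an, "ns": ns, "ar": ar}

def classify(msg):
    """Map a response onto the behaviours described in the message."""
    h = parse_header(msg)
    if h["rcode"] == "NOERROR" and h["aa"] and h["an"] >= 1 and h["ns"] > 0:
        return "noerror-aa-referral"      # 2.9.22.x3 answer to an RD=0 query
    if h["rcode"] == "SERVFAIL" and h["an"] == 1 and h["ns"] == 0 and h["ar"] == 0:
        # AA set: 3.0rc2; AA clear: svn snapshot, or 2.9.22.x3 with RD=1
        return "servfail-cname-aa" if h["aa"] else "servfail-cname"
    return "other"

# Constructed response headers (header only, no record data) for each case
OLD_RD0 = struct.pack("!6H", 0x1234, QR | AA, 1, 1, 13, 13)
V3_RC2 = struct.pack("!6H", 0x1234, QR | AA | 2, 1, 1, 0, 0)
SVN_SNAPSHOT = struct.pack("!6H", 0x1234, QR | 2, 1, 1, 0, 0)

if __name__ == "__main__":
    for label, msg in [("2.9.22.x3 RD=0", OLD_RD0), ("3.0rc2", V3_RC2),
                       ("svn snapshot", SVN_SNAPSHOT)]:
        print(label, "->", classify(msg))
```

Sending `build_query(name, rd=False)` and `build_query(name, rd=True)` over UDP to the authoritative server and passing each reply to `classify` shows which of these behaviours a given build exhibits.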
