On Fri, May 1, 2015 at 11:50 AM, bert hubert <[email protected]> wrote:
> On Fri, May 01, 2015 at 11:13:22AM -0700, Mark Moseley wrote:
> > Of all the things I cleaned up, one thing I *didn't* clean up was a lot of
> > records with trailing dots in the content field (for NS/MX/CNAME records).
>
> This could easily confuse things. If PowerDNS chases a CNAME and it
> encounters a trailing dot, it tries to look that one up in the database. If
> it then does not find that, it could turn the whole packet into an NXDOMAIN
> and cache that.
>
> Same thing with NS records and delegations etc.
>
> The query-cache might conceivably also cache lacking records with a trailing
> dot, but unsure.
>
> I'd suggest cleaning up all those trailing dots and seeing what happens. If
> the problem persists we could spend more time on it.

Ok, sounds good. I suspected (but have zero way to prove it) that somehow the trailing dot version (and there's no corresponding DNS record *with* the trailing dot in the db) was getting queried and was coming back NXDOMAIN but that when pdns went and looked in the cache for the no-trailing-dot version, it was seeing the trailing dot version (though no idea why that'd be the case).

The interesting part is we've been running 3.4.2 for a while now (and 3.4.1 for quite some time before that), so what might've changed in between 3.4.2 and 3.4.4 (or 3.4.3 which we haven't tried). And then the *really* interesting part is why does it continue *after* we revert all the servers back to 3.4.2 for approximately the same amount of time as the TTLs?

In my pcaps, I was almost expecting to see someone revalidating the broken hostnames with cruft in the query (control characters, or maybe 2 trailing dots or something weird). It was almost like cache poisoning without the cache :)

And recursion is turned off on these, btw.

> > We're in the middle of a big cleanup to eradicate these trailing dots and
> > are back on 3.4.2 for the time being till we can get it done. But I was
> > curious if a) this was a known issue; or b) anyone's seen it before, since
> > the trailing dots part could be a red herring.
>
> I have seen lots of weirdness with trailing dots, and above you can find one
> scenario where you could get an NXDOMAIN.

Ok, good to know.
_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
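
The trailing-dot cleanup discussed in this thread, sketched as an added example; it is not code from either poster or from PowerDNS. It assumes a generic SQL backend whose "records" table has name, type, content and prio columns, uses an in-memory SQLite database as a stand-in, and all sample rows are constructed.

```python
import sqlite3

HOST_TYPES = ("NS", "MX", "CNAME")  # the record types named in the thread

def make_sample_db():
    """Constructed sample data in a cut-down 'records' table (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, domain_id INT,"
               " name TEXT, type TEXT, content TEXT, ttl INT, prio INT)")
    rows = [
        (1, 1, "example.com", "NS", "ns1.example.com", 3600, None),
        (2, 1, "example.com", "NS", "ns1.example.com.", 3600, None),  # dup of 1 once stripped
        (3, 1, "www.example.com", "CNAME", "web.example.com.", 300, None),
        (4, 1, "example.com", "MX", "mail.example.com.", 3600, 10),
        (5, 1, "example.com", "TXT", "v=spf1 -all.", 3600, None),     # not a hostname field
        (6, 1, "old.example.com", "MX", ".", 3600, 0),                # content is only a dot
    ]
    db.executemany("INSERT INTO records VALUES (?,?,?,?,?,?,?)", rows)
    return db

def find_trailing_dots(db):
    """Return (id, name, type, content, prio) for NS/MX/CNAME rows ending in '.'."""
    marks = ",".join("?" * len(HOST_TYPES))
    return db.execute(
        f"SELECT id, name, type, content, prio FROM records "
        f"WHERE type IN ({marks}) AND content LIKE '%.' ORDER BY id",
        HOST_TYPES).fetchall()

def clean_trailing_dots(db):
    """Strip trailing dots; drop rows that would duplicate an existing record."""
    fixed, deleted, skipped = [], [], []
    for rid, name, rtype, content, prio in find_trailing_dots(db):
        target = content.rstrip(".")   # also handles two or more trailing dots
        if not target:                 # stripping would leave an empty target
            skipped.append(rid)
            continue
        dup = db.execute(
            "SELECT 1 FROM records WHERE name=? AND type=? AND content=?"
            " AND prio IS ? AND id<>?", (name, rtype, target, prio, rid)).fetchone()
        if dup:
            db.execute("DELETE FROM records WHERE id=?", (rid,))
            deleted.append(rid)
        else:
            db.execute("UPDATE records SET content=? WHERE id=?", (target, rid))
            fixed.append(rid)
    db.commit()
    return fixed, deleted, skipped
```

Rows returned in the skipped list are left untouched for manual review; running find_trailing_dots again after the cleanup shows what remains.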
