This is a bug, please file an issue at https://github.com/PowerDNS/pdns/issues
Aki

On 26.2.2020 11.24, Vytenis A wrote:
> UPDATE: pDNS returns NXDOMAIN only when TXT query returns HTTP 500,
> and SOA returns 200.
>
> We would like to keep SOA record statically defined in our backend,
> and TXT is queried in DB. I guess pDNS treats remote DNS store as
> healthy if SOA is OK, ignoring subsequent request status.
>
> On Wed, Feb 26, 2020 at 10:55 AM Vytenis A <vytenis....@gmail.com> wrote:
>> Hi Aki!
>>
>> Ok, so I've implemented SOA into remote backend and dropped bind
>> completely. The only backend active now is "remote"
>>
>> If I provide invalid connection string to a closed port - I get
>> REFUSED, which is good
>>
>> But our concern is that our HTTP backend could start misbehaving
>> (returning 40x, 50x errors, invalid responses). During tests we
>> forced HTTP 500 response, and got NXDOMAIN unfortunately. Is there a
>> way to provide REFUSED/SERVFAIL in case http backend is misbehaving?
>>
>> On Wed, Feb 26, 2020 at 9:23 AM Aki Tuomi <cmo...@cmouse.fi> wrote:
>>> Hi!
>>>
>>> It is not really supported to split domains like this. You need to host
>>> the entire domain in remote backend.
>>>
>>> Aki
>>>
>>> On 26.2.2020 2.00, Vytenis A via Pdns-users wrote:
>>>> Hi Bert,
>>>>
>>>> Thanks for a prompt reply.
>>>>
>>>> This is currently on my local test VM, it's waay past midnight, I can
>>>> put it on resolvable domain tomorrow if this isn't helpful. Not sure
>>>> how to show you this exactly :)
>>>>
>>>> I'm using latest pDNS, using official repo:
>>>>
>>>> pdns-4.2.1-1pdns.el7.x86_64, CentOS 7.7.1908
>>>>
>>>>
>>>> Two backends:
>>>>
>>>> # /etc/pdns/pdns.conf:
>>>>
>>>> config-dir=/etc/pdns
>>>> setuid=pdns
>>>> setgid=pdns
>>>> log-dns-details=yes
>>>> log-dns-queries=yes
>>>> loglevel=6
>>>> launch=bind,remote
>>>> bind-config=/etc/pdns/bind-files/named.conf
>>>> remote-connection-string=http:url=http://invalidhostname:99999
>>>>
>>>>
>>>> Static bind backend contains one zone, which contains SOA and one 'IN
>>>> NS' record only.
>>>>
>>>> http endpoint is serving TXT records exclusively, and all is well if
>>>> it's reachable: queries get resolved, nonexistent TXT records get
>>>> NXDOMAIN
>>>>
>>>> But if http endpoint is invalidated (as in example above ^) - I get
>>>> NXDOMAIN. If I remove bind stuff out of pdns.conf - I get REFUSED,
>>>> which is somewhat the same as SERVFAIL afaik.
>>>>
>>>> bind backend is used to keep SOA out of "remote" backend, not 100%
>>>> sure it's the best way. We could implement entire zone in http backend
>>>> as a last resort.
>>>>
>>>> Thanks again!
>>>>
>>>>
>>>> On Wed, Feb 26, 2020 at 12:51 AM bert hubert <bert.hub...@powerdns.com>
>>>> wrote:
>>>>> On Wed, Feb 26, 2020 at 12:35:21AM +0200, Vytenis A via Pdns-users wrote:
>>>>>> While trying to implement authoritative DNS server using "remote"
>>>>>> backend, I've stumbled into an issue when HTTP backend is unreachable
>>>>>> - PowerDNS is returning NXDOMAIN.
>>>>> Can you reproduce this for us so we can check? It is not supposed to ever
>>>>> happen. Please also let us know which version of PowerDNS you are using.
>>>>>
>>>>>> What I would like to achieve is return SERVFAIL in case my HTTP
>>>>>> endpoint is unavailable. Is this possible? Maybe Lua fallback backend
>>>>>> could assist here?
>>>>> This is what should be happening.
>>>>>
>>>>> Bert
>>>>>
>>
>>
>> --
>> Vytenis
>
>
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
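
A monitoring check for the mismatch described in this thread, as an added example that is not part of the original messages or of PowerDNS: it reads the RCODE from an authoritative server's reply and compares it with the HTTP status the backend returned for the same lookup. How the backend status is obtained (access log, health probe) is left to the caller; the function names and the sample response headers are constructed for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_TXT = 16

def build_query(qname, qtype=QTYPE_TXT, qid=0x1234):
    """Encode a one-question DNS query (RFC 1035 wire format, RD clear)."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def rcode_of(response):
    """Name the RCODE held in the low four bits of the header flags."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    code = struct.unpack("!H", response[2:4])[0] & 0x000F
    return RCODES.get(code, "RCODE%d" % code)

def query_rcode(server, qname, port=53, timeout=2.0):
    """Send the query over UDP to the authoritative server; return its RCODE."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, port))
        return rcode_of(s.recvfrom(4096)[0])

def classify(backend_http_status, rcode):
    """Flag the case from the thread: backend error, yet no failure RCODE."""
    if backend_http_status == 200:
        return "OK"
    if rcode in ("SERVFAIL", "REFUSED"):
        return "OK: backend failure surfaced as %s" % rcode
    return "ALERT: backend returned %d but DNS answered %s" % (
        backend_http_status, rcode)

if __name__ == "__main__":
    # Constructed 12-byte response headers (not captures from a real server).
    nxdomain = bytes.fromhex("123484030001000000000000")  # QR=1, AA=1, RCODE=3
    servfail = bytes.fromhex("123480020001000000000000")  # QR=1, RCODE=2
    print(classify(500, rcode_of(nxdomain)))
    print(classify(500, rcode_of(servfail)))
```

For a live check, pass the result of `query_rcode(server, qname)` as the second argument to `classify`.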