On Tue, Sep 08, 2020 at 06:05:40AM +0000, Markus Ehrlicher via Pdns-users wrote:
> Hello together,
>
> can anyone reproduce this problem or should I open a ticket on GitHub?

I wanted to look into this, but I did not have time yet. Without looking at the code but knowing some details of the auth zone mechanism, I'm not surprised by what you are seeing.

	-Otto

>
> Thanks and best regards,
> Markus
>
> From: Markus Ehrlicher
> Sent: Tuesday, 1 September 2020 11:53
> To: pdns-users@mailman.powerdns.com
> Subject: questions of understanding pdns-recursor with hosts-file
>
> Hello together,
>
> I'm a little confused about the "export-etc-hosts" switch. I use the latest
> pdns-recursor in version 4.3.3 on Ubuntu 20.04.
> Because of problems with firewall, NAT and external IPs, we have to redirect
> some (not all) DNS entries to internal IPs instead of publicly available IPs.
> For this purpose I installed this extra server, to insert the needed entries
> in the hosts-file and activated "export-etc-hosts" in pdns-recursor.conf.
>
> Now my problem: if the root domain (in my example benchmaxx.de) is included
> in this hosts-file, the recursor seems to feel authoritative for the whole
> domain and tries to answer all other requests for subdomains from
> benchmaxx.de (in my example test.benchmaxx.de) with NXDOMAIN.
> Here are the logs for this behavior:
>
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: 3 [6/1] question for 'test.benchmaxx.de|A' from 10.10.2.26:45074
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Wants DNSSEC processing, auth data in query for A
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Looking for CNAME cache hit of 'test.benchmaxx.de|CNAME'
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Looking for DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: No CNAME or DNAME cache hit of 'test.benchmaxx.de' found
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: No cache hit for 'test.benchmaxx.de|A', trying to find an appropriate NS record
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: initial validation status for test.benchmaxx.de is Indeterminate
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Cache consultations done, have 1 NS to contact
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Domain is out-of-band
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: auth storage has data, zone='benchmaxx.de'
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: accept answer 'benchmaxx.de|SOA|localhost. root. 1 604800 86400 2419200 604800' from 'benchmaxx.de' nameservers? ttl=7200, place=2 YES! - This answer was retrieved from the local auth store.
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: determining status after receiving this packet
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: got negative caching indication for name 'test.benchmaxx.de' (accept=1), newtarget='(empty)'
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: status=NXDOMAIN, we are done (have negative SOA)
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: failed (res=3)
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: 3 [6/1] answer to question 'test.benchmaxx.de|A': 0 answers, 0 additional, took 0 packets, 0 netw ms, 0 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=3
>
> If I comment out benchmaxx.de in the hosts-file, all is fine and the request
> for test.benchmaxx.de is answered correctly:
>
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [1/1] question for 'test.benchmaxx.de|A' from 10.10.2.26:49295
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Wants DNSSEC processing, auth data in query for A
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for CNAME cache hit of 'test.benchmaxx.de|CNAME'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No CNAME or DNAME cache hit of 'test.benchmaxx.de' found
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No cache hit for 'test.benchmaxx.de|A', trying to find an appropriate NS record
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: initial validation status for test.benchmaxx.de is Indeterminate
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Cache consultations done, have 1 NS to contact
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Domain has hardcoded nameservers
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de.: Nameservers: +217.119.211.10:53(2.11ms), +217.119.214.10:53(2.93ms)
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Resolved '.' NS (empty) to: 217.119.211.10, 217.119.214.10
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Trying IP 217.119.211.10:53, asking 'test.benchmaxx.de|A'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Got 2 answers from (empty) (217.119.211.10), rcode=0 (No Error), aa=0, in 13ms
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: accept answer 'test.benchmaxx.de|A|2.2.2.2' from '.' nameservers? ttl=3600, place=1 YES! - This answer was received from a server we forward to.
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: OPT answer '.' from '.' nameservers
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: : got initial zone status Indeterminate for record test.benchmaxx.de|A
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: determining status after receiving this packet
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: answer is in: resolved to '2.2.2.2|A'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: status=got results, this level of recursion done
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: validation status is Indeterminate
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [1/1] answer to question 'test.benchmaxx.de|A': 1 answers, 0 additional, took 1 packets, 13.069 netw ms, 13.317 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [2/1] question for 'test.benchmaxx.de|AAAA' from 10.10.2.26:33182
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Wants DNSSEC processing, auth data in query for AAAA
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for CNAME cache hit of 'test.benchmaxx.de|CNAME'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking for DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No CNAME or DNAME cache hit of 'test.benchmaxx.de' found
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No cache hit for 'test.benchmaxx.de|AAAA', trying to find an appropriate NS record
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: initial validation status for test.benchmaxx.de is Indeterminate
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Cache consultations done, have 1 NS to contact
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Domain has hardcoded nameservers
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de.: Nameservers: +217.119.214.10:53(2.93ms), +217.119.211.10:53(13.01ms)
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Resolved '.' NS (empty) to: 217.119.214.10, 217.119.211.10
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Trying IP 217.119.214.10:53, asking 'test.benchmaxx.de|AAAA'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Got 2 answers from (empty) (217.119.214.10), rcode=0 (No Error), aa=0, in 11ms
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: accept answer 'benchmaxx.de|SOA|ns3.komsa.net. root.ns3.komsa.net. 2020090101 10800 3600 604800 3600' from '.' nameservers? ttl=3600, place=2 YES! - This answer was received from a server we forward to.
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: OPT answer '.' from '.' nameservers
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: determining status after receiving this packet
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: got negative caching indication for 'test.benchmaxx.de|AAAA'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: status=noerror, other types may exist, but we are done (have negative SOA)
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [2/1] answer to question 'test.benchmaxx.de|AAAA': 0 answers, 0 additional, took 1 packets, 11.155 netw ms, 11.244 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
>
> So my question is: is this behavior normal and intended?
>
> Thanks and best regards,
> Markus
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users