On Tue, Sep 08, 2020 at 06:05:40AM +0000, Markus Ehrlicher via Pdns-users wrote:

> Hello together,
> 
> can anyone reproduce this problem or should I open a ticket on github?

I wanted to look into this, but I did not have time yet. Without
looking at the code but knowing some details of the auth zone mechanism,
I'm not surprised by what you are seeing.

        -Otto
> 
> Thanks and best regards,
> Markus
> 
> From: Markus Ehrlicher
> Sent: Tuesday, 1 September 2020 11:53
> To: pdns-users@mailman.powerdns.com
> Subject: questions of understanding pdns-recursor with hosts-file
> 
> Hello together,
> 
> I'm a little confused about the "export-etc-hosts"-switch. I use the latest 
> pdns-recursor in version 4.3.3 on Ubuntu 20.04.
> Because of problems with firewall, NAT and external IPs, we have to redirect 
> some (not all) DNS-Entries to internal IPs instead of publicly available IPs. 
> For this purpose I installed this extra server, to insert the needed entries 
> in the hosts-file and activated "export-etc-hosts" in pdns-recursor.conf.
> 
> Now my problem: if the root domain (in my example benchmaxx.de) is included 
> in this hosts-file, the recursor seems to feel authoritative for the whole 
> domain and tries to answer all other requests for subdomains from 
> benchmaxx.de (in my example test.benchmaxx.de) with NXDOMAIN.
> Here are the logs for this behavior:
> 
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: 3 [6/1] question for 
> 'test.benchmaxx.de|A' from 10.10.2.26:45074
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Wants 
> DNSSEC processing, auth data in query for A
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Looking 
> for CNAME cache hit of 'test.benchmaxx.de|CNAME'
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Looking 
> for DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: No CNAME 
> or DNAME cache hit of 'test.benchmaxx.de' found
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: No cache 
> hit for 'test.benchmaxx.de|A', trying to find an appropriate NS record
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: initial 
> validation status for test.benchmaxx.de is Indeterminate
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Cache 
> consultations done, have 1 NS to contact
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: Domain is 
> out-of-band
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: auth 
> storage has data, zone='benchmaxx.de'
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: accept 
> answer 'benchmaxx.de|SOA|localhost. root. 1 604800 86400 2419200 604800' from 
> 'benchmaxx.de' nameservers? ttl=7200, place=2 YES! - This answer was 
> retrieved from the local auth store.
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: 
> determining status after receiving this packet
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: got 
> negative caching indication for name 'test.benchmaxx.de' (accept=1), 
> newtarget='(empty)'
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: 
> status=NXDOMAIN, we are done (have negative SOA)
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: test.benchmaxx.de: failed 
> (res=3)
> Sep 01 11:37:51 dmz-ns1 pdns_recursor[1454639]: 3 [6/1] answer to question 
> 'test.benchmaxx.de|A': 0 answers, 0 additional, took 0 packets, 0 netw ms, 0 
> tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=3
> 
> If I comment out benchmaxx.de in the hosts-file, all is fine and the request 
> for test.benchmaxx.de is answered correctly:
> 
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [1/1] question for 
> 'test.benchmaxx.de|A' from 10.10.2.26:49295
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Wants 
> DNSSEC processing, auth data in query for A
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking 
> for CNAME cache hit of 'test.benchmaxx.de|CNAME'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking 
> for DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No CNAME 
> or DNAME cache hit of 'test.benchmaxx.de' found
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No cache 
> hit for 'test.benchmaxx.de|A', trying to find an appropriate NS record
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: initial 
> validation status for test.benchmaxx.de is Indeterminate
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Cache 
> consultations done, have 1 NS to contact
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Domain has 
> hardcoded nameservers
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de.: 
> Nameservers: +217.119.211.10:53(2.11ms), +217.119.214.10:53(2.93ms)
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Resolved 
> '.' NS (empty) to: 217.119.211.10, 217.119.214.10
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Trying IP 
> 217.119.211.10:53, asking 'test.benchmaxx.de|A'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Got 2 
> answers from (empty) (217.119.211.10), rcode=0 (No Error), aa=0, in 13ms
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: accept 
> answer 'test.benchmaxx.de|A|2.2.2.2' from '.' nameservers? ttl=3600, place=1 
> YES! - This answer was received from a server we forward to.
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: OPT answer 
> '.' from '.' nameservers
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: : got initial zone status 
> Indeterminate for record test.benchmaxx.de|A
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: 
> determining status after receiving this packet
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: answer is 
> in: resolved to '2.2.2.2|A'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: status=got 
> results, this level of recursion done
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: validation 
> status is Indeterminate
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [1/1] answer to question 
> 'test.benchmaxx.de|A': 1 answers, 0 additional, took 1 packets, 13.069 netw 
> ms, 13.317 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [2/1] question for 
> 'test.benchmaxx.de|AAAA' from 10.10.2.26:33182
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Wants 
> DNSSEC processing, auth data in query for AAAA
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking 
> for CNAME cache hit of 'test.benchmaxx.de|CNAME'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Looking 
> for DNAME cache hit of 'test.benchmaxx.de|DNAME' or its ancestors
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No CNAME 
> or DNAME cache hit of 'test.benchmaxx.de' found
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: No cache 
> hit for 'test.benchmaxx.de|AAAA', trying to find an appropriate NS record
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: initial 
> validation status for test.benchmaxx.de is Indeterminate
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Cache 
> consultations done, have 1 NS to contact
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Domain has 
> hardcoded nameservers
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de.: 
> Nameservers: +217.119.214.10:53(2.93ms), +217.119.211.10:53(13.01ms)
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Resolved 
> '.' NS (empty) to: 217.119.214.10, 217.119.211.10
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Trying IP 
> 217.119.214.10:53, asking 'test.benchmaxx.de|AAAA'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: Got 2 
> answers from (empty) (217.119.214.10), rcode=0 (No Error), aa=0, in 11ms
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: accept 
> answer 'benchmaxx.de|SOA|ns3.komsa.net. root.ns3.komsa.net. 2020090101 10800 
> 3600 604800 3600' from '.' nameservers? ttl=3600, place=2 YES! - This answer 
> was received from a server we forward to.
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: OPT answer 
> '.' from '.' nameservers
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: 
> determining status after receiving this packet
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: got 
> negative caching indication for 'test.benchmaxx.de|AAAA'
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: test.benchmaxx.de: 
> status=noerror, other types may exist, but we are done (have negative SOA)
> Sep 01 11:38:10 dmz-ns1 pdns_recursor[1454675]: 3 [2/1] answer to question 
> 'test.benchmaxx.de|AAAA': 0 answers, 0 additional, took 1 packets, 11.155 
> netw ms, 11.244 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0
> 
> So my question is: is this behavior normal and intended?
> 
> Thanks and best regards,
> Markus

> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
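
A log check for the pattern visible in the quoted trace, as an added example that is not part of the original thread or of PowerDNS itself: it reports names that were answered NXDOMAIN after the recursor found a parent zone in its local auth store. The sample lines are constructed (placeholder names and addresses, one syslog entry per line rather than wrapped), and the function name is hypothetical.

```python
import re

# Constructed sample modelled on the trace format quoted above.
SAMPLE = """\
Sep 01 11:37:51 ns1 pdns_recursor[100]: 3 [1/1] question for 'sub.example.org|A' from 192.0.2.10:45074
Sep 01 11:37:51 ns1 pdns_recursor[100]: sub.example.org: Domain is out-of-band
Sep 01 11:37:51 ns1 pdns_recursor[100]: sub.example.org: auth storage has data, zone='example.org'
Sep 01 11:37:51 ns1 pdns_recursor[100]: sub.example.org: status=NXDOMAIN, we are done (have negative SOA)
Sep 01 11:37:51 ns1 pdns_recursor[100]: 3 [1/1] answer to question 'sub.example.org|A': 0 answers, 0 additional, took 0 packets, 0 netw ms, 0 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=3
Sep 01 11:38:10 ns1 pdns_recursor[100]: 3 [2/1] question for 'other.example.net|A' from 192.0.2.10:49295
Sep 01 11:38:10 ns1 pdns_recursor[100]: other.example.net: Domain has hardcoded nameservers
Sep 01 11:38:10 ns1 pdns_recursor[100]: other.example.net: status=NXDOMAIN, we are done (have negative SOA)
Sep 01 11:38:10 ns1 pdns_recursor[100]: 3 [2/1] answer to question 'other.example.net|A': 0 answers, 0 additional, took 1 packets, 11.1 netw ms, 11.2 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=3
"""

ENTRY = re.compile(r"pdns_recursor\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH = re.compile(r"^(?P<qname>\S+?)\.?: auth storage has data, zone='(?P<zone>[^']+)'")
NXD = re.compile(r"^(?P<qname>\S+?)\.?: status=NXDOMAIN")
DONE = re.compile(r"answer to question '(?P<qname>[^|']+)\|")


def find_shadowed(lines):
    """Return (qname, zone) pairs where a name below a locally stored zone
    got NXDOMAIN in the same resolution that consulted the auth store."""
    pending = {}   # (pid, qname) -> zone found in the local auth store
    findings = []
    for line in lines:
        entry = ENTRY.search(line)
        if not entry:
            continue
        pid, msg = entry["pid"], entry["msg"]
        if m := AUTH.match(msg):
            pending[(pid, m["qname"])] = m["zone"]
        elif m := NXD.match(msg):
            zone = pending.get((pid, m["qname"]))
            # An NXDOMAIN with no preceding auth-store hit came from upstream.
            if zone is not None and m["qname"] != zone:
                findings.append((m["qname"], zone))
        elif m := DONE.search(msg):
            # The query is finished; forget its state.
            pending.pop((pid, m["qname"].rstrip(".")), None)
    return findings


if __name__ == "__main__":
    for qname, zone in find_shadowed(SAMPLE.splitlines()):
        print(f"{qname}: NXDOMAIN served from local auth zone '{zone}'")
```
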
