On Fri, Jun 02, 2023 at 08:07:16PM -0300, Thiago G. Alencar via Pdns-users wrote:
> Hello,
>
> I have a strange situation. When the "forward-zones-recurse" option is
> activated, after the expiration of record type A in the cache, the next
> queries will have no response but will be NOERROR.
>
> The log trace shows "Step0 found in cache" and completes the question
> without answer (without running the recursion).
>
> Tests done with both pdns version 4.6 and 4.8 of recursor.
>
> Has anyone ever had a problem like this?
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users

This is something discussed on IRC yesterday. *This* report is pretty
useless, as it lacks full config and logs.

On IRC (after you left), the issue was diagnosed as a case where
aggressive caching hits a problem, caused by an authoritative sending a
wrong NSEC3 answer. The problem is this wrong answer lets the recursor
conclude certain records do not exist if aggressive caching is enabled.

This can be worked around by setting aggressive-nsec-cache-size to 0.
The upcoming 4.9.0 version will have a way to disable aggressive caching
for NSEC3 only, still allowing it for the NSEC case.

Some background info:

https://en.blog.nic.cz/2019/07/10/error-in-dnssec-implementation-on-f5-big-ip-load-balancers/

It is sad that 4 years after this was written, buggy F5 load balancers
still cause issues for resolvers.

	-Otto
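
Added example, not part of the original thread and not PowerDNS code: a check for an NSEC3 type bitmap that denies a record type the same name answers for. The thread does not say what exactly was wrong in the NSEC3 answer, so the "bitmap omits an existing type" case, the helper names and the sample bytes are assumptions constructed for illustration; the bitmap wire format is the one from RFC 4034 section 4.1.2, which NSEC3 (RFC 5155) reuses.

```python
# Added example: flag NSEC3 type bitmaps that deny a type the owner name has.
# Assumption: the "wrong NSEC3 answer" is a bitmap omitting an existing type.

TYPES = {1: "A", 2: "NS", 6: "SOA", 16: "TXT", 28: "AAAA", 46: "RRSIG"}

def parse_type_bitmap(data: bytes) -> set[int]:
    """Decode RFC 4034 window blocks into the set of RR types marked present."""
    present, pos, last_window = set(), 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        pos += 2
        # Windows must be strictly increasing; bitmap length is 1..32 octets.
        if not 1 <= length <= 32 or window <= last_window:
            raise ValueError("malformed window block")
        if pos + length > len(data):
            raise ValueError("truncated bitmap")
        for i, octet in enumerate(data[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):  # bit 0 is the most significant bit
                    present.add(window * 256 + i * 8 + bit)
        pos += length
        last_window = window
    return present

def denied_but_answered(bitmap: bytes, answered: set[int]) -> list[str]:
    """Types the authoritative answered positively but its NSEC3 bitmap omits.

    A validating resolver with aggressive caching may reuse such an NSEC3 to
    synthesize NODATA (NOERROR, empty answer) for those types without recursing.
    """
    missing = answered - parse_type_bitmap(bitmap)
    return sorted(TYPES.get(t, f"TYPE{t}") for t in missing)

# Constructed sample bitmaps (window 0, 6 octets), not captured traffic.
BAD_BITMAP = bytes([0, 6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02])   # RRSIG only
GOOD_BITMAP = bytes([0, 6, 0x40, 0x00, 0x00, 0x00, 0x00, 0x02])  # A + RRSIG

if __name__ == "__main__":
    # The name returned an A record earlier, so A (type 1) is known to exist.
    print("bad :", denied_but_answered(BAD_BITMAP, {1}))
    print("good:", denied_but_answered(GOOD_BITMAP, {1}))
```

A non-empty result for a name means the authoritative's denial records contradict its own positive answers, which is the situation where the aggressive-nsec-cache-size workaround from the reply applies.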