[Pdns-users] Recursor v3.2 and v3.3 malformed answer in case of big response from authoritative
Hi,

Last week I discovered an issue with recursor v3.2. It appears to return a malformed answer to the client in case the data (incl. additional data) exceeds the 65536 maximum (2 bytes length field).

An example real-life lookup which has this issue as a result is MX of auinmeio.com.br

When asking one of the authoritative servers, dig yields (note ANSWER, ADDITIONAL and MSG SIZE):

[thor@tns125 named]$ dig -t MX auinmeio.com.br @ns1.auinmeio.com.br
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> -t MX auinmeio.com.br @ns1.auinmeio.com.br
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25661
;; flags: qr aa rd; QUERY: 1, ANSWER: 1569, AUTHORITY: 6, ADDITIONAL: 1376

;; QUESTION SECTION:
;auinmeio.com.br. IN MX

snip

;; Query time: 765 msec
;; SERVER: 65.98.112.162#53(65.98.112.162)
;; WHEN: Mon Apr 11 16:16:25 2011
;; MSG SIZE rcvd: 65531

When asking powerdns v3.3, dig yields (note ANSWER, ADDITIONAL and MSG SIZE):

[thor@tns125 named]$ dig -t MX auinmeio.com.br @195.130.158.234
;; Truncated, retrying in TCP mode.
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> -t MX auinmeio.com.br @195.130.158.234
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11531
;; flags: qr rd ra; QUERY: 1, ANSWER: 1569, AUTHORITY: 0, ADDITIONAL: 1569

;; QUESTION SECTION:
;auinmeio.com.br. IN MX

snip

;; Query time: 63 msec
;; SERVER: 195.130.158.234#53(195.130.158.234)
;; WHEN: Mon Apr 11 16:19:00 2011
;; MSG SIZE rcvd: 4427

From a packet trace, I see that the UDP answer is correct with 20 MX answered in a truncated response. The client then asks the same question via TCP:

Domain Name System (query)
    [Response In: 8]
    Length: 33
    Transaction ID: 0x2648
    Flags: 0x0100 (Standard query)
        0... = Response: Message is a query
        .000 0... = Opcode: Standard query (0)
        ..0. = Truncated: Message is not truncated
        ...1 = Recursion desired: Do query recursively
        .0.. = Z: reserved (0)
        ...0 = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        auinmeio.com.br: type MX, class IN
            Name: auinmeio.com.br
            Type: MX (Mail exchange)
            Class: IN (0x0001)

And then powerdns answers with:

Domain Name System (response)
    [Request In: 6]
    [Time: 0.055456000 seconds]
    Length: 4465
    Transaction ID: 0x2648
    Flags: 0x8180 (Standard query response, No error)
        1... = Response: Message is a response
        .000 0... = Opcode: Standard query (0)
        .0.. = Authoritative: Server is not an authority for domain
        ..0. = Truncated: Message is not truncated
        ...1 = Recursion desired: Do query recursively
        1... = Recursion available: Server can do recursive queries
        .0.. = Z: reserved (0)
        ..0. = Answer authenticated: Answer/authority portion was not authenticated by the server
        = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1569
    Authority RRs: 0
    Additional RRs: 1569
    Queries
        auinmeio.com.br: type MX, class IN
            Name: auinmeio.com.br
            Type: MX (Mail exchange)
            Class: IN (0x0001)
    Answers
        auinmeio.com.br: type MX, class IN, preference 0, mx pm02-58.auinmeio.com.br
            Name: auinmeio.com.br
            Type: MX (Mail exchange)
            Class: IN (0x0001)
            Time to live: 1 minute, 25 seconds
            Data length: 12
            Preference: 0
            Mail exchange: pm02-58.auinmeio.com.br

snip

        auinmeio.com.br: type MX, class IN
            Name: auinmeio.com.br
            Type: MX (Mail exchange)
            Class: IN (0x0001)
            Time to live: 1 minute, 25 seconds
            Data length: 12
[Malformed Packet: DNS]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Message: Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]
[Malformed Packet: DNS]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Message: Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]

Domain Name System (query)
    Length: 1889
    Transaction ID: 0x6c35
    Flags: 0x372d (Unknown operation)
        0... = Response: Message is a query
        .011 0... = Opcode: Unknown (6)
        ..1. = Truncated: Message is truncated
        ...1 = Recursion desired: Do query
Re: [Pdns-users] Recursor v3.2 and v3.3 malformed answer in case of big response from authoritative
On Mon, Apr 11, 2011 at 04:53:16PM +0200, Thor Spruyt wrote:
> Last week I discovered an issue with recursor v3.2.

This is probably fixed in 3.3.1:

Discovered by John J and Robin J, the PowerDNS Recursor did not process packets that were truncated in mid-record, and also did not act on the 'truncated' (TC) flag in that case. This broke a very small number of domains, most of them served by very old versions of the PowerDNS Authoritative Server. Fix in commit 1740.

3.3.1 has not been formally released, but is in wide production and can be found on http://svn.powerdns.com/snapshots/pdns-recursor-3.3.1.tar.bz2

3.3.1 here resolves auinmeio.com.br|MX just fine, although it takes a stunning 193 packets (!!). However, it does end up delivering a slightly weird answer, which we are investigating (trailing bytes).

Can you open a ticket on http://wiki.powerdns.com?

Thanks!

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
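
Added example, not part of the thread and not PowerDNS code: a small checker for the failure discussed in the two messages above, which walks a TCP-framed DNS response and compares the header's record counts with the records that are really present, also reporting leftover trailing bytes. The function names and the sample frames are assumptions constructed for illustration; the record shape (MX, 12-byte RDATA, TTL 85 s) mirrors the trace.

```python
import struct

def skip_name(msg, off):  # returns the offset just past the name starting at off
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:             # compression pointer ends the name
            return off + 2
        if length > 63:
            raise ValueError("reserved label type")
        off += 1 + length
    raise ValueError("name runs past end of message")

def audit_tcp_dns(frame):
    """Compare the header's record counts with the records actually present."""
    rep = {"claimed": 0, "parsed": 0, "trailing": 0, "error": None}
    try:
        (declared,) = struct.unpack("!H", frame[:2])   # 2-byte TCP length prefix
        msg = frame[2:2 + declared]
        _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        rep["claimed"], off = an + ns + ar, 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4              # QTYPE + QCLASS
        if off > len(msg):
            raise ValueError("question truncated")
        for _ in range(rep["claimed"]):
            end = skip_name(msg, off) + 10             # TYPE, CLASS, TTL, RDLENGTH
            if end > len(msg):
                raise ValueError("record header truncated")
            end += struct.unpack("!H", msg[end - 2:end])[0]
            if end > len(msg):
                raise ValueError("RDATA truncated")
            off, rep["parsed"] = end, rep["parsed"] + 1
        rep["trailing"] = len(msg) - off
    except (ValueError, struct.error) as exc:
        rep["error"] = str(exc)
    return rep

# Constructed sample data (not captured traffic), shaped like the MX records in the trace.
QUESTION = b"\x08auinmeio\x03com\x02br\x00" + struct.pack("!HH", 15, 1)
RDATA = struct.pack("!H", 0) + b"\x07pm02-58" + b"\xc0\x0c"   # 12 bytes
MX_RR = b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, 85, len(RDATA)) + RDATA
def make_frame(ancount, arcount, body):
    msg = struct.pack("!6H", 0x2648, 0x8180, 1, ancount, 0, arcount) + QUESTION + body
    return struct.pack("!H", len(msg)) + msg

GOOD = make_frame(2, 0, MX_RR * 2)
CUT = make_frame(3, 3, MX_RR * 2 + MX_RR[:-5])    # header overstates; last RR cut mid-RDATA
TRAILING = make_frame(1, 0, MX_RR + b"\x00" * 3)  # bytes left after the last record
```

A response is suspect when `parsed` is lower than `claimed`, when `error` is set, or when `trailing` is non-zero.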
[Pdns-users] strange answers from pdns 3.0-rc1 with recursor=8.8.8.8
I'm using pdns-3.0-rc1. If I dig www.clodo.ru on 188.127.244.30 like:

dig @188.127.244.30 www.clodo.ru A

First answer is correct:

cc00:~ # dig @188.127.244.30 www.clodo.ru A

; <<>> DiG 9.5.0-P2 <<>> @188.127.244.30 www.clodo.ru A
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53151
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.clodo.ru. IN A

;; ANSWER SECTION:
www.clodo.ru. 21335 IN CNAME clodo.ru.
clodo.ru. 21335 IN A 188.127.236.5
clodo.ru. 21335 IN A 188.127.236.4

;; Query time: 0 msec
;; SERVER: 188.127.244.30#53(188.127.244.30)
;; WHEN: Mon Apr 11 19:41:55 2011
;; MSG SIZE rcvd: 76

But second is incorrect:

cc00:~ # dig @188.127.244.30 www.clodo.ru A

; <<>> DiG 9.5.0-P2 <<>> @188.127.244.30 www.clodo.ru A
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51682
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.clodo.ru. IN A

;; Query time: 0 msec
;; SERVER: 188.127.244.30#53(188.127.244.30)
;; WHEN: Mon Apr 11 19:43:22 2011
;; MSG SIZE rcvd: 30

If I wait some time (about some seconds) next answer is correct, but after that I get incorrect answers...

But if I dig from recursor - all answers are correct at any time

config file:

allow-axfr-ips=77.221.141.148/32,77.221.143.26/32,188.127.241.48/32,188.127.244.30/32,188.127.236.4/32,188.127.236.5/32,89.249.18.119/32
allow-recursion=0.0.0.0/0
allow-recursion-override=no
chroot=/var/lib/powerdns
distributor-threads=2
fancy-records=yes
launch=gpgsql
gpgsql-host=127.0.0.1
gpgsql-user=dns
gpgsql-password=dns
gpgsql-dbname=dns
gpgsql-port=5432
lazy-recursion=yes
local-address=188.127.244.30
local-port=53
log-dns-details=on
log-failed-updates=yes
loglevel=9
master=yes
max-queue-length=1
max-tcp-connections=100
out-of-zone-additional-processing=yes
query-local-address=188.127.244.30
query-logging=yes
queue-limit=3500
recursor=8.8.8.8
send-root-referral=yes
setgid=pdns
setuid=pdns
skip-cname=no

--
Vasiliy G Tolstov v.tols...@selfip.ru
Selfip.Ru
Re: [Pdns-users] strange answers from pdns 3.0-rc1 with recursor=8.8.8.8
On Mon, 2011-04-11 at 19:45 +0400, Vasiliy G Tolstov wrote:
> I'm using pdns-3.0-rc1. If I dig www.clodo.ru on 188.127.244.30 like:
> dig @188.127.244.30 www.clodo.ru A

In gpgsql database this domain does not exist. pdns log contains:

2011-04-11T19:43:21.026760+04:00 selfip pdns[30873]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name=E'www.clodo.ru'
2011-04-11T19:43:21.026865+04:00 selfip pdns[30873]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name=E'clodo.ru'
2011-04-11T19:43:21.027272+04:00 selfip pdns[30873]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name=E'ru'
2011-04-11T19:43:21.027630+04:00 selfip pdns[30873]: Query: select content,ttl,prio,type,domain_id,name from records where type='SOA' and name=E''
2011-04-11T19:43:21.883582+04:00 selfip pdns_recursor[30671]: 0 question answered from packet cache from 188.127.236.5
2011-04-11T19:43:21.883612+04:00 selfip pdns_recursor[30671]: 1 question answered from packet cache from 188.127.236.5
2011-04-11T19:43:21.883956+04:00 selfip pdns_recursor[30671]: 1 question answered from packet cache from 188.127.236.5
2011-04-11T19:43:21.883977+04:00 selfip pdns_recursor[30671]: 0 question answered from packet cache from 188.127.236.5
2011-04-11T19:43:25.221649+04:00 selfip pdns_recursor[30671]: 0 question answered from packet cache from 188.127.236.4
2011-04-11T19:43:25.221676+04:00 selfip pdns_recursor[30671]: 1 question answered from packet cache from 188.127.236.4
2011-04-11T19:43:25.88+04:00 selfip pdns_recursor[30671]: 1 question answered from packet cache from 188.127.236.4
2011-04-11T19:43:25.222307+04:00 selfip pdns_recursor[30671]: 0 question answered from packet cache from 188.127.236.4

--
Vasiliy G Tolstov v.tols...@selfip.ru
Selfip.Ru