Re: [Pdns-users] stupid recursor question
You did not report back the results of the other 2 troubleshooting actions that Brian suggested (dig and tcpdump). These could hold clues to the cause of your problem.

On Tue, 2022-12-06 at 14:33 -0500, Curtis Maurand via Pdns-users wrote:
> OK, just did the upgrade and adjusted the tables accordingly. I
> don't like the fact that the update clobbered the /etc/init.d/pdns
> file. We don't all run distributions with systemd. Systemd is big
> and buggy, not to mention the contortions one has to go through to
> get things to work properly. My system is way more manageable without
> it. More stable, too. I knew I needed to do upgrade, Debian hasn't
> upgraded the version in their repos. I added the powerdns repo to
> the sources.list.d/pdns. I digress. I'm now running 4.7.2. It took
> a few minutes to get the supermaster/superslave set up and working.
>
> Things are working from outside and pretty fast, too. It's internally
> where things aren't working. The internal recursor is not resolving
> anything that is hosted. Weird.
>
> --Curtis
>
> On 12/6/22 12:52, Brian Candler wrote:
> > On 06/12/2022 17:41, Curtis Maurand via Pdns-users wrote:
> > > You can use either xyonet.com or cybernexus.net
> > And the pdns-auth server which you are referring to is
> > ns1.xyonet.com or ns2.xyonet.com? Or is it neither of these, and
> > is a hidden primary?
> > FYI, ns2.xyonet.com is not responding at the moment. Also, ns1 is
> > running PowerDNS Authoritative Server 4.4.1, which is end-of-life,
> > so you ought to look at upgrading it. See
> > https://repo.powerdns.com/

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] pdns-recursor (4.6) empty response after expiration of the TTL of the cached record
I do not, but I will try to get the message back, the reverse way this problem reached me :) I sure hope they do not have old F5's, though. Security wise I mean.

On Fri, 2022-10-07 at 13:58 +0200, Peter van Dijk via Pdns-users wrote:
> On Thu, 2022-09-22 at 09:27 +0200, Leeflangetje via Pdns-users wrote:
> > dig @ns1 riecis.nl A
>
> If you happen to have a contact at RIEC/riecis, please point them to
> https://www.sidn.nl/nieuws-en-blogs/agressief-cache-gebruik-levert-snelheidswinst-en-efficientie-op-voor-validerende-resolvers
>
> The failure you observed is a long standing problem with many domains
> hosted on the minvenj.nl name servers.
>
> Kind regards,
Re: [Pdns-users] pdns-recursor (4.6) empty response after expiration of the TTL of the cached record
Thank you for digging into the issue with that domain :)

The reason we never encountered this before the upgrade to 4.6 must be the change in default behaviour regarding dnssec, which went from "process-no-validate" to "process", I assume. (We came from 4.2)

On Thu, 2022-09-22 at 10:26 +0200, abang--- via Pdns-users wrote:
> True, TCP is broken as well.
>
> On 22 September 2022 at 10:01:58 CEST, Otto Moerbeek wrote:
> > On Thu, Sep 22, 2022 at 09:41:57AM +0200, abang--- via Pdns-users wrote:
> >
> > > The "NSEC3 proving non-existence" of this zone is broken. See
> > > https://dnsviz.net/d/riecis.nl/dnssec/?rr=all=all=all=on=.=
> > >
> > > You can work around this issue by setting an NTA for it on your
> > > Recursors. It is recommended to inform the owner of the zone in
> > > order to fix the root cause.
> > >
> > > Winfried
> >
> > Agreed, but given my findings in the other post I'm not convinced it
> > will solve *all* issues with that domain.
> >
> > -Otto
> >
> > > On 22 September 2022 at 09:27:20 CEST, Leeflangetje via Pdns-users wrote:
> > > > Hi,
> > > >
> > > > Since we upgraded to pdns-recursor 4.6 we sometimes experience some
> > > > weird behaviour with queries via pdns-recursor.
> > > >
> > > > Sometimes, when a previously queried record expires through its TTL,
> > > > the recursor does not provide an answer anymore, until it's restarted.
> > > >
> > > > Unfortunately I am not able to reproduce this. It happens occasionally.
> > > > When it happens, we see this:
> > > >
> > > > Faulty server:
> > > >
> > > > dig @ns1 riecis.nl A
> > > >
> > > > ; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @ns1 riecis.nl A
> > > > ; (1 server found)
> > > > ;; global options: +cmd
> > > > ;; Got answer:
> > > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27148
> > > > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> > > >
> > > > ;; OPT PSEUDOSECTION:
> > > > ; EDNS: version: 0, flags:; udp: 512
> > > > ;; QUESTION SECTION:
> > > > ;riecis.nl. IN A
> > > >
> > > > ;; AUTHORITY SECTION:
> > > > riecis.nl. 2828 IN SOA ns1.minvenj.nl. hostmaster.solvinity.com. 2022010301 1800 300 604800 3600
> > > >
> > > > ;; Query time: 2 msec
> > > > ;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
> > > > ;; WHEN: Tue Sep 20 12:16:55 CEST 2022
> > > > ;; MSG SIZE rcvd: 110
> > > >
> > > > other server:
> > > >
> > > > dig @ns2 riecis.nl A
> > > >
> > > > ; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @ns2 riecis.nl A
> > > > ; (1 server found)
> > > > ;; global options: +cmd
> > > > ;; Got answer:
> > > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61517
> > > > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> > > >
> > > > ;; OPT PSEUDOSECTION:
> > > > ; EDNS: version: 0, flags:; udp: 512
> > > > ;; QUESTION SECTION:
> > > > ;riecis.nl. IN A
> > > >
> > > > ;; ANSWER SECTION:
> > > > riecis.nl. 224 IN A 159.46.204.40
> > > >
> > > > ;; Query time: 1 msec
> > > > ;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
> > > > ;; WHEN: Tue Sep 20 12:17:03 CEST 2022
> > > > ;; MSG SIZE rcvd: 54
> > > >
> > > > We have a fairly simple configuration, just on what address and port to
> > > > listen on, to use the same address for outgoing queries, and a short
> > > > list of addresses that are allowed to query.
> > > >
> > > > I have confirmed this problem up to and including version 4.6.3
> > > >
> > > > Anyone an idea on how to approach this matter?
> > > >
> > > > Regards
[Pdns-users] pdns-recursor (4.6) empty response after expiration of the TTL of the cached record
Hi,

Since we upgraded to pdns-recursor 4.6 we sometimes experience some weird behaviour with queries via pdns-recursor.

Sometimes, when a previously queried record expires through its TTL, the recursor does not provide an answer anymore, until it's restarted.

Unfortunately I am not able to reproduce this. It happens occasionally.
When it happens, we see this:

Faulty server:

dig @ns1 riecis.nl A

; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @ns1 riecis.nl A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27148
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;riecis.nl. IN A

;; AUTHORITY SECTION:
riecis.nl. 2828 IN SOA ns1.minvenj.nl. hostmaster.solvinity.com. 2022010301 1800 300 604800 3600

;; Query time: 2 msec
;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
;; WHEN: Tue Sep 20 12:16:55 CEST 2022
;; MSG SIZE rcvd: 110

other server:

dig @ns2 riecis.nl A

; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @ns2 riecis.nl A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61517
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;riecis.nl. IN A

;; ANSWER SECTION:
riecis.nl. 224 IN A 159.46.204.40

;; Query time: 1 msec
;; SERVER: xxx.xxx.xxx.xxx#53(xxx.xxx.xxx.xxx)
;; WHEN: Tue Sep 20 12:17:03 CEST 2022
;; MSG SIZE rcvd: 54

We have a fairly simple configuration, just on what address and port to listen on, to use the same address for outgoing queries, and a short list of addresses that are allowed to query.

I have confirmed this problem up to and including version 4.6.3

Anyone an idea on how to approach this matter?

Regards
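The comparison this post makes by eye, as an added example that is not from the thread or from PowerDNS: it parses two dig responses and reports when one resolver returns NODATA (NOERROR, empty answer, SOA in the authority section) with the AD bit set while the other returns a record. The function names are assumptions of this example, and the sample input is the dig output quoted above, trimmed to the header and record sections.

```python
import re

# Constructed input: the two dig responses from the thread, trimmed to the
# header and the record sections. Helper names below are hypothetical.
FAULTY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27148
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
riecis.nl. 2828 IN SOA ns1.minvenj.nl. hostmaster.solvinity.com. 2022010301 1800 300 604800 3600
"""
HEALTHY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61517
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
riecis.nl. 224 IN A 159.46.204.40
"""

def parse_dig(text):
    """Pull rcode, header flags, answer count and SOA presence out of dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"flags: ([a-z ]+);", text)
    answers = re.search(r"ANSWER: (\d+)", text)
    if not (status and flags and answers):
        raise ValueError("input does not look like dig output")
    return {
        "rcode": status.group(1),
        "flags": set(flags.group(1).split()),
        "answers": int(answers.group(1)),
        "soa": bool(re.search(r"^\S+\s+\d+\s+IN\s+SOA\s", text, re.M)),
    }

def classify(resp):
    """NODATA = NOERROR, empty answer section, SOA in the authority section."""
    if resp["rcode"] != "NOERROR":
        return resp["rcode"]
    if resp["answers"] > 0:
        return "ANSWER"
    return "NODATA" if resp["soa"] else "EMPTY"

def compare(a_text, b_text):
    """Return findings for two resolvers that were asked the same question."""
    a, b = parse_dig(a_text), parse_dig(b_text)
    findings = []
    if classify(a) != classify(b):
        findings.append(f"divergent: {classify(a)} vs {classify(b)}")
    for name, r in (("first", a), ("second", b)):
        # AD on a NODATA reply: the resolver treats the denial as DNSSEC-validated.
        if classify(r) == "NODATA" and "ad" in r["flags"]:
            findings.append(f"{name}: validated NODATA")
    return findings

if __name__ == "__main__":
    print(compare(FAULTY, HEALTHY))
```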
[Pdns-users] Is the update protocol between supermaster and superslave pdns version agnostic?
Hi :)

I have a setup with pretty old pdns servers (4.2). One hidden master that serves a number of internet-facing authoritative servers which act as superslaves.

I want to upgrade the lot to the latest version, but preferably without any downtime. One way to do that (hopefully) is to upgrade each internet-facing superslave over a period of time, and upgrade the hidden master as the last one.

This will only work if the updates from the hidden master to the superslaves are also recognized and processed as usual, even when the superslaves run on a recent version (> 4.2) and the hidden master does not.

Is this the case?

Thank you for your time.

Regards