Hi

We have a customer consuming a bunch of Response Policy Zones using PowerDNS. 
For all bar one, all is good. However, one zone (bogons.ip.dtq) refuses to 
update via IXFR. Every update is via AXFR.

In an attempt to troubleshoot, our engineer created a Docker image that ran 
PowerDNS Recursor 4.2.0 under Debian 9 (squeeze), the latest general release 
version. PowerDNS was pulled down from PowerDNS's repository rather than 
compiled by us.

The lua-config-file entry in recursor.conf was modified to include a single lua 
file that contained a single rpzMaster declaration:

    rpzMaster("199.168.90.51", "bogons.ip.dtq", {defpol=Policy.NXDOMAIN, refresh=300})

The testing ended up producing the same errors as the customer’s (undocumented) 
setup:

    Sep 21 20:36:55 Loading RPZ zone 'bogons.ip.dtq' from <redacted>
    Sep 21 20:36:55 Loaded & indexed 418 policy records so far for RPZ zone 'bogons.ip.dtq'
    Sep 21 20:36:56 Loaded & indexed 36887 policy records so far for RPZ zone 'bogons.ip.dtq'
    Sep 21 20:36:56 Unable to load RPZ zone 'bogons.ip.dtq' from '<redacted>': 'Unable to convert '1:0:0:0' to a netmask'. (Will try again in 300 seconds…)

The error message regarding '1:0:0:0' was originally thought to be a problem 
parsing one record in the bogons.ip.dtq zone: "0.0.0.1::/64". However, in 
testing this was manually redacted and it was confirmed that the CIDR no longer 
existed in the rpz zone data we push out. The error message persisted in the 
PowerDNS resolver logs.

Conclusions:

— The error has nothing to do with the CIDR 0.0.0.1::/64 being included in the 
zone.
— rpz parsing of RPZ zones has a bug. Our engineer points to IPv6 triggers.
— Our engineer doesn’t like PowerDNS’ logging. This last point probably is 
irrelevant to everyone except our engineer.

I’ve been something of a PowerDNS proponent but I’ve failed to gain traction 
internally. This is not helping my case. Is this a known issue?

TIA

Simon

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
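
One way to look for an offending record independently of the resolver, as an added example that is not part of the original post and not PowerDNS code: it decodes RPZ IP-trigger owner names (prefix length first, then the address labels reversed, with `zz` standing for `::`) and lists the ones that do not form a valid network. The function names and the sample owner names are constructed for illustration; real names would come from a transfer of the zone.

```python
import ipaddress

def decode_rpz_ip(owner, zone):
    """Decode an RPZ IP-trigger owner name into an ip_network, or raise ValueError."""
    owner, zone = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    suffix = ".rpz-ip." + zone
    if not owner.endswith(suffix):
        raise ValueError("not an rpz-ip trigger in this zone")
    labels = owner[: -len(suffix)].split(".")
    prefix = int(labels[0])            # first label is the prefix length
    addr = labels[1:][::-1]            # remaining labels hold the address, reversed
    if "zz" in addr:                   # IPv6 with "zz" standing in for "::"
        if addr.count("zz") > 1:
            raise ValueError("more than one 'zz' label")
        i = addr.index("zz")
        text = ":".join(addr[:i]) + "::" + ":".join(addr[i + 1:])
    elif len(addr) == 4:               # IPv4: four decimal octets
        text = ".".join(addr)
    elif len(addr) == 8:               # IPv6 written out in full
        text = ":".join(addr)
    else:
        raise ValueError("unexpected number of address labels: %d" % len(addr))
    # strict=True rejects host bits below the prefix; bad prefixes also raise ValueError
    return ipaddress.ip_network("%s/%d" % (text, prefix), strict=True)

def audit(owners, zone):
    """Return (owner, error) pairs for every trigger that does not decode."""
    failures = []
    for owner in owners:
        try:
            decode_rpz_ip(owner, zone)
        except ValueError as exc:
            failures.append((owner, str(exc)))
    return failures

# Constructed sample owner names (documentation ranges), not data from the real zone.
ZONE = "bogons.ip.dtq"
SAMPLE = [
    "24.0.2.0.192.rpz-ip.bogons.ip.dtq",            # 192.0.2.0/24
    "32.zz.db8.2001.rpz-ip.bogons.ip.dtq",          # 2001:db8::/32
    "128.57.zz.1.0.db8.2001.rpz-ip.bogons.ip.dtq",  # 2001:db8:0:1::57/128
    "40.0.2.0.192.rpz-ip.bogons.ip.dtq",            # malformed: /40 on an IPv4 address
    "24.9.2.0.192.rpz-ip.bogons.ip.dtq",            # malformed: host bits set
]

if __name__ == "__main__":
    for owner, err in audit(SAMPLE, ZONE):
        print(owner, "->", err)
```

Running `audit` over the owner names from a full transfer narrows a netmask conversion error down to specific records, or shows that every trigger in the zone is well formed.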