On Sun, Sep 22, 2019 at 07:37:29PM +0100, Simon Forster wrote:
> Hi
>
> We have a customer consuming a bunch of Response Policy Zones using PowerDNS.
> For all bar one, all is good. However, one zone (bogons.ip.dtq) refuses to
> update via IXFR. Every update is via AXFR.
>
> In an attempt to troubleshoot, our engineer created a Docker image that ran
> PowerDNS Recursor 4.2.0 under Debian 9 (squeeze), the latest general release
> version. PowerDNS was pulled down from PowerDNS's repository rather than
> compiled by us.
>
> The lua-config-file entry in recursor.conf was modified to include a single
> lua file that contained a single rpzMaster declaration:
>
>     rpzMaster("199.168.90.51", "bogons.ip.dtq", {defpol=Policy.NXDOMAIN, refresh=300})
>
> The testing ended up producing the same errors as the customer’s
> (undocumented) setup:
>
>     Sep 21 20:36:55 Loading RPZ zone 'bogons.ip.dtq' from <redacted>
>     Sep 21 20:36:55 Loaded & indexed 418 policy records so far for RPZ zone 'bogons.ip.dtq'
>     Sep 21 20:36:56 Loaded & indexed 36887 policy records so far for RPZ zone 'bogons.ip.dtq'
>     Sep 21 20:36:56 Unable to load RPZ zone 'bogons.ip.dtq’ from '<redacted>': 'Unable to convert '1:0:0:0' to a netmask'. (Will try again in 300 seconds…)
>
> The error message regarding '1:0:0:0’ was originally thought to be a problem
> parsing one record in the bogons.ip.dtq zone: "0.0.0.1::/64”. However, in
> testing this was manually redacted and it was confirmed that the CIDR no
> longer existed in the rpz zone data we push out. The error message persisted
> in the PowerDNS resolver logs.
>
> Conclusions:
>
> — The error has nothing to do with the CIDR 0.0.0.1::/64 being included in
>   the zone.
> — rpz parsing of RPZ zones has a bug. Our engineer points to IPv6 triggers.
> — Our engineer doesn’t like PowerDNS’ logging. This last point probably is
>   irrelevant to everyone except our engineer.
>
> I’ve been something of a PowerDNS proponent but I’ve failed to gain traction
> internally. This is not helping my case. Is this a known issue?
>
> TIA
>
> Simon

Looking at the RPZ related issues in https://github.com/PowerDNS/pdns/issues
I don't see an obvious match. Please file an issue and include all relevant
(unredacted) data, including the RPZ data so that reproduction and further
investigation is possible.

-Otto
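
A triage aid for the kind of failure reported in this thread, added here as an example and not code from PowerDNS or from either poster: it decodes RPZ IP trigger owner names (prefix length, then the address labels in reverse order, with `zz` standing for `::`, as the RPZ draft specifies) into CIDR networks and lists the ones that do not decode. The function names, the `rpz.example.` zone and the sample owner names are constructed.

```python
import ipaddress

def decode_rpz_ip(owner):
    """Return the network encoded in an RPZ IP trigger owner name."""
    labels = owner.rstrip(".").lower().split(".")
    if "rpz-ip" not in labels:
        raise ValueError("not an rpz-ip trigger")
    labels = labels[:labels.index("rpz-ip")]   # drop 'rpz-ip' and the zone name
    if len(labels) < 2 or not labels[0].isdigit():
        raise ValueError("missing prefix length or address labels")
    prefix = labels[0]
    parts = labels[1:][::-1]                   # address labels are stored reversed
    if parts.count("zz") > 1:
        raise ValueError("more than one 'zz' label")
    if "zz" in parts or len(parts) == 8:       # IPv6: 8 words, or fewer with 'zz'
        text = ":".join("" if p == "zz" else p for p in parts)
        if parts[0] == "zz":                   # leading '::'
            text = ":" + text
        if parts[-1] == "zz":                  # trailing '::'
            text += ":"
    elif len(parts) == 4:                      # IPv4: exactly four octets
        text = ".".join(parts)
    else:
        raise ValueError("%d address labels: neither IPv4 nor IPv6" % len(parts))
    # ip_network() is strict: a bad prefix length or host bits set raise ValueError
    return ipaddress.ip_network(text + "/" + prefix)

def triage(owners):
    """Split owner names into {owner: cidr} and {owner: error message}."""
    ok, bad = {}, {}
    for owner in owners:
        try:
            ok[owner] = str(decode_rpz_ip(owner))
        except ValueError as exc:
            bad[owner] = str(exc)
    return ok, bad

# Constructed sample owner names, not taken from any real zone.
SAMPLE = [
    "24.0.2.0.192.rpz-ip.rpz.example.",        # IPv4 trigger
    "48.zz.db8.2001.rpz-ip.rpz.example.",      # IPv6, trailing '::'
    "128.1.zz.db8.2001.rpz-ip.rpz.example.",   # IPv6, '::' in the middle
    "64.zz.1.0.0.0.rpz-ip.rpz.example.",       # IPv6, leading zero words
    "48.db8.2001.rpz-ip.rpz.example.",         # malformed: short IPv6, no 'zz'
    "129.zz.rpz-ip.rpz.example.",              # malformed: prefix length > 128
]

if __name__ == "__main__":
    decoded, failed = triage(SAMPLE)
    for owner, cidr in decoded.items():
        print("ok  ", owner, "->", cidr)
    for owner, err in failed.items():
        print("FAIL", owner, "->", err)
```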