On Mon, Sep 23, 2019 at 07:07:32AM +0200, Otto Moerbeek wrote:
> On Sun, Sep 22, 2019 at 07:37:29PM +0100, Simon Forster wrote:
>
> > Hi
> >
> > We have a customer consuming a bunch of Response Policy Zones using
> > PowerDNS. For all bar one, all is good. However, one zone (bogons.ip.dtq)
> > refuses to update via IXFR. Every update is via AXFR.
> >
> > In an attempt to troubleshoot, our engineer created a Docker image that ran
> > PowerDNS Recursor 4.2.0 under Debian 9 (squeeze), the latest general
> > release version. PowerDNS was pulled down from PowerDNS's repository rather
> > than compiled by us.
> >
> > The lua-config-file entry in recursor.conf was modified to include a single
> > lua file that contained a single rpzMaster declaration:
> >
> > rpzMaster("199.168.90.51",
> > "bogons.ip.dtq",{defpol=Policy.NXDOMAIN,refresh=300})
> >
> > The testing ended up producing the same errors as the customer’s
> > (undocumented) setup:
> >
> > Sep 21 20:36:55 Loading RPZ zone 'bogons.ip.dtq' from <redacted>
> > Sep 21 20:36:55 Loaded & indexed 418 policy records so far for RPZ zone
> > 'bogons.ip.dtq'
> > Sep 21 20:36:56 Loaded & indexed 36887 policy records so far for RPZ zone
> > 'bogons.ip.dtq'
> > Sep 21 20:36:56 Unable to load RPZ zone 'bogons.ip.dtq’ from '<redacted>':
> > 'Unable to convert '1:0:0:0' to a netmask'. (Will try again in 300 seconds…)
> >
> > The error message regarding '1:0:0:0’ was originally thought to be a
> > problem parsing one record in the bogons.ip.dtq zone: "0.0.0.1::/64”.
> > However, in testing this was manually redacted and it was confirmed that
> > the CIDR no longer existed in the rpz zone data we push out. The error
> > message persisted in the PowerDNS resolver logs.
> >
> > Conclusions:
> >
> > — The error has nothing to do with the CIDR 0.0.0.1::/64 being included in
> > the zone.
> > — rpz parsing of RPZ zones has a bug. Our engineer points to IPv6 triggers.
> > — Our engineer doesn’t like PowerDNS’ logging. This last point probably is
> > irrelevant to everyone except our engineer.
> >
> > I’ve been something of a PowerDNS proponent but I’ve failed to gain
> > traction internally. This is not helping my case. Is this a known issue?
> >
> > TIA
> >
> > Simon
>
> Looking at the RPZ related issues in
> https://github.com/PowerDNS/pdns/issues I don't see an obvious match.
>
> Please file an issue and include all relevant (unredacted) data,
> including the RPZ data so that reproduction and further investigation
> is possible.

See https://github.com/PowerDNS/pdns/pull/8340

-Otto
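
Added example (not from this thread and not PowerDNS code): a stand-alone Python check that decodes `rpz-ip` trigger owner names into CIDRs, so a zone's IP triggers can be validated before a resolver loads them. It assumes the trigger encoding described in the RPZ draft specification (prefix length first, address words in reverse order, `zz` standing for one run of zero words); the owner names are constructed samples, and `decode_rpz_ip` and `audit` are hypothetical helper names.

```python
import ipaddress

def decode_rpz_ip(owner, zone):
    """Decode one rpz-ip trigger owner name into an ipaddress network object."""
    suffix = ".rpz-ip." + zone.strip(".").lower()
    name = owner.strip(".").lower()
    if not name.endswith(suffix):
        raise ValueError("not an rpz-ip trigger in zone " + zone)
    labels = name[: -len(suffix)].split(".")
    prefix, words = labels[0], labels[1:][::-1]  # address labels are stored reversed
    if not prefix.isdigit():
        raise ValueError("prefix length is not a number: %r" % prefix)
    if len(words) == 4 and "zz" not in words:
        addr = ".".join(words)  # IPv4: four decimal octets
    else:
        if words.count("zz") > 1:
            raise ValueError("more than one 'zz' label")
        if "zz" in words:
            fill = 8 - (len(words) - 1)  # zero words that 'zz' stands for
            if fill < 1:
                raise ValueError("'zz' leaves no room for a zero run")
            i = words.index("zz")
            words[i:i + 1] = ["0"] * fill
        if len(words) != 8:
            raise ValueError("IPv6 trigger needs 8 words, got %d" % len(words))
        addr = ":".join(words)
    # strict=True (this example's choice) also rejects bits set past the prefix
    return ipaddress.ip_network(addr + "/" + prefix, strict=True)

def audit(owners, zone):
    """Split owner names into decoded CIDRs and rejected names with reasons."""
    decoded, rejected = {}, {}
    for owner in owners:
        try:
            decoded[owner] = str(decode_rpz_ip(owner, zone))
        except ValueError as exc:
            rejected[owner] = str(exc)
    return decoded, rejected

# Constructed owner names (not taken from the real zone data)
SAMPLE = [
    "24.0.2.0.192.rpz-ip.bogons.ip.dtq",
    "64.zz.1.0.0.0.rpz-ip.bogons.ip.dtq",
    "128.57.zz.1.0.db8.2001.rpz-ip.bogons.ip.dtq",
    "64.1.0.0.0.rpz-ip.bogons.ip.dtq",       # malformed: 'zz' label missing
    "64.zz.1.zz.0.rpz-ip.bogons.ip.dtq",     # malformed: two 'zz' labels
]
if __name__ == "__main__":
    print(audit(SAMPLE, "bogons.ip.dtq"))
```

Running `audit` over the owner names of a transferred zone lists the triggers that do not decode to a valid network, together with the reason each was rejected.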