Running pdns-recursor 4.2.1, I'm encountering an issue where the pdns-recursor returns a SERVFAIL to the client on domains that are resolvable by pretty much any public DNS resolver - Level3, Google, OpenDNS, Comcast, etc.
I understand from tracing the query (rec_control trace-regex) and from reading that the default behavior of pdns-recursor is that if it receives a response that does not have the AA bit set, the answer is discarded and the next authoritative server for the domain is tried. This seems like a very reasonable default behavior and obvious from the recursor trace logs. In reading https://github.com/PowerDNS/pdns/issues/8513, it appears the current ability in handling this is to configure forward-zones or forward-zones-recurse to treat the zone as a recursing zone and not require the AA bit set in replies. Obviously, this is less than desirable when the upstream DNS server is external and the authoritative server addresses may change at any time without warning or coordination.

The question I have is whether there is a configuration ability to remove the AA bit requirement for resolution? Or is the forward-zone configuration the only option available to handle this scenario? Of course, other than the offending operator correcting their configuration.

Recursor trace output below...

Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: accept answer 'mtdnstri.mt.gov|A|161.7.129.10' from 'gov' nameservers? ttl=86400, place=3 YES!
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: accept answer 'mtdnspri.mt.gov|A|161.7.38.10' from 'gov' nameservers? ttl=86400, place=3 YES!
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: accept answer 'mtdnssec.mt.gov|A|161.7.38.11' from 'gov' nameservers? ttl=86400, place=3 YES!
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: OPT answer '.' from 'gov' nameservers
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] : got initial zone status Indeterminate for record mtdnssec.mt.gov|A
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] : got initial zone status Indeterminate for record mtdnspri.mt.gov|A
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] : got initial zone status Indeterminate for record mtdnstri.mt.gov|A
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] : got initial zone status Indeterminate for record mt.gov|NS
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: determining status after receiving this packet
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: got NS record 'mt.gov' -> 'mtdnstri.mt.gov.'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: got NS record 'mt.gov' -> 'mtdnspri.mt.gov.'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: got NS record 'mt.gov' -> 'mtdnssec.mt.gov.'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: status=did not resolve, got 3 NS, looping to them
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov.: Nameservers: mtdnstri.mt.gov(16.59ms), mtdnspri.mt.gov(24.33ms), mtdnssec.mt.gov(24.83ms)
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Trying to resolve NS 'mtdnstri.mt.gov' (1/3)
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnstri.mt.gov: Wants NO DNSSEC processing, NO auth data in query for A
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnstri.mt.gov: Looking for CNAME cache hit of 'mtdnstri.mt.gov|CNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnstri.mt.gov: Looking for DNAME cache hit of 'gov|DNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnstri.mt.gov: Looking for DNAME cache hit of 'mt.gov|DNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnstri.mt.gov: No CNAME or DNAME cache hit of 'mtdnstri.mt.gov' found
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnstri.mt.gov: Found cache hit for A: 161.7.129.10[ttl=86400]
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnstri.mt.gov: updating validation state with cache content for mtdnstri.mt.gov to Indeterminate
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Resolved 'mt.gov' NS mtdnstri.mt.gov to: 161.7.129.10
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Trying IP 161.7.129.10:53, asking 'leg.mt.gov|A'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Got 2 answers from mtdnstri.mt.gov (161.7.129.10), rcode=0 (No Error), aa=0, in 54ms
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] Removing record ' leg.mt.gov|A|161.7.35.124' in the answer section without the AA bit set received from mt.gov
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: OPT answer '.' from 'mt.gov' nameservers
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: determining status after receiving this packet
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Trying to resolve NS 'mtdnspri.mt.gov' (2/3)
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnspri.mt.gov: Wants NO DNSSEC processing, NO auth data in query for A
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnspri.mt.gov: Looking for CNAME cache hit of 'mtdnspri.mt.gov|CNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnspri.mt.gov: Looking for DNAME cache hit of 'gov|DNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnspri.mt.gov: Looking for DNAME cache hit of 'mt.gov|DNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnspri.mt.gov: No CNAME or DNAME cache hit of 'mtdnspri.mt.gov' found
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnspri.mt.gov: Found cache hit for A: 161.7.38.10[ttl=86400]
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnspri.mt.gov: updating validation state with cache content for mtdnspri.mt.gov to Indeterminate
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Resolved 'mt.gov' NS mtdnspri.mt.gov to: 161.7.38.10
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Trying IP 161.7.38.10:53, asking 'leg.mt.gov|A'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Got 2 answers from mtdnspri.mt.gov (161.7.38.10), rcode=0 (No Error), aa=0, in 81ms
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] Removing record ' leg.mt.gov|A|161.7.35.124' in the answer section without the AA bit set received from mt.gov
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: OPT answer '.' from 'mt.gov' nameservers
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: determining status after receiving this packet
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Trying to resolve NS 'mtdnssec.mt.gov' (3/3)
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnssec.mt.gov: Wants NO DNSSEC processing, NO auth data in query for A
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnssec.mt.gov: Looking for CNAME cache hit of 'mtdnssec.mt.gov|CNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnssec.mt.gov: Looking for DNAME cache hit of 'gov|DNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnssec.mt.gov: Looking for DNAME cache hit of 'mt.gov|DNAME'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnssec.mt.gov: No CNAME or DNAME cache hit of 'mtdnssec.mt.gov' found
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnssec.mt.gov: Found cache hit for A: 161.7.38.11[ttl=86399]
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] mtdnssec.mt.gov: updating validation state with cache content for mtdnssec.mt.gov to Indeterminate
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Resolved 'mt.gov' NS mtdnssec.mt.gov to: 161.7.38.11
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Trying IP 161.7.38.11:53, asking 'leg.mt.gov|A'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Got 2 answers from mtdnssec.mt.gov (161.7.38.11), rcode=0 (No Error), aa=0, in 81ms
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] Removing record ' leg.mt.gov|A|161.7.35.124' in the answer section without the AA bit set received from mt.gov
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: OPT answer '.' from 'mt.gov' nameservers
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: determining status after receiving this packet
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Failed to resolve via any of the 3 offered NS at level 'mt.gov'
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: failed (res=-1)

I appreciate any guidance.

Best,
--Caleb

Caleb Bontrager
Milford, DE
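An added example, not code from the original post or from PowerDNS: a small Python parser for pdns-recursor trace lines like the ones above. It lists the servers that answered NOERROR with aa=0, the records the recursor dropped as a result, and assembles the forward-zones-recurse workaround the post mentions for the affected zone. The sample trace is constructed from the lines above plus one aa=1 answer from a made-up ns1.example.com, and the forward-zones-recurse value format (zone=ip;ip, zone2=ip) is assumed from the PowerDNS recursor documentation.

```python
import re

# Constructed sample: the post's trace lines for leg.mt.gov (all three mt.gov servers
# answer aa=0), plus one constructed authoritative (aa=1) answer the filter must ignore.
SAMPLE_TRACE = """\
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Got 2 answers from mtdnstri.mt.gov (161.7.129.10), rcode=0 (No Error), aa=0, in 54ms
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] Removing record ' leg.mt.gov|A|161.7.35.124' in the answer section without the AA bit set received from mt.gov
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Got 2 answers from mtdnspri.mt.gov (161.7.38.10), rcode=0 (No Error), aa=0, in 81ms
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] Removing record ' leg.mt.gov|A|161.7.35.124' in the answer section without the AA bit set received from mt.gov
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] leg.mt.gov: Got 2 answers from mtdnssec.mt.gov (161.7.38.11), rcode=0 (No Error), aa=0, in 81ms
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] Removing record ' leg.mt.gov|A|161.7.35.124' in the answer section without the AA bit set received from mt.gov
Apr 15 10:18:49 pdnsrbtest pdns_recursor[18430]: [2547] www.example.com: Got 1 answers from ns1.example.com (192.0.2.53), rcode=0 (No Error), aa=1, in 10ms
"""

# "Got N answers from <ns> (<ip>), rcode=<n> (...), aa=<0|1>, in <n>ms"
ANSWER_RE = re.compile(
    r"\] (?P<qname>\S+): Got \d+ answers from (?P<ns>\S+) \((?P<ip>[^)]+)\), "
    r"rcode=(?P<rcode>\d+) \([^)]*\), aa=(?P<aa>[01]), in \d+ms")
# "Removing record ' name|type|content' ... without the AA bit set received from <zone>"
DROP_RE = re.compile(
    r"Removing record ' ?(?P<name>[^|]+)\|(?P<rtype>[^|]+)\|(?P<content>[^']+)' "
    r"in the answer section without the AA bit set received from (?P<zone>\S+)")


def analyse_trace(trace):
    """Return (non_aa, dropped): servers that answered NOERROR without the AA bit,
    and the records the recursor discarded because of it."""
    non_aa, dropped = [], []
    for line in trace.splitlines():
        m = ANSWER_RE.search(line)
        if m:
            if m["aa"] == "0" and m["rcode"] == "0":
                non_aa.append((m["qname"], m["ns"], m["ip"]))
            continue
        m = DROP_RE.search(line)
        if m:
            dropped.append((m["zone"], m["name"], m["rtype"], m["content"]))
    return non_aa, dropped


def forward_zones_recurse_line(trace):
    """Build the forward-zones-recurse setting the post mentions: one entry per zone
    whose servers answered non-authoritatively, listing those servers' IPs with ';'."""
    non_aa, dropped = analyse_trace(trace)
    entries = []
    for zone in sorted({d[0] for d in dropped}):
        ips = [ip for qname, _, ip in non_aa if qname == zone or qname.endswith("." + zone)]
        entries.append(f"{zone}={';'.join(dict.fromkeys(ips))}")  # de-duplicate, keep order
    return "forward-zones-recurse=" + ", ".join(entries)
```

Forwarding a zone this way switches off the AA check for it, so the output is best used as evidence to hand to the zone operator, with the workaround applied only to zones whose servers you already trust.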