On 15/04/2020 15:37, Caleb Bontrager via Pdns-users wrote:
> The question I have is if there is a configuration ability to remove the AA bit requirement for resolution?

I can't answer the specific question, but I tested that my own local pdns-recursor (4.3.0-1pdns.bionic) *is* able to resolve leg.mt.gov.

rec_control dump_cache says:

mt.gov. 86340 IN NS mtdnstri.mt.gov. ; (Indeterminate) auth=0
mt.gov. 86340 IN NS mtdnspri.mt.gov. ; (Indeterminate) auth=0
mt.gov. 86340 IN NS mtdnssec.mt.gov. ; (Indeterminate) auth=0
mtdnstri.mt.gov. 86340 IN A 161.7.129.10 ; (Indeterminate) auth=0
mtdnssec.mt.gov. 86340 IN A 161.7.38.11 ; (Indeterminate) auth=0
mtdnspri.mt.gov. 86340 IN A 161.7.38.10 ; (Indeterminate) auth=0
leg.mt.gov. 3540 IN A 161.7.35.124 ; (Indeterminate) auth=1
leg.mt.gov. 3540 A  ; tag 0

And the query log:

Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]  mt.gov: got NS record 'mt.gov' -> 'mtdnstri.mt.gov.'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]  mt.gov: got NS record 'mt.gov' -> 'mtdnspri.mt.gov.'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]  mt.gov: got NS record 'mt.gov' -> 'mtdnssec.mt.gov.'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]  mt.gov: status=did not resolve, got 3 NS, looping to them
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM leg.mt.gov.|A child=mt.gov: Step4 Resolve A result is No Error/0/2
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM leg.mt.gov.|A child=mt.gov: Delegation seen, continue at step 1
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Checking if we have NS in cache for 'leg.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: no valid/useful NS in cache for 'leg.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Checking if we have NS in cache for 'mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov' -> 'mtdnstri.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: within bailiwick: 1,  in cache, ttl=86400
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov' -> 'mtdnspri.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: within bailiwick: 1,  in cache, ttl=86400
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov' -> 'mtdnssec.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: within bailiwick: 1,  in cache, ttl=86400
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: We have NS in cache for 'mt.gov' (flawedNSSet=0)
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM leg.mt.gov.|A child=mt.gov: Step1 Ancestor from cache is mt.gov.
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM leg.mt.gov.|A child=leg.mt.gov: Step2 New child
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM leg.mt.gov.|A child=leg.mt.gov: Step3 Going to do final resolve
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Wants DNSSEC processing, auth data in query for A
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Looking for CNAME cache hit of 'leg.mt.gov|CNAME'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Looking for DNAME cache hit of 'leg.mt.gov|DNAME' or its ancestors
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: No CNAME or DNAME cache hit of 'leg.mt.gov' found
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: No cache hit for 'leg.mt.gov|A', trying to find an appropriate NS record
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] : got TA for '.'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] : setting cut state for . to Secure
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Checking if we have NS in cache for 'leg.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: no valid/useful NS in cache for 'leg.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Checking if we have NS in cache for 'mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov' -> 'mtdnstri.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: within bailiwick: 1,  in cache, ttl=86400
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov' -> 'mtdnspri.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: within bailiwick: 1,  in cache, ttl=86400
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov' -> 'mtdnssec.mt.gov'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: within bailiwick: 1,  in cache, ttl=86400
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: We have NS in cache for 'mt.gov' (flawedNSSet=0)
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: initial validation status for leg.mt.gov is Indeterminate
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Cache consultations done, have 3 NS to contact
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov.: Nameservers: mtdnspri.mt.gov(0.00ms), mtdnssec.mt.gov(0.00ms), mtdnstri.mt.gov(0.00ms)
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Trying to resolve NS 'mtdnspri.mt.gov' (1/3)
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]     QM mtdnspri.mt.gov.|A child=(empty): doResolve
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mtdnspri.mt.gov: Wants DNSSEC processing, NO auth data in query for A
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mtdnspri.mt.gov: Recursion not requested for 'mtdnspri.mt.gov|A', peeking at auth/forward zones
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mtdnspri.mt.gov: Looking for CNAME cache hit of 'mtdnspri.mt.gov|CNAME'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mtdnspri.mt.gov: Looking for DNAME cache hit of 'mtdnspri.mt.gov|DNAME' or its ancestors
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mtdnspri.mt.gov: No CNAME or DNAME cache hit of 'mtdnspri.mt.gov' found
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mtdnspri.mt.gov: Found cache hit for A: 161.7.38.10[ttl=86400]
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mtdnspri.mt.gov: updating validation state with cache content for mtdnspri.mt.gov to Indeterminate
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]     QM mtdnspri.mt.gov.|A child=(empty): Step0 Found in cache
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Resolved 'mt.gov' NS mtdnspri.mt.gov to: 161.7.38.10
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Trying IP 161.7.38.10:53, asking 'leg.mt.gov|A'
*Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: Got 2 answers from mtdnspri.mt.gov (161.7.38.10), rcode=0 (No Error), aa=1, in 128ms*
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: accept answer 'leg.mt.gov|A|161.7.35.124' from 'mt.gov' nameservers? ttl=3600, place=1 YES!
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: OPT answer '.' from 'mt.gov' nameservers
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] : got initial zone status Indeterminate for record leg.mt.gov|A
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: determining status after receiving this packet
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: answer is in: resolved to '161.7.35.124|A'
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: status=got results, this level of recursion done
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] leg.mt.gov: validation status is Indeterminate
Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM leg.mt.gov.|A child=leg.mt.gov: Step3 Final resolve: No Error/1
Apr 16 10:18:43 cache2 pdns_recursor[19615]: 2 [1/1] answer to question 'leg.mt.gov|A': 1 answers, 1 additional, took 3 packets, 226.077 netw ms, 247.328 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=0

The weird thing is, logs above are showing aa=1 in the response.

Using dig, I see the same as you - that the servers for this domain are all lame. aa=0, ra=1. Even the TTL decrements like a recursor.


$ dig +norec @mtdnstri.mt.gov. leg.mt.gov. a

; <<>> DiG 9.10.6 <<>> +norec @mtdnstri.mt.gov. leg.mt.gov. a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12168
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;leg.mt.gov.            IN    A

;; ANSWER SECTION:
leg.mt.gov.        3579    IN    A    161.7.35.124

;; Query time: 118 msec
;; SERVER: 161.7.129.10#53(161.7.129.10)
;; WHEN: Thu Apr 16 10:56:19 BST 2020
;; MSG SIZE  rcvd: 55

$ dig +norec @mtdnstri.mt.gov. leg.mt.gov. a

; <<>> DiG 9.10.6 <<>> +norec @mtdnstri.mt.gov. leg.mt.gov. a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61785
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;leg.mt.gov.            IN    A

;; ANSWER SECTION:
leg.mt.gov.        3574    IN    A    161.7.35.124

;; Query time: 117 msec
;; SERVER: 161.7.129.10#53(161.7.129.10)
;; WHEN: Thu Apr 16 10:56:24 BST 2020
;; MSG SIZE  rcvd: 55

Sometimes I see the TTL jump back up again - perhaps some sort of load-balancer in front of a bunch of recursive servers?

Next I try a tcpdump while pdns-recursor does its business:

10:29:18.479243 IP 10.12.255.54.54426 > 161.7.129.10.53: 11772 [1au] A? leg.mt.gov. (39)
    0x0000:  4500 0043 576a 4000 4011 b7eb 0a0c ff36 E..CWj@.@......6
    0x0010:  a107 810a d49a 0035 002f 2b95 2dfc 0000 .......5./+.-...
    0x0020:  0001 0000 0000 0001 036c 6567 026d 7403 .........leg.mt.
    0x0030:  676f 7600 0001 0001 0000 2904 d000 0080 gov.......).....
    0x0040:  0000 00                                  ...
10:29:18.596734 IP 161.7.129.10.53 > 10.12.255.54.54426: 11772*- 1/0/1 A 161.7.35.124 (55)
    0x0000:  4550 0053 7c67 4000 f211 e08d a107 810a EP.S|g@.........
    0x0010:  0a0c ff36 0035 d49a 003f d4df 2dfc *8400* ...6.5...?..-...
    0x0020:  0001 0001 0000 0001 036c 6567 026d 7403 .........leg.mt.
    0x0030:  676f 7600 0001 0001 c00c 0001 0001 0000 gov.............
    0x0040:  0e10 0004 a107 237c 0000 2910 0000 0000 ......#|..).....
    0x0050:  0000 00                                  ...

If I decode the response I get:

2dfc = ident

8400 = flags: QR=1, opcode = 0000, AA=1, TC=0, RD=0; RA=0, Z=0, AD=0, CD=0, rcode=0000

Exactly what's expected from an authoritative server: Authoritative Answer=1, Recursion Available=0.

Now let me try the same with dig:

# dig +norec @161.7.129.10 leg.mt.gov. a

10:35:13.468482 IP 10.12.255.54.38387 > 161.7.129.10.53: 34722 [1au] A? leg.mt.gov. (51)
    0x0000:  4500 004f cb80 0000 4011 83c9 0a0c ff36 E..O....@......6
    0x0010:  a107 810a 95f3 0035 003b 2ba1 87a2 0020 .......5.;+.....
    0x0020:  0001 0000 0000 0001 036c 6567 026d 7403 .........leg.mt.
    0x0030:  676f 7600 0001 0001 0000 2910 0000 0000 gov.......).....
    0x0040:  0000 0c00 0a00 0880 3a8e d7cf 0707 14 ........:......
10:35:13.586436 IP 161.7.129.10.53 > 10.12.255.54.38387: 34722 1/0/1 A 161.7.35.124 (55)
    0x0000:  4550 0053 2262 4000 f011 3c93 a107 810a EP.S"b@...<.....
    0x0010:  0a0c ff36 0035 95f3 003f bd6c 87a2 *8080* ...6.5...?.l....
    0x0020:  0001 0001 0000 0001 036c 6567 026d 7403 .........leg.mt.
    0x0030:  676f 7600 0001 0001 c00c 0001 0001 0000 gov.............
    0x0040:  0e04 0004 a107 237c 0000 2910 0000 0000 ......#|..).....
    0x0050:  0000 00                                  ...

Now I get:

87a2 = ident

8080 = flags: QR=1, RA=1

i.e. now it's responding just like a recursor!!

I notice the dig request has 0020 for flags, i.e. AD=1. I can fix that to make flags 0000:

# dig +norec +noad @161.7.129.10 leg.mt.gov. a

10:37:08.595577 IP 10.12.255.54.59200 > 161.7.129.10.53: 710 [1au] A? leg.mt.gov. (51)
    0x0000:  4500 004f f7db 0000 4011 576e 0a0c ff36 E..O....@.Wn...6
    0x0010:  a107 810a e740 0035 003b 2ba1 02c6 0000 .....@.5.;+.....
    0x0020:  0001 0000 0000 0001 036c 6567 026d 7403 .........leg.mt.
    0x0030:  676f 7600 0001 0001 0000 2910 0000 0000 gov.......).....
    0x0040:  0000 0c00 0a00 08e7 a9b0 0c46 4733 22 ...........FG3"
10:37:08.714776 IP 161.7.129.10.53 > 10.12.255.54.59200: 710 1/0/1 A 161.7.35.124 (55)
    0x0000:  4550 0053 7930 4000 f211 e3c4 a107 810a EP.Sy0@.........
    0x0010:  0a0c ff36 0035 e740 003f f104 02c6 *8080* ...6.5.@.?......
    0x0020:  0001 0001 0000 0001 036c 6567 026d 7403 .........leg.mt.
    0x0030:  676f 7600 0001 0001 c00c 0001 0001 0000 gov.............
    0x0040:  0dfb 0004 a107 237c 0000 2910 0000 0000 ......#|..).....
    0x0050:  0000 00                                  ...

Gargh... it's still responding like a recursor!

It looks like there is some sort of wacky views mechanism on this server, which uses some weird attribute of the request to infer whether it's coming from a stub resolver or from a recursor (instead of just looking at the RD bit like it should).  But I don't have time to dig further - I'll hand this back to you.

You might want to try recursor 4.3.0 anyway, since that works for me.

Cheers,

Brian.

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
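The header decoding Brian does by hand above (0x8400 = QR+AA, 0x8080 = QR+RA) is easy to get wrong at the byte level, so here is an added worked example; it is not part of the mailing-list post or of PowerDNS. It is a small RFC 1035/6891 message parser in plain Python with no third-party dependencies: it decodes header flags, the question, answer records with compression pointers, and the EDNS OPT pseudo-record, then classifies each responder the way the post does (AA=1 with RA=0 looks authoritative, RA=1 with AA=0 looks like a recursor). The sample inputs are the UDP payloads transcribed from the tcpdump hex dumps above (the 28 bytes of IP and UDP headers dropped), so they are constructed from the page rather than captured fresh. It also prints what differs between the two requests that are visible in the captures (DO bit, EDNS buffer size, and a COOKIE option in dig's query) without claiming which of those, if any, triggers the server's behaviour. All function and constant names are my own.

```python
"""Decode DNS messages captured as hex and classify the responder (added example)."""
import struct

# Header flag bits, numbered from the low end of the 16-bit flags word (RFC 1035 / RFC 4035).
FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7, "AD": 5, "CD": 4}

def parse_name(msg, off):
    """Return (dotted name, offset after the name), following compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:                                # root label terminates the name
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end

def parse_rr(msg, off):
    """Parse one resource record; OPT (type 41) reuses CLASS/TTL for EDNS fields."""
    name, off = parse_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    rr = {"name": name, "type": rtype, "rdata": rdata}
    if rtype == 41:
        rr["udp_size"] = rclass                        # requestor's UDP payload size
        rr["do"] = bool((ttl >> 15) & 1)               # DNSSEC OK bit
        rr["options"], p = [], 0
        while p + 4 <= rdlen:                          # option code/length/data triples
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            rr["options"].append((code, rdata[p + 4:p + 4 + olen]))
            p += 4 + olen
    else:
        rr["class"], rr["ttl"] = rclass, ttl
        if rtype == 1 and rdlen == 4:
            rr["address"] = ".".join(str(b) for b in rdata)
    return rr, off + rdlen

def parse_message(hexdump):
    """Parse a whole DNS message given as a (space-separated) hex string."""
    msg = bytes.fromhex(hexdump.replace(" ", ""))
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": ident, "rcode": flags & 0xF,
           "flags": {k: bool((flags >> b) & 1) for k, b in FLAG_BITS.items()},
           "question": [], "answer": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        qname, off = parse_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["question"].append((qname, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            out[section].append(rr)
    return out

def classify_responder(resp):
    """An authoritative server answers AA=1/RA=0; a recursor answers RA=1 (and AA=0 for cached data)."""
    f = resp["flags"]
    if f["AA"] and not f["RA"]:
        return "authoritative"
    if f["RA"] and not f["AA"]:
        return "recursor-like"
    return "ambiguous"

def edns_summary(msg):
    """Summarise the OPT record of a message, or None if it carries no EDNS."""
    opt = next((rr for rr in msg["additional"] if rr["type"] == 41), None)
    if opt is None:
        return None
    return {"udp_size": opt["udp_size"], "do": opt["do"],
            "option_codes": [code for code, _ in opt["options"]]}

# Constructed inputs: UDP payloads transcribed from the tcpdump hex dumps in the post.
RECURSOR_QUERY = ("2dfc 0000 0001 0000 0000 0001 036c 6567 026d 7403 676f 7600 "
                  "0001 0001 0000 2904 d000 0080 0000 00")
RECURSOR_RESP = ("2dfc 8400 0001 0001 0000 0001 036c 6567 026d 7403 676f 7600 "
                 "0001 0001 c00c 0001 0001 0000 0e10 0004 a107 237c 0000 2910 "
                 "0000 0000 0000 00")
DIG_QUERY = ("87a2 0020 0001 0000 0000 0001 036c 6567 026d 7403 676f 7600 "
             "0001 0001 0000 2910 0000 0000 0000 0c00 0a00 0880 3a8e d7cf 0707 14")
DIG_RESP = ("87a2 8080 0001 0001 0000 0001 036c 6567 026d 7403 676f 7600 "
            "0001 0001 c00c 0001 0001 0000 0e04 0004 a107 237c 0000 2910 "
            "0000 0000 0000 00")

if __name__ == "__main__":
    for label, q, r in (("pdns-recursor", RECURSOR_QUERY, RECURSOR_RESP),
                        ("dig +norec", DIG_QUERY, DIG_RESP)):
        qm, rm = parse_message(q), parse_message(r)
        a = rm["answer"][0]
        set_flags = sorted(k for k, v in rm["flags"].items() if v)
        print(label, "query: RD=%d edns=%s" % (qm["flags"]["RD"], edns_summary(qm)))
        print("  response:", classify_responder(rm), a["name"], "ttl=%d" % a["ttl"],
              "A", a["address"], "flags=%s" % set_flags)
```

Run it and the pdns-recursor exchange decodes to an authoritative answer (AA set, RA clear, TTL 3600) while both dig exchanges decode to recursor-like answers (RA set, AA clear, a decremented TTL), which is exactly the discrepancy the post describes. Both queries carry RD=0, so the RD bit alone cannot be what the server keys on; the only request-side differences in these captures are in the EDNS OPT record and the AD bit, and the +noad run shows the AD bit is not it either.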
