Your message dated Wed, 22 Jul 2020 02:14:32 +0200
with message-id <[email protected]>
and subject line Re: Bug#947347: pdns-server: wrong server response to DS
request for unsigned zone
has caused the Debian Bug report #947347,
regarding pdns-server: wrong server response to DS request for unsigned zone
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
947347: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947347
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pdns-server
Version: 4.1.6-3
Severity: normal
Tags: upstream
A record SERVFAIL only with 8.8.8.8 for my unsigned subdomains.
We have unsigned zones example.org and subdomain.example.org. ns1-3.example.com
(Debian buster, PowerDNS in superslave mode) are the domain servers for those zones.
$ host -t A rr.subdomain.example.org 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
Host rr.subdomain.example.org not found: 2(SERVFAIL)
Also,
$ dig +trace subdomain.example.org ds
demonstrates a request loop:
...
subdomain.example.org. 3600 IN NS ns1.example.com.
subdomain.example.org. 3600 IN NS ns2.example.com.
subdomain.example.org. 3600 IN NS ns3.example.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 105 bytes from 123.45.67.89#53(ns3.example.com) in 81 ms
subdomain.example.org. 3600 IN NS ns1.example.com.
subdomain.example.org. 3600 IN NS ns2.example.com.
subdomain.example.org. 3600 IN NS ns3.example.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 105 bytes from 98.76.54.32#53(ns2.example.com) in 80 ms
subdomain.example.org. 3600 IN NS ns1.example.com.
subdomain.example.org. 3600 IN NS ns2.example.com.
subdomain.example.org. 3600 IN NS ns3.example.com.
;; BAD (HORIZONTAL) REFERRAL
dig: too many lookups
We tested the PowerDNS-based DNS system for managing subdomains through the
API for CI/CD automation.
Recently, we found that the records of our subdomains are not resolved by
the Google public resolver. It was a very unpleasant surprise.
I spent some time investigating it and want to share the result.
The reason for this is that Google makes a DS request for the domain before
each request, but PowerDNS in version 4.1 gives a wrong answer for unsigned
domains.
Upstream, this is fixed for version 4.2 -
https://github.com/PowerDNS/pdns/pull/6923.
I request porting the upstream fix to Debian.
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8),
LANGUAGE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages pdns-server depends on:
ii adduser 3.118
pn libboost-program-options1.67.0 <none>
ii libc6 2.28-10
ii libgcc1 1:8.3.0-6
ii liblua5.3-0 5.3.3-1.1
ii libsodium23 1.0.17-1
ii libsqlite3-0 3.27.2-3
ii libssl1.1 1.1.1d-0+deb10u2
ii libstdc++6 8.3.0-6
ii libsystemd0 241-7~deb10u2
Versions of packages pdns-server recommends:
pn pdns-backend-bind <none>
Versions of packages pdns-server suggests:
pn pdns-backend <none>
--- End Message ---
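Added example, not part of the original report and not PowerDNS or dig code: a small checker that reads `dig +trace` output like the one quoted in the report and labels each referral as down, horizontal or up by comparing the referred zone with the previous one. The function names, the classification rule (a simplification of dig's own check) and the sample trace are assumptions constructed for illustration.

```python
import re

NS_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+\S+$")
RECEIVED = re.compile(r"^;; Received \d+ bytes from \S+#\d+\((\S+)\)")

# Constructed trace modelled on the one in the report; addresses are placeholders.
SAMPLE_TRACE = """\
. 518400 IN NS a.root-servers.net.
;; Received 239 bytes from 192.0.2.53#53(192.0.2.53) in 1 ms
org. 172800 IN NS a0.org.afilias-nst.info.
;; Received 812 bytes from 198.51.100.1#53(a.root-servers.net) in 20 ms
example.org. 86400 IN NS ns1.example.com.
;; Received 120 bytes from 198.51.100.2#53(a0.org.afilias-nst.info) in 30 ms
subdomain.example.org. 3600 IN NS ns1.example.com.
;; Received 105 bytes from 203.0.113.1#53(ns1.example.com) in 81 ms
subdomain.example.org. 3600 IN NS ns1.example.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 105 bytes from 203.0.113.3#53(ns3.example.com) in 81 ms
subdomain.example.org. 3600 IN NS ns1.example.com.
;; BAD (HORIZONTAL) REFERRAL
dig: too many lookups
"""

def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def classify(prev_zone, zone):
    """Direction of a referral relative to the zone of the previous referral."""
    if prev_zone is None:
        return "start"
    p, z = labels(prev_zone), labels(zone)
    if z == p:
        return "horizontal"   # same zone again: the lookup makes no progress
    if len(z) > len(p) and z[len(z) - len(p):] == p:
        return "down"         # normal delegation towards the query name
    return "up"               # referral out of the current zone

def audit(trace):
    """Return [(responding_server, referred_zone, verdict)] per referral."""
    results, prev, zone = [], None, None
    # Sentinel flushes a final block that dig aborted before printing "Received".
    for line in trace.splitlines() + [";; Received 0 bytes from -#0(unknown)"]:
        ns, rx = NS_RR.match(line.strip()), RECEIVED.match(line.strip())
        if ns:
            zone = ns.group(1)
        elif rx and zone is not None:
            results.append((rx.group(1), zone, classify(prev, zone)))
            prev, zone = zone, None
    return results
```

Running `audit()` over saved traces for each delegated zone makes it easy to spot which authoritative server first repeats a referral for a DS query.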
--- Begin Message ---
Version: 4.3.0-2
* Andrey A. Lyubimets <[email protected]> [200722 00:12]:
[..]
> > After talking to upstream about this, it is more likely that your
> > zone has other problems that make 8.8.8.8 SERVFAIL.
> > Can you post a full reproduction scenario?
>
> I could not reproduce this error today. But today I was able to find
> messages about similar problems: please look at
> https://groups.google.com/forum/#!topic/public-dns-discuss/jU2HcViB9zY and
> https://docs.google.com/document/d/1Bn2rmuWvHzIDnLz2Ag6DSSJHFWl69ASIUzpjxBUYE5Y/edit
>
> I think Google has changed the behavior of the resolver.
>
> Nevertheless, I hope that PowerDNS in Buster will correctly handle
> queries for DS records.
Well, I guess it does now (in bullseye) given you've suggested
-your- problem is fixed in 4.2, and we now ship 4.3.0.
Otherwise, the comment above still stands.
Best,
Chris
--- End Message ---