Package: pdns-server
Version: 4.1.6-3
Severity: normal
Tags: upstream

A record SERVFAIL only with 8.8.8.8 for my unsigned subdomains.

We have the unsigned zones example.org and subdomain.example.org. ns1-3.example.com
(Debian buster, PowerDNS in superslave mode) are the domain servers for those zones.

$ host -t A rr.subdomain.example.org 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

Host rr.subdomain.example.org not found: 2(SERVFAIL)


Also,

$ dig +trace subdomain.example.org ds

demonstrates a request loop:

...
subdomain.example.org.        3600    IN      NS      ns1.example.com.
subdomain.example.org.        3600    IN      NS      ns2.example.com.
subdomain.example.org.        3600    IN      NS      ns3.example.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 105 bytes from 123.45.67.89#53(ns3.example.com) in 81 ms
subdomain.example.org.        3600    IN      NS      ns1.example.com.
subdomain.example.org.        3600    IN      NS      ns2.example.com.
subdomain.example.org.        3600    IN      NS      ns3.example.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 105 bytes from 98.76.54.32#53(ns2.example.com) in 80 ms
subdomain.example.org.        3600    IN      NS      ns1.example.com.
subdomain.example.org.        3600    IN      NS      ns2.example.com.
subdomain.example.org.        3600    IN      NS      ns3.example.com.
;; BAD (HORIZONTAL) REFERRAL
dig: too many lookups


We tested the PowerDNS-based DNS system for managing subdomains through the
API for CI/CD automation.

Recently, we found that the records of our subdomains are not resolved by
the Google public resolver. It was a very unpleasant surprise.

I spent some time investigating it and want to share the result.

The reason for this is that Google makes a DS request for the domain before
each request, but PowerDNS in version 4.1 gives a wrong answer for unsigned
domains.

Upstream, this is fixed for version 4.2 -
https://github.com/PowerDNS/pdns/pull/6923.

I request porting the upstream fix to Debian.



-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), LANGUAGE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages pdns-server depends on:
ii  adduser                         3.118
pn  libboost-program-options1.67.0  <none>
ii  libc6                           2.28-10
ii  libgcc1                         1:8.3.0-6
ii  liblua5.3-0                     5.3.3-1.1
ii  libsodium23                     1.0.17-1
ii  libsqlite3-0                    3.27.2-3
ii  libssl1.1                       1.1.1d-0+deb10u2
ii  libstdc++6                      8.3.0-6
ii  libsystemd0                     241-7~deb10u2

Versions of packages pdns-server recommends:
pn  pdns-backend-bind  <none>

Versions of packages pdns-server suggests:
pn  pdns-backend  <none>
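
The loop in the trace above can be recognized mechanically: each responding server returns an NS set for the queried name that lists the responder itself. The Python below is an added example, not part of the original report or of PowerDNS; the function names are hypothetical and the sample is the dig +trace tail quoted in the report.

```python
import re

# Sample: the dig +trace tail quoted in the report (placeholder names and IPs).
TRACE = """\
subdomain.example.org.        3600    IN      NS      ns1.example.com.
subdomain.example.org.        3600    IN      NS      ns2.example.com.
subdomain.example.org.        3600    IN      NS      ns3.example.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 105 bytes from 123.45.67.89#53(ns3.example.com) in 81 ms
subdomain.example.org.        3600    IN      NS      ns1.example.com.
subdomain.example.org.        3600    IN      NS      ns2.example.com.
subdomain.example.org.        3600    IN      NS      ns3.example.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 105 bytes from 98.76.54.32#53(ns2.example.com) in 80 ms
"""

NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$")
FROM_RE = re.compile(r"^;; Received \d+ bytes from [^(\s]+\(([^)]+)\)")

def fqdn(name):
    """Lower-case a DNS name and make sure it ends with the root dot."""
    return name.lower().rstrip(".") + "."

def parse_hops(text):
    """Group NS lines by the server that sent them: [(responder, {(owner, ns)})]."""
    hops, pending = [], set()
    for line in text.splitlines():
        line = line.strip()
        ns = NS_RE.match(line)
        if ns:
            pending.add((fqdn(ns.group(1)), fqdn(ns.group(2))))
            continue
        sender = FROM_RE.match(line)
        if sender:
            hops.append((fqdn(sender.group(1)), pending))
            pending = set()
    return hops

def self_referrals(text):
    """Return (responder, owner) pairs where a server delegates owner to itself."""
    found = []
    for responder, records in parse_hops(text):
        for owner in sorted({o for o, ns in records if ns == responder}):
            found.append((responder, owner))
    return found

if __name__ == "__main__":
    for responder, owner in self_referrals(TRACE):
        print(f"{responder} refers {owner} back to itself")
```

A referral received from a server that is not in the returned NS set, as in a normal downward delegation, produces no findings.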
