Re: [Pdns-users] SERVFAIL on backend failure - is this possible?
Issue: https://github.com/PowerDNS/pdns/issues/8866

If anyone has any ideas on how to work around it - that would be great

Thanks again!

On Wed, Feb 26, 2020 at 11:43 AM Aki Tuomi wrote:
>
> This is a bug, please file an issue at
> https://github.com/PowerDNS/pdns/issues
>
> Aki
>
> On 26.2.2020 11.24, Vytenis A wrote:
> > UPDATE: pDNS returns NXDOMAIN only when TXT query returns HTTP 500,
> > and SOA returns 200.
> >
> > We would like to keep SOA record statically defined in our backend,
> > and TXT is queried in DB. I guess pDNS treats remote DNS store as
> > healthy if SOA is OK, ignoring subsequent request status.
> >
> > On Wed, Feb 26, 2020 at 10:55 AM Vytenis A wrote:
> >> Hi Aki!
> >>
> >> Ok, so I've implemented SOA into remote backend and dropped bind
> >> completely. The only backend active now is "remote"
> >>
> >> If I provide invalid connection string to a closed port - I get
> >> REFUSED, which is good
> >>
> >> But our concern is that our HTTP backend could start misbehaving
> >> (returning 40x, 50x errors, invalid responses). During tests we
> >> forced HTTP 500 response, and got NXDOMAIN unfortunately. Is there a
> >> way to provide REFUSED/SERVFAIL in case http backend is misbehaving?
> >>
> >> On Wed, Feb 26, 2020 at 9:23 AM Aki Tuomi wrote:
> >>> Hi!
> >>>
> >>> It is not really supported to split domains like this. You need to host
> >>> the entire domain in remote backend.
> >>>
> >>> Aki
> >>>
> >>> On 26.2.2020 2.00, Vytenis A via Pdns-users wrote:
> >>>> Hi Bert,
> >>>>
> >>>> Thanks for a prompt reply.
> >>>>
> >>>> This is currently on my local test VM, it's waay past midnight, I can
> >>>> put it on resolvable domain tomorrow if this isn't helpful. Not sure
> >>>> how to show you this exactly :)
> >>>>
> >>>> I'm using latest pDNS, using official repo:
> >>>>
> >>>> pdns-4.2.1-1pdns.el7.x86_64, CentOS 7.7.1908
> >>>>
> >>>> Two backends:
> >>>>
> >>>> # /etc/pdns/pdns.conf:
> >>>>
> >>>> config-dir=/etc/pdns
> >>>> setuid=pdns
> >>>> setgid=pdns
> >>>> log-dns-details=yes
> >>>> log-dns-queries=yes
> >>>> loglevel=6
> >>>> launch=bind,remote
> >>>> bind-config=/etc/pdns/bind-files/named.conf
> >>>> remote-connection-string=http:url=http://invalidhostname:9
> >>>>
> >>>> Static bind backend contains one zone, which contains SOA and one 'IN
> >>>> NS' record only.
> >>>>
> >>>> http endpoint is serving TXT records exclusively, and all is well if
> >>>> it's reachable: queries get resolved, nonexistent TXT records get
> >>>> NXDOMAIN
> >>>>
> >>>> But if http endpoint is invalidated (as in example above ^) - I get
> >>>> NXDOMAIN. If I remove bind stuff out of pdns.conf - I get REFUSED,
> >>>> which is somewhat the same as SERVFAIL afaik.
> >>>>
> >>>> bind backend is used to keep SOA out of "remote" backend, not 100%
> >>>> sure it's the best way. We could implement entire zone in http backend
> >>>> as a last resort.
> >>>>
> >>>> Thanks again!
> >>>>
> >>>> On Wed, Feb 26, 2020 at 12:51 AM bert hubert wrote:
> >>>>> On Wed, Feb 26, 2020 at 12:35:21AM +0200, Vytenis A via Pdns-users wrote:
> >>>>>> While trying to implement authoritative DNS server using "remote"
> >>>>>> backend, I've stumbled into an issue when HTTP backend is unreachable
> >>>>>> - PowerDNS is returning NXDOMAIN.
> >>>>> Can you reproduce this for us so we can check? It is not supposed to ever
> >>>>> happen. Please also let us know which version of PowerDNS you are using.
> >>>>>
> >>>>>> What I would like to achieve is return SERVFAIL in case my HTTP
> >>>>>> endpoint is unavailable. Is this possible? Maybe Lua fallback backend
> >>>>>> could assist here?
> >>>>> This is what should be happening.
> >>>>>
> >>>>> Bert
> >>>>>
> >>
> >> --
> >> Vytenis
>

--
Vytenis
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] SERVFAIL on backend failure - is this possible?
This is a bug, please file an issue at
https://github.com/PowerDNS/pdns/issues

Aki

On 26.2.2020 11.24, Vytenis A wrote:
> UPDATE: pDNS returns NXDOMAIN only when TXT query returns HTTP 500,
> and SOA returns 200.
>
> We would like to keep SOA record statically defined in our backend,
> and TXT is queried in DB. I guess pDNS treats remote DNS store as
> healthy if SOA is OK, ignoring subsequent request status.
>
> On Wed, Feb 26, 2020 at 10:55 AM Vytenis A wrote:
>> Hi Aki!
>>
>> Ok, so I've implemented SOA into remote backend and dropped bind
>> completely. The only backend active now is "remote"
>>
>> If I provide invalid connection string to a closed port - I get
>> REFUSED, which is good
>>
>> But our concern is that our HTTP backend could start misbehaving
>> (returning 40x, 50x errors, invalid responses). During tests we
>> forced HTTP 500 response, and got NXDOMAIN unfortunately. Is there a
>> way to provide REFUSED/SERVFAIL in case http backend is misbehaving?
>>
>> On Wed, Feb 26, 2020 at 9:23 AM Aki Tuomi wrote:
>>> Hi!
>>>
>>> It is not really supported to split domains like this. You need to host
>>> the entire domain in remote backend.
>>>
>>> Aki
>>>
>>> On 26.2.2020 2.00, Vytenis A via Pdns-users wrote:
>>>> Hi Bert,
>>>>
>>>> Thanks for a prompt reply.
>>>>
>>>> This is currently on my local test VM, it's waay past midnight, I can
>>>> put it on resolvable domain tomorrow if this isn't helpful. Not sure
>>>> how to show you this exactly :)
>>>>
>>>> I'm using latest pDNS, using official repo:
>>>>
>>>> pdns-4.2.1-1pdns.el7.x86_64, CentOS 7.7.1908
>>>>
>>>> Two backends:
>>>>
>>>> # /etc/pdns/pdns.conf:
>>>>
>>>> config-dir=/etc/pdns
>>>> setuid=pdns
>>>> setgid=pdns
>>>> log-dns-details=yes
>>>> log-dns-queries=yes
>>>> loglevel=6
>>>> launch=bind,remote
>>>> bind-config=/etc/pdns/bind-files/named.conf
>>>> remote-connection-string=http:url=http://invalidhostname:9
>>>>
>>>> Static bind backend contains one zone, which contains SOA and one 'IN
>>>> NS' record only.
>>>>
>>>> http endpoint is serving TXT records exclusively, and all is well if
>>>> it's reachable: queries get resolved, nonexistent TXT records get
>>>> NXDOMAIN
>>>>
>>>> But if http endpoint is invalidated (as in example above ^) - I get
>>>> NXDOMAIN. If I remove bind stuff out of pdns.conf - I get REFUSED,
>>>> which is somewhat the same as SERVFAIL afaik.
>>>>
>>>> bind backend is used to keep SOA out of "remote" backend, not 100%
>>>> sure it's the best way. We could implement entire zone in http backend
>>>> as a last resort.
>>>>
>>>> Thanks again!
>>>>
>>>> On Wed, Feb 26, 2020 at 12:51 AM bert hubert wrote:
>>>>> On Wed, Feb 26, 2020 at 12:35:21AM +0200, Vytenis A via Pdns-users wrote:
>>>>>> While trying to implement authoritative DNS server using "remote"
>>>>>> backend, I've stumbled into an issue when HTTP backend is unreachable
>>>>>> - PowerDNS is returning NXDOMAIN.
>>>>> Can you reproduce this for us so we can check? It is not supposed to ever
>>>>> happen. Please also let us know which version of PowerDNS you are using.
>>>>>
>>>>>> What I would like to achieve is return SERVFAIL in case my HTTP
>>>>>> endpoint is unavailable. Is this possible? Maybe Lua fallback backend
>>>>>> could assist here?
>>>>> This is what should be happening.
>>>>>
>>>>> Bert
>>>>>
>>
>> --
>> Vytenis
>
Re: [Pdns-users] SERVFAIL on backend failure - is this possible?
UPDATE: pDNS returns NXDOMAIN only when TXT query returns HTTP 500,
and SOA returns 200.

We would like to keep SOA record statically defined in our backend,
and TXT is queried in DB. I guess pDNS treats remote DNS store as
healthy if SOA is OK, ignoring subsequent request status.

On Wed, Feb 26, 2020 at 10:55 AM Vytenis A wrote:
>
> Hi Aki!
>
> Ok, so I've implemented SOA into remote backend and dropped bind
> completely. The only backend active now is "remote"
>
> If I provide invalid connection string to a closed port - I get
> REFUSED, which is good
>
> But our concern is that our HTTP backend could start misbehaving
> (returning 40x, 50x errors, invalid responses). During tests we
> forced HTTP 500 response, and got NXDOMAIN unfortunately. Is there a
> way to provide REFUSED/SERVFAIL in case http backend is misbehaving?
>
> On Wed, Feb 26, 2020 at 9:23 AM Aki Tuomi wrote:
> >
> > Hi!
> >
> > It is not really supported to split domains like this. You need to host
> > the entire domain in remote backend.
> >
> > Aki
> >
> > On 26.2.2020 2.00, Vytenis A via Pdns-users wrote:
> > > Hi Bert,
> > >
> > > Thanks for a prompt reply.
> > >
> > > This is currently on my local test VM, it's waay past midnight, I can
> > > put it on resolvable domain tomorrow if this isn't helpful. Not sure
> > > how to show you this exactly :)
> > >
> > > I'm using latest pDNS, using official repo:
> > >
> > > pdns-4.2.1-1pdns.el7.x86_64, CentOS 7.7.1908
> > >
> > > Two backends:
> > >
> > > # /etc/pdns/pdns.conf:
> > >
> > > config-dir=/etc/pdns
> > > setuid=pdns
> > > setgid=pdns
> > > log-dns-details=yes
> > > log-dns-queries=yes
> > > loglevel=6
> > > launch=bind,remote
> > > bind-config=/etc/pdns/bind-files/named.conf
> > > remote-connection-string=http:url=http://invalidhostname:9
> > >
> > > Static bind backend contains one zone, which contains SOA and one 'IN
> > > NS' record only.
> > >
> > > http endpoint is serving TXT records exclusively, and all is well if
> > > it's reachable: queries get resolved, nonexistent TXT records get
> > > NXDOMAIN
> > >
> > > But if http endpoint is invalidated (as in example above ^) - I get
> > > NXDOMAIN. If I remove bind stuff out of pdns.conf - I get REFUSED,
> > > which is somewhat the same as SERVFAIL afaik.
> > >
> > > bind backend is used to keep SOA out of "remote" backend, not 100%
> > > sure it's the best way. We could implement entire zone in http backend
> > > as a last resort.
> > >
> > > Thanks again!
> > >
> > > On Wed, Feb 26, 2020 at 12:51 AM bert hubert wrote:
> > >> On Wed, Feb 26, 2020 at 12:35:21AM +0200, Vytenis A via Pdns-users wrote:
> > >>> While trying to implement authoritative DNS server using "remote"
> > >>> backend, I've stumbled into an issue when HTTP backend is unreachable
> > >>> - PowerDNS is returning NXDOMAIN.
> > >> Can you reproduce this for us so we can check? It is not supposed to ever
> > >> happen. Please also let us know which version of PowerDNS you are using.
> > >>
> > >>> What I would like to achieve is return SERVFAIL in case my HTTP
> > >>> endpoint is unavailable. Is this possible? Maybe Lua fallback backend
> > >>> could assist here?
> > >> This is what should be happening.
> > >>
> > >> Bert
> > >>
>
> --
> Vytenis

--
Vytenis
Re: [Pdns-users] SERVFAIL on backend failure - is this possible?
Hi Aki!

Ok, so I've implemented SOA into remote backend and dropped bind
completely. The only backend active now is "remote"

If I provide invalid connection string to a closed port - I get
REFUSED, which is good

But our concern is that our HTTP backend could start misbehaving
(returning 40x, 50x errors, invalid responses). During tests we
forced HTTP 500 response, and got NXDOMAIN unfortunately. Is there a
way to provide REFUSED/SERVFAIL in case http backend is misbehaving?

On Wed, Feb 26, 2020 at 9:23 AM Aki Tuomi wrote:
>
> Hi!
>
> It is not really supported to split domains like this. You need to host
> the entire domain in remote backend.
>
> Aki
>
> On 26.2.2020 2.00, Vytenis A via Pdns-users wrote:
> > Hi Bert,
> >
> > Thanks for a prompt reply.
> >
> > This is currently on my local test VM, it's waay past midnight, I can
> > put it on resolvable domain tomorrow if this isn't helpful. Not sure
> > how to show you this exactly :)
> >
> > I'm using latest pDNS, using official repo:
> >
> > pdns-4.2.1-1pdns.el7.x86_64, CentOS 7.7.1908
> >
> > Two backends:
> >
> > # /etc/pdns/pdns.conf:
> >
> > config-dir=/etc/pdns
> > setuid=pdns
> > setgid=pdns
> > log-dns-details=yes
> > log-dns-queries=yes
> > loglevel=6
> > launch=bind,remote
> > bind-config=/etc/pdns/bind-files/named.conf
> > remote-connection-string=http:url=http://invalidhostname:9
> >
> > Static bind backend contains one zone, which contains SOA and one 'IN
> > NS' record only.
> >
> > http endpoint is serving TXT records exclusively, and all is well if
> > it's reachable: queries get resolved, nonexistent TXT records get
> > NXDOMAIN
> >
> > But if http endpoint is invalidated (as in example above ^) - I get
> > NXDOMAIN. If I remove bind stuff out of pdns.conf - I get REFUSED,
> > which is somewhat the same as SERVFAIL afaik.
> >
> > bind backend is used to keep SOA out of "remote" backend, not 100%
> > sure it's the best way. We could implement entire zone in http backend
> > as a last resort.
> >
> > Thanks again!
> >
> > On Wed, Feb 26, 2020 at 12:51 AM bert hubert wrote:
> >> On Wed, Feb 26, 2020 at 12:35:21AM +0200, Vytenis A via Pdns-users wrote:
> >>> While trying to implement authoritative DNS server using "remote"
> >>> backend, I've stumbled into an issue when HTTP backend is unreachable
> >>> - PowerDNS is returning NXDOMAIN.
> >> Can you reproduce this for us so we can check? It is not supposed to ever
> >> happen. Please also let us know which version of PowerDNS you are using.
> >>
> >>> What I would like to achieve is return SERVFAIL in case my HTTP
> >>> endpoint is unavailable. Is this possible? Maybe Lua fallback backend
> >>> could assist here?
> >> This is what should be happening.
> >>
> >> Bert
> >>
>

--
Vytenis
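A canary check for the failure mode reported in this thread, added here as an example that is not part of the original messages or of PowerDNS: it queries a TXT record known to exist and treats an NXDOMAIN (or empty NOERROR) reply as a masked backend failure, as opposed to a SERVFAIL/REFUSED that signals the failure. The name canary.example.org, the verdict labels and the sample replies are assumptions constructed for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, qtype=16, txid=0x1234):
    """Encode a one-question DNS query (RFC 1035); qtype 16 is TXT, class IN."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", qtype, 1))

def judge_canary(query, response):
    """Classify the reply to a query for a record that is known to exist."""
    if len(response) < 12:
        return "INVALID"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000 or txid != struct.unpack("!H", query[:2])[0]:
        return "INVALID"                      # not a response to our query
    rcode = RCODES.get(flags & 0x000F, "OTHER")
    if rcode == "NOERROR" and ancount > 0:
        return "OK"
    if rcode in ("SERVFAIL", "REFUSED"):
        return "FAILURE_SIGNALLED"            # the outcome the thread asks for
    if rcode in ("NXDOMAIN", "NOERROR"):
        return "FAILURE_MASKED"               # denial of a record that exists
    return "INVALID"

def probe(server, qname, port=53, timeout=2.0):
    """Send the canary query over UDP and classify what comes back."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            response, _ = sock.recvfrom(4096)
        except OSError:                       # timeout or ICMP unreachable
            return "NO_REPLY"
    return judge_canary(query, response)

def sample_response(query, rcode, txt=b""):
    """Constructed reply for offline use: QR and AA set, optional TXT answer."""
    answer = b""
    if txt:
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(txt) + 1)
                  + bytes([len(txt)]) + txt)
    header = query[:2] + struct.pack("!HHHHH", 0x8400 | rcode, 1,
                                     1 if txt else 0, 0, 0)
    return header + query[12:] + answer

if __name__ == "__main__":
    q = build_query("canary.example.org")     # placeholder name (assumption)
    for rc in (0, 2, 3, 5):
        reply = sample_response(q, rc, b"ok" if rc == 0 else b"")
        print(RCODES[rc], judge_canary(q, reply))
```

Run probe() against the authoritative server itself rather than through a resolver, so the verdict reflects the backend and not a cached answer.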
Re: [Pdns-users] SERVFAIL on backend failure - is this possible?
Hi!

It is not really supported to split domains like this. You need to host
the entire domain in remote backend.

Aki

On 26.2.2020 2.00, Vytenis A via Pdns-users wrote:
> Hi Bert,
>
> Thanks for a prompt reply.
>
> This is currently on my local test VM, it's waay past midnight, I can
> put it on resolvable domain tomorrow if this isn't helpful. Not sure
> how to show you this exactly :)
>
> I'm using latest pDNS, using official repo:
>
> pdns-4.2.1-1pdns.el7.x86_64, CentOS 7.7.1908
>
> Two backends:
>
> # /etc/pdns/pdns.conf:
>
> config-dir=/etc/pdns
> setuid=pdns
> setgid=pdns
> log-dns-details=yes
> log-dns-queries=yes
> loglevel=6
> launch=bind,remote
> bind-config=/etc/pdns/bind-files/named.conf
> remote-connection-string=http:url=http://invalidhostname:9
>
> Static bind backend contains one zone, which contains SOA and one 'IN
> NS' record only.
>
> http endpoint is serving TXT records exclusively, and all is well if
> it's reachable: queries get resolved, nonexistent TXT records get
> NXDOMAIN
>
> But if http endpoint is invalidated (as in example above ^) - I get
> NXDOMAIN. If I remove bind stuff out of pdns.conf - I get REFUSED,
> which is somewhat the same as SERVFAIL afaik.
>
> bind backend is used to keep SOA out of "remote" backend, not 100%
> sure it's the best way. We could implement entire zone in http backend
> as a last resort.
>
> Thanks again!
>
> On Wed, Feb 26, 2020 at 12:51 AM bert hubert wrote:
>> On Wed, Feb 26, 2020 at 12:35:21AM +0200, Vytenis A via Pdns-users wrote:
>>> While trying to implement authoritative DNS server using "remote"
>>> backend, I've stumbled into an issue when HTTP backend is unreachable
>>> - PowerDNS is returning NXDOMAIN.
>> Can you reproduce this for us so we can check? It is not supposed to ever
>> happen. Please also let us know which version of PowerDNS you are using.
>>
>>> What I would like to achieve is return SERVFAIL in case my HTTP
>>> endpoint is unavailable. Is this possible? Maybe Lua fallback backend
>>> could assist here?
>> This is what should be happening.
>>
>> Bert
>>
Re: [Pdns-users] SERVFAIL on backend failure - is this possible?
Hi Bert,

Thanks for a prompt reply.

This is currently on my local test VM, it's waay past midnight, I can
put it on resolvable domain tomorrow if this isn't helpful. Not sure
how to show you this exactly :)

I'm using latest pDNS, using official repo:

pdns-4.2.1-1pdns.el7.x86_64, CentOS 7.7.1908

Two backends:

# /etc/pdns/pdns.conf:

config-dir=/etc/pdns
setuid=pdns
setgid=pdns
log-dns-details=yes
log-dns-queries=yes
loglevel=6
launch=bind,remote
bind-config=/etc/pdns/bind-files/named.conf
remote-connection-string=http:url=http://invalidhostname:9

Static bind backend contains one zone, which contains SOA and one 'IN
NS' record only.

http endpoint is serving TXT records exclusively, and all is well if
it's reachable: queries get resolved, nonexistent TXT records get
NXDOMAIN

But if http endpoint is invalidated (as in example above ^) - I get
NXDOMAIN. If I remove bind stuff out of pdns.conf - I get REFUSED,
which is somewhat the same as SERVFAIL afaik.

bind backend is used to keep SOA out of "remote" backend, not 100%
sure it's the best way. We could implement entire zone in http backend
as a last resort.

Thanks again!

On Wed, Feb 26, 2020 at 12:51 AM bert hubert wrote:
>
> On Wed, Feb 26, 2020 at 12:35:21AM +0200, Vytenis A via Pdns-users wrote:
> > While trying to implement authoritative DNS server using "remote"
> > backend, I've stumbled into an issue when HTTP backend is unreachable
> > - PowerDNS is returning NXDOMAIN.
>
> Can you reproduce this for us so we can check? It is not supposed to ever
> happen. Please also let us know which version of PowerDNS you are using.
>
> > What I would like to achieve is return SERVFAIL in case my HTTP
> > endpoint is unavailable. Is this possible? Maybe Lua fallback backend
> > could assist here?
>
> This is what should be happening.
>
> Bert
>

--
Vytenis
Re: [Pdns-users] SERVFAIL on backend failure - is this possible?
On Wed, Feb 26, 2020 at 12:35:21AM +0200, Vytenis A via Pdns-users wrote:
> While trying to implement authoritative DNS server using "remote"
> backend, I've stumbled into an issue when HTTP backend is unreachable
> - PowerDNS is returning NXDOMAIN.

Can you reproduce this for us so we can check? It is not supposed to ever
happen. Please also let us know which version of PowerDNS you are using.

> What I would like to achieve is return SERVFAIL in case my HTTP
> endpoint is unavailable. Is this possible? Maybe Lua fallback backend
> could assist here?

This is what should be happening.

Bert