Multiple A records cause AXFR failure

Multiple A records cause AXFR failure

a b-38
I added two A records, as follows:

SQL> insert into records(id, zone_id, fqdn, content, type) values(16, (select id from zones where name = 'dmz'), 'ntp.dmz', '172.16.2.2', 'A');

1 row created.

SQL> insert into records(id, zone_id, fqdn, content, type) values(66, (select id from zones where name = 'dmz'), 'ntp.dmz', '172.16.2.3', 'A');

1 row created.

SQL> update zones set serial = 2015112208 where name = 'dmz';

1 row updated.

SQL> commit;

Commit complete.

As soon as I do that, AXFR no longer works:

Nov 22 11:12:45 supermaster.domain.tld pdns[4849]: [ID 702911 local0.error] 1 domain for which we are master needs notifications
Nov 22 11:12:55 supermaster.domain.tld pdns[4849]: [ID 702911 local0.warning] Queued notification of domain 'dmz' to 172.16.2.5:53
Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911 local0.error] AXFR of domain 'dmz' initiated by 172.16.2.5
Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911 local0.error] TCP server is without backend connections in doAXFR, launching
Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911 local0.warning] Removed from notification list: 'dmz' to 172.16.2.5:53 (was acknowledged)
Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911 local0.warning] AXFR of domain 'dmz' allowed: client IP 172.16.2.5 is in per-domain ACL
Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911 local0.error] TCP Connection Thread unable to answer a question because of a backend error, cycling
Nov 22 11:12:58 supermaster.domain.tld pdns[4849]: [ID 702911 local0.warning] No master domains need notifications

Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911 local0.warning] 1 slave domain needs checking, 0 queued for AXFR
Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911 local0.warning] Received serial number updates for 1 zones, had 0 timeouts
Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911 local0.warning] Domain 'dmz' is stale, master serial 2015112209, our serial 0
Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911 local0.error] Initiating transfer of 'dmz' from remote '172.16.2.4'
Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911 local0.error] AXFR started for 'dmz'
Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911 local0.error] Unable to AXFR zone 'dmz' from remote '172.16.2.4' (resolver): Remote nameserver closed TCP connection

...what do the errors "TCP Connection Thread unable to answer a question because of a backend error, cycling",
and
"Unable to AXFR zone 'dmz' from remote '172.16.2.4' (resolver): Remote nameserver closed TCP connection"
mean?

If I am doing something wrong, what is it?
_______________________________________________
Pdns-users mailing list
[hidden email]
http://mailman.powerdns.com/mailman/listinfo/pdns-users

Re: Multiple A records cause AXFR failure

Leen Besselink
Hi a b,

Based on your queries below, you seem to not be using the default table
schema and queries:

https://doc.powerdns.com/md/authoritative/backend-generic-mypgsql/#regular-queries

Can you post your query configuration and schema ?

Seems to me it might be related to that.

Have a good day,
  Leen.

On 2015-11-22 11:26, a b wrote:

> I added two A records, as follows:
>
> SQL> insert into records(id, zone_id, fqdn, content, type) values(16,
> (select id from zones where name = 'dmz'), 'ntp.dmz', '172.16.2.2',
> 'A');
>
> 1 row created.
>
> SQL> insert into records(id, zone_id, fqdn, content, type) values(66,
> (select id from zones where name = 'dmz'), 'ntp.dmz', '172.16.2.3',
> 'A');
>
> 1 row created.
>
> SQL> update zones set serial = 2015112208 where name = 'dmz';
>
> 1 row updated.
>
> SQL> commit;
>
> Commit complete.
>
> As soon as I do that, AXFR no longer works:
>
> Nov 22 11:12:45 supermaster.domain.tld pdns[4849]: [ID 702911
> local0.error] 1 domain for which we are master needs notifications
> Nov 22 11:12:55 supermaster.domain.tld pdns[4849]: [ID 702911
> local0.warning] Queued notification of domain 'dmz' to 172.16.2.5:53
> Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911
> local0.error] AXFR of domain 'dmz' initiated by 172.16.2.5
> Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911
> local0.error] TCP server is without backend connections in doAXFR,
> launching
> Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911
> local0.warning] Removed from notification list: 'dmz' to
> 172.16.2.5:53
> (was acknowledged)
> Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911
> local0.warning] AXFR of domain 'dmz' allowed: client IP 172.16.2.5 is
> in per-domain ACL
> Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911
> local0.error] TCP Connection Thread unable to answer a question
> because of a backend error, cycling
> Nov 22 11:12:58 supermaster.domain.tld pdns[4849]: [ID 702911
> local0.warning] No master domains need notifications
>
> Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911
> local0.warning] 1 slave domain needs checking, 0 queued for AXFR
> Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911
> local0.warning] Received serial number updates for 1 zones, had 0
> timeouts
> Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911
> local0.warning] Domain 'dmz' is stale, master serial 2015112209, our
> serial 0
> Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911
> local0.error] Initiating transfer of 'dmz' from remote '172.16.2.4'
> Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911
> local0.error] AXFR started for 'dmz'
> Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911
> local0.error] Unable to AXFR zone 'dmz' from remote '172.16.2.4'
> (resolver): Remote nameserver closed TCP connection
>
> ...what do the errors "TCP Connection Thread unable to answer a
> question because of a backend error, cycling",
> and
> "Unable to AXFR zone 'dmz' from remote '172.16.2.4' (resolver):
> Remote nameserver closed TCP connection"
> mean?
>
> If I am doing something wrong, what is it?



Re: Multiple A records cause AXFR failure

a b-38
> Based on your queries below, you seem to not be using the default table
> schema and queries:

> https://doc.powerdns.com/md/authoritative/backend-generic-mypgsql/#regular-queries

>Can you post your query configuration and schema ?

That is because I am not using the "mypgsql", but the "oracle" backend:

https://doc.powerdns.com/md/authoritative/backend-generic-mypgsql/#oracle-specifics

Re: Multiple A records cause AXFR failure

a b-38
> Based on your queries below, you seem to not be using the default table
> schema and queries:

> https://doc.powerdns.com/md/authoritative/backend-generic-mypgsql/#regular-queries

>Can you post your query configuration and schema ?

Actually, this describes my schema much better:

https://doc.powerdns.com/md/authoritative/backend-oracle/

Re: Multiple A records cause AXFR failure

Aki Tuomi
In reply to this post by Leen Besselink
You can also try pdnssec check-zone zonename to find out why it's broken.

It works even if you aren't using dnssec.

Aki

On Sun, Nov 22, 2015 at 11:37:25AM +0100, [hidden email] wrote:

> Hi a b,
>
> Based on your queries below, you seem to not be using the default
> table schema and queries:
>
> https://doc.powerdns.com/md/authoritative/backend-generic-mypgsql/#regular-queries
>
> Can you post your query configuration and schema ?
>
> Seems to me it might be related to that.
>
> Have a good day,
>  Leen.
>
> On 2015-11-22 11:26, a b wrote:
> >I added two A records, as follows:
> >
> >SQL> insert into records(id, zone_id, fqdn, content, type) values(16,
> >(select id from zones where name = 'dmz'), 'ntp.dmz', '172.16.2.2',
> >'A');
> >
> >1 row created.
> >
> >SQL> insert into records(id, zone_id, fqdn, content, type) values(66,
> >(select id from zones where name = 'dmz'), 'ntp.dmz', '172.16.2.3',
> >'A');
> >
> >1 row created.
> >
> >SQL> update zones set serial = 2015112208 where name = 'dmz';
> >
> >1 row updated.
> >
> >SQL> commit;
> >
> >Commit complete.
> >
> >As soon as I do that, AXFR no longer works:
> >
> >Nov 22 11:12:45 supermaster.domain.tld pdns[4849]: [ID 702911
> >local0.error] 1 domain for which we are master needs notifications
> >Nov 22 11:12:55 supermaster.domain.tld pdns[4849]: [ID 702911
> >local0.warning] Queued notification of domain 'dmz' to 172.16.2.5:53
> >Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911
> >local0.error] AXFR of domain 'dmz' initiated by 172.16.2.5
> >Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911
> >local0.error] TCP server is without backend connections in doAXFR,
> >launching
> >Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911
> >local0.warning] Removed from notification list: 'dmz' to
> >172.16.2.5:53
> >(was acknowledged)
> >Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911
> >local0.warning] AXFR of domain 'dmz' allowed: client IP 172.16.2.5 is
> >in per-domain ACL
> >Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911
> >local0.error] TCP Connection Thread unable to answer a question
> >because of a backend error, cycling
> >Nov 22 11:12:58 supermaster.domain.tld pdns[4849]: [ID 702911
> >local0.warning] No master domains need notifications
> >
> >Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911
> >local0.warning] 1 slave domain needs checking, 0 queued for AXFR
> >Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911
> >local0.warning] Received serial number updates for 1 zones, had 0
> >timeouts
> >Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911
> >local0.warning] Domain 'dmz' is stale, master serial 2015112209, our
> >serial 0
> >Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911
> >local0.error] Initiating transfer of 'dmz' from remote '172.16.2.4'
> >Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911
> >local0.error] AXFR started for 'dmz'
> >Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911
> >local0.error] Unable to AXFR zone 'dmz' from remote '172.16.2.4'
> >(resolver): Remote nameserver closed TCP connection
> >
> >...what do the errors "TCP Connection Thread unable to answer a
> >question because of a backend error, cycling",
> >and
> >"Unable to AXFR zone 'dmz' from remote '172.16.2.4' (resolver):
> >Remote nameserver closed TCP connection"
> >mean?
> >
> >If I am doing something wrong, what is it?
>
>

Re: Multiple A records cause AXFR failure

a b-38
Good idea!

pdnssec check-zone dmz
Error: Received NULL where a value was expected

SQL> delete from records where (id = 16 or id = 66);

2 rows deleted.

SQL>  update zones set serial = 2015112209 where name = 'dmz';

1 row updated.

SQL> commit;

Commit complete.

# pdnssec check-zone dmz
Checked 18 records of 'dmz', 0 errors, 0 warnings.

...So my A record INSERT's are wrong?
________________________________________
From: [hidden email] [[hidden email]] on behalf of Aki Tuomi [[hidden email]]
Sent: Sunday, November 22, 2015 12:01
To: [hidden email]
Cc: [hidden email]
Subject: Re: [Pdns-users] Multiple A records cause AXFR failure

You can also try pdnssec check-zone zonename to find out why it's broken.

It works even if you aren't using dnssec.

Aki

Re: Multiple A records cause AXFR failure

Leen Besselink
On 2015-11-22 12:19, a b wrote:

> Good idea!
>
> pdnssec check-zone dmz
> Error: Received NULL where a value was expected
>
> SQL> delete from records where (id = 16 or id = 66);
>
> 2 rows deleted.
>
> SQL>  update zones set serial = 2015112209 where name = 'dmz';
>
> 1 row updated.
>
> SQL> commit;
>
> Commit complete.
>
> # pdnssec check-zone dmz
> Checked 18 records of 'dmz', 0 errors, 0 warnings.
>
> ...So my A record INSERT's are wrong?

Ahh, so it's Oracle, yeah I should have known from the SQL> prompt.

I didn't know the Oracle backend uses other table names, an euh..
interesting choice.

Never really looked at the Oracle backend code, so I had a quick look.

Maybe you don't have any TTLs (you didn't have them in the insert
query) ?

It seems that would trigger an error:
https://github.com/PowerDNS/pdns/blob/master/modules/oraclebackend/oraclebackend.cc#L999

Maybe add a check like the example ?:
https://github.com/PowerDNS/pdns/blob/master/modules/oraclebackend/schema.oracle.sql#L121




Re: Multiple A records cause AXFR failure

a b-38
In reply to this post by a b-38
I did not INSERT TTL values for the A records, and had it not been for "another pair of eyes" scrutinizing what I did, I would be running around in circles for who knows how long.

What drove this home is when I looked at all the other A records I added way, way back... and they all had TTL values.

Thank you. This is why I love this mailing list.
________________________________________
From: Philippe [[hidden email]]
Sent: Sunday, November 22, 2015 13:30
To: a b
Subject: AW: [Pdns-users] Multiple A records cause AXFR failure

May be a stupid question, but did you try to add a TTL to your insert-query?


-------- Original message --------
From: a b
Date: 22.11.2015 11:26 (GMT+01:00)
To: [hidden email]
Subject: [Pdns-users] Multiple A records cause AXFR failure

I added two A records, as follows:

SQL> insert into records(id, zone_id, fqdn, content, type) values(16, (select id from zones where name = 'dmz'), 'ntp.dmz', '172.16.2.2', 'A');

1 row created.

SQL> insert into records(id, zone_id, fqdn, content, type) values(66, (select id from zones where name = 'dmz'), 'ntp.dmz', '172.16.2.3', 'A');

1 row created.

SQL> update zones set serial = 2015112208 where name = 'dmz';

1 row updated.

SQL> commit;

Commit complete.

As soon as I do that, AXFR no longer works:

Nov 22 11:12:45 supermaster.domain.tld pdns[4849]: [ID 702911 local0.error] 1 domain for which we are master needs notifications
Nov 22 11:12:55 supermaster.domain.tld pdns[4849]: [ID 702911 local0.warning] Queued notification of domain 'dmz' to 172.16.2.5:53
Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911 local0.error] AXFR of domain 'dmz' initiated by 172.16.2.5
Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911 local0.error] TCP server is without backend connections in doAXFR, launching
Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911 local0.warning] Removed from notification list: 'dmz' to 172.16.2.5:53 (was acknowledged)
Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911 local0.warning] AXFR of domain 'dmz' allowed: client IP 172.16.2.5 is in per-domain ACL
Nov 22 11:12:56 supermaster.domain.tld pdns[4849]: [ID 702911 local0.error] TCP Connection Thread unable to answer a question because of a backend error, cycling
Nov 22 11:12:58 supermaster.domain.tld pdns[4849]: [ID 702911 local0.warning] No master domains need notifications

Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911 local0.warning] 1 slave domain needs checking, 0 queued for AXFR
Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911 local0.warning] Received serial number updates for 1 zones, had 0 timeouts
Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911 local0.warning] Domain 'dmz' is stale, master serial 2015112209, our serial 0
Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911 local0.error] Initiating transfer of 'dmz' from remote '172.16.2.4'
Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911 local0.error] AXFR started for 'dmz'
Nov 22 11:12:56 superslave.domain.tld pdns[3656]: [ID 702911 local0.error] Unable to AXFR zone 'dmz' from remote '172.16.2.4' (resolver): Remote nameserver closed TCP connection

...what do the errors "TCP Connection Thread unable to answer a question because of a backend error, cycling",
and
"Unable to AXFR zone 'dmz' from remote '172.16.2.4' (resolver): Remote nameserver closed TCP connection"
mean?

If I am doing something wrong, what is it?

Re: Multiple A records cause AXFR failure

a b-38
In reply to this post by Leen Besselink
If I recall correctly, every backend has its own schema.
Unfortunately, this is not immediately obvious when one starts using pdns.
The good news is, the "oracle" backend gets some serious abuse, it's well tested, rock solid in its operation, and in my opinion, the schema is optimized for it.

You are also correct, missing TTL's is the solution.
________________________________________
From: [hidden email] [[hidden email]] on behalf of [hidden email] [[hidden email]]
Sent: Sunday, November 22, 2015 13:35
To: [hidden email]
Subject: Re: [Pdns-users] Multiple A records cause AXFR failure

Ahh, so it's Oracle, yeah I should have known from the SQL> prompt.

I didn't know the Oracle backend uses other table names, an euh..
interesting choice.

Never really looked at the Oracle backend code, so I had a quick look.

Maybe you don't have any TTLs (you didn't have them in the insert
query) ?

It seems that would trigger an error:
https://github.com/PowerDNS/pdns/blob/master/modules/oraclebackend/oraclebackend.cc#L999

Maybe add a check like the example ?:
https://github.com/PowerDNS/pdns/blob/master/modules/oraclebackend/schema.oracle.sql#L121
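
The cause identified in this thread (typed records inserted without a TTL, which left the backend unable to answer the AXFR) can be caught before the serial is bumped. The following is an added example, not part of the original thread and not PowerDNS code: it uses Python's sqlite3 as a stand-in for Oracle, and the `ttl` column name, the starting serial, the 3600 TTL and the sample rows are assumptions constructed from the inserts quoted above.

```python
import sqlite3

# Stand-in schema. Table and column names other than `ttl` appear in the
# thread's SQL; `ttl` is an assumed column name.
SCHEMA = """
CREATE TABLE zones (id INTEGER PRIMARY KEY, name TEXT UNIQUE, serial INTEGER);
CREATE TABLE records (
    id INTEGER PRIMARY KEY,
    zone_id INTEGER NOT NULL REFERENCES zones(id),
    fqdn TEXT NOT NULL, content TEXT, type TEXT, ttl INTEGER
);
"""

def make_db():
    """Constructed sample data: the 'dmz' zone plus the thread's two inserts."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO zones(id, name, serial) VALUES (1, 'dmz', 2015112207)")
    for rid, addr in ((16, "172.16.2.2"), (66, "172.16.2.3")):
        # No ttl column in the insert, exactly as posted, so ttl ends up NULL.
        db.execute(
            "INSERT INTO records(id, zone_id, fqdn, content, type) VALUES "
            "(?, (SELECT id FROM zones WHERE name = 'dmz'), 'ntp.dmz', ?, 'A')",
            (rid, addr))
    db.commit()
    return db

def records_missing_ttl(db, zone):
    """Return ids of records in `zone` that have a type but a NULL ttl."""
    rows = db.execute(
        "SELECT r.id FROM records r JOIN zones z ON z.id = r.zone_id "
        "WHERE z.name = ? AND r.type IS NOT NULL AND r.ttl IS NULL "
        "ORDER BY r.id", (zone,))
    return [row[0] for row in rows]

def bump_serial(db, zone, serial):
    """Publish a new serial only when no record in the zone lacks a TTL."""
    bad = records_missing_ttl(db, zone)
    if bad:
        raise ValueError(f"zone {zone!r}: records {bad} have no TTL")
    db.execute("UPDATE zones SET serial = ? WHERE name = ?", (serial, zone))
    db.commit()

def add_ttl_guard(db):
    """Reject future inserts of typed records without a TTL (a trigger here;
    a CHECK constraint would do the same job in the table definition)."""
    db.execute("""
        CREATE TRIGGER records_need_ttl BEFORE INSERT ON records
        WHEN NEW.type IS NOT NULL AND NEW.ttl IS NULL
        BEGIN SELECT RAISE(ABORT, 'record has a type but no TTL'); END""")

if __name__ == "__main__":
    db = make_db()
    print("missing TTL:", records_missing_ttl(db, "dmz"))
    db.execute("UPDATE records SET ttl = 3600 WHERE id IN (16, 66)")  # constructed TTL
    bump_serial(db, "dmz", 2015112208)
    print("serial published")
```

Refusing the serial change while such rows exist keeps the slave from being notified of a zone the master cannot transfer.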
