exception building answer packet

exception building answer packet

Steve Atkins
I'm using a postgresql backend, and I have several zones configured to use dnssec.

Queries for resource records that exist work perfectly. The verisign online checker says my dnssec is good.

If I query for a resource record that doesn't exist without using dnssec - either one where there are no RRs with a matching name or one where there are RRs with a matching name but none also have a matching type - I get the expected NXDOMAIN or NOERROR result.

If I run the same query with dnssec then I get a servfail.

With log level 9, and log-dns-details and log-dns-queries on, I get this in the log:

Mar 24 19:35:49 ns pdns[30538]: Remote 184.105.179.144 wants 'foo.blighty.com|A', do = 1, bufsize = 1680: packetcache MISS
Mar 24 19:35:49 ns pdns[30538]: Exception building answer packet (Unknown DNS type '.blighty.com') sending out servfail

I see this with version 3.4.6 and 3.4.8. It looks like someone else had a similar issue here: https://mailman.powerdns.com/pipermail/pdns-users/2015-October/011747.html

It's a new installation, but the data has been around for a few years. There are no custom SQL queries.

There is no record in the database with type '.blighty.com' - all non-null types are expected A, TXT, PTR, etc. There are some records where the type is null, though.

Clearly it's getting garbage from the database, but only when building a dnssec response where there are no matching RRs.

Before I set up a testbed server to work out what's going on, does any of this ring any bells with anyone?

Cheers,
  Steve

_______________________________________________
Pdns-users mailing list
[hidden email]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
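
Added example, not part of the original thread and not PowerDNS code: a Python script that pairs each "Exception building answer packet" line with the preceding query line from the same pdns process, to show which names and DO-flag settings end in SERVFAIL. The two lines from 192.0.2.10 are constructed sample input, and pairing by PID is an assumption that holds only when the query line directly precedes its exception in the log.

```python
import re
from collections import Counter

# Patterns follow the two log lines quoted in the message above.
QUERY_RE = re.compile(
    r"pdns\[(?P<pid>\d+)\]: Remote (?P<remote>\S+) wants "
    r"'(?P<qname>[^|']+)\|(?P<qtype>[^']+)', do = (?P<do>[01]), bufsize = \d+"
)
EXC_RE = re.compile(
    r"pdns\[(?P<pid>\d+)\]: Exception building answer packet "
    r"\((?P<reason>.*)\) sending out servfail"
)

# First two lines are constructed; the last two are the lines from the post.
SAMPLE_LOG = """\
Mar 24 19:35:40 ns pdns[30538]: Remote 192.0.2.10 wants 'foo.blighty.com|A', do = 0, bufsize = 512: packetcache MISS
Mar 24 19:35:44 ns pdns[30538]: Remote 192.0.2.10 wants 'www.blighty.com|A', do = 1, bufsize = 1680: packetcache HIT
Mar 24 19:35:49 ns pdns[30538]: Remote 184.105.179.144 wants 'foo.blighty.com|A', do = 1, bufsize = 1680: packetcache MISS
Mar 24 19:35:49 ns pdns[30538]: Exception building answer packet (Unknown DNS type '.blighty.com') sending out servfail
"""


def find_servfails(log_text):
    """Return one dict per exception line, joined to the last query seen for that PID."""
    last_query = {}  # pid -> fields of the most recent query line
    failures = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            last_query[m["pid"]] = m.groupdict()
            continue
        m = EXC_RE.search(line)
        if m:
            # pop() so one query is never blamed for two exceptions
            q = last_query.pop(m["pid"], None)
            failures.append({
                "qname": q["qname"] if q else None,
                "qtype": q["qtype"] if q else None,
                "dnssec": (q["do"] == "1") if q else None,
                "reason": m["reason"],
            })
    return failures


def summarize(failures):
    """Count failures per (qname, qtype, DO flag) to show which zones are affected."""
    return Counter((f["qname"], f["qtype"], f["dnssec"]) for f in failures)


if __name__ == "__main__":
    for key, count in summarize(find_servfails(SAMPLE_LOG)).items():
        print(count, key)
```

An exception line with no preceding query for its PID is still reported, with `qname`, `qtype` and `dnssec` set to `None`.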

Re: exception building answer packet

Steve Atkins
pdnssec rectify-zone makes the problem go away, which fixes it for me.

It feels like there's still an underlying bug somewhere in the dnssec sql or surrounding code, though.

Cheers,
  Steve


Re: exception building answer packet

Peter van Dijk
Hello Steve,

do you still have the ‘broken’ database contents from before your
rectify? Those would be useful in figuring out whether there’s a bug!

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/


Re: exception building answer packet

Steve Atkins

> On Mar 25, 2016, at 7:15 AM, Peter van Dijk <[hidden email]> wrote:
>
> Hello Steve,
>
> do you still have the ‘broken’ database contents from before your rectify? Those would be useful in figuring out whether there’s a bug!

I have several backups that might have that data. I'm planning on building a test server and loading them up to see if I can replicate the problem. If I get a test case I'll share.

Cheers,
  Steve
