pdns-recursor 0.0.759g02abb90-1 (4.0 master) vs. getent?


Bit World Computing - Michael Mertel
Hi,

I'm currently running the latest pdns-recursor 4.x master on Ubuntu 14.04.

I was wondering why an apt-get update cannot resolve repo.powerdns.com, but a ping is able to do so. This only happens if /etc/resolv.conf points to my recursor. If I use 8.8.8.8 as nameserver everything works as expected.

This is somewhat strange, because 8.8.8.8 is the forwarding dns for my local recursor.

Maybe it’s how the apt-get tries to resolve the name? The only thing I found was, that getent is not returning the correct results.

- with local recursor as nameserver
getent ahosts repo.powerdns.com
<nothing in return>, exit code is 2 (One or more supplied key could not be found in the database)


- with 8.8.8.8 as nameserver
188.166.116.224 STREAM repo1.powerdns.com
188.166.116.224 DGRAM  
188.166.116.224 RAW


Is this a known bug? Never had any trouble with the 3.7.3 release.

—Michael
_______________________________________________
Pdns-users mailing list
[hidden email]
http://mailman.powerdns.com/mailman/listinfo/pdns-users

Re: pdns-recursor 0.0.759g02abb90-1 (4.0 master) vs. getent?

Pieter Lexis-2
Hello Michael,

On Tue, 8 Mar 2016 16:32:26 +0100
Bit World Computing - Michael Mertel <[hidden email]> wrote:

> I was wondering why an apt-get update cannot resolve repo.powerdns.com, but a ping is able to do so. This only happens if /etc/resolv.conf points to my recursor. If I use 8.8.8.8 as nameserver everything works as expected.
>
> This is somewhat strange, because 8.8.8.8 is the forwarding dns for my local recursor.

Do you use the `forward-zones-recurse`[1] or the `forward-zones`[2] option? When forwarding to Google (8.8.8.8), the `forward-zones-recurse` option is needed (i.e. `forward-zones-recurse=.=8.8.8.8` in your recursor.conf). This will set the Recursion Desired-bit on the query sent out. Google sends SERVFAIL to clients without the RD-bit set.

If this is the case and you still have these issues, could you enable the `trace`[3] option and query your local resolver for repo.powerdns.com and email the traces?

> Maybe it’s how the apt-get tries to resolve the name? The only thing I found was, that getent is not returning the correct results.

apt, ping and getent all seem to use the getaddrinfo(3) call.

> Is this a known bug? Never had any trouble with the 3.7.3 release.

This is not a known bug. We'll await your test results.

Best regards,

Pieter

1 - https://doc.powerdns.com/md/recursor/settings/#forward-zones-recurse
2 - https://doc.powerdns.com/md/recursor/settings/#forward-zones
3 - https://doc.powerdns.com/md/recursor/settings/#trace

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

Re: pdns-recursor 0.0.759g02abb90-1 (4.0 master) vs. getent?

Pieter Lexis-2
Hi Michael,

Please keep replies on the mailing list (mails reproduced below).

Judging by your log and some of my testing, I think you uncovered a bug in the DNSSEC implementation. Could you try this with `dnssec=off` in the recursor.conf?

Best regards,

Pieter

On Wed, 9 Mar 2016 07:46:49 +0100
Bit World Computing - Michael Mertel <[hidden email]> wrote:

> Hello Pieter,
>
> thanks for helping me out on this.
>
> > On 08.03.2016 at 18:57, Pieter Lexis <[hidden email]> wrote:
> >
> > Hello Michael,
> >
> > On Tue, 8 Mar 2016 16:32:26 +0100
> > Bit World Computing - Michael Mertel <[hidden email]> wrote:
> >
> >> I was wondering why an apt-get update cannot resolve repo.powerdns.com, but a ping is able to do so. This only happens if /etc/resolv.conf points to my recursor. If I use 8.8.8.8 as nameserver everything works as expected.
> >>
> >> This is somewhat strange, because 8.8.8.8 is the forwarding dns for my local recursor.
> >
> > Do you use the `forward-zones-recurse`[1] or the `forward-zones`[2] option? When forwarding to Google (8.8.8.8), the `forward-zones-recurse` option is needed (i.e. `forward-zones-recurse=.=8.8.8.8` in your recursor.conf). This will set the Recursion Desired-bit on the query sent out. Google sends SERVFAIL to clients without the RD-bit set.
> >
> I currently use these forward statements in my recursor.conf:
>
> forward-zones-file=/etc/powerdns/forward-zones
> forward-zones-recurse=.=8.8.8.8
>
> The forward-zones file points to some internal nameservers, all 8.8.8.8 related is done through forward-zones-recurse.
>
>
> > If this is the case and you still have these issues, could you enable the `trace`[3] option and query your local resolver for repo.powerdns.com and email the traces?
> >
> I attached the trace log, hope it includes everything you need. I tried to keep the noise as low as possible, but some other systems queried the recursor as well.
>
> >> Maybe it’s how the apt-get tries to resolve the name? The only thing I found was, that getent is not returning the correct results.
> >
> > apt, ping and getent all seem to use the getaddrinfo(3) call.
> >
> I was 100% sure that a ping worked, but it does not work now, repo.powerdns.com is not resolving anywhere. repo1.powerdns.com is a different story:
>
> root@dns-1:/var/log# ping repo.powerdns.com
> ping: unknown host repo.powerdns.com
> root@dns-1:/var/log# getent hosts repo1.poerdns.com
> root@dns-1:/var/log# ping repo1.powerdns.com
> PING repo1.powerdns.com (188.166.116.224) 56(84) bytes of data.
> 64 bytes from repo1.powerdns.com (188.166.116.224): icmp_seq=1 ttl=58 time=42.9 ms
> 64 bytes from repo1.powerdns.com (188.166.116.224): icmp_seq=2 ttl=58 time=42.9 ms


On Wed, 9 Mar 2016 08:28:05 +0100
Bit World Computing - Michael Mertel <[hidden email]> wrote:

> Hi Pieter,
>
> sorry I overlooked a typo.
>
> root@dns-1:/var/log# getent  hosts repo.powerdns.com
> 2a03:b0c0:2:d0::4a4:6001 repo1.powerdns.com repo.powerdns.com
> root@dns-1:/var/log# getent  hosts repo1.powerdns.com
> 2a03:b0c0:2:d0::4a4:6001 repo1.powerdns.com
>
> Does this mean my recursor is preferring ipv6 over ipv4? I don’t use ipv6 at all.
>
>
--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
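
The two checks discussed in this thread so far (the Recursion Desired bit that `forward-zones-recurse` sets, and the suspicion of a DNSSEC validation problem), as an added example that is not part of the original mails or of PowerDNS. It builds a query with the RD and CD (Checking Disabled, RFC 4035) header bits and compares the reply to a plain query with the reply to a CD=1 query; the function names are hypothetical, the sample replies are constructed, and the CD comparison is a general DNS technique that assumes a resolver answering SERVFAIL on failed validation.

```python
import struct

# DNS header flag masks (RFC 1035, RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, rd=True, cd=False, txid=0x1234):
    """Build a DNS query; rd sets Recursion Desired, cd sets Checking Disabled."""
    flags = (RD if rd else 0) | (CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    """Decode the 12-byte header into the fields that matter for this triage."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "ad": bool(flags & AD),
            "cd": bool(flags & CD),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ancount": an}

def triage(normal, with_cd):
    """Compare the reply to a plain query with the reply to a CD=1 query."""
    a, b = parse_header(normal), parse_header(with_cd)
    if a["rcode"] == "NOERROR":
        return "ok"
    if a["rcode"] == "SERVFAIL" and b["rcode"] == "NOERROR" and b["ancount"]:
        return "dnssec-validation"       # data exists, validation rejected it
    if a["rcode"] == "SERVFAIL" and b["rcode"] == "SERVFAIL":
        return "upstream-or-forwarding"  # e.g. a forwarder refusing RD=0 queries
    return "other"

def sample_reply(flags, ancount):
    """Constructed reply header for the demo (not captured traffic)."""
    return struct.pack("!HHHHHH", 0x1234, QR | flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    print(parse_header(build_query("repo.powerdns.com", rd=False)))
    print(triage(sample_reply(RD | RA | 2, 0), sample_reply(RD | RA | CD, 1)))
```
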

Re: pdns-recursor 0.0.759g02abb90-1 (4.0 master) vs. getent?

Bit World Computing - Michael Mertel
Hi Pieter,

dnssec=off did the trick indeed. Hope you can fix this, because dnssec was the reason I went to 4.x in the first place :)

If I can be of any help here, just let me know.

Best regards.
 

--
IT security solutions from DELL SonicWALL and Sophos from your certified partner Bit World Computing.

Michael Mertel
Company owner

Bit World Computing e.K.
Wredestraße 18
97082 Wuerzburg
Germany

Phone: +49 (0)931 45335-0
Fax: +49 (0)931 45335-99

E-Mail: [hidden email]
GoogleTalk / Skype: bwc.michael
Web: http://www.bwc.de

Wuerzburg District Court HRA 4937, VAT ID DE155288065
Company owner: Michael Mertel

BWC ... one bit ahead ... since 1993

Re: pdns-recursor 0.0.759g02abb90-1 (4.0 master) vs. getent?

Thiago Farina


On Wed, Mar 9, 2016 at 7:18 AM, Bit World Computing - Michael Mertel <[hidden email]> wrote:

> Hi Pieter,
>
> dnssec=off did the trick indeed. Hope you can fix this, because dnssec was the reason I went to 4.x in the first place :)

Could you file a bug in https://github.com/PowerDNS/pdns/issues/new if there isn't one already?

-- 
Thiago Farina
