PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

auth: slave zone soa check does not use tcp if udp answer was truncated #10447

Open qvr opened 3 years ago

qvr commented 3 years ago

Short description

auth does not use TCP if the slave zone SOA check's UDP answer was truncated

Environment

Steps to reproduce

  1. Have a slave zone for which the SOA UDP query gets truncated
  2. auth reports "While checking domain freshness: Query to '10.0.0.1' for SOA of 'slavetest.com' did not return a SOA"
  3. Zone does not get transferred

Expected behaviour

auth should use TCP if the UDP response was truncated

Actual behaviour

TCP is not used; the slave zone does not get AXFR'd

Other information

-

klaus-nicat commented 2 years ago

We just got hit by the same problem. Customer primary uses DNSSEC with plenty of RRSIGs. Hence, the slave check receives "truncated". AFAIK this could be worked around by not setting the DO bit for slave checks, as then the RRSIGs would not be included. Is there a config option to not set the DO bit for slave checks? Or can I simply patch the DO bit away until there is a proper fix/workaround? Thanks

Habbie commented 2 years ago

The check uses DO on purpose, so that it can also notice signature refreshes that did not bump the serial. Right now the only way to drop the DO is to disable dnssec in your backend, which most likely is not what you want.

klaus-nicat commented 2 years ago

Indeed. I thought of adding an option to skip the checks for signature freshness. (Signature freshness checks are only needed as PowerDNS has this stateless serial bumping.) If the primaries behave correctly and increase the serial on RRSIG changes, then these additional checks can be disabled and it is not necessary to set the DO flag. Unless adding truncate support is on the way ...

Habbie commented 2 years ago

I think adding a flag to skip DO makes sense at this point.

klaus-nicat commented 1 year ago

Just for the record. We now use "check-signature-freshness=no" to avoid the truncated issue. But now we have other problems. It seems several of our customers are using PDNS as master/signer and do not increase the serial (no INCEPTION configured). Hence, with these zones we now serve stale RRSIGs. Hence, the problem was not solved with our workaround, but only moved to other customers.

So, PowerDNS really should support fallback to TCP on truncated SOA-Checks to prevent this issue.

(If the master is BIND, using "minimal-responses yes;" on the BIND side can help to mitigate the problem.)

ttyS4 commented 1 year ago

FWIW, I was bitten by this for one of my personal domains. This one uses a secondary by my registrar with pdns, and I have a primary (running on my server) which is doing BIND inline-signing with dnssec-policy. It is doing double signatures (as BIND does) when transitioning to a new ZSK, thus the truncated response via UDP.

klaus-nicat commented 1 year ago

As a workaround you can try "minimal-responses yes" in Bind, that helped one of our customers.

ttyS4 commented 1 year ago

As a workaround you can try "minimal-responses yes" in Bind, that helped one of our customers.

Yup, spot on, just found that myself recently ;-).

Habbie commented 11 months ago

Once we fix TC=1 handling, we should reduce the UDP bufsize for the SOA check to 1232.