Open qvr opened 3 years ago
We just got hit by the same problem. The customer's primary uses DNSSEC with plenty of RRSIGs. Hence, the slave check receives "truncated". AFAIK this could be worked around by not setting the DO bit for slave checks, as then the RRSIGs would not be included. Is there a config option to not set the DO bit for slave checks? Or can I simply patch the DO bit away until there is a proper fix/workaround? Thanks
The check uses DO on purpose, so that it can also notice signature refreshes that did not bump the serial. Right now the only way to drop the DO is to disable dnssec in your backend, which most likely is not what you want.
Indeed. I thought of adding an option to skip the checks for signature freshness. (Signature freshness checks are only needed as PowerDNS has this stateless serial bumping.) If the primaries behave correctly and increase the serial on RRSIG changes, then these additional checks can be disabled and it is not necessary to set the DO flag. Unless adding truncate support is on the way ...
I think adding a flag to skip DO makes sense at this point.
Just for the record. We now use "check-signature-freshness=no" to avoid the truncation issue. But now we have other problems. It seems several of our customers are using PDNS as master/signer and do not increase the serial (no INCEPTION configured). Hence, with these zones we now serve stale RRSIGs. Hence, the problem was not solved with our workaround, but only moved to other customers.
So, PowerDNS really should support fallback to TCP on truncated SOA-Checks to prevent this issue.
(if the Master is Bind, using "minimal-responses yes;" on the Bind can help to mitigate the problem)
FWIW, I was bitten by this for one of my personal domains. This one uses a secondary by my registrar with pdns, and I have a primary (running on my server) which is doing BIND inline-signing w/ dnssec-policy. It is doing double signatures (as BIND does) when transitioning to a new ZSK, thus the truncated response via UDP.
As a workaround you can try "minimal-responses yes" in Bind, that helped one of our customers.
Yup, spot on, just found that myself recently ;-).
Once we fix TC=1 handling, we should reduce the UDP bufsize for the SOA check to 1232.
Short description
auth does not use TCP if slave zone SOA check's UDP answer was truncated
Environment
Steps to reproduce
While checking domain freshness: Query to '10.0.0.1' for SOA of 'slavetest.com' did not return a SOA
Expected behaviour
auth should use TCP if UDP response was truncated
Actual behaviour
TCP is not used, slave zone does not get AXFR'd
Other information
-
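The behaviour asked for in this thread, as an added example (not PowerDNS code): a DNSSEC-aware SOA freshness check that keeps the DO bit (so RRSIG refreshes without a serial bump are still visible), advertises a 1232-byte EDNS buffer, and repeats the same query over TCP when the UDP reply comes back with TC=1 instead of reporting "did not return a SOA". The wire-format helpers are hand-rolled so it runs offline; the server is a constructed stub that answers UDP with a truncated empty reply and TCP with the SOA plus its RRSIG. The zone name `example.test.`, the serial and the signature timestamps are made-up test data, and the `transport(query, proto)` callable stands in for real sockets (real TCP would additionally need the two-byte length prefix).

```python
import struct
import time

TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 6, 41, 46
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200
EDNS_DO = 0x8000  # DO bit lives in the low 16 bits of the OPT "TTL" field


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def build_soa_query(qid, zone, do_bit=True, bufsize=1232):
    """SOA query with an OPT RR: class = UDP payload size, DO bit set by default."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)
    question = encode_name(zone) + struct.pack("!HH", TYPE_SOA, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO if do_bit else 0, 0)
    return header + question + opt


def parse_response(msg):
    """Pull out TC flag, SOA serial, RRSIG expirations and EDNS parameters."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4
    res = {"id": qid, "tc": bool(flags & FLAG_TC), "serial": None,
           "rrsig_expire": [], "bufsize": None, "do": False}
    for _ in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rd = off
        off += rdlen
        if rtype == TYPE_SOA:
            _, p = read_name(msg, rd)   # MNAME
            _, p = read_name(msg, p)    # RNAME
            res["serial"] = struct.unpack("!I", msg[p:p + 4])[0]
        elif rtype == TYPE_RRSIG:
            covered, _alg, _lab, _ottl, expire, _inc, _tag = struct.unpack("!HBBIIIH", msg[rd:rd + 18])
            res["rrsig_expire"].append((covered, expire))
        elif rtype == TYPE_OPT:
            res["bufsize"], res["do"] = rclass, bool(ttl & EDNS_DO)
    return res


def check_freshness(zone, transport, qid=0x1234, now=None):
    """Query over UDP first; on TC=1 repeat the identical query over TCP."""
    query = build_soa_query(qid, zone)
    for proto in ("udp", "tcp"):
        reply = parse_response(transport(query, proto))
        if reply["id"] != qid:
            raise ValueError("reply ID mismatch over " + proto)
        if not reply["tc"]:
            break
    else:
        raise ValueError("answer truncated even over TCP")
    if reply["serial"] is None:
        raise ValueError("no SOA in answer")
    now = int(time.time()) if now is None else now
    stale = [t for t, exp in reply["rrsig_expire"] if exp <= now]
    return {"proto": proto, "serial": reply["serial"],
            "rrsigs": len(reply["rrsig_expire"]), "stale_rrsigs": stale}


# --- constructed stub server (test data, not a real primary) ---------------
def _rr(name, rtype, rdata, ttl=3600):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def _soa_rdata(zone, serial):
    return (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
            + struct.pack("!IIIII", serial, 7200, 3600, 1209600, 3600))


def _rrsig_rdata(covered, expire, incept, zone):
    # alg 13, 2 labels, fake key tag and an all-zero signature: layout only
    return struct.pack("!HBBIIIH", covered, 13, 2, 3600, expire, incept, 12345) + encode_name(zone) + b"\x00" * 64


def make_stub_server(zone, serial, rrsig_expire, rrsig_incept):
    """UDP: TC=1 and empty answer (the failure mode in this issue). TCP: full answer."""
    def transport(query, proto):
        qid = struct.unpack("!H", query[:2])[0]
        question = query[12:12 + len(encode_name(zone)) + 4]
        if proto == "udp":
            return struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_AA | FLAG_TC, 1, 0, 0, 0) + question
        answer = (_rr(zone, TYPE_SOA, _soa_rdata(zone, serial))
                  + _rr(zone, TYPE_RRSIG, _rrsig_rdata(TYPE_SOA, rrsig_expire, rrsig_incept, zone)))
        return struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_AA, 1, 2, 0, 0) + question + answer
    return transport


if __name__ == "__main__":
    srv = make_stub_server("example.test.", 2024010101, 2_000_000_000, 1_900_000_000)
    print(check_freshness("example.test.", srv, now=1_950_000_000))
```

Run as a script it reports the serial obtained over TCP and no stale signatures; with `now` past the RRSIG expiration the same call lists type 6 (SOA) as stale, which is the case `check-signature-freshness=no` would silently miss.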