PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

Auth: empty NOERROR response when there are too many KSKs #10478

Open klaus-nicat opened 3 years ago

klaus-nicat commented 3 years ago

Short description

I have a test zone with heavy KSK rollover and "slow" cleanup of old keys. Hence, active KSKs are getting more and more. I know this is not a real life scenario but I think PDNS should handle it correctly.

In the beginning with several keys everything was fine. Now the zone has >100 active KSKs and here is the problem:

Fetching DNSKEYs with DNSSEC is fine: dig kskrollover-test.rc0-monitoring.dnssec-signiert.at DNSKEY @regtest-tst1.rcode0.net

But enabling DNSSEC gives just an empty NOERROR response:

dig kskrollover-test.rc0-monitoring.dnssec-signiert.at DNSKEY @regtest-tst1.rcode0.net +dnssec
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> kskrollover-test.rc0-monitoring.dnssec-signiert.at DNSKEY @regtest-tst1.rcode0.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18728
;; flags: qr aa tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1400
;; QUESTION SECTION:
;kskrollover-test.rc0-monitoring.dnssec-signiert.at. IN DNSKEY

;; Query time: 33 msec
;; SERVER: 83.136.32.80#53(83.136.32.80)
;; WHEN: Mon Jun 07 08:34:35 UTC 2021
;; MSG SIZE  rcvd: 79

I suspect some limit within PowerDNS or the DNS protocol, or just a bug? Anyway, PowerDNS should not return an empty NOERROR. It should for example return SERVFAIL or some other code. Further, PowerDNS does not log an error.

Environment

Steps to reproduce

  1. Add 130 KSKs for a zone
  2. dig without "+dnssec"
  3. dig with "+dnssec"

Expected behaviour

Returning the signatures or giving error

Actual behaviour

Returning empty NOERROR response

Habbie commented 3 years ago

Software version: 4.5rc1

I assume you mean 4.5 alpha 1 :)

klaus-nicat commented 3 years ago

Software version: 4.5rc1

I assume you mean 4.5 alpha 1 :)

Honestly it is master a few days before alpha 1. Same behavior is also in 4.1.

RobinGeuze commented 3 years ago

So as discussed on IRC this might actually be correct behavior. Note the TC bit set on the answer. Basically the packet is > 64KB which means it exceeds the maximum allowed size of a DNS packet over TCP (and any currently existing medium). RFC 1035 says:

TC              TrunCation - specifies that this message was truncated
                due to length greater than that permitted on the
                transmission channel.
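
As an added illustration, not code from this thread or from PowerDNS: a rough wire-size model of the DNSKEY response, showing why the zone from the report fits over TCP without the DO bit but blows past the 65535-byte DNS message limit once the RRSIGs come along. It assumes RSA 2048-bit keys and that every active KSK contributes one RRSIG over the DNSKEY RRset; the zone name comes from the report, the per-algorithm sizes from the cited RFCs.

```python
# Wire-size model of a DNSKEY response (added example, not PowerDNS code).
# Assumption: each active KSK signs the DNSKEY RRset, so the DO bit adds one
# RRSIG per KSK. Owner names are compressed to a 2-byte pointer; the RRSIG
# signer name is not (RFC 4034 section 3.1.7), so it is carried in full.

# (public key bytes, signature bytes) on the wire, per algorithm
ALGO_SIZES = {
    "RSASHA256-2048": (1 + 3 + 256, 256),   # RFC 3110: exp length byte, e=65537, 2048-bit modulus
    "ECDSAP256SHA256": (64, 64),            # RFC 6605
    "ED25519": (32, 64),                    # RFC 8080
}
MAX_DNS_MESSAGE = 65535  # 16-bit length prefix over TCP (RFC 1035 section 4.2.2)
RR_FIXED = 2 + 10        # compressed owner pointer + type, class, TTL, rdlength
OPT_RR = 11              # EDNS OPT pseudo-RR with no options

def wire_name_len(name: str) -> int:
    """Uncompressed wire length of an FQDN: a length byte per label plus the root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def dnskey_response_size(zone: str, n_ksk: int, n_zsk: int, algo: str, do_bit: bool) -> int:
    """Bytes of a complete DNSKEY answer for the zone, with or without RRSIGs."""
    pub_len, sig_len = ALGO_SIZES[algo]
    qname = wire_name_len(zone)
    size = 12 + qname + 4 + OPT_RR                    # header + question + OPT
    size += (n_ksk + n_zsk) * (RR_FIXED + 4 + pub_len)  # DNSKEY: flags, proto, alg, key
    if do_bit:
        size += n_ksk * (RR_FIXED + 18 + qname + sig_len)  # RRSIG: fixed fields, signer, sig
    return size

def fits_tcp(size: int) -> bool:
    return size <= MAX_DNS_MESSAGE

def max_ksks(zone: str, algo: str, n_zsk: int = 1) -> int:
    """Largest KSK count whose signed DNSKEY response still fits in one DNS message."""
    n = 0
    while fits_tcp(dnskey_response_size(zone, n + 1, n_zsk, algo, True)):
        n += 1
    return n

if __name__ == "__main__":
    zone = "kskrollover-test.rc0-monitoring.dnssec-signiert.at"
    for do in (False, True):
        size = dnskey_response_size(zone, 130, 1, "RSASHA256-2048", do)
        print(f"130 RSA KSKs, DO={do}: {size} bytes, fits TCP: {fits_tcp(size)}")
    print("max RSA-2048 KSKs:", max_ksks(zone, "RSASHA256-2048"))
```

With zero keys the model yields exactly the 79 bytes dig reported for the empty reply, and it puts the ceiling for this zone at roughly 106 RSA-2048 KSKs, while 130 ECDSA P-256 keys would still fit comfortably.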

klaus-nicat commented 3 years ago

Hm, so there is no technical solution to this problem - it must be solved on the provisioning side. But maybe PowerDNS should log about this unsolvable problem? That would ease debugging.

Habbie commented 3 years ago

Logging this would involve some refactoring, so I'm bumping it to 4.6 for now.