Open klaus-nicat opened 3 years ago
Software version: 4.5rc1
I assume you mean 4.5 alpha 1 :)
Honestly it is master a few days before alpha 1. Same behavior is also in 4.1.
So as discussed on IRC this might actually be correct behavior. Note the TC bit set on the answer. Basically the packet is > 64KB which means it exceed the maximum allowed size of a DNS packet over TCP (and any currently existing medium). RFC 1035 says:
TC TrunCation - specifies that this message was truncated
due to length greater than that permitted on the
transmission channel.
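To make the size argument concrete, here is an added example (not code from this issue or from PowerDNS) that estimates the wire size of a DNSKEY response as the number of active KSKs grows, and checks a raw message header for the TC bit. The key algorithm, key sizes and the assumption that every active KSK adds one RRSIG over the DNSKEY RRset are constructed assumptions, not measurements of the reported zone.

```python
"""Estimate DNSKEY response size for a zone with many active KSKs.

Constructed example. Algorithm choice, key sizes and signing assumptions are
hypothetical; only the zone name comes from the issue.
"""
import struct

# A DNS message over TCP is preceded by a 2-byte length field (RFC 1035 4.2.2),
# so no message can exceed 65535 bytes on any transport.
MAX_DNS_MESSAGE = 65535

# Assumed public-key / signature field sizes per algorithm, in bytes:
#   rsasha256-2048: 1-byte exponent length + 3-byte exponent + 256-byte modulus
#   ecdsap256:      32-byte x + 32-byte y; signature is r||s
KEY_BYTES = {"rsasha256-2048": 260, "ecdsap256": 64}
SIG_BYTES = {"rsasha256-2048": 256, "ecdsap256": 64}

# Fixed part of every RR in the answer section: compressed owner pointer (2),
# TYPE (2), CLASS (2), TTL (4), RDLENGTH (2).
RR_FIXED = 2 + 2 + 2 + 4 + 2


def wire_name_len(name: str) -> int:
    """Length of an uncompressed wire-format name: one length octet per label
    plus the label bytes, plus the terminating root octet."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return sum(1 + len(lab) for lab in labels) + 1


def dnskey_rr_len(alg: str) -> int:
    """One DNSKEY RR: RDATA is flags(2) protocol(1) algorithm(1) public key."""
    return RR_FIXED + 4 + KEY_BYTES[alg]


def rrsig_rr_len(alg: str, signer: str) -> int:
    """One RRSIG RR: type covered(2) alg(1) labels(1) original TTL(4)
    expiration(4) inception(4) key tag(2) signer name signature.
    The signer name is never compressed (RFC 4034 3.1.7)."""
    return RR_FIXED + 18 + wire_name_len(signer) + SIG_BYTES[alg]


def dnskey_response_len(zone: str, n_ksk: int, n_zsk: int, alg: str) -> int:
    """Estimated size of a DNSKEY response: header + question + answer section.
    Assumption: each active KSK contributes one RRSIG over the DNSKEY RRset and
    ZSKs contribute none (the usual split-key signing arrangement)."""
    header = 12
    question = wire_name_len(zone) + 2 + 2          # QNAME QTYPE QCLASS
    answer = (n_ksk + n_zsk) * dnskey_rr_len(alg)
    answer += n_ksk * rrsig_rr_len(alg, zone)
    return header + question + answer


def exceeds_tcp_limit(size: int) -> bool:
    """True when the message can no longer be carried even over TCP, which is
    the condition under which a server must set TC."""
    return size > MAX_DNS_MESSAGE


def max_ksks_that_fit(zone: str, n_zsk: int, alg: str) -> int:
    """Largest number of active KSKs whose DNSKEY response still fits."""
    n = 0
    while not exceeds_tcp_limit(dnskey_response_len(zone, n + 1, n_zsk, alg)):
        n += 1
    return n


def tc_bit_set(message: bytes) -> bool:
    """Inspect the flags word of a raw DNS message for the TC bit (0x0200)."""
    (flags,) = struct.unpack("!H", message[2:4])
    return bool(flags & 0x0200)


if __name__ == "__main__":
    zone = "kskrollover-test.rc0-monitoring.dnssec-signiert.at"
    for alg in ("rsasha256-2048", "ecdsap256"):
        size = dnskey_response_len(zone, 100, 1, alg)
        print(f"{alg}: 100 KSKs -> {size} bytes, "
              f"max that fit = {max_ksks_that_fit(zone, 1, alg)}")
```

Run against a real server, the only check needed is whether a TCP answer still carries TC: if it does, the response cannot be completed on any transport and the fix is on the provisioning side (retire old KSKs), exactly as the comment above says.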
Hm, so there is no technical solution to this problem - it must be solved on the provisioning side. But maybe PowerDNS should log about this unsolvable problem? That would ease debugging.
Logging this would involve some refactoring, so I'm bumping it to 4.6 for now.
Short description
I have a test zone with heavy KSK rollover and "slow" cleanup of old keys. Hence, the number of active KSKs keeps growing. I know this is not a real-life scenario, but I think PDNS should handle it correctly.
In the beginning, with several keys, everything was fine. Now the zone has >100 active KSKs, and here is the problem:
Fetching DNSKEYs with DNSSEC is fine:
dig kskrollover-test.rc0-monitoring.dnssec-signiert.at DNSKEY @regtest-tst1.rcode0.net
But enabling DNSSEC gives just an empty NOERROR response:
I suspect some limit within PowerDNS or the DNS protocol, or just a bug? Anyway, PowerDNS should not return an empty NOERROR. It should, for example, return SERVFAIL or some other code. Further, PowerDNS does not log an error.
Environment
Steps to reproduce
Expected behaviour
Returning the signatures or giving error
Actual behaviour
Returning empty NOERROR response