BIND backend does not expire a secondary zone when the SOA expire timer elapses

[jpmens]

• Program: Authoritative
• Issue type: Bug report

Short description

PowerDNS Authoritative with the BIND backend does not expire a secondary zone when the SOA expire timer elapses.

Environment

• Operating system: CentOS Linux 8
• Software version: 4.7.0-alpha0.192.master.g3f4b183ea
• Software source: repo.powerdns.com

Steps to reproduce

1. Configure pdns.conf

   daemon=no
   guardian=no
   launch=bind
   disable-syslog=yes
   log-dns-details=yes
   master=no
   slave=yes
   secondary=yes
   bind-config=/etc/pdns/named.conf
   disable-axfr=no
   setgid=pdns
   setuid=pdns
   server-id=pdns100b.dnslab.org

2. Configure named.conf

   zone "a1.dnslab.org" IN {
   type slave;
   masters { 192.168.55.191; };
   file "/etc/pdns/a1";
   };

3. Launch PowerDNS

   # pdns_server
   Jan 13 14:59:38 Loading '/usr/lib64/pdns/libbindbackend.so'
   Jan 13 14:59:38 This is a standalone pdns
   Jan 13 14:59:38 Listening on controlsocket in '/var/run/pdns/pdns.controlsocket'
   Jan 13 14:59:38 [bindbackend] Parsing 1 domain(s), will report when done
   Jan 13 14:59:38 [bindbackend] error at 2022-01-13 14:59:38 +0000 no file found for new slave domain 'a1.dnslab.org'. Has not been AXFR'd yet
   Jan 13 14:59:38 [bindbackend] Done parsing domains, 1 rejected, 1 new, 0 removed
   Jan 13 14:59:38 UDP server bound to 0.0.0.0:53
   Jan 13 14:59:38 UDP server bound to [::]:53
   Jan 13 14:59:38 TCP server bound to 0.0.0.0:53
   Jan 13 14:59:38 TCP server bound to [::]:53
   Jan 13 14:59:38 PowerDNS Authoritative Server 4.7.0-alpha0.192.master.g3f4b183ea (C) 2001-2022 PowerDNS.COM BV
   Jan 13 14:59:38 Using 64-bits mode. Built using gcc 8.5.0 20210514 (Red Hat 8.5.0-4) on Jan 13 2022 09:30:00 by root@428373f73c0e.
   Jan 13 14:59:38 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
   Jan 13 14:59:38 Not validating response for security status update, this is a non-release version
   Jan 13 14:59:38 Creating backend connection for TCP
   Jan 13 14:59:38 About to create 3 backend threads for UDP
   Jan 13 14:59:38 Primary/secondary communicator launching
   Jan 13 14:59:38 Done launching threads, ready to distribute questions
   Jan 13 14:59:38 Zone 'a1.dnslab.org' (/etc/pdns/a1) reloaded
   Jan 13 14:59:38 AXFR-in zone: 'a1.dnslab.org', primary: '192.168.55.191', zone committed with serial 5
   
   *** at this point I make the zone unavailable on the primary server
   
   Jan 13 15:03:38 While checking domain freshness: Query to '192.168.55.191:53' for SOA of 'a1.dnslab.org' produced no results (RCode: Query Refused)
   Jan 13 15:03:41 Received serial number updates for 0 zones, had 1 timeout
   Jan 13 15:03:41 Unable to retrieve SOA for a1.dnslab.org, this was the first time. NOTE: For every subsequent failed SOA check the domain will be suspended from freshness checks for 'num-errors x 60 seconds', with a maximum of 3600 seconds. Skipping SOA checks until 1642086281
   Jan 13 15:04:41 While checking domain freshness: Query to '192.168.55.191:53' for SOA of 'a1.dnslab.org' produced no results (RCode: Query Refused)
   Jan 13 15:04:44 Received serial number updates for 0 zones, had 1 timeout
   Jan 13 15:06:44 While checking domain freshness: Query to '192.168.55.191:53' for SOA of 'a1.dnslab.org' produced no results (RCode: Query Refused)
   Jan 13 15:06:47 Received serial number updates for 0 zones, had 1 timeout
   Jan 13 15:09:47 While checking domain freshness: Query to '192.168.55.191:53' for SOA of 'a1.dnslab.org' produced no results (RCode: Query Refused)
   Jan 13 15:09:50 Received serial number updates for 0 zones, had 1 timeout
   Jan 13 15:13:50 While checking domain freshness: Query to '192.168.55.191:53' for SOA of 'a1.dnslab.org' produced no results (RCode: Query Refused)
   Jan 13 15:13:53 Received serial number updates for 0 zones, had 1 timeout
   Jan 13 15:18:54 While checking domain freshness: Query to '192.168.55.191:53' for SOA of 'a1.dnslab.org' produced no results (RCode: Query Refused)
   Jan 13 15:18:57 Received serial number updates for 0 zones, had 1 timeout

4. Query the server

   $ TZ=UTC dig @192.168.164.149 a1.dnslab.org +multi +norec +nsid
   ; <<>> DiG 9.16.22 <<>> @192.168.164.149 a1.dnslab.org +multi +norec +nsid
   ; (1 server found)
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16493
   ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
   
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 1232
   ; NSID: 70 64 6e 73 31 30 30 62 2e 64 6e 73 6c 61 62 2e 6f 72 67 ("pdns100b.dnslab.org")
   ;; QUESTION SECTION:
   ;a1.dnslab.org.      IN A
   
   ;; AUTHORITY SECTION:
   a1.dnslab.org.       30 IN SOA mname.a1.dnslab.org. jp.a1.dnslab.org. (
               5          ; serial
               180        ; refresh (3 minutes)
               60         ; retry (1 minute)
               497        ; expire (8 minutes 17 seconds)
               30         ; minimum (30 seconds)
               )
   
   ;; Query time: 18 msec
   ;; SERVER: 192.168.164.149#53(192.168.164.149)
   ;; WHEN: Thu Jan 13 15:21:02 UTC 2022
   ;; MSG SIZE  rcvd: 110

Expected behaviour

I expected PowerDNS to expire the secondary zone, having it SERVFAIL or REFUSE queries to it. (BIND 9.16, Knot DNS 3.1.4, and NSD 4.3.8 report SERVFAIL)

Actual behaviour

The zone is not expired and continues being available for queries. The time elapsed between the diagnostic that the zone transfer was complete until I stopped the test was 19 minutes and 19 seconds.

[Habbie]

This is a deliberate design choice. Do you actually want the zone to expire?

[jpmens]

I wasn't expecting that question. :-)

I can't find any mention of this design choice or behavior in the documentation, so maybe I have to rename / resubmit this issue as a documentation enhancement?

It is very true that the fields have complicated and sometimes controversial meanings. Maybe all the more reason to mention that SOA expire isn't used in PowerDNS.

[Habbie]

I wasn't expecting that question. :-)

It turns out, most people were not expecting expiry!

I agree we either need to fix this (maybe) or document this well (my favourite choice).

[franklouwers]

Best to document all SOA fields and their (non-)use in PowerDNS.

[lelvisl]

@jpmens if you look at RFC - https://datatracker.ietf.org/doc/html/rfc1035#section-3.3.13

EXPIRE A 32 bit time value that specifies the upper limit on the time interval that can elapse before the zone is no longer authoritative.

This is really big problem for me, my case for example :

pdns with psql backend as master and 3x pdns as AXFR slaves. Before removing zone from master (via api), my app set expire, send notify, after this i remove zone. And i expect SERVFAIL or REFUSE for queries to slaves.