PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

postresolve hook doesn't show the same data as a dig returns #4480

Open mzealey opened 8 years ago

mzealey commented 8 years ago

pdns 4.0.3 with udp-truncation-threshold=4000 and the following Lua script:

function postresolve(dq)
  for key, val in ipairs(dq:getRecords()) do
    pdnslog(val.name:toString() .. ": " .. val.type .. ": " .. val:getContent())
  end

  return false
end

A dig of a certain domain produces:

dig @127.0.0.1 usinfo.state.gov

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @127.0.0.1 usinfo.state.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65017
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;usinfo.state.gov.              IN      A

;; AUTHORITY SECTION:
state.gov.              658     IN      SOA     irmeedns001.state.gov. hostmaster.state.gov. 2943 10800 1080 2419200 900

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 16 10:18:49 UTC 2016
;; MSG SIZE  rcvd: 104

So 104 bytes; however, the Lua script logs:

Sep 16 10:14:47 strongarm pdns_recursor[1308]: state.gov.: 6: irmeedns001.state.gov. hostmaster.state.gov. 2943 10800 1080 2419200 900
Sep 16 10:14:47 strongarm pdns_recursor[1308]: state.gov.: 46: SOA 8 2 10800 20170915182024 20160915172024 21598 state.gov. 02++wGL84hrWW17p7oJH9YBaJrM8Qa3lTts6SiNPCS0WXd5yRQKinTbGHUR5q8WYMSUdKcNjkEJ1a029lJhEv+ke1VJQJTr8E6JluKeCPRIWfo6fxrMCOq1BvC+QmmvTJQaICj33xHIS7gnr6w6AkP8dEfkHHXA+qJ7Yqx4XhS53AslAzsAg+4Aavisjq/Bco3JFXC5Vf3dO7U/+eS6/5weN4spWZwKXjTo2e3YB2kv0fwMAT6iFGqn75aE4qDuBbt4tHbwTSzXMXEgnUxc0ttrn3Vhs39Tz8U6fXfFTjBYR6o7YLtbmJjFdKqcKs4piU3tMeVufnLYYBMoUX3x1Ow==
Sep 16 10:14:47 strongarm pdns_recursor[1308]: SLH5SGBKP5PA2OBPFA1TATIR2925LRV1.state.gov.: 50: 1 0 10 08699567605de51d64 SM0U7DAR3M487JRVJG83UK5PK1P0S3NO
Sep 16 10:14:47 strongarm pdns_recursor[1308]: SLH5SGBKP5PA2OBPFA1TATIR2925LRV1.state.gov.: 46: NSEC3 8 3 900 20170713113638 20160713104647 21598 state.gov. oGuTWDwf7XcBheIECYkG76jeKo0IsqbG1JyFkxxky3fFj+k7eI+UQU3LQeyeUs2In8cVFpAmv+B9E6g/WlteECAGoJBVuGa9BmyUVR7u4MiQqrOT5IGCBzieysZrpdS6YN+OBiFxavHBkDvjgLHYnIO9/Ja9PY7em9UzCvPkECP2ykrByRaps+X7nODXt9uiw+NfXkm+GDjDV9E7vLqw0Bg2/y3i+U+05mlxLzCov8e9XjpARBHr8XPcW418NvUDdpB/Zu94cEodsS2GHpcIjHruccX3WDG9gLuOveL+DivNWMiiKDnG3IJF5bWWOAeAE2h4XDeYNJbrY7vB4QyOeg==
Sep 16 10:14:47 strongarm pdns_recursor[1308]: LJ4DLDE3EOHMOQVQGIUM5OLC4CH9VCEN.state.gov.: 50: 1 0 10 08699567605de51d64 LLGKBTIBOC1S77KU26EHFU43GH7846AE CNAME RRSIG
Sep 16 10:14:47 strongarm pdns_recursor[1308]: LJ4DLDE3EOHMOQVQGIUM5OLC4CH9VCEN.state.gov.: 46: NSEC3 8 3 900 20170713105521 20160713104638 21598 state.gov. 12chqgNezEkcwAX4bIKKePo6ea0Dz28HZAsBQP2VgBlNJMRS6OlempLbJiyJFG17ifszwXEhVckIk3rNipAFonimIslh5g1kcy2HxtAXfpuUcC0YlU/BZy9ovT7DORhlQoF+Krfw6wVm1xoLMY70PBP0ZfQ4bmf2ws0hbdp+fvHL5wBKo6DvL32YjcJz45G/IIEWVSX4E0PYHKQZ2j3MBNA/5OT8n6Fe7VmzjzgdLYQ0RIXKcqtf2q8Q+Nn20AQvnHN5CYVDX3kKPiGW0LTZ9ZCdYKufbWJv0LhqqzcbcL775Lz2ssy19a7v50D61clNDRlcuyn58fb0yIuaEbNJVA==
Sep 16 10:14:47 strongarm pdns_recursor[1308]: CVTVNSKDSDQ2KVS8PRARC6VK0QTRGRIO.state.gov.: 50: 1 0 10 08699567605de51d64 D0IUMVUVQOE5UI6E9E6U86HTD5OU8G1V A NS SOA MX TXT AAAA RRSIG DNSKEY NSEC3PARAM
Sep 16 10:14:47 strongarm pdns_recursor[1308]: CVTVNSKDSDQ2KVS8PRARC6VK0QTRGRIO.state.gov.: 46: NSEC3 8 3 900 20170713113422 20160713104854 21598 state.gov. qzmWphowXegxQ//NNR+P8USgkvoLhabsO15sFRTn+B76p81Ztjs+5KSRRycoftnXqawIgyFvOBnQhY9cjmdCPz3OJ/HI0saa17yUVtRlJckfhbTbcrmC/r8Q5CDi8hpokmGzVEDwUa5wpLl/q7KR6BnIHSSDC0qwVa8GgFex1t1RISCIwynlhvJPV11ViZvUQYrtK0+4Ak1h399GChgbXzO0uHMijAqldMPdxyjQ6/kX3fgJPpxqbsDgTcD6mgux9qR+eaKQLbf/8KA2S5s3Zbaffme2a1CkWO+gXDeH17YZwWSJf/19IiJu/R9iq3bjO06THCxmdQKVRlbk9jOhoQ==

I'm guessing this is perhaps more a documentation update explaining which types of records may appear in the postresolve but not be given to the client rather than a bug as such, but I'm not totally sure.

mzealey commented 8 years ago

Same with www.first-online.com dnssec records again.

pieterlexis commented 8 years ago

This has to do with the fact that by default (with dnssec set to anything but 'off') we ask for DNSSEC records (with +DO) from auths and cache that data, then call postresolve and then (possibly) validate and determine if the client actually wants DNSSEC records (i.e. NSEC and RRSIG). Maybe we should document this.
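
A postresolve hook that logs only what a client without the DO bit would receive, as an added example that is not part of this issue or of PowerDNS's own code. It uses only the calls shown in the script above; the helper name `splitForPlainClient` is hypothetical, and it assumes the client did not set DO and did not query for RRSIG, NSEC or NSEC3 itself.

```lua
-- Added example: not code from the issue or from PowerDNS.
-- RR type codes as logged above via val.type: 46 = RRSIG, 47 = NSEC, 50 = NSEC3.
local DNSSEC_ONLY = { [46] = "RRSIG", [47] = "NSEC", [50] = "NSEC3" }

-- Split records into those a non-DO client receives and those held back.
-- Assumption: the client did not set DO and did not ask for these types itself.
local function splitForPlainClient(records)
  local visible, hidden = {}, {}
  for _, rec in ipairs(records) do
    if DNSSEC_ONLY[rec.type] then
      hidden[#hidden + 1] = rec
    else
      visible[#visible + 1] = rec
    end
  end
  return visible, hidden
end

function postresolve(dq)
  local visible, hidden = splitForPlainClient(dq:getRecords())
  for _, rec in ipairs(visible) do
    pdnslog(rec.name:toString() .. ": " .. rec.type .. ": " .. rec:getContent())
  end
  local counts = {}  -- summarise the held-back records by type
  for _, rec in ipairs(hidden) do
    local label = DNSSEC_ONLY[rec.type]
    counts[label] = (counts[label] or 0) + 1
  end
  for label, n in pairs(counts) do
    pdnslog("cached DNSSEC data not sent without DO: " .. n .. " x " .. label)
  end
  return false  -- leave the answer unmodified, as in the original script
end

-- Stand-alone check with constructed records (runs only where pdnslog is undefined).
if not pdnslog then
  pdnslog = print
  local function rec(name, rtype, content)
    return { type = rtype,
             name = { toString = function() return name end },
             getContent = function() return content end }
  end
  postresolve({ getRecords = function() return {
    rec("example.org.", 6, "ns.example.org. hostmaster.example.org. 1 10800 1080 2419200 900"),
    rec("example.org.", 46, "SOA 8 2 ... (constructed)"),
    rec("hash.example.org.", 50, "1 0 10 abcd (constructed)"),
  } end })
end
```

For the constructed records, only the SOA line is logged in full, matching what dig shows in the authority section, followed by one count line each for RRSIG and NSEC3.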