PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

Unstable forwarding #5694

Closed saspol closed 4 years ago

saspol commented 6 years ago

Hello, Using pdns-resolver to distribute requests to 3 forwarders.

forward-zones-recurse=.=127.0.0.1:39323;127.0.0.1:53180;127.0.0.1:17849

For the first few minutes it works, and later there are many SERVFAILs on clients, even though a manual check shows all forwarders are OK. Then I found this in the logs:

Sep 15 00:38:26 omahum pdns_recursor[24019]: Failed to update . records, RCODE=2
Sep 15 00:38:26 omahum pdns_recursor[24019]: message repeated 2 times: [ Failed to update . records, RCODE=2]
Sep 15 00:39:13 hostname pdns_recursor[24019]: Failed to update . records, RCODE=2
Sep 15 00:40:07 hostname pdns_recursor[24019]: Failed to update . records, RCODE=2
Sep 15 00:40:50 hostname pdns_recursor[24019]: Failed to update . records, RCODE=2
Sep 15 00:41:31 hostname pdns_recursor[24019]: Failed to update . records, RCODE=2
Sep 15 00:42:18 hostname pdns_recursor[24019]: Failed to update . records, RCODE=2

This is your check from previous messages:

$ dig +recurse NS . @111.222.333.444
dig: couldn't get address for '111.222.333.444': failure

I used dnsmasq before for the same job and it works OK on the same configuration. Any suggestions, please?

PowerDNS Recursor 4.0.0-alpha2 (C) 2001-2016 PowerDNS.COM BV

rgacogne commented 6 years ago

You are using an unstable alpha version, please upgrade. You can find up-to-date packages at https://repo.powerdns.com if your distribution doesn't provide them.

saspol commented 6 years ago

Updated to the latest version from git and now the recursor starts but does not process any query. Completely default configuration except forwarders. The forwarders are dnscrypt-proxy processes and they work fine by themselves.

Sep 15 04:59:06 PowerDNS Recursor 0.0.g4f1c981 (C) 2001-2017 PowerDNS.COM BV
Sep 15 04:59:06 Using 32-bits mode. Built using gcc 5.4.0 20160609 on Sep 15 2017 03:41:35 by 
Sep 15 04:59:06 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Sep 15 04:59:06 Reading random entropy from '/dev/urandom'
Sep 15 04:59:06 If using IPv6, please raise sysctl net.ipv6.route.max_size, currently set to 4096 which is < 16384
Sep 15 04:59:06 NOT using IPv6 for outgoing queries - set 'query-local-address6=::' to enable
Sep 15 04:59:06 Only allowing queries from: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10
Sep 15 04:59:06 Will not send queries to: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32, 0.0.0.0, ::
Sep 15 04:59:06 PowerDNS Recursor itself will distribute queries over threads
Sep 15 04:59:06 Redirecting queries for zone '.' with recursion to: 127.0.0.1:10555, 127.0.0.1:36217, 127.0.0.1:26404
Sep 15 04:59:06 Inserting rfc 1918 private space zones
Sep 15 04:59:06 Listening for UDP queries on 192.168.98.51:53
Sep 15 04:59:06 Enabled TCP data-ready filter for (slight) DoS protection
Sep 15 04:59:06 Listening for TCP queries on 192.168.98.51:53
Sep 15 04:59:06 Raised soft limit on number of filedescriptors to 4121 to match max-mthreads and threads settings
Sep 15 04:59:06 Launching 3 threads
Sep 15 04:59:06 Done priming cache with root hints
Sep 15 04:59:06 Done priming cache with root hints
Sep 15 04:59:06 Done priming cache with root hints
Sep 15 04:59:06 Enabled 'epoll' multiplexer
Sep 15 04:59:09 Could not retrieve security status update for '0.0.g4f1c981' on 'recursor-0.0.g4f1c981.security-status.secpoll.powerdns.com', DNSSEC validation result was Bogus!

$ uname -a
Linux 3.10.105-139 #1 SMP PREEMPT Thu Jun 1 11:16:09 UTC 2017 armv7l armv7l armv7l GNU/Linux

Any suggestion plz?

rgacogne commented 6 years ago

Thank you for upgrading. So it looks like the answers we get from the forward servers do not validate correctly. Would you mind restarting the recursor with trace=yes and posting the content of the log file?

omoerbeek commented 4 years ago

No response in more than 2 years.

mrgohin commented 2 years ago

The problem does exist in my setup right now.

Fresh installed Ubuntu 20.04.4 LTS with PowerDNS Auth & Rec 4.6.x and DNSdist 1.7.1

Public DNS Servers are:

Following log I can provide:

# journalctl -f
-- Logs begin at Fri 2022-04-29 22:01:26 UTC. --or dnsdist
Apr 30 00:54:09 alpha pdns-recursor[10675]: stats: 0/0/0 outgoing tcp/dot/idle connections, 0 queries running, 0 outgoing timeouts
Apr 30 00:54:09 alpha pdns-recursor[10675]: stats: 1 packet cache entries, 0% packet cache hits
Apr 30 00:54:09 alpha pdns-recursor[10675]: stats: thread 0 has been distributed 1 queries
Apr 30 00:54:09 alpha pdns-recursor[10675]: stats: thread 1 has been distributed 0 queries
Apr 30 00:54:09 alpha pdns-recursor[10675]: stats: tasks pushed/expired/queuesize: 0/0/0
Apr 30 00:54:10 alpha dnsdist[10709]: Marking downstream *.*.*.*:532 as 'down'
Apr 30 00:54:10 alpha systemd[1]: Started DNS Loadbalancer.
Apr 30 00:54:10 alpha dnsdist[10709]: Polled security status of version 1.7.1 at startup, no known issues reported: OK
Apr 30 00:54:11 alpha pdns-recursor[10675]: Failed to update root NS records, RCODE=2
Apr 30 00:54:12 alpha pdns-recursor[10675]: Exception while performing security poll: Server Failure while retrieving DNSKEY records for .
Apr 30 00:54:20 alpha pdns-recursor[10675]: Failed to update root NS records, RCODE=2
Apr 30 00:54:23 alpha pdns-recursor[10675]: Failed to update root NS records, RCODE=2
Apr 30 00:54:27 alpha pdns-recursor[10675]: Failed to update root NS records, RCODE=2
Apr 30 00:54:30 alpha pdns-recursor[10675]: Failed to update root NS records, RCODE=2
Apr 30 00:54:39 alpha pdns-recursor[10675]: Failed to update root NS records, RCODE=2
Apr 30 00:54:46 alpha pdns-recursor[10675]: Failed to update root NS records, RCODE=2
Apr 30 00:54:56 alpha pdns-recursor[10675]: Failed to update root NS records, RCODE=2

Yes, it still does spam my log with these lines.

setharnold commented 2 years ago

Adding a comment to a five-year-old bug is not ideal; chances are good no one else will see this. (I only saw it because the handy irc bot..) (There is some pleasing symmetry with the "You are using an unstable alpha version" comment from earlier, though. Heh.)

mrgohin commented 2 years ago

I might agree about the five year old issue.

Unfortunately this is happening with the stable 4.6 software. I removed all alpha and beta versions from the first server after the notice on IRC. On the secondary I installed the stable versions from the beginning, but both produce the same error.

phonedph1 commented 2 years ago

It's a bit annoying but it still works just fine with dnssec=off or the appropriate TA/NTAs, right? At least the latest code does for me.

A new feature will soon make the logging less noisy: The hint-file gained a special value no to indicate that no hint file should be processed. The hint processing code is also made less verbose.

mrgohin commented 2 years ago

I have to test it. I will give feedback on this.

Good to hear, looking forward to it.
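
A small triage helper for the recursor log lines quoted in this thread, added here as an example (it is not code from the PowerDNS project or from any commenter). It counts the "Failed to update ... records" root-priming failures by RCODE name and the DNSSEC-related security-poll errors; the function name `triage` and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# DNS response codes from RFC 1035 section 4.1.1.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# Message shapes taken from the log excerpts in this thread
# (4.0.0-alpha2 logs ". records", 4.6.x logs "root NS records").
PRIMING = re.compile(r"Failed to update (?:root NS|\.) records, RCODE=(\d+)")
DNSSEC = re.compile(r"DNSSEC validation result was Bogus|retrieving DNSKEY records")
# syslog collapses duplicates into "message repeated N times: [ msg]".
REPEATED = re.compile(r"message repeated (\d+) times")

# Constructed sample modelled on the lines above; hostnames are made up.
SAMPLE = """\
Sep 15 00:38:26 host pdns_recursor[24019]: Failed to update . records, RCODE=2
Sep 15 00:38:26 host pdns_recursor[24019]: message repeated 2 times: [ Failed to update . records, RCODE=2]
Apr 30 00:54:11 alpha pdns-recursor[10675]: Failed to update root NS records, RCODE=2
Apr 30 00:54:12 alpha pdns-recursor[10675]: Exception while performing security poll: Server Failure while retrieving DNSKEY records for .
Apr 30 00:54:09 alpha pdns-recursor[10675]: stats: 1 packet cache entries, 0% packet cache hits
"""

def triage(log_text):
    """Count root-priming failures per RCODE name and DNSSEC-related errors."""
    priming = Counter()
    dnssec_errors = 0
    for line in log_text.splitlines():
        rep = REPEATED.search(line)
        weight = int(rep.group(1)) if rep else 1  # a collapsed line stands for N messages
        match = PRIMING.search(line)
        if match:
            code = int(match.group(1))
            priming[RCODES.get(code, f"RCODE{code}")] += weight
        elif DNSSEC.search(line):
            dnssec_errors += weight
    return {"priming_failures": dict(priming), "dnssec_errors": dnssec_errors}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-zero `dnssec_errors` next to SERVFAIL priming failures matches the situation described in the thread, where answers coming back through the forwarders do not validate.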