pdns tries to add zone from supermaster twice if ipv4 and ipv6 supermasters are configured on superslave

[Perflyst]

• Program: Authoritative
• Issue type: Bug report

Short description

If PowerDNS is configured with v4 and v6 supermasters and receives a notify it tries to add the domain twice.

Environment

• Operating system: Debian Buster
• Software version: 4.3.0
• Software source: PowerDNS repository

Steps to reproduce

1. Configure a master and a slave with superslave=yes
2. Add domain to master
3. Add two rows in supermaste table on slave with both ipv4 and ipv6 of supermaster
4. Send notify to slave

Expected behaviour

Superslave accepts notify and adds new slave zone with ipv4 and ipv6 from master as master server.

Actual behaviour

Superslave accepts notify and adds new slave zone with ipv4 and ipv6 from master as master server. But it also tries to add it again with the IPv6 only.

Other information

Logs on slave:

Apr 22 18:02:01 ns2 pdns_server[30385]: Received NOTIFY for domain.net from 138.xx for which we are not authoritative
Apr 22 18:02:01 ns2 pdns_server[30385]: Received NOTIFY for domain.net from 2a01:xx for which we are not authoritative
Apr 22 18:02:02 ns2 pdns_server[30385]: Created new slave zone 'domain.net' from supermaster 138.xx
Apr 22 18:02:02 ns2 pdns_server[30385]: Database error trying to create domain.net for potential supermaster 2a01:xx: Database error trying to insert new domain 'domain.net.': Could not execute mysql statement: insert into domains (type,name,master,account,last_check,notified_serial) values(?,?,?,?,NULL,NULL): Duplicate entry 'domain.net' for key 'name_index'

supermasters table on slave

MariaDB [powerdns]> select * from supermasters;
+-----------------------+-----------------+---------+
| ip                    | nameserver      | account |
+-----------------------+-----------------+---------+
| 138.xx                | dns.xx.com      |         |
| 2a01:xx               | dns.xx.com      |         |
+-----------------------+-----------------+---------+

[Habbie]

If i'm not missing something, the supermaster checks happen in a single sequential thread (except for those coming in over TCP) so we should be able to fix this with a simple domain existence check.

[wiebeytec]

If i'm not missing something, the supermaster checks happen in a single sequential thread (except for those coming in over TCP) so we should be able to fix this with a simple domain existence check.

Doesn't that create race conditions? If you assume the master will alternatively use the IPv4 and IPv6 to do the transfer, one of them will win, and therefore the other lose. If the first zone was accepted from an IPv4 address, it can never be updated anymore once the server starts using IPv6, even if the supermaster was added as a second row to supermasters, this time with IPv6 address, because the IPs don't match.

Isn't the real fix to add an ip6 field to supermasters and a master6 to domains?

Or, the 'check if IP is allowed to do to AXFR' needs to expand its IP and look up related ones in supermasters:

• There are two supermasters: 1.2.3.4 and aa::ff
• The domain has master record 1.2.3.4, because that's where it came from at one point.
• aa:ff does a AXFR
• OLD: aa::ff != 1.2.3.4 -> reject
• NEW: aa::ff in select distinct s2.ip from supermasters as s1 inner join supermasters as s2 on s1.nameserver = s2.nameserver where s1.ip = 'aa::ff';. Disclaimer: there are some caveats when there are supermasters with the same IP but different nameserver values. I haven't fully analyzed the security implications.

[Habbie]

Isn't the real fix to add an ip6 field to supermasters and a master6 to domains?

We already have a generic solution for that - when adding a domain, we pick -all- IPs that have the same nameserver and account. This covers v4+v6 but also domains that have multiple v4 masters.

[wiebeytec]

Is that also in version 4.1.1-1 from Ubuntu 18.04? I still get

Received NOTIFY for example.nl from 2a01:1b0::snip which is not a master

After or before (it changes) the successful transfer over IPv4.

The IPv4 and IPv6 are both in the supermasters table.

[Habbie]

Is that also in version 4.1.1-1 from Ubuntu 18.04? I still get

I don't know. This is starting to look like a support question. I suggest upgrading, and then asking these questions on IRC or the pdns-users mailing list (see https://www.powerdns.com/opensource.html )