pdns icon indicating copy to clipboard operation
pdns copied to clipboard

Published 20 hours ago verified publisher icon PowerDNS

BIND backend does not expire a secondary zone when the SOA expire timer elapses

Open jpmens opened this issue 3 years ago • 5 comments

  • Program: Authoritative
  • Issue type: Bug report

Short description

PowerDNS Authoritative with the BIND backend does not expire a secondary zone when the SOA expire timer elapses.

Environment

  • Operating system: CentOS Linux 8
  • Software version: 4.7.0-alpha0.192.master.g3f4b183ea
  • Software source: repo.powerdns.com

Steps to reproduce

  1. Configure pdns.conf 
    daemon=no
guardian=no
launch=bind
disable-syslog=yes
log-dns-details=yes
master=no
slave=yes
secondary=yes
bind-config=/etc/pdns/named.conf
disable-axfr=no
setgid=pdns
setuid=pdns
server-id=pdns100b.dnslab.org
  2. Configure named.conf 
    zone "a1.dnslab.org" IN {
	type slave;
	masters { 192.168.55.191; };
	file "/etc/pdns/a1";
};
  3. Launch PowerDNS 
    # pdns_server
Jan 13 14:59:38 Loading '/usr/lib64/pdns/libbindbackend.so'
Jan 13 14:59:38 This is a standalone pdns
Jan 13 14:59:38 Listening on controlsocket in '/var/run/pdns/pdns.controlsocket'
Jan 13 14:59:38 [bindbackend] Parsing 1 domain(s), will report when done
Jan 13 14:59:38 [bindbackend] error at 2022-01-13 14:59:38 +0000 no file found for new slave domain 'a1.dnslab.org'. Has not been AXFR'd yet
Jan 13 14:59:38 [bindbackend] Done parsing domains, 1 rejected, 1 new, 0 removed
Jan 13 14:59:38 UDP server bound to 0.0.0.0:53
Jan 13 14:59:38 UDP server bound to [::]:53
Jan 13 14:59:38 TCP server bound to 0.0.0.0:53
Jan 13 14:59:38 TCP server bound to [::]:53
Jan 13 14:59:38 PowerDNS Authoritative Server 4.7.0-alpha0.192.master.g3f4b183ea (C) 2001-2022 PowerDNS.COM BV
Jan 13 14:59:38 Using 64-bits mode. Built using gcc 8.5.0 20210514 (Red Hat 8.5.0-4) on Jan 13 2022 09:30:00 by root@428373f73c0e.
Jan 13 14:59:38 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Jan 13 14:59:38 Not validating response for security status update, this is a non-release version
Jan 13 14:59:38 Creating backend connection for TCP
Jan 13 14:59:38 About to create 3 backend threads for UDP
Jan 13 14:59:38 Primary/secondary communicator launching
Jan 13 14:59:38 Done launching threads, ready to distribute questions
Jan 13 14:59:38 Zone 'a1.dnslab.org' (/etc/pdns/a1) reloaded
Jan 13 14:59:38 AXFR-in zone: 'a1.dnslab.org', primary: '192.168.55.191', zone committed with serial 5

 *** at this point I make the zone unavailable on the primary server

Jan 13 15:03:38 While checking domain freshness: Query to '192.168.55.191:53' for SOA of 'a1.dnslab.org' produced no results (RCode: Query Refused)
Jan 13 15:03:41 Received serial number updates for 0 zones, had 1 timeout
Jan 13 15:03:41 Unable to retrieve SOA for a1.dnslab.org, this was the first time. NOTE: For every subsequent failed SOA check the domain will be suspended from freshness checks for 'num-errors x 60 seconds', with a maximum of 3600 seconds. Skipping SOA checks until 1642086281
Jan 13 15:04:41 While checking domain freshness: Query to '192.168.55.191:53' for SOA of 'a1.dnslab.org' produced no results (RCode: Query Refused)
Jan 13 15:04:44 Received serial number updates for 0 zones, had 1 timeout
Jan 13 15:06:44 While checking domain freshness: Query to '192.168.55.191:53' for SOA of 'a1.dnslab.org' produced no results (RCode: Query Refused)
Jan 13 15:06:47 Received serial number updates for 0 zones, had 1 timeout
Jan 13 15:09:47 While checking domain freshness: Query to '192.168.55.191:53' for SOA of 'a1.dnslab.org' produced no results (RCode: Query Refused)
Jan 13 15:09:50 Received serial number updates for 0 zones, had 1 timeout
Jan 13 15:13:50 While checking domain freshness: Query to '192.168.55.191:53' for SOA of 'a1.dnslab.org' produced no results (RCode: Query Refused)
Jan 13 15:13:53 Received serial number updates for 0 zones, had 1 timeout
Jan 13 15:18:54 While checking domain freshness: Query to '192.168.55.191:53' for SOA of 'a1.dnslab.org' produced no results (RCode: Query Refused)
Jan 13 15:18:57 Received serial number updates for 0 zones, had 1 timeout
  4. Query the server 
    $ TZ=UTC dig @192.168.164.149 a1.dnslab.org +multi +norec +nsid
; <<>> DiG 9.16.22 <<>> @192.168.164.149 a1.dnslab.org +multi +norec +nsid
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16493
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; NSID: 70 64 6e 73 31 30 30 62 2e 64 6e 73 6c 61 62 2e 6f 72 67 ("pdns100b.dnslab.org")
;; QUESTION SECTION:
;a1.dnslab.org.		IN A

;; AUTHORITY SECTION:
a1.dnslab.org.		30 IN SOA mname.a1.dnslab.org. jp.a1.dnslab.org. (
				5          ; serial
				180        ; refresh (3 minutes)
				60         ; retry (1 minute)
				497        ; expire (8 minutes 17 seconds)
				30         ; minimum (30 seconds)
				)

;; Query time: 18 msec
;; SERVER: 192.168.164.149#53(192.168.164.149)
;; WHEN: Thu Jan 13 15:21:02 UTC 2022
;; MSG SIZE  rcvd: 110

Expected behaviour

I expected PowerDNS to expire the secondary zone, having it SERVFAIL or REFUSE queries to it. (BIND 9.16, Knot DNS 3.1.4, and NSD 4.3.8 report SERVFAIL)

Actual behaviour

The zone is not expired and continues being available for queries. The time elapsed between the diagnostic that the zone transfer was complete until I stopped the test was 19 minutes and 19 seconds.

jpmens avatar Jan 13 '22 16:01 jpmens

This is a deliberate design choice. Do you actually want the zone to expire?

Habbie avatar Jan 13 '22 16:01 Habbie

I wasn't expecting that question. :-)

I can't find any mention of this design choice or behavior in the documentation, so maybe I have to rename / resubmit this issue as a documentation enhancement?

It is very true that the fields have complicated and sometimes controversial meanings. Maybe all the more reason to mention that SOA expire isn't used in PowerDNS.

jpmens avatar Jan 13 '22 16:01 jpmens

I wasn't expecting that question. :-)

It turns out, most people were not expecting expiry!

I agree we either need to fix this (maybe) or document this well (my favourite choice).

Habbie avatar Jan 13 '22 16:01 Habbie

Best to document all SOA fields and their (non-)use in PowerDNS.

franklouwers avatar Feb 04 '22 11:02 franklouwers

@jpmens if you look at RFC - https://datatracker.ietf.org/doc/html/rfc1035#section-3.3.13

EXPIRE A 32 bit time value that specifies the upper limit on the time interval that can elapse before the zone is no longer authoritative.

This is really big problem for me, my case for example :

pdns with psql backend as master and 3x pdns as AXFR slaves. Before removing zone from master (via api), my app set expire, send notify, after this i remove zone. And i expect SERVFAIL or REFUSE for queries to slaves.

lelvisl avatar Feb 17 '22 19:02 lelvisl