dnscontrol
AXFR+DDNS provider occasionally gets confused by a mix of AUTODNSSEC_ON and AUTODNSSEC_OFF
Describe the bug
Using the AXFR+DDNS provider with a mix of both AUTODNSSEC_ON zones and AUTODNSSEC_OFF zones, dnscontrol occasionally gets "confused", falsely producing the following warning.
Warning: AUTODNSSEC is disabled, but DNSKEY or RRSIG records were found in the AXFR answer!
For starters, here's my dnsconfig.js file.
var REG_NONE = NewRegistrar("none");
var DSP_AXFRDDNS = NewDnsProvider("axfrddns");
D("named-test.arrakis.se", REG_NONE, DnsProvider(DSP_AXFRDDNS),
AUTODNSSEC_ON,
NAMESERVER_TTL("24h"),
DefaultTTL("1h"),
NAMESERVER("halleck.arrakis.se."),
NAMESERVER("secondary.searrakis.dev."),
A("@", "85.119.82.123", TTL(14400)),
MX("@", 0, ".", TTL(14400)),
TXT("hello", "Hello Hello", TTL(300)),
TXT("zebra", "Hello World"),
);
D("c.8.0.1.0.0.1.1.a.0.a.2.ip6.arpa", REG_NONE, DnsProvider(DSP_AXFRDDNS),
AUTODNSSEC_OFF,
NAMESERVER_TTL("24h"),
DefaultTTL("1h"),
NAMESERVER("a.authns.bitfolk.co.uk."),
NAMESERVER("b.authns.bitfolk.com."),
NAMESERVER("c.authns.bitfolk.com."),
TXT("@", "Hello Admin"),
PTR("2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0", "halleck.arrakis.se."),
);
Running the preview command against all (both) zones, it will sometimes warn and sometimes not. Here are the two different outputs.
$ dnscontrol preview
CONCURRENTLY gathering 2 zone(s)
SERIALLY gathering 0 zone(s)
Waiting for concurrent gathering(s) to complete...Warning: AUTODNSSEC is disabled, but DNSKEY or RRSIG records were found in the AXFR answer!
DONE
******************** Domain: named-test.arrakis.se
******************** Domain: c.8.0.1.0.0.1.1.a.0.a.2.ip6.arpa
Done. 0 corrections.
$
$ dnscontrol preview
CONCURRENTLY gathering 2 zone(s)
SERIALLY gathering 0 zone(s)
Waiting for concurrent gathering(s) to complete...DONE
******************** Domain: named-test.arrakis.se
******************** Domain: c.8.0.1.0.0.1.1.a.0.a.2.ip6.arpa
Done. 0 corrections.
$
Yet if I use the --domains option to only target one zone at a time it's always all good.
$ dnscontrol preview --domains named-test.arrakis.se
CONCURRENTLY gathering 1 zone(s)
SERIALLY gathering 0 zone(s)
Waiting for concurrent gathering(s) to complete...DONE
******************** Domain: named-test.arrakis.se
Done. 0 corrections.
$
$ dnscontrol preview --domains c.8.0.1.0.0.1.1.a.0.a.2.ip6.arpa
CONCURRENTLY gathering 1 zone(s)
SERIALLY gathering 0 zone(s)
Waiting for concurrent gathering(s) to complete...DONE
******************** Domain: c.8.0.1.0.0.1.1.a.0.a.2.ip6.arpa
Done. 0 corrections.
$
No matter the number of attempts I've never managed to produce the warning when there's only one zone involved.
This is with DNSControl version 4.20.0.
$ dnscontrol version
DNSControl version 4.20.0
$
DNS Provider
- AXFRDDNS
This definitely appears to be related to the way DNSControl does concurrency, because if I turn off concurrency by setting --cmode none I never get the warning, despite lots and lots of attempts.
$ dnscontrol preview --cmode none
CONCURRENTLY gathering 0 zone(s)
SERIALLY gathering 2 zone(s)
Serially Gathering: "named-test.arrakis.se"
Serially Gathering: "c.8.0.1.0.0.1.1.a.0.a.2.ip6.arpa"
******************** Domain: named-test.arrakis.se
******************** Domain: c.8.0.1.0.0.1.1.a.0.a.2.ip6.arpa
Done. 0 corrections.
$
CC @hnrgrgr
Looks like the transferKey and updateKey fields need to be per-domain (with locking around updates/reads)
// axfrddnsProvider stores the client info for the provider.
// One value of this type serves every zone configured for the provider,
// so each field below is shared across all of them.
type axfrddnsProvider struct {
	master           string              // server that receives the dynamic updates
	updateMode       string              // transport used for updates
	transferServer   string              // server that answers the AXFR
	transferMode     string              // transport used for the zone transfer
	nameservers      []*models.Nameserver
	transferKey      *Key                // TSIG key for AXFR
	updateKey        *Key                // TSIG key for dynamic updates
	hasDnssecRecords bool                // set while gathering a zone: DNSKEY/RRSIG seen in the AXFR
}
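The race the report describes can be replayed deterministically without any DNS traffic. The following is an added example, not dnscontrol's own code: it assumes, as the struct above suggests, that a single hasDnssecRecords flag on the provider is written while one zone is fetched and read when that zone's warning is decided. The two zone definitions, their RR types and the interleaving are constructed to match the report (the forward zone is signed, the reverse zone is not). The sharedProvider reproduces the shape of the bug; perZoneProvider keys the flag by zone name behind a mutex, which is the per-domain state the comment above calls for.

```go
package main

import (
	"fmt"
	"sync"
)

// zone is a constructed stand-in for one D() entry: the zone name, whether
// AUTODNSSEC_ON was set, and the RR types that an AXFR of the zone returns.
type zone struct {
	name       string
	autoDNSSEC bool
	axfrTypes  []string
}

// hasDNSSECTypes reports whether an AXFR answer carried DNSKEY or RRSIG records.
func hasDNSSECTypes(types []string) bool {
	for _, t := range types {
		if t == "DNSKEY" || t == "RRSIG" {
			return true
		}
	}
	return false
}

// sharedProvider models the shape shown in the issue: one provider value is
// reused for every zone, so hasDnssecRecords is a single field for all of them.
type sharedProvider struct {
	hasDnssecRecords bool
}

// fetch records what the AXFR of z contained (phase 1 of gathering a zone).
func (p *sharedProvider) fetch(z zone) { p.hasDnssecRecords = hasDNSSECTypes(z.axfrTypes) }

// warn decides whether the AUTODNSSEC warning fires for z (phase 2).
func (p *sharedProvider) warn(z zone) bool { return !z.autoDNSSEC && p.hasDnssecRecords }

// perZoneProvider keeps the flag per zone name behind a mutex, so concurrent
// gathering of different zones cannot observe each other's AXFR results.
type perZoneProvider struct {
	mu               sync.Mutex
	hasDnssecRecords map[string]bool
}

func newPerZoneProvider() *perZoneProvider {
	return &perZoneProvider{hasDnssecRecords: map[string]bool{}}
}

func (p *perZoneProvider) fetch(z zone) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.hasDnssecRecords[z.name] = hasDNSSECTypes(z.axfrTypes)
}

func (p *perZoneProvider) warn(z zone) bool {
	p.mu.Lock()
	defer p.mu.Unlock()
	return !z.autoDNSSEC && p.hasDnssecRecords[z.name]
}

// Constructed zones matching the two D() entries in the report: the forward
// zone is signed (its AXFR includes DNSKEY/RRSIG), the reverse zone is not.
var (
	signedZone   = zone{name: "named-test.arrakis.se", autoDNSSEC: true, axfrTypes: []string{"SOA", "NS", "A", "MX", "TXT", "DNSKEY", "RRSIG"}}
	unsignedZone = zone{name: "c.8.0.1.0.0.1.1.a.0.a.2.ip6.arpa", autoDNSSEC: false, axfrTypes: []string{"SOA", "NS", "TXT", "PTR"}}
)

// sharedFalseWarning replays one interleaving that CONCURRENTLY gathering can
// produce: the unsigned zone's fetch completes, the signed zone's fetch then
// overwrites the shared flag, and only afterwards does the unsigned zone's
// warning check run. With a shared flag this yields the spurious warning.
func sharedFalseWarning() bool {
	p := &sharedProvider{}
	p.fetch(unsignedZone)
	p.fetch(signedZone)
	return p.warn(unsignedZone)
}

// perZoneFalseWarning replays the same interleaving against per-zone state.
func perZoneFalseWarning() bool {
	p := newPerZoneProvider()
	p.fetch(unsignedZone)
	p.fetch(signedZone)
	return p.warn(unsignedZone)
}

// perZoneConcurrent gathers both zones in goroutines, as the default
// concurrent mode does, and reports whether any zone warned. Each goroutine
// writes its own slot of results, so no extra synchronisation is needed there.
func perZoneConcurrent() bool {
	p := newPerZoneProvider()
	var wg sync.WaitGroup
	results := make([]bool, 2)
	for i, z := range []zone{signedZone, unsignedZone} {
		wg.Add(1)
		go func(i int, z zone) {
			defer wg.Done()
			p.fetch(z)
			results[i] = p.warn(z)
		}(i, z)
	}
	wg.Wait()
	return results[0] || results[1]
}

func main() {
	fmt.Println("shared flag, interleaved fetches warn:", sharedFalseWarning())
	fmt.Println("per-zone flag, interleaved fetches warn:", perZoneFalseWarning())
	fmt.Println("per-zone flag, goroutines warn:", perZoneConcurrent())
}
```

The shared variant warns only under the bad interleaving, which is why the report sees it intermittently with two zones and never with --domains or --cmode none: with one zone, or with serial gathering, no other fetch can run between a zone's fetch and its warning check. The same reasoning applies to transferKey and updateKey if they are ever assigned per zone, which is the point of the comment above.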