Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rec: NSEC3 aggressive cache does not work (for empty zones?) #13542

Closed
2 tasks done
pspacek opened this issue Nov 29, 2023 · 3 comments · Fixed by #13543
Closed
2 tasks done

rec: NSEC3 aggressive cache does not work (for empty zones?) #13542

pspacek opened this issue Nov 29, 2023 · 3 comments · Fixed by #13543

Comments

@pspacek
Copy link

pspacek commented Nov 29, 2023
edited
Loading

Short description

NSEC3 aggressive cache does not work for zones which have only apex and are otherwise empty.

Environment

  • Operating system: Arch Linux, x86_64
  • Software version: powerdns-recursor 4.9.1-3
  • Software source: Operating system repository

Steps to reproduce

  1. Recursor config:
dnssec=validate
dont-query=
local-address=127.0.0.1,::1
security-poll-suffix=
socket-dir=/tmp
  1. Test auth config:
  1. Add test IP address: sudo ip addr add 10.53.0.2 dev lo
  2. Run auth: named -g -c auth.conf
  3. Observe traffic to the test auth: tcpdump -n -i lo 'host 10.53.0.2 and port 53'
  4. Query for random names in the zone: dig @127.0.0.1 $RANDOM$RANDOM.local.testiscorg.ch.

Expected behaviour

Queries stop going out as soon as NSEC3 chain is received. (I.e. first NSEC3 answer because there is just one NSEC3 RR in the whole zone.)

Actual behaviour

Individual queries hit the auth.

Other information

Insane config like this does not help:

aggressive-nsec-cache-size=1G
aggressive-cache-min-nsec3-hit-ratio=100000
@pspacek pspacek changed the title rec: NSEC3 aggressive cache does not work for empty zones (apex only) rec: NSEC3 aggressive cache does not work (for empty zones?) Nov 29, 2023
@pspacek
Copy link
Author

pspacek commented Nov 29, 2023

Hmm, maybe I'm confusing myself. It thought it works for non-empty zones, but now I can't get it to work even for testiscorg.ch domain which has ~ 11 names in it. Weird.

@omoerbeek
Copy link
Member

1G is not interpreted as 1 gig (shame on us).

omoerbeek added a commit to omoerbeek/pdns that referenced this issue Nov 29, 2023
@omoerbeek
rec: a single NSEC3 record covering everything is a special case
c5b1f07 
Fixes PowerDNS#13542
omoerbeek added a commit to omoerbeek/pdns that referenced this issue Nov 29, 2023
@omoerbeek
rec: a single NSEC3 record covering everything is a special case
32057b3 
Fixes PowerDNS#13542
@omoerbeek omoerbeek mentioned this issue Nov 29, 2023
Merged
7 tasks
@omoerbeek
Copy link
Member

Thanks for the report! Fix in linked PR.

omoerbeek added a commit to omoerbeek/pdns that referenced this issue Dec 1, 2023
@omoerbeek
rec: a single NSEC3 record covering everything is a special case
257b23b 
Fixes PowerDNS#13542
omoerbeek added a commit to omoerbeek/pdns that referenced this issue Feb 14, 2024
@omoerbeek
rec: a single NSEC3 record covering everything is a special case
ee8f3e8 
Fixes PowerDNS#13542

(cherry picked from commit 257b23b)
omoerbeek added a commit to omoerbeek/pdns that referenced this issue Feb 26, 2024
@omoerbeek
rec: a single NSEC3 record covering everything is a special case
8e2f28a 
Fixes PowerDNS#13542

(cherry picked from commit 257b23b)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

rec: a single NSEC3 record covering everything is a special case omoerbeek/pdns
2 participants
@omoerbeek @pspacek