Packet cache preventing recursion #5232

Closed
josephmask opened this issue Apr 10, 2017 · 1 comment

josephmask commented Apr 10, 2017

  • Program: Authoritative
  • Issue type: Bug report

Short description

When pdns is configured with the allow-recursion setting, we are seeing that a request for recursion from a host that is not allowed recursion is being cached and improperly returned to a subsequent request from a host that is allowed recursion. Each time this happens it lasts as long as the duration specified in cache-ttl.

Environment

  • Operating system: CentOS 6.8
  • Software version: 4.0.3
  • Software source: PowerDNS repository

Steps to reproduce

pdns.conf.txt

  1. dig www.google.com from the host that is allowed recursion (10.0.14.22) and it works
  2. dig www.google.com from a host that is not allowed recursion, and recursion is denied
  3. dig www.google.com from the host that is allowed recursion (10.0.14.22) and recursion is denied
  4. wait 60 seconds (cache-ttl) and try again from the host that is allowed recursion and it works again

Expected behaviour

Authoritative server would be consistent in its responses, allowing recursion for hosts where recursion is allowed, and denying it for hosts where recursion should not be allowed.

Actual behaviour

10.0.14.22:~# dig www.google.com @10.0.14.22

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> www.google.com @10.0.14.22
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6322
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 300 IN A 172.217.5.68

;; Query time: 40 msec
;; SERVER: 10.0.14.22#53(10.0.14.22)
;; WHEN: Mon Apr 10 16:47:44 2017
;; MSG SIZE rcvd: 48

10.0.0.206:~# dig www.google.com @10.0.14.22

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> www.google.com @10.0.14.22
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 48763
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.google.com. IN A

;; Query time: 0 msec
;; SERVER: 10.0.14.22#53(10.0.14.22)
;; WHEN: Mon Apr 10 16:47:48 2017
;; MSG SIZE rcvd: 32

10.0.14.22:~# dig www.google.com @10.0.14.22

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> www.google.com @10.0.14.22
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 32267
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.google.com. IN A

;; Query time: 0 msec
;; SERVER: 10.0.14.22#53(10.0.14.22)
;; WHEN: Mon Apr 10 16:47:54 2017
;; MSG SIZE rcvd: 32

10.0.14.22:~# dig www.google.com @10.0.14.22

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> www.google.com @10.0.14.22
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18863
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 234 IN A 172.217.5.68

;; Query time: 2 msec
;; SERVER: 10.0.14.22#53(10.0.14.22)
;; WHEN: Mon Apr 10 16:48:50 2017
;; MSG SIZE rcvd: 48

Other information

We tried a few different values for cache-ttl and the duration of the problematic behavior matched up with the cache-ttl value. As a workaround, we set cache-ttl to 0 and it prevented the problem from happening.

Usecase

Description

Member

Habbie commented Apr 11, 2017

#5132 should fix this, it will be part of 4.1.0. However, recursor and allow-recursion are gone in version 4.1.0. Sorry!

Habbie closed this as completed Apr 11, 2017
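
The behaviour reported in this issue can be reproduced with a toy model of a response cache sitting in front of a per-client recursion ACL. This is an added example, not PowerDNS code and not written by either participant. The class and function names, the /32 ACL entry (the reporter's pdns.conf is not shown) and the choice not to cache recursed answers are assumptions made to match the dig trace.

```python
# Toy model (added example, not PowerDNS code) of a packet cache in front of
# a per-client recursion ACL. Names, structure and the "recursed answers are
# not cached" behaviour are assumptions chosen to match the dig trace above.
import ipaddress

ALLOW_RECURSION = [ipaddress.ip_network("10.0.14.22/32")]  # assumed ACL value


def recursion_allowed(client):
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in ALLOW_RECURSION)


class Server:
    def __init__(self, acl_in_key, cache_ttl=60):
        self.acl_in_key = acl_in_key   # False models the reported behaviour
        self.cache_ttl = cache_ttl     # 60 in the report; 0 is the workaround
        self.cache = {}                # key -> (expires_at, response)

    def _key(self, client, qname, qtype):
        key = (qname.lower(), qtype)
        if self.acl_in_key:
            # Mitigation: the access-control decision is part of the key, so
            # clients with different rights never share a cached response.
            key += (recursion_allowed(client),)
        return key

    def query(self, client, qname, qtype, now):
        key = self._key(client, qname, qtype)
        hit = self.cache.get(key)
        if hit and hit[0] > now:
            return hit[1]              # served before the ACL is consulted
        if recursion_allowed(client):
            return "NOERROR"           # passed to the recursor, not cached (assumed)
        self.cache[key] = (now + self.cache_ttl, "REFUSED")
        return "REFUSED"


def replay(server):
    """Replay the four dig queries; times are seconds after the first one."""
    steps = [("10.0.14.22", 0), ("10.0.0.206", 4), ("10.0.14.22", 10), ("10.0.14.22", 66)]
    return [server.query(c, "www.google.com", "A", t) for c, t in steps]


if __name__ == "__main__":
    print("shared key  :", replay(Server(acl_in_key=False)))
    print("ACL in key  :", replay(Server(acl_in_key=True)))
    print("cache-ttl=0 :", replay(Server(acl_in_key=False, cache_ttl=0)))
```

The first line of output matches the four dig results in the report; the other two show the allowed host answered consistently, either by keying the cache on the ACL decision or by the reporter's cache-ttl 0 workaround.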