Short description
When pdns is configured with the allow-recursion setting, we are seeing that a request for recursion from a host that is not allowed recursion is being cached and improperly returned to a subsequent request from a host that is allowed recursion. Each time this happens it lasts as long as the duration specified in cache-ttl.
Environment
Steps to reproduce
1. dig www.google.com from the host that is allowed recursion (10.0.14.22) and it works
2. dig www.google.com from a host that is not allowed recursion, and recursion is denied
3. dig www.google.com from the host that is allowed recursion (10.0.14.22) and recursion is denied
4. wait 60 seconds (cache-ttl) and try again from the host that is allowed recursion and it works again
pdns.conf.txt
Expected behaviour
Authoritative server would be consistent in its responses, allowing recursion for hosts where recursion is allowed, and denying it for hosts where recursion should not be allowed.
Actual behaviour
10.0.14.22:~# dig www.google.com @10.0.14.22
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> www.google.com @10.0.14.22
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6322
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 300 IN A 172.217.5.68
;; Query time: 40 msec
;; SERVER: 10.0.14.22#53(10.0.14.22)
;; WHEN: Mon Apr 10 16:47:44 2017
;; MSG SIZE rcvd: 48
10.0.0.206:~# dig www.google.com @10.0.14.22
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> www.google.com @10.0.14.22
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 48763
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.google.com. IN A
;; Query time: 0 msec
;; SERVER: 10.0.14.22#53(10.0.14.22)
;; WHEN: Mon Apr 10 16:47:48 2017
;; MSG SIZE rcvd: 32
10.0.14.22:~# dig www.google.com @10.0.14.22
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> www.google.com @10.0.14.22
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 32267
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.google.com. IN A
;; Query time: 0 msec
;; SERVER: 10.0.14.22#53(10.0.14.22)
;; WHEN: Mon Apr 10 16:47:54 2017
;; MSG SIZE rcvd: 32
10.0.14.22:~# dig www.google.com @10.0.14.22
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> www.google.com @10.0.14.22
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18863
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 234 IN A 172.217.5.68
;; Query time: 2 msec
;; SERVER: 10.0.14.22#53(10.0.14.22)
;; WHEN: Mon Apr 10 16:48:50 2017
;; MSG SIZE rcvd: 48
Other information
We tried a few different values for cache-ttl and the duration of the problematic behavior matched up with the cache-ttl value. As a workaround, we set cache-ttl to 0 and it prevented the problem from happening.
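A small model of the behaviour reported above, added here as an example and not taken from PowerDNS source or from the reporter. It assumes the response cache is keyed on the question alone and consulted before the allow-recursion check, and that forwarded answers are not cached locally; the class, the ACL entry and the timeline are constructed from the addresses and timestamps in the dig output.

```python
import ipaddress

# Constructed ACL: the report names 10.0.14.22 as the host allowed recursion.
ALLOW_RECURSION = [ipaddress.ip_network("10.0.14.22/32")]


def may_recurse(client):
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in ALLOW_RECURSION)


class ToyAuthServer:
    """Model only: a response cache sitting in front of the recursion ACL."""

    def __init__(self, key_includes_acl, cache_ttl=60):
        self.key_includes_acl = key_includes_acl
        self.cache_ttl = cache_ttl  # seconds, stands in for cache-ttl
        self.cache = {}             # key -> (expiry, rcode)

    def _key(self, client, qname, qtype):
        key = (qname.lower(), qtype)
        if self.key_includes_acl:
            # Hardened: allowed and denied clients never share a cache slot.
            key += (may_recurse(client),)
        return key

    def query(self, client, qname, qtype, now):
        key = self._key(client, qname, qtype)
        hit = self.cache.get(key)
        if hit and hit[0] > now:
            return hit[1]  # served from cache, ACL never consulted
        if may_recurse(client):
            return "NOERROR"  # assumption: forwarded answers are not cached
        self.cache[key] = (now + self.cache_ttl, "REFUSED")
        return "REFUSED"


def replay(server):
    # Seconds since the first dig run (16:47:44, :48, :54, 16:48:50).
    steps = [("10.0.14.22", 0), ("10.0.0.206", 4),
             ("10.0.14.22", 10), ("10.0.14.22", 66)]
    return [server.query(c, "www.google.com", "A", t) for c, t in steps]


if __name__ == "__main__":
    print("question-only key :", replay(ToyAuthServer(False)))
    print("key includes ACL  :", replay(ToyAuthServer(True)))
    print("cache-ttl=0       :", replay(ToyAuthServer(False, cache_ttl=0)))
```

With the question-only key the third query reproduces the REFUSED seen by the allowed host; with the ACL decision in the key, or with the TTL at 0 as in the reported workaround, each client gets the answer its own permission dictates.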