PowerDNS secondary servers receive empty SOA response for particular zone. Truncation issue?

Andy Smith andy at strugglers.net
Fri Nov 18 01:14:27 UTC 2022


Hi,

I recently upgraded a Debian 9 / bind9 system to Debian 11, so that
would be package version 1:9.10.3.dfsg.P4-12.3+deb9u12 to
1:9.16.27-1~deb11u1. Ever since doing so, one particular zone is unable
to be transferred to any of the several PowerDNS secondary servers.

What happens is that a NOTIFY is sent out, PowerDNS sees it and queries
for SOA and logs this:

Nov 18 00:25:26 daiquiri pdns_server[32452]: While checking domain freshness: Query to '2001:ba8:1f1:f085::53' for SOA of 'f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa' did not return a SOA

This is a little baffling because "dig" on that host does produce the
expected results:

$ dig +short -t soa f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa @2001:ba8:1f1:f085::53
ns0.ribenakid.me.uk. bind.ribenakid.me.uk. 1668670704 28800 14400 3600000 86400

I can also do an axfr from that host with "dig" and I can also force
PDNS to do an axfr which it successfully does.

This is not happening with any of the other zones, just
f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa.

Now, it could of course be a PDNS issue, but I did a tcpdump and saw an
empty response packet go back, so it seems like my bind9 is doing
something strange. I don't find any relevant log entries, nothing at all
after the sending of the NOTIFY is logged in fact.

Attached is empty-soa.txt, the text dump of the pcap of 4 packets. It
shows:

1) 85.119.80.222 (another IP on the same host as 2001:ba8:1f1:f085::53)
   sending out a notify for "f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa"
   to 172.104.29.216 (one of the PDNS secondary servers).

2) 172.104.29.216 response back to the notify.

3) 172.104.29.216 query to 85.119.80.222 for SOA.

4) 85.119.80.222 empty response to 172.104.29.216.

Now, I DID notice that packet #4 has truncated bit set, and there is no
follow up query from 172.104.29.216 over TCP. Probably the reason why
this is seen with only this zone is that it's DNSSEC whereas most of the
other zones aren't. A "dig +dnssec -t soa" is size 2293.

So perhaps it is PDNS not handling truncated response properly?

Thing is, this zone has been DNSSEC signed for a very long time and
PowerDNS was fine with querying SOA before I upgraded bind9. The PDNS
versions haven't changed, but even the latest stable version of PowerDNS
auth server is seeing the same thing. But I will also ask about this in
the PDNS community.

I did an EDNS compliance check and it all came back okay:
https://ednscomp.isc.org/ednscomp/a8c22e7194

Any insight would be appreciated!

Thanks,
Andy
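As an added example (not part of Andy's post or of BIND or PowerDNS), here is the decision a secondary has to make on packet #4: parse the UDP SOA response header and, when the TC bit is set, retry over TCP instead of concluding that the zone has no SOA. It uses only the Python standard library; the query builder, the EDNS0 buffer size of 1232 and the response bytes are constructed here to mirror the packets described, not captured from the list thread.

```python
import struct

ZONE = "f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa"  # zone from the post


def _encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus a root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _decode_name(packet, offset):
    """Decode an uncompressed name (as found in the question section)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_soa_query(name, txn_id=0x1234, udp_size=1232, dnssec_ok=True):
    """UDP SOA query with an EDNS0 OPT record advertising udp_size (RFC 6891)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = _encode_name(name) + struct.pack("!HH", 6, 1)  # QTYPE SOA=6, QCLASS IN=1
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL carries the DO bit, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if dnssec_ok else 0, 0)
    return header + question + opt


def inspect_response(packet):
    """Return header facts plus the action a secondary should take on this reply."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    qname, _ = _decode_name(packet, 12) if qd else ("", 12)
    tc = bool(flags & 0x0200)
    if tc:
        verdict = "retry-over-tcp"  # RFC 1035 / RFC 7766: TC=1 means the UDP answer is incomplete
    elif an == 0:
        verdict = "no-soa"  # a genuinely empty answer section
    else:
        verdict = "ok"
    return {"id": txn_id, "qname": qname, "tc": tc, "rcode": flags & 0xF,
            "answers": an, "verdict": verdict}


# Constructed stand-in for packet #4: QR, AA, TC, RD, RA set; question echoed; no answers.
TRUNCATED_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8780, 1, 0, 0, 0)
                      + _encode_name(ZONE) + struct.pack("!HH", 6, 1))

if __name__ == "__main__":
    print(inspect_response(TRUNCATED_RESPONSE))
```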

