Autosecondary SOA and NS checks aren't recursive and can't go through powerdns recursor

[nixargh]

• This is not a support question, I have read about opensource and will send support questions to the IRC channel, GitHub Discussions or the mailing list.
• I have read and understood the 'out in the open' support policy

• Program: Authoritative
• Issue type: Bug report

Short description

When secondary gets a new domain it makes SOA and NS queries to primary. As my auth primary is below dnsdist it is convenient to pass most of queries to recursor which sends queries for my domain to auth pdns server.
But pdns_server does these queries w/o recursion, so they don't pass.

I solve that using dnsdist rules to route NS and SOA requests to my domain directly to auth server, but still I can't see why these queries aren't recursive.

Environment

• Operating system: Ubuntu 24.04.1 LTS (6.8.0-49-generic)
• Software version: 4.8.3
• Software source: From noble/universe Ubuntu repository

Steps to reproduce

1. Add new zone.
2. Wait primary send notify.
3. Check log of secondary for line contains we are not authoritative, trying supermaster and further.

Expected behaviour

I expect SOA and NS check pass through recursor to auth.

Actual behaviour

SOA and NS check die at recursor as rd=0.

Other information

[hlindqvist]

Is there a reason why you would ever want dnsdist to direct these rd=0 queries to recursor?

You may want to consider filtering based on RDRule if you have one dnsdist instance in front of different types of services, or otherwise clarifying how/why this scenario makes sense.

[nixargh]

My point is that recursor is already aware of where to route my domain and others. So adding more rules to dnsdist I'm repeating the same rules that recursor already has.
Sorry for not mentioning, I have dnsdist, recursor and auth on the same server on primary and the same setup on secondary. Maybe that adds more sense :)
Maybe doing these queries recursive has some drawback hidden for me? But such behaviour is quite confusing, when pdns says that it can't resolve NS but I run dig and see that NS is resolvable indeed.

[hlindqvist]

My point is that recursor is already aware of where to route my domain and others. So adding more rules to dnsdist I'm repeating the same rules that recursor already has.

I was imagining something simple like this to have all the non-recursor stuff going to the right place:

addAction(NotRule(RDRule()), PoolAction('auth'))

Maybe doing these queries recursive has some drawback hidden for me? But such behaviour is quite confusing, when pdns says that it can't resolve NS but I run dig and see that NS is resolvable indeed.

Idk about this NS lookup specifically, but in the bigger picture autosecondary functionality is built around zone transfers, and for zone transfers in general there is a purpose to why the secondary queries the primary directly; you wouldn't want recursor to introduce caching for the SOA refresh check, and recursor won't work with the AXFR (/IXFR) either.

[nixargh]

wouldn't want recursor to introduce caching for the SOA refresh check

Good point, I was thinking that way but haven't reached a decision yet :)
Maybe at least it worth mentioning in the docs, that these requests are not recursive, so point them to primary auth directly.

[Habbie]

if you feel the docs are unclear about this, please send a Pull Request!

[nixargh]

if you feel the docs are unclear about this, please send a Pull Request!

Fair enough. I will, most likely :)

That is my current config to make it clear how I solved the issue. Looks good to me but maybe you see some mistakes and I'd better to test and think once more:

setLocal('10.0.0.2:53')
setACL({'127.0.0.0/8', '10.0.0.0/8'})

newServer({address='127.0.0.3:53', pool='authoritative', useProxyProtocol=true})
newServer({address='127.0.0.2:53', pool='recursor'})

recursive_ips = newNMG()
recursive_ips:addMask('127.0.0.0/8')
recursive_ips:addMask('10.0.0.0/8')

auth_domains = newSuffixMatchNode()
auth_domains:add("sub.mydomain.in")

addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), PoolAction('authoritative'))
addAction(AndRule({SuffixMatchNodeRule(auth_domains), OrRule({QTypeRule(DNSQType.SOA), QTypeRule(DNSQType.NS)})}), PoolAction('authoritative'))

addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))

addAction(AllRule(), PoolAction('authoritative'))

[hlindqvist]

That is my current config to make it clear how I solved the issue. Looks good to me but maybe you see some mistakes and I'd better to test and think once more:

setLocal('10.0.0.2:53')
setACL({'127.0.0.0/8', '10.0.0.0/8'})

newServer({address='127.0.0.3:53', pool='authoritative', useProxyProtocol=true})
newServer({address='127.0.0.2:53', pool='recursor'})

recursive_ips = newNMG()
recursive_ips:addMask('127.0.0.0/8')
recursive_ips:addMask('10.0.0.0/8')

auth_domains = newSuffixMatchNode()
auth_domains:add("sub.mydomain.in")

addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), PoolAction('authoritative'))
addAction(AndRule({SuffixMatchNodeRule(auth_domains), OrRule({QTypeRule(DNSQType.SOA), QTypeRule(DNSQType.NS)})}), PoolAction('authoritative'))

addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))

addAction(AllRule(), PoolAction('authoritative'))

As there is no obvious benefit to sending non-RD queries to recursor, I still feel like just choosing pools based on RD (as I suggested earlier) would be way easier and cleaner.

Assuming that recursor itself has an ACL (maybe not, as useproxyprotocol isn't used for that pool? but maybe it could be?), even just something like this is probably enough(?):

setLocal('10.0.0.2:53')
setACL({'127.0.0.0/8', '10.0.0.0/8'})

newServer({address='127.0.0.3:53', pool='authoritative', useProxyProtocol=true})
newServer({address='127.0.0.2:53', pool='recursor'})

addAction(NotRule(RDRule()), PoolAction('authoritative'))
addAction(AllRule(), PoolAction('recursor'))

(Otherwise adding back just the recursive_ips portion ought to be enough to implement a recursor-specific ACL on the dnsdist end)

Just my two cents.

[nixargh]

recursor itself has an ACL (maybe not, as useproxyprotocol isn't used for that pool? but maybe it could be?)

It has since yesterday, so you are probably right that it allows to remove recursive_ips rule.

RDRule

Hm, I didn't get what it means before, now I'm going to check. Thank you.

[nixargh]

recursor itself has an ACL (maybe not, as useproxyprotocol isn't used for that pool? but maybe it could be?)

It has since yesterday, so you are probably right that it allows to remove recursive_ips rule.

RDRule

Hm, I didn't get what it means before, now I'm going to check. Thank you.

That config works perfect:

setLocal('10.0.0.2:53')
setACL({'127.0.0.0/8', '10.0.0.0/8'})

newServer({address='127.0.0.2:53', pool='recursor', useProxyProtocol=true})
newServer({address='127.0.0.3:53', pool='authoritative', useProxyProtocol=true})

addAction(NotRule(RDRule()), PoolAction('authoritative'))

addAction(AllRule(), PoolAction('recursor'))

And BTW, I've created the PR to add my 50 cent about autosecondary queries.