PowerDNS and a strange NXDomain

Question

Allow me first to set the scene.

We used to use Bind9, but ditched it in favour of PowerDNS, because, frankly, Bind sucks.

We have a "primary" zone in our DNS master. london.wibblesplat.com There's other zones too, oob.london.wibblesplat.com

The majority of addresses in the non-oob zone are in the range 192.168.0.0/16. The IP of the dns-1 server is 192.168.123.140. (I'm not sure if this is relevant).

I wanted to add some out-of-band (oob) access IPs to the oob.london.wibblesplat.com zone in the range 172.16.254.0/24

This is what's in the database that drives powerdns.

    powerdns=# select * from records where name like '%switch%';
   id   | domain_id |                        name                        | type |    content    | ttl  | prio | change_date | ordername | auth 
--------+-----------+----------------------------------------------------+------+---------------+------+------+-------------+-----------+------
 190709 |        24 | renderchassis-1-switch-A1.london.wibblesplat.com | A    | 172.16.254.12 | 3600 |    0 |  1328715923 |           | 
 190710 |        24 | renderchassis-1-switch-A2.london.wibblesplat.com | A    | 172.16.254.3  | 3600 |    0 |  1328715923 |           | 
 190711 |        24 | renderchassis-2-switch-A1.london.wibblesplat.com | A    | 172.16.254.2  | 3600 |    0 |  1328715923 |           | 
 190712 |        24 | renderchassis-2-switch-A2.london.wibblesplat.com | A    | 172.16.254.13 | 3600 |    0 |  1328715923 |           | 
(4 rows)

This is what dig says.

tom.oconnor@charcoal-black:~$ dig renderchassis-1-switch-A1 +search
; <<>> DiG 9.7.0-P1 <<>> renderchassis-1-switch-A1 +search
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28586
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;renderchassis-1-switch-A1.london.wibblesplat.com. IN A

;; AUTHORITY SECTION:
london.wibblesplat.com. 1800    IN  SOA dns1.london.wibblesplat.com. hostmaster.london.wibblesplat.com. 2012020803 28800 7200 604800 86400

;; Query time: 2 msec
;; SERVER: 192.168.123.140#53(192.168.123.140)
;; WHEN: Wed Feb  8 15:58:53 2012
;; MSG SIZE  rcvd: 120

Why is PowerDNS not serving the record? It exists. The query should be fine. Is there something weird about zones not being served if the A record isn't in the subnet the server has access to? (I can't see this being right, what if I wanted (for whatever reason) to re-publish an A record for 8.8.8.8 or whatever).

Any thoughts?

EDIT:

The plot thickens. Out of interest, I nuked the old records, and added some new, shorter ones.

powerdns=# select * from records where name like '%rc1sw%' or content like '%rc1sw%';
   id   | domain_id |            name             | type |    content    | ttl  | prio | change_date | ordername | auth 
--------+-----------+-----------------------------+------+---------------+------+------+-------------+-----------+------
 190810 |        23 | rc1sw1.london.wibblesplat.com | A    | 172.16.254.12 | 3600 |    0 |  1328720986 |           | 
 190811 |        23 | rc1sw2.london.wibblesplat.com | A    | 172.16.254.3  | 3600 |    0 |  1328720999 |   

    |

And now.. tom.oconnor@charcoal-black:~$ dig rc1sw1 +search

; <<>> DiG 9.7.0-P1 <<>> rc1sw1 +search
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32849
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rc1sw1.london.wibblesplat.com. IN  A

;; ANSWER SECTION:
rc1sw1.london.wibblesplat.com. 3600 IN  A   172.16.254.12

;; Query time: 0 msec
;; SERVER: 192.168.123.140#53(192.168.123.140)
;; WHEN: Wed Feb  8 17:10:35 2012
;; MSG SIZE  rcvd: 61

And it works.

Seems Powerdns might not like so many - characters in a Name. I'll bear that in mind, and carry on. Still, an answer might be nice.

OK, it's the -A1 it doesn't like.

Have a look at this.

powerdns=# select * from records order by id desc limit 5;
   id   | domain_id |              name               | type |             content             | ttl  | prio | change_date | ordername | auth 
--------+-----------+---------------------------------+------+---------------------------------+------+------+-------------+-----------+------
 190830 |        23 | bunt-1-A1.london.wibblesplat.com  | A    | 127.0.0.1                       |  120 |    0 |  1328722058 |           | 
 190829 |        22 | 80.124.168.192.in-addr.arpa.    | PTR  | claret-red.london.wibblesplat.com | 3600 |    0 |  1328722007 |           | 
 190828 |        23 | claret-red.london.wibblesplat.com | A    | 192.168.124.80                  | 3600 |    0 |  1328722007 |           | 
 190825 |        23 | BUNT.london.wibblesplat.com       | A    | 127.0.0.1                       |  120 |    0 |  1328721975 |           | 
 190824 |        23 | bunt.london.wibblesplat.com       | A    | 127.0.0.1                       |  120 |    0 |  1328721967 |    

   |

and

tom.oconnor@charcoal-black:~$ dig bunt +search

; <<>> DiG 9.7.0-P1 <<>> bunt +search
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34027
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bunt.london.wibblesplat.com.   IN  A

;; ANSWER SECTION:
bunt.london.wibblesplat.com. 120    IN  A   127.0.0.1

;; Query time: 1 msec
;; SERVER: 192.168.123.140#53(192.168.123.140)
;; WHEN: Wed Feb  8 17:27:15 2012
;; MSG SIZE  rcvd: 59

tom.oconnor@charcoal-black:~$ dig BUNT +search

; <<>> DiG 9.7.0-P1 <<>> BUNT +search
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60125
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;BUNT.london.wibblesplat.com.   IN  A

;; ANSWER SECTION:
BUNT.london.wibblesplat.com. 120    IN  A   127.0.0.1

;; Query time: 0 msec
;; SERVER: 192.168.123.140#53(192.168.123.140)
;; WHEN: Wed Feb  8 17:27:20 2012
;; MSG SIZE  rcvd: 59


tom.oconnor@charcoal-black:~$ dig bunt-1-A1 +search

; <<>> DiG 9.7.0-P1 <<>> bunt-1-A1 +search
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22009
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;    ; QUESTION SECTION:
;bunt-1-A1.         IN  A

;; AUTHORITY SECTION:
.           1800    IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2012020801 1800 900 604800 86400

;; Query time: 59 msec
;; SERVER: 192.168.123.140#53(192.168.123.140)
;; WHEN: Wed Feb  8 17:27:53 2012
;; MSG SIZE  rcvd: 102

the NXDOMAIN is for a name inside oob.london.wibblesplat.com. Have you done anything quirky with or towards that zone, like CNAMEing a domain name? — Habbie, Feb 08 '12 at 16:25
One thought... What's up with zone name `oob.london.wibblesplat.com` in the Authority section? Seems a little odd, since you queried a record in the `london.wibblesplat.com` zone... — Mathias R. Jessen, Feb 08 '12 at 16:34
can you show the SOA (in SQL) and the entry in the domains-table? — Habbie, Feb 08 '12 at 16:43
the number of dashes is not the reason, PowerDNS does not care. I notice that domain_id changed between your dumps, why? :) — Habbie, Feb 08 '12 at 17:20
also note that PostgreSQL has a habit of being case-sensitive, the uppercase A in your first version could be a problem as well — Habbie, Feb 08 '12 at 17:21
My problem was similar. Instead of using a SQL backend, we've got a pipe backend, which uses a python script to do some geolocated magic. The python script was doing case sensitive searches, and when someone looked up plaTFOrm.domain.org it was returning nothing. Answer was to convert query to lowercase early in the python script. — Criggie, Sep 20 '15 at 23:24

score 6 · Accepted Answer · answered Feb 08 '12 at 18:02

6

PostgreSQL, at least under the default PowerDNS table schema, is case sensitive. PowerDNS lowercases all queries. So, make sure to always lowercase your names.

answered Feb 08 '12 at 18:02

Habbie

745
3
9

How does that explain why some allcaps queries work, and some mixed-case ones don't. – Tom O'Connor Feb 08 '12 at 18:04
both your queries for bunt and BUNT are matching row 190824; change the IP on one of them to see. – Habbie Feb 08 '12 at 18:18
Ah, ok. Suffice to say, they weren't bunt in the actual table, but I thought I oughtn't say what it really was on here. – Tom O'Connor Feb 08 '12 at 18:20
I figured as much :) – Habbie Feb 08 '12 at 18:31

score 3 · Answer 2 · answered Feb 08 '12 at 17:40

So, It looks like PowerDNS has a massive thing about uppercase strings in certain configurations.

It'll accept BUNT and bunt, but not bunt-1-A1 or variants thereof.

See the edits on the Question, and this block of digs.

tom.oconnor@charcoal-black:~$ dig bunt-A0000.london.wibblesplat.com

; <<>> DiG 9.7.0-P1 <<>> bunt-A0000.london.wibblesplat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21482
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bunt-A0000.london.wibblesplat.com. IN  A

;; AUTHORITY SECTION:
london.wibblesplat.com. 86400   IN  SOA dns-1.london.wibblesplat.com. root.london.wibblesplat.com. 2012020835 28800 14400 2419200 86400

;; Query time: 1 msec
;; SERVER: 192.168.123.140#53(192.168.123.140)
;; WHEN: Wed Feb  8 17:39:01 2012
;; MSG SIZE  rcvd: 116

tom.oconnor@charcoal-black:~$ dig bunt-B.london.wibblesplat.com

; <<>> DiG 9.7.0-P1 <<>> bunt-B.london.wibblesplat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41445
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bunt-B.london.wibblesplat.com. IN  A

;; AUTHORITY SECTION:
london.wibblesplat.com. 86400   IN  SOA dns-1.london.wibblesplat.com. root.london.wibblesplat.com. 2012020835 28800 14400 2419200 86400

;; Query time: 1 msec
;; SERVER: 192.168.123.140#53(192.168.123.140)
;; WHEN: Wed Feb  8 17:39:09 2012
;; MSG SIZE  rcvd: 112

tom.oconnor@charcoal-black:~$ dig bunt-BUNT.london.wibblesplat.com

; <<>> DiG 9.7.0-P1 <<>> bunt-BUNT.london.wibblesplat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57635
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bunt-BUNT.london.wibblesplat.com.  IN  A

;; AUTHORITY SECTION:
london.wibblesplat.com. 86400   IN  SOA dns-1.london.wibblesplat.com. root.london.wibblesplat.com. 2012020835 28800 14400 2419200 86400

;; Query time: 1 msec
;; SERVER: 192.168.123.140#53(192.168.123.140)
;; WHEN: Wed Feb  8 17:39:14 2012
;; MSG SIZE  rcvd: 115

tom.oconnor@charcoal-black:~$ dig buntA1.london.wibblesplat.com

; <<>> DiG 9.7.0-P1 <<>> buntA1.london.wibblesplat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29929
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;buntA1.london.wibblesplat.com. IN  A

;; AUTHORITY SECTION:
london.wibblesplat.com. 86400   IN  SOA dns-1.london.wibblesplat.com. root.london.wibblesplat.com. 2012020835 28800 14400 2419200 86400

;; Query time: 1 msec
;; SERVER: 192.168.123.140#53(192.168.123.140)
;; WHEN: Wed Feb  8 17:39:18 2012
;; MSG SIZE  rcvd: 112

PowerDNS and a strange NXDomain

2 Answers2