When doing an AAAA lookup for mirror.centos.org, our BIND resolvers are throwing FORMERR errors.
It appears this is because mirror.centos.org is a separate zone delegated to pdns1.centos.org and pdns3.centos.org, however when queried for a non-existent record it's returning the SOA for centos.org in the authority section of the response (instead of an SOA for mirror.centos.org as it should).
Is there someone on this list who could update PowerDNS to serve the correct mirror.centos.org SOA record for that zone, rather than the centos.org SOA?
[please copy me directly in any responses as I'm not subscribed to the list]
Thanks, Tom
Example:
→ dig @ns1.centos.org mirror.centos.org aaaa +norecurse
; <<>> DiG 9.8.3-P1 <<>> @ns1.centos.org mirror.centos.org aaaa +norecurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56358
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;mirror.centos.org. IN AAAA

;; AUTHORITY SECTION:
mirror.centos.org. 600 IN NS pdns3.centos.org.
mirror.centos.org. 600 IN NS pdns1.centos.org.

;; ADDITIONAL SECTION:
pdns1.centos.org. 600 IN A 84.22.180.89
pdns3.centos.org. 600 IN A 93.113.36.66

;; Query time: 279 msec
;; SERVER: 199.187.126.93#53(199.187.126.93)
;; WHEN: Fri Dec 5 10:18:37 2014
;; MSG SIZE rcvd: 107

→ dig @pdns1.centos.org mirror.centos.org aaaa +norecurse
; <<>> DiG 9.8.3-P1 <<>> @pdns1.centos.org mirror.centos.org aaaa +norecurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12613
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mirror.centos.org. IN AAAA

;; AUTHORITY SECTION:
centos.org. 3600 IN SOA ns1.centos.org. hostmaster.centos.org. 2008080300 1800 3600 604800 3600

;; Query time: 446 msec
;; SERVER: 84.22.180.89#53(84.22.180.89)
;; WHEN: Fri Dec 5 10:18:45 2014
;; MSG SIZE rcvd: 86

On 05/12/14 00:57, Tom Lanyon wrote:
> When doing an AAAA lookup for mirror.centos.org, our BIND resolvers are throwing FORMERR errors.
> It appears this is because mirror.centos.org is a separate zone delegated to pdns1.centos.org and pdns3.centos.org, however when queried for a non-existent record it's returning the SOA for centos.org in the authority section of the response (instead of an SOA for mirror.centos.org as it should).
> Is there someone on this list who could update PowerDNS to serve the correct mirror.centos.org SOA record for that zone, rather than the centos.org SOA?
> [please copy me directly in any responses as I'm not subscribed to the list]
> Thanks, Tom
> Example:
> → dig @ns1.centos.org mirror.centos.org aaaa +norecurse
> ; <<>> DiG 9.8.3-P1 <<>> @ns1.centos.org mirror.centos.org aaaa +norecurse
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56358
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;mirror.centos.org. IN AAAA
>
> ;; AUTHORITY SECTION:
> mirror.centos.org. 600 IN NS pdns3.centos.org.
> mirror.centos.org. 600 IN NS pdns1.centos.org.
>
> ;; ADDITIONAL SECTION:
> pdns1.centos.org. 600 IN A 84.22.180.89
> pdns3.centos.org. 600 IN A 93.113.36.66
>
> ;; Query time: 279 msec
> ;; SERVER: 199.187.126.93#53(199.187.126.93)
> ;; WHEN: Fri Dec 5 10:18:37 2014
> ;; MSG SIZE rcvd: 107
>
> → dig @pdns1.centos.org mirror.centos.org aaaa +norecurse
> ; <<>> DiG 9.8.3-P1 <<>> @pdns1.centos.org mirror.centos.org aaaa +norecurse
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12613
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;mirror.centos.org. IN AAAA
>
> ;; AUTHORITY SECTION:
> centos.org. 3600 IN SOA ns1.centos.org. hostmaster.centos.org. 2008080300 1800 3600 604800 3600
>
> ;; Query time: 446 msec
> ;; SERVER: 84.22.180.89#53(84.22.180.89)
> ;; WHEN: Fri Dec 5 10:18:45 2014
> ;; MSG SIZE rcvd: 86

Well, the first thing to know is that there is *no* AAAA record for {mirror,vault,msync,cloud,etc} nodes (and that are in the zone delegated to the PowerDNS nodes), because, well, no IPv6 connectivity ...
The reason why those pdns nodes exist (and pdns2 just died yesterday and is still unreachable) is that we use the custom pipe backend for pdns, as we use GeoIP to redirect to the nearest one. (country/nearby country/continent/random).
We can change the SOA for that backend script if needed, but we cover multiple A records in that zone too, so the initial design was to reply with the standard centos.org one (and as you can see the serial number for that dynamic zone has never been updated either)
Kind Regards,
--
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
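
The mismatch reported in this thread can be checked mechanically: take the delegation point from the parent's referral and verify that the SOA in the child's negative answer is owned at or below it. This is an added example, not code from the thread or from the CentOS or PowerDNS projects; the function names are hypothetical and the `EXPECTED` record is constructed.

```python
# Added example (not from the thread). Function names are hypothetical.
def norm(name):
    return name.rstrip(".").lower()

def is_subdomain(name, zone):
    """True if name is equal to or below zone."""
    n, z = norm(name), norm(zone)
    return z == "" or n == z or n.endswith("." + z)

def parse_records(text):
    """Parse dig-style 'owner ttl class type rdata' lines, skipping comments."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and not parts[0].startswith(";") and parts[1].isdigit():
            records.append((parts[0], parts[3].upper()))
    return records

def zone_cut(referral, qname):
    """Deepest NS owner in the parent's referral that encloses qname."""
    cuts = [o for o, t in parse_records(referral) if t == "NS" and is_subdomain(qname, o)]
    return max(cuts, key=lambda o: norm(o).count("."), default=None)

def check_negative_soa(referral, answer, qname):
    """Classify the SOA in a negative answer against the delegation point."""
    cut = zone_cut(referral, qname)
    soas = [o for o, t in parse_records(answer) if t == "SOA"]
    if cut is None:
        return "no-delegation"
    if not soas:
        return "no-soa"
    if not is_subdomain(qname, soas[0]):
        return "soa-not-enclosing"
    if not is_subdomain(soas[0], cut):
        return "soa-above-zone-cut"
    return "ok"

QNAME = "mirror.centos.org."
# Authority sections copied from the dig output in the first message.
REFERRAL = """mirror.centos.org. 600 IN NS pdns3.centos.org.
mirror.centos.org. 600 IN NS pdns1.centos.org."""
OBSERVED = "centos.org. 3600 IN SOA ns1.centos.org. hostmaster.centos.org. 2008080300 1800 3600 604800 3600"
# Constructed: what a zone-apex SOA could look like; the rdata is a placeholder.
EXPECTED = "mirror.centos.org. 3600 IN SOA pdns1.centos.org. hostmaster.centos.org. 1 1800 3600 604800 3600"

if __name__ == "__main__":
    print(check_negative_soa(REFERRAL, OBSERVED, QNAME))  # soa-above-zone-cut
    print(check_negative_soa(REFERRAL, EXPECTED, QNAME))  # ok
```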