[CentOS-mirror] Misconfiguration of mirror.centos.org SOA in pdnsX.centos.org

Fri Dec 5 07:09:45 UTC 2014
Fabian Arrotin <arrfab at centos.org>

On 05/12/14 00:57, Tom Lanyon wrote:
> 
> When doing an AAAA lookup for mirror.centos.org, our BIND resolvers
> are throwing FORMERR errors.
> 
> It appears this is because mirror.centos.org is a separate zone
> delegated to pdns1.centos.org and pdns3.centos.org, however when
> queried for a non-existent record it's returning the SOA for
> centos.org in the authority section of the response (instead of an
> SOA for mirror.centos.org as it should).
> 
> Is there someone on this list who could update PowerDNS to serve
> the correct mirror.centos.org SOA record for that zone, rather than
> the centos.org SOA?
> 
> [please copy me directly in any responses as I'm not subscribed to
> the list]
> 
> Thanks, Tom
> 
> 
> Example:
> 
> 
> $ dig @ns1.centos.org mirror.centos.org aaaa +norecurse
> 
> ; <<>> DiG 9.8.3-P1 <<>> @ns1.centos.org mirror.centos.org aaaa +norecurse
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56358
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
> 
> ;; QUESTION SECTION:
> ;mirror.centos.org.		IN	AAAA
> 
> ;; AUTHORITY SECTION:
> mirror.centos.org.	600	IN	NS	pdns3.centos.org.
> mirror.centos.org.	600	IN	NS	pdns1.centos.org.
> 
> ;; ADDITIONAL SECTION:
> pdns1.centos.org.	600	IN	A	84.22.180.89
> pdns3.centos.org.	600	IN	A	93.113.36.66
> 
> ;; Query time: 279 msec
> ;; SERVER: 199.187.126.93#53(199.187.126.93)
> ;; WHEN: Fri Dec  5 10:18:37 2014
> ;; MSG SIZE  rcvd: 107
> 
> 
> $ dig @pdns1.centos.org mirror.centos.org aaaa +norecurse
> 
> ; <<>> DiG 9.8.3-P1 <<>> @pdns1.centos.org mirror.centos.org aaaa +norecurse
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12613
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;mirror.centos.org.		IN	AAAA
> 
> ;; AUTHORITY SECTION:
> centos.org.		3600	IN	SOA	ns1.centos.org. hostmaster.centos.org. 2008080300 1800 3600 604800 3600
> 
> ;; Query time: 446 msec
> ;; SERVER: 84.22.180.89#53(84.22.180.89)
> ;; WHEN: Fri Dec  5 10:18:45 2014
> ;; MSG SIZE  rcvd: 86
> 


Well, the first thing to know is that there is *no* AAAA record for
{mirror,vault,msync,cloud,etc} nodes (which are in the zone
delegated to the PowerDNS nodes), because, well, no IPv6 connectivity ...

The reason why those pdns nodes exist (and pdns2 just died yesterday
and is still unreachable) is that we use the custom pipe backend for
pdns, as we use GeoIP to redirect to the nearest one. (country/nearby
country/continent/random).

We can change the SOA for that backend script if needed, but we cover
multiple A records in that zone too, so the initial design was to
reply with the standard centos.org one (and as you can see the serial
number for that dynamic zone has never been updated either)

Kind Regards,

-- 

Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
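
The condition reported in the quoted message (a negative answer whose SOA
belongs to the parent zone rather than the delegated one), written as a check.
This is an added example, not code from this thread or from the CentOS
project; the records are copied from the dig output quoted above and all
function names are hypothetical.

```python
# Added example. Records are copied from the dig output quoted in this thread;
# all function names are hypothetical.
REFERRAL = """\
mirror.centos.org.	600	IN	NS	pdns3.centos.org.
mirror.centos.org.	600	IN	NS	pdns1.centos.org.
"""
NODATA_AUTHORITY = """\
centos.org.	3600	IN	SOA	ns1.centos.org. hostmaster.centos.org. 2008080300 1800 3600 604800 3600
"""

def norm(name):
    """Lower-case and make fully qualified, so comparisons are label-exact."""
    return name.rstrip(".").lower() + "."

def parse_rrs(text):
    """Parse dig-style 'owner ttl class type rdata...' lines."""
    rrs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        rrs.append((norm(fields[0]), fields[3].upper(), fields[4:]))
    return rrs

def is_at_or_below(name, zone):
    """True if name equals zone or is a subdomain of it (whole labels only)."""
    return zone == "." or name == zone or name.endswith("." + zone)

def zone_cut(referral_text):
    """Owner of the NS RRset in a referral, i.e. the delegated zone apex."""
    owners = {o for o, rtype, _ in parse_rrs(referral_text) if rtype == "NS"}
    if len(owners) != 1:
        raise ValueError("expected exactly one NS owner in the referral")
    return owners.pop()

def check_negative(qname, cut, authority_text):
    """Classify the SOA in a NODATA/NXDOMAIN authority section."""
    soa_owners = [o for o, t, _ in parse_rrs(authority_text) if t == "SOA"]
    if not soa_owners:
        return "no-soa"
    owner = soa_owners[0]
    if not is_at_or_below(norm(qname), owner):
        return "soa-does-not-cover-qname"
    if not is_at_or_below(owner, cut):
        return "soa-above-zone-cut"   # parent-zone SOA from the child's server
    return "ok"

if __name__ == "__main__":
    cut = zone_cut(REFERRAL)
    print(cut, check_negative("mirror.centos.org", cut, NODATA_AUTHORITY))
```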