Hi, I recently upgraded a Debian 9 / bind9 system to Debian 11, so that would be package version 1:9.10.3.dfsg.P4-12.3+deb9u12 to 1:9.16.27-1~deb11u1. Ever since doing so, one particular zone is unable to be transferred to any of the several PowerDNS secondary servers.
What happens is that a NOTIFY is sent out, PowerDNS sees it and queries for SOA and logs this:

    Nov 18 00:25:26 daiquiri pdns_server[32452]: While checking domain freshness: Query to '2001:ba8:1f1:f085::53' for SOA of 'f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa' did not return a SOA

This is a little baffling because "dig" on that host does produce the expected results:

    $ dig +short -t soa f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa @2001:ba8:1f1:f085::53
    ns0.ribenakid.me.uk. bind.ribenakid.me.uk. 1668670704 28800 14400 3600000 86400

I can also do an axfr from that host with "dig", and I can also force PDNS to do an axfr, which it successfully does. This is not happening with any of the other zones, just f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa.

Now, it could of course be a PDNS issue, but I did a tcpdump and saw an empty response packet go back, so it seems like my bind9 is doing something strange. I don't find any relevant log entries; nothing at all after the sending of the NOTIFY is logged, in fact.

Attached is empty-soa.txt, the text dump of the pcap of 4 packets. It shows:

1) 85.119.80.222 (another IP on the same host as 2001:ba8:1f1:f085::53) sending out a NOTIFY for "f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa" to 172.104.29.216 (one of the PDNS secondary servers).
2) 172.104.29.216 response back to the NOTIFY.
3) 172.104.29.216 query to 85.119.80.222 for SOA.
4) 85.119.80.222 empty response to 172.104.29.216.

Now, I DID notice that packet #4 has the truncated bit set, and there is no follow-up query from 172.104.29.216 over TCP. Probably the reason why this is seen with only this zone is that it's DNSSEC whereas most of the other zones aren't. A "dig +dnssec -t soa" is size 2293. So perhaps it is PDNS not handling the truncated response properly? Thing is, this zone has been DNSSEC signed for a very long time and PowerDNS was fine with querying SOA before I upgraded bind9.
The PDNS versions haven't changed, but even the latest stable version of the PowerDNS auth server is seeing the same thing. But I will also ask about this in the PDNS community.

I did an EDNS compliance check and it all came back okay: https://ednscomp.isc.org/ednscomp/a8c22e7194

Any insight would be appreciated!

Thanks,
Andy

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
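Added example, not from Andy's mail and not code from BIND or PowerDNS: a minimal SOA freshness check in the Python standard library that does what a secondary is expected to do when a UDP answer comes back with the TC bit set, namely retry the same query over TCP rather than read ANCOUNT=0 as "did not return a SOA". The zone name and the server address are the ones from the mail; the response bytes are constructed here to stand in for packet #4 of the pcap (TC set, no answer records), and all function names are my own.

```python
import socket
import struct

# Zone and server address are the ones in the post; everything else is constructed here.
ZONE = "f.4.1.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa"
QTYPE_SOA, QCLASS_IN, QTYPE_OPT = 6, 1, 41
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
EDNS_DO = 0x00008000  # DO bit sits in the high 16 bits of the OPT pseudo-RR "TTL" field


def encode_name(name):
    """Wire-format a domain name (no label compression; fine for a query)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_soa_query(name, txid=0x1234, dnssec=True, udp_size=4096):
    """SOA query with RD set and, when dnssec=True, an EDNS0 OPT RR carrying the DO bit."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(name) + struct.pack(">HH", QTYPE_SOA, QCLASS_IN)
    msg = header + question
    if dnssec:
        # OPT RR: root name, TYPE=41, CLASS=our UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack(">HHIH", QTYPE_OPT, udp_size, EDNS_DO, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict, including the TC flag and RCODE."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an, "nscount": ns,
            "arcount": ar, "tc": bool(flags & FLAG_TC), "rcode": flags & 0x0F}


def classify_response(msg):
    """How a freshness check should treat a response: TC must be checked before ANCOUNT."""
    h = parse_header(msg)
    if h["tc"]:
        return "truncated"   # the answer section is incomplete; retry over TCP
    if h["rcode"] != 0:
        return "error"
    if h["ancount"] == 0:
        return "no-soa"      # a genuinely empty answer
    return "soa"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from DNS server")
        buf += chunk
    return buf


def query_soa(server, name, timeout=3.0):
    """UDP first; fall back to TCP when TC is set. Returns (response bytes, transport used)."""
    q = build_soa_query(name)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(65535)
    if classify_response(resp) != "truncated":
        return resp, "udp"
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))
        s.sendall(struct.pack(">H", len(q)) + q)   # DNS over TCP is two-byte length prefixed
        (length,) = struct.unpack(">H", _recv_exact(s, 2))
        resp = _recv_exact(s, length)
    return resp, "tcp"


# Constructed stand-in for packet #4 of the pcap: authoritative reply, TC set, no answer records.
# A client that only inspects ANCOUNT would log this as "did not return a SOA".
_query = build_soa_query(ZONE)
TRUNCATED_EMPTY_RESPONSE = (
    struct.pack(">HH", 0x1234, FLAG_QR | FLAG_AA | FLAG_TC | FLAG_RD | FLAG_RA) + _query[4:]
)
# Constructed: identical header with TC clear, i.e. a real "no SOA" answer.
EMPTY_RESPONSE = struct.pack(">HH", 0x1234, FLAG_QR | FLAG_AA | FLAG_RD | FLAG_RA) + _query[4:]

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "2001:ba8:1f1:f085::53"
    resp, transport = query_soa(server, ZONE)
    print(transport, classify_response(resp), parse_header(resp))
```

Run against the primary to see whether the UDP answer is truncated and whether the TCP retry then returns the SOA; a `tcpdump -i any port 53` alongside it should show the TCP follow-up that the pcap in the mail lacks.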