Mar 2, 2015

Back in 2011, in the work leading up to the biggest release of the Authoritative Server so far (3.0, with DNSSEC), in an attempt to bring the rcode for a ‘dangling CNAME’ in line with BIND, by accident the rcode for ‘we have no idea about this zone at all’ was also changed to NOERROR. This mostly went unnoticed; we got the occasional question about this behaviour, and always reassured people that this new behaviour was correct. We are aware of other (minority) auths that also do this. We still hold the position that this behaviour is correct, by the way.

However, the DNS landscape is changing. More and more parties are doing their own authoritative DNS implementations, or are buying expensive load balancers on which DNS was an afterthought. Many of these products send bogus replies to any questions that are weird to them (AAAA; EDNS; uppercase names; you name it, some vendor will have broken it). Specifically, it is now common for broken auths to respond with an empty, non-authoritative (AA=0), NOERROR reply when asked for AAAA. This reply is indistinguishable from a PowerDNS auth saying ‘this zone is unknown to me’!

As a result of this, some implementers of recursive servers (notably Google Public DNS, notably not the PowerDNS Recursor) have chosen to treat this reply as NODATA instead of ‘this server is lame’. This means that if one of your PowerDNS auths loses a zone (or a whole database, or suffers any number of other operator errors), Google Public DNS will take your ‘i dunno’ for ‘definitely not’, breaking your zone!

Given all this, while we are confident that our approach since 3.0 is valid, we have decided to change our behaviour, and from now on the PowerDNS Authoritative Server will send REFUSED replies to any questions for unknown zones. This change will also be in Authoritative Server 3.4.3, released today.

Should you currently be affected by this incompatibility between your pre-3.4.3 auth and Google Public DNS or another recursor that misunderstands these replies, then you can use send-root-referral=lean to confuse the resolver into thinking you are lame for a zone. Do note that OARC recommends against this, and indeed recommends REFUSED, which PowerDNS has now switched to.
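To make the ambiguity concrete, here is an added example (not PowerDNS code) that builds constructed 12-byte DNS response headers and classifies them the way a recursor has to: the pre-3.4.3 ‘unknown zone’ reply and a broken load balancer’s empty AAAA reply have identical header fields, while REFUSED is unambiguous. It is a simplification that only looks at header flags and section counts, not at the authority section contents a real recursor would also inspect.

```python
import struct

RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5


def build_header(rcode, aa, ancount=0, nscount=0, qdcount=1, txid=0x1234):
    """Constructed DNS response header: QR=1, opcode QUERY, RD=1, RA=0."""
    flags = (1 << 15) | (aa << 10) | (1 << 8) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, 0)


def classify(header):
    """Decide what an authoritative reply means, using only the header."""
    _txid, flags, _qd, ancount, nscount, _ar = struct.unpack("!HHHHHH", header[:12])
    rcode = flags & 0xF
    aa = (flags >> 10) & 1
    if rcode == RCODE_REFUSED:
        # Unambiguous: this server does not serve the zone, try another NS.
        return "REFUSED"
    if rcode == RCODE_NXDOMAIN and aa:
        return "NXDOMAIN"
    if rcode == RCODE_NOERROR and ancount > 0:
        return "ANSWER"
    if rcode == RCODE_NOERROR and ancount == 0:
        if aa and nscount > 0:
            # Authoritative, empty answer, SOA in authority: a real NODATA.
            return "NODATA"
        if not aa:
            # Lame delegation and broken NODATA look exactly the same here.
            return "AMBIGUOUS"
    return "OTHER"


# Constructed sample replies, all to the same hypothetical AAAA query.
OLD_POWERDNS_UNKNOWN_ZONE = build_header(RCODE_NOERROR, aa=0)       # pre-3.4.3
BROKEN_LOAD_BALANCER_AAAA = build_header(RCODE_NOERROR, aa=0)       # bogus NODATA
NEW_POWERDNS_UNKNOWN_ZONE = build_header(RCODE_REFUSED, aa=0)       # 3.4.3 and later
PROPER_NODATA = build_header(RCODE_NOERROR, aa=1, nscount=1)        # SOA in authority


def same_on_the_wire(a, b):
    """True when two replies cannot be told apart by a recursor."""
    return a == b and classify(a) == classify(b)


if __name__ == "__main__":
    for name, hdr in [("old unknown zone", OLD_POWERDNS_UNKNOWN_ZONE),
                      ("broken LB AAAA", BROKEN_LOAD_BALANCER_AAAA),
                      ("new unknown zone", NEW_POWERDNS_UNKNOWN_ZONE),
                      ("proper NODATA", PROPER_NODATA)]:
        print(f"{name:18} -> {classify(hdr)}")
```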

About the author

Peter van Dijk

Senior Developer at PowerDNS
