From: Klaus Darilion Date: Wed, 6 Apr 2022 09:45:54 +0000 (+0000) Subject: New setting compare-signatures-on-zone-freshness-check to disable DO flag for SOA... X-Git-Tag: rec-4.8.0-alpha1~28^2~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=343566c59bc06ef4f246e0a49e903b9dbd9d1722;p=thirdparty%2Fpdns.git New setting compare-signatures-on-zone-freshness-check to disable DO flag for SOA checks Turning this off will disable the DO flag for SOA queries during zone freshness checks of secondary zones to workaround truncated SOA responses. It will also disable signature comparison which are used to detect signature changes even when the serial was not increased. Hence, disable this setting only if the Primary name server always increases the serial on signature changes. Default: yes (= old behavior)
---
diff --git a/docs/modes-of-operation.rst b/docs/modes-of-operation.rst
index 0b2be10f32..6ada9d2699 100644
--- a/docs/modes-of-operation.rst
+++ b/docs/modes-of-operation.rst
@@ -101,6 +101,20 @@ retrieved and inserted into the database. In any case, after the check, the domain is declared 'fresh', and will only be checked again after '**refresh**' seconds have passed.
+If the serial on the Primary is equal to the serial on the Secondary,
+but the zone is presigned, the Secondary will also compare the RRSIG
+of the SOA and queue a zone transfer if the signatures are different.
+This is useful if the Primary is also PowerDNS as the serial may not be
+increased although signatures are updated. To compare also the RRSIGs,
+PowerDNS sets the DO flag when querying the SOA on the Primary. Setting
+the DO flag may trigger truncated responses and the SOA check should
+fall-back to TCP. As this fall-back is currently not supported in
+PowerDNS, freshnes checks may fail. If it is known that the Primary
+always increases the serial on signature changes, signature comparison
+can be turned off by disabling
+:ref:`setting-compare-signatures-on-zone-freshness-check`. This will disable
+the DO flag and should work around the truncate issue.
+
 When the freshness of a domain cannot be checked, e.g. because the master is offline, PowerDNS will retry the domain after :ref:`setting-xfr-cycle-interval` seconds.
diff --git a/docs/settings.rst b/docs/settings.rst
index ef7860c9f5..8bb24f1a9f 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -273,6 +273,21 @@ Either don't ``chroot`` on these systems or set the 'Type' of the service to 'simple' instead of 'notify' (refer to the systemd documentation on how to modify unit-files).
+.. _setting-compare-signatures-on-zone-freshness-check:
+
+``compare-signatures-on-zone-freshness-check``
+----------------------------------------------
+
+.. versionadded:: 4.7.0
+
+- Boolean
+- Default: yes
+
+Turning this off will disable the DO flag for SOA queries during zone freshness checks of secondary zones
+to workaround truncated SOA responses. It will also disable signature comparison which are used to detect
+signature changes even when the serial was not increased. Hence, disable this setting only if the Primary
+name server always increases the serial on signature changes.
+
 .. _setting-config-dir: ``config-dir``
diff --git a/pdns/auth-main.cc b/pdns/auth-main.cc
index 932f4e9cfe..1e407aa230 100644
--- a/pdns/auth-main.cc
+++ b/pdns/auth-main.cc
@@ -211,6 +211,7 @@ void declareArguments()
 ::arg().set("allow-notify-from", "Allow AXFR NOTIFY from these IP ranges. If empty, drop all incoming notifies.") = "0.0.0.0/0,::/0";
 ::arg().set("slave-cycle-interval", "Schedule slave freshness checks once every .. seconds") = "60";
 ::arg().set("xfr-cycle-interval", "Schedule primary/secondary SOA freshness checks once every .. seconds") = "60";
+ ::arg().set("compare-signatures-on-zone-freshness-check", "Set DO flag on SOA queries to receive signatures for signature comparison") = "yes";
 ::arg().set("tcp-control-address", "If set, PowerDNS can be controlled over TCP on this address") = "";
 ::arg().set("tcp-control-port", "If set, PowerDNS can be controlled over TCP on this address") = "53000";
diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
index fcb47be130..1266901007 100644
--- a/pdns/slavecommunicator.cc
+++ b/pdns/slavecommunicator.cc
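Review bot: The help text registered for `compare-signatures-on-zone-freshness-check` in the auth-main.cc hunk describes only the DO-flag side of the switch, while the settings.rst hunk states that turning it off also disables RRSIG comparison, so an operator reading the built-in help or a generated config file never sees that trade-off. Suggest `::arg().set("compare-signatures-on-zone-freshness-check", "Set DO flag on SOA queries to receive signatures for signature comparison; when disabled, signature-only changes on the primary are not detected, so the primary must increase the serial on re-signing") = "yes";`. declareArguments() continues outside the hunk.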
@@ -1182,7 +1182,11 @@ void CommunicatorClass::slaveRefresh(PacketHandler *P)
 DomainNotificationInfo dni;
 dni.di=di;
- dni.dnssecOk = dk.doesDNSSEC();
+ if (::arg().mustDo("compare-signatures-on-zone-freshness-check")) {
+ dni.dnssecOk = dk.doesDNSSEC();
+ } else {
+ dni.dnssecOk = false;
+ }
 if(dk.getTSIGForAccess(di.zone, sr.master, &dni.tsigkeyname)) {
 string secret64;
@@ -1327,7 +1331,7 @@ void CommunicatorClass::slaveRefresh(PacketHandler *P)
 } else if(hasSOA && theirserial == ourserial) {
 uint32_t maxExpire=0, maxInception=0;
- if(dk.isPresigned(di.zone)) {
+ if(dk.isPresigned(di.zone) && ::arg().mustDo("compare-signatures-on-zone-freshness-check")) {
 B->lookup(QType(QType::RRSIG), di.zone, di.id); // can't use DK before we are done with this lookup!
 DNSZoneRecord zr;
 while(B->get(zr)) {
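Review bot: The same setting is looked up twice inside slaveRefresh() via `::arg().mustDo("compare-signatures-on-zone-freshness-check")`, once in the first hunk when filling `dni.dnssecOk` and again in the second hunk in the presigned branch; the two sites can drift apart on a later edit, and the first one appears to sit in a per-domain loop (inferred, the loop header is not in the hunk). Read it once near the top of the function, `const bool compareSignatures = ::arg().mustDo("compare-signatures-on-zone-freshness-check");`, and use that at both sites, which also lets the five-line if/else of the first hunk collapse to `dni.dnssecOk = compareSignatures && dk.doesDNSSEC();`. With the setting off and a presigned zone, the second hunk now skips the RRSIG walk, so `maxExpire`/`maxInception` stay at 0 (presumably handled as in the non-presigned path) and a re-sign on the primary without a serial bump is no longer detected; a one-time warning log for presigned zones when the comparison is disabled would help operators diagnose stale-signature reports. slaveRefresh() starts and ends outside both hunks.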