Inconsistency within TTL of records expanded during AXFR #15174

Open
2 tasks done
sdomi opened this issue Feb 18, 2025 · 2 comments

@sdomi

sdomi commented Feb 18, 2025

Short description

When using ALIAS/ANAME with outgoing-axfr-expand-alias=yes, the primary server ends up using the upstream TTL, while all secondaries use the record's TTL. This can be narrowed down to PowerDNS sending a different value during AXFR compared to a regular query:

$ dig @sakamoto.pl. AXFR sdomi.pl. | grep 'A\t185.236.240.103'
sdomi.pl.		3600	IN	A	185.236.240.103
$ dig @sakamoto.pl. A sdomi.pl. | grep 'A\t185.236.240.103'
sdomi.pl.		19530	IN	A	185.236.240.103

The ALIAS record is:

sdomi.pl. 3600 IN ALIAS sakamoto.pl.

The upstream A record is:

sakamoto.pl. 86400 IN A 185.236.240.103

With every subsequent query to the primary, the value is either decreased or some random offset is added; I haven't found any mention of this in the docs.

Environment

  • Operating system: Alpine Linux edge
  • Software version: 4.9.4
  • Software source: repo

Steps to reproduce

pdns.conf

  1. create any record with any TTL
  2. create an ALIAS record pointing to it with a different TTL
  3. observe

Expected behaviour

Generally, I'd expect the ALIAS' TTL to be mirrored for all records, just like it is done on secondaries. If not, a static value taken from the upstream would make this less weird to debug for others (and less prone to causing heart attacks, thinking that someone is MitMing your server)
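
The comparison made by hand with dig above can be scripted. The following is an added example, not part of the issue or of PowerDNS: it flags any record whose TTL differs between two saved dig outputs. The function names `ttl_diff` and `demo_issue_case` are hypothetical, and the sample files are constructed from the two answers quoted in the issue.

```shell
#!/bin/sh
# Added example (not PowerDNS code): flag records whose TTL differs between
# two dig outputs, such as an AXFR and a direct query to the same primary.

# ttl_diff FILE_A FILE_B
# Prints "name type rdata ttl_a ttl_b" for every (name, type, rdata) tuple
# present in both files with different TTLs. Exit status 1 on any mismatch.
ttl_diff() {
    awk '
        $1 ~ /^;/ { next }                   # dig comment and header lines
        NF < 5 || $2 !~ /^[0-9]+$/ { next }  # need: name TTL class type rdata
        {
            # Join fields 5..NF so multi-field rdata (MX, TXT, SOA) is one key.
            rdata = $5
            for (i = 6; i <= NF; i++) rdata = rdata " " $i
            key = tolower($1) " " $4 " " rdata
            if (src == "a") { ttl[key] = $2; next }
            if ((key in ttl) && ttl[key] != $2) {
                print key, ttl[key], $2
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' src=a "$1" src=b "$2"
}

# demo_issue_case: runs ttl_diff on the two answers quoted in the issue
# (sample files constructed from that dig output). Always returns 0.
demo_issue_case() {
    tmp=$(mktemp -d) || return 1
    printf 'sdomi.pl.\t\t3600\tIN\tA\t185.236.240.103\n' > "$tmp/axfr"
    printf '; constructed header line\nsdomi.pl.\t\t19530\tIN\tA\t185.236.240.103\n' > "$tmp/query"
    ttl_diff "$tmp/axfr" "$tmp/query" || true   # a mismatch is expected here
    rm -rf "$tmp"
    return 0
}

demo_issue_case
```

Run against saved output from the primary and from each secondary, a non-zero exit status from `ttl_diff` makes the mismatch easy to alert on.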

@miodvallat
Contributor

This looks like an incorrectly initialized value somewhere. I've unfortunately been unable to reproduce the issue locally - I get the correct TTL values for every record.

Have you built the pdns_server binaries yourself? If so, which compiler version and compiler options have you been using?

@sdomi
Author

sdomi commented Feb 20, 2025

I'm using the binaries from Alpine's repositories, sorry that I didn't specify this clearly enough. Non-zero chance that this is a musl vs glibc thing, too.
