[Dnsmasq-discuss] [patch] don't cache NODATA when upstream doesn't support recursion

Ben Winslow rain at bluecherry.net
Wed Apr 11 06:00:01 BST 2012

On 04/06/2012 03:33 AM, Simon Kelley wrote:
> On 06/04/12 07:35, Ben Winslow wrote:
>> Hello,
>> After a very confusing ordeal with dnsmasq, I've discovered that it will
>> cache a negative result when it does not find an acceptable answer in
>> the reply even if the upstream server does not support recursion. This
>> is particularly nasty if you're using --server to send some requests to
>> a server which does not support recursion, since a CNAME response can
>> then poison (well, somewhere between poison and delete) an arbitrary 
>> name.
> The patch looks sensible, thanks. Will apply next week when I'm back 
> from holiday.
> Sorry for your ordeal, in our defence we never claimed to be able to 
> talk to non-recursive nameservers, do log a very clear warning when we 
> try.
Indeed!  I also maintain the upstream server that's refusing to recurse 
for me, so I should've noticed sooner, but I missed the log message 
because the problem occurred semi-randomly -- the upstream server 
frequently has A records for the CNAME targets cached, and bind will 
return those cached results even if recursion is disabled.

I don't want to enable recursion globally on this server, and the client 
IPs aren't predictable enough for an acl.  Is there any chance dnsmasq 
will ever support TSIG signing of the queries it forwards?  ;)  (...bind 
can use signatures to identify a client for acl matching.  *I'd* use it, 
but I'd surely be the minority.)
> Cheers,
> Simon.


Ben Winslow <rain at bluecherry.net>
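The hazard described in this thread comes down to one header bit: a reply whose RA (recursion available) flag is clear is a partial answer, not proof that a name has no data, so it must not be turned into a cached NODATA entry. The following is an added illustration of that check written for this archive page; it is not Ben's patch and not dnsmasq's own code. It decodes the fixed DNS header with the standard library, then decides whether a reply that carried no usable record is safe to negatively cache. The sample replies are constructed header-only messages (question and answer sections omitted); the `answer_found` flag stands in for the caller's own answer-section walk, which is assumed rather than implemented here.

```python
import struct
from typing import Dict, Tuple

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000   # message is a response
FLAG_AA = 0x0400   # authoritative answer
FLAG_TC = 0x0200   # truncated
FLAG_RD = 0x0100   # recursion desired (copied from the query into the reply)
FLAG_RA = 0x0080   # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def parse_header(msg: bytes) -> Dict[str, object]:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": tid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def negative_cache_decision(msg: bytes, answer_found: bool) -> Tuple[bool, str]:
    """Return (cacheable, reason) for a reply.

    answer_found is the caller's verdict after walking the answer section
    (following CNAMEs) for a record of the queried type; that walk is
    assumed to exist elsewhere and is not part of this example.
    """
    h = parse_header(msg)
    if not h["qr"]:
        return False, "not a response"
    if h["tc"]:
        return False, "truncated; retry over TCP rather than caching"
    if answer_found:
        return False, "positive answer; belongs in the positive cache"
    if h["rcode"] not in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return False, "rcode %d is a failure, not a negative answer" % h["rcode"]
    if h["rd"] and not h["ra"]:
        # The case from the thread: we asked for recursion and the upstream
        # declined. An empty answer, or a bare CNAME whose target it would
        # not chase, is incomplete, so caching it as NODATA would wrongly
        # blank out the name for every client behind this cache.
        return False, "upstream did not recurse (RA=0); incomplete, do not cache"
    if h["rcode"] == RCODE_NXDOMAIN:
        return True, "NXDOMAIN from a recursing upstream"
    return True, "NODATA from a recursing upstream"


def build_header(tid: int, flags: int, qd: int = 1, an: int = 0,
                 ns: int = 0, ar: int = 0) -> bytes:
    """Pack a header; used only to construct the sample replies below."""
    return struct.pack("!HHHHHH", tid, flags, qd, an, ns, ar)


# Constructed sample replies (headers only, no question or answer sections).
REPLY_NODATA_RECURSIVE = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA, ns=1)
REPLY_NODATA_NONRECURSIVE = build_header(0x1234, FLAG_QR | FLAG_RD)
# A non-recursive server that holds the CNAME but will not chase its target:
# ANCOUNT is 1, yet the caller finds no record of the queried type.
REPLY_CNAME_ONLY_NONRECURSIVE = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_AA, an=1)
REPLY_NXDOMAIN_RECURSIVE = build_header(
    0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_NXDOMAIN, ns=1)


if __name__ == "__main__":
    for name, reply in [
        ("NODATA, RA=1", REPLY_NODATA_RECURSIVE),
        ("NODATA, RA=0", REPLY_NODATA_NONRECURSIVE),
        ("CNAME only, RA=0", REPLY_CNAME_ONLY_NONRECURSIVE),
        ("NXDOMAIN, RA=1", REPLY_NXDOMAIN_RECURSIVE),
    ]:
        print("%-18s -> %s" % (name, negative_cache_decision(reply, False)))
```

The RD bit in a reply is the one the resolver itself set in the query, so `rd and not ra` reads exactly as "we asked for recursion and this server could not provide it". A log line at that branch is the operational signal the thread describes: an upstream that cannot recurse should be noticed before its partial replies are trusted.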
