[Dnsmasq-discuss] [patch] don't cache NODATA when upstream doesn't support recursion

Simon Kelley simon at thekelleys.org.uk
Mon Apr 16 22:13:07 BST 2012

On 11/04/12 06:00, Ben Winslow wrote:
> On 04/06/2012 03:33 AM, Simon Kelley wrote:
>> On 06/04/12 07:35, Ben Winslow wrote:
>>> Hello,
>>> After a very confusing ordeal with dnsmasq, I've discovered that it will
>>> cache a negative result when it does not find an acceptable answer in
>>> the reply even if the upstream server does not support recursion. This
>>> is particularly nasty if you're using --server to send some requests to
>>> a server which does not support recursion, since a CNAME response can
>>> then poison (well, somewhere between poison and delete) an arbitrary
>>> name.
>> The patch looks sensible, thanks. Will apply next week when I'm back
>> from holiday.
> Thanks!
>> Sorry for your ordeal, in our defence we never claimed to be able to
>> talk to non-recursive nameservers, do log a very clear warning when we
>> try.
> Indeed!  I also maintain the upstream server that's refusing to recurse
> for me, so I should've noticed sooner, but I missed the log message
> because the problem occurred semi-randomly -- the upstream server
> frequently has A records for the CNAME targets cached, and bind will
> return those cached results even if recursion is disabled.
> I don't want to enable recursion globally on this server, and the client
> IPs aren't predictable enough for an acl.  Is there any chance dnsmasq
> will ever support TSIG signing of the queries it forwards?  ;)  (...bind
> can use signatures to identify a client for acl matching.  *I'd* use it,
> but I'd surely be the minority.)
>> Cheers,
>> Simon.
> Cheers,

Patch is in 2.61rc,
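The caching rule the thread is about, as an added illustration (this is not dnsmasq's code and not Ben's patch; it is a standalone, stdlib-only sketch written for this page). It builds constructed DNS reply messages, reads the RA flag from the header, and shows why a reply carrying only a CNAME from a server with RA clear must not be stored as NODATA for the queried name: the upstream never tried to follow the CNAME, so the absence of an A record says nothing about the name. The three-way `cache_decision` classification and the helper names are assumptions for the example.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000      # response
FLAG_RA = 0x0080      # recursion available: the upstream was willing to recurse
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
TYPE_A = 1
TYPE_CNAME = 5


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, qtype, rcode, ra, answers=()):
    """Build a minimal DNS response. Constructed test data, not a capture.
    answers: iterable of (owner_name, rr_type, rdata_bytes), all class IN, TTL 300."""
    flags = FLAG_QR | (FLAG_RA if ra else 0) | (rcode & RCODE_MASK)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def parse_header(msg):
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "ra": bool(flags & FLAG_RA),
            "rcode": flags & RCODE_MASK, "qdcount": qd, "ancount": an}


def skip_name(msg, off):
    """Return the offset just past the name starting at off (handles pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + length


def answer_types(msg):
    """Collect the RR types present in the answer section."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = []
    for _ in range(hdr["ancount"]):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return types


def cache_decision(msg, qtype):
    """Classify a reply as 'positive', 'negative' (cacheable NODATA) or 'no-cache'.
    Illustrative rule (an assumption for this example, not dnsmasq's exact logic):
    a reply with no record of the requested type is only a trustworthy NODATA when
    the upstream actually recursed (RA set). A non-recursive upstream that hands back
    a bare CNAME simply did not chase it, so caching NODATA would hide the real name."""
    hdr = parse_header(msg)
    if hdr["rcode"] != RCODE_NOERROR:
        return "no-cache"            # error rcodes are out of scope for this sketch
    if qtype in answer_types(msg):
        return "positive"
    if not hdr["ra"]:
        return "no-cache"
    return "negative"


if __name__ == "__main__":
    cname = ("www.example.com", TYPE_CNAME, encode_name("host.example.net"))
    bare = build_response("www.example.com", TYPE_A, RCODE_NOERROR, ra=False, answers=[cname])
    print(cache_decision(bare, TYPE_A))   # the case from the thread: must not be cached as NODATA
```

With RA set, the same CNAME-only reply is a legitimate NODATA (a recursing server followed the chain and found no A record), and a reply that carries the A record is positive regardless of RA. The point of the check is that RA, not the shape of the answer section, tells the forwarder whether "nothing here" is an answer or merely the upstream declining to work.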