[Dnsmasq-discuss] [patch] don't cache NODATA when upstream doesn't support recursion
Simon Kelley
simon at thekelleys.org.uk
Mon Apr 16 22:13:07 BST 2012
On 11/04/12 06:00, Ben Winslow wrote:
> On 04/06/2012 03:33 AM, Simon Kelley wrote:
>> On 06/04/12 07:35, Ben Winslow wrote:
>>> Hello,
>>>
>>> After a very confusing ordeal with dnsmasq, I've discovered that it will
>>> cache a negative result when it does not find an acceptable answer in
>>> the reply even if the upstream server does not support recursion. This
>>> is particularly nasty if you're using --server to send some requests to
>>> a server which does not support recursion, since a CNAME response can
>>> then poison (well, somewhere between poison and delete) an arbitrary
>>> name.
>>>
>>
>> The patch looks sensible, thanks. Will apply next week when I'm back
>> from holiday.
> Thanks!
>> Sorry for your ordeal, in our defence we never claimed tp be able to
>> talk to non-recursive nameservers, do log a very clear warning when we
>> try.
> Indeed! I also maintain the upstream server that's refusing to recurse
> for me, so I should've noticed sooner, but I missed the log message
> because the problem occurred semi-randomly -- the upstream server
> frequently has A records for the CNAME targets cached, and bind will
> return those cached results even if recursion is disabled.
>
> I don't want to enable recursion globally on this server, and the client
> IPs aren't predictable enough for an acl. Is there any chance dnsmasq
> will ever support TSIG signing of the queries it forwards? ;) (...bind
> can use signatures to identify a client for acl matching. *I'd* use it,
> but I'd surely be the minority.)
>> Cheers,
>>
>> Simon.
>
> Cheers,
>
Patch is in 2.61rc,
http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.61rc2.tar.gz
Cheers,
Simon.
More information about the Dnsmasq-discuss
mailing list